I released some PoC code here to extract and reconstruct the RSA private key from the registry.

The first thing I tested was using the OpenSSH utilities normally to generate a few key-pairs and adding them to the ssh-agent. First, I generated some password-protected test key-pairs using ssh-keygen.exe:

To figure out how the SSH Agent was storing and reading my private keys, I poked around a little and started by statically examining ssh-agent.exe. I knew I had some sort of binary representation of a key, but I could not figure out the format or how to use it. I messed around generating various RSA keys with openssl, puttygen and ssh-keygen, but never got anything close to resembling the binary I had.

Finally, after much Googling, I found an awesome blog post from NetSPI about pulling out OpenSSH private keys from memory dumps of ssh-agent on Linux: https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/ Could it be that the binary format is the same? All credit due to him for the awesome Python tool and blog post.

After I had proved to myself it was possible to extract a private key from the registry, I put it all together in two scripts.

GitHub Repo

The first is a PowerShell script (extract_ssh_keys.ps1) which queries the Registry for any saved keys in ssh-agent.
As said here by ropnop