
Can the parse_mem.py script extract an RSA key from a core dump file from an ssh agent?

Open Rocco-hash opened this issue 2 years ago • 13 comments

Trying to run the parse_mem.py file and getting these errors. Trying to see if the script will do what I think it can, the question which is the title of this issue. Here is the error output:

python3 parse_mem.py
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:45: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if magic is not -1:
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:91: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if self.type is "rsa":
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:94: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif self.type is "dsa":
Traceback (most recent call last):
  File "/home/john/Desktop/t5/sshkey-grab/parse_mem.py", line 185, in <module>
    keystart.read(sys.argv[1])
IndexError: list index out of range

┌──(john㉿kali)-[~/Desktop/t5/sshkey-grab]
└─$ python3 parse_mem.py core
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:45: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if magic is not -1:
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:91: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if self.type is "rsa":
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:94: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif self.type is "dsa":
Traceback (most recent call last):
  File "/home/john/Desktop/t5/sshkey-grab/parse_mem.py", line 185, in <module>
    keystart.read(sys.argv[1])
  File "/home/john/Desktop/t5/sshkey-grab/parse_mem.py", line 24, in read
    self.mem = "".join(file.readlines())
TypeError: sequence item 0: expected str instance, bytes found

Thank you in advance if you can help with getting this script working.

Rocco-hash avatar Aug 16 '22 14:08 Rocco-hash

I ran into the same issue today, on Fedora 36. This is using python3, given the age of this project it's possible it only supports python2. I'm not able to test this immediately since pip is no longer available for python2, making installing the module requirement a little more messy than I can spare the time for right now.

anlag avatar Aug 17 '22 13:08 anlag

I am on Kali Linux, kernel version 5.19. I have both Python 2 and Python 3 installed and have installed the pyasn1 module, and no luck here. I have a core dump file and need to extract the ssh-agent generated RSA keys. Thank you if you can help.

Rocco-hash avatar Aug 17 '22 14:08 Rocco-hash

Do you get similar output if executing with the python2 executable?

anlag avatar Aug 17 '22 14:08 anlag

Yes, exact same output.

Rocco-hash avatar Aug 17 '22 14:08 Rocco-hash

┌──(john㉿kali)-[~/Desktop/t5/sshkey-grab]
└─$ python parse_mem.py core
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:45: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if magic is not -1:
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:91: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if self.type is "rsa":
/home/john/Desktop/t5/sshkey-grab/parse_mem.py:94: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif self.type is "dsa":
Traceback (most recent call last):
  File "/home/john/Desktop/t5/sshkey-grab/parse_mem.py", line 185, in <module>
    keystart.read(sys.argv[1])
  File "/home/john/Desktop/t5/sshkey-grab/parse_mem.py", line 24, in read
    self.mem = "".join(file.readlines())
TypeError: sequence item 0: expected str instance, bytes found

Rocco-hash avatar Aug 17 '22 14:08 Rocco-hash

I am trying to do the same on kali.

┌──(kali㉿kali)-[~/Downloads]
└─$ python2 sshkey-grab-master/parse_mem.py "core"  "key.key"
A saved key was not found in core
The user may not have loaded a key or the key loaded is not supported.
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Downloads]
└─$ 

I was able to get it to run but it was not able to detect the key. I know there is a key in the file. (RSA)

Kracken256 avatar Aug 17 '22 21:08 Kracken256

┌──(kali㉿kali)-[~/Downloads]
└─$ python2 sshkey-grab-master/parse_mem.py "core"  "key.key"
A saved key was not found in core
The user may not have loaded a key or the key loaded is not supported.
                                                                                                                                                                                                                         
┌──(kali㉿kali)-[~/Downloads]
└─$ cat core | strings | grep ssh
/tmp/ssh-smBOO3znD3Kz/agent.17
/tmp/ssh-smBOO3znD3Kz
ssh-agent
ssh-agent
/usr/bin/ssh-agent
ssh-agent
ssh-agent 
/usr/bin/ssh-agent
/usr/bin/ssh-agent
/usr/bin/ssh-agent
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~/Downloads]
└─$ 

Kracken256 avatar Aug 17 '22 21:08 Kracken256

Hey Wesley,

Thanks for that. Yup, I got it to run too, but no key as well. I also know that a key is in the core file, as it is a dump from an ssh-agent.

Rocco-hash avatar Aug 17 '22 21:08 Rocco-hash

Same issue as you all. Need the keys for a hacking challenge.

1jzgte avatar Aug 18 '22 17:08 1jzgte

I'm also having an error, "Found ed25519 key. ed25519 key type is not currently supported."

Could support for ed25519 keys be added?

(I suspect I need a key for the same hacking challenge as you all)

To fix the bytes error:

self.mem = "".join(str(file.readlines()))

Here's from my command line:

~/Downloads/sshkey-grab$ python parse_mem.py ../ssh-agent ../core
Found ed25519 key
ed25519 key type is not currently supported.

~/Downloads/sshkey-grab$ cat ../core | strings | grep ssh
/tmp/ssh-EyJidd4D6M9H/agent.17
/tmp/ssh-EyJidd4D6M9H
ssh-agent
ssh-agent
/usr/bin/ssh-agent
ssh-agent
ssh-agent 
/usr/bin/ssh-agent
/usr/bin/ssh-agent
/usr/bin/ssh-agent

liloheinrich avatar Aug 20 '22 02:08 liloheinrich
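
The `TypeError` earlier in the thread and the `str(...)` workaround in the comment above both come from treating a binary core file as text. The sketch below is an added example, not code from sshkey-grab or from anyone in this thread: it reads a dump as bytes and lists which SSH key-type names occur as length-prefixed wire-format strings, then shows how the stringified view shifts offsets. The function names and the sample buffer are constructed for illustration.

```python
import io
import struct

# Key-type names as they appear in SSH wire-format strings.
KEY_TYPES = (b"ssh-rsa", b"ssh-dss", b"ssh-ed25519", b"ecdsa-sha2-nistp256")


def load_dump(path):
    """Read a core file as raw bytes so every offset matches the file."""
    with open(path, "rb") as fh:
        return fh.read()


def find_key_type_strings(mem):
    """Return sorted (offset, name) pairs where a key-type name is preceded
    by its big-endian uint32 length, i.e. encoded as an SSH 'string'."""
    hits = []
    for name in KEY_TYPES:
        needle = struct.pack(">I", len(name)) + name
        pos = mem.find(needle)
        while pos != -1:
            hits.append((pos, name.decode()))
            pos = mem.find(needle, pos + 1)
    return sorted(hits)


def stringified_view(mem):
    """Reproduce "".join(str(file.readlines())) on an in-memory buffer.
    The result is the repr of a list of bytes objects, not the data."""
    return "".join(str(io.BytesIO(mem).readlines()))


def build_sample():
    """Constructed buffer: padding, one length-prefixed key-type string,
    a path, and a bare 'ssh-rsa' with no length prefix."""
    return (b"\x00" * 16
            + struct.pack(">I", 11) + b"ssh-ed25519"
            + b"\xff\n\x00/usr/bin/ssh-agent\x00ssh-rsa\x00")


if __name__ == "__main__":
    mem = build_sample()
    print(find_key_type_strings(mem))
    print(mem.find(b"ssh-ed25519"), stringified_view(mem).find("ssh-ed25519"))
```

The bare `ssh-rsa` in the sample is not reported because it lacks the length prefix, which is why a plain `strings | grep` hit on its own says little about whether a parseable key structure is present.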

Hey lilo,

Thank you for that. I got it to give the same error as your error message, but what I find odd though is that in the script it states ed25519 is a supported key, so I am perplexed. Let me know if you find anything else.

Rocco-hash avatar Aug 20 '22 02:08 Rocco-hash

I also get this if I run it on just core:

$ ./parse_mem.py ../core key

A saved key was not found in ../core
The user may not have loaded a key or the key loaded is not supported.

Heck.

1jzgte avatar Aug 22 '22 00:08 1jzgte

I think the core file we’re inputting must not be compatible with the format parse_mem.py is looking for. We didn’t use the collection script grabagentmem.sh that was meant to go together with this.

liloheinrich avatar Aug 22 '22 07:08 liloheinrich