CryKeX: Linux Memory Cryptographic Keys Extractor
by do son · Published · Updated
Properties:
- Cross-platform
- Minimalism
- Simplicity
- Interactivity
- Compatibility/Portability
- Application Undependable
- Process Wrapping
- Process Injection
Limitations:
- AES and RSA keys only
- Fails most of the time for Firefox browser
- Won’t work for disk encryption (LUKS) and PGP/GPG
- Needs proper user privileges and memory authorizations
How it works
Some work has been already published regarding the subject of cryptographic keys security within DRAM. Basically, we need to find something that looks like a key (entropic and specific length) and then confirms its nature by analyzing the memory structure around it (C data types).
The idea is to dump the live memory of a process and use those techniques in order to find probable keys since memory mapping doesn’t change. Thanks-fully, tools exist for that purpose.
The script is not only capable of injecting into already running processes, but also wrapping new ones, by launching them separately and injecting shortly afterward. This makes it capable of dumping keys from almost any process/binary on the system.
Of course, accessing a memory is limited by the kernel, which means that you will still require privileges for a process.
Linux disk encryption (LUKS) uses the anti-forensic technique in order to mitigate such issue, however, extracting keys from a whole memory is still possible.
Firefox browser uses somehow similar memory management, this seems not to be affected.
Same goes for PGP/GPG.
HowTo
Installing dependencies:
sudo apt install gdb aeskeyfind rsakeyfind || echo ‘have you heard about source compiling?‘
An interactive example for OpenSSL AES keys:
openssl aes-128-ecb -nosalt -out testAES.enc
Enter a password twice, then some text and before terminating:
CryKeX.sh openssl
Finally, press Ctrl+D 3 times and check the result.
OpenSSL RSA keys:
openssl genrsa -des3 -out testRSA.pem 2048
When prompted for a passphrase:
CryKeX.sh openssl
Verify:
openssl rsa -noout -text -in testRSA.pem
Let’s extract keys from SSH:
echo ‘Ciphers aes256-gcm@openssh.com‘ >> /etc/ssh/sshd_config
ssh user@server
CryKeX.sh ssh
From OpenVPN:
echo ‘cipher AES-256-CBC‘ >> /etc/openvpn/server.conf
openvpn yourConf.ovpn
sudo CryKeX.sh openvpn
TrueCrypt/VeraCrypt is also affected: Select “veracrypt” file in VeraCrypt, mount with password “pass” and:
sudo CryKeX.sh veracrypt
Chromium-based browsers (thanks, Google):
CryKeX.sh chromium
CryKeX.sh google-chrome
Despite Firefox not being explicitly affected, Tor Browser Bundle is still susceptible due to tunneling:
CryKeX.sh tor
As said, you can also wrap processes:
Source: https://github.com/cryptolok/
