Memory Forensics of OpenSSH

Aris Adamantiadis aris at 0xbadc0de.be
Thu May 8 02:17:03 EST 2014


Hi Fengwei,

I wouldn't want to do the work in your place myself, but it's pretty
straightforward. It's relatively easy to open the OpenSSH .h files that
describe the data structures and scan for matching patterns in
memory. For instance, a pointer would point to either some mapped memory
or 0, whereas it would be unlikely for an integer to be a valid pointer.
Also, all cryptographic primitives (like AES) leave very distinct traces
in memory. "All" you have to do is find pointers referencing them
and scan the memory bottom-up.

I also think many data structures are allocated in the .bss. In that case
it's not even needed to brute-force the memory to find what you need.

Regards,

Aris

On 7/05/14 00:01, Fengwei Zhang wrote:
> Hello Cal,
>
> Thanks for sharing these great links. These articles use a characteristic of the RSA/DSA structure, and search for the structure in process memory to extract the private key.
> They verify the structure by using the RSA/DSA algorithm.
>
> However, my goal is to find the session key (in the struct session_state), and the techniques from the articles won't work because we cannot validate the session_state (or related) structures (i.e., there is no validating algorithm).
>
> So I am wondering if there is any SSH data structure at a fixed offset from somewhere (e.g., 0xdead from text_base). Or is there any data structure with a characteristic that I can search for?
>
> Thanks,
> Fengwei
>
> On May 4, 2014, at 4:49 PM, Cal Leeming [Simplicity Media Ltd] <cal.leeming at simplicitymedialtd.co.uk> wrote:
>
>> Although I cannot speak with any authority on the data structures of SSH, I can at least point you in the right direction on tools already available.
>>
>> Looks like someone also wrote a tool already to do SSH key extraction from memory;
>> https://github.com/kholia/passe-partout
>>
>> Have a look at volatility framework;
>> https://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
>> http://www.forensicswiki.org/wiki/Volatility_Framework
>> http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
>>
>> Also these;
>> http://sneakygcr.tumblr.com/post/52514790216/how-to-extract-the-private-key-from-a-running-ssh
>> http://c0decstuff.blogspot.co.uk/2011/01/in-memory-extraction-of-ssl-private.html
>> http://www.vnsecurity.net/2009/10/how-to-recover-rsa-private-key-in-a-coredump-of-ssh-agent-sapheads-hackjam-2009-challenge-6/
>>
>> Hope this helps
>>
>> Cal
>>
>>
>>
>> On Sun, May 4, 2014 at 9:37 PM, Fengwei Zhang <namedylan at gmail.com> wrote:
>> Hello List,
>>
>> One of my projects needs memory forensics of OpenSSH. Here is a brief description of the problem:
>>
>> I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example. In order to find this information, I think I need a starting point (i.e., a memory address) of the OpenSSH data structures.
>>
>> Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated.
>>
>> Thanks,
>> Fengwei
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
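Aris's two heuristics above, the "distinct trace" an expanded AES key leaves in memory and the "pointer lands in a mapped region or is 0" test for struct fields, are concrete enough to run. The following is an added example, not code from OpenSSH, OpenSSL or anyone in this thread. It scans a constructed memory image for AES-128 key schedules by treating every aligned 16-byte window as a candidate key and checking whether the 160 bytes after it equal that key's own FIPS-197 expansion; a hit yields the raw key bytes (round key 0) and an address that cipher-context pointers should reference, which is the starting point for the bottom-up walk towards session_state. It also tries the layout in which every 32-bit word is byte-swapped, since implementations that keep round keys as uint32 arrays (OpenSSL's portable C AES does) look that way on a little-endian host. All function names, the sample image and the mapping table are this example's own assumptions; the FIPS-197 Appendix A.1 key is used only as a known test vector. AES-192/256 schedules (208/240 bytes, different expansion) are not handled here.

```python
"""Find expanded AES-128 keys in a raw memory image and apply a pointer-
plausibility test to struct fields.  Added example; not OpenSSH/OpenSSL code."""
import random
import struct

# --- AES-128 key expansion (FIPS-197), used as the validator ----------------

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """Generate the AES S-box from GF(2^8) arithmetic instead of a 256-byte table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes

def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule for a 16-byte key."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def _round1_word0(key):
    """First word of round key 1; cheap prefilter before a full expansion."""
    t = [SBOX[b] for b in key[13:16] + key[12:13]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[0:4], t))

# --- the scanner -------------------------------------------------------------

def _swap_words(buf):
    """Reverse byte order inside each 32-bit word (uint32 round keys on LE)."""
    return b"".join(buf[i:i + 4][::-1] for i in range(0, len(buf), 4))

def find_aes128_schedules(dump, step=4):
    """Return [(offset, key, layout)] for every AES-128 schedule found in dump.

    step=4 assumes the schedule is word-aligned (true for uint32 arrays);
    use step=1 when the alignment of the target allocation is unknown."""
    hits = []
    for off in range(0, len(dump) - SCHEDULE_LEN + 1, step):
        window = dump[off:off + SCHEDULE_LEN]
        for layout, view in (("fips", window), ("word-swapped", _swap_words(window))):
            key = view[:16]
            if view[16:20] != _round1_word0(key):
                continue
            if expand_key_128(key) == view:
                hits.append((off, key, layout))
    return hits

# --- pointer plausibility for struct fields (the other heuristic) -------------

def looks_like_pointer(value, mappings):
    """NULL, or an address inside one of the process's mapped (lo, hi) ranges."""
    return value == 0 or any(lo <= value < hi for lo, hi in mappings)

def pointer_slots(chunk, mappings):
    """Indexes of the 8-byte little-endian slots in chunk that pass the test."""
    return [i for i in range(len(chunk) // 8)
            if looks_like_pointer(struct.unpack_from("<Q", chunk, 8 * i)[0], mappings)]

# --- constructed sample image (not a real dump) --------------------------------

def build_sample_dump(seed=7):
    """16 KiB of seeded random filler with two schedules embedded, one per layout."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(16384))
    key_a = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 vector
    key_b = bytes(range(16))
    dump[0x1000:0x1000 + SCHEDULE_LEN] = expand_key_128(key_a)
    dump[0x2400:0x2400 + SCHEDULE_LEN] = _swap_words(expand_key_128(key_b))
    return bytes(dump)

if __name__ == "__main__":
    for off, key, layout in find_aes128_schedules(build_sample_dump()):
        print(f"AES-128 schedule at 0x{off:x} ({layout}): key={key.hex()}")
    # assumed mapping table, as one would derive from the mm_struct/VMAs
    maps = [(0x7f0000000000, 0x7f0000100000)]
    rec = struct.pack("<QQq", 0x7f0000004010, 0, -1)   # ptr, NULL, int -1
    print("pointer-like slots:", pointer_slots(rec, maps))
```

On a real image, run the scanner over the process's anonymous and heap mappings (the cipher contexts live there, not in the text segment), then search those same mappings for the 8-byte address of each hit: the structures that reference it are the cipher-context layer, and their own addresses are what the next level up (sshcipher/newkeys/session_state) will contain. The pointer test is what keeps that walk from chasing integers that happen to look like addresses.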