Well, this will be a rather short post, since it's about the automation of my previous blog post, in which we analysed the memory dump of the pageant process and manually extracted the unencrypted keys. You can find the tool that automates this process in the pageant_xkeys git repository. Since I'm a firm believer that you learn best from mistakes and old code, the repository also includes some of the other code I was playing around with.
A Red Team exercise is lots of fun, not only because the broader scope makes for a more realistic engagement, but also because you encounter situations that you normally wouldn't on a regular, narrowly scoped penetration test. I'm going to focus on pageant, which Slurpgeit recently encountered during one of these red team exercises and which piqued my interest.
Apparently he got access to a machine on which the user used pageant to manage SSH keys and authenticate to servers without having to type his key password every single time he connects. This of course raises the following interesting (or silly) question:
Why does the user only have to type his ssh key in once?
Which has a rather logical (or doh) answer as well:
The pageant process keeps the decrypted key in memory so that you can use them without having to type the decryption password every time you want to use the key.
From an attacker's perspective this of course begs the question whether you can steal these unencrypted keys. Assuming you are able to make a memory dump of the running process, you should be able to recover these decrypted SSH keys. In this blog post I'll focus on how you could achieve this and the pitfalls I encountered along the way.
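The flip side of the above for a defender is that dumping pageant's memory requires another process to open pageant.exe with read access, which Sysmon logs as a ProcessAccess event (Event ID 10). The following is an added example (not code from the post or from pageant_xkeys) that flags such events; it assumes the events have already been parsed into dicts carrying the real Event ID 10 field names, and the sample records are constructed for illustration.

```python
"""Flag Sysmon ProcessAccess (Event ID 10) records that open pageant.exe
with rights sufficient to read its memory (and thus the decrypted keys).

Added example; assumes events are dicts with Sysmon's SourceImage,
TargetImage and GrantedAccess fields. Sample records are constructed.
"""
from typing import Iterable, List

# Process access-right bits from winnt.h.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400


def is_pageant_memory_read(event: dict) -> bool:
    """True when some process opened pageant.exe with PROCESS_VM_READ.

    PuTTY-family clients talk to pageant via WM_COPYDATA and a shared file
    mapping that the client itself creates, so they should not need to read
    pageant's memory; any handle with VM_READ is worth a look.
    """
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\pageant.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # malformed field: let the caller's parser deal with it
    return bool(granted & PROCESS_VM_READ)


def find_pageant_memory_reads(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that match is_pageant_memory_read."""
    return [e for e in events if is_pageant_memory_read(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Tools\\dumper.exe",            # hypothetical tool
     "TargetImage": "C:\\Program Files\\PuTTY\\pageant.exe",
     "GrantedAccess": "0x1410"},                        # QUERY_INFO | VM_READ
    {"SourceImage": "C:\\Windows\\explorer.exe",
     "TargetImage": "C:\\Program Files\\PuTTY\\pageant.exe",
     "GrantedAccess": "0x1000"},                        # QUERY_LIMITED only
    {"SourceImage": "C:\\Tools\\dumper.exe",
     "TargetImage": "C:\\Windows\\notepad.exe",
     "GrantedAccess": "0x1410"},                        # not pageant
]

if __name__ == "__main__":
    for hit in find_pageant_memory_reads(SAMPLE_EVENTS):
        print(f"{hit['SourceImage']} read memory of {hit['TargetImage']}")
```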
Continue reading “Discovering the secrets of a pageant minidump”