fox-it / openssh-session-key-recovery

Project containing several tools/scripts to recover the OpenSSH session keys used to encrypt/decrypt SSH traffic.

Home Page: https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/

License: Apache License 2.0

Python 100.00%
memory openssh pcap sshd volatility volatility3

openssh-session-key-recovery's Introduction

OpenSSH Session Key Recovery

Project containing several tools/scripts to recover the OpenSSH session keys used to encrypt/decrypt SSH traffic. More information can be found in the Fox-IT blog post linked above.

Volatility 3 Usage

Without changing the volatility3 repository

Use the plugin

Pass the directory that contains the plugin after the -p flag.

Give the symbol

The correct symbol file (openssh32 or openssh64) must be in the directory given after the -s flag. Or put both there; the plugin will choose the right one.

Adding the files in the repository

Plugin

The plugin file can be added to volatility3/framework/plugins/linux.

Symbols

The symbol files can be added to volatility3/framework/symbols/linux.
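The two ways of wiring the plugin into Volatility 3 above differ only in where the plugin module and the symbol file live. The script below is an added example, not code from the fox-it repository: it checks that the directories you intend to pass after -p and -s actually hold the plugin module and at least one of the two symbol files, then prints the vol.py command line using the plugin name that appears in the issue thread further down (linux.openssh_sessionkeys.SSHKeys). The file names openssh_sessionkeys.py, openssh32.json and openssh64.json are assumptions, not taken from the page; -p, -s and -f are Volatility 3's plugin-dirs, symbol-dirs and file options.

```shell
#!/bin/sh
# Added example, not part of the fox-it project. Pre-flight check plus
# command assembly for running the session-key plugin from outside the
# volatility3 tree. Assumed file names (not from the page):
#   openssh_sessionkeys.py, openssh32.json, openssh64.json

# check_layout PLUGIN_DIR SYMBOL_DIR
# Returns 0 when the plugin module and at least one symbol file are present,
# 1 otherwise (with the reason on stderr). Catches the common mistake of
# pointing -p or -s at a directory one level too high or too low.
check_layout() {
    plugin_dir=$1
    symbol_dir=$2
    if [ ! -f "$plugin_dir/openssh_sessionkeys.py" ]; then
        echo "plugin module openssh_sessionkeys.py not found in $plugin_dir" >&2
        return 1
    fi
    if [ ! -f "$symbol_dir/openssh64.json" ] && [ ! -f "$symbol_dir/openssh32.json" ]; then
        echo "neither openssh64.json nor openssh32.json found in $symbol_dir" >&2
        return 1
    fi
    return 0
}

# build_cmd PLUGIN_DIR SYMBOL_DIR IMAGE
# Prints the vol.py invocation: -p adds a plugin directory, -s a symbol
# directory, -f names the memory image; the final argument is the plugin.
build_cmd() {
    printf 'python3 vol.py -p %s -s %s -f %s linux.openssh_sessionkeys.SSHKeys\n' "$1" "$2" "$3"
}

# Stand-alone use: sh run_sshkeys.sh <plugin_dir> <symbol_dir> <image>
if [ "$#" -eq 3 ]; then
    check_layout "$1" "$2" && build_cmd "$1" "$2" "$3"
fi
```

The script only prints the command so you can review the paths before running it against a real image; when both directories are correct, copying the printed line is all that is left to do.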

openssh-session-key-recovery's People

Contributors

jellever, owlyduck, yunzheng


openssh-session-key-recovery's Issues

LICENSE

Hi, would you consider adding a license to this code so other developers can potentially include parts of it in their own projects?

plugins.SSHKeys.pslist

I have the following error when I tried to run it from volatility3:
Unable to validate the plugin requirements: ['plugins.SSHKeys.pslist']

Can you help me?

Memory dump acquisition

Hello,

I would like to know if there is any special manipulation required for the memory dump.
I tested with LiME or the debug mode of VirtualBox, and on a multitude of different Debian/Ubuntu versions (Debian 9, 10, 11 or Ubuntu 18.04 and 20.04).

I never manage to retrieve the values with the openssh_sessionkeys plugin (Address, PID, Name, Key, IV, ...).
Is a particular version of the OpenSSH server and/or client required?
Should the dump be done on the server or on the client side instead?

I'm interested in feedback from those who have succeeded.

Thank you

How can I solve this problem?

/___/
\ (
)/ OpenSSH Session Key Dumper
\ X By Jelle Vergeer
\ /
/
Scanning for OpenSSH sshenc structures...

Name Pid PPid Address Name Key IV


No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space

The key cannot be found!

[root@localhost volatility-master]# python vol.py -vvvv -f /home/john/volatility-master/0321.vmem --profile=LinuxCentOs7_5x64 linux_sshkeys -n sshd
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)

/___/
\ (
)/ OpenSSH Session Key Dumper
\ X By Jelle Vergeer
\ /
/
Scanning for OpenSSH sshenc structures...

Name Pid PPid Address Name Key IV


WARNING : volatility.debug : NoneObject as string: Pointer name invalid
WARNING : volatility.debug : NoneObject as string: Pointer name invalid

It always indicates that the pointer is not recognized.
System version: CentOS 7.5

I got a "Framework interface version" error when I ran it

To install it I copied OpenSSH-Session-Key-Recovery/volatility3/* into volatility3/volatility/plugins/linux/

After that I ran it and got this error.

python3 volatility3/vol.py  -f /home/pepe/Descargas/dump.mem  linux.openssh_sessionkeys.SSHKeys
Volatility 3 Framework 2.0.0-beta.1
Traceback (most recent call last):
  File "/volatility3/vol.py", line 10, in <module>
    volatility.cli.main()
  File "/volatility3/volatility/cli/__init__.py", line 586, in main
    CommandLine().run()
  File "/volatility3/volatility/cli/__init__.py", line 303, in run
    constructed = plugins.construct_plugin(ctx, automagics, plugin, base_config_path, progress_callback,
  File "/volatility3/volatility/framework/plugins/__init__.py", line 51, in construct_plugin
    constructed = plugin(context, plugin_config_path, progress_callback = progress_callback)
  File "/volatility3/volatility/framework/interfaces/plugins.py", line 126, in __init__
    framework.require_interface_version(*self._required_framework_version)
  File "/volatility3/volatility/framework/__init__.py", line 47, in require_interface_version
    raise RuntimeError("Framework interface version {} is incompatible with required version {}".format(
RuntimeError: Framework interface version 2 is incompatible with required version 1

Could you help me?
Thanks
