fox-it / OpenSSH-Session-Key-Recovery

Project containing several tools and scripts to recover the OpenSSH session keys used to encrypt/decrypt SSH traffic.
https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/
Apache License 2.0

Acquisition of memory dump #5

Closed dfirtest closed 2 years ago

dfirtest commented 2 years ago

Hello,

I would like to know whether there is any special handling required for the memory dump. I tested with LiME and with the debug mode of VirtualBox, on a number of different Debian/Ubuntu versions (Debian 9, 10 and 11, Ubuntu 18.04 and 20.04).

I never manage to retrieve the values with the openssh_sessionkeys plugin (Address, PID, Name, Key, IV, ...). Is a particular version of the OpenSSH server and/or client required? Should the dump be taken on the server side or on the client side instead?

I'm interested in feedback from those who have succeeded.

Thank you.

jellever commented 2 years ago

Hey,

Do you have an open SSH session at the moment you create the memory dump? It shouldn't really matter which version of OpenSSH you are running, as the structure hasn't changed in a while and I account for the differences in older versions. It doesn't matter whether you run it on the client or the server; it should work in both cases. Are you scanning all processes with the plugin or only certain processes?

Regards,
Jelle
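The structure the reply refers to is OpenSSH's `struct sshenc`, which holds the cipher name, key and IV for one direction of a session. As an added example (not the project's plugin and not part of this thread), the scanner below applies the kind of plausibility checks such a plugin needs to a flat memory buffer: integer fields must be sane, the name pointer must resolve to a known cipher string, and the key pointer must resolve to non-zero bytes. It assumes an x86_64 build (8-byte pointers, 4-byte ints, 48-byte struct) and a single contiguous image with a known base address; `FlatImage`, `scan_sshenc`, the cipher list and the sample image are my constructions.

```python
"""Heuristic scan of a memory image for OpenSSH 'struct sshenc' records.

Added example, not the fox-it plugin's code.  Assumptions: an x86_64 OpenSSH
build (8-byte pointers, 4-byte ints, 48-byte struct) and an image that is one
contiguous mapping starting at a known base address.  A real dump is walked
per process through the Volatility address space instead of a flat buffer.
"""
import struct

# Assumed x86_64 layout of OpenSSH's struct sshenc:
#   char *name; const struct sshcipher *cipher; int enabled;
#   u_int key_len; u_int iv_len; u_int block_size; u_char *key; u_char *iv;
SSHENC = struct.Struct("<QQiIIIQQ")  # 48 bytes, pointers naturally aligned

# Subset of OpenSSH cipher names a live session may carry in enc->name.
KNOWN_CIPHERS = {
    b"aes128-ctr", b"aes192-ctr", b"aes256-ctr",
    b"aes128-gcm@openssh.com", b"aes256-gcm@openssh.com",
    b"chacha20-poly1305@openssh.com",
}
VALID_KEY_LENS = {16, 24, 32, 64}
VALID_IV_LENS = {0, 8, 12, 16}
VALID_BLOCK_SIZES = {8, 16}


class FlatImage:
    """A contiguous chunk of memory with a known virtual base address."""

    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def read(self, vaddr, size):
        off = vaddr - self.base
        if off < 0 or off + size > len(self.data):
            return None  # pointer does not land inside the image
        return self.data[off:off + size]

    def read_cstring(self, vaddr, max_len=64):
        off = vaddr - self.base
        if off < 0 or off >= len(self.data):
            return None
        chunk = self.data[off:off + max_len]
        end = chunk.find(b"\x00")
        return None if end < 0 else chunk[:end]


def scan_sshenc(img, step=8):
    """Return candidate sshenc records whose fields pass plausibility checks."""
    hits = []
    for off in range(0, len(img.data) - SSHENC.size + 1, step):
        (name_p, _cipher_p, enabled, key_len, iv_len,
         block_size, key_p, iv_p) = SSHENC.unpack_from(img.data, off)
        # Cheap integer checks first, pointer dereferences last.
        if enabled not in (0, 1) or key_len not in VALID_KEY_LENS:
            continue
        if iv_len not in VALID_IV_LENS or block_size not in VALID_BLOCK_SIZES:
            continue
        name = img.read_cstring(name_p)
        if name not in KNOWN_CIPHERS:
            continue
        key = img.read(key_p, key_len)
        iv = img.read(iv_p, iv_len) if iv_len else b""
        if key is None or iv is None or key == bytes(key_len):
            continue  # unresolvable or all-zero key: not a live session key
        hits.append({
            "address": img.base + off,
            "name": name.decode(),
            "enabled": enabled,
            "key": key,
            "iv": iv,
        })
    return hits


def build_sample_image(base=0x55D000000000):
    """Constructed sample: one aes256-gcm record, one decoy record, noise."""
    blob = bytearray(64)  # leading zero noise

    def append(data):
        start = len(blob)
        blob.extend(data)
        blob.extend(bytes(-len(blob) % 8))  # keep later fields 8-aligned
        return base + start

    name_p = append(b"aes256-gcm@openssh.com\x00")
    decoy_name_p = append(b"not-a-cipher\x00")
    key_p = append(bytes(range(1, 33)))       # 32-byte constructed key
    iv_p = append(bytes(range(0xA0, 0xAC)))   # 12-byte constructed IV
    # Decoy: sane integers, but the name pointer resolves to a non-cipher.
    append(SSHENC.pack(decoy_name_p, 0, 1, 32, 12, 16, key_p, iv_p))
    real_p = append(SSHENC.pack(name_p, base + 0x10000, 1, 32, 12, 16, key_p, iv_p))
    append(bytes(range(256)) * 2)             # trailing noise
    return FlatImage(base, blob), real_p


if __name__ == "__main__":
    image, expected = build_sample_image()
    for hit in scan_sshenc(image):
        print(hex(hit["address"]), hit["name"], hit["key"].hex(), hit["iv"].hex())
```

On a real dump the same checks are run over each process's address space (typically `sshd` and its per-connection children on the server, `ssh` on the client), which is why the question about scanning all processes matters: a session that was already closed when the dump was taken leaves nothing for this scan to find.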