  • Stars: 235
  • Language: Shell
  • License: MIT License
  • Created about 7 years ago
  • Updated over 1 year ago


Repository Details

Linux Memory Cryptographic Keys Extractor

Properties:

  • Cross-platform
  • Minimalism
  • Simplicity
  • Interactivity
  • Compatibility/Portability
  • Application-independent
  • Process Wrapping
  • Process Injection

Dependencies:

  • Unix - should work on any Unix-based OS
    • BASH - the whole script
    • root privileges (optional)

Limitations:

  • AES and RSA keys only
  • Fails most of the time for Firefox browser
  • Won't work for disk encryption (LUKS) and PGP/GPG
  • Needs proper user privileges and memory authorizations

How it works

You may have already heard of or even used my AES-REX project, which does pretty much the same thing, but differently: whereas AES-REX extracts cryptographic keys from CPU registers, CryKeX extracts them from volatile memory (RAM).

Some work has already been published on the security of cryptographic keys held in DRAM. Basically, we need to find something that looks like a key (high entropy and a specific length) and then confirm its nature by analyzing the memory structure around it (C data types).

The idea is to dump the live memory of a process and apply those techniques to find probable keys, since the memory mapping doesn't change. Thankfully, tools exist for that purpose.

The script is not only capable of injecting into already running processes, but also of wrapping new ones: launching them separately and injecting shortly afterwards. This makes it capable of dumping keys from almost any process/binary on the system.

Of course, access to a process's memory is restricted by the kernel, which means that you will still need sufficient privileges over the target process.
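The kernel restriction above is the ptrace access check, and an application can tighten it for itself. The following is an added example, not CryKeX's own code; it assumes Linux and calls libc's prctl through ctypes. It reads the system-wide Yama ptrace_scope setting, parses the TracerPid field of /proc/<pid>/status that reveals an attached debugger such as an injected gdb, and clears the process's dumpable flag so that only a CAP_SYS_PTRACE (root) process can still attach or read its memory.

```python
# Added example, not part of the CryKeX project: defender-side checks against
# the ptrace-based memory dumping gdb performs when a tool injects into a
# process. Assumes Linux; elsewhere the prctl helpers return None.
import ctypes
import re
import sys
from typing import Optional

IS_LINUX = sys.platform.startswith("linux")
PR_GET_DUMPABLE = 3   # option numbers from <linux/prctl.h>
PR_SET_DUMPABLE = 4

def parse_tracer_pid(status_text: str) -> int:
    """TracerPid field of a /proc/<pid>/status text; 0 means nobody is attached."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("status text has no TracerPid field")
    return int(m.group(1))

def ptrace_scope() -> Optional[int]:
    """Yama kernel.yama.ptrace_scope: 0 = any same-uid process may attach,
    1 = only ancestors, 2 = only CAP_SYS_PTRACE, 3 = nobody. None if absent."""
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as fh:
            return int(fh.read().strip())
    except OSError:
        return None

def _prctl(option: int, arg2: int = 0) -> int:
    libc = ctypes.CDLL(None, use_errno=True)   # the running program's libc
    ret = libc.prctl(option, arg2, 0, 0, 0)
    if ret < 0:
        raise OSError(ctypes.get_errno(), "prctl failed")
    return ret

def is_dumpable() -> Optional[bool]:
    """True only while unprivileged same-uid processes may attach or read memory."""
    return _prctl(PR_GET_DUMPABLE) == 1 if IS_LINUX else None

def set_nondumpable() -> Optional[bool]:
    """Per-process hardening: with dumpable cleared, ptrace attach and reads of
    /proc/<pid>/mem need CAP_SYS_PTRACE. Reset by execve, so call it early,
    before any key is loaded; it also disables core dumps of the process."""
    if not IS_LINUX:
        return None
    _prctl(PR_SET_DUMPABLE, 0)
    return not is_dumpable()
```

A running process can check `parse_tracer_pid(open("/proc/self/status").read())` at intervals; a non-zero value means something is attached, which is exactly what the injection step relies on.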

Linux disk encryption (LUKS) uses an anti-forensic technique to mitigate this issue; however, extracting keys from a full memory dump is still possible.

The Firefox browser uses somewhat similar memory management and thus seems not to be affected.

Same goes for PGP/GPG.

Unfortunately, solutions like Ansible are affected.

You can read more details from eForensics.

HowTo

Installing dependencies:

sudo apt install gdb aeskeyfind rsakeyfind || echo 'have you heard about source compiling?'

An interactive example for OpenSSL AES keys:

openssl aes-128-ecb -nosalt -out testAES.enc

Enter a password twice, then some text, and before terminating run:

CryKeX.sh openssl

Finally, press Ctrl+D 3 times and check the result.

OpenSSL RSA keys:

openssl genrsa -des3 -out testRSA.pem 2048

When prompted for passphrase:

CryKeX.sh openssl

Verify:

openssl rsa -noout -text -in testRSA.pem

Let's extract keys from SSH:

echo 'Ciphers [email protected]' >> /etc/ssh/sshd_config
ssh user@server
CryKeX.sh ssh

From OpenVPN:

echo 'cipher AES-256-CBC' >> /etc/openvpn/server.conf
openvpn yourConf.ovpn
sudo CryKeX.sh openvpn

TrueCrypt/VeraCrypt is also affected: select the "veracrypt" file in VeraCrypt, mount it with the password "pass" and run:

sudo CryKeX.sh veracrypt

Chromium-based browsers (thanks Google):

CryKeX.sh chromium
CryKeX.sh google-chrome

Despite Firefox not being explicitly affected, Tor Browser Bundle is still susceptible due to tunneling:

CryKeX.sh tor

As said, you can also wrap processes (the two indented lines are the answers given to the script's prompts):

apt install libssl-dev
gcc cipher.c -o cipher -lcrypto
CryKeX.sh cipher
	wrap
	cipher

Notes

Feel free to contribute and test other applications.

"The key of persistence opens all doors closed by resistance"

John Di Lemme
