2025-04-01 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article explains in detail how to extract SSH private keys from the Windows 10 ssh-agent. The content is of high quality, so the editor shares it as a reference; I hope you will have a clear understanding of the relevant knowledge after reading it.
Background
I installed the Windows 10 Spring Update this weekend, and what I looked forward to most was its built-in OpenSSH tooling, which means Windows administrators no longer need to rely on PuTTY and PPK-format keys. I spent some time exploring the features supported by this release. It did not disappoint, and I was pleasantly surprised to see that ssh-agent.exe was included. The following passage from an MSDN article on using the new Windows ssh-agent caught my attention:
I have hijacked ssh-agent on Linux before and run some interesting experiments with it, so I decided to look at how Windows "securely" uses this new service to store private keys. I will outline my method and steps in this article; it was a very interesting process. Without further ado, let's begin.
The private keys are protected by DPAPI and stored in the HKCU registry hive. I've released some PoC code here to extract and reconstruct the RSA private keys from the registry.
Using OpenSSH in Windows 10
The first thing to do in the test is to use OpenSSH to generate a few key pairs and add them to ssh-agent.
First, I used ssh-keygen.exe to generate some passphrase-protected test key pairs:
Then I made sure the new ssh-agent service was running and used ssh-add to add the private keys to the running agent:
Running ssh-add.exe -L displays the keys currently managed by the SSH agent.
Finally, after adding the public key to an Ubuntu box, I verified that I could SSH into it from Windows 10 without having to decrypt my private key (because ssh-agent handles that for me):
Monitoring SSH Agent
To understand how the SSH agent stores and reads my private keys, I started by examining ssh-agent.exe statically. My static analysis skills are weak, however, so I gave up on that and decided to trace the process dynamically to see what it was doing.
I used Sysinternals procmon.exe and added a filter for any process name containing "ssh".
With procmon capturing events, I SSHed into my Ubuntu machine again. Looking through the events, I saw that ssh.exe opens a TCP connection to Ubuntu, and that ssh-agent.exe starts up and reads some values from the registry:
Here are two very important points:
The process ssh-agent.exe reads the key values from HKCU\Software\OpenSSH\Agent\Keys
After reading these values, dpapi.dll is opened immediately.
From this I now know that some protected data is stored in and read from the registry, and that ssh-agent uses Microsoft's Data Protection API (DPAPI).
Test registry values
Sure enough, in the registry you can see the two keys I added with ssh-add. Each key name is the fingerprint of the public key, and each holds some binary blobs:
I can pull the registry values and work with them. The comment field is just ASCII-encoded text: the name of the key I added:
The (default) value is just a byte array that does not decode to anything meaningful. I had a hunch that this was the "encrypted" private key, so could I pull it out and decrypt it? I pulled the bytes into a PowerShell variable:
Unprotect key
Although I knew that many post-exploitation tools abuse DPAPI to fetch credentials, I was not familiar with it myself, so I assumed that others had already implemented a wrapper. A Google search turned up a simple one-liner.
Not knowing whether it would work, I tried using DPAPI to unprotect the byte array and Base64-encoded the result:
Add-Type -AssemblyName System.Security
$unprotectedbytes = [Security.Cryptography.ProtectedData]::Unprotect($keybytes, $null, 'CurrentUser')
[System.Convert]::ToBase64String($unprotectedbytes)
The returned Base64 did not look like a private key, but I decoded it just for fun and was surprised to see the string "ssh-rsa" appear in it.
Find out the binary format
This is the part that took me the longest. I knew I had a binary representation of some key, but I could not work out the format or how to use it.
I used openssl, puttygen and ssh-keygen to generate RSA keys in various formats, but I never got anything resembling the binary I had.
Finally, after a lot of Googling, I found an article from NetSPI about fetching OpenSSH private keys from a memory dump of ssh-agent on Linux: https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/
Was the binary format the same? I grabbed the Python script from that blog post and fed it the unprotected Base64 blob I had pulled from the Windows registry:
It worked! I don't know how the original author, soleblaze, figured out the correct format of the binary data, but I want to thank him for his work and for sharing it!
Having proven that the private keys could be extracted from the registry, I published a PoC on GitHub.
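The reason the literal "ssh-rsa" shows up in the decoded bytes is that the agent's key blob uses the SSH wire encoding (RFC 4251): every string and multi-precision integer is prefixed with a 4-byte big-endian length. As an added illustration (not code from the original post or its PoC repository), the reader below parses an ssh-rsa public key blob built from constructed toy values and computes the SHA256 fingerprint that ssh-keygen -lf and ssh-add -L print, which lets an administrator match an agent entry to a known public key by fingerprint; the toy modulus and the assumption that the registry key name uses this same fingerprint encoding are mine, not the page's.

```python
import base64
import hashlib
import struct


def read_string(blob: bytes, offset: int):
    """Read one SSH 'string': 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def read_mpint(blob: bytes, offset: int):
    """An SSH 'mpint' is a string holding a two's-complement big-endian integer."""
    raw, offset = read_string(blob, offset)
    return int.from_bytes(raw, "big", signed=True), offset


def write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def write_mpint(value: int) -> bytes:
    # Positive values get a leading 0x00 byte when their high bit is set.
    return write_string(value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def parse_rsa_public_blob(blob: bytes):
    """Parse an 'ssh-rsa' public key blob (type string, e, n) into (e, n)."""
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"unexpected key type {key_type!r}")
    e, off = read_mpint(blob, off)
    n, off = read_mpint(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after public key")
    return e, n


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed toy values: not a real key, and the modulus is far too small to be one.
TOY_E = 65537
TOY_N = 0xC0FFEE_DEADBEEF_12345678_9ABCDEF1
TOY_BLOB = write_string(b"ssh-rsa") + write_mpint(TOY_E) + write_mpint(TOY_N)

if __name__ == "__main__":
    print(parse_rsa_public_blob(TOY_BLOB), fingerprint(TOY_BLOB))
```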
GitHub Repo
The first is a PowerShell script (extract_ssh_keys.ps1), which queries the registry for any keys saved by ssh-agent. It then uses DPAPI in the current user's context to unprotect the binaries and encodes the result as Base64. Since I don't know how to parse binary data in PowerShell, I save all the keys to a JSON file, which I then import in Python. The PowerShell script is only a few lines:
$path = "HKCU:\Software\OpenSSH\Agent\Keys\"
$regkeys = Get-ChildItem $path | Get-ItemProperty
if ($regkeys.Length -eq 0) {
    Write-Host "No keys in registry"
    exit
}
$keys = @()
Add-Type -AssemblyName System.Security
$regkeys | ForEach-Object {
    $key = @{}
    $comment = [System.Text.Encoding]::ASCII.GetString($_.comment)
    Write-Host "Pulling key:" $comment
    $encdata = $_.'(default)'
    $decdata = [Security.Cryptography.ProtectedData]::Unprotect($encdata, $null, 'CurrentUser')
    $b64key = [System.Convert]::ToBase64String($decdata)
    $key[$comment] = $b64key
    $keys += $key
}
ConvertTo-Json -InputObject $keys | Out-File -FilePath './extracted_keyblobs.json' -Encoding ascii
Write-Host "extracted_keyblobs.json written. Use Python script to reconstruct private keys: python extractPrivateKeys.py extracted_keyblobs.json"
I borrowed heavily from parse_mem_python.py and updated it to Python 3 for my next script, extractPrivateKeys.py. Feeding it the JSON generated by the PowerShell script outputs all the RSA private keys:
These RSA private keys are unencrypted. Although I set a passphrase when I created them, ssh-agent stores them without that passphrase protection (only DPAPI in the current user's context stands between them and any code running as that user), so the passphrase is no longer needed.
To verify, I copied a key back to my Kali Linux box, checked the fingerprint, and used it to SSH in!
That concludes how to extract SSH private keys from the Windows 10 ssh-agent. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, you can share it for more people to see.
© 2024 shulou.com SLNews company. All rights reserved.