{"id":13538149,"url":"https://github.com/cryptolok/crykex","last_synced_at":"2025-04-02T05:31:05.402Z","repository":{"id":110324012,"uuid":"112111597","full_name":"cryptolok/CryKeX","owner":"cryptolok","description":"Linux Memory Cryptographic Keys Extractor","archived":false,"fork":false,"pushed_at":"2023-05-22T11:36:51.000Z","size":10266,"stargazers_count":235,"open_issues_count":0,"forks_count":35,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-11-03T03:30:59.094Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cryptolok.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-26T19:47:42.000Z","updated_at":"2024-08-12T19:34:20.000Z","dependencies_parsed_at":"2024-01-16T15:41:19.122Z","dependency_job_id":"0b018ea5-6b6d-4a5d-a1cf-3357addc2799","html_url":"https://github.com/cryptolok/CryKeX","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptolok%2FCryKeX","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptolok%2FCryKeX/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptolok%2FCryKeX/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptolok%2FCryKeX/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cryptolok","download_url":"https://codeload.github.com/cryptolok/CryKeX/tar.gz/refs/heads/master","host":{"name":"GitHub",
"url":"https://github.com","kind":"github","repositories_count":246763794,"owners_count":20829794,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:07.128Z","updated_at":"2025-04-02T05:31:04.741Z","avatar_url":"https://github.com/cryptolok.png","language":"Shell","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003eNewly added","\u003ca id=\"41d260119ad54db2739a9ae393bd87a5\"\u003e\u003c/a\u003eTools"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003eNewly added","\u003ca id=\"3828e67170e5db714c9c16f663b42a5e\"\u003e\u003c/a\u003eNewly added"],"readme":"![](https://github.com/cryptolok/CryKeX/raw/master/logo.png)\n\nProperties:\n* Cross-platform\n* Minimalism\n* Simplicity\n* Interactivity\n* Compatibility/Portability\n* Application Independent\n* Process Wrapping\n* Process Injection\n\nDependencies:\n* **Unix** - should work on any Unix-based OS\n\t- BASH - the whole script\n\t- root privileges (optional)\n\nLimitations:\n* AES and RSA keys only\n* Fails most of the time for the Firefox browser\n* Won't work for disk encryption (LUKS) and PGP/GPG\n* Needs proper user privileges and memory authorizations\n\n# How it works\n\nYou may have already heard of or even used my [AES-REX](https://github.com/cryptolok/AES-REX) project, which does pretty much the same thing, but differently. 
Whereas AES-REX extracts cryptographic keys from registers, CryKeX extracts them from volatile memory (RAM).\n\n[Some](https://dfrws.org/sites/default/files/session-files/paper-the_persistence_of_memory_-_forensic_identification_and_extraction_of_cryptographic_keys.pdf) [work](https://www.scribd.com/doc/130070110/Extracting-Encryption-keys-from-RAM) has already been published on the security of cryptographic keys in DRAM. Basically, we need to find something that looks like a key (high entropy and a specific length) and then confirm its nature by analyzing the memory structure around it (C data types).\n\nThe idea is to dump the live memory of a process and apply those techniques to find probable keys, since the memory mapping doesn't change. Thankfully, tools exist for that purpose.\n\nThe script is not only capable of injecting into already running processes, but also of wrapping new ones, by launching them separately and injecting shortly afterwards. This makes it capable of dumping keys from almost any process/binary on the system.\n\nOf course, access to memory is restricted by the kernel, which means that you still need privileges for the target process.\n\nLinux disk encryption (LUKS) uses an anti-forensic [technique](https://gitlab.com/cryptsetup/cryptsetup/wikis/LUKS-standard/on-disk-format.pdf#4) to mitigate this issue; however, extracting keys from the whole memory is still possible.\n\nThe Firefox browser uses somewhat similar memory management and thus seems not to be affected.\n\nThe same goes for PGP/GPG.\n\nUnfortunately, solutions like [Ansible](https://docs.ansible.com/ansible/latest/user_guide/vault.html) are affected.\n\nYou can read more details in [eForensics](https://eforensicsmag.com/download/open-source-forensic-tools/).\n\n## HowTo\n\nInstalling dependencies:\n```bash\nsudo apt install gdb aeskeyfind rsakeyfind || echo 'have you heard about source compiling?'\n```\n\n\nAn interactive example for OpenSSL AES keys:\n```bash\nopenssl 
aes-128-ecb -nosalt -out testAES.enc\n```\nEnter a password twice, then some text, and before terminating:\n```bash\nCryKeX.sh openssl\n```\nFinally, press Ctrl+D 3 times and [check](http://aes.online-domain-tools.com/) the result.\n\n\nOpenSSL RSA keys:\n```bash\nopenssl genrsa -des3 -out testRSA.pem 2048\n```\nWhen prompted for a passphrase:\n```bash\nCryKeX.sh openssl\n```\nVerify:\n```bash\nopenssl rsa -noout -text -in testRSA.pem\n```\n\n\nLet's extract keys from SSH:\n```bash\necho 'Ciphers aes256-gcm@openssh.com' \u003e\u003e /etc/ssh/sshd_config\nssh user@server\nCryKeX.sh ssh\n```\n\nFrom OpenVPN:\n```bash\necho 'cipher AES-256-CBC' \u003e\u003e /etc/openvpn/server.conf\nopenvpn yourConf.ovpn\nsudo CryKeX.sh openvpn\n```\n\nTrueCrypt/VeraCrypt is also affected:\nSelect the \"veracrypt\" file in VeraCrypt, mount with password \"pass\" and:\n```bash\nsudo CryKeX.sh veracrypt\n```\n\nChromium-based browsers (thanks Google):\n```bash\nCryKeX.sh chromium\nCryKeX.sh google-chrome\n```\n\nDespite Firefox not being explicitly affected, Tor Browser Bundle is still susceptible due to tunneling:\n```bash\nCryKeX.sh tor\n```\n\nAs said, you can also wrap processes:\n```bash\napt install libssl-dev\n# libraries go after the source file so the linker resolves libcrypto symbols\ngcc cipher.c -o cipher -lcrypto\nCryKeX.sh cipher\n\twrap\n\tcipher\n```\n\n### Notes\n\nFeel free to contribute and test other applications.\n\n\u003e \"The key of persistence opens all doors closed by resistance\"\n\nJohn Di Lemme\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcryptolok%2Fcrykex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcryptolok%2Fcrykex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcryptolok%2Fcrykex/lists"}