SSL Key/Cert Finder

Latest Version: v1.0 from 2006 — Current Status: No longer maintained.

In 2006 I published a paper titled All Your Private Keys are Belong to Us — Extracting RSA Private Keys and Certificates from Process Memory in which I discussed a novel technique to extract RSA private keys and SSL certificates from process memory.

Summary

The standard storage formats for RSA private keys and SSL certificates, defined in PKCS #8 and X.509 respectively, yield a byte-level signature for locating them in memory. A simple pattern match for this signature extracts the candidate asymmetric keys in their plaintext form, which can then be verified with an external tool such as OpenSSL.
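An added example of the signature-based scan the summary describes, written here from a memory-forensics angle and not taken from the plugin or the paper: it walks a byte buffer (such as a dump of a process you are auditing for leftover key material) and reports each offset whose DER structure has the ASN.1 shape of an X.509 Certificate or a PKCS #8 PrivateKeyInfo. The sample buffer, and the structurally valid but cryptographically meaningless certificate and key embedded in it, are constructed in the block.

```python
def tlv_at(buf, i, end):
    """Parse the DER TLV at buf[i] (must end by `end`); return (tag, content_start, content_end) or None."""
    if i + 2 > end:
        return None
    b, hdr = buf[i + 1], 2
    if b >= 0x80:                                  # long form: 0x80 | number of length bytes
        n = b & 0x7F
        if n == 0 or n > 4 or i + 2 + n > end:     # 0x80 (indefinite) is not valid DER
            return None
        b, hdr = int.from_bytes(buf[i + 2:i + 2 + n], "big"), 2 + n
    return None if i + hdr + b > end else (buf[i], i + hdr, i + hdr + b)

def children(buf, start, end):
    """All TLVs laid end to end in buf[start:end], or None if malformed."""
    out, i = [], start
    while i < end:
        t = tlv_at(buf, i, end)
        if t is None:
            return None
        out.append(t)
        i = t[2]
    return out

def classify(buf, i):
    """Return 'x509', 'pkcs8' or None for the DER SEQUENCE starting at buf[i]."""
    outer = tlv_at(buf, i, len(buf)) if buf[i] == 0x30 else None
    kids = children(buf, outer[1], outer[2]) if outer else None
    tags = [k[0] for k in kids] if kids else []
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }
    if tags == [0x30, 0x30, 0x03]:
        return "x509"
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER 0, privateKeyAlgorithm SEQUENCE, privateKey OCTET STRING, ... }
    if tags[:3] == [0x02, 0x30, 0x04] and buf[kids[0][1]:kids[0][2]] == b"\x00":
        return "pkcs8"
    return None

def scan(buf):
    """(offset, kind) for each candidate; real certs and keys exceed 255 bytes, so they begin with 30 82."""
    return [(i, k) for i in range(len(buf)) for k in [classify(buf, i)] if k]

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption 1.2.840.113549.1.1.1
# Constructed sample: shape-correct (not cryptographically valid) cert and key surrounded by filler bytes.
FAKE_CERT = tlv(0x30, tlv(0x30, tlv(0x04, b"\xaa" * 290)) + tlv(0x30, RSA_OID) + tlv(0x03, b"\x00" * 9))
FAKE_KEY = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, RSA_OID + tlv(0x05, b"")) + tlv(0x04, b"\xcc" * 290))
SAMPLE = b"\x41" * 100 + FAKE_CERT + b"\x00" * 37 + FAKE_KEY + b"\xff" * 20
```

Candidates reported by `scan` still need the verification step the summary mentions (for instance feeding the bytes at each offset to OpenSSL), since the scan only checks structure.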

Proof-of-Concept Implementations

SSL Key/Cert finder IDA Pro plugin v1.0 (compatible with IDA Pro 4.6 and later; 32-bit)
SHA-256: 4116CC9DA6F7C610A1584699627429D0701DE07EF495CDA12AB41EDDC1922160

SSL Key/Cert finder exploit payload (no longer available because of §202c of the German Criminal Code, StGB)

Third-party implementations: Volatility plugin, IDA Pro script.

Use Case

Michael Hale Ligh, a core developer of The Volatility Framework, wrote an interesting blog post analyzing Stuxnet's footprint in memory with the aforementioned Volatility plugin.

Citations

The paper as well as the tools are cited in various academic journals and books.

Remote Extraction of RSA Private Keys in the Wild

It seems that the so-called Equation Group (widely believed to be operated by the NSA) used a similar technique to remotely extract RSA private keys from Cisco PIX devices.