Skip to content

kudelskisecurity/volatility-gpg

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Asciinema demo

Volatility3 gpg passphrase recovery plugin

Python 3.6+ License: GPL v3

This repository contains Volatility3 plugins that can retrieve partial and full gpg passphrases from gpg-agent's cache.

gpg_partial.py may retrieve at most 8 characters from a passphrase for gnupg using versions of libgcrypt older than 1.8.9.

gpg_full.py may fully retrieve passphrases.

Installation

Pass this directory as plugin directory using the -p option when using volatility3 (see examples below).

Use either the linux.gpg_partial or the linux.gpg_full plugins.

Make sure to use the latest git version of volatility3: https://github.com/volatilityfoundation/volatility3

mkdir ~/git
cd ~/git
git clone https://github.com/volatilityfoundation/volatility3

Usage

Just before capturing the memory dump, a file was symmetrically encrypted with gpg. When prompted, we enter a passphrase of our choice:

echo "some text that we want to encrypt" > cleartext.txt
gpg --symmetric --cipher-algo AES-256 -o out.enc cleartext.txt
gpg -d out.enc

For this example, we chose a passphrase that is longer than 8 characters: verylongpassphrase*!!.

A memory dump can be obtained, for example, using LiME. Volatility3 will also require the corresponding symbols, which can be generated as explained here.

Using the gpg_partial plugin, only the first 8 characters can be retrieved:

$ ~/git/volatility3/vol.py -f memdump-gpg-verylongpassphrasestarexclexcl -s symbols/ -p ~/git/volatility-gpg/ linux.gpg_partial
Volatility 3 Framework 2.0.0
Progress:  100.00               Stacking attempts finished                 
Offset  Partial GPG passphrase (max 8 chars)

0x7fb04caee2a0  verylong

With the gpg_full plugin, the full passphrase can be retrieved:

$ ~/git/volatility3/vol.py -f memdump-gpg-verylongpassphrasestarexclexcl -s symbols/ -p ~/git/volatility-gpg/ linux.gpg_full --fast --epoch 1638107484
Volatility 3 Framework 2.0.0
Progress:  100.00               Stacking attempts finished                 
Offset  Private key     Secret size     Plaintext
Searching from 28 Nov 2021 14:51:24 to 10 Jun 2022 20:11:39

0x7fb048002578  788dc61976e3ac8e9e10d7b80b3e7b40        32      verylongpassphrase*!!
0x7fb048002578  788dc61976e3ac8e9e10d7b80b3e7b40        32      verylongpassphrase*!!

The estimated epoch time around which the gpg-agent cache item was created can be passed as a parameter using the --epoch option. If it is not passed, the current time is used by default. Note that it is important to pass the right epoch time because only cache items created in the searched time range may be recovered.

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

About

Volatility3 plugin to extract secrets from gpg-agent

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages