Category Archives: Reverse Engineering

Decrypting OpenSSH sessions for fun and profit

This is a copy of the original article for archival purposes: https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/

Introduction

A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. The customer had pcaps and a hypervisor snapshot of the system at the moment it was compromised. We started wondering if it was possible to decrypt the SSH session and gain knowledge of it by recovering key material from the memory snapshot. In this blog post I will cover the research I have done into OpenSSH and release some tools to dump OpenSSH session keys from memory and decrypt and parse sessions in combination with pcaps. I have also submitted my research to the 2020 Volatility framework plugin contest.


Pwnium CTF – Kernel land write-up

So.. My first CTF writeup! I participated with a few others in the Pwnium capture-the-flag. One of the challenges I looked at was the Reverse Engineering challenge “Kernel Land”. The challenge gave a link to a binary with the tip: “The third Tick gives you the answer ;)”. After a first peek it appeared to be a Linux binary:

root@kalipwn:~/Downloads# file kernel
kernel: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

The Undocumented IsTopLevelWindow API

Once again I am astounded that such a simple, yet important API exists but is undocumented. I am talking about the IsTopLevelWindow function which is exported from user32.dll. As the name suggests it determines if a given window is a top-level window. I inspected User32.dll on Windows 7 and Windows 8.1 where it was present. Other Operating Systems may be supported.