- Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory.
This POC demonstrates a method for obtaining GPG private keys from gpg-agent memory under Windows.
Normally this should be possible only within a 10-minute time frame (the --default-cache-ttl value).
Unfortunately, the housekeeping() function (which is responsible for cache cleanup) is executed only while you are using GPG (there is no timer).
This means that in a normal GPG use case, e.g. you sign a file, then close the GUI and do other tasks, your passphrase is still in gpg-agent memory (even after the TTL has expired).
An attacker who has access to your current session can use this to steal the private key without knowing your passphrase.
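As an added mitigation example (not part of GPG Reaper), the following PowerShell shortens gpg-agent's cache TTLs and kills the agent after each signing operation, so a cached passphrase is discarded whether or not housekeeping() ever runs. It assumes GnuPG's default home directory %APPDATA%\gnupg and that gpg and gpgconf are on PATH.

```powershell
# Added example, not part of GPG Reaper: limit how long gpg-agent may hold a
# cached passphrase on Windows, and flush it explicitly after signing.
# Assumes GnuPG's default home %APPDATA%\gnupg and gpg/gpgconf on PATH.

$AgentConf = Join-Path $env:APPDATA 'gnupg\gpg-agent.conf'

# Weak (implicit) setting: no cache options at all, i.e. the 600-second
# default that housekeeping() may never enforce once gpg goes idle.
# Hardened setting: short TTLs so even a running agent drops the entry soon.
$Hardened = @'
default-cache-ttl 60
max-cache-ttl 120
'@

function Set-GpgAgentCacheTtl {
    # Create the config file if missing, append the TTL lines once only.
    if (-not (Test-Path $AgentConf)) {
        New-Item -ItemType File -Path $AgentConf -Force | Out-Null
    }
    $existing = Get-Content -Path $AgentConf -Raw
    if ($existing -notmatch 'max-cache-ttl') {
        Add-Content -Path $AgentConf -Value $Hardened
    }
    # Ask a running agent to re-read its configuration.
    & gpgconf --reload gpg-agent
}

function Invoke-GpgSignAndFlush {
    param([Parameter(Mandatory)][string]$Path)
    try {
        & gpg --detach-sign $Path
    } finally {
        # TTL or not, the passphrase is gone once the agent process is gone.
        & gpgconf --kill gpg-agent
    }
}

# Usage: Set-GpgAgentCacheTtl; Invoke-GpgSignAndFlush -Path .\release.zip
```

Killing the agent also drops any other cached entries and smartcard state, so the next GPG operation will prompt again; that is the intended trade-off.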
Basic usage:

On the victim computer:

```
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txt
```

Transfer out.txt to your machine and restore the private keys:

```
gpg_reaper.py out.txt
```
Timeline
- 05-03-2018: Release