SSH/RSA Key Search

Sometimes you get a disk image that can’t be nicely mounted. However, you’d still like to retrieve any SSH/RSA keys. I found a nice article that will get you close to the answer: http://amandine.aupetit.info/291/ssl-private-key-file-recovery/

grep -i -a -B30 -A50 'BEGIN RSA PRIVATE KEY' /dev/sda2

The only thing I changed is the amount of context: 30 lines before and 50 after is a little much. 5 before and 30 after should capture MOST keys. If you see a long/secure key, it may be up to 50 lines, but then you can just refine the grep later.
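
An added example, not part of the original post: a shell function that runs the same grep and keeps only complete BEGIN..END blocks, so a key cut short by too small an -A value is dropped instead of saved as a broken file. The function names, the key_N.pem output layout and the sample image contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): carve complete RSA PEM blocks.
# carve_rsa_keys IMAGE OUTDIR [AFTER]
#   Writes each complete BEGIN..END block to OUTDIR/key_N.pem, prints the count.
carve_rsa_keys() {
    img=$1; out=$2; after=${3:-30}   # 30 trailing lines, as the post suggests
    mkdir -p "$out"
    # -a reads the raw device/image as text; no -B needed, the match is line 1.
    # tr drops NUL bytes so every awk implementation sees plain strings.
    LC_ALL=C grep -a -A"$after" -e '-----BEGIN RSA PRIVATE KEY-----' "$img" |
    tr -d '\000' |
    LC_ALL=C awk -v dir="$out" '
        { sub(/\r$/, "") }                       # tolerate CRLF key files
        /-----BEGIN RSA PRIVATE KEY-----/ {
            buf = "-----BEGIN RSA PRIVATE KEY-----\n"   # drop junk before marker
            inkey = 1; next
        }
        inkey && /-----END RSA PRIVATE KEY-----/ {
            f = dir "/key_" (++n) ".pem"
            printf "%s-----END RSA PRIVATE KEY-----\n", buf > f
            close(f); inkey = 0; next
        }
        # body: base64, blank line, or the headers of an encrypted key
        inkey && ($0 == "" || $0 ~ "^[A-Za-z0-9+/=]+$" ||
                  $0 ~ "^(Proc-Type|DEK-Info): ") { buf = buf $0 "\n"; next }
        inkey { inkey = 0 }   # anything else: block overwritten or cut off
        END { print n + 0 }'
}

# Constructed sample image: binary junk, one intact (fake) key, one cut-off key.
make_sample_image() {
    {
        printf '\000\001\377\376 junk before\n'
        printf '\000\000slack-----BEGIN RSA PRIVATE KEY-----\n'
        printf 'AAAAconstructedSAMPLEnotArealKEY0001\n'
        printf 'AAAAconstructedSAMPLEnotArealKEY0002\n'
        printf '%s\n' '-----END RSA PRIVATE KEY-----'
        printf '\377\377 more junk\n'
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'
        printf 'AAAAtruncatedSAMPLE\n\001\002 overwritten\n'
    } > "$1"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_sample_image "$tmp/disk.img"
    carve_rsa_keys "$tmp/disk.img" "$tmp/keys"   # prints 1
fi
```

If the count is lower than the number of BEGIN markers grep reports, rerun with a larger third argument (for example 50) before concluding the remaining keys are damaged.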
