rsakeyfind MEMORY-IMAGE [MODULUS-FILE]
rsakeyfind is a tool that locates BER-encoded RSA private keys in MEMORY-IMAGE. If a MODULUS-FILE is specified, it will locate private and public keys matching the hex-encoded modulus read from this file.
If MODULUS-FILE is provided, the program searches for the modulus and attempts to parse the surrounding data as a BER-encoded public or private key.
Otherwise the program searches for a fixed pattern--the BER-encoded RSA version field followed by the integer type of the following field in an RSA key--and attempts to parse the surrounding data as a BER-encoded private key.
These techniques were successfully tested on a Linux system running Apache 2.2.3 with mod_ssl. However, RSA implementations that store keys in memory using a different format will not be susceptible.
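The pattern search described above, as an added Python sketch that is not rsakeyfind's own code: it assumes the pattern bytes are 02 01 00 02 (INTEGER version 0 followed by the next INTEGER tag), and the function names and the p * q == n check used to reject false hits are choices made for this example. The sample image is constructed from a toy key.

```python
PATTERN = b"\x02\x01\x00\x02"  # INTEGER version 0, then the tag of the next INTEGER

def read_len(buf, pos):
    """Decode a BER length at pos; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    if buf[pos] < 0x80:                      # short form
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def read_ints(buf, pos, end, count):
    """Parse `count` consecutive BER INTEGERs inside buf[pos:end], or None."""
    out = []
    for _ in range(count):
        hdr = read_len(buf, pos + 1) if pos < end and buf[pos] == 0x02 else None
        if hdr is None or hdr[0] + hdr[1] > end:
            return None
        out.append(int.from_bytes(buf[hdr[1]:hdr[0] + hdr[1]], "big"))
        pos = hdr[0] + hdr[1]
    return out

def find_rsa_private_keys(image):
    """Return [(offset, modulus_bits)] for each structure that parses and checks."""
    hits, i = [], image.find(PATTERN)
    while i != -1:
        for hdr in (2, 3, 4, 5):             # SEQUENCE tag plus 1..4 length bytes
            start = i - hdr
            seq = read_len(image, start + 1) if start >= 0 and image[start] == 0x30 else None
            if seq is None or seq[1] != i:
                continue
            ints = read_ints(image, i, min(i + seq[0], len(image)), 9)
            # version, n, e, d, p, q, dP, dQ, qInv: keep only if p * q == n
            if ints and ints[1] > 1 and ints[4] * ints[5] == ints[1]:
                hits.append((start, ints[1].bit_length()))
        i = image.find(PATTERN, i + 1)
    return hits

def der_int(v):                              # helper used only to build the sample
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body

# Constructed sample: toy key (p=61, q=53) placed after a decoy pattern hit.
_p, _q, _e, _d = 61, 53, 17, 2753
_body = b"".join(der_int(v) for v in (0, _p * _q, _e, _d, _p, _q, _d % (_p - 1), _d % (_q - 1), pow(_q, -1, _p)))
SAMPLE_IMAGE = b"\xAA" * 64 + PATTERN + b"\x01\x05" + b"\xAA" * 10 + b"\x30" + bytes([len(_body)]) + _body + b"\xAA" * 32

print(find_rsa_private_keys(SAMPLE_IMAGE))
```

The decoy at offset 64 matches the four pattern bytes but has no enclosing SEQUENCE header, so only the structure at offset 80 is reported; running the same scan over a core dump of your own service shows whether its keys sit in memory in this parseable form.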
aesfix(1), aeskeyfind(1), biosmemimage(1)
rsakeyfind was written by Nadia Heninger and J. Alex Halderman.