Where is the encryption "password" for auto-encrypted WS_FTP SSH private SSH keys?

2

I'm using WS_FTP to Automatically transfer files between my system and a large bank over FTPS.

When I browse to C:\Documents and Settings\Username\Application Data\Ipswitch\WS_FTP\SSH\ClientKeyStore I see the private and public key in TXT format.

I'm attempting to export these raw keys and import them into a new FTPS client, however the private key is secured using a private key I never typed in. To be sure of this, I created a new SSH key, and again saw that the private key was also created using a key I didn't type.

I can only assume that the text password required for SSH private keys is managed by WS_FTP itself, and after a call with tech support, they were unable to assist me either.

Where can I get the private key for WS-FTP SSH keys?

goodguys_activate

Posted 2014-12-15T23:41:30.040

Reputation: 1 925

Answers

1

I know this is an old thread but I spent a lot of time trying to figure this out and I couldn't find any guides online apart from this post. Martin was on the right path except for the base64 encoding on the passphrase. It turns out the encoding is a little bit more complex, but there already is a tool out there for getting past that: https://github.com/Ciastex/UniDec (you can also use this tool to recover site passwords)

I will run through the sample key Martin posted up because even with UniDec it took me a while to figure out the passphrase.

From the Store.ini file we get:

Pass=_uYIiwEW/JZFazUCvOd/TWbCmvzSdwu9aCmtFaVCSH51nomzGuvWAEAkti3EvnB+M0mTy6Z9CFma3nqAWO5IH1olwmyLYcJLoCOIUDLgd3/rA3LiiF4PUtT5saieLNBZZKHsJXOkzltW6/n4QhOJx/l345tmz079mEljhaN+2Dao=

Use UniDec with the WSFTP12 plugin:

UniDec.exe wsftp12 dec _uYIiwEW/JZFazUCvOd/TWbCmvzSdwu9aCmtFaVCSH51nomzGuvWAEAkti3EvnB+M0mTy6Z9CFma3nqAWO5IH1olwmyLYcJLoCOIUDLgd3/rA3LiiF4PUtT5saieLNBZZKHsJXOkzltW6/n4QhOJx/l345tmz079mEljhaN+2Dao=

Unidec returns:

tgNEu9GS3zoj5aMqnzzLb7RuYxqyO8kaN0bVlndXXpTTT52DHcKdQIIYWAVN0ZIkPg3BpvTR2EstOGd+NOOf0Q== 0M0JDARAMFqcFpgfm76MAUSpWVurQfKNvKcRCg=

Note the space after == Only the first part of the returned string is your passphrase. Remaining characters are some kind of padding that we can ignore. Now we have all of the information needed to decrypt the PKCS#8 private key file.

openssl rsa -in Pri26BD.tmp -out decrypted.key
Enter pass phrase for Pri26BD.tmp: tgNEu9GS3zoj5aMqnzzLb7RuYxqyO8kaN0bVlndXXpTTT52DHcKdQIIYWAVN0ZIkPg3BpvTR2EstOGd+NOOf0Q== 
writing RSA key

And here is the final key:

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDTSC7Y6bKJ5mVlJeTkcHF7H13+nRuldBHUgcuDcb6F3aDBIFch
SzkNwpfzWnNFMQu1KNIy2o/V2FepN8C7QnS6FJIYsZ5wwUAyGtmTSfi+xN/jKIiP
55m8fz0kj1Fg2MyRb7IMj474hi7WMem9AJf4HIhOw3QRo+RebN9kf27k4QIDAQAB
AoGBALs5vOHU/bR7qSBf2xyfk8AyRJ3q5OPSHja9KfX55oZDpj9dhDhpq05JQVOR
tJH8604GtXYA/fLW+p9mW3DVbA8XONUHOleG2gRtsrk3gnBsKmp8OjyMC3UPFp21
e0IbrTNeUVkCWkBZVll6EZykPwnV2dE5ue7rV7j8p9tqh+sBAkEA/+DM1ctAvJvL
NFGmqjkZNP7SRXQa/ZrgqIgU+9hU232seDBEGRZba9lA+9sahDybHq1f0NyNnmCE
iuacbiBYsQJBANNh8fSTI5mEy3EJdx7w9dpPfqDJrua5hx398fUpJcXQNuSy6gph
EAPNLNxmi+z/kHlnAS53XnoCYSpYNSTnWzECQQCRFb4PW3gReaT2vXVq/4Uzb2l6
yCKlubO427BKPJeg/NlWLMfwEaU0ubMHG20lnde2xUeW/feu3btJpwj7yIuBAkBT
7Y6o4gb/fFdeYTi3w0qKTIflhU55c25vfRWllpnVyc8RzOvaBSHbsIpAVEL4bZxK
Z5hzf5e2b91ud6laJrXxAkEA48kg0N7RorSZUoE03SWOqMMKteq5nIxMlUZsK4ho
cwUDlut23aBCVU2wMs8ySxr0o9n7Ix1FNVNlQA4k2Xu9Mw==
-----END RSA PRIVATE KEY-----

Hope this helps someone out.

PatrykB

Posted 2014-12-15T23:41:30.040

Reputation: 11

1

The passphrase seems to be stored in the same folder as the key in Store.ini file:

[____Item____0]
____ItemName____=mysite
PublicKey=C:\Users\martin\AppData\Roaming\Ipswitch\WS_FTP\SSH\ClientKeyStore\Pub262F.tmp
Pass=_uYIiwEW/JZFazUCvOd/TWbCmvzSdwu9aCmtFaVCSH51nomzGuvWAEAkti3EvnB+M0mTy6Z9CFma3nqAWO5IH1olwmyLYcJLoCOIUDLgd3/rA3LiiF4PUtT5saieLNBZZKHsJXOkzltW6/n4QhOJx/l345tmz079mEljhaN+2Dao=
PrivateKey=C:\Users\martin\AppData\Roaming\Ipswitch\WS_FTP\SSH\ClientKeyStore\Pri26BD.tmp

It seems like base-64 encoded binary passphrase. Though I still was not able to decrypt the key.

I decoded the binary passphrase (using PHP base64_decode) and saved it to a file phrase. It has nice round 128 bytes, that looks good.

Then I run:

openssl rsa -in Pri26BD.tmp -out key.decrypted -passin file:phrase

and got:

unable to load Private Key
139830511232840:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:596:
139830511232840:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
139830511232840:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
139830511232840:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

So this is actually not a final answer, but at least a step forward. Maybe someone else will be able to build on it.

The test key (to make the post complete):

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICzzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIKhkn8LKv5EACAggA
MB0GCWCGSAFlAwQBKgQQSOjD82fwWX4q8EHVC7TQKQSCAoAfnMulDagEiw3Sw2kT
gWVVxesbanCeLCbuHLg8IkF7vFM84xfAwv0te60fTLM1PGOzD3mDQK3xFbHNAXMI
6X+cblkpqBu3COqfOEW0Kwt5CX0g1GZwRAe7LrysQcstqw8dSxmdmgK/YcJLvIn6
cNpwPP6XD6Jrlp1Z2yBotCBj13hs6VUZCH9U5N5/XiGeyMxniTaQag+ITjipanYt
tjGGDYKeGZkLrbJjaXuQh4PyfS+PGd03LlMJsuXMFpEIvWvxiRnOKHXJoHYDF8Z0
cWgD/+dZ9prkgAjN6PtEej8RDQFeEcDn6/jr//SbV2zo/m6+peYg99cUkeokpUJX
04fssu0s3ZjNPF9WdaS19FDioH9wqffFvNtWRlLc8tAFALZmSZROz0RGNaTaiO61
uH3KnAtAo1vyQWJR3THX2ebecq603XlH8aWlshi7pONzXTSvdTbT8iP5VCPri7Yp
EqityjbrXT2skH2rCE0vDqXXuKwsxuNROMR6IpkedVyA+AFOTU8gFVOuyZ3uSgZm
9t5tHw5+4wzI5MMuh1BbuwvyxzZG+NlbLdDfehvRjm1kY99OaAL9kp14xm4zVsnz
dORnuNjLwvTCaxHDa/TJQonuiUu8M98VDT7H4dLA1/iTyLxieNlYp7DHP3zGO8Y6
5zZeRHJYkkIMhAqd7WYokCHJljwC9c6D49M9ISZThHgZLR1+DVa5f7g58MlliP3E
q2xgDf9oP7uBPnk5ZiVllkvOzrZ1ucfr4Is/0vp2wZ0AdOW72OsKOsxnorTuT/jb
Mce5i8UoJtRVeUrcnU/KY3yTZEB6mRgh9B6htYAySLvfVdwZd0EnanqN+pnVnN80
Yx9Q
-----END ENCRYPTED PRIVATE KEY-----

Martin Prikryl

Posted 2014-12-15T23:41:30.040

Reputation: 13 764

Asked: 2014-12-15T23:41:30.040

Viewed: 1 439 times

Active: 2019-03-13T15:38:20.900