Skip to content

Instantly share code, notes, and snippets.

@khramtsoff

khramtsoff/jenkins-ssh-decrypt.py

Created August 18, 2016 09:23
Show Gist options
  • Save khramtsoff/b138060aede2585897874382a6ce5ee3 to your computer and use it in GitHub Desktop.
Save khramtsoff/b138060aede2585897874382a6ce5ee3 to your computer and use it in GitHub Desktop.
Download ZIP
Decrypt jenkins ssh hashes
Raw
jenkins-ssh-decrypt.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# original: https://raw.githubusercontent.com/tweksteen/jenkins-decrypt/master/decrypt.py
# detailed explanation: http://thiébaud.fr/jenkins_credentials.html
import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
MAGIC = "::::MAGIC::::"
def usage():
print "./decrypt.py <master.key> <hudson.util.Secret> <credentials.xml>"
sys.exit(0)
def main():
if len(sys.argv) != 4:
usage()
master_key = open(sys.argv[1]).read()
hudson_secret_key = open(sys.argv[2], 'rb').read()
hashed_master_key = sha256(master_key).digest()[:16]
o = AES.new(hashed_master_key, AES.MODE_ECB)
x = o.decrypt(hudson_secret_key)
assert MAGIC in x
k = x[:-16]
k = k[:16]
credentials = open(sys.argv[3]).read()
keys = re.findall(r'<privateKey>(.*?)</privateKey>', credentials, re.DOTALL)
for key in keys:
p = base64.decodestring(key)
o = AES.new(k, AES.MODE_ECB)
x = o.decrypt(p)
print x
assert MAGIC in x
print re.findall('(.*)' + MAGIC, x)[0]
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment