Skip to content

Latest commit

 

History

History
421 lines (300 loc) · 8.2 KB

cryptography.md

File metadata and controls

421 lines (300 loc) · 8.2 KB

Cryptography

Table of Contents

Resources

Name Description URL
Ciphey Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes https://github.com/Ciphey/Ciphey
FeatherDuster An automated, modular cryptanalysis tool; i.e., a Weapon of Math Destruction. https://github.com/nccgroup/featherduster
RsaCtfTool RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data. https://github.com/Ganapati/RsaCtfTool

Base64

$ echo aGVsbG8gd29ybGQh | base64 -d
$ base64 -d lasjkdfhalsfsaiusfs | base64 -d -    // double decryption

bcrypt

$ python -c 'import bcrypt; print(bcrypt.hashpw(b"<PASSWORD>", bcrypt.gensalt(rounds=10)).decode("ascii"))'
$ python -c "import bcrypt; print(bcrypt.hashpw('<PASSWORD>'.encode(), bcrypt.gensalt(rounds=10)))"

bcrypt-cli

$ npm install -g @carsondarling/bcrypt-cli
$ bcrypt $(echo -n "<PASSWORD>" | sha256sum | cut -d " " -f 1) && echo

Creating Password Hashes

Linux

$ cat /etc/shadow
root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7:::

Windows

hashdump.exe

$ .\hashdump.exe /samdump

secretsdump.py (Impacket)

$ impacket-secretsdump -just-dc-ntlm <DOMAIN>.local/Administrator:"<PASSWORD>"@<RHOST>

Generating Hash

$ echo Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e06543aa40cbb4ab9dff::: | md5sum
9ec906faff027b1337f9df4955f917b9

EncFS/6

$ sudo apt-get install encfs

Decryption

$ encfsctl export <SOURCE_FOLDER> <DESTINATION_FOLDER>

Featherduster

https://github.com/nccgroup/featherduster

$ git clone https://github.com/nccgroup/featherduster.git
$ cd featherduster
$ python setup.py install

hash-identifier

$ hash-identifier

hashID

$ hashid -m -j '48bb6e862e54f2a795ffc4e541caed4d'

Magic Function

It tries to detect various Options of Input

https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')&input=TlZDaWpGN242cGVNN2E3eUxZUFpyUGdIbVdVSGk5N0xDQXpYeFNFVXJhS21l

MD5

$ echo 85f3980654g59sif | md5sum

OpenSSL

Create Certificate and Key

$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XY/ST=<ST>/L=<L>/O=<O>/OU=<OU>/CN=<CN>"

Create password for /etc/passwd

$ openssl passwd '<PASSWORD>'

Create Password for /etc/shadow

$ openssl passwd -6 -salt xyz  <PASSWORD>

Read a Certificate

$ openssl req -in <FILE>.txt -noout -text
$ openssl req -text -noout -verify -in <FILE>.req

Extracting Certificate

$ openssl pkcs12 -in <PFX>.pfx -clcerts -nokeys -out <CERTIFICATE>.crt

Extracting Private Key

$ openssl pkcs12 -in <PFX>.pfx -nocerts -out <KEY>.key

Examples

Extracting .pfx Files

$ openssl pkcs12 -in <CERTIFICATE>.pfx -nocerts -out <KEY>.key
$ openssl rsa -in <KEY>.key -out <KEY>.key
$ openssl pkcs12 -in <CERTIFICATE>.pfx -clcerts -nokeys -out <CERTIFICATE>.crt
Login using Certificate and Key
$ evil-winrm -i <RHOST> -S -k <KEY>.key -c <CERTIFICATE>.crt

PBKDF2

Structure

sha256:<ITERATION>:<FROM_HEX_TO_BASE64_SALT>:<FROM_HEX_TO_BASE64_HASHED_PASSWORD>

Formatting One-liner

$ echo "sha256:50000:$(echo <SALT> | xxd -r -p | base64):$(echo <HASHED_PASSWORD> | xxd -r -p | base64)"

CyberChef Recipe & Manual Steps

https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Base64('A-Za-z0-9%2B/%3D')&oeol=FF

Salt

227d873cca89103cd83a976bdac52486

Salt Base64

In2HPMqJEDzYOpdr2sUkhg==

Hashed Password

97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16

Hashed Password Base64

l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY=

Putting all together

sha256:50000:In2HPMqJEDzYOpdr2sUkhg==:l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY=

Cracking with Hashcat

$ hashcat -a 0 -m 10900 <FILE> /PATH/TO/WORDLIST/<WORDLIST>

PuTTY Tools

$ sudo apt-get install putty-tools
$ puttygen my_private_key.ppk -O private-openssh -o id_rsa

Python Pickle

import cPickle

f = open('<FILE>', 'r')
mydict = cPickle.load(f)
f.close

for i in mydict:
    b=[]
    for x in i:
        b.append(x[0] * x[1])
    print ''.join(b)

ROT13

https://tech.pookey.co.uk/non-wp/rot-decoder.php

RSA

https://github.com/Ganapati/RsaCtfTool

Manually breaking RSA

$ python
Python 2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from Crypto.PublicKey import RSA
>>> f = open("decoder.pub","r")
>>> key = RSA.importKey(f.read())
>>> print key.n
85161183100445121230463008656121855194098040675901982832345153586114585729131
>>> print key.e
65537

Notes

e = 85161183100445121230463008656121855194098040675901982832345153586114585729131
n = 65537

Use msieve to get the prime factors which are e if multiplied.

$ ./msieve n = 85161183100445121230463008656121855194098040675901982832345153586114585729131

Prime factors

p = 280651103481631199181053614640888768819
q = 303441468941236417171803802700358403049

That means: n = pq

280651103481631199181053614640888768819 * 303441468941236417171803802700358403049

modinv function

https://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python

crypto.py

from Crypto.PublicKey import RSA

n = 85161183100445121230463008656121855194098040675901982832345153586114585729131
e = 65537
p = 280651103481631199181053614640888768819
q = 303441468941236417171803802700358403049
m = n-(p+q-1)

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

d = modinv(e, m)
key = RSA.construct((n, long(e), d, p, q))
print key.exportKey()
$ python crypto.py
-----BEGIN RSA PRIVATE KEY-----
MIGsAgEAAiEAvEeFgY9UxibHe/Mls88ARrXQ0RNetXeYj3AmLOYUmGsCAwEAAQIg
LvuiAxyjSPcwXGvmgqIrLQxWT1SAKVZwewy/gpO2bKECEQDTI2+4s2LacjlWAWZA
A2kzAhEA5Eizfe3idizLLBr0vsjD6QIRALlM92clYJOQ/csCjWeO1ssCEQDHxRNG
BVGjRsm5XBGHj1tZAhEAkJAmnUZ7ivTvKY17SIkqPQ==
-----END RSA PRIVATE KEY-----

Write it into a file named decoder.priv

Decrypt the File

$ openssl rsautl -decrypt -inkey decoder.priv < pass.crypt

SHA256

Proof of Concept

$ echo -n fff34363f4d15e958f0fb9a7c2e7cc550a5672321d54b5712cd6e4fa17cd2ac8 | wc -c
64
$ echo foobar | sha256sum
aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f  -
$ echo -n aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f | wc -c
64

Creating SHA256 hashed Password with Python

$ python3          
Python 3.10.6 (main, Aug 10 2022, 11:19:32) [GCC 12.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> password = "password123"
>>> encoded = password.encode()
>>> result = hashlib.sha256(encoded)
>>> print(result)
<sha256 _hashlib.HASH object @ 0x7f315f0a96f0>
>>> print(result.hexdigest())
ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

XOR

XOR Table

^ = XOE

1 ^ 1 = 0
1 ^ 0 = 1
0 ^ 1 = 1
0 ^ 0 = 0

Byte Flip Attack

110011 flipped with 111111 = 001100