Vim Encryption

VIM can encrypt text files transparently. I wrote a python script which can decrypt all three types given the password, or do a simple dictionary search.

Never use the old methods ( zip and blowfish ) the way these are used in VIM is broken. The latest blowfish2 method is somewhat better, though there is room for improvement.

Read more…

Hexdumper for C++ IOStreams

A hex::dumper object which can output hexdumps in several ways, configured by using various stream manipulators. Usage is as simple as:

std::cout << hex::hexstring << hex::dumper(data, size) << std::endl;

or

std::cout << hex::offset(0x12000) << std::hex << hex::dumper(data, size) << std::endl;

Read more…

Benchmarking some python crypto libraries

I wrote a little benchmark, comparing the PyCrypto and cryptography python modules.

You can find the script here.

results

Most symmetric ciphers are significantly faster in pyCrypto for small blocksizes. but cryptography is much faster for larger data.

The ratio is the byterate of pycrypto divided by the byterate of cryptography. So values less than 1 mean: cryptography is faster, values larger than 1: pycrypto is faster.

I found that the cryptography library is generally faster for large data volumes, while pycrypto is faster for encrypting small items.

Read more…

PDF Certificate Encryption

Code for this project can be found here: https://github.com/nlitsme/pyPdfCrack

PDFS can be encrypted in several ways, the simplest being the std encryption, using an owner and user password. A more secure way is to use password protected certificates. In this post i describe how exactly these certificates are encrypted, and how they are used to decrypt a pdf. Also i provide python code for parsing the certificate, pdf and do the decryption. Finally i wrote some simple password cracking tools for the certificate.

Read more…

Adding custom ciphers to pyCrypto

A python module for adding custom ciphers to pyCrypto.

In GSMK's software, as a way of future proofing our ciphers, we XOR the result of two ciphers togehter:

Tandem(x) = AES(x) ^ Twofish(x)

Where AES and Twofish are each initialized with a different key.

Now I wanted to use the PyCrypto library as a basis for implementing some of our algorithms. Since Tandem cipher is not something supported by PyCrypto, i would need to add my own cipher, with a interface compatible with pyCrypto's. The problem i found is that in order to use the more complex ciphering modes found in pyCrypto you need to provide PyCrypto with a cipher which already supports several of the more basic ciphering modes.

The advanced modes implemented in Crypto/Cipher/blockalgo.py are these: MODE_CCM MODE_OPENPGP MODE_EAX MODE_SIV MODE_GCM

These are building upon the simple modes implemented by block_template.c: MODE_CTR MODE_CBC MODE_ECB MODE_CFB MODE_OFB and MODE_PGP ( no longer supported by PyCrypto )

So i wrote a base class which adds the simple modes to a cipher providing only the encrypt_block and decrypt_block methods.

The module can be found at: https://github.com/nlitsme/pyCryptoAdapter.

Testing

For the puprpose of testing _BlockCipher, i wrote an AES adapter using my _BlockCipher base class, and several wrapper objects implementing the various basic modes.

Now testing involves comparing the results of the wrapper objects against the original AES with MODE_xxx. This is done in test_consistency.py

pytorify

A module which makes sure all sockets use the TOR proxy at port 9050. Simply add the -mtorify switch to your python commandline.

Source code is available on github.

This module works with both python2 and python3.

Read more…

Key Exchange

Note: this post is more philosyphical, it does not describe any actual useful keyexchange algorithm.

Looking at how keyexchange protocols are constructed. And trying (unsuccesfully) to formulate a set of rules for constructing a keyexchange protocol.

Read more…

osx 10.11 problems

After installing OSX El Capitan ( OSX 10.11 ), I ran into several problems:

  • I was unable to modity system files
  • Problem with Java based apps
  • Problem with kernel extensions
  • Menumeters no longer works

Here are some workarounds.

Read more…

"Strange url in iOS CaptiveNetworkSupport binary"

While looking at traffic generated by iOS 8, I noticed that the request iOS uses to figure out if the current WLAN network it is connected to the internet had changed, I remembered it looked like this:

GET /library/test/success.html
Host: www.apple.com
Connection: close
User-Agent: CaptiveNetworkSupport-209.39 wispr

But now i noticed different requests, like

GET /PNLQhvxZ/xuysvIAF/UlBMhXpM/96j7W4OI.html
Host: www.itools.info
Connection: close
User-Agent: CaptiveNetworkSupport-305 wispr

The response still looked the same:

Content-Type: text/html
Content-Length: 68
Date: Sun, 19 Oct 2014 19:25:07 GMT
Connection: close

<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>

What i noticed:

  • a different hostname
  • a completely different URL.
  • that URL looks like something is encoded in it.

Experimenting some more, shows the URLS can vary in size:

  • http://www.appleiphonecell.com/FE4wVnGTi2/30ev47IPHa/qtuSz4qyEI/1beCBLubOk/6mx7wEuwWu.html
  • http://www.itools.info/pyvurkyw66kGkxv/JlP1AFh6NWlGmpZ/j5zaznQRiEOmLwI/lDon4e4tyMHFq4G/f4F6JosojEbdgIP.html
  • http://www.thinkdifferent.us/5L0tz1uQdrOVw/O49xGuWJm2Nbs/9YE97WN6LvlcJ/GcWCBwrllfhgF.html
  • http://www.thinkdifferent.us/ZyXweLwP5qj/gorlJSJPHq7/9WuiyO2xMjP.html
  • http://www.thinkdifferent.us/btszR5bVqi/PXZzhbyy4u.html
  • http://www.thinkdifferent.us/wMIv3CYrmP9GaP2/mHe77eYERri8O5h/NZ57XszWkZ0UM6B/leyDEyX21DQGRDe/6LHJqcf1lAOUPB1.html

So i look for the binary which has the User-Agent CaptiveNetworkSupport string in it, in an unpacked ios8 rom. I start by unzipping an OTA update for iOS8.0 for the iPhone5,2, this con be found in 93525b725ad90a65cd43f93d298fccdce3e3d1bc.zip, as noted below. Unzipping this file and searching where i would find the CaptiveNetworkSupport string, i ended up with these possible targets:

  • AssetData/payload/replace/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armv7s
  • AssetData/payload/replace/System/Library/SystemConfiguration/CaptiveNetworkSupport.bundle/CaptiveNetworkSupport
  • AssetData/payload/replace/usr/libexec/configd

The dyld_shared_cache file is really large, too large for IDA to handle, and needs to be split in its constituents. There is a tool named dyld_decache which can do this for you.

Inside the dyld file we find this file:

  • System/Library/PrivateFrameworks/CaptiveNetwork.framework/CaptiveNetwork

CaptiveNetworkSupport

CaptiveNetworkSupport seemed most interesting.

One thing that stood out, is that at some point handling wispr_login_async, the following form fields are used at some point:

OriginatingServer=http://copyfight.corante.com/
button=Login
FNAME=0

Hmm ... googling copyfight and corante, these guys don't exactly seem to be on friendly terms with apple. Then why is apple using their URL when loggin in to wifi hotspots?

Capturing the request

Capturing plaintext requests like this is easy: * open SystemPreferences -> Sharing * configure InternetSharing to share your ethernet connecting with people using WiFi. * set a password and network name in Wifi-Options * enable * run tcpdump ( or wireshark) either on your wifi or your ethernet interface. * connect your phone to your new wifi network.

Obtaining iOS 8 binaries

Apple releases iOS software in two formats:

Full upgrade, as .ipsw files, These contain the full operating system, but are unfortunately encrypted. Links to the ipsw files can be found in http://itunes.com/version

OTA upgrade, as .zip files. These often contain only patches, but occasionally, probably when the diff is too large, contain a full unencrypted image of the operating system. Links to the OTA files can be found in com_apple_MobileAsset_SoftwareUpdate.xml. Theiphonewiki keeps track of changes to this file.

For this article i use the iOS8.0 OTA update for the iPhone5,2, as found in 93525b725ad90a65cd43f93d298fccdce3e3d1bc.zip.