Simple Ciphers: cipher-tool.py
When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the...

Update: xor-kpa.py Version 0.0.4
This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys. xor-kpa_V0_0_4.zip (https) MD5: FCE75B6125104D8AFC56A67B65FF75C0 SHA256:...

Password History Analysis
When cracking Active Directory passwords as I explained in this series of blog posts, you can also crack the password history. The program I’m releasing now will make a report of users who “recycle”...

Practice ntds.dit File Part 9: Extracting Password History Hashes
I released a tool to analyze password history. To extract password history from ntds.dit with ntdsxtract/dsusers.py, use option –passwordhistory. To extract password history from ntds.dit with...

Quickpost: ZIP Password Cracking With John The Ripper
Here is how to crack a ZIP password with John the Ripper on Windows: First you generate the hash with zip2john: Then you run john: In this example, I use a specific pot file (the cracked password...

Update: xor-kpa.py Version 0.0.5
Some small changes to my XOR known plaintext attack tool (xor-kpa), which will be detailed in an ISC Diary entry. xor-kpa_V0_0_5.zip (https) MD5: 023D8E3725E0EF7CEC449085AA96BB3A SHA256:...

Cracking Encrypted PDFs – Part 1
In this series of blog posts, I’ll explain how I decrypted the encrypted PDFs shared by John August (John wanted to know how easy it is to crack encrypted PDFs, and started a challenge). Here is how I...

Cracking Encrypted PDFs – Part 2
After cracking the “easy” PDF of John’s challenge, I’m cracking the “tough” PDF (harder_encryption). Using the same steps as for the “easy” PDF, I confirm the PDF is encrypted with a user password...

Cracking Encrypted PDFs – Part 3
I performed a brute-force attack on the password of an encrypted PDF and a brute-force attack on the key of (another) encrypted PDF; both PDFs are part of a challenge published by John August. The...

Cracking Encrypted PDFs – Conclusion
TL;DR: PDFs protected with 40-bit keys cannot guarantee confidentiality, even with strong passwords. When you protect your PDFs with a password, you have to encrypt your PDFs with strong passwords and...

Encrypted OOXML Documents
The Office Open XML format, introduced with MS Office 2007, is essentially composed of XML files stored inside a ZIP container. When an OOXML file (like a .docx file) is protected with a password for...

KEIHash: Fingerprinting SSH
keihash.py is a program to parse pcap files and calculate the KEIHash of SSH connections. The KEIHash is the MD5 hash of the Key Exchange Init (KEI) data (strings). For obvious reasons, I could not...

New Tool: msoffcrypto-crack.py
This is a new tool to recover the password of encrypted MS Office documents. I quickly put together this script to help with the analysis of encrypted, malicious documents. This tool relies completely...

Update: msoffcrypto-crack.py Version 0.0.2
In this update of msoffcrypto-crack.py, two new options were added: -e takes a text file and extracts all words from this text file to be used in the dictionary attack. Words are strings delimited by...

Update: msoffcrypto-crack.py Version 0.0.3
This is a bug fix update: for agile encryption, Python module msoffcrypto does not throw an exception in method load_key when an invalid password is provided. It throws an exception when an attempt is...

Quickpost: Retrieving an SSL Certificate with nmap
One of my first quickposts, more than 10 years ago, was a howto: using openssl to retrieve the certificate of a web site. Since then, nmap has a scripting engine, and there is a script to check a...

WebDAV, NTLM & Responder
I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers. Long story short: there’s a...

Using CveEventWrite From VBA (CVE-2020-0601)
Microsoft’s patch for CVE-2020-0601 introduces a call to CveEventWrite in CryptoAPI when a faked certificate is detected. This will write a Windows event entry in the Application event log. For all of...

Update: msoffcrypto-crack.py Version 0.0.5
This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generate a password dictionary based on the filename of the document. Option -p...

Update: zipdump.py Version 0.0.19
This new version of zipdump uses module pyzipper instead of built-in module zipfile. pyzipper supports AES encryption. It is not a built-in module, and needs to be installed (with pip for example)....