Decrypting files using OpenSSL
Background
I’m playing with one of the De-ICE pen-testing CD’s, and I came across a file that was encrypted.
The problem is, I don’t know:
- The cipher used to encrypt the file
- The password used
- Whether or not the file was Base64 encoded
Discovery
By poking around the box, I was able to determine that OpenSSL was installed. OpenSSL will reveal the encryption commands it supports by typing:
# openssl -help
So I know the set of algorithms that could have been used to encrypt the file.
I also have a candidate set of passwords that I believe were used to encrypt the file. These were uncovered during the pen test.
I need to figure out if the file was Base64 encoded and the cipher used.
# file encrypted_file.enc
encrypted_file.enc: data
The file is not Base64 encoded or it would be type text. I tested this by encrypting two files, one with Base64 and one without. The Base64 file returned type text, the other type data.
To test for the algorithm used, I tried encrypting a file and decrypting with both correct and incorrect passwords. Only clean decryptions (where the correct password was used) result in plain text (”ASCII text”) when using the “file” command. Decrypting a file with the wrong password results in a file with file type “data,” or something else.
This will make scripting of a solution easy.
The challenge for me is that I don’t know much about shell scripting. Fortunately, there is a sweet resource over at the LDP - the Advanced Bash-Scripting Guide by Mendel Cooper. It was a huge help.
What I know now:
- Candidate passwords
- Candidate encryption algorithms
- The file was not Base64 encoded
What I don’t know:
- The combination of password/algorithm used to encrypt the file.
What I want:
- The decrypted file
- The password and algorithm used to encrypt the file
Scripting a Solution
Result: decrypt.sh
Given a set of candidate encryption algorithms and candidate passwords, the script will:
- Try all combinations of password/algorithm
- Save the decrypted results in the specified directory
- Save decrypted files wiith a file name of the type <password>_<algorithm>.txt
- Run the “file” command at the end, looking for any that have type ASCII text
If the algorithm is successful, at least one file with type ASCII text will have be a valid decryption of the original file.
The file worked like a charm to decrypt the file I found.
The Code
#! /bin/bash
SUPPORTED_ALGS=(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40)
PASSWORD_LIST=(passwd password test)
OUTPUT_DIRECTORY="/root/1_100/decrypt_output/"
ENCRYPTED_FILE="/root/1_100/encrypted_file.csv.enc"
echo "Num algorithms=${#SUPPORTED_ALGS[*]}"
echo "Num passwords=${#PASSWORD_LIST[*]}"
for password in ${PASSWORD_LIST[*]}
do
for alg in ${SUPPORTED_ALGS[*]}
do
OUTFILE="${OUTPUT_DIRECTORY}${password}_${alg}.txt"
openssl enc -d -in $ENCRYPTED_FILE -pass pass:${password} -out $OUTFILE -${alg}
done
done
echo "Candidate files:"
file ${OUTPUT_DIRECTORY}* | grep ASCII
exit