-
Quipquip: subsituition cipher
-
Decode.fr: old school ciphers
-
CSCBE2019 - Rosetta: multiple ciphers / alphabets / languages / fonts
-
CyberChef: magic mode
-
kt.gy tools: decode string
-
GitHub - mwielgoszewski/python-paddingoracle: A portable, padding oracle exploit API
-
https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
-
https://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/
gmpy2.isqrt(B * N // A)
hashlib.md5().update(b'foo').hexdigest()
# ~/code/guides/ctf/TFNS---writeups/2020-09-25-BalCCon/cryptosh/cryptsh.py
from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor
from Crypto.Util.Padding import pad, unpad
# ~/code/guides/ctf/TFNS---writeups/2020-09-25-BalCCon/do_u_have_knowledge/server.py
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
cipher = Cipher(algorithms.AES(b'1234567890123456'), modes.ECB(), backend = default_backend())- Hill cipher - https://github.com/t3rmin0x/CTF-Writeups/tree/master/DarkCTF/Crypto/Embrace%20the%20Climb#embrace-the-climb-
- https://en.wikipedia.org/wiki/Feistel_cipher
- indistinguishability under chosen-plaintext attack (IND-CPA)
- Hash Analyzer - TunnelsUP
- CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.
- POSIX user account passwords (
/etc/passwd, /etc/shadow)- ./misc.md#crypt
- md5 with salt
hashcat -m 20 -a 0 -o cracked.txt crackme.txt /usr/share/wordlists/rockyou.txt --force" # $hash:$salt
-
hs256 = hmac sha256
-
Given
AES_CTR(SHA1(msg), KEY)(AES keystream unchanged):- length extension
- hmac value calculation:
mac_evil = mac_good ^ sha1(msg_good) ^ sha1(msg_evil)
ssdeep -s foo > fuzzy.db
ssdeep -s -a -m fuzzy.db foo bar
# foo matches fuzzy.db:foo (100)
# bar matches fuzzy.db:foo (0)- GitHub - sdhash/sdhash: similarity digest hashing tool
- GitHub - ssdeep-project/ssdeep: Fuzzy hashing API and fuzzy hashing tool
md5sum <() # d41d8cd98f00b204e9800998ecf8427e
sha1sum <() # da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256sum <() # e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855// [GRC's \| Password Haystacks: How Well Hidden is Your Needle?](https://www.grc.com/haystack.htm)
function grc(len) {
if(len < 1) {
return 0;
} else if (len == 1) {
return window.charsetsize;
}
return Math.pow(window.charsetsize, len - 1) + grc(len - 1);
}
console.log(grc(64));
// 110>>> len(list(permutations([i for i in range(0,10)], 2)))
90
>>> int(factorial(10)/factorial(10-2))
90
>>> int(factorial(36)/factorial(36-8))
1220096908800
# MAC address
>>> int(factorial(16)/factorial(16-12))
871782912000- GitHub - Ganapati/RsaCtfTool: RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data
- Factorizing big integers - http://factordb.com/
https://wiremask.eu/tools/xor-cracker/
- On length(known_prefix) >= length(key), full decryption is direct
~/code/snippets/ctf/crypto/xor_decrypt.py 'darkCTF{' <(printf '%s' '5552415c2b3525105a4657071b3e0b5f494b034515' | xxd -r -p) # 1337hack>'%lXjM$-*q.V ~/code/snippets/ctf/crypto/xor_decrypt.py '1337hack' <(printf '%s' '5552415c2b3525105a4657071b3e0b5f494b034515' | xxd -r -p) # darkCTF{kud0s_h4xx0r} ~/code/snippets/ctf/crypto/xor_decrypt.py 'darkCTF{kud0s_h4xx0r}' <(printf '%s' '5552415c2b3525105a4657071b3e0b5f494b034515' | xxd -r -p) # 1337hack1337hack1337h
- Split message into aligned sequences, count frequencies of chars foreach column, take most frequent char and xor with expected most frequent char (e.g.
_) to obtain key- Alterntive: xortool
- CTFtime.org / BalCCon2k20 CTF / Xoared / Writeup
- Guessing key length + values by decrypted output byte range
- ~/code/guides/ctf/grayrepo/2017_flareon/flare10_shellphp/README.md
- key length: ~/code/snippets/ctf/crypto/kasiski.py
- letter frequency: ~/code/snippets/ctf/crypto/frequency_analysis.py
- decrypt letters: ~/code/snippets/ctf/crypto/chi_squared.py
- known seed => bruteforce generated values
import random, string random.seed(1601405147.6444) alphabet = list(string.ascii_lowercase + string.digits) print("".join([random.choice(alphabet) for _ in range(32)])) # mq4fyjs6rlo5jjotg3xiwr76z8hm4chi
- CTFtime.org / BalCCon2k20 CTF / Two Sides of a Coin / Writeup
- ~/share/ctf/BalCCon2k20/two-sides-of-a-coin-solutions/
- CTFtime.org / BalCCon2k20 CTF / Two Sides of a Coin / Writeup
- small n-periodic
- https://ctftime.org/writeups?tags=prng&hidden-tags=prng
- https://www.cryptomathic.com/news-events/blog/generating-cryptographic-keys-with-random-number-generators-prng
- ~/Downloads/Not_So_Random_-_Exploiting_Unsafe_Random_Number_Generator_Use.pdf
- given known implementation, optionally seed range, and multiple generated values, then bruteforce seed
- GitHub - altf4/untwister: Seed recovery tool for PRNGs
- GitHub - kmyk/mersenne-twister-predictor: Predict MT19937 PRNG, from preceding 624 generated numbers. There is a specialization for the "random" of Python standard library.
- https://dragonsector.pl/docs/0ctf2016_writeups.pdf
- https://sasdf.github.io/ctf/tasks/2019/BalsnCTF/crypto/unpredictable/
GitHub - bozhu/BMA: Berlekamp-Massey algorithm
https://medium.com/hackstreetboys/securinets-ctf-quals-2019-useless-admin-crypto-4e2685452fec
- https://crypto.stackexchange.com/questions/31019/if-you-encrypt-an-image-aes-is-it-still-an-image-and-can-you-view-it
- https://blog.filippo.io/the-ecb-penguin/
- https://crypto.stackexchange.com/questions/63145/variation-on-the-ecb-penguin-problem
head -n 4 Tux.ppm > header.txt tail -n +5 Tux.ppm > body.bin openssl enc -aes-128-ecb -nosalt -pass pass:"ANNA" -in body.bin -out body.ecb.bin cat header.txt body.ecb.bin > Tux.ecb.ppm
| Language | CSPRNG |
|---|---|
| .NET | RNGCryptoServerProvider() |
| Java | java.security.SecureRandom() |
| JavaScript (Node.js) | crypto.RandomBytes() |
| PHP | random_bytes() |
| Python | random.SystemRandom() |
-
https://blog.quarkslab.com/differential-fault-analysis-on-white-box-aes-implementations.html
-
https://www.ledger.com/ctf-complete-hw-bounty-still-ongoing-2-337-btc/
induce faults using GDB during the computation, retrieve the faulty result and then execute AES DFA (Differential Fault Analysis)
-
https://github.com/TFNS/writeups/tree/master/2020-04-25-IJCTF
-
https://github.com/TFNS/writeups/tree/master/2020-04-12-ByteBanditsCTF
-
https://github.com/TFNS/writeups/tree/master/2020-03-07-zer0ptsCTF/ror
-
https://github.com/TFNS/writeups/tree/master/2020-03-01-AeroCTF/magic
-
https://www.pcg-random.org/posts/visualizing-the-heart-of-some-prngs.html
- reproduce vizs
-
https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d
-
https://blog.malwarebytes.com/threat-analysis/2018/01/scarab-ransomware-new-variant-changes-tactics/
- identifying files in raw dumps - 1. hash the first k bytes of all known files; 2. take offsets matching a given sequence, hash the first k bytes at those offsets, then compare with known set
- discovering bugs due to unexpected magic byte sequences
Mostly just IDA, I managed to get a trace of lsass while CryptUnprotectData() was working and failing, then got a lucky break - I saw it derive a key from a byte sequence I knew (da 39 a3 ee...), that's the SHA-1 of the empty string! That led me to credentials being clobbered