



 ____________________________________________________________________
 
[ 4:. - [ Crypto For Newbies ]                           [b0iler] :. ]
                                 [http://b0iler.advknowledge.net] :. ] 
 ____________________________________________________________________






#!/usr/bin/perl
# this will screw up all the perl, encoding, tables, charts, and encryption.. 
# so go ahead and do it :D
$text[0] =~ s/newbies/bogsters/ig;
@text =~ tr/aeiloz/431102/;


Written for b0g... since most b0g readers and idlers in #b0g have no clue what 
they are doing I wrote up a little tutorial to help you with the basics of common 
encoding and encryption techniques.  I promise this paper isn't that boring, 
and you will actually run across this stuff if you plan to 'hack the planet!@#'.



Table of contents

-Intro
-Uuencode
-Base64
-Rot-13
-XOR
-DES (section including how to use JTR)
-Conclusion 



[Intro]

Alright, I know you have read some crypto tutorial on the web before and you 
probably got confused at the first sight of "cipher".  In this tutorial I will 
not describe in much depth how the crypto works, but I will go over the very 
basics and introduce you to the different types of common encryption and 
encoding schemes used on the net.  I will go over how to encrypt and decrypt 
each of them, so this tutorial should be a walk in the park.  I've added a 
section on JTR; it is not very detailed.. but neither is the rest of this 
tutorial.  It should be enough to get you going with JTR and crack a few 
password files.

There are a few basic encoding methods used.  I say encoding because they are 
just other ways of presenting data; unlike encryption they do not try to keep 
the message secret.  Anyone can decode them without knowing a key, all they 
need to know is which program to use to decode it, or how to arrange the 
letters.  Three very basic forms of encoding are uuencode (.uue), base64 (.b64) 
and rot13 (which doesn't have a file extension as far as I know).  All of these 
encoding methods are really simple to understand and decode.  I'll also go over 
XOR and DES, which are true forms of encryption.



[Uuencode]

uuencode stands for unix-to-unix encoding, also called uue.  It was once only 
for unix systems, but now can be used on almost all operating systems.  What 
uuencode does is convert the file's (picture, text, program, etc..) byte stream 
into printable 7-bit ascii.  This makes it possible, when you cannot transfer 
binary files, to encode them as ascii and transfer them that way.  uuencode is 
often used in emails and most email clients can handle uuencode.

You can encode a file into uuencode by going to a *nix command prompt (if you 
don't have *nix, get a shell account) and using the command 'uuencode file.txt 
file.uue', where file.txt is the file you want encoded; it will be encoded 
into a file called file.uue.  Here is a trick if you only want the 
output on the screen instead of saved in a file: use /dev/stdout as the 
output, 'uuencode file.txt /dev/stdout'.  Also to be noted: when you 
uuencode a file it is increased in size by around 42%.  On a couple of systems 
(both older mandrake) I had problems with the output file, it was not created.  
Instead mandrake seems to send the output to /dev/stdout (your screen) every 
time and not to the file you specify as the output.  You could redirect stdout 
to any file you want and then run uuencode and it would work.  Every other 
system I've used worked as normal.

To decode uuencode you use the 'uudecode' command: 'uudecode -o file.txt 
file.uue' will decode file.uue and send the output to file.txt.  Another 
simple way to decode uuencode is to use a program most every windows user has, 
winzip.  Simply name the uuencoded file file.uue, open it in winzip and 
follow the instructions on decoding it (press next, next, next... not that 
hard).

So how can you tell if something is encoded in uue?  First check if it has an 
extension; if it is .uue then it is uuencoded.  If the file doesn't have an 
extension or is just text it should look like this:


begin 644 blah.txt
M=&AI<R!T97AT('=A<R!E;F-O9&5D(&EN('5U96YC;V1I;F<N"FYO('1E>'0@
M=V%S(&AA<FUE9"!I;B!T:&4@8W)E871I;VX@;V8@=&AI<R!F:6QE+@IA;'1H
H;W5G:"!A(&9E=R!C<'4@8WEC;&5S('=E<F4@=7-E9"!U<"X*.RTH"@``
`
end


Now there are a few ways to tell this is uuencoded.  First, all uuencoding 
starts with 'begin' and then the permissions of the file, in this case 
'644'.  Then the file name, 'blah.txt'.  Another way to tell is that uuencode 
uses the first character of each line to tell how many bytes that line holds 
(the character's value minus 32): in this case the full lines use 'M' (32 + 45) 
and the last line, which is shorter, uses a different letter, 'H'.  The second 
to last line is always a lone backtick (`) and the very last line in uuencoded 
files is 'end'.  So if you don't know what kind of encoding is used just look 
for these signs.



[base64]

Well base64 is the grand daddy of all encoding methods.  It uses less cpu power 
to encode/decode than uuencode, and uuencode increases the file size much more: 
base64 only increases file size by about 33%.  Base64 is compliant with US 
ASCII and EBCDIC standards, neither of which uuencode is, making base64 much 
more compatible.  Base64 is pretty much the standard when sending email 
attachments now.  It is used through what is known as MIME (Multipurpose 
Internet Mail Extensions) for email attachments.  It is also used with some 
weak authentication methods.  Like uue, base64 turns binary into ascii so it 
is able to be transferred when a binary transfer cannot be established.  Base64 
uses 65 characters for encoding: 64 actual characters and 1 character, =, 
which is used as padding at the end of the base64 data.  Here is a base64 
chart:


                            Table 1: The Base64 Alphabet 


      Value Encoding  Value Encoding  Value Encoding  Value Encoding
           0 A            17 R            34 i            51 z
           1 B            18 S            35 j            52 0
           2 C            19 T            36 k            53 1
           3 D            20 U            37 l            54 2
           4 E            21 V            38 m            55 3
           5 F            22 W            39 n            56 4
           6 G            23 X            40 o            57 5
           7 H            24 Y            41 p            58 6
           8 I            25 Z            42 q            59 7
           9 J            26 a            43 r            60 8
          10 K            27 b            44 s            61 9
          11 L            28 c            45 t            62 +
          12 M            29 d            46 u            63 /
          13 N            30 e            47 v
          14 O            31 f            48 w         (pad) =
          15 P            32 g            49 x
          16 Q            33 h            50 y


You can encode base64 by using the same command as for uuencode with the -m 
option, although there is a popular program called mpack which can do this 
as well.  Mpack comes for a variety of operating systems; the windows version 
is located at ftp://ftp.andrew.cmu.edu/pub/mpack/mpack15d.zip and the others are 
in the /pub/mpack directory.  Using mpack should be pretty easy since it comes 
with a help file (readme.dos).  Mpack doesn't just do base64, it does a few 
mime types.  To decode base64 you can use uudecode or munpack (comes with mpack); 
uudecode will automatically sense that it is base64 when decoding, so do it just 
like decoding uuencode.  Mpack comes with that readme.dos file which will 
explain everything very easily.

Here is an example of what blah.txt looks like encoded in base64:


begin-base64 644 blah.txt
dGhpcyB0ZXh0IHdhcyBlbmNvZGVkIGluIHV1ZW5jb2RpbmcuCm5vIHRleHQg
d2FzIGhhcm1lZCBpbiB0aGUgY3JlYXRpb24gb2YgdGhpcyBmaWxlLgphbHRo
b3VnaCBhIGZldyBjcHUgY3ljbGVzIHdlcmUgdXNlZCB1cC4KOy0oCg==
====


(note: the above is a bad example of how b64 is generally smaller than uue)
Sometimes you will see content-type headers on base64 files, such as:


Content-Type: application/octet-stream; name="a.txt"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="a.txt"
Content-MD5: LByIVUcB0AGQTTnYDyzOjQ==

VGhpcyBpcyBiYXNlNjQsIGFuZCB5b3UganVzdCBkZWNvZGVkIGl0IGNvcnJlY3RseSE=


A few ways to tell this was base64: the "Content-Transfer-Encoding" header 
says base64.  But also it ends in =, which is a big hint; sometimes base64 ends 
in multiple ='s.  Another way to tell is if the document contains many strings 
of "ICAg", which is what a run of spaces encodes to.  Often in longer base64 
encoded files you will find many ICAg's all together like: 
ICAgICAgICAgICAgICAgICAgICAgICAg.  This is a sign that the file is base64 
encoded. 
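The uuencode length byte, the base64 '=' padding and the ICAg tell all come out of one mechanism: both schemes cut the file into 45-byte lines, regroup the bits into 6-bit values and map each value to a character from an alphabet. This added example (not from the article or any of the tools it names) encodes and decodes the article's blah.txt text both ways so the two samples above can be compared character by character; the plaintext is reconstructed from the base64 lines.

```python
import re

# Constructed sample: the plaintext behind the article's blah.txt examples,
# recovered by decoding the article's own base64 lines.
PLAINTEXT = (b"this text was encoded in uuencoding.\n"
             b"no text was harmed in the creation of this file.\n"
             b"although a few cpu cycles were used up.\n;-(\n")

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# uuencode prints 6-bit value v as chr(32 + v), with 0 as '`' (sharutils style)
UU = "`" + "".join(chr(32 + v) for v in range(1, 64))

def sixbit(chunk):
    """Zero-pad chunk to 3 bytes, split into 6-bit values; return (values, pad)."""
    pad = (-len(chunk)) % 3
    data = chunk + b"\x00" * pad
    values = []
    for i in range(0, len(data), 3):
        n = int.from_bytes(data[i:i + 3], "big")
        values += [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
    return values, pad

def base64_encode(data):
    """Base64 with 45 input bytes (60 output chars) per line, like uuencode -m."""
    lines = []
    for i in range(0, len(data), 45):
        values, pad = sixbit(data[i:i + 45])
        text = "".join(B64[v] for v in values)
        # '=' replaces the characters that would carry only padding zeros
        lines.append(text[:len(text) - pad] + "=" * pad)
    return "\n".join(lines)

def uuencode(data, name, mode="644"):
    """Classic uuencode framing: begin line, 45-byte lines, a lone '`', end."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        chunk = data[i:i + 45]
        values, _ = sixbit(chunk)
        # first char is the line's byte count plus 32: 45 -> 'M', 40 -> 'H'
        lines.append(chr(32 + len(chunk)) + "".join(UU[v] for v in values))
    return "\n".join(lines + ["`", "end"])

def uudecode(text):
    """Parse a begin/.../`/end block and return (mode, name, data)."""
    lines = text.splitlines()
    head = lines[0].split() if lines else []
    if len(head) != 3 or head[0] != "begin" or lines[-2:] != ["`", "end"]:
        raise ValueError("not a uuencoded block")
    out = bytearray()
    for line in lines[1:-2]:
        count = (ord(line[0]) - 32) & 63            # bytes on this line
        vals = [(ord(c) - 32) & 63 for c in line[1:]] + [0, 0, 0]
        raw = bytearray()
        for i in range(0, len(vals) - 3, 4):
            a, b, c, d = vals[i:i + 4]
            raw += ((a << 18) | (b << 12) | (c << 6) | d).to_bytes(3, "big")
        out += raw[:count]                          # drop padding bytes
    return head[1], head[2], bytes(out)

def classify(text):
    """The article's tells: begin/end framing, begin-base64/====, or '=' tail."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("begin ") and lines[-1] == "end":
        return "uuencode"
    if lines and lines[0].startswith("begin-base64 ") and lines[-1] == "====":
        return "base64"
    body = "".join(lines)
    if len(body) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return "base64"
    return None
```

In real code use binascii.b2a_uu/a2b_uu and the base64 module; the hand-rolled version is only there to show that the two samples above are the same bit groups under two alphabets.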

$text[201] =~ s/icag/b0g!#@!/ig; #har har har


[Rot-13]

Rot-13 is probably the most basic type of encryption.  It just rotates the 
letters in the alphabet by 13 places.  Since the alphabet has 26 letters, 
rotating by 13 twice brings every letter back, so the same step encrypts and 
decrypts.  It isn't really an encryption type, it is just a way you can keep 
messages from less net savvy people.  Also it is sometimes used to keep info 
hidden that some people might not want to know, for example the ending of a 
movie might be in rot-13 so people who want to know can read it, and those who 
don't can watch the movie themselves =) Here is the rot-13 alphabet... 


a = n
b = o
c = p
d = q
e = r
f = s
g = t
h = u
i = v
j = w
k = x
l = y
m = z 


Rot-13 is a type of Caesar cipher, which means each letter is replaced by 
another letter and the replacement depends only on the plaintext character.  
To encrypt or decrypt rot-13 you can use the alphabet above (it reads the same 
in both directions), or just go to www.rot13.com and fill out the form. 


[XOR]

XOR stands for eXclusive OR.  What it does is check 2 values against each 
other: if they are the same it returns a false (or 0) value, if they are 
different it returns a true (or 1) value.  Since xor works on the binary 
level it only compares 0's and 1's, one bit position at a time.  To decode xor 
you can write a simple program.  In most languages ^ is the xor operator, so 
encrypting or decrypting is just applying ^ between each byte of the string 
and the key (the same operation does both).  You can even use the windows (or 
any other OS) calculator to do it.  Start->Run->calc.exe then click view and 
select scientific.  Enter in a number, select the 'bin' (binary) button and 
then press 'xor', go back to 'dec' (decimal) and enter in a second number 
(also known as the mask), press 'bin' again and then press '='.  It should be 
something like this:


170 change to binary you can see it is: 10101010
xor
255 change to binary you can see it is: 11111111
=
1010101 change to decimal: 85 (the calculator drops the leading 0 of 01010101)


Now, if you followed along above you will know that it checks the binary values 
against each other.  I'll do it by hand so you can see how it works.


10101010
11111111
--------
01010101


if you still don't see it, let me explain:


1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1


Now here is a perl script for an XOR encryptor/decryptor:



--- script kiddies grep for 'cut here' ---

#!/usr/bin/perl
# Get Otp here: http://www3.marketrends.net/encrypt/download/Babel_Otp_Rot13.tar
#
# encrypt/decrypt xor
# the same Otp call does both, since xoring with the key twice gives the
# original back
#

use Otp;

$xor = new Otp;

  print 'type e for encrypt, anything else for decrypt:';
  chomp($todo = <STDIN>);

  if ($todo eq 'e'){
     print 'type in the string you want encrypted:';
     chomp($orignal = <STDIN>);        # chomp so the newline is not encrypted
     print 'type in the key you want to use:';
     chomp($key = <STDIN>);            # ...and not made part of the key
     $encrypted = $xor->Otp($orignal,"$key");
  }

  else{
     print 'type in the string you want decrypted:';
     chomp($encrypted = <STDIN>);
     print 'type in the key to decrypt the string:';
     chomp($key = <STDIN>);
     $orignal = $xor->Otp($encrypted,"$key");
  }

print "The original string is: $orignal\n";
print "The encrypted string is: $encrypted\n";

exit;

---script kiddies cannot bother looking at the code, so 'stop cutting here'---



If you don't know the mask of the xor you can brute force it with a program 
called Vcrack (Unix version here), although it will have to be a pretty weak 
password for this to work in a reasonable amount of time (don't expect it to 
crack keys and strings longer than 10 characters). 
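The calculator walk-through and the bit table above, generalized to whole strings with a repeating key, as an added example that is not part of the original article (the message and key inside demo() are constructed):

```python
def xor_bytes(data, key):
    """XOR every byte of data with the key; a key shorter than data repeats."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_trace(a, b, width=8):
    """Per-bit rows like the table above: (bit of a, bit of b, verdict, result)."""
    rows = []
    for shift in range(width - 1, -1, -1):          # most significant bit first
        x, y = (a >> shift) & 1, (b >> shift) & 1
        rows.append((x, y, "same" if x == y else "different", x ^ y))
    return rows

def xor_bits(a, b, width=8):
    """Result column of xor_trace as a bit string, leading zero kept."""
    return "".join(str(row[3]) for row in xor_trace(a, b, width))

def demo():
    # the article's calculator example: 170 xor 255 (the mask) = 85
    bits = xor_bits(170, 255)                        # '01010101'
    # constructed message and key, not taken from the article
    msg, key = b"meet at the b0g channel", b"k3y"
    ct = xor_bytes(msg, key)
    back = xor_bytes(ct, key)                        # same call decrypts: x ^ k ^ k == x
    return bits, int(bits, 2), ct, back == msg

if __name__ == "__main__":
    for x, y, verdict, r in xor_trace(170, 255):
        print(f"{x} {y} - they are {verdict}, so xor returns {r}")
    print(demo())
```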



[DES]

DES stands for Data Encryption Standard; it is a very commonly used encryption 
method.  So common in fact that it is used on nearly every *nix machine to 
encrypt the passwords.  DES, unlike most of the above, cannot be easily decrypted 
by moving bits or running a simple command.  There is no reasonable way of 
decrypting DES; instead you have to rely on "brute forcing" the password.  
What brute forcing means is trying different passwords until you get the right 
one; this might be 100 guesses, it might be 100,000,000.  It depends on how 
good the password the user picked is.

Now this is pretty interesting.. when IBM originally created DES they used a 
128-bit key, but when the NSA (National Security Agency) made it a standard they 
lowered it to 56 bits.  This made the encryption much weaker.  Some people 
(cough*everyone*cough) think that they made it weaker because with a 128-bit 
key they would not be able to brute force it.  Also, it has been reported that 
the government has tried to stop research and documentation on more advanced 
ciphers.

Since brute forcers usually try all the combinations of letters first, it is 
always smart to add a number or two to your passwords.  Using both upper 
and lower case letters can also help, as well as adding a special character 
such as: &) 

Now I won't explain how DES works in detail, but the basics are that it takes a 
message and breaks it into 64-bit groups and takes a key that is 56 bits 
(actually 64 bits, but every 8th bit is ignored).  DES is a block cipher, which 
means it takes plaintext and groups it into fixed-length (64-bit) blocks and 
then runs its encryption algorithm on each one.  A seed (the salt, in crypt's 
terms) is kind of the key to the whole thing: when you encrypt with des you get 
the seed as the first two characters of the encrypted data.  Run the following 
script and check the first two characters of your encrypted password against 
your chosen seed. 

To encrypt DES you can use this perl script:


--- script kiddies grep for 'cut here' ---

#!/usr/local/bin/perl
#
# script to encrypt des.
# to decrypt you will need to brute force it.
#

print 'enter in the username:';
chomp($username = <STDIN>);

# start with something too long so the loop asks at least once
$password = 1234567890;
while((length($password)) > 8){
   print 'enter in the password (8 or less characters):'; 

   #remember it is a block cipher of 64 bits (8 bytes)

   chomp($password = <STDIN>);
}

$seed = 'not_two';
while ((length($seed)) != 2){
   print 'enter in the seed (2 characters):'; 

   #seeds must be 2 characters

   chomp($seed = <STDIN>);
}

# crypt() returns the seed followed by 11 characters of hash
$encrypted = crypt($password, $seed);

print "your username:password is:\n\n";
print "$username:$encrypted\n";

exit;

---script kiddies cannot bother looking at the code, so 'stop cutting here'---

To decrypt you need to use a program that can brute force it.  The hackers' 
favorite is JTR, John The Ripper, available for both windows and *nix systems. 
I will go over how to use JTR to its fullest.



[Using JTR]

Step one in using JTR is getting and installing jtr on your computer.  Head 
over to http://www.openwall.com/john/ and get the version of JTR you would like.

After you finish installing JTR get out the username and password you would 
like to crack.  If you do not know what the username and password looks like or 
do not have a username and password to crack just use b0iler for the username 
and YyBWL06.zBiZE for the encrypted password.

Now to create the file that JTR will crack, put the username and password in 
this format:


b0iler:YyBWL06.zBiZE


so it's username:password.  If you are trying to crack a *nix password file 
(/etc/shadow) you can leave it in its current format.  You can also put 
multiple usernames and passwords in, like:


b0iler:YyBWL06.zBiZE:0:0:owns:/home/b0iler:/bin/bash
root:Yym34X1Wq86GI:0:0:pansy:/dev/null:/bin/sh
cyrus:YySNBbemZw8pI:9999:10:obese:/slim/fast:/bin/hamburger 


All you really need is the username:password, but since the *nix password file 
contains more info on users you can just leave it in (it will make no 
difference to JTR).  Here is a tip: if you do not care which user's password 
you crack just run them all.  If you want root then take out the rest, saving 
them in a different file just in case.  Save the file in the same directory as 
JTR; you can name it anything (ex. pass1.txt). 
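Preparing the username:password file described above, as an added example that is not from the article or from JTR itself (it uses the article's three sample lines as constructed input; the passwords behind those hashes are not known here):

```python
import re

# Traditional DES crypt(3) output: 2 seed (salt) chars + 11 hash chars, all
# drawn from this 64-character set.
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed input: the article's three sample lines, not real accounts.
SAMPLE = """b0iler:YyBWL06.zBiZE:0:0:owns:/home/b0iler:/bin/bash
root:Yym34X1Wq86GI:0:0:pansy:/dev/null:/bin/sh
cyrus:YySNBbemZw8pI:9999:10:obese:/slim/fast:/bin/hamburger
"""

def parse_line(line):
    """Return (user, hash field) from 'user:hash' or a full passwd/shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"not a user:hash line: {line!r}")
    return fields[0], fields[1]

def describe(hash_field):
    """Classify the hash field; for DES crypt the first two chars are the seed."""
    if DES_CRYPT_RE.fullmatch(hash_field):
        return {"scheme": "des-crypt", "salt": hash_field[:2], "max_password_len": 8}
    if hash_field in ("", "x", "*", "!"):
        # empty, locked, or the real hash lives in /etc/shadow
        return {"scheme": "none", "salt": None, "max_password_len": None}
    return {"scheme": "other", "salt": None, "max_password_len": None}

def john_input(text, only_users=None):
    """Keep the DES-crypt entries as user:hash lines (the extra passwd fields make
    no difference to JTR, but dropping them keeps the file tidy); only_users
    limits it to the accounts you care about, as the article suggests for root."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field = parse_line(line)
        if only_users and user not in only_users:
            continue
        if describe(hash_field)["scheme"] == "des-crypt":
            out.append(f"{user}:{hash_field}")
    return out
```

Note that all three of the article's sample hashes carry the same seed, Yy, which is exactly the first-two-characters rule the DES section describes.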

Now go to a command prompt, *nix users will know how.. 
windows users: start->programs->MS-DOS prompt, then type in: cd c:\unzipped\john-16w 
(or whatever dir it is in), then cd john-16 (or whatever dir) and finally cd run.  
This is the directory where you should have saved the password file you wish 
to crack.  Now run jtr by issuing:


john -single pass1.txt


or use whatever you named your password file.  What this does is a very 
basic brute force attack on the password.  The -single attack is a very quick 
and basic attack which tries to break weak passwords.  If this does not work, 
or if you know that the users pick strong passwords, I would move on to using 
JTR's ability to do wordlist (otherwise known as dictionary) attacks.  What 
this does is allow you to use a file called a wordlist in JTR's attack.  JTR 
will try every string in the wordlist file and see if any are the passwords.  
To use a wordlist issue this command:

john -w:wordlist.txt pass1.txt

You can get a wordlist at http://wordlist.sourceforge.net/.  I would recommend a 
wordlist around 3 MB; it will crack most standard passwords people pick.

Now you can add rules to JTR to make it work extremely fast, but for this you 
need to know a little about the password, like whether it uses numbers or only 
letters, whether it is a certain number of characters long, etc.. Most of the 
time you have no clue, so telling newbies about rules is mostly pointless and 
will just be confusing.  Just stick with the standard ways unless you know some 
info on the passwords.  If you know that the password is 7 characters then by 
all means tell JTR that!  It will allow JTR to only try combinations of 7 
characters so it will crack the pass a lot faster.  But as I said, it is rare 
that you know anything like this about the passwords :/

The last method you should try is incremental; this attack tries every possible 
combination of characters until it gets it.  This means it could take a long, 
long time for JTR to crack it.. but it will crack it.  To do an incremental 
attack issue this command:

john -i:all pass1.txt 

This will go through every possible letter, number, and special character 
until it gets it.  If you don't think the users use special characters, use:


john -i:lanman pass1.txt


This will try letters and numbers.. but just a few special characters.  Now 
there are other more advanced ways to use JTR, some are very cool and can save 
you a lot of time, such as the ability to use multiple computers on the same 
password.  This splits up the time it takes by a lot.  Let's say you use your 
school's computer lab for a night.  If it has 20 computers you are almost 
guaranteed that one of them will crack it =)

Also editing the configuration file: john.ini will allow you more 
customization.  Since this is more advanced and not done by normal JTR users 
I will let the ones who wish to learn about it visit Monkee's Advanced JTR 
Tutorial.

Now let JTR run for A LONG TIME, don't email me asking why it is taking over 
12 hours to crack a password.  JTR has to brute force it.. this takes lots of 
time.  Don't be surprised to spend a long time waiting for it to crack.  When 
I say long, I mean L O N G.  If you think 12 hours is long I will just laugh 
at you.

While JTR is running you can check its status by pressing enter.  This will 
display where it is at, how fast it is going, and other info you might find 
amusing.  Once it's done check the default cracked password file, john.pot .. 
with any luck you'll get the password and be home free.  JTR can also be used 
to brute force other forms of encryption.. although I've had problems in the 
past trying to use JTR to crack other cryptos. 



[Conclusion]

Well, that's all a newbie would need to know about crypto to get into it.  
Encoding, decoding, detecting the type of crypto used.. that's all you need to 
know to break the basic types of crypto widely used.  If you wish to get more 
into crypto you will need to understand how the encryption algorithms 
work; for this you will need to be above average in math and be very dedicated 
to it.  If you are interested in learning about more advanced crypto I have 
heard from many, many people that the book "Applied Cryptography" is the best 
book ever written for learning cryptography.  A few other encryption methods 
you might want to look into include PGP, ssl, twofish, blowfish, tripleDES, 
and steganography.  Most of the stuff I covered I learned from reading, some 
from experimenting, and a little bit is just my opinion or take on things.  I 
coded all the scripts and don't care if you distribute them under your name 
or whatever since they took me a total of like 12 minutes to do.  I didn't even 
use any leetspeak in this article :D 



About The Author  
Written by b0iler

http://b0iler.advknowledge.net - lots of 0day hacking tutorials

With thanks to:
monkee - very smart guy.
litewait -- I can't find your tutorial anymore ;/ 
Cyrus - www.cyruslabs.com
l8nite - better at crypto than I am.
 


"
bob bob bob.. can't you see.. 
Sometimes your articles ejaculate me..
And I just love your goatsex shit..
All the lamers agree that you got nice tits.
 -funk master b0iler and the furious alt+F4
                                            "









