Message-ID: <20110408220249.GE12726@sentinelchicken.org>
Date: Fri, 8 Apr 2011 15:02:49 -0700
From: Tim <tim-security@...tinelchicken.org>
To: Maksim.Filenko@...b.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cipher detection

> Here're some more examples:
>
> dummy@...mple.com GGobQ2bsqd64PXVAmaDiDBg=
> eummy@...mple.com GWobQ2bsqd64PXVAmaDiDBg=
> dummy@...mple.co GGobQ2bsqd64PXVAmaDiDA==
> dummy@...mple.@ex GGobQ2bsqd64PXVAmaDBBg0=
> dummy GGobQ2Y=
> dumm GGobQw==
> eummy GWobQ2Y=
> eumm GWobQw==
> example.com GWcXQ2/AqYi6P2g=
> dxample.com GGcXQ2/AqYi6P2g=
> 11111@...mple.com TS5HHy7sqd64PXVAmaDiDBg=
> 11111 TS5HHy4=
>
> Looks like a base64+xor, am I right? And that's enough information for me.

Yes, it is looking like a fixed key stream XORed with the plaintext.

Note that this could mean they're using any number of "good"
encryption algorithms (block cipher in OFB mode, stream cipher) with a
fixed IV. This means the encryption is very broken, but it doesn't
necessarily mean they are using some half-baked custom obfuscation
technique. They could be, but be careful with your accusations.

HTH,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
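
Added example, not part of the original message: a Python check of the fixed-keystream reading, using only the quoted rows whose plaintext is not truncated by the archive. The function names are illustrative assumptions; the last function goes slightly beyond the message by showing that XORing two ciphertexts yields the XOR of their plaintexts with no key involved, which is why a fixed IV is "very broken" whatever the underlying cipher is.

```python
import base64

# Pairs copied from the quoted message. Rows containing an address that the
# archive truncated ("...") are left out, since their plaintext is incomplete.
SAMPLES = [
    ("dummy", "GGobQ2Y="),
    ("dumm", "GGobQw=="),
    ("eummy", "GWobQ2Y="),
    ("eumm", "GWobQw=="),
    ("example.com", "GWcXQ2/AqYi6P2g="),
    ("dxample.com", "GGcXQ2/AqYi6P2g="),
    ("11111", "TS5HHy4="),
]

def xor_bytes(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_from(plaintext, b64_ciphertext):
    """Keystream implied by one pair, assuming ciphertext = plaintext XOR keystream."""
    ct = base64.b64decode(b64_ciphertext)
    pt = plaintext.encode("ascii")
    if len(ct) != len(pt):
        # A stream/XOR construction preserves length; padding or a MAC would not.
        raise ValueError("ciphertext and plaintext lengths differ")
    return xor_bytes(pt, ct)

def common_keystream(samples):
    """Return the longest implied keystream if every pair agrees on the
    overlapping prefix, or None if any pair contradicts the others."""
    longest = b""
    for pt, ct in samples:
        ks = keystream_from(pt, ct)
        n = min(len(ks), len(longest))
        if ks[:n] != longest[:n]:
            return None
        if len(ks) > len(longest):
            longest = ks
    return longest

def ciphertext_xor_matches_plaintext_xor(a, b):
    """With a reused keystream, C1 XOR C2 == P1 XOR P2; the key cancels out."""
    (p1, c1), (p2, c2) = a, b
    cts = xor_bytes(base64.b64decode(c1), base64.b64decode(c2))
    pts = xor_bytes(p1.encode("ascii"), p2.encode("ascii"))
    return cts == pts

if __name__ == "__main__":
    ks = common_keystream(SAMPLES)
    print("consistent keystream:", ks.hex() if ks else "no")
    print("key-free relation holds:",
          ciphertext_xor_matches_plaintext_xor(SAMPLES[0], SAMPLES[6]))
```

All seven pairs agreeing on one keystream supports the fixed-keystream reading, but, as the message says, it does not distinguish a home-grown XOR from a real stream cipher or OFB-mode block cipher run with a fixed IV.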