From kens1835@home.com Sun Jun 24 11:27:41 2001
Date: Fri, 22 Jun 2001 15:03:58 -0700
From: Ken Savage
To: project@honeynet.org
Subject: Scan of the month

On June 22nd, 2001, while reading the CryptoGram newsletter, I came across a link to the Honeynet project. Within it was a challenge to decipher a blackhat uploaded file, 'somefile.zip'. The zip file was downloaded, and then I went off to lunch. Gotta get some energy for a rough and tough afternoon of cryptanalysis. :)

The MD5 checksum matched, and upon decompressing the archive, a lone file, 'somefile', was created. A hex dump of the file revealed that the distribution of bytes in the file was FAR from uniform, as would be expected in a SERIOUSLY encrypted file. As a matter of fact, every byte within 'somefile' has its upper bit set. I guessed that either a simple byte inversion or XOR encryption technique was used.

The following source code file was created to invert every byte:

    #include <stdio.h>

    int main( void )
    {
        /* Buffers sized for the small challenge file. */
        unsigned char data[2000];
        unsigned char out[2000];
        int bytesRead, i;
        FILE *fp;

        fp = fopen( "somefile", "rb" );
        if( fp == NULL )
        {
            perror( "somefile" );
            return 1;
        }
        bytesRead = fread( data, 1, 2000, fp );
        fclose( fp );

        /* Invert every byte: ~b is the same as b XOR 0xFF. */
        for( i = 0; i < bytesRead; i++ )
            out[i] = ~data[i];

        /* Write the recovered plaintext to stdout. */
        fwrite( out, bytesRead, 1, stdout );
        fflush( stdout );
        return 0;
    }

--------- AND THEN!!! ----------

Lo-and-behold, the output showed four sections:

    [file]
    ... stuff ...
    [ps]
    ... stuff ...
    [netstat]
    ... stuff ...
    [login]
    ... stuff ...
    su_pass=l33th4x0r

The decryption was deemed successful, and no attempt at an xor mask routine was attempted.

To answer the questions of the challenge:

1) The encryption algorithm used is a simple byte inversion algorithm, applied to each byte of the original file, with no feedback mode.

2) The encryption method was determined through a well-educated guess when the hexdump of the file was found to contain upper bits being set. A program was used to verify this guess.

3) The decrypted file is described above.

4) The file is a configuration file for a root kit. It was encrypted so that if discovered, the sysadmin wouldn't know what it was without further examination.

5) The lesson learned is that stronger encryption is needed.

6) The challenge took me, including my fuelling stop (aka lunch break) and writing this response, about two hours. In terms of actual work, the message was deciphered in less than 15 minutes.

Alas, I wasn't able to determine the toolkit this was taken from!

Cheers,
Ken Savage
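The analysis in this submission rests on two observations: inverted ASCII always has the high bit set, and byte inversion is just XOR with 0xFF, so a single-byte XOR search covers both guesses at once. The script below is an added example (not the submitter's code and not from any rootkit) that carries that reasoning through on a constructed stand-in for the decrypted file: it measures the high-bit fraction, ranks all 256 XOR masks by how text-like the output is, confirms the candidate by checking for the [section] layout seen in the write-up, and parses the recovered sections. Only the section names and the su_pass key come from the page; every value in SAMPLE_PLAINTEXT is a placeholder.

```python
"""Recovering a byte-inverted (XOR 0xFF) file, following the Honeynet write-up.

Added example, not the submission's program. SAMPLE_PLAINTEXT is constructed:
the section names and the su_pass key mirror the write-up, the values do not.
"""
from typing import Dict, List, Tuple

# Constructed stand-in for the decrypted 'somefile'; values are placeholders.
SAMPLE_PLAINTEXT = (
    b"[file]\n"
    b"/usr/lib/example.so\n"
    b"[ps]\n"
    b"example_daemon\n"
    b"[netstat]\n"
    b"31337\n"
    b"[login]\n"
    b"su_pass=PLACEHOLDER\n"
)


def invert(data: bytes) -> bytes:
    """Flip every bit of every byte (the ~data[i] loop in the C program)."""
    return bytes((~b) & 0xFF for b in data)


def xor_with(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask; key 0xFF reproduces invert()."""
    return bytes(b ^ key for b in data)


def high_bit_fraction(data: bytes) -> float:
    """Fraction of bytes with bit 7 set: about 0.5 for well-encrypted data,
    0.0 for plain ASCII and 1.0 for inverted ASCII."""
    if not data:
        return 0.0
    return sum(1 for b in data if b & 0x80) / len(data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def rank_xor_keys(data: bytes) -> List[Tuple[int, float]]:
    """All 256 single-byte masks, best printable ratio first (ties by key)."""
    scored = [(key, printable_ratio(xor_with(data, key))) for key in range(256)]
    return sorted(scored, key=lambda ks: (-ks[1], ks[0]))


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the '[name]' header / value-line layout into section -> lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and line[1:-1].isalpha():
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def recover_key(data: bytes) -> int:
    """Pick the highest-ranked mask whose output shows the expected [section]
    structure. Printable ratio alone can tie (several masks keep ASCII
    printable), so the structural check is what confirms the guess."""
    for key, score in rank_xor_keys(data):
        if score < 0.9:
            break
        if parse_sections(xor_with(data, key).decode("ascii", "replace")):
            return key
    raise ValueError("no single-byte XOR mask yields the expected layout")


if __name__ == "__main__":
    encrypted = invert(SAMPLE_PLAINTEXT)
    print("high-bit fraction of ciphertext: %.2f" % high_bit_fraction(encrypted))
    key = recover_key(encrypted)
    print("recovered mask: 0x%02X" % key)
    print(parse_sections(xor_with(encrypted, key).decode("ascii")))
```

The design point worth noting is the structural confirmation in recover_key: on this sample, mask 0xFC also leaves every byte printable, so a printable-ratio score alone cannot separate it from 0xFF; checking that the output actually parses into [section] blocks does.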