Open ricosolana opened 7 months ago
This pull changes how matching is normally performed against the starting "magic" bytes.
The previous method of matching uses string comparison (strncmp), requiring an exact string to be present starting from the first position.
In cases where the file type is unknown and is likely to be in binary format, this check fails.
sample.png:
Lets create an encrypted file:
openssl enc -aes-256-cbc -md md5 -in sample.png -out unknown_media.aes -k supersecret
To find the password of this unknown media file:
^(%PDF|.PNG|\xFF\xD8\xFF|\xFF\xFB\xFF\xF3\xFF\xF2|ftyp)
^\(%PDF\|"$(echo -e "\x89")"PNG\|"$(echo -e "\xFF\xD8\xFF")"\|"$(echo -e "\xFF\xFB\xFF\xF3\xFF\xF2")"\|ftyp\)
bruteforce-salted-openssl -1 -b supersecre -c aes-256-cbc -d md5 -m 11 -M ^\(%PDF\|"$(echo -e "\x89")"PNG\|"$(echo -e "\xFF\xD8\xFF")"\|"$(echo -e "\xFF\xFB\xFF\xF3\xFF\xF2")"\|ftyp\) -s rstuv -v 1 unknown_media.aes
rstuv
t
supersecre
-D
$ bruteforce-salted-openssl -1 -b supersecre -c aes-256-cbc -d md5 -m 11 -M ^\(%PDF\|"$(echo -e "\x89")"PNG\|"$(echo -e "\xFF\xD8\xFF")"\|"$(echo -e "\xFF\xFB\xFF\xF3\xFF\xF2")"\|ftyp\) -s rstuv -v 1 unknown_media.aes Warning: minimum length (1) isn't bigger than the length of specified password characters (10). Setting minimum length to 11.
Tried / Total passwords: 2 / 5 Tried passwords per second: inf Last tried password: supersecret Total space searched: 40.000000% ETA: Tue 30 Apr 2024 03:07:53 PM EDT
Password candidate: supersecret
There might be a better alternative for matching binary data, but regex seems to work for now.
Magic using regex
This pull changes how matching is normally performed against the starting "magic" bytes.
The previous method of matching uses string comparison (strncmp), requiring an exact string to be present starting from the first position.
In cases where the file type is unknown and is likely to be in binary format, this check fails.
Test case
sample.png:
Lets create an encrypted file:
openssl enc -aes-256-cbc -md md5 -in sample.png -out unknown_media.aes -k supersecretTo find the password of this unknown media file:
^(%PDF|.PNG|\xFF\xD8\xFF|\xFF\xFB\xFF\xF3\xFF\xF2|ftyp)^\(%PDF\|"$(echo -e "\x89")"PNG\|"$(echo -e "\xFF\xD8\xFF")"\|"$(echo -e "\xFF\xFB\xFF\xF3\xFF\xF2")"\|ftyp\)bruteforce-salted-openssl -1 -b supersecre -c aes-256-cbc -d md5 -m 11 -M ^\(%PDF\|"$(echo -e "\x89")"PNG\|"$(echo -e "\xFF\xD8\xFF")"\|"$(echo -e "\xFF\xFB\xFF\xF3\xFF\xF2")"\|ftyp\) -s rstuv -v 1 unknown_media.aesrstuv) pertaining to the last character (t) and provided most of the password (supersecre) to speed up the above decryption and to make debugging output easily readable (if including-D).Tried / Total passwords: 2 / 5 Tried passwords per second: inf Last tried password: supersecret Total space searched: 40.000000% ETA: Tue 30 Apr 2024 03:07:53 PM EDT
Password candidate: supersecret