`
end
Now there are a few ways to tell this is uuencoded. First, all uuencoding starts with 'begin', then the file permissions of the file, in this case '664', then the file name, 'blah.txt'. Another way to tell is that uuencode uses the first character of each line to say how long that line is: in this case the first 3 lines use 'M' (a full 45-byte line) and the last line, which is shorter, uses a different letter, 'H'. The second to last line is always a lone backtick (`) and the very last line in uuencoded files is 'end'. So if you don't know what kind of encoding is used, just look for these signs.
base64
Well, base64 is the granddaddy of all encoding methods. It uses less CPU power to encode/decode than uuencode, and uuencode increases the file size much more; base64 only increases file size by about 33%. Base64 is compliant with US-ASCII and EBCDIC standards, neither of which uuencode is, making base64 much more compatible. Base64 is pretty much the standard when sending email attachments now; it is what MIME (Multipurpose Internet Mail Extensions) uses for email attachments. It is also used with some weak authentication methods. Like uue, base64 turns binary into ASCII so it can be transferred when a binary transfer cannot be established. Base64 uses 65 characters for encoding: 64 actual data characters and 1 extra character, =, which is used as padding at the end of the base64 data. Here is a base64 chart:
Table 1: The Base64 Alphabet

Value Encoding   Value Encoding   Value Encoding   Value Encoding
    0 A             17 R             34 i             51 z
    1 B             18 S             35 j             52 0
    2 C             19 T             36 k             53 1
    3 D             20 U             37 l             54 2
    4 E             21 V             38 m             55 3
    5 F             22 W             39 n             56 4
    6 G             23 X             40 o             57 5
    7 H             24 Y             41 p             58 6
    8 I             25 Z             42 q             59 7
    9 J             26 a             43 r             60 8
   10 K             27 b             44 s             61 9
   11 L             28 c             45 t             62 +
   12 M             29 d             46 u             63 /
   13 N             30 e             47 v
   14 O             31 f             48 w          (pad) =
   15 P             32 g             49 x
   16 Q             33 h             50 y
You can encode base64 by using the same uuencode command with the -m option. There is also a popular program called mpack which can do this as well. Mpack comes for a variety of operating systems; the Windows version is located at ftp://ftp.andrew.cmu.edu/pub/mpack/mpack15d.zip and the others are in the /pub/mpack directory. Using mpack should be pretty easy since it comes with a help file (readme.dos). Mpack doesn't just do base64, it does a few MIME types. To decode base64 you can use uudecode or munpack (comes with mpack); uudecode will automatically sense that it is base64 when decoding, so do it just like decoding uuencode. Mpack comes with that readme.dos file which will explain everything very easily.
Here is an example of what blah.txt looks like encoded in base64:
begin-base64 644 blah.txt
dGhpcyB0ZXh0IHdhcyBlbmNvZGVkIGluIHV1ZW5jb2RpbmcuCm5vIHRleHQg
d2FzIGhhcm1lZCBpbiB0aGUgY3JlYXRpb24gb2YgdGhpcyBmaWxlLgphbHRo
b3VnaCBhIGZldyBjcHUgY3ljbGVzIHdlcmUgdXNlZCB1cC4KOy0oCg==
====
(note: the above is a bad example of how b64 is generally smaller than uue)
Sometimes you will see content-type headers on base64 files, such as:

Content-Type: application/octet-stream; name="a.txt"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="a.txt"
Content-MD5: LByIVUcB0AGQTTnYDyzOjQ==

VGhpcyBpcyBiYXNlNjQsIGFuZCB5b3UganVzdCBkZWNvZGVkIGl0IGNvcnJlY3RseSE=
A few ways to tell this is base64: the Content-Transfer-Encoding header says base64. It also ends in =, which is a big hint; sometimes base64 ends in multiple ='s. Another way to tell is if the document contains many strings of "ICAg", which is what three spaces encode to. Often in longer base64 encoded files you will find many ICAg's all together like: ICAgICAgICAgICAgICAgICAgICAgICAg and this is a sign that the file is base64 encoded.
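The fingerprints described above, turned into a small detector and decoder. This is an added example, not code from the original article: it builds its own uuencoded sample with Python's binascii, reuses the article's blah.txt base64 body as constructed input, and assumes MIME headers in the input start with "Content-" (folded continuation lines are indented).

```python
import base64
import binascii
import re

# Constructed sample: the base64 body of the article's blah.txt example.
B64_BODY = (
    "dGhpcyB0ZXh0IHdhcyBlbmNvZGVkIGluIHV1ZW5jb2RpbmcuCm5vIHRleHQg\n"
    "d2FzIGhhcm1lZCBpbiB0aGUgY3JlYXRpb24gb2YgdGhpcyBmaWxlLgphbHRo\n"
    "b3VnaCBhIGZldyBjcHUgY3ljbGVzIHdlcmUgdXNlZCB1cC4KOy0oCg==\n"
)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # 64-char alphabet plus = padding

def uuencode(data: bytes, name: str, mode: str = "664") -> str:
    """Build a uuencoded file: 'begin <mode> <name>', 45-byte data lines (each
    starting with a length character, 'M' for a full line), then '`' and 'end'."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    return "\n".join(lines + ["`", "end"]) + "\n"

def _body(lines):
    # Drop MIME headers (and their indented continuation lines); keep the payload.
    return [ln for ln in lines if not (ln.startswith("Content-") or ln[0].isspace())]

def classify(text: str) -> str:
    """The article's fingerprints: begin/backtick/end is uuencode, begin-base64/====
    is uuencode -m output, and a body drawn from the base64 alphabet is base64."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    if lines[0].startswith("begin-base64 ") and lines[-1] == "====":
        return "base64 (uuencode -m)"
    if lines[0].startswith("begin ") and lines[-1] == "end" and lines[-2] == "`":
        # The first character of each data line gives its byte count as chr(32 + n).
        if all(ord(ln[0]) - 32 == len(binascii.a2b_uu(ln)) for ln in lines[1:-2]):
            return "uuencode"
    body = _body(lines)
    if body and all(B64_LINE.match(ln) for ln in body) and len("".join(body)) % 4 == 0:
        return "base64"
    return "unknown"

def decode(text: str) -> bytes:
    """Decode whatever classify() recognised, or raise."""
    kind, lines = classify(text), [ln for ln in text.splitlines() if ln.strip()]
    if kind == "uuencode":
        return b"".join(binascii.a2b_uu(ln) for ln in lines[1:-2])
    if kind.startswith("base64"):
        payload = lines[1:-1] if "-m" in kind else _body(lines)
        return base64.b64decode("".join(payload), validate=True)
    raise ValueError("not a recognised encoding")
```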
Rot-13
Rot-13 is probably the most basic type of encryption. It just rotates the letters in the alphabet by 13 characters. Since the alphabet is 26 letters, it just moves each letter to a new letter. It isn't really an encryption type, it is just kind of a way you can keep messages from less net-savvy people. Also it is sometimes used to keep info hidden that some people might not want to know; for example the ending of a movie might be in rot-13 so people who want to know can read it, and those who don't can watch the movie themselves =) Here is the rot-13 alphabet...
a = n
b = o
c = p
d = q
e = r
f = s
g = t
h = u
i = v
j = w
k = x
l = y
m = z
Rot-13 is a type of Caesar cipher, which means each letter is replaced by another letter and the replacement depends only on the plaintext character. To encrypt or decrypt rot-13 you can use the alphabet above, or just go to http://www.rot13.com/ and fill out the form.
XOR
XOR stands for eXclusive OR. What it does is compare 2 values against each other: if they are the same it returns a false (or 0) value, if they are different it returns a true (or 1) value. Since xor works on the binary level it only compares 0's and 1's. To decode xor you can write a simple program. In most languages ^ is the xor operator, so it would be something like: "whateverstring" ^= 1; You can even use the Windows (or any other OS) calculator to do it. Start->Run->calc.exe, then click View and select Scientific. Enter in a number, select the 'bin' (binary) button and then press 'xor', go back to 'dec' (decimal) and enter in a second number (also known as the mask), press 'bin' again and then press '='. It should be something like this:
170, changed to binary, is: 10101010
xor
255, changed to binary, is: 11111111
=
01010101, changed to decimal: 85
Now, if you followed along above you will know that it checks the
binary values against each other. I'll do it by hand so you can see how it
works.
10101010
11111111
--------
01010101
if you still don't see it, let me explain:
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
1 1 - they are the same, so xor returns 0
0 1 - they are different, so xor returns 1
Now here is a perl script for an XOR encryptor/decryptor:
--- script kiddies grep for 'cut here' ---
#!/usr/bin/perl
#
# encrypt/decrypt xor
#
# Get Otp here: http://www3.marketrends.net/encrypt/download/Babel_Otp_Rot13.tar
# (Otp is a third-party module; the same Otp() call is used for both directions,
# since xor-ing a second time with the same key gives the original back)
#
use Otp;
$xor = new Otp;
print 'type e for encrypt, anything else for decrypt:';
chomp($todo = <STDIN>);
if ($todo eq 'e'){
    print 'type in the string you want encrypted:';
    chomp($original = <STDIN>);   # chomp so the newline is not part of the data
    print 'type in the key you want to use:';
    chomp($key = <STDIN>);        # ...or of the key
    $encrypted = $xor->Otp($original, "$key");
}
else{
    print 'type in the string you want decrypted:';
    chomp($encrypted = <STDIN>);
    print 'type in the key to decrypt the string:';
    chomp($key = <STDIN>);
    $original = $xor->Otp($encrypted, "$key");
}
print "The original string is: $original\n";
print "The encrypted string is: $encrypted\n";
exit;
--- script kiddies cannot bother looking at the code, so 'stop cutting here' ---
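The same XOR operations in Python, covering both the by-hand bit table (170 xor 255) and the encrypt/decrypt-with-a-key idea of the Perl script. This is an added example, not the article's code; the message and keys are constructed, and the last function is a plain implementation of the "brute force the mask" idea for a one-byte mask, scoring candidates by how many letters and spaces come out.

```python
def xor_bits(a: int, b: int, width: int = 8) -> list:
    """Return (bit_a, bit_b, bit_a ^ bit_b) per position, most significant
    first, i.e. the by-hand table the article writes out for 170 xor 255."""
    return [((a >> i) & 1, (b >> i) & 1, ((a ^ b) >> i) & 1)
            for i in range(width - 1, -1, -1)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key (the 'mask'), repeating the key when it is
    shorter than the data. Running it again with the same key undoes it,
    which is why one routine serves as both encryptor and decryptor."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_single_byte_mask(ciphertext: bytes) -> int:
    """Try all 256 one-byte masks and keep the one whose output looks most
    like English text (letters and spaces). Constructed scoring, not Vcrack's."""
    def score(buf: bytes) -> int:
        return sum(c == 0x20 or 0x41 <= c <= 0x5A or 0x61 <= c <= 0x7A for c in buf)
    return max(range(256), key=lambda k: score(xor_bytes(ciphertext, bytes([k]))))
```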
If you don't know the mask of the xor you can brute force it with a program called Vcrack (Unix version here). Although it will have to be a pretty weak key for this to work in a reasonable amount of time (don't expect it to crack keys and strings longer than 10 characters).
DES
DES stands for Data Encryption Standard; it is a very commonly used encryption method. So common in fact that it is used on nearly every *nix machine to encrypt the passwords. DES, unlike most of the above, cannot be easily decrypted by moving bits or performing a simple command. There is no reasonable way of decrypting DES; instead you have to rely on "brute forcing" the password. What brute forcing means is trying different passwords until you get the right one; this might be 100 guesses, it might be 100,000,000. It depends on how good the password the user picked is.
Now this is pretty interesting.. when IBM originally created DES they used a 128-bit key, but when the NSA (National Security Agency) made it a standard they lowered it to 56 bits. This made the encryption much weaker. Some people (cough*everyone*cough) think that they made it weaker because with 128 bits they would not be able to brute force it. Also, it has been reported that the government has tried to stop research and documentation on more advanced ciphers.
Since brute forcers usually try all the combinations of letters first, it is always smart to add in a number or two for your passwords. Using both upper and lower case letters can also help, as well as adding a special character (such as: &).
Now I won't explain how DES works in detail, but the basics are that it takes a message and breaks it into 64-bit groups and takes a key that is 56 bits (actually 64 bits, but every 8th bit is ignored). DES is a block cipher, which means it takes plaintext and groups it into a fixed length (64 bits) and then runs its encryption algorithm on each block. A seed (what crypt() calls the salt) is kind of the key to the whole thing; when you encrypt a password with DES you get the seed as the first two characters of the encrypted data. Run the following script and check the first two characters of your encrypted password against your chosen seed.
To encrypt DES you can use this perl script:
--- script kiddies grep for 'cut here' ---
#!/usr/local/bin/perl
#
# script to encrypt des. to decrypt you will need to brute force it.
#
print 'enter in the username:';
chomp($username = <STDIN>);
$password = 1234567890;       # start out too long so the loop below asks at least once
while((length($password)) > 8){
    print 'enter in the password (8 or less characters):'; # remember it is a block cipher of 64 bits (8 bytes)
    chomp($password = <STDIN>);
}
$seed = 'not_two';            # same trick: force the loop to ask for a seed
while ((length($seed)) != 2){
    print 'enter in the seed (2 characters):'; # seeds must be 2 characters, from ./0-9A-Za-z
    chomp($seed = <STDIN>);
}
$encrypted = crypt($password, $seed);   # crypt() returns the seed followed by 11 characters of hash
print "your username:password is:\n\n";
print "$username:$encrypted";
exit;
--- script kiddies cannot bother looking at the code, so 'stop cutting here' ---
To decrypt you need to use a program that can brute force it. The hackers' favorite is JTR, John The Ripper, available for both Windows and *nix systems. I will go over how to use JTR to its fullest.
Using JTR
Step one in using JTR is getting and installing jtr on your computer. Head over to http://www.openwall.com/john/ and get the version of JTR you would like.
After you finish installing JTR get out the username and password you would like to crack. If you do not know what the username and password looks like, or do not have a username and password to crack, just use b0iler for the username and YyBWL06.zBiZE for the encrypted password.
Now to create the file that JTR will crack, put the username and password in this format:
b0iler:YyBWL06.zBiZE
so it's username:password. If you are trying to crack a *nix password file (/etc/shadow) you can leave it in its current format. You can also put multiple usernames and passwords in, like:
b0iler:YyBWL06.zBiZE:0:0:owns:/home/b0iler:/bin/bash
root:Yym34X1Wq86GI:0:0:pansy:/dev/null:/bin/sh
cyrus:YySNBbemZw8pI:9999:10:obese:/slim/fast:/bin/hamburger
All you really need is the username:password, but since the *nix password file contains more info on users you can just leave them in (it will make no difference to JTR). Here is a tip: if you do not care which user's password you crack, just run them all. If you want root then take out the rest, and save them in a different file just in case. Save the file in the same directory as JTR; you can name it anything (ex. pass1.txt).
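The file preparation above (and the earlier "check the first two characters against your seed" step) as a small Python helper. This is an added example, not the article's or JTR's code: it parses the article's three passwd-style lines (used here as constructed input), recognises the 13-character DES crypt() hash format, reads the seed off the front of it, and writes out user:hash lines, optionally keeping only the users you care about.

```python
import re

# Constructed sample input: the three passwd-style lines the article shows.
PASSWD_LINES = """\
b0iler:YyBWL06.zBiZE:0:0:owns:/home/b0iler:/bin/bash
root:Yym34X1Wq86GI:0:0:pansy:/dev/null:/bin/sh
cyrus:YySNBbemZw8pI:9999:10:obese:/slim/fast:/bin/hamburger
"""

# Traditional DES crypt() output is 13 characters from ./0-9A-Za-z and the
# first two of them are the seed (salt) the password was hashed with.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_passwd(text: str) -> list:
    """Return (user, hash) pairs from plain user:hash lines or from full
    passwd/shadow lines; only the first two fields matter to JTR."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed line: {line!r}")
        entries.append((fields[0], fields[1]))
    return entries


def hash_kind(h: str) -> str:
    """'des-crypt' for a 13-char crypt() hash, 'no-hash' for locked or shadowed
    accounts (x, *, ! or empty), 'other' for any other hash format."""
    if h in ("", "x", "*") or h.startswith("!"):
        return "no-hash"
    return "des-crypt" if DES_CRYPT_RE.match(h) else "other"


def seed_of(h: str) -> str:
    """The seed the article tells you to check: the first two characters."""
    if hash_kind(h) != "des-crypt":
        raise ValueError(f"not a DES crypt() hash: {h!r}")
    return h[:2]


def make_john_input(text: str, only_users=None) -> str:
    """Build the user:hash file JTR expects, optionally keeping only some users
    (the article's 'if you want root then take out the rest')."""
    out = []
    for user, h in parse_passwd(text):
        if only_users is not None and user not in only_users:
            continue
        if hash_kind(h) == "no-hash":
            continue  # nothing to crack for this account
        out.append(f"{user}:{h}\n")
    return "".join(out)
```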
Now go to a command prompt; *nix users will know how.. Windows users: Start->Programs->MS-DOS Prompt, then type in: cd c:\unzipped\john-16w (or whatever dir it is in), then cd john-16 (or whatever dir) and finally cd run. This is the directory where you should have saved the password file you wish to crack. Now run jtr by issuing
john -single pass1.txt
or use whatever you named your password file. What this does is a very basic brute force attack on the password. The -single attack is a very quick and basic attack which tries to break weak passwords. If this does not work, or if you know that the users pick strong passwords, I would move on to using JTR's ability to do wordlist (otherwise known as dictionary) attacks. This lets you use a file called a wordlist in JTR's attack: JTR will try every string of characters in the wordlist file and see if any are the passwords. To use a wordlist issue this command:
john -w:wordlist.txt pass1.txt
You can get a wordlist at http://wordlist.sourceforge.net/ I would recommend a wordlist around 3mb; it will crack most standard passwords people pick.
Now you can add rules to JTR to make it work extremely fast, but for this you need to know a little about the password. Like if it uses numbers or only letters, if it is a certain number of characters long, etc.. Most of the time you have no clue, so telling newbies about rules is mostly pointless and will just be confusing. Just stick with the standard ways unless you know some info on the passwords. If you know that the password is 7 characters then by all means please tell JTR that! It will allow JTR to only try combinations of 7 characters so it will crack the pass A LOT faster. But as I said, it is rare that you know anything about the passwords like this :/
The last method you should try is incremental; this attack tries every possible combination of characters until it gets it. This means it could take a long long time for JTR to crack it.. but it will crack it. To do an incremental attack issue this command:
john -i:all pass1.txt
This will go through every possible character, number, and special character until it gets it. If you don't think the users use special characters use
john -i:lanman pass1.txt
This will try letters, numbers.. but just a few special characters. Now there are other more advanced ways to use JTR; some are very cool and can save you a lot of time, such as the ability to use multiple computers on the same password. This splits up the time it takes by a lot. Let's say you use your school's computer lab for a night. If it has 20 computers you are almost guaranteed that one of them will crack it =)
Also editing the configuration file, john.ini, will allow you more customization. Since this is more advanced and not done by normal JTR users, I will let the ones who wish to learn about it visit Monkee's Advanced JTR Tutorial.
Now let JTR run for A LONG TIME; don't email me asking why it is taking over 12 hours to crack a password. JTR has to brute force it.. this takes lots of time. Don't be surprised to spend a long time waiting for it to crack. When I say long, I mean L O N G. If you think 12 hours is long I will just laugh at you.
While JTR is running you can check its status by pressing enter. This will display where it is at, how fast it is going, and other info you might find amusing. Once it's done check the default cracked password file: john.pot.. with any luck you'll get the password and be home free. JTR can also be used to brute force other forms of encryption.. although I've had problems in the past trying to use JTR to crack other cryptos.
Conclusion
Well, that's all a newbie would need to know about crypto to get into it. Encoding, decoding, detecting the type of crypto used.. that's all you need to know to break the basic types of crypto widely used. If you wish to get more into crypto you will need to understand how the algorithms of the encryption work; for this you will need to be above average in math and be very dedicated to it. If you are interested in learning about more advanced crypto, I have heard from many many people that the book "Applied Cryptography" is the best book ever written for learning cryptography. A few other encryption methods you might want to look into include PGP, SSL, Twofish, Blowfish, triple DES, and steganography.
Most of the stuff I covered I learned from reading, some from experimenting, and a little bit is just my opinion or take on things. I coded all the scripts and don't care if you distribute them under your name or whatever since they took me a total of like 12 minutes to do. I didn't even use any leetspeak in this article :D
extra bonus info for more advanced jtr usage.. taken from a post on the bsrf message board:
Posted by -= ArkangeL =- *.uc.nombres.ttd.es - 2001/Oct/31 15:43
optimize John the Ripper
hi all, to optimize at maximum john try this:
change the lines in 'Makefile'

linux-x86-any-elf:
        $(LN) x86-any.h arch.h
        $(MAKE) $(PROJ) \
                JOHN_OBJS="$(JOHN_OBJS) x86.o" \
---->           CFLAGS="$(CFLAGS) -m486" <-------

for this:

                CFLAGS="$(CFLAGS) -mcpu=i686 -march=i686"

it changes the speed from 44000 passwd/sec to 77000 passwd/sec on an AMD 600 MHz ;)
have a good crack
super bonus news: seems litewait put his tutorial on jtr back up! It's a really great tutorial that will teach you how to use jtr very well, get it at www.alt-fs.com/jtr.html
[-----]
http://b0iler.eyeonsecurity.net/ - A really good site with tons of original tutorials.
[-----]