Re: [Full-disclosure] Cipher detection
- To: Maksim.Filenko@xxxxxxxx
- Subject: Re: [Full-disclosure] Cipher detection
- From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Apr 2011 15:02:49 -0700
> Here're some more examples:
>
> dummy@xxxxxxxxxxx GGobQ2bsqd64PXVAmaDiDBg=
> eummy@xxxxxxxxxxx GWobQ2bsqd64PXVAmaDiDBg=
> dummy@xxxxxxxxxx GGobQ2bsqd64PXVAmaDiDA==
> dummy@example.@ex GGobQ2bsqd64PXVAmaDBBg0=
> dummy GGobQ2Y=
> dumm GGobQw==
> eummy GWobQ2Y=
> eumm GWobQw==
> example.com GWcXQ2/AqYi6P2g=
> dxample.com GGcXQ2/AqYi6P2g=
> 11111@xxxxxxxxxxx TS5HHy7sqd64PXVAmaDiDBg=
> 11111 TS5HHy4=
>
> Looks like a base64+xor, am I right? And that's enough information for me.
Yes, it looks like a fixed key stream XORed with the plaintext.
Note that this could mean they're using any number of "good"
encryption algorithms (block cipher in OFB mode, stream cipher) with a
fixed IV. This means the encryption is very broken, but it doesn't
necessarily mean they are using some half-baked custom obfuscation
technique. They could be, but be careful with your accusations.
HTH,
tim
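The known-plaintext check Tim describes, worked through on the unredacted sample pairs quoted above, as an added example that is not part of the original thread. The samples whose domain is masked with x's are left out, since their plaintext is not on the page. The code XORs each plaintext with its base64-decoded ciphertext, insists that every pair yields the same keystream byte at the same position (the signature of a fixed key stream, whether from a custom XOR or a proper stream cipher or OFB-mode block cipher run with a fixed IV), and then uses the keystream recovered from one message to decrypt a different one. It also shows the ciphertext-only check: under a fixed keystream, c1 XOR c2 equals p1 XOR p2.

```python
import base64

# Constructed from the plaintext/ciphertext pairs posted in the thread.
# Only samples with an unredacted plaintext are included.
SAMPLES = {
    "dummy": "GGobQ2Y=",
    "dumm": "GGobQw==",
    "eummy": "GWobQ2Y=",
    "eumm": "GWobQw==",
    "example.com": "GWcXQ2/AqYi6P2g=",
    "dxample.com": "GGcXQ2/AqYi6P2g=",
    "11111": "TS5HHy4=",
}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(samples: dict) -> bytes:
    """Recover the fixed keystream from known (plaintext, ciphertext) pairs.

    Every pair contributes keystream[i] = plaintext[i] ^ ciphertext[i].
    If two pairs disagree about any position, the key stream is not fixed
    (or the scheme is not a plain XOR), and we refuse to guess.
    """
    ks = {}
    for pt, ct_b64 in samples.items():
        ct = base64.b64decode(ct_b64)
        # No IV, no padding, no tag: ciphertext length equals plaintext length.
        if len(ct) != len(pt):
            raise ValueError(f"{pt!r}: ciphertext length {len(ct)} != plaintext length {len(pt)}")
        for i, k in enumerate(xor_bytes(pt.encode(), ct)):
            if ks.setdefault(i, k) != k:
                raise ValueError(f"keystream byte {i} differs between samples")
    # Require a contiguous prefix so decrypt() can rely on positions 0..n-1.
    if sorted(ks) != list(range(len(ks))):
        raise ValueError("recovered keystream has gaps")
    return bytes(ks[i] for i in range(len(ks)))


def decrypt(ct_b64: str, keystream: bytes) -> str:
    """Decrypt any ciphertext no longer than the recovered keystream."""
    ct = base64.b64decode(ct_b64)
    if len(ct) > len(keystream):
        raise ValueError("ciphertext longer than recovered keystream")
    return xor_bytes(ct, keystream).decode()


def ciphertext_xor(ct1_b64: str, ct2_b64: str) -> bytes:
    """Ciphertext-only check: with a fixed keystream, c1 ^ c2 == p1 ^ p2.

    Two messages that differ in one plaintext byte give ciphertexts that
    differ in exactly that byte, with no key needed to see it.
    """
    return xor_bytes(base64.b64decode(ct1_b64), base64.b64decode(ct2_b64))


if __name__ == "__main__":
    ks = recover_keystream(SAMPLES)
    print("keystream:", ks.hex())
    # The keystream learned from "example.com" decrypts an unrelated message.
    print(decrypt("TS5HHy4=", ks))
    print(ciphertext_xor(SAMPLES["dummy"], SAMPLES["eummy"]).hex())
```

The consistency check is the part worth keeping: if `recover_keystream` raises on a fresh set of samples, the scheme is something other than a fixed XOR pad, and the accusation Tim warns about is not yet supported.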
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/