Regressive bug where samples will be incorrectly identified as base64 encoded and "decoded".

I've been really digging featherduster since I originally saw it. I've had to install it on a few boxes so far, and I thought that building it into a docker image and committing it to an internal repo would be helpful.

If there is interest, I will commit what I have here to my fork and will make a PR.

Building featherduster

git clone https://github.com/nccgroup/featherduster.git
cd featherduster && docker build .

Running Container

docker run -it my/featherduster
Welcome to FeatherDuster!

To get started, use 'import' to load samples.
Then, use 'analyze' to analyze/decode samples and get attack recommendations.
Next, run the 'use' command to select an attack module.
Finally, use 'run' to run the attack and see its output.

For a command reference, press Enter on a blank line.


FeatherDuster>

Mounting local volume so you can load files

docker run -it -v ${PWD}:/data --entrypoint "python /opt/featherduster/featherduster.py file1.dat" my/featherduster 

Note: the files you want to look at must exist in your current working directory

Thanks!

I'd like to split the cryptanalib module into helpers.py, modern.py, and classical.py. However, I'd like to not have to rewrite everything that uses cryptanalib, that is, import cryptanalib; cryptanalib.some_function() should work the same for any given some_function() as it does today.

Nice

From @alexlauerman:

Can we get some usage info about the ciphertext file format and the types of attacks it supports or identifies?

Yes, Alex, yes you can.

RSA OAEP padding oracle attack [http://dl.acm.org/citation.cfm?id=704143]

Since the detect_plaintext function is used widely in cryptanalib, I suggest a few improvements that I encountered while prototyping my vigenere solver:

• the pt_frequency_table_keys list used for single letter analysis is built up at every call using filter, which causes a substantial performance decrease when using extensive brute-force attacks
• For the final score, the scores from word count and multigraph frequency deviation (two numbers with completely different scales and meanings) are added up in a mathematically ambiguous way. And also this "weighting" of the two scores is hard wired.
• The word count doesn't respect that longer words should contribute more to the score than smaller ones.
• Common english words with a length of two characters are already analyzed by the multigraph analysis and should therefore be ignored when both methods are in use.

Certain attack functions such as Vaudenay's padding oracle attack or the multi-byte XOR solver would benefit from some parallelization, but currently this isn't done.

Would love for this to be in python 3. I work with a lot of other crypto code and mostly it's in 3 now. Switching back and forth between environments can be a pain.

I did a 2-to-3 check on this, and it looks like your ishell reliance will make the transition difficult since they don't support 3 either.

Sometimes people create silly, trolly obfuscation using an odd base-N encoding scheme such as base-34. It should be possible to brute force through all the possible base-N schemes up to base36 with long(string, N), use our cryptanalib.long_to_string() function to convert the number to a string, then score each result, sort, and return the best results.

CTF people love Vigenére challenges as easy-level crypto challenges. Let's write a solver for them.

I ran into a problem recently where an alphanumeric shift was applied after a vigenere cipher. It'd be nice to directly import the new cipher and begin analysis on it as well as the original cipher.

Batch GCD can check a large number of RSA moduli for common primes quickly. An example written in Sage is available on FactHacks.

It was suggested to me that we should have a tutorial for using FD/CA where we walk through the first few sets of cryptopals with it. This is a nice idea! Even if we don't use cryptopals, tutorials on how to use FD/CA would be great.

While I don't see there being a crazy amount of real-world usage of RSA fault attack functionality (hey, I could be wrong!) it is a popular CTF problem, since you can provide a series of faulty signatures in a text file and not have to deal with server costs or hassles. It's also a problem with many faces: If p or q get corrupted during RSA-CRT, a little GCD magic is enough to recover the private component. However, if d or N get corrupted, the math gets more complex.

I've already got a prototype RSA-CRT fault attack function written, and there are a few recent writeups describing the problem and solution with d corruption thanks to the problem's inclusion in the recent CSAW CTF, so I should be able to take a look at a few reference implementations for solutions and write one, especially considering one of them includes a set of captured faulty signatures.

If you cryptanalyze encrypted binary data, or a very large sample, the current output from FeatherDuster (dump the output on your terminal) is really not practical.

Paging large amounts of data sounds relatively straight forward, and there's likely something in Python's stock module set which does that. hexdump -C style output should be easy enough, but how do we dump data in a more usable way, for instance, to some output file? When should we do that instead of just printing it to the terminal?

Add a function for Merkle-Daamgard hash length extension attacks in various algorithms to Cryptanalib and a corresponding FeatherModule.

It would be cool to have a function whose prototype is like:

rebuild_rsa_key(p=None, q=None, d=None, dp=None, dq=None, N=None, e=None, c=None, m=None)

It would step through a bunch of use cases to see if it could reconstruct the rest of the key. Mostly useful for CTF stuff, but would be nice once we have functions that could be used to recover a single factor or some such.

Implement https://en.wikipedia.org/wiki/Wiener%27s_Attack

Web-safe base64 (base64 but with an altered charset to avoid using URL metacharacters) is really common. Let's support it.

There is an attack on ECB where a secret appended to user input, encrypted, and disclosed in encrypted form can be obtained in plaintext form by bytewise brute force with carefully aligned boundaries. This attack is already implemented as cryptanalib.ecb_cpa_decrypt.

This attack ALSO applies to CBC mode when a static IV is in use. It's a common flaw to use a static IV with CBC mode, and as such this is a very practical attack. We should add this attack to cryptanalib.

Hi, I might be interested in working on autocompletion on inputs (filenames and/or paths)?
Would you be interested?
On the tip of my head I was going for the rlcompleter and readline packages that might introduce new dependencies (not sure).
Do you have a better idea of how to do it?

Cheers

My frequency deviation algorithm seems like it would be inferior to the chi square method as chi square produces worse scores for more significant deviation from expected frequency. I'd like to try out this method vs the existing method for long and short plaintexts and see how well it does.

Currently, large parts of Cryptanalib and FeatherDuster assume that the expected frequency distribution for the plaintext of the target samples is American English, as generated for and distributed with Cryptanalib.

Since we provide functions for end users to generate their own frequency data compatible with functions in Cryptanalib, that data should be usable in functions which rely on frequency data.

(Note: If you work on this issue, please add milestones as functions or modules are converted to allow custom frequency data.)

Currently, featherduster is findable via pip search featherduster, however it is not installable:

% pip install featherduster
Collecting featherduster
  Could not find a version that satisfies the requirement featherduster (from versions: )
No matching distribution found for featherduster
[1]    41436 exit 1     pip install featherduster

Sample file: https://github.com/ctfs/write-ups-2017/raw/master/alexctf-2017/cryptography/cr2-many-time-secrets-100/msg

# featherduster /tmp/msg
FeatherDuster> analyze
[+] Analyzing samples...
[+] Messages appear to be ASCII hex encoded, hex decoding and analyzing again.
[+] Messages may be encrypted with a stream cipher or simple XOR.
[!] Individual messages have failed statistical tests for randomness.
[!] This suggests weak crypto is in use.
[!] Consider running single-byte or multi-byte XOR solvers.

[+] Suggested modules:
   alpha_shift          - A brute force attack against an alphabetic shift cipher.
   base_n_solver        - A solver for silly base-N encoding obfuscation.
   single_byte_xor      - A brute force attack against single-byte XOR encrypted ciphertext.
   multi_byte_xor       - A brute force attack against multi-byte XOR encrypted ciphertext.
   many_time_pad        - A statistical attack against keystream reuse in various stream ciphers.
   vigenere             - A module to break vigenere ciphers using index of coincidence for key length detection and frequency analysis.

FeatherDuster> use multi_byte_xor
FeatherDuster> run
[+] Running multi-byte XOR brute force attack...

Best candidate decryptions for )$*c4-+6i',  !...:
----------------------------------------

Trying keysize 26
Processing chunk 26 of 51
Trying keysize 13
Processing chunk 39 of 51
Trying keysize 12
Processing chunk 51 of 51
Dear Friend, This time I understood my mistake and used One time pad encryption scheme, I heard that it is the only encryption method that is mathematically proven to be not cracked ever if the key is kept secure, Let Me know if you agree with me to use this encryption scheme always.
Bfay<Friens0This tgSr.I uhgeyotood zemistakkv`d uufd+Sne tizypad enmLn~tioh#shteme, ^<Jeard tf_c.it op te onln<GncryptgQy.metnld+hhat id<OathemazWtolly&srdjen to7~G not c|_teed cuey<if thr<Iey is e[gz seevrn0 Let Zyknow ihnau aaqen<with zyto use.Jgs eh`rrltion dJeme aly_n}.
Wlao Ww[hes,-Vbic:chmt.I+MjmcosilZi my:oesdwzc {wd<Mqlb1Itfnize<rmh6tnec~tsWl%sunty[! X tkkyr:rean(inmq iyt#Qelh,girxjedit(ayGlfs=rydJ+ed+wcihswvyouogpA3yrrvtkyd7bh"dod:tsareeoaco teyhe qgu ye1mejm o]a|tt*:O[n Ze<ibca1xk7cau:Yewes&f}Je |e<ze+cic-tras:QjardaejQe borlge!{}zgc{"

How to show the key being used?

Add crib dragging tool like CribDrag but one that's compatible with the BSD license.

More entropy tests can't hurt in improving our analysis function, right? ...right?

...I guess I'm not convinced...

Add option to search for already factorized keys on 'factordb.com'.

Add N recovery function as described in this CTF challenge writeup: [http://duksctf.github.io/TUCTF-Secure-Auth/]

One of the more common manifestations of Vaudenay's CBC padding oracle attack is in web applications. Let's write a module to generate a web app specific exploit script.

Running the column_trans module fails. I'll try my hand at making a fix but just letting others know.

↳ python featherduster.py     
Welcome to FeatherDuster!

To get started, use 'import' to load samples.
Then, use 'analyze' to analyze/decode samples and get attack recommendations.
Next, run the 'use' command to select an attack module.
Finally, use 'run' to run the attack and see its output.

For a command reference, press Enter on a blank line.

FeatherDuster> import singlefile
Please enter the filename you want to open: railfence.crypt

FeatherDuster> analyze 
[+] Analyzing samples...
[+] Messages may be encrypted with a stream cipher or simple XOR.
[!] Individual messages have failed statistical tests for randomness.
[!] This suggests weak crypto is in use.
[!] Consider running single-byte or multi-byte XOR solvers.
[!] Ciphertexts match the frequency distribution of a transposition-only ciphertext.
[!] Consider using transposition solvers (rail fence, columnar transposition, etc)

[+] Suggested modules:
   alpha_shift          - A brute force attack against an alphabetic shift cipher. 
   base_n_solver        - A solver for silly base-N encoding obfuscation.          
   single_byte_xor      - A brute force attack against single-byte XOR encrypted ciphertext.
   column_trans         - A brute force attack against columnar transposition ciphers.
   multi_byte_xor       - A brute force attack against multi-byte XOR encrypted ciphertext.
   many_time_pad        - A statistical attack against keystream reuse in various stream ciphers.
   vigenere             - A module to break vigenere ciphers using index of coincidence for key length detection and frequency analysis.

FeatherDuster> use column_trans                                                                      

FeatherDuster> run
Best results of columnar transposition solve:
--------------------------------------------------------------------------------
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/ishell/console.py", line 102, in loop
    self.walk_and_run(input_)
  File "build/bdist.linux-x86_64/egg/ishell/console.py", line 69, in walk_and_run
    self.walk(command, 0, run=True, full_line=command)
  File "build/bdist.linux-x86_64/egg/ishell/console.py", line 54, in walk
    return cmd.complete(line_commands[1:], buf, state, run, full_line)
  File "build/bdist.linux-x86_64/egg/ishell/command.py", line 69, in complete
    return self.run(full_line.rstrip())
  File "featherduster.py", line 288, in run
    feathermodules.results = feathermodules.selected_attack['attack_function'](feathermodules.samples)
  File "/home/glenn/featherduster/feathermodules/classical/columnar_transposition.py", line 11, in break_columnar_transposition
    print '\n'.join(results)
TypeError: sequence item 0: expected string, list found

[http://www.dsi.unive.it/~focardi/RSA-padding-oracle/#BFKSST12] presents an optimized version of the bleichenbacher algorithm.

When word boundaries are known in a simple sub ciphertext, the QuipQiup algorithm is incredibly good at solving them. Having an offline version implemented in Cryptanalib would be awesome!

I tried cloning the repo and running a simple autopwn on some samples. Everytime I get this:

(...)
Running module: vigenere
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/ishell/console.py", line 102, in loop
    self.walk_and_run(input_)
  File "build/bdist.linux-x86_64/egg/ishell/console.py", line 69, in walk_and_run
    self.walk(command, 0, run=True, full_line=command)
  File "build/bdist.linux-x86_64/egg/ishell/console.py", line 54, in walk
    return cmd.complete(line_commands[1:], buf, state, run, full_line)
  File "build/bdist.linux-x86_64/egg/ishell/command.py", line 69, in complete
    return self.run(full_line.rstrip())
  File "featherduster.py", line 236, in run
    print feathermodules.module_list[attack]['attack_function'](feathermodules.samples)
  File "/home/roman/bin/packages/re/featherduster/feathermodules/classical/vigenere.py", line 16, in break_vigenere
    coefficient_word_count=float(options['coefficient_word_count']))
  File "/home/roman/bin/packages/re/featherduster/cryptanalib/classical.py", line 325, in break_vigenere
    key_lengths = evaluate_vigenere_key_length(ciphertext, scan_range)[:num_key_lengths]
  File "/home/roman/bin/packages/re/featherduster/cryptanalib/classical.py", line 237, in evaluate_vigenere_key_length
    key_length_best_guesses = map(list, zip(*ioc_best_guesses))[0]
IndexError: list index out of range

Having modules ask users to define options at runtime is clunky for module developers and will lead to inconsistent option parsing and unnecessary duplication of code. Let's move that functionality into FeatherDuster itself.

MSYS2 was suggested as a compatibility layer to allow easier installation of FD and its dependencies (mostly GMP) on Windows.

expected: column transformation analysis of manual import string
what happened: featherduster reports '[*] Module execution failed, please report this issue at https://github.com/nccgroup/featherduster/issues"
how to reproduce: any attempt to run the module column_trans seems to fail, no matter the input string.
version: featherduster-148.1d20594-2
system: arch linux x86_64
original output of featherduster:

FeatherDuster> import manualentry
Please enter your sample: Tlc i dn d kqinimde. Nt kqinl ic ypdy oh kzqiociyt. Nt kqinl ic ypdy oh bzagimg flofel jt wpdy yplt cdt dma ypims, moy wpdy yplt eoos eisl. Nt kqinl ic ypdy oh ozycndqyimg toz, Conlypimg ypdy toz wiee mlxlq hoqgixl nl hoq. Jzy ypl fdcc: YplNlmyoq

FeatherDuster> analyze 
[+] Analyzing samples...
[+] Messages may be encrypted with a stream cipher or simple XOR.
[!] Individual messages have failed statistical tests for randomness.
[!] This suggests weak crypto is in use.
[!] Consider running single-byte or multi-byte XOR solvers.
[!] Ciphertexts match the frequency distribution of a transposition-only ciphertext.
[!] Consider using transposition solvers (rail fence, columnar transposition, etc)

[+] Suggested modules:
   alpha_shift          - A brute force attack against an alphabetic shift cipher. 
   base_n_solver        - A solver for silly base-N encoding obfuscation.          
   single_byte_xor      - A brute force attack against single-byte XOR encrypted ciphertext.
   column_trans         - A brute force attack against columnar transposition ciphers.
   multi_byte_xor       - A brute force attack against multi-byte XOR encrypted ciphertext.
   many_time_pad        - A statistical attack against keystream reuse in various stream ciphers.
   vigenere             - A module to break vigenere ciphers using index of coincidence for key length detection and frequency analysis.

FeatherDuster> use alpha_shift

FeatherDuster> run
Best results of alpha shift solve:
--------------------------------------------------------------------------------
tlc i dn d kqinimde. nt kqinl ic ypdy oh kzqiociyt. nt kqinl ic ypdy oh bzagimg flofel jt wpdy yplt cdt dma ypims, moy wpdy yplt eoos eisl. nt kqinl ic ypdy oh ozycndqyimg toz, conlypimg ypdy toz wiee mlxlq hoqgixl nl hoq. jzy ypl fdcc: yplnlmyoq

FeatherDuster> use base_n_solver

FeatherDuster> run
Best answers for sample: Tlc i dn d kqinimde. Nt kqinl ic ypd

--------------------------------------------------------------------------------

FeatherDuster> use dingle_byte_xor
Invalid module selection. Please try again.

FeatherDuster> use single_byte_xor

FeatherDuster> run
[+] Running single-byte XOR brute force attack...
Best candidate decryptions:
----------------------------------------

'Tlc i dn d kqinimde. Nt kqinl ic ypdy oh kzqiociyt. Nt kqinl ic ypdy oh bzagimg flofel jt wpdy yplt cdt dma ypims, moy wpdy yplt eoos eisl. Nt kqinl ic ypdy oh ozycndqyimg toz, Conlypimg ypdy toz wiee mlxlq hoqgixl nl hoq. Jzy ypl fdcc: YplNlmyoq' (score: 2.439714)
'\\dk(a(lf(l(cyafaelm&(F|(cyafd(ak(qxlq(g`(cryagkaq|&(F|(cyafd(ak(qxlq(g`(jrioaeo(ndgnmd(b|(\x7fxlq(qxd|(kl|(lei(qxae{$(egq(\x7fxlq(qxd|(mgg{(ma{d&(F|(cyafd(ak(qxlq(g`(grqkflyqaeo(|gr$(Kgfdqxaeo(qxlq(|gr(\x7famm(edpdy(`gyoapd(fd(`gy&(Brq(qxd(nlkk2(QxdFdeqgy' (score: 3.585317)
'Ks|?v?{q?{?tnvqvr{z1?Qk?tnvqs?v|?fo{f?pw?tenvp|vfk1?Qk?tnvqs?v|?fo{f?pw?}e~xvrx?yspyzs?uk?ho{f?fosk?|{k?{r~?fovrl3?rpf?ho{f?fosk?zppl?zvls1?Qk?tnvqs?v|?fo{f?pw?pef|q{nfvrx?kpe3?\\pqsfovrx?fo{f?kpe?hvzz?rsgsn?wpnxvgs?qs?wpn1?Uef?fos?y{||%?FosQsrfpn' (score: 3.616359)

FeatherDuster> use column_trans

FeatherDuster> run
[*] Module execution failed, please report this issue at https://github.com/nccgroup/featherduster/issues

Currently, no unit tests exist for FeatherDuster or its modules.

It would be amazingly useful to allow people to identify common substrings in some corpus of plaintexts. We have common words in English in the frequency section of Cryptanalib already, but this is pulled from publicly available data, in contrast to our character and multigraph frequency data, which we have calculated from Charles Dickens' A Tale of Two Cities.

It should be possible to automatically recognize cribs in some provided data, and this should boil down to the Longest repeated substring problem.

The simple sub solver in cryptanalib is currently broken.

Given a series of outputs from an LCG-based PRNG, it is possible to recover the full state of the PRNG and recover past and future states. This blog post series (https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html) is a really nice explainer which uses Java.util.Random as an example.

The same technique should apply to any LCG-based PRNG. For those with known a, c, and m values such as Java.util.Random, and libc's rand (which is coincidentally also Perl's rand), the state recovery function should allow a, c, and m values to be specified to shortcut the steps where those variables are determined. The function prototypes would look something like:

def lcg_get_next_states(known_states_in_order, num_of_states=5, a='unknown', c='unknown', m='unknown')
def lcg_get_prev_states(known_states_in_order, num_of_states=5, a='unknown', c='unknown', m='unknown')

We could also have wrapper functions for specific known LCG-based PRNGs like:

def libc_rand_get_next_states(known_states_in_order, num_of_states=5):
   return lcg_get_next_states(known_states_in_order, num_of_states, a=1103515245, c=12345, m=2**31)

This was done for simplicity of coding very early in the project's lifetime. If a user provides 100 samples 100 bytes long and one sample one byte long, the output will only be the first byte for each, while 100 samples should be more than enough to successfully decrypt all of the samples with a great degree of accuracy. This is not optimal and I'm not immediately sure what the best way to handle this is.

We must truncate the longest sample to match the length of the second longest sample since we can't decrypt the end, but how do we represent that truncation to make it clear to users?

I think the solution will be to pad out the shorter ciphertexts to keep the positioning right for zipping and unzipping.

Since stream ciphertext has no identifiable characteristics [citation needed], it should be the default case in the ciphertext analysis phase. Instead, the analysis as-is will identify lots of stuff that isn't a stream cipher as a stream cipher, such as RSA pubkeys.

Should be easy enough to fix, just make the stream ciphertext reporting the "else" case.

This is just a matter of unblinding the PKCS conformant blinded message after recovery, but I haven't done it yet.

Certain bytes of plaintext are more likely to occur than others, for instance those in the ASCII range.

Let's say that we're bit flipping a character to try to get a one byte PKCS#7 padding (\x01). We'd normally start by XORing with \x01. This would only achieve valid padding if the plaintext character is a NUL, which is statistically rather unlikely. If instead, we XOR with \x21, this would produce valid padding if the plaintext character is \x20, a space, which is rather statistically likely. Given that some oracles are very slow, we can speed up our padding oracle attack dramatically by optimizing for character frequency.

I have no idea why, but as mentioned in #44 the bb98 algorithm as implemented would incorrectly identify the last bit of the message. Oddly, it also seems to have about 9 bytes of random junk at the beginning too. I've applied a hacky fix which just brute forces the correct message by waiting until the set of potential plaintexts is small enough to brute force reasonably, then does so. This provides a small performance increase, but I have no idea why this fix is necessary and as such it should be fixed properly.

Would be useful to be able to recover the state of a Mersenne Twister PRNG from its outputs.

Vaudenay's attack works on more padding schemes than just PKCS#7, we should consider implementing the attack variants for those.