OpenSSL Blowfish Bruteforce Attack
by Joel R. Voss aka. Javantea
Jan 20, 2006
OpenSSL is a useful tool with many uses. The openssl command is not used much by normal users, but for hackers it is essential for encryption, generation of keys, encryption attacks, and so forth. One specific command, enc, has been used by hackers for encrypting data with various ciphers. An especially useful cipher is Blowfish.
openssl enc -bf-cbc is the command used. A simple bruteforce
attack can be successful on bad passwords and good passwords. Since Blowfish
takes a long time to generate keys, it is slow, but works. My code uses any
known parts of the password to make the search faster. The attack requires a
known file regularity to test the crack.
In this case we use the tar archive filename plus nulls at
the start of the tar archive. A similar known plaintext can be used on a
large variety of file types (avi, zip, jpeg, png, etc).
One vulnerability in the openssl enc command is the use of the MD5 hash in creation of the key and iv. To use the SHA1 hash instead, the following switch would need to be added to the openssl enc command: "-md sha1".
OpenSSL's useful utility
openssl enc -bf-cbc creates interesting
files. They are always between 16 and 32 bytes longer than the original, no
matter how long the original is. The first 8 bytes are "Salted__". This is a
magic header for the enc utility. The next 8 bytes are the salt.
The algorithm that generates the key and the iv is this:
D_1 = MD5(password + salt)
D_2 = MD5(D_1 + password + salt)
(key, iv) = D_1 + D_2
You can see that the salt is pretty useful. So the second 8 bytes are the salt. In SSL Blowfish Wrapper, there is a description and a manual calculation of the key generation (key_derivation1.txt).
Blowfish's block size is 8, so the size is always a multiple of 8, no matter what length the cipher is.
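As an added illustration (not code from the original article or from bf_brute2.c), the following Python parses the file layout described above and reproduces the key and iv derivation, generalized to any digest so the effect of "-md sha1" can be compared. The 16-byte key and 8-byte iv lengths for bf-cbc, the function names, and the sample bytes are assumptions of this example.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte magic header written by `openssl enc`
BLOCK = 8             # Blowfish block size in bytes


def parse_enc_file(blob):
    """Split an `openssl enc` file into (salt, ciphertext), validating layout."""
    if len(blob) < 16 + BLOCK:
        raise ValueError("too short for header, salt and one cipher block")
    if blob[:8] != MAGIC:
        raise ValueError("missing Salted__ header")
    salt, ciphertext = blob[8:16], blob[16:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the block size")
    return salt, ciphertext


def derive_key_iv(password, salt, key_len=16, iv_len=8, md="md5"):
    """D_1 = H(password + salt), D_i = H(D_{i-1} + password + salt).

    key_len=16 and iv_len=8 are assumed bf-cbc defaults, not page values.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


# Constructed sample: header + fixed salt + two dummy cipher blocks.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)

if __name__ == "__main__":
    salt, ct = parse_enc_file(SAMPLE)
    key, iv = derive_key_iv(b"mypass000", salt)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    print("key: ", key.hex())
    print("iv:  ", iv.hex())
```

With MD5 the whole derivation is two digest calls per password, so the strength of the password carries the entire burden of protecting the file.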
bf_brute2 file1.tar.bf mypass000 2>/dev/null
file1.tar.bf is a Blowfish encrypted tar archive file.
mypass000 is the first attempted password. The second will be mypass001 and so on until a match is found. The attack will only increment and will not start over. It also will not attempt longer passwords. Input from John the Ripper is a modification that would be useful. The C file bf_brute2.c is the workhorse of the attack. It runs the equivalent of:
openssl enc -bf-cbc -d -in $file -k "$password" | check_tar
check_tar returns 0 when the first bytes are alphanumeric terminated by null chars.
increment simply takes any text string as an argument and returns the next possible password. It requires plenty of improvement for better attacks.
In version 0.1, I used a shell script that actually called openssl enc, check_tar, and increment. This was extremely slow and reduced the effective speed to 3500 cracks per minute on a P4-2.4 GHz. The new program bf_brute2.c calls each part as a function and increases the speed to 11300 cracks per second, an increase by a factor of 180. Why Bash and calls are so slow is a job for another day.
A rather important memory leak was fixed between the initial release of 0.2 and the current release of 0.2. Please download again if you are in doubt.