OpenSSL Blowfish Bruteforce Attack
by Joel R. Voss aka. Javantea
Jan 20, 2006

OpenSSL Blowfish Bruteforce Attack 0.2 Source [sig]
OpenSSL Blowfish Bruteforce Attack 0.1 Source [sig]


OpenSSL is a useful tool with many uses. The openssl command is not used much by normal users, but for hackers, it is essential for encryption, generation of keys, encryption attacks, and so forth. One specific command, enc, has been used by hackers for encrypting data with various ciphers. An especially useful cipher is Blowfish.

openssl enc -bf-cbc is the command used. A simple bruteforce attack can be successful on bad passwords and good passwords. Since Blowfish takes a long time to generate keys, it is slow, but works. My code uses any known parts of the password to make the search faster. The attack requires a known file regularity to test the crack. In this case we use the tar archive filename plus nulls at the start of the tar archive. A similar known plaintext can be used on a large variety of file types (avi, zip, jpeg, png, etc).

One vulnerability in the openssl enc command is the use of the MD5 hash in creation of the key and iv. To use the SHA1 hash instead, the following switch would need to be added to the openssl enc command: "-md sha1".


OpenSSL's useful utility openssl enc -bf-cbc creates interesting files. They are always between 16 and 32 bytes longer than the original, no matter how long the original is. The first 8 bytes are "Salted__". This is a magic header for the enc utility. The next 8 bytes are the salt.

The algorithm that generates the key and the iv is this:

D_1 = MD5(password + salt)
D_2 = MD5(D_1 + password + salt)
(key, iv) = D_1 + D_2
You can see that the salt is pretty useful. So the second 8 bytes are the salt. In SSL Blowfish Wrapper, there is a description and a manual calculation of the key generation (key_derivation1.txt).

Blowfish's block size is 8, so the size is always a multiple of 8, no matter what length the cipher is.
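
The file layout and key derivation described above, as a runnable sketch (an added example, not code from bf_brute2.c or from OpenSSL). It generalizes the D_1/D_2 chain to other digests such as the "-md sha1" switch; the function names and the sample salt are made up for illustration, and the 16-byte key and 8-byte IV are the sizes OpenSSL uses for bf-cbc.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte magic header written by `openssl enc`
BF_BLOCK = 8          # Blowfish block size in bytes


def parse_salted(blob):
    """Split an `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header")
    salt, ciphertext = blob[8:16], blob[16:]
    if not ciphertext or len(ciphertext) % BF_BLOCK:
        raise ValueError("ciphertext is not a whole number of 8-byte blocks")
    return salt, ciphertext


def derive_key_iv(password, salt, md="md5", key_len=16, iv_len=8):
    """D_1 = H(password + salt), D_i = H(D_{i-1} + password + salt).

    Key and IV are cut from D_1 + D_2 + ... in that order. There is one
    hash call per digest block and no iteration count, so deriving the
    key for a candidate password costs only a couple of hash operations.
    """
    stream, block = b"", b""
    while len(stream) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        stream += block
    return stream[:key_len], stream[key_len:key_len + iv_len]


# Constructed sample: header + made-up salt + two blocks of placeholder
# ciphertext (all zero bytes, not real encrypted data).
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)

if __name__ == "__main__":
    salt, ct = parse_salted(SAMPLE)
    for md in ("md5", "sha1"):
        key, iv = derive_key_iv(b"mypass000", salt, md)
        print(md, "key", key.hex(), "iv", iv.hex())
```

With MD5 the key is exactly D_1 and the IV is the first 8 bytes of D_2; with SHA1 the digests are 20 bytes, so the IV straddles D_1 and D_2.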



bf_brute2 mypass000 2>/dev/null is a Blowfish encrypted tar archive file.
mypass000 is the first attempted password. The second will be mypass001 and so on until a match is found. The attack will only increment and will not start over. It also will not attempt longer passwords. Input from John the Ripper is a modification that would be useful. The C file bf_brute2.c is the workhorse of the attack. It runs the equivalent of:
openssl enc -bf-cbc -d -in $file -k "$password" | check_tar
check_tar returns 0 when the first bytes are alphanumeric terminated by null chars.
increment simply takes any text string as an argument and returns the next possible password. It requires plenty of improvement for better attacks.

In version 0.1, I used a shell script that actually called openssl enc, check_tar, and increment. This was extremely slow and reduced the effective speed to 3500 cracks per minute on a P4-2.4 GHz. The new program bf_brute2.c calls each part as a function and increases the speed to 11300 cracks per second, an increase by a factor of 180. Why Bash and calls are so slow is a job for another day.

A rather important memory leak was fixed between the initial release of 0.2 and the current release of 0.2. Please download again if you are in doubt.

If you are interested in developing OpenSSL Blowfish Attacks, feel free to e-mail me.


