Openssl bruteforce attack

Hi everyone,

I am finally back. I would like to talk about the openssl encryption which currently being used almost everywhere.

During penetration testing, we sometimes get the file which encrypted using openssl but as the penetration tester we need to open it to check what is the important message reside in it.

So let get the exercise, lets encrypt a file

  1. open your console
  2. create a flat text file with name flat
  3. let encrypt it using this using opessl using this command openssl enc -aes-256-cbc -in flat -out encrypted.data -k rioasmara

    Option description
    -aes-256-cbc
    –> encryption algorithm
    -in –> the file that we want to encrypt
    -out –> the encrypted file name
    -k –> the password of the encryption

  4. ok done,now we have an encrypted file
  5. let brute force

The objective of the bruteforce is to know what is the encryption password which definde with option -k (in our sample is rioasmara)

in order to bruteforce, I use a tool to help me which you can download and install from its github https://github.com/glv2/bruteforce-salted-openssl. As usual,  to make the bruteforce effective, I will do bruteforce with provided wordlist

the command will be like bruteforce-salted-openssl -t 1 -f wordlist -c aes-256-cbc -d sha256 encrypted.data -1

Option desciption

-t 1 –> is the number of thread that we want to do the parallel test
-f –> the path to the wordlist
-caes-256-cbc –> is the encryption algorithm *Cypher*
-d sha56 –> is digest algorithm
-1 –> stop at the first known password

output

Tried passwords: 4
Tried passwords per second: inf
Last tried password: rioasmara

Password candidate: rioasmara

as the information shown above, The bruteforce tools found the password candidate which is rioasmara that we defined as the password to encrypt the file

in order to really decrypt the file you can use the openssl as shown openssl enc -d -aes-256-cbc -in encrypted.data -out decrypted -k rioasmara

OK thats all a bit tutorial on how to bruteforce the openssl encryption.

2 thoughts on “Openssl bruteforce attack

  1. Hey there! When I want to run the ./autogen.sh , it says “autoreconf: not found”.
    How am I supposed to install this?
    I am running this on a linux VM.

    Thanks in advance for help!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s