Full Disclosure mailing list archives
Re: Cipher detection
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 8 Apr 2011 15:02:49 -0700
Here're some more examples:

dummy () example com    GGobQ2bsqd64PXVAmaDiDBg=
eummy () example com    GWobQ2bsqd64PXVAmaDiDBg=
dummy () example co     GGobQ2bsqd64PXVAmaDiDA==
dummy@example.@ex       GGobQ2bsqd64PXVAmaDBBg0=
dummy                   GGobQ2Y=
dumm                    GGobQw==
eummy                   GWobQ2Y=
eumm                    GWobQw==
example.com             GWcXQ2/AqYi6P2g=
dxample.com             GGcXQ2/AqYi6P2g=
11111 () example com    TS5HHy7sqd64PXVAmaDiDBg=
11111                   TS5HHy4=

Looks like a base64+xor, am I right? And that's enough information for me.
Yes, it is looking like a fixed key stream XORed with the plaintext. Note that this could mean they're using any number of "good" encryption algorithms (block cipher in OFB mode, stream cipher) with a fixed IV. This means the encryption is very broken, but it doesn't necessarily mean they are using some half-baked custom obfuscation technique. They could be, but be careful with your accusations.

HTH,
tim
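The fixed-keystream observation can be checked directly against the samples quoted above; this is an added example, not code from the thread. It assumes the archive's `dummy () example com` rendering stands for `dummy@example.com`, and the function names are illustrative. A consistent result shows keystream reuse only; it does not tell you which cipher produced the keystream.

```python
import base64

# Pairs from the quoted message. Assumption: "dummy () example com" in the
# archive is the address "dummy@example.com" with "@" and "." munged.
PAIRS = [
    ("dummy@example.com", "GGobQ2bsqd64PXVAmaDiDBg="),
    ("eummy@example.com", "GWobQ2bsqd64PXVAmaDiDBg="),
    ("dummy@example.co", "GGobQ2bsqd64PXVAmaDiDA=="),
    ("dummy@example.@ex", "GGobQ2bsqd64PXVAmaDBBg0="),
    ("dummy", "GGobQ2Y="),
    ("dumm", "GGobQw=="),
    ("eummy", "GWobQ2Y="),
    ("eumm", "GWobQw=="),
    ("example.com", "GWcXQ2/AqYi6P2g="),
    ("dxample.com", "GGcXQ2/AqYi6P2g="),
    ("11111@example.com", "TS5HHy7sqd64PXVAmaDiDBg="),
    ("11111", "TS5HHy4="),
]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_from(plaintext, b64_ct):
    """Known plaintext XOR ciphertext yields the keystream bytes used."""
    ct = base64.b64decode(b64_ct)
    pt = plaintext.encode("ascii")
    if len(ct) != len(pt):
        raise ValueError("length mismatch: not a byte-for-byte XOR stream")
    return xor(pt, ct)

def keystream_is_fixed(pairs):
    """True if every sample's keystream is a prefix of the longest one."""
    streams = sorted((keystream_from(p, c) for p, c in pairs), key=len)
    return all(streams[-1].startswith(s) for s in streams)

def decrypt(b64_ct, keystream):
    """Decrypt a ciphertext using a keystream recovered from another message."""
    ct = base64.b64decode(b64_ct)
    if len(ct) > len(keystream):
        raise ValueError("ciphertext longer than recovered keystream")
    return xor(ct, keystream).decode("ascii", errors="replace")

if __name__ == "__main__":
    ks = keystream_from(*PAIRS[0])
    print("same keystream in every sample:", keystream_is_fixed(PAIRS))
    print("recovered keystream:", ks.hex())
    print("other message decrypted with it:", decrypt(PAIRS[10][1], ks))
```

A scheme with a fresh IV or nonce per message would fail the `keystream_is_fixed` check, because the XOR of plaintext and ciphertext would differ from sample to sample.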