Picture the scene: you're on a penetration test and, one way or another, you've got hold of a bunch of .NET assemblies for the application you're assessing, be it a web application or a thick client. On a thick client test, getting hold of these files is fairly trivial, as they're right there in front of you. On a web application test things aren't as easy, but it is still possible, depending on permissions and so on. I won't go into how to obtain them in this blog post; instead I'll assume you're sitting there, cup of coffee in hand, looking at a bunch of .DLL files decompiled in something like dotPeek or ILSpy.

Looking at the source code of decompiled assemblies for an application you're assessing is an eye-opening experience. You'll learn the inner workings of the application, which will assist the testing, and often, as a bonus, you'll find hardcoded secrets, mostly in the form of credentials, ranging from database connection strings to domain accounts. Sometimes, though, this process makes you work a little harder for the rewards.

You may, for example, find no quick wins: no plaintext credentials, no advance to Go and collect $200. Instead, you may find something like a reference in the source code to an external configuration file, which the application reads at runtime to look up values it then uses. Imagine such a reference in the source code; we'll call the file it points at spiderconfig.xml.


Let's imagine this spiderconfig.xml file relates to a .NET web application, which uses the domain account "SPIDERSpideyAdmin" to carry out privileged functionality. The "==" padding right at the end of the password value should scream out straight away that it is likely to be base64 encoded. Decode it and profit? Not quite! Mostly unprintable bytes come back; whatever this is, it is not the password in this form.


It's also worth pointing out at this stage that the password could be the value in the config file exactly as it is, with no encoding at all, and genuinely end in the characters "==". I wouldn't rule that out completely!

Assuming that this isn't actually the password, we must go back to the assembly in question and hunt for cryptographic references. After some digging, a class called "crypto_component" turns up, with byte array fields named c_key (32 bytes) and c_iv (16 bytes), references to Rijndael, and so on. I think we're onto a winner here.


We now have the initialisation vector (IV) and the encryption key. The "Rijndael" reference tells us this is the Advanced Encryption Standard (AES), a symmetric block cipher: Rijndael with a 128-bit block, which the 16-byte IV confirms, is AES, and a 32-byte key means AES-256. It also helps to know that .NET's RijndaelManaged defaults to CBC mode with PKCS#7 padding, which is what we'll assume from here on. We now have everything we need to decrypt the password value in spiderconfig.xml; we're just missing the magical crypto stuff.

Enter Python. *a faint trumpet fanfare can be heard in the background*

We import AES from Crypto.Cipher, along with a couple of useful functions from binascii.
[1] Both the encryption key (c_key) and the IV (c_iv) are loaded into bytes objects.
We set up AES with our key and IV, configured in cipher block chaining (CBC) mode.
[2] We take the base64 encoded value from the configuration file and call "a2b_base64" from binascii on it to turn it back into binary data.
[3] We then call AES decrypt on that ciphertext (using our key and IV).


We pull the magic crypto levers and something that looks much more like a password comes back: Welcome1
(note: the \x08 bytes at the end are just PKCS#7 padding; with a 16-byte block size and an eight character password, the remaining eight bytes are each filled with the value 0x08)

Just for fun, let's turn things around and encrypt it again, validating that our key and IV work.

[4] The plaintext "Welcome1", padded back out to 16 bytes with the same eight 0x08 bytes, is passed back into AES, this time encrypting it (with our key and IV).
[5] The result is then passed into "b2a_base64" from binascii (not a2b_ like last time), which converts the binary ciphertext into a base64 encoded ASCII string, the form found in our configuration file.


The final result matches the base64 encoded value in our configuration file from the start, which confirms that the key and IV we recovered work as intended.
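The whole procedure, steps [1] to [5], as one script. This is an added example, not the script from the original post: it uses the same pycryptodome Crypto.Cipher.AES call as the post (falling back to the "cryptography" package if pycryptodome isn't installed), and the key, IV, account name and spiderconfig.xml contents below are constructed for the demonstration, not taken from any real assembly. Unlike the raw decrypt in the post it strips and validates the PKCS#7 padding, runs the FIPS-197 AES-256 test vector as a sanity check, and, per the caveat earlier, leaves alone any config value that doesn't decrypt cleanly, such as a literal password that just happens to end in "==". Note that a single 16-byte block base64-encodes to 24 characters ending in "==", exactly the tell we spotted in the config file.

```python
# Added example (not the post's own script): recover a password that a .NET
# application stored AES-CBC encrypted and base64 encoded in its config file,
# then round-trip it to confirm the key and IV. Needs pycryptodome
# (pip install pycryptodome), as the post uses, or the 'cryptography' package.
# Key, IV, account name and config below are constructed, not real values.
import base64
import xml.etree.ElementTree as ET

try:
    from Crypto.Cipher import AES as _AES  # pycryptodome / PyCrypto

    def _aes_cbc(key, iv, data, encrypt):
        cipher = _AES.new(key, _AES.MODE_CBC, iv)  # fresh object: CBC state is not reusable
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, encrypt):
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()

BLOCK = 16  # Rijndael with a 128-bit block (16-byte IV) is AES

# Constructed stand-ins for the byte arrays found in crypto_component:
# c_key is 32 bytes (so AES-256), c_iv is 16 bytes.
C_KEY = bytes(range(32))
C_IV = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def pkcs7_pad(data: bytes) -> bytes:
    """.NET RijndaelManaged pads with PKCS#7 by default: N bytes of value N."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding, refusing anything malformed (a wrong key/IV shows up here)."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key/IV, or not AES-CBC/PKCS7")
    return data[:-n]


def raw_decrypt(b64_value: str, key=C_KEY, iv=C_IV) -> bytes:
    """Steps [2]-[3]: base64 -> bytes -> AES-CBC decrypt, padding left in place."""
    return _aes_cbc(key, iv, base64.b64decode(b64_value), False)


def decrypt_config_value(b64_value: str, key=C_KEY, iv=C_IV) -> str:
    """Same, but with the padding stripped and the bytes decoded as UTF-8."""
    return pkcs7_unpad(raw_decrypt(b64_value, key, iv)).decode("utf-8")


def encrypt_config_value(plaintext: str, key=C_KEY, iv=C_IV) -> str:
    """Steps [4]-[5]: pad, AES-CBC encrypt, base64, giving the config-file form."""
    ct = _aes_cbc(key, iv, pkcs7_pad(plaintext.encode("utf-8")), True)
    return base64.b64encode(ct).decode("ascii")


def aes256_known_answer_ok() -> bool:
    """Sanity check: FIPS-197 appendix C.3 vector (key 00..1f). One block with a zero IV is plain AES."""
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = _aes_cbc(bytes(range(32)), bytes(BLOCK), pt, True)
    return ct.hex() == "8ea2b7ca516745bfeafc49904b496089"


def recover_appsettings(config_xml: str, key=C_KEY, iv=C_IV) -> dict:
    """Map each <add key=... value=...> to (value, was_decrypted).

    A value only counts as ciphertext if it base64-decodes to whole AES blocks,
    unpads cleanly and is valid UTF-8; anything else (including a literal
    password that happens to end in '==') is returned exactly as found.
    """
    found = {}
    for add in ET.fromstring(config_xml).iter("add"):
        k, v = add.get("key"), add.get("value")
        try:
            blob = base64.b64decode(v, validate=True)
            if not blob or len(blob) % BLOCK:
                raise ValueError("not a whole number of blocks")
            found[k] = (decrypt_config_value(v, key, iv), True)
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            found[k] = (v, False)
    return found


# Constructed spiderconfig.xml. The encrypted value is produced with the same
# key/IV so the example is self-contained; on a real test it comes from the file.
SPIDERCONFIG_XML = f"""<configuration>
  <appSettings>
    <add key="ServiceAccount" value="SPIDER\\SpideyAdmin" />
    <add key="ServicePassword" value="{encrypt_config_value('Welcome1')}" />
    <add key="LegacyPassword" value="Summer2019==" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    print("AES-256 self-test:", aes256_known_answer_ok())
    for name, (value, decrypted) in recover_appsettings(SPIDERCONFIG_XML).items():
        print(f"{name:16} {'decrypted' if decrypted else 'as found '} {value!r}")
```

If the decrypted bytes come back as W\x00e\x00l\x00... the application encoded the string with Encoding.Unicode (UTF-16LE) before encrypting; decode with "utf-16-le" instead of "utf-8". A wrong key or IV normally surfaces as a padding error here rather than as silent garbage, which is the check the raw decrypt above doesn't give you.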

One privileged domain account obtained. Time for a cup of tea and biscuits.
