{"id":13539477,"url":"https://github.com/ebryx/aes-killer","last_synced_at":"2025-04-02T06:30:56.978Z","repository":{"id":47726437,"uuid":"150087691","full_name":"Ebryx/AES-Killer","owner":"Ebryx","description":"Burp Plugin to decrypt AES encrypted traffic on the fly","archived":false,"fork":false,"pushed_at":"2022-08-03T16:38:14.000Z","size":212,"stargazers_count":635,"open_issues_count":7,"forks_count":120,"subscribers_count":25,"default_branch":"master","last_synced_at":"2024-11-03T04:32:38.448Z","etag":null,"topics":["aes-decryption","aes-encryption","aes-encryption-key","aes-killer","burp","burp-extensions","burp-plugin","burp-ui","burpsuite","burpsuite-extender","burpsuite-plugin","burpsuite-tools","decryptor","frida-script"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ebryx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-09-24T10:41:41.000Z","updated_at":"2024-11-01T02:37:45.000Z","dependencies_parsed_at":"2022-09-15T19:41:48.415Z","dependency_job_id":null,"html_url":"https://github.com/Ebryx/AES-Killer","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ebryx%2FAES-Killer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ebryx%2FAES-Killer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ebryx%2FAES-Killer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ebryx%2FAES-Killer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/owners/Ebryx","download_url":"https://codeload.github.com/Ebryx/AES-Killer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767717,"owners_count":20830540,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes-decryption","aes-encryption","aes-encryption-key","aes-killer","burp","burp-extensions","burp-plugin","burp-ui","burpsuite","burpsuite-extender","burpsuite-plugin","burpsuite-tools","decryptor","frida-script"],"created_at":"2024-08-01T09:01:26.431Z","updated_at":"2025-04-02T06:30:56.626Z","avatar_url":"https://github.com/Ebryx.png","language":"Java","readme":"# AES Killer (Burpsuite Plugin)\r\n[![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)\r\n[![GitHub version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=gh\u0026type=0.3\u0026v=3.0\u0026x2=0)](http://badge.fury.io/gh/boennemann%2Fbadges)\r\n[![Open Source Love](https://badges.frapsoft.com/os/mit/mit.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)\r\n\r\n**Burpsuite Plugin to decrypt AES Encrypted traffic on the fly**\r\n\r\n\u003cimg src=\"https://i.imgur.com/LKYQMoj.png\" /\u003e\r\n\r\n### Requirements\r\n- Burpsuite\r\n\r\n### Tested on\r\n- Burpsuite 2021.4\r\n- Windows 10 \r\n- Ubuntu \u0026 PopOS\r\n\r\n### What it does\r\n- The IProxyListener decrypts requests and encrypts responses, and an IHttpListener then encrypts requests and decrypts responses. 
\r\n- Burp sees the decrypted traffic, including Repeater, Intruder and Scanner, but the client/mobile app and server see the encrypted version.\r\n\r\n***NOTE:*** Currently supports `AES/CBC/PKCS5Padding` and `AES/ECB/PKCS5Padding` encryption/decryption.\r\n\r\n### How it works\r\n- Requires the **Secret Key** and **Initialize Vector**, which can be obtained by using \u003ca href=\"https://github.com/d3vilbug/demo-example-code-snippets/blob/master/AES_Killer%20-%20Mobile%20App%20Demo/aes-hook.js\" target=\"_blank\"\u003eaes-hook.js\u003c/a\u003e and \u003ca href=\"https://github.com/d3vilbug/demo-example-code-snippets/blob/master/AES_Killer%20-%20Mobile%20App%20Demo/frida-hook.py\" target=_blank\u003efrida-hook.py\u003c/a\u003e or by reversing the application (for iOS, use \u003ca href=\"https://github.com/noobpk/frida-ios-hook\"\u003eFrida iOS Hook\u003c/a\u003e to get the AES Secret Key and IV)\r\n- A detailed usage guide can be found at \u003ca href=\"https://n00b.sh/posts/aes_killer-usage-guide/\" target=_blank\u003eAES Killer - Usage Guide\u003c/a\u003e\r\n- This article will help you in \u003ca href=\"https://n00b.sh/posts/aes-killer-mobile-app-demo/\" target=_blank\u003eDecrypting Mobile App Traffic using AES Killer and Frida\u003c/a\u003e\r\n\r\n### How to Build \r\n```\r\n$ git clone https://github.com/Ebryx/AES-Killer/\r\n$ cd AES-Killer\r\n$ ./gradlew clean build\r\n```\r\n\r\n## Variants\r\n- AES_Killer for JSON request \u003ca href=\"https://gist.github.com/d3vilbug/853d6823a015cfe20656bd24ad8dd410\" target=\"_blank\"\u003eAES_Killer-JSON.java\u003c/a\u003e\r\n- AES_Killer for random/alternate Parameters on different endpoints \u003ca href=\"https://gist.github.com/d3vilbug/391cc26b27de37e49f5e75682f65ed5b\" target=\"_blank\"\u003eAES_Killer-Parameters.java\u003c/a\u003e\r\n\r\n***AES_Killer-Parameters.java:*** Let's say the application enforces encryption on a few parameters in the request, and these parameters change every time with respect to  
the endpoint/request, so all you need to do is as follows\r\n\u003cpre\u003e\r\n- Add endpoints by adding \u003ccode\u003e\u003cbold\u003ethis.endpoints.add(\"abc\");\u003c/bold\u003e\u003c/code\u003e in the registerExtenderCallbacks function\r\n- Add the parameters which will be encrypted in `String[][] parameters`\r\n- Add the rest of the parameters in grant_type or make a blank entry\r\n\u003c/pre\u003e\r\nand let the code do the magic for you.\r\n\r\n- AES_Killer_v3.0, a generic variant for alternate parameters on different endpoints with GET, POST (JSON, Form) support \u003ca href=\"https://gist.github.com/d3vilbug/0a55139c24b183b36dd1d4e9fa2658e0\" target=\"_blank\"\u003eAES_Killer_v3.0.java\u003c/a\u003e\r\n\r\n***AES_Killer_v3.0.java:*** This variant is generic and can deal with any type of request format, i.e. GET, POST (Form, JSON), with alternate parameters on different endpoints\r\n\u003cpre\u003e\r\n- Clone the project and replace the BurpExtender.java with AES_Killer_v3.0.java code\r\n- Modify the endpoints and parameters of each request type in order as shown below\r\n- Update the SecretKey and IV parameters and other required methods\r\n- Build the project and you are good to go\r\n\u003c/pre\u003e\r\n\r\n\u003cimg src=\"https://i.imgur.com/1mpZeEg.png\" /\u003e\r\n\r\n\r\n- \u003ca href=\"https://gist.github.com/d3vilbug/0225423e124605f9eb58d439fcc50234\" target=\"_blank\"\u003eAES_Killer_v4.0.java\u003c/a\u003e for multi-level encryption on request _(Support Form, JSON and XML formats)_\r\n\r\n***AES_Killer_v4.0.java:*** This variant is for multi-level encryption, where the application encrypts a few request parameters with one key and later encrypts the whole request body with another key\r\n\u003cpre\u003e\r\n- Clone the project and replace the BurpExtender.java with AES_Killer_v4.0.java code\r\n- Modify the endpoints and parameters as shown below\r\n- Update the Secret Keys and other required methods\r\n- Build the project and add the jar file to your 
extender\r\n\u003c/pre\u003e\r\n\r\n\u003cimg src=\"https://i.imgur.com/JVDhKLX.png\" /\u003e\r\n\r\n***NOTE:*** These variants will not work for you directly due to the nature of your request, so they might need a little tweaking.\r\n\r\n### How to Install\r\n\u003cpre\u003eDownload the jar file from \u003ca href=\"https://github.com/Ebryx/AES-Killer/releases/download/3.0/AES_Killer.jar\" target=\"_blank\"\u003eRelease\u003c/a\u003e and add it in Burpsuite\u003c/pre\u003e\r\n\r\n\u003cimg src=\"https://i.imgur.com/6DS04gb.gif\" /\u003e\r\n\r\n### Original Request/Response\r\n\u003cimg src=\"https://i.imgur.com/pr8uLv8.gif\" /\u003e\r\n\r\n### Getting AES Encryption Key and IV\r\n- First set up the Frida server on an \u003ca href=\"https://www.frida.re/docs/ios/\" target=\"_blank\"\u003eiOS\u003c/a\u003e or \u003ca href=\"https://www.frida.re/docs/android/\" target=\"_blank\"\u003eAndroid\u003c/a\u003e device.\r\n- Launch the application on the mobile device.\r\n- Run \u003ca href=\"https://github.com/d3vilbug/demo-example-code-snippets/blob/master/AES_Killer%20-%20Mobile%20App%20Demo/aes-hook.js\" target=\"_blank\"\u003eaes-hook.js\u003c/a\u003e and \u003ca href=\"https://github.com/d3vilbug/demo-example-code-snippets/blob/master/AES_Killer%20-%20Mobile%20App%20Demo/frida-hook.py\" target=_blank\u003efrida-hook.py\u003c/a\u003e on your host machine to get the AES Encryption Key and IV as shown in \u003ca href=\"https://n00b.sh/posts/aes-killer-mobile-app-demo/\" target=_blank\u003ethis post\u003c/a\u003e.\r\n\r\n\u003cimg src=\"https://i.imgur.com/Bwi17Bb.gif\" /\u003e\r\n\r\n### Decrypt Request and Response\r\n- Provide the SecretSpecKey under the `Secret Key` field\r\n- Provide the IV under the `Initialize Vector` field\r\n- Provide the Host/URL to filter requests and responses for encryption and decryption\r\n- Select the appropriate Request and Response options\r\n- Press `Start AES Killer`\r\n\r\n\u003cimg src=\"https://i.imgur.com/JfrH65u.gif\" /\u003e\r\n\r\n\r\n### AES Killer with Repeater, Intruder and Scanner\r\nOnce 
we start AES Killer, it takes control of Burp's `IHttpListener.processHttpMessage`, which is responsible for handling all outgoing and incoming traffic, and AES Killer does the following\r\n\r\n- Before sending the final request to a server, `processHttpMessage` encrypts the request \r\n- Upon receiving a response, `processHttpMessage` decrypts the response before showing it to us\r\n\r\nSo we'll only be getting the plain-text response and can play with the plain-text request.\r\n\r\n\u003cimg src=\"https://i.imgur.com/MVhBHcS.gif\"\u003e\r\n\r\n\r\n\r\n### Manual Encryption and Decryption \r\nWe can also manually encrypt and decrypt strings using AES Killer. Let's take an encrypted string from the request `TYROd49FWJjYBfv02oiUzwRQgxWMWiw4W3oCqvNf8h3bnb7X0bobypFzMt797CYU` and decrypt it using AES Killer. Similarly, we can perform the encryption too.\r\n\r\n\u003cimg src=\"https://i.imgur.com/rjWDACt.gif\"\u003e\r\n\r\n\r\n\u003cpre\u003eDownload the demo app from \u003ca href=\"https://github.com/11x256/frida-android-examples/blob/master/examples/5/app-release.apk\" target=\"_blank\"\u003ehere\u003c/a\u003e\u003c/pre\u003e\r\n","funding_links":[],"categories":["\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"5b761419863bc686be12c76451f49532\"\u003e\u003c/a\u003e新添加"],"sub_categories":["\u003ca id=\"39e9a0fe929fffe5721f7d7bb2dae547\"\u003e\u003c/a\u003eBurp","\u003ca id=\"285c52a4e04dd2f86646c8e1235c9332\"\u003e\u003c/a\u003e工具"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Febryx%2Faes-killer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Febryx%2Faes-killer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Febryx%2Faes-killer/lists"}