Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Ebryx/AES-Killer

Burp Plugin to decrypt AES encrypted traffic on the fly
https://github.com/Ebryx/AES-Killer

aes-decryption aes-encryption aes-encryption-key aes-killer burp burp-extensions burp-plugin burp-ui burpsuite burpsuite-extender burpsuite-plugin burpsuite-tools decryptor frida-script

Last synced: 3 months ago
JSON representation

Burp Plugin to decrypt AES encrypted traffic on the fly

Awesome Lists containing this project

README 

        
# AES Killer (Burpsuite Plugin)

[![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)

[![GitHub version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=gh&type=0.3&v=3.0&x2=0)](http://badge.fury.io/gh/boennemann%2Fbadges)

[![Open Source Love](https://badges.frapsoft.com/os/mit/mit.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)



**Burpsuite Plugin to decrypt AES Encrypted traffic on the fly**






### Requirements

- Burpsuite



### Tested on

- Burpsuite 2021.4

- Windows 10 

- Ubuntu & PopOS



### What it does

- The IProxyListener decrypt requests and encrypt responses, and an IHttpListener than encrypt requests and decrypt responses. 

- Burp sees the decrypted traffic, including Repeater, Intruder and Scanner, but the client/mobile app and server see the encrypted version.



***NOTE:*** Currently support `AES/CBC/PKCS5Padding` && `AES/ECB/PKCS5Padding` encryption/decryption.



### How it works

- Require **Secret Key** and **Initialize Vector** which can be obtained by using aes-hook.js and frida-hook.py or by reversing the application (For iOS please use Frida iOS Hook to get AES Secret Key and IV)

- A detailed usage guide can be found at AES Killer - Usage Guide

- This article will help you in Decrypting Mobile App Traffic using AES Killer and Frida



### How to Build 

```

$ git clone https://github.com/Ebryx/AES-Killer/

$ cd AES-Killer

$ ./gradlew clean build

```



## Variants

- AES_Killer for JSON request AES_Killer-JSON.java

- AES_Killer for random/alternate Parameters on different endpoints AES_Killer-Parameters.java



***AES_Killer-Parameters.java:*** Let's say if application enforcing encryption on few parameters in request and these parameters will change every time with respect to  endpoint/request so all you need to do is as follow


- Add endpoints by adding this.endpoints.add("abc"); in registerExtenderCallbacks function

- Add parameters which will be encrypted in `String[][] parameters`

- Add rest of parameter in grant_type or make blank entry



and let the code do the magic for you.



- AES_Killer_v3.0 a generic variant for alternate parameters on different endpoints with GET, POST (JSON, Form) support AES_Killer_v3.0.java



***AES_Killer_v3.0.java:*** This variant is generic and can deal with any type of request format i-e GET, POST(Form, JSON) with alternate parameters on different endpoints


- Clone the project and replace the BurpExtender.java with AES_Killer_v3.0.java code

- Modify the endpoints and parameters of each request type in order as shown below

- Update SecretKey and IV parameters and other required methods

- Build the project and you are good to go







- AES_Killer_v4.0.java for multi-level encryption on request _(Support Form, JSON and XML formats)_



***AES_Killer_v4.0.java:*** This variant is for Multi-Level encryption where application is encrypting few request parameters with one key and later on encrypting the whole request body with another key


- Clone the project and replace the BurpExtender.java with AES_Killer_v4.0.java code

- Modify the endpoints and parameters as shown below

- Update Secret Keys and other required methods

- Build the project and add jar file to your extender







***NOTE:*** These variants will not work for you directly due to nature of your request so might need little tweaking.



### How to Install

Download jar file from Release and add in burpsuite






### Original Request/Response




### Getting AES Encryption Key and IV

- First setup frida server on IOS and Android device.

- Launch Application on mobile device.

- Run aes-hook.js and frida-hook.py on your host machine to get AES Encryption Key and IV as shown in this post.






### Decrypt Request and Response

- Provide SecretSpecKey under `Secret Key` field

- Provide IV under `Initialize Vector` field

- Provide Host/URL to filter request and response for encryption and decryption

- Select appropriate Request and Response options

- Press `Start AES Killer`






### AES Killer with Repeater, Intruder and Scanner

Once we start AES Killer, it takes control of Burp `IHttpListener.processHttpMessage` which is responsible for handling all outgoing and incoming traffic and AES Killer do the following



- Before sending the final request to a server, `ProcessHttpMessage` encrypt the request 

- Upon receiving a response,  `ProcessHttpMessage` decrypt the response first before showing it to us



So we'll only be getting the Plain Text Response and can play with Plain Text request.






### Manual Encryption and Decryption 

We can also manually encrypt and decrypt strings using AES Killer. Let's take an encrypted string from the request `TYROd49FWJjYBfv02oiUzwRQgxWMWiw4W3oCqvNf8h3bnb7X0bobypFzMt797CYU` and decrypt it using AES Killer. Similarly, we can perform the encryption too.






Download Demo App from here