Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ebryx/aes-killer

Burp Plugin to decrypt AES encrypted traffic on the fly
https://github.com/ebryx/aes-killer

aes-decryption aes-encryption aes-encryption-key aes-killer burp burp-extensions burp-plugin burp-ui burpsuite burpsuite-extender burpsuite-plugin burpsuite-tools decryptor frida-script

Last synced: 11 days ago
JSON representation

Burp Plugin to decrypt AES encrypted traffic on the fly

Awesome Lists containing this project

README

        

# AES Killer (Burpsuite Plugin)
[![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)
[![GitHub version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=gh&type=0.3&v=3.0&x2=0)](http://badge.fury.io/gh/boennemann%2Fbadges)
[![Open Source Love](https://badges.frapsoft.com/os/mit/mit.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)

**Burpsuite Plugin to decrypt AES Encrypted traffic on the fly**

### Requirements
- Burpsuite

### Tested on
- Burpsuite 2021.4
- Windows 10
- Ubuntu & PopOS

### What it does
- The IProxyListener decrypt requests and encrypt responses, and an IHttpListener than encrypt requests and decrypt responses.
- Burp sees the decrypted traffic, including Repeater, Intruder and Scanner, but the client/mobile app and server see the encrypted version.

***NOTE:*** Currently support `AES/CBC/PKCS5Padding` && `AES/ECB/PKCS5Padding` encryption/decryption.

### How it works
- Require **Secret Key** and **Initialize Vector** which can be obtained by using aes-hook.js and frida-hook.py or by reversing the application (For iOS please use Frida iOS Hook to get AES Secret Key and IV)
- A detailed usage guide can be found at AES Killer - Usage Guide
- This article will help you in Decrypting Mobile App Traffic using AES Killer and Frida

### How to Build
```
$ git clone https://github.com/Ebryx/AES-Killer/
$ cd AES-Killer
$ ./gradlew clean build
```

## Variants
- AES_Killer for JSON request AES_Killer-JSON.java
- AES_Killer for random/alternate Parameters on different endpoints AES_Killer-Parameters.java

***AES_Killer-Parameters.java:*** Let's say if application enforcing encryption on few parameters in request and these parameters will change every time with respect to endpoint/request so all you need to do is as follow


- Add endpoints by adding this.endpoints.add("abc"); in registerExtenderCallbacks function
- Add parameters which will be encrypted in `String[][] parameters`
- Add rest of parameter in grant_type or make blank entry

and let the code do the magic for you.

- AES_Killer_v3.0 a generic variant for alternate parameters on different endpoints with GET, POST (JSON, Form) support AES_Killer_v3.0.java

***AES_Killer_v3.0.java:*** This variant is generic and can deal with any type of request format i-e GET, POST(Form, JSON) with alternate parameters on different endpoints


- Clone the project and replace the BurpExtender.java with AES_Killer_v3.0.java code
- Modify the endpoints and parameters of each request type in order as shown below
- Update SecretKey and IV parameters and other required methods
- Build the project and you are good to go

- AES_Killer_v4.0.java for multi-level encryption on request _(Support Form, JSON and XML formats)_

***AES_Killer_v4.0.java:*** This variant is for Multi-Level encryption where application is encrypting few request parameters with one key and later on encrypting the whole request body with another key


- Clone the project and replace the BurpExtender.java with AES_Killer_v4.0.java code
- Modify the endpoints and parameters as shown below
- Update Secret Keys and other required methods
- Build the project and add jar file to your extender

***NOTE:*** These variants will not work for you directly due to nature of your request so might need little tweaking.

### How to Install

Download jar file from Release and add in burpsuite

### Original Request/Response

### Getting AES Encryption Key and IV
- First setup frida server on IOS and Android device.
- Launch Application on mobile device.
- Run aes-hook.js and frida-hook.py on your host machine to get AES Encryption Key and IV as shown in this post.

### Decrypt Request and Response
- Provide SecretSpecKey under `Secret Key` field
- Provide IV under `Initialize Vector` field
- Provide Host/URL to filter request and response for encryption and decryption
- Select appropriate Request and Response options
- Press `Start AES Killer`

### AES Killer with Repeater, Intruder and Scanner
Once we start AES Killer, it takes control of Burp `IHttpListener.processHttpMessage` which is responsible for handling all outgoing and incoming traffic and AES Killer do the following

- Before sending the final request to a server, `ProcessHttpMessage` encrypt the request
- Upon receiving a response, `ProcessHttpMessage` decrypt the response first before showing it to us

So we'll only be getting the Plain Text Response and can play with Plain Text request.

### Manual Encryption and Decryption
We can also manually encrypt and decrypt strings using AES Killer. Let's take an encrypted string from the request `TYROd49FWJjYBfv02oiUzwRQgxWMWiw4W3oCqvNf8h3bnb7X0bobypFzMt797CYU` and decrypt it using AES Killer. Similarly, we can perform the encryption too.

Download Demo App from here