Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ebryx/aes-killer
Burp Plugin to decrypt AES encrypted traffic on the fly
aes-decryption aes-encryption aes-encryption-key aes-killer burp burp-extensions burp-plugin burp-ui burpsuite burpsuite-extender burpsuite-plugin burpsuite-tools decryptor frida-script
Last synced: 11 days ago
Burp Plugin to decrypt AES encrypted traffic on the fly
- Host: GitHub
- URL: https://github.com/ebryx/aes-killer
- Owner: Ebryx
- License: mit
- Created: 2018-09-24T10:41:41.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2022-08-03T16:38:14.000Z (over 2 years ago)
- Last Synced: 2024-08-01T09:24:57.123Z (3 months ago)
- Topics: aes-decryption, aes-encryption, aes-encryption-key, aes-killer, burp, burp-extensions, burp-plugin, burp-ui, burpsuite, burpsuite-extender, burpsuite-plugin, burpsuite-tools, decryptor, frida-script
- Language: Java
- Homepage:
- Size: 207 KB
- Stars: 633
- Watchers: 25
- Forks: 119
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# AES Killer (Burpsuite Plugin)
[![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)
[![GitHub version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=gh&type=0.3&v=3.0&x2=0)](http://badge.fury.io/gh/boennemann%2Fbadges)
[![Open Source Love](https://badges.frapsoft.com/os/mit/mit.svg?v=102)](https://github.com/ellerbrock/open-source-badge/)

**Burpsuite Plugin to decrypt AES Encrypted traffic on the fly**
### Requirements
- Burpsuite

### Tested on
- Burpsuite 2021.4
- Windows 10
- Ubuntu & PopOS

### What it does
- The IProxyListener decrypts requests and encrypts responses, and an IHttpListener encrypts requests and decrypts responses.
- Burp sees the decrypted traffic, including in Repeater, Intruder and Scanner, but the client/mobile app and server see the encrypted version.

***NOTE:*** Currently supports `AES/CBC/PKCS5Padding` and `AES/ECB/PKCS5Padding` encryption/decryption.
### How it works
- Requires a **Secret Key** and **Initialize Vector**, which can be obtained by using aes-hook.js and frida-hook.py or by reversing the application (for iOS, please use Frida iOS Hook to get the AES Secret Key and IV)
- A detailed usage guide can be found at AES Killer - Usage Guide
- This article will help you in Decrypting Mobile App Traffic using AES Killer and Frida

### How to Build
```
$ git clone https://github.com/Ebryx/AES-Killer/
$ cd AES-Killer
$ ./gradlew clean build
```

## Variants
- AES_Killer for JSON request AES_Killer-JSON.java
- AES_Killer for random/alternate Parameters on different endpoints: AES_Killer-Parameters.java

***AES_Killer-Parameters.java:*** Let's say the application enforces encryption on a few parameters in the request, and these parameters change every time with respect to the endpoint/request. All you need to do is as follows:
- Add endpoints by adding `this.endpoints.add("abc");` in the `registerExtenderCallbacks` function
- Add the parameters which will be encrypted in `String[][] parameters`
- Add the rest of the parameters in `grant_type` or make a blank entry

and let the code do the magic for you.

- AES_Killer_v3.0, a generic variant for alternate parameters on different endpoints with GET and POST (JSON, Form) support: AES_Killer_v3.0.java

***AES_Killer_v3.0.java:*** This variant is generic and can deal with any type of request format, i.e. GET and POST (Form, JSON), with alternate parameters on different endpoints
- Clone the project and replace the BurpExtender.java with AES_Killer_v3.0.java code
- Modify the endpoints and parameters of each request type in order as shown below
- Update SecretKey and IV parameters and other required methods
- Build the project and you are good to go

- AES_Killer_v4.0.java for multi-level encryption on request _(Supports Form, JSON and XML formats)_
***AES_Killer_v4.0.java:*** This variant is for Multi-Level encryption where application is encrypting few request parameters with one key and later on encrypting the whole request body with another key
- Clone the project and replace the BurpExtender.java with AES_Killer_v4.0.java code
- Modify the endpoints and parameters as shown below
- Update Secret Keys and other required methods
- Build the project and add the jar file to your Extender

***NOTE:*** These variants will not work for you directly due to the nature of your requests, so they might need a little tweaking.
### How to Install
Download the jar file from Release and add it in Burpsuite

### Original Request/Response
### Getting AES Encryption Key and IV
- First set up the frida server on the iOS or Android device.
- Launch the application on the mobile device.
- Run aes-hook.js and frida-hook.py on your host machine to get the AES Encryption Key and IV as shown in this post.

### Decrypt Request and Response
- Provide SecretSpecKey under `Secret Key` field
- Provide IV under `Initialize Vector` field
- Provide Host/URL to filter request and response for encryption and decryption
- Select appropriate Request and Response options
- Press `Start AES Killer`

### AES Killer with Repeater, Intruder and Scanner
Once we start AES Killer, it takes control of Burp's `IHttpListener.processHttpMessage`, which is responsible for handling all outgoing and incoming traffic, and AES Killer does the following:
- Before sending the final request to the server, `processHttpMessage` encrypts the request
- Upon receiving a response, `processHttpMessage` decrypts the response before showing it to us

So we'll only be getting the plaintext response and can play with the plaintext request.
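The transformation the "What it does" section and the listener flow above describe, written out as an added, stand-alone example. This is not code from the AES Killer project (which is a Java Burp extension); it is in Go so it runs without Burp, using only the standard library. It implements the two transformations the plugin supports, `AES/CBC/PKCS5Padding` and `AES/ECB/PKCS5Padding`, with base64 on the wire, and `Rewrite` models the listener's round trip: decrypt the body the client sent, let the tester edit the plaintext, re-encrypt it for the server. The key, IV and JSON body are constructed sample values, not taken from any real app; the padding check deliberately refuses malformed input rather than panicking, since a proxy listener sees whatever the client sends.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

type Mode int // the two transformations the plugin supports
const (
	CBC Mode = iota // AES/CBC/PKCS5Padding, needs a 16-byte IV
	ECB             // AES/ECB/PKCS5Padding, no IV
)

// pkcs5Pad appends PKCS#5 padding so the length is a multiple of 16 (1..16 bytes of value n).
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips the padding, rejecting malformed padding instead of panicking.
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	return b[:len(b)-n], nil
}

// crypt runs AES in the chosen mode and direction over whole blocks; iv is CBC-only.
func crypt(mode Mode, key, iv, in []byte, enc bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 || (mode == CBC && len(iv) != aes.BlockSize) {
		return nil, errors.New("input must be whole blocks and CBC needs a 16-byte IV")
	}
	out := make([]byte, len(in))
	switch {
	case mode == CBC && enc:
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	case mode == CBC:
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	default: // ECB: each block on its own, so equal plaintext blocks give equal ciphertext blocks
		f := block.Decrypt
		if enc {
			f = block.Encrypt
		}
		for i := 0; i < len(in); i += aes.BlockSize {
			f(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// Encrypt returns base64(AES_mode(pkcs5(plaintext))), the shape seen in the app's bodies.
func Encrypt(mode Mode, key, iv, plaintext []byte) (string, error) {
	ct, err := crypt(mode, key, iv, pkcs5Pad(plaintext), true)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt reverses Encrypt; bad base64, length or padding come back as errors, not garbage.
func Decrypt(mode Mode, key, iv []byte, b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	pt, err := crypt(mode, key, iv, ct, false)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(pt)
}

// Rewrite is the listener's round trip: decrypt the client's body, let the tester edit the plaintext, re-encrypt.
func Rewrite(mode Mode, key, iv []byte, body string, edit func(string) string) (string, error) {
	pt, err := Decrypt(mode, key, iv, body)
	if err != nil {
		return "", fmt.Errorf("inbound body: %w", err)
	}
	return Encrypt(mode, key, iv, []byte(edit(string(pt))))
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed, not from any real app
	wire, _ := Encrypt(CBC, key, iv, []byte(`{"user":"alice"}`))     // what the client would send
	fmt.Println(Rewrite(CBC, key, iv, wire, func(s string) string { return strings.ReplaceAll(s, "alice", "bob") }))
}
```

The `Mode` switch is why the plugin's key and IV fields matter differently per mode: ECB needs no IV at all, while CBC with a wrong IV silently corrupts only the first plaintext block, so a round trip that fails the padding check on every request usually means a wrong key, and one that yields garbage only at the start of the body usually means a wrong IV.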
### Manual Encryption and Decryption
We can also manually encrypt and decrypt strings using AES Killer. Let's take an encrypted string from the request, `TYROd49FWJjYBfv02oiUzwRQgxWMWiw4W3oCqvNf8h3bnb7X0bobypFzMt797CYU`, and decrypt it using AES Killer. Similarly, we can perform the encryption too.

Download Demo App from here