Re: "PenTest" a container file

From: Steve Friedl (steve@unixwiz.net)
Date: Thu Jan 18 2007 - 18:10:56 EST


On Thu, Jan 18, 2007 at 09:55:36AM +0100, Julien wrote:
> I've have to test the security of an encryption application. This
> application create a container file to store all private data. The
> tool use a private encryption type.
> The only hint they gave me is that user have to submit is password to
> open this container.
> The aim of this test is to open the files inside this container file.

If it's a proprietary encryption algorithm, that means it's probably a
lousy one, so the cryptographers among us might be able to get somewhere.
But that's beyond many of us here -- including me.

So we look for other angles (I'll assume Win32 here just for a point
of reference).

*) I'd start by profiling the application with FileMon and RegMon to get a
   sense for what the app is doing at runtime. Is it the usual kind of
   obvious kind of file activity, or are they attempting to be tricky?
   What files and registry keys are used?

   Finding all the resources they use might help find the weakest points.

*) does the application leave any temp files lying around? This might
   leave the cleartext visible (perhaps only for a short time)

*) does the application have a remember-my-password option? This would
   certainly be worth looking into (Hey: it would be dumb to have this
   kind of feature, but if they're doing their own crypto...)

*) I'd certainly look into finding out how they prompt for a password and
   see if that can be intercepted by some other program while it's running.
   It's probably found in some kind of window control, and may even be
   left around after it's decrypted the thing, so some other application
   running as the same user may be able to snag it.

*) If you're really determined, reverse engineer the thing with something like
   IDA Pro - looking at the code might point out some weak points too.

If the front door is strong and well locked, you're not going to get in by
pounding it with your fists. Go around back and look for a screen door :-)

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@unixwiz.net
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:32 EDT