Monday, September 28, 2015

OpenSSL Conversion, Display and Encryption Commands for Pentesters

Every time I pull out OpenSSL to perform a particular task I end up having to refer to Google or random text files on my hard drive to remind myself of the correct syntax. Consequently, I'm doing a writeup here of all of the OpenSSL commands that I make use of in various penetration tests and CTF challenges that involve encryption, mainly as a personal reference, but also in case anyone else finds this useful.

The following commands are sorted by category, and may be added to in the future if I find more commands that I find useful.

Asymmetric keyfile conversion

Conversion of asymmetric keys between various different storage formats.

DER to PEM

Convert der certificate to pem format.

openssl x509 -inform der -outform pem -in certificate.crt -out certificate.pem


PEM to DER

Convert pem certificate to der format.

openssl x509 -inform pem -outform der -in certificate.pem -out certificate.crt

PEM Key and Certificate to PKCS12

Convert private key and certificate to pkcs12 format.

openssl pkcs12 -export -out keys.p12 -inkey private.pem -in certificate.pem

Displaying data from asymmetric keyfiles

Displaying of informational data from various forms of asymmetric key files.

PKCS12 Files


Print nodes from a pkcs12 file.

openssl pkcs12 -in keys.p12 -nodes


Public Keys

 Display a variety of data from a public key.

openssl rsa -inform pem -pubin -text -noout -in publickey.pem

Display the modulus from a public key.

openssl rsa -inform pem -pubin -modulus -noout -in publickey.pem


Private Keys


Display a variety of data from a private key.

openssl rsa -inform pem -text -noout -in privatekey.pem

Display the modulus from a private key.

openssl rsa -inform pem -modulus -noout -in privatekey.pem

Certificates

 Display a variety of data from a certificate.

openssl x509 -inform pem -text -noout -in certificate.pem

Display the modulus from a certificate.

openssl x509 -inform pem -modulus -noout -in certificate.pem

Different Key Formats for Private/Public Keys and Certificates

The Public/Private/Certificate commands immediately above all make use of the pem format in the file that they read.  This can be changed to 'der' or 'net' to use an alternate format.

Encryption and decryption using asymmetric cryptography

Encryption and decryption of data using asymmetric cryptography.

Decryption


Decryption using a private key.

openssl rsautl -decrypt -in encryptedfile -out decryptedfile -inkey ./privatekey.pem

Encryption

 Encryption using a public key.

openssl rsautl -encrypt -pubin -in plaintextfile -out encryptedfile -inkey ./publickey.pem

Encryption using a certificate.

openssl rsautl -encrypt -certin -in plaintextfile -out encryptedfile -inkey ./certificate.pem


Padding Modifiers


These examples all assume a default padding type of PKCS 1.5. The following options can be used to try different types of padding, or none at all.

-pkcs, -oaep, -ssl, -raw

Encryption and decryption using symmetric cryptography

Encryption and decryption of data using asymmetric cryptography.

Encryption


Encrypt a file using AES in CBC mode with a keyfile.

openssl enc -aes-256-cbc -in ./plaintext.txt -out ./encrypted.bin -pass file:./passwordfile.bin

Decryption


Decrypt a file using AES in CBC mode with a keyfile.

openssl enc -d -aes-256-cbc -in ./encrypted.bin -out ./plaintext.txt -pass file:./passwordfile.bin

Encryption modifiers and alternate algorithms

 The following switches can be used to modify the way the encryption process occurs.

-salt adds a salt to the file 
-base64 base64 encodes/decodes depending on encryption mode

There are also a wide variety of other encryption algorithms and cipher modes that can be used, which can be listed by the following.

openssl enc -h