Crate rsacracker


§RSA Cracker


Powerful RSA cracker for CTFs. Supports RSA, X509, OPENSSH in PEM and DER formats.

RsaCracker provides a simple interface to crack RSA keys and ciphers. With a collection of thousands of attacks, no key can survive against RsaCracker!

§Installation

From crates.io:

cargo install rsacracker

Note: To build on Windows, you need to use MSYS2. This is required because of the rug dependency. See building-on-windows for more information.

§Usage

Powerful RSA cracker for CTFs. Supports RSA, X509, OPENSSH in PEM and DER formats.

Usage: rsacracker [OPTIONS]

Options:
  -r, --raw <RAW>                  Retrieve values from raw file
  -c, --cipher <CIPHER>            Cipher: the message to uncipher
  -f, --cipherfile <CIPHERFILE>    Cipher file: the file to uncipher
  -o, --outfile <OUTFILE>          Write unciphered data to a file. If many unciphered data are found, they will be written to files suffixed with _1, _2, ...
  -n <N>                           Modulus
  -e <E>                           Public exponent. Default: 65537 [default: 65537]
  -p <P>                           Prime number p
  -q <Q>                           Prime number q
  -d <D>                           Private exponent
      --phi <PHI>                  Phi or Euler's totient function of n. (p-1)(q-1)
      --dp <DP>                    dP or dmp1 CRT exponent. (d mod p-1)
      --dq <DQ>                    dQ or dmq1 CRT exponent. (d mod q-1)
      --qinv <QINV>                qInv or iqmp CRT coefficient. (q^-1 mod p)
      --pinv <PINV>                pInv or ipmq CRT coefficient. (p^-1 mod q)
      --sum-pq <SUM_PQ>            The sum of the two primes p and q
      --dlog                       Discrete logarithm attack. When c and e are swapped in the RSA encryption formula. (e^c mod n)
  -k, --key <KEY>                  Public or private key file. (RSA, X509, OPENSSH in PEM and DER formats.)
      --password <PASSWORD>        Private key password/passphrase if encrypted
      --public                     Print the public key in PEM format
      --private                    Print the private key in PEM format
      --addpassword <ADDPASSWORD>  Add a password/passphrase to the private key
      --showinputs                 Print all the input parameters
      --dump                       Print the private RSA key variables n, e, p, q and d
      --dumpext                    Print the extended RSA key variables n, e, p, q, d, dP, dQ, pInv and qInv
      --factors                    Print all factors of n
  -t, --threads <THREADS>          Number of threads to use. Default: number of CPUs [default: 12]
  -a, --attack <ATTACK>            Specify attacks to run. Default: all. (e.g. --attacks ecm,wiener,sparse)
      --exclude <EXCLUDE>          Specify attacks to exclude. Default: none. (e.g. --exclude ecm,wiener,sparse)
      --list                       List all available attacks
  -h, --help                       Print help
  -V, --version                    Print version

You can also use a dump as input:

$ rsacracker [OPTIONS] < challenge.txt
[RESULTS]
$ cat challenge.txt | rsacracker [OPTIONS]
[RESULTS]
$ cat challenge.txt
c: 7839407718[...]0577093673
n = 9359619564[...]3745124619
e= 1595235523[...]6275096193

§Examples

§Uncipher a message from a public key and write it to a file

rsacracker --key public.pem -c 0xdeadbeef -o result.txt

§Uncipher a message from n and e

rsacracker -c 0xdeadbeef -n 123...789 -e 65537

§Uncipher a message from n, e and other known values

rsacracker -c 0xdeadbeef -n 123...789 -e 65537 --phi 123 --dp 123 --dq 123 --qinv 123 --pinv 123

§Uncipher a file from a public key

rsacracker --key public.pem -f secret.txt.enc

§Run a specific attack with arguments

rsacracker --attack known_phi -n 123...789 -e 65537 --phi 0xdeadbeef

§Generate a private key from a public key

rsacracker --key public.pem --private

§Generate a public key from e and n

rsacracker -e 65537 -n 0xdeadbeef --public

§Dump private key secrets

$ rsacracker --key private.pem --dump
$ rsacracker --key private.pem --dumpext
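
How the values printed by --dumpext relate to each other, following the formulas given in the option descriptions (phi, dP, dQ, qInv, pInv). This is an added example, not code from the rsacracker crate; the function and struct names are hypothetical and the key is a constructed toy key (p = 61, q = 53, e = 17).

```rust
// Added example, not rsacracker code. Toy-sized constructed values; helper names are hypothetical.

/// Modular inverse of a mod m (extended Euclid); None when gcd(a, m) != 1.
fn mod_inv(a: i128, m: i128) -> Option<i128> {
    let (mut r0, mut r1, mut s0, mut s1) = (a.rem_euclid(m), m, 1i128, 0i128);
    while r1 != 0 {
        let q = r0 / r1;
        (r0, r1, s0, s1) = (r1, r0 - q * r1, s1, s0 - q * s1);
    }
    if r0 == 1 { Some(s0.rem_euclid(m)) } else { None }
}

/// Square-and-multiply modular exponentiation (operands must stay small enough for i128).
fn mod_pow(mut b: i128, mut e: i128, m: i128) -> i128 {
    let mut acc = 1;
    b = b.rem_euclid(m);
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    acc
}

#[derive(Debug, PartialEq)]
struct ExtKey { n: i128, phi: i128, d: i128, dp: i128, dq: i128, qinv: i128, pinv: i128 }

/// Derive every extended variable from p, q and e; None when e is not coprime to phi.
fn derive(p: i128, q: i128, e: i128) -> Option<ExtKey> {
    let phi = (p - 1) * (q - 1);
    let d = mod_inv(e, phi)?; // d = e^-1 mod phi does not exist if gcd(e, phi) != 1
    Some(ExtKey { n: p * q, phi, d, dp: d % (p - 1), dq: d % (q - 1),
                  qinv: mod_inv(q, p)?, pinv: mod_inv(p, q)? })
}

/// CRT decryption (Garner recombination) using only p, q, dP, dQ and qInv.
fn decrypt_crt(c: i128, p: i128, q: i128, k: &ExtKey) -> i128 {
    let (m1, m2) = (mod_pow(c, k.dp, p), mod_pow(c, k.dq, q));
    let h = (k.qinv * (m1 - m2)).rem_euclid(p);
    m2 + h * q
}

fn main() {
    let (p, q, e) = (61, 53, 17); // constructed toy key
    let k = derive(p, q, e).expect("e must be coprime to phi");
    let c = mod_pow(65, e, k.n); // encrypt the sample message 65
    println!("{:?} c={} plain={} crt={}", k, c, mod_pow(c, k.d, k.n), decrypt_crt(c, p, q, &k));
}
```

Because the CRT path recovers the message without ever using d, a private key file's dP, dQ and qInv fields need the same protection as d itself.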

§Remove password from a private key

rsacracker --key private.pem --password R54Cr4ck3R --private

§Add password to a private key

rsacracker --key private.pem --addpassword R54Cr4ck3R --private

§Show all factors of n

rsacracker -n 123...789 --factors

§Run discrete logarithm attack: when c and e are swapped in the RSA encryption formula (e^c mod n)

rsacracker --key public.pem -c 0xdeadbeef --dlog

§Docker

From dockerhub:

docker pull skyf0l/rsacracker
docker run -it --rm -v $PWD:/data skyf0l/rsacracker [args]

Or build it yourself:

DOCKER_BUILDKIT=1 docker build . --file Dockerfile -t rsacracker
docker run -it --rm -v $PWD:/data rsacracker [args]

§License

Licensed under either of

at your option.

§Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Structs§

ATTACKS
List of attacks
BrentAttack
Pollard rho with Brent’s optimization attack
CipollaAttack
Cipolla’s algorithm attack
ComfactCnAttack
Common factor shared in plaintext / ciphertext attack
CubeRootAttack
Cube root attack (m^e < n and small e)
CunninghamChainAttack
Factorization using primes from famous Cunningham Chains
EcmAttack
Lenstra’s ECM factorization attack
FACTORIZATION_ATTACKS
List of attacks
FactorDbAttack
Factordb attack
FactorialGcdAttack
Factorial GCD attack (try to find a common factor with Factorial (+ or - 1) numbers) E.g. 1, 1, 2, 6, 24, 120, 720, 5040, 40320, 362880, 3628800, …
Factors
Factors of a number.
FermatAttack
Fermat factorization attack
FermatGcdAttack
Fermat GCD attack (try to find a common factor with Fermat numbers) E.g. 3, 5, 17, 257, 65537, 4294967297, 18446744073709551617, …
FibonacciGcdAttack
Fibonacci GCD attack (try to find a common factor with Fibonacci numbers) E.g. 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, …
GaaAttack
Ghafar-Ariffin-Asbullah key recovery attack (lsb of p and q are known)
HartAttack
Hart factorization method attack
IntegerArg
Struct used to parse integers from different bases and formats
JacobsthalGcdAttack
Jacobsthal GCD attack (try to find a common factor with Jacobsthal numbers) E.g. 0, 1, 1, 3, 5, 11, 21, 43, 85, 171, 341, 683, 1365, 2731, 5461, …
KnownDAttack
Known phi attack
KnownFactorsAttack
Known factors attack
KnownPhiAttack
Known phi attack
KraitchikAttack
Kraitchik factorization attack
LeakedCrtCoefficientAttack
Leaked CRT coefficient attack
LeakedCrtExponentAttack
Leaked CRT exponent attack
LeakedCrtExponentsAttack
Recover modulus and primes from CRT exponents dP, dQ and qInv
LeakedPQAttack
Leaked p and/or q attack
LondahlAttack
Londahl close-prime factorization attack
LucasGcdAttack
Lucas GCD attack (try to find a common factor with Lucas numbers) E.g. 1, 3, 4, 7, 11, 18, 29, 47, 76, 123, 199, 322, 521, 843, 1364, …
MersenneGcdAttack
Mersenne GCD attack (try to find a common factor with Mersenne (+ or - 1) numbers) E.g. 3, 5, 7, 9, 15, 17, 31, 33, 63, 65, 127, 129, 255, 257, 511, 513, …
MersennePrimeAttack
Mersenne prime factorization attack
NonCoprimeExpAttack
Recover plaintext encrypted with a non-coprime exponent (d can’t be computed)
Parameters
Known parameters
PartialDAttack
Partial d leaked attack (more than half of the bits of d are known)
PollardPM1Attack
Pollard p-1 factorization attack
PollardRhoAttack
Pollard rho factorization attack
PowerAttack
Factorize n when n = p^k
PrimeModulusAttack
N is a prime modulus attack
PrimorialGcdAttack
Primorial GCD attack (try to find a common factor with Primorial (+ or - 1) numbers) E.g. 1, 3, 5, 7, 29, 31, 209, 211, 2309, 2311, …
PrivateKey
RSA private key
SEQUENCE_ATTACKS
List of attacks
SmallEAttack
Small e attack (m^e = c + k * n, with k small)
SmallPrimeAttack
Small prime attack
Solution
Attack’s result
SparseAttack
P and q differ by only a few bits
SqufofAttack
Shanks’ square forms factorization attack
SumPQAttack
Leaked sum of p and q attack (0 = x^2 - xsum + n)
TwinPrimeAttack
Twin prime factorization attack
WienerAttack
Wiener’s attack (too small d)
XYGcdAttack
XYXZ attack (p = next_prime(x^y) with x prime)

Enums§

AttackKind
Attack kind
AttackSpeed
Attack speed
Error
Attack error
KeyError
Attack error

Traits§

Attack
Abstract attack trait

Functions§

bytes_to_integer
Convert a byte vector to a rug::Integer.
integer_to_bytes
Convert a rug::Integer to a byte vector.
integer_to_string
Convert a rug::Integer to a string.
run_attacks
Run all attacks on all available CPU cores.
run_attacks_with_threads
Run all attacks on a given number of threads.
run_specific_attacks
Run specific attacks on all available CPU cores.
run_specific_attacks_with_threads
Run specific attacks on a given number of threads.
string_to_integer
Convert a string to a rug::Integer.