Cryptography and the Penetration Tester
Julius Caesar is known to have used encryption – a method known today as Caesar's cipher. You might think the cipher of one of history's best-known military generals would be a fine example of security, but the method – a simple alphabet shift substitution cipher – is probably the easiest kind of code to break: there are only 25 possible shifts to try. It's said that it was considered secure in his time because most of the people who might intercept his messages couldn't read. That is a fun tidbit of history, but bear in mind that cryptography has come a very long way since then, and your pen testing clients will not be using Caesar's cipher.
Cryptography is a funny topic in penetration testing: it's such a fundamental part of the entire science of information security, but also often neglected in security testing. We already toyed around with communications that are meant to be protected with encryption when we demonstrated SSL stripping attacks; however, this wasn't an attack on encryption. In fact, we were actively avoiding the task of attacking encryption by finding ways to trick an application into sending plaintext data. In this chapter, we're going to take a look at a few examples of direct attacks against cryptographic implementations. We will cover the following:
- Bit-flipping attacks against encryption in cipher block chaining (CBC) mode
- Sneaking in malicious requests by calculating a hash that will pass verification; we'll see how cryptographic padding helps us
- Padding oracle attack; as the name suggests, we continue to look at the padding concept
- How to install a powerful web server stack
- Installation of two deliberately vulnerable web applications for testing in your home lab