Class: Rex::Proto::RFB::Cipher

Inherits: Object

Defined in: lib/rex/proto/rfb/cipher.rb

Overview

A bit of information about the DES algorithm was found here: www.vidarholen.net/contents/junk/vnc.html

In addition, VNC encrypts two individual 8-byte blocks with the same key rather than using a chaining block mode (such as CBC); the result is equivalent to DES in ECB mode.

Class Method Summary

Class Method Details

.decrypt(cipher, password = "\x17\x52\x6b\x06\x23\x4e\x58\x07") ⇒ Object

NOTE: The default password is the fixed key used by WinVNC and similar servers to encrypt the password(s) they store on disk or in the registry.

# File 'lib/rex/proto/rfb/cipher.rb', line 67

def self.decrypt(cipher, password = "\x17\x52\x6b\x06\x23\x4e\x58\x07")
	key = self.mangle_password(password)

	# pad the cipher text to 9 bytes: with padding enabled OpenSSL holds back
	# the trailing partial block, so update() returns exactly the first 8-byte
	# block of plaintext without final() ever being called
	cipher << ("\x00" * (9 - cipher.length)) if cipher.length < 9

	# NOTE: This only does one 8 byte block
	# 'des' is DES-CBC with an all-zero IV, which equals ECB for a single block.
	# OpenSSL::Cipher::Cipher was removed in openssl gem 3.0; use OpenSSL::Cipher.
	c = OpenSSL::Cipher.new('des')
	c.decrypt
	c.key = key
	c.update(cipher)
end

.encrypt(plain, password) ⇒ Object

# File 'lib/rex/proto/rfb/cipher.rb', line 45

def self.encrypt(plain, password)
	key = self.mangle_password(password)

	# pad the plain to 16 chars (two DES blocks)
	plain << ("\x00" * (16 - plain.length)) if plain.length < 16

	# VNC auth does two 8-byte blocks individually instead of supporting some block mode.
	# A fresh cipher object per block (zero IV) makes 'des' (DES-CBC) behave like ECB.
	cipher = ''
	2.times { |x|
		c = OpenSSL::Cipher.new('des')
		c.encrypt
		c.key = key
		cipher << c.update(plain[x*8, 8])
	}

	cipher
end

.mangle_password(password) ⇒ Object

# File 'lib/rex/proto/rfb/cipher.rb', line 35

def self.mangle_password(password)
	# truncate to 8 bytes or right-pad with NULs to 8 bytes
	key = ''
	key = password.dup if password
	key.slice!(8,key.length) if key.length > 8
	key << "\x00" * (8 - key.length) if key.length < 8

	# We have to mangle the key so the LSB are kept vs the MSB:
	# VNC feeds each key byte to DES least-significant bit first, while
	# OpenSSL expects most-significant bit first, so reverse the bits of each byte
	[key.unpack('B*').first.scan(/.{8}/).map! { |e| e.reverse }.join].pack('B*')
end
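As an added, self-contained round-trip example (not code from the Rex library), the following reimplements the key mangling and the two independent DES block encryptions described above and decrypts both blocks rather than just the first. It assumes the hypothetical names vnc_mangle_key, vnc_encrypt and vnc_decrypt, and stands in for single DES with 3DES keyed K1 = K2 = K3 (mathematically identical), because OpenSSL 3 ships single DES only in its legacy provider. The practical point for a defender: the stored-password key is public, so the on-disk value is obfuscated, not protected, and only filesystem or registry ACLs keep it private.

```ruby
require 'openssl'

# Fixed key WinVNC-family servers use for passwords stored on disk/in the
# registry (the same default the documented decrypt method uses).
VNC_STORED_KEY = "\x17\x52\x6b\x06\x23\x4e\x58\x07".b

# VNC uses each key byte LSB-first, OpenSSL MSB-first: truncate/NUL-pad to
# 8 bytes, then reverse the bit order inside every byte.
def vnc_mangle_key(password)
  key = password.to_s.b[0, 8].ljust(8, "\x00")
  bits = key.unpack1('B*').scan(/.{8}/).map(&:reverse).join
  [bits].pack('B*')
end

# One single-DES ECB block. 3DES with all three subkeys equal performs
# E(D(E(block))) under one key, which is exactly single DES.
def des_block(key8, block8, mode)
  c = OpenSSL::Cipher.new('des-ede3')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.padding = 0
  c.key = key8 * 3
  c.update(block8) + c.final
end

# VNC encrypts two 8-byte blocks independently (no chaining), exactly as
# the challenge-response authentication and the stored password do.
def vnc_encrypt(plain, password)
  key  = vnc_mangle_key(password)
  data = plain.to_s.b[0, 16].ljust(16, "\x00")
  (0...2).map { |i| des_block(key, data[i * 8, 8], :encrypt) }.join
end

# Inverse of vnc_encrypt; goes beyond the page's one-block decrypt by
# handling both blocks (a stored password only needs the first).
def vnc_decrypt(cipher, password)
  key  = vnc_mangle_key(password)
  data = cipher.to_s.b.ljust(16, "\x00")[0, 16]
  (0...2).map { |i| des_block(key, data[i * 8, 8], :decrypt) }.join
end

if __FILE__ == $0
  # constructed sample password, not a real credential
  stored = vnc_encrypt('s3cret!', VNC_STORED_KEY)
  puts "stored blob : #{stored.unpack1('H*')}"
  puts "recovered   : #{vnc_decrypt(stored, VNC_STORED_KEY).delete("\x00")}"
end
```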