Keyfinder – A Tool For Finding And Analyzing Private (And Public) Key Files, Including Support For Android APK Files


CERT Keyfinder is a utility for locating and analyzing key files on a filesystem, as well as key files contained inside Android APK files. CERT Keyfinder development was sponsored by the United States Department of Homeland Security (DHS). Installation requirements:

  1. Python (3.x recommended)
    • androguard
    • python-magic
    • PyOpenSSL
  2. apktool
  3. grep
  4. OpenSSL
  5. Java


Installation

  1. Obtain the Keyfinder code. This can be done by performing a git clone of the Keyfinder repository, or by downloading a zip file of the repository.
  2. Install Python dependencies:
     $ pip3 install androguard python-magic PyOpenSSL
     On Windows platforms, use the python-magic-bin package instead of python-magic. This will provide the DLL required to analyze file magic.

Keyfinder Usage

$ python3 keyfinder.py
usage: A tool for analyzing key files, with Android APK support
       [-h] [-e EXTRACT_APK] [-u] [-k CHECK_KEYFILE] [-p PASSWORD] [-v] [-d]
       [apkpath]

positional arguments:
  apkpath               APK file or directory

optional arguments:
  -h, --help            show this help message and exit
  -e EXTRACT_APK, --extract EXTRACT_APK
                        Extract specified APK using apktool
  -u, --checkused       Check if the key file is referenced by the app (slow)
  -k CHECK_KEYFILE, --key CHECK_KEYFILE
                        Key file or directory
  -p PASSWORD, --password PASSWORD
                        Specify password
  -v, --verbose         Verbose output
  -d, --debug           Debug output

Key Parsing
CERT Keyfinder can be used to scan the files on your system. By default it reports only private and/or password-protected key files.

Simple Example
For example, running Keyfinder on the ~ directory of a CERT Tapioca system:

$ python keyfinder.py -k ~/tapioca
keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.p12
type: pkcs12
protected: True

=====================

keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca.pem
private: True
protected: False
iskey: True
iscert: True
encoding: pem
type: pkcs8
certhash: 902073e933d0bf9b3da49a3a120d0adecdf031960f87576947bdc3157cd62d8e
keyhash: 3aae8d85450bae20aaf360d046bc0d90b2998800b3a7356f0742ef6a8824e423

=====================

The above command line will look at every file in the specified directory, determine whether it is a possible key file by using the file extension and file magic, and finally display brief details for any file that is determined to be a private and/or password-protected key file.
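The extension-and-magic triage that the paragraph above describes, as an added example in Python. This is not Keyfinder's own code; the extension list, the type labels, the "protected" heuristics and the sample files are assumptions of the example (the sample bodies are placeholders, not key material).

```python
"""Added example, not Keyfinder's own code: extension-and-magic triage that
produces the kind of fields Keyfinder prints. The heuristics, the type labels
and the sample files are this example's own."""
import os
import re

KEY_EXTENSIONS = {".pem", ".key", ".p12", ".pfx", ".jks", ".bks", ".der",
                  ".cer", ".crt", ".p8", ".pk8", ".ppk"}
PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def triage(name, data):
    """Classify one file by extension and magic.
    Returns None when it is not a plausible key/cert file, else a dict."""
    ext = os.path.splitext(name)[1].lower()
    m = PEM_LABEL.search(data[:4096])
    if m is None and ext not in KEY_EXTENSIONS:
        return None                                   # cheap gate before any parsing
    info = dict(keyfile=name, private=False, protected=False,
                iskey=False, iscert=False, encoding=None, type=None)
    if m:                                             # textual PEM: the label says what it is
        label = m.group(1).decode()
        info["encoding"] = "pem"
        if label.endswith("PRIVATE KEY"):
            kind = label[:-len("PRIVATE KEY")].strip()   # "", ENCRYPTED, RSA, EC, OPENSSH, ...
            info.update(iskey=True, private=True,
                        type="pkcs8" if kind in ("", "ENCRYPTED") else kind.lower())
            # PKCS#8 signals encryption in the label; the traditional OpenSSL format
            # uses a Proc-Type header. (OpenSSH keys flag it inside the blob, which
            # this example does not parse.)
            info["protected"] = kind == "ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in data
        elif label == "PUBLIC KEY":
            info.update(iskey=True, type="spki")
        elif label == "CERTIFICATE":
            info.update(iscert=True, type="certificate")
        else:
            info["type"] = label.lower()               # e.g. "dh parameters"
        return info
    if data.startswith(b"\xfe\xed\xfe\xed"):           # Sun JKS magic (0xFEEDFEED)
        # the store password is always needed for the integrity check; private
        # key entries inside are encrypted separately
        info.update(iskey=True, protected=True, encoding="jks", type="jks")
    elif data[:1] == b"\x30":                          # DER SEQUENCE: PKCS#12, DER cert, DER key
        info["encoding"] = "der"
        if ext in (".p12", ".pfx"):
            info.update(type="pkcs12", protected=True)  # assumption: PKCS#12 bundles are passworded
        elif ext in (".cer", ".crt", ".der"):
            info.update(iscert=True, type="certificate")
        else:
            info["type"] = "der"                       # needs ASN.1 parsing to say more
    else:
        return None                                    # extension matched but content did not
    return info


def scan_files(files, only_private_or_protected=True):
    """files: {path: bytes}. Mirrors Keyfinder's default of reporting only
    private and/or password-protected key files."""
    hits = [triage(name, data) for name, data in sorted(files.items())]
    return [h for h in hits
            if h and (not only_private_or_protected or h["private"] or h["protected"])]


def scan_dir(root, only_private_or_protected=True):
    """Filesystem front end: read the head of every file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for fn in names:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                files[path] = f.read(65536)           # enough for labels and magic
    return scan_files(files, only_private_or_protected)


# constructed sample tree (bodies are placeholders, not real key material)
SAMPLE_FILES = {
    "home/app/.mitmproxy/mitmproxy-ca.pem": b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\n-----END PRIVATE KEY-----\n",
    "home/app/.mitmproxy/mitmproxy-ca-cert.pem": b"-----BEGIN CERTIFICATE-----\nMIIC9jCCAd6g\n-----END CERTIFICATE-----\n",
    "home/app/.mitmproxy/mitmproxy-dhparam.pem": b"-----BEGIN DH PARAMETERS-----\nMIIBCAKCAQEA\n-----END DH PARAMETERS-----\n",
    "home/app/.mitmproxy/mitmproxy-ca-cert.p12": b"\x30\x82\x0b\xed\x02\x01\x03",
    "home/app/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,5C\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "home/app/release.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01",
    "home/app/README.txt": b"nothing to see here\n",
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(hit)
```

Keyfinder's own labels differ (it prints pkcs5 for traditional OpenSSL keys and pkcs8 for the newer format); what carries over is the shape of the check: a cheap gate on extension or PEM label, then only enough content inspection to decide private/protected, with full parsing deferred to the files that pass.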

Verbose Output
If we wish to get more details, we can run the same command line, but with the verbose -v flag:

$ python keyfinder.py -k ~/tapioca -v
keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.cer
x509text: 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15259797775478 (0xde0f2d36476)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mitmproxy, O=mitmproxy
        Validity
            Not Before: May  8 19:16:17 2018 GMT
            Not After : May  9 19:16:17 2021 GMT
        Subject: CN=mitmproxy, O=mitmproxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:91:be:f6:cc:62:5f:fd:af:9e:48:1e:b9:c5:
                    59:ca:36:f0:02:a7:e5:62:48:5c:26:1b:78:c1:3a:
                    74:02:0f:af:85:74:0c:d7:24:5f:85:4c:ce:e0:9b:
                    2f:3f:0a:85:ba:8f:36:3e:bc:4b:3b:3c:13:d8:8f:
                    b9:46:38:42:69:9c:b2:7e:51:fa:cc:ab:fc:57:95:
                    49:89:45:5c:a2:17:b9:6c:fc:a3:f6:0c:df:50:9e:
                    36:28:71:1e:43:d2:e7:13:0a:ec:25:e1:5d:27:a5:
                    69:5d:48:75:f2:4c:44:3f:b6:cd:33:a2:db:49:d3:
                    97:4d:4f:2c:60:ac:a0:4f:4a:96:19:52:d9:4d:b9:
                    ce:70:49:e6:2d:eb:99:c6:cb:45:8c:5b:df:79:0a:
                    10:53:44:ac:c2:a3:6c:fd:7d:a3:04:93:73:5e:2e:
                    d2:d9:b9:c9:f2:5d:ad:a0:68:6e:b9:43:31:2e:2b:
                    31:b5:8d:2b:09:04:7b:63:1e:79:5a:0b:cc:02:16:
                    7e:6c:7e:0b:04:d0:07:d6:3b:f9:6d:f8:80:e4:b5:
                    e2:36:73:ee:c2:6a:a2:b3:ad:20:ac:42:00:24:61:
                    ad:ff:ed:8d:3d:e7:9f:36:ed:51:a1:91:cf:13:60:
                    b4:40:1c:e4:82:29:4e:d5:05:43:36:2d:04:b2:37:
                    c5:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type: 
                SSL CA
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                18:85:41:4C:5B:CD:3F:32:0B:BE:12:F2:C8:6E:98:78:6E:B6:EA:33
    Signature Algorithm: sha256WithRSAEncryption
         9a:84:35:8c:50:81:ae:53:46:cd:25:31:24:22:3a:25:a3:b0:
         c9:bd:68:d9:7f:06:3c:88:cd:23:0e:24:00:06:55:c6:91:0f:
         81:a9:b6:1d:3d:01:58:54:8b:bc:e6:38:f3:0b:1d:fb:6c:d8:
         67:46:d4:0e:cc:5c:ff:17:a4:e6:d0:95:e7:8c:c3:95:4c:80:
         40:51:5b:b7:32:65:2d:50:25:26:0b:4a:d4:9d:35:59:f0:d9:
         cc:1e:2b:54:47:24:02:64:6d:f3:01:85:02:c8:4e:7d:02:13:
         30:0c:92:c8:7c:48:2a:c6:dd:64:54:5f:8e:65:ce:c6:91:27:
         61:e9:c6:51:25:f2:f4:f7:33:7e:48:c5:0e:a1:c1:86:83:6a:
         5a:84:b7:3d:73:28:0b:0c:5a:98:eb:64:1f:a8:72:fd:ca:71:
         3c:e7:37:b4:ff:94:ce:15:3d:d5:f4:e0:18:75:41:3c:f9:63:
         01:6e:de:73:73:1e:bf:e2:02:d7:47:a6:4a:9e:70:2d:ce:06:
         c4:a9:e5:a5:3b:b9:5f:d8:b6:9d:33:58:fc:38:ce:fb:80:0b:
         ad:5d:6f:56:62:ca:81:d1:27:36:5e:6f:03:7b:2b:75:29:bd:
         85:d3:cd:11:a3:32:b7:72:09:d2:87:10:cd:fd:4b:bb:88:28:
         ce:15:3e:d2
SHA256 Fingerprint=90:20:73:E9:33:D0:BF:9B:3D:A4:9A:3A:12:0D:0A:DE:CD:F0:31:96:0F:87:57:69:47:BD:C3:15:7C:D6:2D:8E
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

private: False
protected: False
type: certificate

=====================

keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-dhparam.pem
private: False
type: DH

=====================

keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.p12
type: pkcs12
protected: True

=====================

keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca.pem
private: True
protected: False
iskey: True
iscert: True
encoding: pem
type: pkcs8
certhash: 902073e933d0bf9b3da49a3a120d0adecdf031960f87576947bdc3157cd62d8e
x509text: 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15259797775478 (0xde0f2d36476)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mitmproxy, O=mitmproxy
        Validity
            Not Before: May  8 19:16:17 2018 GMT
            Not After : May  9 19:16:17 2021 GMT
        Subject: CN=mitmproxy, O=mitmproxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:91:be:f6:cc:62:5f:fd:af:9e:48:1e:b9:c5:
                    59:ca:36:f0:02:a7:e5:62:48:5c:26:1b:78:c1:3a:
                    74:02:0f:af:85:74:0c:d7:24:5f:85:4c:ce:e0:9b:
                    2f:3f:0a:85:ba:8f:36:3e:bc:4b:3b:3c:13:d8:8f:
                    b9:46:38:42:69:9c:b2:7e:51:fa:cc:ab:fc:57:95:
                    49:89:45:5c:a2:17:b9:6c:fc:a3:f6:0c:df:50:9e:
                    36:28:71:1e:43:d2:e7:13:0a:ec:25:e1:5d:27:a5:
                    69:5d:48:75:f2:4c:44:3f:b6:cd:33:a2:db:49:d3:
                    97:4d:4f:2c:60:ac:a0:4f:4a:96:19:52:d9:4d:b9:
                    ce:70:49:e6:2d:eb:99:c6:cb:45:8c:5b:df:79:0a:
                    10:53:44:ac:c2:a3:6c:fd:7d:a3:04:93:73:5e:2e:
                    d2:d9:b9:c9:f2:5d:ad:a0:68:6e:b9:43:31:2e:2b:
                    31:b5:8d:2b:09:04:7b:63:1e:79:5a:0b:cc:02:16:
                    7e:6c:7e:0b:04:d0:07:d6:3b:f9:6d:f8:80:e4:b5:
                    e2:36:73:ee:c2:6a:a2:b3:ad:20:ac:42:00:24:61:
                    ad:ff:ed:8d:3d:e7:9f:36:ed:51:a1:91:cf:13:60:
                    b4:40:1c:e4:82:29:4e:d5:05:43:36:2d:04:b2:37:
                    c5:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type: 
                SSL CA
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                18:85:41:4C:5B:CD:3F:32:0B:BE:12:F2:C8:6E:98:78:6E:B6:EA:33
    Signature Algorithm: sha256WithRSAEncryption
         9a:84:35:8c:50:81:ae:53:46:cd:25:31:24:22:3a:25:a3:b0:
         c9:bd:68:d9:7f:06:3c:88:cd:23:0e:24:00:06:55:c6:91:0f:
         81:a9:b6:1d:3d:01:58:54:8b:bc:e6:38:f3:0b:1d:fb:6c:d8:
         67:46:d4:0e:cc:5c:ff:17:a4:e6:d0:95:e7:8c:c3:95:4c:80:
         40:51:5b:b7:32:65:2d:50:25:26:0b:4a:d4:9d:35:59:f0:d9:
         cc:1e:2b:54:47:24:02:64:6d:f3:01:85:02:c8:4e:7d:02:13:
         30:0c:92:c8:7c:48:2a:c6:dd:64:54:5f:8e:65:ce:c6:91:27:
         61:e9:c6:51:25:f2:f4:f7:33:7e:48:c5:0e:a1:c1:86:83:6a:
         5a:84:b7:3d:73:28:0b:0c:5a:98:eb:64:1f:a8:72:fd:ca:71:
         3c:e7:37:b4:ff:94:ce:15:3d:d5:f4:e0:18:75:41:3c:f9:63:
         01:6e:de:73:73:1e:bf:e2:02:d7:47:a6:4a:9e:70:2d:ce:06:
         c4:a9:e5:a5:3b:b9:5f:d8:b6:9d:33:58:fc:38:ce:fb:80:0b:
         ad:5d:6f:56:62:ca:81:d1:27:36:5e:6f:03:7b:2b:75:29:bd:
         85:d3:cd:11:a3:32:b7:72:09:d2:87:10:cd:fd:4b:bb:88:28:
         ce:15:3e:d2
SHA256 Fingerprint=90:20:73:E9:33:D0:BF:9B:3D:A4:9A:3A:12:0D:0A:DE:CD:F0:31:96:0F:87:57:69:47:BD:C3:15:7C:D6:2D:8E
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

keyhash: 3aae8d85450bae20aaf360d046bc0d90b2998800b3a7356f0742ef6a8824e423

=====================

keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.pem
x509text: 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15259797775478 (0xde0f2d36476)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mitmproxy, O=mitmproxy
        Validity
            Not Before: May  8 19:16:17 2018 GMT
            Not After : May  9 19:16:17 2021 GMT
        Subject: CN=mitmproxy, O=mitmproxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:91:be:f6:cc:62:5f:fd:af:9e:48:1e:b9:c5:
                    59:ca:36:f0:02:a7:e5:62:48:5c:26:1b:78:c1:3a:
                    74:02:0f:af:85:74:0c:d7:24:5f:85:4c:ce:e0:9b:
                    2f:3f:0a:85:ba:8f:36:3e:bc:4b:3b:3c:13:d8:8f:
                    b9:46:38:42:69:9c:b2:7e:51:fa:cc:ab:fc:57:95:
                    49:89:45:5c:a2:17:b9:6c:fc:a3:f6:0c:df:50:9e:
                    36:28:71:1e:43:d2:e7:13:0a:ec:25:e1:5d:27:a5:
                    69:5d:48:75:f2:4c:44:3f:b6:cd:33:a2:db:49:d3:
                    97:4d:4f:2c:60:ac:a0:4f:4a:96:19:52:d9:4d:b9:
                    ce:70:49:e6:2d:eb:99:c6:cb:45:8c:5b:df:79:0a:
                    10:53:44:ac:c2:a3:6c:fd:7d:a3:04:93:73:5e:2e:
                    d2:d9:b9:c9:f2:5d:ad:a0:68:6e:b9:43:31:2e:2b:
                    31:b5:8d:2b:09:04:7b:63:1e:79:5a:0b:cc:02:16:
                    7e:6c:7e:0b:04:d0:07:d6:3b:f9:6d:f8:80:e4:b5:
                    e2:36:73:ee:c2:6a:a2:b3:ad:20:ac:42:00:24:61:
                    ad:ff:ed:8d:3d:e7:9f:36:ed:51:a1:91:cf:13:60:
                    b4:40:1c:e4:82:29:4e:d5:05:43:36:2d:04:b2:37:
                    c5:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type: 
                SSL CA
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                18:85:41:4C:5B:CD:3F:32:0B:BE:12:F2:C8:6E:98:78:6E:B6:EA:33
    Signature Algorithm: sha256WithRSAEncryption
         9a:84:35:8c:50:81:ae:53:46:cd:25:31:24:22:3a:25:a3:b0:
         c9:bd:68:d9:7f:06:3c:88:cd:23:0e:24:00:06:55:c6:91:0f:
         81:a9:b6:1d:3d:01:58:54:8b:bc:e6:38:f3:0b:1d:fb:6c:d8:
         67:46:d4:0e:cc:5c:ff:17:a4:e6:d0:95:e7:8c:c3:95:4c:80:
         40:51:5b:b7:32:65:2d:50:25:26:0b:4a:d4:9d:35:59:f0:d9:
         cc:1e:2b:54:47:24:02:64:6d:f3:01:85:02:c8:4e:7d:02:13:
         30:0c:92:c8:7c:48:2a:c6:dd:64:54:5f:8e:65:ce:c6:91:27:
         61:e9:c6:51:25:f2:f4:f7:33:7e:48:c5:0e:a1:c1:86:83:6a:
         5a:84:b7:3d:73:28:0b:0c:5a:98:eb:64:1f:a8:72:fd:ca:71:
         3c:e7:37:b4:ff:94:ce:15:3d:d5:f4:e0:18:75:41:3c:f9:63:
         01:6e:de:73:73:1e:bf:e2:02:d7:47:a6:4a:9e:70:2d:ce:06:
         c4:a9:e5:a5:3b:b9:5f:d8:b6:9d:33:58:fc:38:ce:fb:80:0b:
         ad:5d:6f:56:62:ca:81:d1:27:36:5e:6f:03:7b:2b:75:29:bd:
         85:d3:cd:11:a3:32:b7:72:09:d2:87:10:cd:fd:4b:bb:88:28:
         ce:15:3e:d2
SHA256 Fingerprint=90:20:73:E9:33:D0:BF:9B:3D:A4:9A:3A:12:0D:0A:DE:CD:F0:31:96:0F:87:57:69:47:BD:C3:15:7C:D6:2D:8E
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

private: False
protected: False
type: certificate

=====================

Here we can see public keys and X509 text output for certificates as well.

APK Parsing
CERT Keyfinder started its life as part of the framework used to perform my experiment to find private keys in Android apps. As such, Keyfinder includes the ability to parse Android application APK files.

Simple APK Example

$ python3 keyfinder.py com.shopgate.android.app21760.apk
Reached a NAMESPACE_END without having the namespace stored before? Prefix ID: 24, URI ID: 25
testapks/com.shopgate.android.app21760.apk distributes its signing key as: res/raw/keystore.jks
testapks/com.shopgate.android.app21760.apk includes private,protected key:  res/raw/keystore.jks (Java KeyStore)
testapks/com.shopgate.android.app21760.apk includes protected key:  res/raw/shopgate_bks_neu.bks (BouncyCastle Keystore V1)
$

Here we can see that the application in question includes a Java KeyStore file that is password-protected, and also that it includes a private key. Even though the Java KeyStore is protected with a password, the KeyStore file does not hide what its contents are: the store password only protects an integrity digest, while the entry aliases, types and certificates are stored in the clear. Keyfinder leverages this weakness to change the KeyStore password and then parse the contents using the native Java keytool utility. Also of interest in this case is the fact that the keystore res/raw/keystore.jks contains the private key used to sign the Android application itself. Google indicates that managing your key and keeping it secure are very important, both for you and for your users, but in this case the application creator has distributed it to the public!
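To make that weakness concrete, here is an added example in Python (not Keyfinder's own code, which delegates to keytool): it lists the entries of a JKS file with no password at all, and re-keys the store's integrity digest so that keytool will accept a password of our choosing. The keystore bytes are constructed in memory with placeholder bytes where the encrypted key and the certificates would be; the JKS layout and the "Mighty Aphrodite" digest salt are those of the Sun JKS implementation.

```python
"""Added example (not Keyfinder's own code): reading the entry list of a
Java KeyStore (JKS) without its password, and re-keying its integrity digest.

JKS encrypts each private key with the entry's password, but the entry tags,
aliases, timestamps and certificate chains are stored in the clear; the only
thing the store password protects is a SHA-1 integrity digest over the file,
computed as SHA1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
INTEGRITY_SALT = b"Mighty Aphrodite"   # literal string used by Sun's JKS implementation
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2


def _utf(s):           # Java DataOutputStream.writeUTF: 2-byte length + UTF-8
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(buf, off):
    n, = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def integrity_digest(password, body):
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def parse_jks(data):
    """Return (entries, body, stored_digest) without needing any password."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    off, entries = 12, []
    for _ in range(count):
        tag, = struct.unpack_from(">I", data, off); off += 4
        alias, off = _read_utf(data, off)
        ts, = struct.unpack_from(">Q", data, off); off += 8
        if tag == PRIVATE_KEY_TAG:
            klen, = struct.unpack_from(">I", data, off); off += 4 + klen   # skip encrypted key blob
            nchain, = struct.unpack_from(">I", data, off); off += 4
            certs = []
            for _ in range(nchain):
                _ctype, off = _read_utf(data, off)                 # "X.509"
                clen, = struct.unpack_from(">I", data, off); off += 4
                certs.append(data[off:off + clen]); off += clen
            entries.append({"alias": alias, "kind": "PrivateKeyEntry", "timestamp": ts,
                            "encrypted_key_len": klen,
                            "cert_sha256": hashlib.sha256(certs[0]).hexdigest() if certs else None})
        elif tag == TRUSTED_CERT_TAG:
            _ctype, off = _read_utf(data, off)
            clen, = struct.unpack_from(">I", data, off); off += 4
            cert = data[off:off + clen]; off += clen
            entries.append({"alias": alias, "kind": "trustedCertEntry", "timestamp": ts,
                            "cert_sha256": hashlib.sha256(cert).hexdigest()})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries, data[:off], data[off:off + 20]


def check_store_password(data, password):
    _, body, digest = parse_jks(data)
    return hmac.compare_digest(integrity_digest(password, body), digest)


def reset_store_password(data, new_password):
    """Re-key the integrity digest so that `keytool -list` accepts new_password.
    No existing password is needed; the entries are untouched."""
    _, body, _ = parse_jks(data)
    return body + integrity_digest(new_password, body)


def build_sample_jks(password, entries):
    """Constructed sample: serialise entries in JKS v2 layout."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for e in entries:
        if "encrypted_key" in e:
            body += struct.pack(">I", PRIVATE_KEY_TAG) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp"])
            body += struct.pack(">I", len(e["encrypted_key"])) + e["encrypted_key"]
            body += struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp"])
            body += _utf("X.509") + struct.pack(">I", len(e["cert"])) + e["cert"]
    return body + integrity_digest(password, body)


# constructed sample keystore; the blobs are placeholders, not real key material
SAMPLE_JKS = build_sample_jks("secret-store-pw", [
    {"alias": "appsigner", "timestamp": 1525806977000,
     "encrypted_key": b"\x30\x82\x04\xbd" + b"K" * 1209,
     "chain": [b"\x30\x82\x03\x11" + b"C" * 785]},
    {"alias": "backend-ca", "timestamp": 1525806978000,
     "cert": b"\x30\x82\x02\x4a" + b"A" * 586},
])

if __name__ == "__main__":
    for entry in parse_jks(SAMPLE_JKS)[0]:
        print(entry)
```

Writing the output of reset_store_password() to a file and running keytool -list -v -keystore rekeyed.jks -storepass changeit then lists the aliases, entry types and certificate chains. The entry's private key stays encrypted under its own entry password, so this alone does not recover the signing key; it does show exactly which key the app ships, which is what Keyfinder reports.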

crt.sh Checking
For any key found by Keyfinder, the SHA256 hash of the key (or of its certificate) is looked up on the crt.sh website. crt.sh mirrors a number of certificate transparency logs, so the lookup tells you whether a certificate bound to that key has been seen in the wild. The usual reason one has is that an HTTPS web server is (or was) using that key or certificate. CERT Keyfinder queries crt.sh using two sources of information:

  • The hash of a certificate that is located in a keystore that also contains a private key
  • The hash of a public key that has been extracted from a private key

When CERT Keyfinder reports that a key is listed in crt.sh, that is likely cause for concern. A private key whose certificate appears in a certificate transparency log is likely a key that should not be accessible to the public. For example, any Android APK on Google Play is by definition publicly available, and that is no place for the private key of an HTTPS website.

$ python3 keyfinder.py apks/ie.numt.aplykey.apk
apks/ie.numt.aplykey.apk includes private key:  assets/sample-keys/ca.key (pkcs5)
apks/ie.numt.aplykey.apk includes private key:  assets/sample-keys/client.key (pkcs5)
Enter pass phrase for keys/ie.numt.aplykey/assets/sample-keys/pass.key:apks/ie.numt.aplykey.apk includes private,protected key:  assets/sample-keys/pass.key (pkcs5)
apks/ie.numt.aplykey.apk includes protected key:  assets/sample-keys/pkcs12.p12 (pkcs12)
apks/ie.numt.aplykey.apk includes private key:  assets/sample-keys/server.key (pkcs5)
apks/ie.numt.aplykey.apk key assets/sample-keys/server.key is listed in crt.sh: https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681
$

Here we can see that the file assets/sample-keys/server.key is listed in crt.sh as: https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681. Because this query is for a public key hash rather than for a certificate, we need to click through to any of the listed certificates to get details about what the private key may be used for. By clicking through to https://crt.sh/?id=35604116, we can see that the certificate was issued by Comodo CA Limited for the domains oxsv.meta-level.de and www.oxsv.meta-level.de. Because this certificate expired in 2013, this particular finding may not be terribly significant. However, one might wonder how the private key assets/sample-keys/server.key ended up in a publicly-released Android application while also being used by a publicly-reachable server. The impact of such a key leak depends on what the server in question is being used for.
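The two lookups described above (the hash of the public key extracted from a private key, and the hash of a certificate) as an added example in Python standard-library code. This is not Keyfinder's own code, which relies on OpenSSL and PyOpenSSL; the minimal DER handling, the toy RSA key used as sample input, and the use of crt.sh's sha256= parameter for certificate lookups are this example's own assumptions.

```python
"""Added example (not Keyfinder's code): derive the crt.sh lookup URLs that
Keyfinder's check is based on, using only the Python standard library.

- For a private key, the SubjectPublicKeyInfo (SPKI) is rebuilt from the key's
  public numbers and hashed: https://crt.sh/?spkisha256=<hex>
- For a certificate, the DER is hashed directly: https://crt.sh/?sha256=<hex>
  (assumption: crt.sh's sha256= query parameter)
Only RSA keys in PKCS#1 ("RSA PRIVATE KEY") or unencrypted PKCS#8
("PRIVATE KEY") PEM are handled; encrypted keys need a password first."""
import base64
import hashlib
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encoder/decoder ------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(i):
    # minimal two's-complement encoding; adds a leading 0x00 when the top bit is set
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, off):
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                         # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + ln], off + ln


def _seq_items(body):
    items, off = [], 0
    while off < len(body):
        tag, val, off = _read_tlv(body, off)
        items.append((tag, val))
    return items


# --- PEM handling -----------------------------------------------------------
def _pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("password-protected key: decrypt it first (Keyfinder prompts, or takes -p)")
    b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    return label, base64.b64decode(b64)


def rsa_public_numbers(pem):
    """Return (n, e) from a PKCS#1 or unencrypted PKCS#8 RSA private key PEM."""
    label, data = _pem_decode(pem)
    _, body, _ = _read_tlv(data, 0)
    items = _seq_items(body)
    if label == "PRIVATE KEY":  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        alg = _seq_items(items[1][1])
        if alg[0][1] != RSA_OID:
            raise ValueError("only RSA keys are handled in this example")
        _, body, _ = _read_tlv(items[2][1], 0)
        items = _seq_items(body)
    elif label != "RSA PRIVATE KEY":
        raise ValueError("unexpected PEM label %r" % label)
    # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv
    return int.from_bytes(items[1][1], "big"), int.from_bytes(items[2][1], "big")


def spki_der(n, e):
    pub = der(0x30, der_int(n) + der_int(e))                  # RSAPublicKey
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))      # rsaEncryption, NULL params
    return der(0x30, alg + der(0x03, b"\x00" + pub))          # SubjectPublicKeyInfo


def crtsh_url_for_private_key(pem):
    n, e = rsa_public_numbers(pem)
    return "https://crt.sh/?spkisha256=" + hashlib.sha256(spki_der(n, e)).hexdigest()


def crtsh_url_for_cert(cert_pem):
    label, data = _pem_decode(cert_pem)
    if label != "CERTIFICATE":
        raise ValueError("not a certificate PEM")
    return "https://crt.sh/?sha256=" + hashlib.sha256(data).hexdigest()


# --- constructed sample: a toy RSA key (p=61, q=53), useless for real crypto -----
def sample_pkcs1_pem(n=3233, e=17, d=2753, p=61, q=53):
    priv = der(0x30, b"".join(der_int(x) for x in
                              (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))))
    b64 = base64.b64encode(priv).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n" + b64 + "\n-----END RSA PRIVATE KEY-----\n"


def sample_pkcs8_pem(n=3233, e=17, d=2753, p=61, q=53):
    _, pkcs1 = _pem_decode(sample_pkcs1_pem(n, e, d, p, q))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    p8 = der(0x30, der_int(0) + alg + der(0x04, pkcs1))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(p8).decode() + "\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(crtsh_url_for_private_key(sample_pkcs1_pem()))
```

The same SPKI hash is obtained with the OpenSSL command line as openssl pkey -in server.key -pubout -outform DER | openssl dgst -sha256, which is a useful cross-check when a lookup hit looks surprising.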

Key File Usage
Keyfinder includes another capability that can help determine what a key is used for by an Android application. With the -u option, Keyfinder extracts the APK contents using apktool and then checks for APK contents that reference the key file. For example:

$ python3 keyfinder.py apks/by_sha256/06/14/49/06144936809844bcb120d360ecc148679e33fd013c2bdac8bd9d7b63d71a57a4/tntapp.trinitymember.apk -u
I: Using Apktool 2.3.1-dirty on tntapp.trinitymember.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /tmp/tntapp.trinitymember/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
res/raw/sm_private is referenced by extracted/tntapp.trinitymember/smali/tntapp/trinitymember/R$raw.smali
res/raw/sm_private is referenced by extracted/tntapp.trinitymember/res/values/public.xml
apks/by_sha256/06/14/49/06144936809844bcb120d360ecc148679e33fd013c2bdac8bd9d7b63d71a57a4/tntapp.trinitymember.apk includes private key:  res/raw/sm_private (pkcs5)

Here we can see that the Android code R$raw.smali makes reference to the sm_private key file. If we look at the R$raw.smali file, we can see one reference to sm_private:

.field public static final sm_private:I = 0x7f060001

If we search for 0x7f060001 in the application's code, we can see that it is referenced in smali/tntapp/trinitymember/model/RSA.smali:

    const v18, 0x7f060001
    invoke-virtual/range {v17 .. v18}, Landroid/content/res/Resources;->openRawResource(I)Ljava/io/InputStream;
    move-result-object v7
    .line 114
    .local v7, "is":Ljava/io/InputStream;
    new-instance v3, Ljava/io/BufferedReader;
    new-instance v17, Ljava/io/InputStreamReader;
    const-string v18, "UTF-8"
    move-object/from16 v0, v17
    move-object/from16 v1, v18
...

smali code is not too pretty to look at, so we can decompile the code into Java, which is a bit more readable:

    public static byte[] decryptRSA(Context arg20, String arg21) throws Exception {
        System.out.println(":" + arg21);
        byte[] v14 = Base64.decode(arg21.getBytes("UTF-8"), 0);
        BufferedReader v3 = new BufferedReader(new InputStreamReader(arg20.getResources().openRawResource(0x7F060001), "UTF-8"));
        ArrayList v13 = new ArrayList();
        while(true) {
            String v12 = v3.readLine();
            if(v12 == null) {
                break;
            }

            ((List)v13).add(v12);
        }
...

Here we can clearly see a function called decryptRSA, which opens the private key referenced as resource 0x7F060001. If we trace further into the application code, we can get a better idea of what the private key is being used for. We will leave that as an exercise for the reader.
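The manual chase above (resource name, to its numeric ID in public.xml, to the const or sget instruction in smali that loads it, to the call that consumes it) as an added Python example. It is not part of Keyfinder's -u check, which stops at name references. The apktool output tree it walks is constructed in a temporary directory with made-up contents laid out like the files named above.

```python
"""Added example (not Keyfinder's own code): follow a raw resource from its
name to the code that opens it. Given an apktool output directory it
  1. reads res/values/public.xml to map the resource name to its numeric ID,
  2. scans every .smali file for `const` loads of that ID or `sget` reads of
     the R$<type>;-><name>:I field,
  3. reports the file, line, register and the next invoke that consumes it."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

LOAD_RE = re.compile(r"^\s*(const(?:/\w+)?|sget)\s+([vp]\d+),\s*(\S+)")
INVOKE_RE = re.compile(r"^\s*invoke-\S+\s+\{[^}]*\},\s*(\S+)")


def resource_id(apk_dir, res_type, name):
    """Numeric resource ID from apktool's res/values/public.xml."""
    tree = ET.parse(os.path.join(apk_dir, "res", "values", "public.xml"))
    for el in tree.getroot().iter("public"):
        if el.get("type") == res_type and el.get("name") == name:
            return int(el.get("id"), 16)
    raise KeyError("%s/%s not in public.xml" % (res_type, name))


def find_resource_uses(apk_dir, res_type, name, lookahead=8):
    """Return [(relpath, lineno, register, consuming_call)] for each load of the resource."""
    rid = resource_id(apk_dir, res_type, name)
    field_suffix = "/R$%s;->%s:I" % (res_type, name)
    hits = []
    for dirpath, _, files in os.walk(apk_dir):
        for fn in files:
            if not fn.endswith(".smali") or fn.startswith("R$"):
                continue                       # R$*.smali only declares the constant
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                lines = f.read().splitlines()
            for i, line in enumerate(lines):
                m = LOAD_RE.match(line)
                if not m:
                    continue
                val = m.group(3)
                inlined = val.startswith("0x") and int(val, 16) == rid   # dx/d8 inlined the constant
                via_field = val.endswith(field_suffix)                  # read through the R class
                if not (inlined or via_field):
                    continue
                # the first invoke after the load is usually the consumer (openRawResource etc.)
                call = next((c.group(1) for c in map(INVOKE_RE.match,
                                                     lines[i + 1:i + 1 + lookahead]) if c), None)
                rel = os.path.relpath(path, apk_dir).replace(os.sep, "/")
                hits.append((rel, i + 1, m.group(2), call))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_tree():
    """Constructed apktool-style tree; contents are made up for the example."""
    root = tempfile.mkdtemp(prefix="apk_")
    _write(root, "res/values/public.xml",
           '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
           '    <public type="raw" name="sm_private" id="0x7f060001" />\n'
           '    <public type="raw" name="sm_public" id="0x7f060002" />\n'
           '</resources>\n')
    _write(root, "smali/tntapp/trinitymember/R$raw.smali",
           ".class public final Ltntapp/trinitymember/R$raw;\n"
           ".field public static final sm_private:I = 0x7f060001\n"
           ".field public static final sm_public:I = 0x7f060002\n")
    _write(root, "smali/tntapp/trinitymember/model/RSA.smali",
           ".class public Ltntapp/trinitymember/model/RSA;\n"
           ".method public static decryptRSA(Landroid/content/Context;Ljava/lang/String;)[B\n"
           "    const v18, 0x7f060001\n"
           "    invoke-virtual/range {v17 .. v18}, Landroid/content/res/Resources;->openRawResource(I)Ljava/io/InputStream;\n"
           "    move-result-object v7\n"
           ".end method\n")
    _write(root, "smali/tntapp/trinitymember/MainActivity.smali",
           ".class public Ltntapp/trinitymember/MainActivity;\n"
           ".method private loadKey()V\n"
           "    invoke-virtual {p0}, Ltntapp/trinitymember/MainActivity;->getResources()Landroid/content/res/Resources;\n"
           "    move-result-object v0\n"
           "    sget v1, Ltntapp/trinitymember/R$raw;->sm_private:I\n"
           "    invoke-virtual {v0, v1}, Landroid/content/res/Resources;->openRawResource(I)Ljava/io/InputStream;\n"
           "    move-result-object v2\n"
           "    return-void\n"
           ".end method\n")
    return root


if __name__ == "__main__":
    for hit in find_resource_uses(build_sample_tree(), "raw", "sm_private"):
        print(hit)
```

Run against a real apktool output directory (apktool d app.apk -o extracted; then find_resource_uses("extracted", "raw", "sm_private")), the consuming call is what tells you whether the key feeds a KeyFactory, a KeyStore.load, or an SSL context, which is the question the text leaves open.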
