Maybe most of you reading this knew this but I have to admit that I did not. I was reading the WEB SECURITY TESTING COOKBOOK by Paco Hope and Ben Walther and came across a snippet of code where they show that you can use openssl to generate a Base64-encoded blob of data.
I did not know that you could do this with OpenSSL. I also didn’t know that it could do a lot more than that in the encoding/decoding realm.
Check it out:
Decoding a Base64-encoded string
This is why I love using Linux when testing systems. A simple command line can be used over and over again to perform various tasks. Multi-use is key here.
So, let’s say you come across a Base64-encoded blob of data and you want to decode it. Sure, there are plenty of online decoders out there.
Let’s say the blob of data is:
QWRtaW5pc3RyYXRvcjpwYXNzd2QK
Let’s decode this using openssl:
user@host:~# echo "QWRtaW5pc3RyYXRvcjpwYXNzd2QK" | openssl base64 -d
What do you get?
“Administrator:passwd”
Congratulations! You’ve successfully decoded a username/password pair.
Encoding a string as Base64
Now, let’s say you wanted to be able to manipulate a base64-encoded blob of data and substitute your own information into it. This would entail you encoding your data for insertion. OpenSSL helps there, too.
Let’s say, instead of the username/password pair we discovered up above, we wanted to somehow include our own in that blob of data. Let’s say we wanted to put “Charlie:Winning” into the blob and we need to base64-encode it.
Our data:
“Charlie:Winning”
Encoding it:
user@host:~# echo "Charlie:Winning" | openssl base64 -e
It will return the following:
Q2hhcmxpZTpXaW5uaW5nCg
We can then paste this into wherever we’re using that base64-encoded data and we’re ready to rock.
Generating Hashes
Now, let’s say you wanted to be able to generate an MD5 hash of a value, for use in web testing. If you had a value (let’s say “Charlie:Winning” again … ) and you needed to calculate an MD5 hash of that value to append to a string being submitted to a web server, you can accomplish this with OpenSSL, as well.
Generating an MD5 Hash
Our value:
“Charlie:Winning”
Our command to generate an MD5 hash from it:
user@host:~# echo "Charlie:Winning" | openssl dgst -md5
The result:
428a9b9b18360150aadfe3480189a1f8
Generating a SHA-1 Hash
You can use the same command, changing the digest being used (from -md5 to -sha1) to generate a SHA-1 hash.
Our value:
“Charlie:Winning”
Our command to generate a SHA-1 hash from it:
user@host:~# echo "Charlie:Winning" | openssl dgst -sha1
The result:
23d7fc7c0819c20d0e83d88bb142537e8f87cc6c
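One detail the commands above gloss over: echo appends a newline, so what gets encoded or hashed is "Charlie:Winning" plus a line feed, which will not match a value a server computes over the bare string. The script below is an added example (not from the original post or the book; the function names are made up here) that compares both forms and checks the decoded blob from the post for that trailing newline.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Base64 of exactly the bytes in $1 (printf adds no newline; -A keeps one line).
b64_exact() { printf '%s' "$1" | openssl base64 -A; }

# Base64 the way the post's commands do it: echo appends "\n" before encoding.
b64_echo() { echo "$1" | openssl base64 -A; }

# Hex digest of $2 using algorithm $1 (md5, sha1, sha256, ...).
# awk keeps the last field, so "(stdin)= <hex>" and a bare "<hex>" both work.
digest_exact() { printf '%s' "$2" | openssl dgst "-$1" | awk '{print $NF}'; }
digest_echo()  { echo "$2" | openssl dgst "-$1" | awk '{print $NF}'; }

# Number of bytes a Base64 blob decodes to.
decoded_len() { printf '%s\n' "$1" | openssl base64 -d -A | wc -c | tr -d ' '; }

# Succeeds if the decoded blob ends in a newline (0x0a), i.e. it was most
# likely produced with echo rather than from the bare string.
ends_with_newline() {
    last=$(printf '%s\n' "$1" | openssl base64 -d -A | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

value='Charlie:Winning'
blob='QWRtaW5pc3RyYXRvcjpwYXNzd2QK'   # the blob decoded earlier in the post

echo "base64, bare string : $(b64_exact "$value")"
echo "base64, via echo    : $(b64_echo "$value")"
echo "md5, bare string    : $(digest_exact md5 "$value")"
echo "md5, via echo       : $(digest_echo md5 "$value")"
echo "sha1, bare string   : $(digest_exact sha1 "$value")"
echo "sha1, via echo      : $(digest_echo sha1 "$value")"

echo "blob decodes to $(decoded_len "$blob") bytes"
if ends_with_newline "$blob"; then
    echo "blob ends in a newline: the real credential is one byte shorter"
fi
```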
Conclusion
OpenSSL has a thousand different uses and you should try to become as familiar with it as you can. I never realized how many cool things it can do and was always looking around for different tools to perform all these functions above.
Now I know I don’t need all those tools. I’ve got one tool that handles all of that for me.
Excellent pieces. Keep posting this kind of information on your blog. I am really impressed by your blog.