NFC Implant-base RSA Encrypted Messagging application

Related tags

Security related resourcesNFC-Implant-base-RSA-Encrypted-Messaging-Application
Overview


   N.I.R.E.M.A.

NFC Implant-base RSA Encrypted Messagging application



This project aims to develop an NFC implant-based RSA encrypted messaging application that ensures secure communication between the users and lets the user be the only one who can decrypt the exchanged messages. Besides secure transmission, this application focuses on saving the user private key on an external underskin implant. Thanks to the Mifare DESFire chip’s security, the user can keep out-system the private key used to sign and encrypt the communications. Therefore, the only way to access the messages will be with the possession of the unique implant.

Installation steps on Linux Debian base

Hardware required

Documentations

Proxmark3 client version

ATM this application is not working with the last version of the Iceman proxmark firmware. (There are problems related to the dinanic memory). HERE there is the last tested working version, released 20,2021 (ea80ea2).

The proxmark firmware and client should be matching every time. But as I have tested the firmware of the 4-11-2021 with the client of the 20-5-2021, I can confirm that it is working for this occasion. ( I am explain that so if you have a proxmark3 with the last firmware you do not need to reflash it with an old one.)

Installation Server Side (Linux Debian base)

  • cloning the repo

git clone https://github.com/Kaosxx88/NFC-Implant-base-RSA-Encrypted-Messaging-Application.git

  • cd in the folder

cd NFC-Implant-base-RSA-Encrypted-Messaging-Application.git

  • python 3.7+

sudo apt-get install python3

  • pip3

sudo apt-get install python3-pip

  • Requirements Installation

python3 -m pip install -r requirements.txt

Installation Client Side (Linux Debian base)

  • cloning the repo

git clone https://github.com/Kaosxx88/NFC-Implant-base-RSA-Encrypted-Messaging-Application.git

  • cd in the folder

cd NFC-Implant-base-RSA-Encrypted-Messaging-Application.git

  • python 3.7+

sudo apt-get install python3

  • pyqt5

sudo apt-get install python3-pyqt5

  • install python3 pip

sudo apt-get install python3-pip

  • Requirements Installation

python3 -m pip install -r requirements.txt

IMPORTANT

The file 'pmx3_read_keys_from_desfire.py' in the client folder of the repo, need to be modified accordly. In line 22 the variable self.pm3_path must be change to the user path where the proxmark client have been dowloaded.


Kali linux ONLY


(Setting up a virtual environment top avoid conflict with the python3 modules "serial" / "pyserial" )
  • installation of virtual environment

sudo apt-get install python3-venv

  • creation virtual environment

python3 -m venv path/to/the/folder

  • activation of the virtual environment

source /path/to/the/environment/bin/activate

Start the server application

  • change directory into the repo

cd /path/to/the/repo

  • change directory into the server folder

cd server

  • run the file server.py

python3 server.py

Start the client application

  • change directory into the repo

cd /path/to/the/repo

  • change directory into the server folder

cd client

  • run the file ui.controller.py

python3 ui_controller.py

proxmark3

The Proxmark is one of the most must-have of a hacker inventory. It is a cards reader that can read, write, force, and simulate many different types of chips on the market. In this project, the proxmark3 easy have been used to read and write the keys on the MIFARE DESFire chip.

ACR

The ACR122U is a card reader able to communicate with the MIFARE DESFire chip using the Application Protocol Data Unit called ADPU. This device has been used to change the standard key of the chip MIFARE DESFire. The sample DESFire cards have been bought directly from an abroad supplier, and they come with a standard key formed of all 0 digits.

MIFARE DESfire

The Mifare Desfire chip is one of the most secure chips in the market right now (the same chip that is present on the card of the London Underground, known as Oyster Card ). It offers an Advanced Encryption Standard of 128 bit and has enough storage capacity to store a public key pair of 4096 bit. The same chip has been embedded in an implant from a company called [Dangerous things](https://dangerousthings.com/) .

N.I.R.E.M.A. file structure



Registration

The Nirema registration screen has three main buttons that can be pressed. The first one, called “Create a new key pair,” helps the user create new keys if he does not own them already. The second button, called “ Load key pair from files”, allows the user to select the key from a user-chosen folder. The last button, called “ Load key from DESFire”, allows the user to load the keys directly from the MIFARE DESFire chip

The first and the second button are bringing the user to two different pages, but they are almost the same in graphical. In the following picture, there is a comparison of them. On the left one, the user has to choose the path to save the keys, and on the right one, the user has to select the path from where to load the keys.

Both of the above screenshots show the need for the passphrase location to encrypt or decrypt the private key. The back and next buttons are helping the user to move in between the registration process. If the user selects the load key from the DESFire button, the screen on the left picture will appear. As in the login screen, the COM port will be automatically detected, and the first one available will be set as the default one. The user will be able to change the default port with another one by clicking on it and selecting another port to use. Elements 2 is the passphrase entry for the private key. Without it, the application will not be able to load the key in the system.

The three previously explained application screens are bringing the user to the final part of the registration. In this section, point 1 shows the rules to follow in the nickname selection. Point 2 is where the user has to input the nickname that he wants to use. The registration button on the left side of the image, once pressed, will send the registration request to the server, and if the chosen name is available, the registration process will be authorised and completed. At this point, the left screen will appear. The top label will show a congratulations message to the user, and the bottom label will confirm the correct registration of the user. After the registration process is concluded, the user will be redirected to the login screen, and he can finally log in to the Nirema application. The following image shows the pseudocode of the registration process. The pseudocode is an informal language that helps the programmer to develop the algorithm. It is giving a better understanding of the registration code behind the user interface. It is crucial to keep in mind the final code is much more complex.

Login

The first screen of the Nirema application is the log in one. There are many elements; let’s take a look at all of them one by one. Points 1 and 2 are the user nickname and the private key passphrase input; the 3 and 4 are the tabs selection for the upload method of the keys. The NFC tab allows the user to load the keys by scanning the MIFARE DESFire chip. On the other side, the File tab, let the user search for the keys in the system directory (There will be another screenshot explaining this part). Point 5 show the available COM port connected to the system. This is the port where the Proxmark or any other card reader will be connected. Point 6 is the login button, and point 7 redirect the user to the registration screen.

The Files tab allow the user to select the key set from the system. Once button one or button two are pressed from the uses, a window with a file selection will appear. It is essential to state that only key file with the extension (.pem) are allowed to be imported. The button’s label shows the actual path selected. As a standard path, the application will look up the presence of the keys inside a dedicated folder called keys inside the Nirema main installation folder.

Chat GUI

  1. Application logo
  2. Name and version of the application.
  3. Logged user nickname.
  4. Entry to search for new users
  5. Button to send the request to the server to search the new user.
  6. Label that shows an intro message to the user with instruction
  7. Instruction label

  1. The top chat label will show the selected chat user destination.
  2. The delete button, delete all the conversation with the user from the server.
  3. The search button, search in the chat any corresponding text.
  4. The message entry allows the user to write the message.
  5. The left user list shows all the linked user and conversation in the account
  6. The send button sends the message and clears the message entry.
  7. The Chatbox will display the conversation.
  8. The clear button will clear the message entry box.

  1. New message notification
  2. New user on the user list

MIFARE DESfire structure

The MIFARE DESFire chip can store up to 28 different applications; each application can have up to 32 files between standards, backup, value file, record file and cycling recording file. Each Desfire chip has a card master key, and each application on it have a maximum of 14 different keys that can be assigned to write, read and delete data in the chip (NXP, 2015). For the realisation of this project, two applications have been written to the DESFire cards. The first one with the Application ID number 0x888888 has been assigned to the public key, and the second application with the AID 0x999999 has been allocated to the encrypted private key. The picture on the left side shows the enumeration of the Desfire chip using the proxmark3 easy. It is possible to notice the two applications written on the chip ( Green arrow). Each of them has one file with the keys inside ( Blue arrow). The files have free read permission but need a predefined key to be written on the card to avoid any unauthorised alteration (Orange arrow). All the keys and the linked authorisation are customisable on the application and file creation. When read from the smart card reader, the internal structure of the MIFARE DESFire chip will be displayed as in the following picture. Please keep in mind that the next image only shows part of the saved private key.

As is possible to notice from the picture above, the displayed memory is around 240 bit ( left bottom corner). To give an idea of the private keys’ real size, the number of 240 bit has to reach 3296 bit. Therefore the saved key will be more or less 14 times longer than the sowed picture. The same idea must be applied to the public key representation, but it will reach only 784 bit of size. The two keys added together will form a public key pair 4096 bit. Therefore it is simple to understand that a lot of data have been written to the card.

Requests schema

The server side of the Nirema application is in charge of handling the requests and the connections coming from the clients. The servers configuration allows it to accept only specific requests and reject the not recognised or unauthorised ones. The following schema shows the requests of the server.

As is possible to notice in the above picture, all the requests and responses are encrypted apart for the public key request. It is essential to keep in mind that the server uses SSL/TLS certificates. Therefore even if the public key request is not encrypted directly, it is encrypted at the socket level. The symbol (PK) on the above schema’s encryption section means that the communication is encrypted using the counterpart public key and signed using the sender’s private key. Using this encryption method, the recipient of the request/response is sure of the authenticity and the confidentiality of the content. The symbol (RSA) means that the communication is encrypted using RSA at a 256-bit algorithm based on a shared secret key.

Analysing the above request, the utmost level is the SSL/TLS certificate, which protects its content. At the current moment, the server uses a self-signed certificate, but on the day of the Nirema lunch, it will be necessary to buy a certificate for the domain. The second level is the RSA 256 bit encryption. This encryption is based on a secret exchanged between the server and the client on the public key request. Inside the kernel of the request, there are five elements. The first one is the nickname of the recipient of the message. It is needed for the server to redirect the message to the correct user. Therefore the server needs to be able to read this information. The other four elements are not being decrypted from the server because the server does not have the private key to do it. The only way to decrypt the encrypted messages is to be in possession of the sender or recipient private key. Talking about the last four elements looks like they are present twice on the request. It is accurate, but for a reason. For the sender of a message to be able to download the conversation from the server in the future and do not keep the conversation decrypted locally, it is needed to keep on the server a copy of the message that he can read and decrypted. In the case that only the version of the message that is destinated to a recipient is kept on the server, the sender will not be able to decrypt it anymore because only the recipient’s private keys can do it.

Application flow

The above picture shows the concept flow of the N.I.R.E.M.A. application. The utilisation of the local public key database and the (public) public key database NEED TO BE IMPLEMENTED as 2FA and 3FA.

Database structure

The above image show the structure of the server database in which the message are stored. The structure is former of:

  1. Message number
  2. Sender Nickname
  3. Recipient Nickname
  4. Message encrypted with the sender public key
  5. Message sign
  6. Message encrypted with the recipient publick key
  7. Message sign

Creation of a DESFIRE MIFARE apps

(WORK IN PROGRESS)

Colors and logos

The color palette has been inspirated from Kali Linux theme design ( 2020.1). The following N.I.R.E.M.A. logos are available on the client side folder.

Credits


A big thanks go to Fausto Fasan for the N.I.R.E.M.A. application logos

Owner
GitHub Repository
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
A terminal based web shell controller

shell-hack Tribute to Chinese ant sword; A Powerful terminal based webshell controller; Usage : Usage : python3 shell-hack.py --url [URL] --w

s1mple 10 Dec 28, 2021
A honeypot for the Log4Shell vulnerability (CVE-2021-44228)

Log4Pot A honeypot for the Log4Shell vulnerability (CVE-2021-44228). License: GPLv3.0 Features Listen on various ports for Log4Shell exploitation. Det

Thomas Patzke 79 Dec 27, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than F

Christopher Roberts 3 Nov 16, 2021
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022
PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM <= 8.0.1

CVE-2021-45897 PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM = 8.0.1 This vulnerability was repor

Manuel Zametter 17 Nov 09, 2022
Mips script decompiles MIPS assembly instructions & bot functionality

mips mips is a python-based script that decodes MIPS instructions. Usage cd into mips and run python decode.py command or open decode.py to run the sc

Anthony Tedja 0 Mar 30, 2022
Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary.

Midas ELF64 Injector Description Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary. All you n

midas 20 Dec 24, 2022
A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer.

Wlan Fetcher Windows10 Description A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer. Usage This Script onl

2 Nov 20, 2021
Discord Region Swapping Exploit (VC Overload)

Discord-VC-Exploit Discord Region Swapping Exploit (VC Overload) aka VC Crasher How does this work? Discord has multiple servers that lets people arou

Rainn 11 Sep 10, 2022
It's a simple tool for test vulnerability Apache Path Traversal

SimplesApachePathTraversal Simples Apache Path Traversal It's a simple tool for test vulnerability Apache Path Traversal https://blog.mrcl0wn.com/2021

Mr. Cl0wn - H4ck1ng C0d3r 56 Dec 27, 2022
The ultimate Metasploit apk binder with legit apk written in python3

Infector is a python3 based script which is officially made for linux based distro . It binds metasploit payload with original apk with avast antivirus bypassed .

27 Dec 25, 2022
Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

Vadi 329 Jan 01, 2023
Brute-forcing (or not!) deck builder for Pokemon Trading Card Game.

PokeBot Deck Builder Brute-forcing (or not!) deck builder for Pokemon Trading Card Game. Warning: intensely not optimized and spaghetti coded Credits

Hocky Harijanto 0 Jan 10, 2022
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

258 Jan 02, 2023
The self-hostable proxy tunnel

TTUN Server The self-hostable proxy tunnel. Running Running: docker run -e TUNNEL_DOMAIN=Your tunnel domain -e SECURE=True if using SSL ghcr.io/to

Tom van der Lee 2 Jan 11, 2022
A Safer PoC for CVE-2022-22965 (Spring4Shell)

Safer_PoC_CVE-2022-22965 A Safer PoC for CVE-2022-22965 (Spring4Shell) Functionality Creates a file called CVE_2022-22965_exploited.txt in the tomcat

Colin Cowie 46 Nov 12, 2022
CVE-2022-22963 PoC

CVE-2022-22963 CVE-2022-22963 PoC Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-R

Nicolas Krassas 104 Dec 08, 2022
SPV SecurePasswordVerification

SPV SecurePasswordVerification Its is python module for doing a secure password verification without sharing the password directly. Features The passw

Merwin 1 Feb 12, 2022