--- tags: Facebook, \#PWD_BROWSER, password, crypto, encryption title: Demistify the Facebook client-side password encryption description: "Demistify the Facebook client-side password encryption ! Are you wondering where this famous #PWD_BROWSER comes from, and how the encryption is generated? All is revealed here" image: https://wi-images.condecdn.net/image/oYAW0MbXYMg/crop/1620/f/encryption_1.jpg --- # Demistify the Facebook client-side password encryption ## Introduction Some time ago, I developed a private API of instagram to be able to perform some actions I needed. The API was working very well until one day in 2020, when the parameters sent to the server to authenticate changed. Indeed, the password was no longer sent in clear text, but encrypted in this way: `#PWD_BROWSER:5:1617376020:AdhQAKb3zEewux6J98xFvie1HjaFRlSTWesGmeAuwW03KpZ1ia4jCMf4jv6ekezoGltbU5QPqbC2alzFutmA7xOQ2M1S1Lkge9qGB94F6rWeWMDqHchFb8uD8MRY9oid0QTZm5nOumSR24lfTaVO29xh2Q==`. It was still possible to authenticate by sending your credentials in clear text, but I asked how the encrypted password was generated. I didn't find anything concrete, so I wanted to search by myself, in order to understand and be able to generate this encrypted password and authenticate myself with it. ## Trace analysis Let's make a connection request with the following identifiers: email: `test@test.com` password: `mysuperpassword` In the fields of our POST request, we notice the following field: `encpass="#PWD_BROWSER:5:1617376020:AdhQAKb3zEewux6J98xFvie1HjaFRlSTWesGmeAuwW03KpZ1ia4jCMf4jv6ekezoGltbU5QPqbC2alzFutmA7xOQ2M1S1Lkge9qGB94F6rWeWMDqHchFb8uD8MRY9oid0QTZm5nOumSR24lfTaVO29xh2Q=="` The name of the field is quite explicit, we strongly assume that it is our encrypted password. At first glance, it looks like the /etc/shadow file format used under Linux or UNIX-like system. Field 5 could be SHA-256. Let's have a look at it. Since it is necessarily encrypted on the client side, we analyze the trace of our POST request to find the function that encrypts the password. ![traces](https://i.imgur.com/YqxqFQa.png) Fig. 1 And bingo! We notice a function named `_encryptBeforeSending` ! It's time to open the file on line 36 as shown. ![functions](https://i.imgur.com/ijf5sHV.png) Fig. 2 Let's get this line and display it in a more readable way. ## _encryptBeforeSending: High-layer encryption function ```javascript= __d("LoginFormController", ["AsyncRequest", "Button", "Cookie", "DOM", "DeferredCookie", "Event", "FBBrowserPasswordEncryption", "FBLogger", "Form", "FormTypeABTester", "LoginServicePasswordEncryptDecryptEventTypedLogger", "WebStorage", "bx", "ge", "goURI", "guid", "promiseDone"], (function(a, b, c, d, e, f) { var g, h = { init: function(a, c, d, e, f) { h._initShared(a, c, d, e, f), h.isCredsManagerEnabled = !1, !f || !f.pubKey ? b("Event").listen(a, "submit", h._sendLoginShared.bind(h)) : b("Event").listen(a, "submit", function(b) { b.preventDefault(), h._sendLoginShared.bind(h)(), h._encryptBeforeSending(function() { a.submit() }) }) }, ... _encryptBeforeSending: function(a) { a = a.bind(h); var c = h.loginFormParams && h.loginFormParams.pubKey; if ((window.crypto || window.msCrypto) && c) { var d = b("DOM").scry(h.loginForm, 'input[id="pass"]')[0], e = b("FBBrowserPasswordEncryption"), f = Math.floor(Date.now() / 1e3).toString(); b("promiseDone")(e.encryptPassword(c.keyId, c.publicKey, d.value, f), function(c) { c = b("DOM").create("input", { type: "hidden", name: "encpass", value: c }); h.loginForm.appendChild(c); d.disabled = !0; a() }, function(c) { var d = "#PWD_BROWSER", e = 5, g = b("LoginServicePasswordEncryptDecryptEventTypedLogger"); new g().setError("BrowserEncryptionFailureInLoginFormControllerWWW").setGrowthFlow("Bluebar/main login WWW").setErrorMessage(c.message).setPasswordTag(d).setPasswordEncryptionVersion(e).setPasswordTimestamp(f).logVital(); a() }) } else a() }, ... ``` Even without necessarily understanding all the variables displayed, it is generally understood that the `init` function is the entry point (see also Fig. 1) and calls the `_encryptBeforeSending(a)` function. This parameter passed as an argument is a function that allows to submit the connection form. Note the function `__d`. The function `__d` is API for RequireJS used to define a Module. Refered to the RequireJS doc: ```javascript= //Explicitly defines the "foo/title" module: define("foo/title", ["my/cart", "my/inventory"], function(cart, inventory) { //Define foo/title object in here. } ); ``` Then call the module as follow: ```javascript= require("foo/title") ``` By the way, we strongly assume that the `b` function refers to the `require` function. We then notice in the `_encryptBeforeSending` function that an input with `name: "encpass"` is created with the value `c`, returned by the call to the function `e.encryptPassword(c.keyId, c.publicKey, d.value, f)`. This is the POST field we observed earlier, which contained the encrypted password. This input is well created before the call to `a()`, which submits the form. Before going into the code of this function in more detail, we will try to understand where the arguments given to this function come from. ### Middle-layer encryption function, call parameters #### c.keyId & c.publicKey parameters Going back to `c`, we see that this object is created higher as follows: `var c = h.loginFormParams && h.loginFormParams.pubKey;` So now we have to go back to `h`. We notice quite quickly that `h` corresponds to the current module, so we will use the firefox console to display it, and see if we can find these `keyId` and `pubKey`. ![](https://i.imgur.com/iAFlGOo.png) Fig. 3 Nice, it contains the public key and the identifier of this key. ``` Object { publicKey: "53d38c45d2b6ff5bb0b843dfef4e060446596a93f970510b5fe615671ef3c457", keyId: 216 } ``` :::info Note that the public key and the identifier change every day. ::: #### d.value & f parameters For `d.value`, this is the user's password; and `f` the timestamp. We can now look at the contents of the `encryptPassword` function, called by the `FBBrowserPasswordEncryption` module. We find this module in the same file as Fig. 2, and we proceed to the same manipulation. ## encryptPassword: Middle-layer encryption function ```javascript= __d("FBBrowserPasswordEncryption", ["EnvelopeEncryption", "regeneratorRuntime", "tweetnacl-util"], (function(a, b, c, d, e, f) { "use strict"; f.encryptPassword = a; function a(keyID, publicKey, pass, timestamp) { var padding, g, passUTF8, timestampUTF8, encryptedPass; return b("regeneratorRuntime").async(function(k) { while (1) switch (k.prev = k.next) { case 0: padding = "#PWD_BROWSER"; g = 5; passUTF8_decoded = b("tweetnacl-util").decodeUTF8(pass); timestampUTF8_decoded = b("tweetnacl-util").decodeUTF8(timestamp); k.next = 6; return b("regeneratorRuntime").awrap(b("EnvelopeEncryption").encrypt(keyID, publicKey, passUTF8_decoded, timestampUTF8_decoded)); case 6: encryptedPass = k.sent; return k.abrupt("return", [padding, g, timestamp, b("tweetnacl-util").encodeBase64(j)].join(":")); case 8: case "end": return k.stop() } }, null, this) } }), null); ``` We find our `encryptPassword` function in which all the variable names are also letters, but I have manually replaced some variable names in order to see more clearly. We notice on line 18 that a `join` function is called on an array containing all the elements of the encrypted password pattern. We find there in the order: * The id `#PWD_BROWSER`, * The number 5, * The timestamp, * `j` returned by the `case 0`, encoded in base64. The first 3 values are trivial to obtain, what really interests us is this value `j`, obtained by calling `b("EnvelopeEncryption").encrypt(keyID, publicKey, passUTF8_decoded, timestampUTF8_decoded)`. This is the 3rd nested "encrypt" function, maybe the last one haha. Let's see what it contains. ## encrypt: Low-layer encryption function ```javascript= __d("EnvelopeEncryption", ["Promise", "regeneratorRuntime", "tweetnacl-sealedbox-js"], (function(a, b, c, d, e, f) { "use strict"; f.encrypt = a; var g = window.crypto || window.msCrypto, h = 64, i = 1, j = 1, k = 1, l = b("tweetnacl-sealedbox-js").overheadLength, m = 2, n = 32, o = 16, p = j + k + m + n + l + o; function q(a, c) { return b("tweetnacl-sealedbox-js").seal(a, c) } function r(a) { var b = []; for (var c = 0; c < a.length; c += 2) b.push(parseInt(a.slice(c, c + 2), 16)); return new Uint8Array(b) } function a(a, c, d, e) { var f, s, t, u, v, w, x; return b("regeneratorRuntime").async(function(y) { while (1) switch (y.prev = y.next) { case 0: f = p + d.length; if (!(c.length != h)) { y.next = 3; break } throw new Error("public key is not a valid hex sting"); case 3: s = r(c); if (s) { y.next = 6; break } throw new Error("public key is not a valid hex string"); case 6: t = new Uint8Array(f); u = 0; t[u] = i; u += j; t[u] = a; u += k; v = { name: "AES-GCM", length: n * 8 }; w = { name: "AES-GCM", iv: new Uint8Array(12), additionalData: e, tagLen: o }; x = g.subtle.generateKey(v, !0, ["encrypt", "decrypt"]).then(function(a) { var c = g.subtle.exportKey("raw", a); a = g.subtle.encrypt(w, a, d.buffer); return b("Promise").all([c, a]) }).then(function(a) { var b = new Uint8Array(a[0]); b = q(b, s); t[u] = b.length & 255; t[u + 1] = b.length >> 8 & 255; u += m; t.set(b, u); u += n; u += l; if (b.length !== n + l) throw new Error("encrypted key is the wrong length"); b = new Uint8Array(a[1]); a = b.slice(-o); b = b.slice(0, -o); t.set(a, u); u += o; t.set(b, u); return t })["catch"](function(a) { throw a }); return y.abrupt("return", x); case 16: case "end": return y.stop() } }, null, this) } }), null); ``` This function seems to be the right one, the one that finally generates the encrypted key. We notice towards the end, the call to the `generateKey` function, so we'll first focus directly on this part of the code: ### sublte.generateKey ```javascript= x = g.subtle.generateKey(v, !0, ["encrypt", "decrypt"]).then(function(a) { var c = g.subtle.exportKey("raw", a); a = g.subtle.encrypt(w, a, d.buffer); return b("Promise").all([c, a]) }).then(function(a) { var b = new Uint8Array(a[0]); b = q(b, s); t[u] = b.length & 255; t[u + 1] = b.length >> 8 & 255; u += m; t.set(b, u); u += n; u += l; if (b.length !== n + l) throw new Error("encrypted key is the wrong length"); b = new Uint8Array(a[1]); a = b.slice(-o); b = b.slice(0, -o); t.set(a, u); u += o; t.set(b, u); return t })["catch"](function(a) { throw a }); return y.abrupt("return", x); ``` By inquiring about the `generateKey` function, we learn that is a method of the SubtleCrypto interface to generate a new key (for symmetric algorithms) or key pair (for public-key algorithms). In our case, the variable `g` corresponds to `window.crypto`. This object allows web pages to run various cryptographic operations on the browser side. Here is the syntax of the `generateKey` function: `const result = crypto.subtle.generateKey(algorithm, extractable, keyUsages);` with: * `algorithm` is a dictionary object defining the type of key to generate and providing extra algorithm-specific parameters. * `extractable` is a Boolean indicating whether it will be possible to export the key using SubtleCrypto.exportKey() or SubtleCrypto.wrapKey(). * `keyUsages` is an Array indicating what can be done with the newly generated key. In our case, `algorithm` is `v`, corresponding to the following object: ```javascript= v = { name: "AES-GCM", length: n * 8 }; ``` `length` is the length in bits of the key to generate. Here, `n` is a variable defined above, equal to 32. So we learn that the generated key will be a symmetrical key, AES-GCM, of 256 bits. But wait, the format `#PWD_BROWSER:5:1617376020:...` was leading us into error after all? It's not SHA-256? It looks like it, let's continue `extractable` is set to true, and `keyUsages` indicates that it is possible to encrypt and decrypt with the generated key. Finally, `result` is a Promise that fulfills with a CryptoKey (for symmetric algorithms) or a CryptoKeyPair (for public-key algorithms). For our case, it's a CryptoKey. Now let's look at the first part of the code, the result of the first Promise: ```javascript= g.subtle.generateKey(v, !0, ["encrypt", "decrypt"]).then(function(a) { var c = g.subtle.exportKey("raw", a); a = g.subtle.encrypt(w, a, d.buffer); return b("Promise").all([c, a]) }) ``` The freshly generated AES-GCM key is exported in the `c` variable. It is stored in `raw`, in an `ArrayBuffer`. Then the `encrypt` function is called. This function has the following signature: `const result = crypto.subtle.encrypt(algorithm, key, data); ` In our case, `algorithm` corresponds to `w`, which is the next object: ```javascript= w = { name: "AES-GCM", iv: new Uint8Array(12), additionalData: e, tagLen: o }; ``` :::info * iv: A BufferSource — the initialization vector. This must be unique for every encryption operation carried out with a given key. * additionalData: A BufferSource. This contains additional data that will not be encrypted but will be authenticated along with the encrypted data. If additionalData is given here then the same data must be given in the corresponding call to decrypt(): if the data given to the decrypt() call does not match the original data, the decryption will throw an exception. This gives you a way to authenticate associated data without having to encrypt it. ::: `key` is the `a` CryptoKey generated `d.buffer`, corresponds to the buffer of the `Uint8Array` which contains our password in clear text. The function returns in the variable `a` a Promise that fulfills with an ArrayBuffer containing the "ciphertext". The size of the cipher is equal to the size of the password plus 16 bytes. Now that we have seen the result of this first Promise, let us look at the result of the second: ```javascript= .then(function(a) { var b = new Uint8Array(a[0]); b = q(b, s); t[u] = b.length & 255; t[u + 1] = b.length >> 8 & 255; u += m; t.set(b, u); u += n; u += l; if (b.length !== n + l) throw new Error("encrypted key is the wrong length"); b = new Uint8Array(a[1]); a = b.slice(-o); b = b.slice(0, -o); t.set(a, u); u += o; t.set(b, u); return t }) ``` As we saw before, we know that the argument `a` corresponds to an array `[AES_Key_buffer, CipherText_buffer]`. For the rest of the variables, you just have to look above to make the correspondences. I put the code back after making the variable names more understandable: ```javascript= then(function(a) { var aes_key = new Uint8Array(a[0]); aes_key_encrypted = b("tweetnacl-sealedbox-js").seal(aes_key, publicKey_uint8array); key[u] = aes_key_encrypted.length & 255; key[u + 1] = aes_key_encrypted.length >> 8 & 255; u += m; // u = 4 key.set(aes_key_encrypted, u); u += n ; // u = 36 (n=32) u += l; // u = 84 (l=48) if (aes_key_encrypted.length !== n + l) throw new Error("encrypted key is the wrong length"); cipher = new Uint8Array(a[1]); cipher_rigth_part = cipher.slice(-o); cipher_left_part = cipher.slice(0, -o); key.set(cipher_rigth_part, u); u += o; // u = 100 key.set(cipher_left_part, u); return key }) ``` `b("tweetnacl-sealedbox-js").seal(buffer, publicKey);` is used to encrypt the `buffer` using the public key provided. Here, the encryption key `aes_key` is encrypted using the public key given in parameter. The size of the encrypted buffer is equal to the size of the buffer + 48 bytes of overhead. Here the AES key is 256 bits, or 32 bytes; the size of the encrypted aes key will therefore be 48+32=100 bytes. `key` is a Uint8Array defined above as follows: ```javascript= var h = 64, i = 1, j = 1, k = 1, l = b("tweetnacl-sealedbox-js").overheadLength, // always 48 m = 2, n = 32, o = 16, p = j + k + m + n + l + o; // = 100 ... case 0: f = p + pass.length; // = 100 + pass.length ... case 6: key = new Uint8Array(f); // key.length = 100 + pass.length u = 0; key[u] = i; u += j; key[u] = keyID; u += k; ``` Note that the first values of the key are always fixed by constants. `key[0]=1` `key[1]=keyID` `key[2]=aes_key_encrypted.length & 255 = 80` `key[3]=aes_key_encrypted.length>>8 & 255 = 0` Then, ```javascript= key.set(aes_key_encrypted, u); // u == 4 ``` We store in the key at index `u`, the value of the encrypted aes key. We suspect that Facebook has the private key to decrypt this key. Finally, the last interesting part: ```javascript= // o = 16 cipher = new Uint8Array(a[1]); cipher_rigth_part = cipher.slice(-o); cipher_left_part = cipher.slice(0, -o); key.set(cipher_rigth_part, u); u += o; // u = 100 key.set(cipher_left_part, u); return key ``` The cipher is split from the 16 end bytes. The two parts of the cipher are inverted and added to the key. ## Resume The key is finally complete and valid. Here is a short summary of the contents of the key: ![](https://i.imgur.com/z1groBM.png) Fig. 4 The key is generated, but a small detail is missing. Indeed, remember, this key is then encoded in base 64. Let's go back to the previous function: ```javascript= case 0: padding = "#PWD_BROWSER"; g = 5; passUTF8_decoded = b("tweetnacl-util").decodeUTF8(pass); timestampUTF8_decoded = b("tweetnacl-util").decodeUTF8(timestamp); k.next = 6; return b("regeneratorRuntime").awrap(b("EnvelopeEncryption").encrypt(keyID, publicKey, passUTF8_decoded, timestampUTF8_decoded)); case 6: encryptedPass = k.sent; return k.abrupt("return", [padding, g, timestamp, b("tweetnacl-util").encodeBase64(j)].join(":")); ``` A simple call to `b("tweetnacl-util").encodeBase64(j)` on our freshly generated key, and we have our base64 key. We `join` the whole thing and we have a complete and valid key, ready to send to the Facebook server.
Last changed by  
Ostrym
5989

Read more

Write-Up - DGHack - 2020 - Jobboard

Catégorie: Web | Difficulté: Difficile Enoncé En cherchant un job d’ingénieur en cybersécurité, vous avez trouvé un site web proposant des annonces très intéressantes, mais il faut des identifiants particuliers pour y accéder. Pourrez-vous en découvrir un ? Il parait que le compte admin permet de visualiser les futures offres en cybersécurité étatique à DGA MI ? En arrivant sur le site, on tâte un peu toutes les pages pour voir ce qu'il y a de beau. On remarque la présence d'une page contact ainsi qu'une page de connection avec laquelle on peut se connecter en tant que test:test.

11/19/2020
Write-Up - DGHack - 2020 - Walter's Blog

Catégorie: Web Enoncé Un ancien stagiaire avait développé ce site web il y a plusieurs années. Malheureusement, ce projet a mal été documenté et nous ne retrouvons plus les accès pour l'administrer... Votre tuteur vous autorise à tout essayer pour récupérer les accès à ce service, soyez inventif ! Le flag est situé dans le fichier /flag.txt . Nous nous rendons sur le site et pouvons voir un beau blog Minecraft, réalisé par le petit Walter. Il y a une gallerie photo et une page contact.

11/18/2020
Write-Up - DGSE/ESIEE - 2020 - ASCII UART

Catégorie: Hardware Enoncé Un informateur a intercepté un message binaire transmis sur un câble. Il a rapidement enregistré via la carte son d'un PC les données en 8 bits signés (ascii_uart.raw). Dans la précipitation, il a oublié de noter la fréquence d'échantillonnage. Retrouvez le message. Le flag est de la forme DGSESIEE{X} avec X le message Pour ce challenge, il était possible de passer par un éditeur de son numérique comme Audacity, pour extraire les informations binaires, ou de faire un petit script. Je vais ici présenter la solution du script :).

11/7/2020
Write-up - DGSE/ESIEE - 2020 - KeyPad Sniffer

Catégorie: Hardware Enoncé Le code d'accès d'un centre militaire de télécommunications est saisi sur un clavier. Un agent a accédé au matériel (Cf. photos face avant et face arrière du clavier) et a inséré un dispositif pour enregister les données binaires qui transitent sur le connecteur du clavier. Le fichier joint (keypad_sniffer.txt) comprend les données binaires (échantillonnées à une fréquence de 15 kHz) au moment où une personne autorisée rentrait le code d'accès. Retrouvez le code d'accès. Le flag est de la forme DGSESIEE{X} où X est le code saisi Analyser les photos Face Dos

11/7/2020
Read more from Ostrym
Published on HackMD