The gap between the academic development of cryptanalysis techniques and their practical application is wide. The application security community was in awe in 2010 when Duong and Rizzo were able to apply Vaudenay's 2002 padding oracle attack technique to not one but three major frameworks: ASP.NET, Ruby on Rails, and JavaServer Faces. Various tools are being developed for particular applications of these attacks, but they tend to implement at most a handful of different attacks. One of the difficulties is that flawed cryptography can exist in lots of different kinds of technologies; cryptography can exist in pretty much any place normal data can! As a result, performing practical cryptographic attacks often requires writing your own custom tool. This can be beyond the scope of a pen test due to time restrictions. It may also be beyond the skill of a tester to implement a given attack.

Enter Cryptanalib: a library implementing various crypto attacks to make writing crypto attack tools easier! But how do you use it if you can't write code? Enter FeatherDuster: a modular, wizard-like interface that makes using Cryptanalib as simple as possible, sometimes even requiring the user to write no code whatsoever! This talk will discuss some common cryptographic mistakes and show how to use Cryptanalib and FeatherDuster to exploit them.
Daniel has worked in infosec since 2004, is the author of the Magical Code Injection Rainbow, and denies all allegations of unicorn smuggling.