Breaking Weak RSA Keys

How would you break a very weak RSA key? In my example, I had the public key given:

N = 965210800519627751

e = 162419

The task is to break the public key by calculating the corresponding private key (d).

I used the open source tool YAFU (http://sourceforge.net/projects/yafu/) to factorize the modulus N:

# ./yafu "factor(965210800519627751)"
 
 
fac: factoring 965210800519627751
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
div: primes less than 10000
fmt: 1000000 iterations
Total factoring time = 0.0410 seconds
 
***factors found***
 
P9 = 982451429
P9 = 982451419
 
ans = 1

Now you know that p = 982451429 and q = 982451419 or the other way around. With this knowledge, the RSA key is basically broken!
With some Java, you can easily calculate the corresponding private key d:

BigInteger e = new BigInteger("162419");
BigInteger N = new BigInteger("965210800519627751");
 
BigInteger p = new BigInteger("982451429");
BigInteger q = new BigInteger("982451419");
 
BigInteger phi = (p.subtract(BigInteger.ONE)).multiply(q.subtract(BigInteger.ONE));
BigInteger d = e.modInverse(phi);
 
System.out.println(d.toString());

By knowing d, you are in possession of the private key and able to act as the real key owner. Of course, this approach is limited to (very) weak RSA keys since factoring a big number is very hard and takes exponentially much time.

Keep Track of TCP Sessions with Snort

If you want to create Snort rules that check multiple packets of a TCP session, you need the flowbits option. It allows you to add „tags“ to a TCP stream. If another packet of that stream arrives, other rules can filter for those tags.

Snort Documentation http://manual.snort.org/node470.html:

It allows rules to track states during a transport protocol session.

Example:

Imagine you want to check site accesses in a specific folder on your webserver and would like to receive an alert if a site was not found (had 404 error).
So you need to check the HTTP request from the client to filter for the specific folder, and you need to check the server response to know the HTTP status code.

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"File Access"; pcre:"/GET \/specific_folder\/.*/i"; flowbits:set,specific_folder_access; flowbits:noalert; sid:100000;)

Here you define the first rule that checks the HTTP request. If the access goes into the specific_folder, the flowbit (tag) „specific_folder_access“ will be set. This tag allows us to identify packets that meet this criteria in the second rule. „flowbits:noalert;“ means that – although this rule fired – no alert will be triggered.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Site in specific_folder not found"; content:"404"; http_stat_code; flowbits:isset,specific_folder_access; sid:100001;)

In the second rule, we require the packet to be part of a TCP stream tagged with the flowbit „specific_folder_access“. If so, and if the status code is 404, an alert is triggered.

You can even set multiple tags and compose multiple rules to filter complex behavior. See manual.snort.org for more information.

Two-Factor Authentication for SSH

Google offers a PAM module to do two-factor authentication using its Google Authenticator app. It seems to be easy to setup up but still brings a huge security improvement.

A good tutorial for Debian/Ubuntu can be found here:
Digitalocean: How To Protect SSH With Two-Factor Authentication