Keyfinder - A Tool For Finding Together With Analyzing Someone (And Public) Fundamental Files, Including Back Upwards For Android Apk Files
CERT Keyfinder is a utility for finding in addition to analyzing commutation files on a filesystem equally good equally contained inside Android APK files. CERT Keyfinder evolution was sponsored yesteryear the U.S. of America Department of Homeland Security (DHS). Installation requirements:
- Python (3.x recommended)
- androguard
- python-magic
- PyOpenSSL
- apktool
- grep
- OpenSSL
- Java
Installation
- Obtain the Keyfinder code. This tin live accomplished yesteryear performing a
git cloneof the Keyfinder repository, or yesteryear downloading a zip file of the repository. - Install Python dependencies:
$ pip3 install androguard python-magic PyOpenSSLOn Windows platforms, usage thepython-magic-binbundle instead ofpython-magic. This volition render the DLL required to analyze file magic.
Keyfinder Usage
$ python3 keyfinder.py usage: Influenza A virus subtype H5N1 tool for analyzing commutation files, amongst Android APK back upward [-h] [-e EXTRACT_APK] [-u] [-k CHECK_KEYFILE] [-p PASSWORD] [-v] [-d] [apkpath] positional arguments: apkpath APK file or directory optional arguments: -h, --help exhibit this care message in addition to travel out -e EXTRACT_APK, --extract EXTRACT_APK Extract specified APK using apktool -u, --checkused Check if the commutation file is referenced yesteryear the app (slow) -k CHECK_KEYFILE, --key CHECK_KEYFILE Key file or directory -p PASSWORD, --password PASSWORD Specify password -v, --verbose Verbose output -d, --debug Debug output Key Parsing
CERT Keyfinder tin live used to scan the files on your system, reporting alone person and/or password-protected commutation files yesteryear default.
Simple Example
For example, running Keyfinder on the
directory on a CERT Tapioca system:$ python keyfinder.py -k /tapioca keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.p12 type: pkcs12 protected: True ===================== keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca.pem private: True protected: False iskey: True iscert: True encoding: pem type: pkcs8 certhash: 902073e933d0bf9b3da49a3a120d0adecdf031960f87576947bdc3157cd62d8e keyhash: 3aae8d85450bae20aaf360d046bc0d90b2998800b3a7356f0742ef6a8824e423 =====================Verbose Output
If nosotros wishing to teach to a greater extent than details, nosotros tin run the same dominance line, but amongst the verbose
-v flag:$ python keyfinder.py -k /tapioca -v keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.cer x509text: Certificate: Data: Version: three (0x2) Serial Number: 15259797775478 (0xde0f2d36476) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=mitmproxy, O=mitmproxy Validity Not Before: May 8 19:16:17 2018 GMT Not After : May nine 19:16:17 2021 GMT Subject: CN=mitmproxy, O=mitmproxy Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b0:91:be:f6:cc:62:5f:fd:af:9e:48:1e:b9:c5: 59:ca:36:f0:02:a7:e5:62:48:5c:26:1b:78:c1:3a: 74:02:0f:af:85:74:0c:d7:24:5f:85:4c:ce:e0:9b: 2f:3f:0a:85:ba:8f:36:3e:bc:4b:3b:3c:13:d8:8f: b9:46:38:42:69:9c:b2:7e:51:fa:cc:ab:fc:57:95: 49:89:45:5c:a2:17:b9:6c:fc:a3:f6:0c:df:50:9e: 36:28:71:1e:43:d2:e7:13:0a:ec:25:e1:5d:27:a5: 69:5d:48:75:f2:4c:44:3f:b6:cd:33:a2:db:49:d3: 97:4d:4f:2c:60:ac:a0:4f:4a:96:19:52:d9:4d:b9: ce:70:49:e6:2d:eb:99:c6:cb:45:8c:5b:df:79:0a: 10:53:44:ac:c2:a3:6c:fd:7d:a3:04:93:73:5e:2e: d2:d9:b9:c9:f2:5d:ad:a0:68:6e:b9:43:31:2e:2b: 31:b5:8d:2b:09:04:7b:63:1e:79:5a:0b:cc:02:16: 7e:6c:7e:0b:04:d0:07:d6:3b:f9:6d:f8:80:e4:b5: e2:36:73:ee:c2:6a:a2:b3:ad:20:ac:42:00:24:61: ad:ff:ed:8d:3d:e7:9f:36:ed:51:a1:91:cf:13:60: b4:40:1c:e4:82:29:4e:d5:05:43:36:2d:04:b2:37: c5:cb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE Netscape Cert Type: SSL CA X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 18:85:41:4C:5B:CD:3F:32:0B:BE:12:F2:C8:6E:98:78:6E:B6:EA:33 Signature Algorithm: sha256WithRSAEncryption 9a:84:35:8c:50:81:ae:53:46:cd:25:31:24:22:3a:25:a3:b0: c9:bd:68:d9:7f:06:3c:88:cd:23:0e:24:00:06:55:c6:91:0f: 81:a9:b6:1d:3d:01:58:54:8b:bc:e6:38:f3:0b:1d:fb:6c:d8: 67:46:d4:0e:cc:5c:ff:17:a4:e6:d0:95:e7:8c:c3:95:4c:80: 40:51:5b:b7:32:65:2d:50:25:26:0b:4a:d4:9d:35:59:f0:d9: cc:1e:2b:54:47:24:02:64:6d:f3:01:85:02:c8:4e:7d:02:13: 30:0c:92:c8:7c:48:2a:c6:dd:64:54:5f:8e:65:ce:c6:91:27: 61:e9:c6:51:25:f2:f4:f7:33:7e:48:c5:0e:a1:c1:86:83:6a: 5a:84:b7:3d:73:28:0b:0c:5a:98:eb:64:1f:a8:72:fd:ca:71: 3c:e7:37:b4:ff:94:ce:15:3d:d5:f4:e0:18:75:41:3c:f9:63: 01:6e:de:73:73:1e:bf:e2:02:d7:47:a6:4a:9e:70:2d:ce:06: c4:a9:e5:a5:3b:b9:5f:d8:b6:9d:33:58:fc:38:ce:fb:80:0b: ad:5d:6f:56:62:ca:81:d1:27:36:5e:6f:03:7b:2b:75:29:bd: 85:d3:cd:11:a3:32:b7:72:09:d2:87:10:cd:fd:4b:bb:88:28: ce:15:3e:d2 SHA256 Fingerprint=90:20:73:E9:33:D0:BF:9B:3D:A4:9A:3A:12:0D:0A:DE:CD:F0:31:96:0F:87:57:69:47:BD:C3:15:7C:D6:2D:8E -----BEGIN CERTIFICATE----- MIIDoTCCAomgAwIBAgIGDeDy02R2MA0GCSqGSIb3DQEBCwUAMCgxEjAQBgNVBAMM CW1pdG1wcm94eTESMBAGA1UECgwJbWl0bXByb3h5MB4XDTE4MDUwODE5MTYxN1oX DTIxMDUwOTE5MTYxN1owKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAlt aXRtcHJveHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwkb72zGJf /a+eSB65xVnKNvACp+ViSFwmG3jBOnQCD6+FdAzXJF+FTM7gmy8/CoW6jzY+vEs7 PBPYj7lGOEJpnLJ+UfrMq/xXlUmJRVyiF7ls/KP2DN9QnjYocR5D0ucTCuwl4V0n pWldSHXyTEQ/ts0zottJ05dNTyxgrKBPSpYZUtlNuc5wSeYt65nGy0WMW995ChBT RKzCo2z9faMEk3NeLtLZucnyXa2gaG65QzEuKzG1jSsJBHtjHnlaC8wCFn5sfgsE 0AfWO/lt+IDkteI2c+7CaqKzrSCsQgAkYa3/7Y0955827VGhkc8TYLRAHOSCKU7V BUM2LQSyN8XLAgMBAAGjgdAwgc0wDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhC AQEEBAMCAgQweAYDVR0lBHEwbwYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcD BAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcKAwEG CisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEATAOBgNVHQ8BAf8EBAMC AQYwHQYDVR0OBBYEFBiFQUxbzT8yC74S8shumHhutuozMA0GCSqGSIb3DQEBCwUA A4IBAQCahDWMUIGuU0bNJTEkIjolo7DJvWjZfwY8iM0jDiQABlXGkQ+BqbYdPQFY VIu85jjzCx37bNhnRtQOzFz/F6Tm0JXnjMOVTIBAUVu3MmUtUCUmC0rUnTVZ8NnM HitURyQCZG3zAYUCyE59AhMwDJLIfEgqxt1kVF+OZc7GkSdh6cZRJfL09zN+SMUO ocGGg2pahLc9cygLDFqY62QfqHL9ynE85ze0/5TOFT3V9OAYdUE8+WMBbt5zcx6/ 4gLXR6ZKnnAtzgbEqeWlO7lf2LadM1j8OM77gAutXW9WYsqB0Sc2Xm8Deyt1Kb2F 080RozK3cgnShxDN/Uu7iCjOFT7S -----END CERTIFICATE----- private: False protected: False type: certificate ===================== keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-dhparam.pem private: False type: DH ===================== keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.p12 type: pkcs12 protected: True ===================== keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca.pem private: True protected: False iskey: True iscert: True encoding: pem type: pkcs8 certhash: 902073e933d0bf9b3da49a3a120d0adecdf031960f87576947bdc3157cd62d8e x509text: Certificate: Data: Version: three (0x2) Serial Number: 15259797775478 (0xde0f2d36476) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=mitmproxy, O=mitmproxy Validity Not Before: May 8 19:16:17 2018 GMT Not After : May nine 19:16:17 2021 GMT Subject: CN=mitmproxy, O=mitmproxy Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b0:91:be:f6:cc:62:5f:fd:af:9e:48:1e:b9:c5: 59:ca:36:f0:02:a7:e5:62:48:5c:26:1b:78:c1:3a: 74:02:0f:af:85:74:0c:d7:24:5f:85:4c:ce:e0:9b: 2f:3f:0a:85:ba:8f:36:3e:bc:4b:3b:3c:13:d8:8f: b9:46:38:42:69:9c:b2:7e:51:fa:cc:ab:fc:57:95: 49:89:45:5c:a2:17:b9:6c:fc:a3:f6:0c:df:50:9e: 36:28:71:1e:43:d2:e7:13:0a:ec:25:e1:5d:27:a5: 69:5d:48:75:f2:4c:44:3f:b6:cd:33:a2:db:49:d3: 97:4d:4f:2c:60:ac:a0:4f:4a:96:19:52:d9:4d:b9: ce:70:49:e6:2d:eb:99:c6:cb:45:8c:5b:df:79:0a: 10:53:44:ac:c2:a3:6c:fd:7d:a3:04:93:73:5e:2e: d2:d9:b9:c9:f2:5d:ad:a0:68:6e:b9:43:31:2e:2b: 31:b5:8d:2b:09:04:7b:63:1e:79:5a:0b:cc:02:16: 7e:6c:7e:0b:04:d0:07:d6:3b:f9:6d:f8:80:e4:b5: e2:36:73:ee:c2:6a:a2:b3:ad:20:ac:42:00:24:61: ad:ff:ed:8d:3d:e7:9f:36:ed:51:a1:91:cf:13:60: b4:40:1c:e4:82:29:4e:d5:05:43:36:2d:04:b2:37: c5:cb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE Netscape Cert Type: SSL CA X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 18:85:41:4C:5B:CD:3F:32:0B:BE:12:F2:C8:6E:98:78:6E:B6:EA:33 Signature Algorithm: sha256WithRSAEncryption 9a:84:35:8c:50:81:ae:53:46:cd:25:31:24:22:3a:25:a3:b0: c9:bd:68:d9:7f:06:3c:88:cd:23:0e:24:00:06:55:c6:91:0f: 81:a9:b6:1d:3d:01:58:54:8b:bc:e6:38:f3:0b:1d:fb:6c:d8: 67:46:d4:0e:cc:5c:ff:17:a4:e6:d0:95:e7:8c:c3:95:4c:80: 40:51:5b:b7:32:65:2d:50:25:26:0b:4a:d4:9d:35:59:f0:d9: cc:1e:2b:54:47:24:02:64:6d:f3:01:85:02:c8:4e:7d:02:13: 30:0c:92:c8:7c:48:2a:c6:dd:64:54:5f:8e:65:ce:c6:91:27: 61:e9:c6:51:25:f2:f4:f7:33:7e:48:c5:0e:a1:c1:86:83:6a: 5a:84:b7:3d:73:28:0b:0c:5a:98:eb:64:1f:a8:72:fd:ca:71: 3c:e7:37:b4:ff:94:ce:15:3d:d5:f4:e0:18:75:41:3c:f9:63: 01:6e:de:73:73:1e:bf:e2:02:d7:47:a6:4a:9e:70:2d:ce:06: c4:a9:e5:a5:3b:b9:5f:d8:b6:9d:33:58:fc:38:ce:fb:80:0b: ad:5d:6f:56:62:ca:81:d1:27:36:5e:6f:03:7b:2b:75:29:bd: 85:d3:cd:11:a3:32:b7:72:09:d2:87:10:cd:fd:4b:bb:88:28: ce:15:3e:d2 SHA256 Fingerprint=90:20:73:E9:33:D0:BF:9B:3D:A4:9A:3A:12:0D:0A:DE:CD:F0:31:96:0F:87:57:69:47:BD:C3:15:7C:D6:2D:8E -----BEGIN CERTIFICATE----- MIIDoTCCAomgAwIBAgIGDeDy02R2MA0GCSqGSIb3DQEBCwUAMCgxEjAQBgNVBAMM CW1pdG1wcm94eTESMBAGA1UECgwJbWl0bXByb3h5MB4XDTE4MDUwODE5MTYxN1oX DTIxMDUwOTE5MTYxN1owKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAlt aXRtcHJveHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwkb72zGJf /a+eSB65xVnKNvACp+ViSFwmG3jBOnQCD6+FdAzXJF+FTM7gmy8/CoW6jzY+vEs7 PBPYj7lGOEJpnLJ+UfrMq/xXlUmJRVyiF7ls/KP2DN9QnjYocR5D0ucTCuwl4V0n pWldSHXyTEQ/ts0zottJ05dNTyxgrKBPSpYZUtlNuc5wSeYt65nGy0WMW995ChBT RKzCo2z9faMEk3NeLtLZucnyXa2gaG65QzEuKzG1jSsJBHtjHnlaC8wCFn5sfgsE 0AfWO/lt+IDkteI2c+7CaqKzrSCsQgAkYa3/7Y0955827VGhkc8TYLRAHOSCKU7V BUM2LQSyN8XLAgMBAAGjgdAwgc0wDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhC AQEEBAMCAgQweAYDVR0lBHEwbwYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcD BAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcKAwEG CisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEATAOBgNVHQ8BAf8EBAMC AQYwHQYDVR0OBBYEFBiFQUxbzT8yC74S8shumHhutuozMA0GCSqGSIb3DQEBCwUA A4IBAQCahDWMUIGuU0bNJTEkIjolo7DJvWjZfwY8iM0jDiQABlXGkQ+BqbYdPQFY VIu85jjzCx37bNhnRtQOzFz/F6Tm0JXnjMOVTIBAUVu3MmUtUCUmC0rUnTVZ8NnM HitURyQCZG3zAYUCyE59AhMwDJLIfEgqxt1kVF+OZc7GkSdh6cZRJfL09zN+SMUO ocGGg2pahLc9cygLDFqY62QfqHL9ynE85ze0/5TOFT3V9OAYdUE8+WMBbt5zcx6/ 4gLXR6ZKnnAtzgbEqeWlO7lf2LadM1j8OM77gAutXW9WYsqB0Sc2Xm8Deyt1Kb2F 080RozK3cgnShxDN/Uu7iCjOFT7S -----END CERTIFICATE----- keyhash: 3aae8d85450bae20aaf360d046bc0d90b2998800b3a7356f0742ef6a8824e423 ===================== keyfile: /home/tapioca/tapioca/.mitmproxy/mitmproxy-ca-cert.pem x509text: Certificate: Data: Version: three (0x2) Serial Number: 15259797775478 (0xde0f2d36476) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=mitmproxy, O=mitmproxy Validity Not Before: May 8 19:16:17 2018 GMT Not After : May nine 19:16:17 2021 GMT Subject: CN=mitmproxy, O=mitmproxy Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b0:91:be:f6:cc:62:5f:fd:af:9e:48:1e:b9:c5: 59:ca:36:f0:02:a7:e5:62:48:5c:26:1b:78:c1:3a: 74:02:0f:af:85:74:0c:d7:24:5f:85:4c:ce:e0:9b: 2f:3f:0a:85:ba:8f:36:3e:bc:4b:3b:3c:13:d8:8f: b9:46:38:42:69:9c:b2:7e:51:fa:cc:ab:fc:57:95: 49:89:45:5c:a2:17:b9:6c:fc:a3:f6:0c:df:50:9e: 36:28:71:1e:43:d2:e7:13:0a:ec:25:e1:5d:27:a5: 69:5d:48:75:f2:4c:44:3f:b6:cd:33:a2:db:49:d3: 97:4d:4f:2c:60:ac:a0:4f:4a:96:19:52:d9:4d:b9: ce:70:49:e6:2d:eb:99:c6:cb:45:8c:5b:df:79:0a: 10:53:44:ac:c2:a3:6c:fd:7d:a3:04:93:73:5e:2e: d2:d9:b9:c9:f2:5d:ad:a0:68:6e:b9:43:31:2e:2b: 31:b5:8d:2b:09:04:7b:63:1e:79:5a:0b:cc:02:16: 7e:6c:7e:0b:04:d0:07:d6:3b:f9:6d:f8:80:e4:b5: e2:36:73:ee:c2:6a:a2:b3:ad:20:ac:42:00:24:61: ad:ff:ed:8d:3d:e7:9f:36:ed:51:a1:91:cf:13:60: b4:40:1c:e4:82:29:4e:d5:05:43:36:2d:04:b2:37: c5:cb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE Netscape Cert Type: SSL CA X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 18:85:41:4C:5B:CD:3F:32:0B:BE:12:F2:C8:6E:98:78:6E:B6:EA:33 Signature Algorithm: sha256WithRSAEncryption 9a:84:35:8c:50:81:ae:53:46:cd:25:31:24:22:3a:25:a3:b0: c9:bd:68:d9:7f:06:3c:88:cd:23:0e:24:00:06:55:c6:91:0f: 81:a9:b6:1d:3d:01:58:54:8b:bc:e6:38:f3:0b:1d:fb:6c:d8: 67:46:d4:0e:cc:5c:ff:17:a4:e6:d0:95:e7:8c:c3:95:4c:80: 40:51:5b:b7:32:65:2d:50:25:26:0b:4a:d4:9d:35:59:f0:d9: cc:1e:2b:54:47:24:02:64:6d:f3:01:85:02:c8:4e:7d:02:13: 30:0c:92:c8:7c:48:2a:c6:dd:64:54:5f:8e:65:ce:c6:91:27: 61:e9:c6:51:25:f2:f4:f7:33:7e:48:c5:0e:a1:c1:86:83:6a: 5a:84:b7:3d:73:28:0b:0c:5a:98:eb:64:1f:a8:72:fd:ca:71: 3c:e7:37:b4:ff:94:ce:15:3d:d5:f4:e0:18:75:41:3c:f9:63: 01:6e:de:73:73:1e:bf:e2:02:d7:47:a6:4a:9e:70:2d:ce:06: c4:a9:e5:a5:3b:b9:5f:d8:b6:9d:33:58:fc:38:ce:fb:80:0b: ad:5d:6f:56:62:ca:81:d1:27:36:5e:6f:03:7b:2b:75:29:bd: 85:d3:cd:11:a3:32:b7:72:09:d2:87:10:cd:fd:4b:bb:88:28: ce:15:3e:d2 SHA256 Fingerprint=90:20:73:E9:33:D0:BF:9B:3D:A4:9A:3A:12:0D:0A:DE:CD:F0:31:96:0F:87:57:69:47:BD:C3:15:7C:D6:2D:8E -----BEGIN CERTIFICATE----- MIIDoTCCAomgAwIBAgIGDeDy02R2MA0GCSqGSIb3DQEBCwUAMCgxEjAQBgNVBAMM CW1pdG1wcm94eTESMBAGA1UECgwJbWl0bXByb3h5MB4XDTE4MDUwODE5MTYxN1oX DTIxMDUwOTE5MTYxN1owKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAlt aXRtcHJveHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwkb72zGJf /a+eSB65xVnKNvACp+ViSFwmG3jBOnQCD6+FdAzXJF+FTM7gmy8/CoW6jzY+vEs7 PBPYj7lGOEJpnLJ+UfrMq/xXlUmJRVyiF7ls/KP2DN9QnjYocR5D0ucTCuwl4V0n pWldSHXyTEQ/ts0zottJ05dNTyxgrKBPSpYZUtlNuc5wSeYt65nGy0WMW995ChBT RKzCo2z9faMEk3NeLtLZucnyXa2gaG65QzEuKzG1jSsJBHtjHnlaC8wCFn5sfgsE 0AfWO/lt+IDkteI2c+7CaqKzrSCsQgAkYa3/7Y0955827VGhkc8TYLRAHOSCKU7V BUM2LQSyN8XLAgMBAAGjgdAwgc0wDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhC AQEEBAMCAgQweAYDVR0lBHEwbwYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcD BAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcKAwEG CisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEATAOBgNVHQ8BAf8EBAMC AQYwHQYDVR0OBBYEFBiFQUxbzT8yC74S8shumHhutuozMA0GCSqGSIb3DQEBCwUA A4IBAQCahDWMUIGuU0bNJTEkIjolo7DJvWjZfwY8iM0jDiQABlXGkQ+BqbYdPQFY VIu85jjzCx37bNhnRtQOzFz/F6Tm0JXnjMOVTIBAUVu3MmUtUCUmC0rUnTVZ8NnM HitURyQCZG3zAYUCyE59AhMwDJLIfEgqxt1kVF+OZc7GkSdh6cZRJfL09zN+SMUO ocGGg2pahLc9cygLDFqY62QfqHL9ynE85ze0/5TOFT3V9OAYdUE8+WMBbt5zcx6/ 4gLXR6ZKnnAtzgbEqeWlO7lf2LadM1j8OM77gAutXW9WYsqB0Sc2Xm8Deyt1Kb2F 080RozK3cgnShxDN/Uu7iCjOFT7S -----END CERTIFICATE----- private: False protected: False type: certificate ===================== APK Parsing
CERT Keyfinder started its life equally component of the framework used to perform my experiment to honour person keys inwards Android apps. As such, Keyfinder includes the powerfulness to parse Android application APK files.
Simple APK Example
$ python3 keyfinder.py com.shopgate.android.app21760.apk Reached a NAMESPACE_END without having the namespace stored before? Prefix ID: 24, URI ID: 25 testapks/com.shopgate.android.app21760.apk distributes its signing commutation as: res/raw/keystore.jks testapks/com.shopgate.android.app21760.apk includes private,protected key: res/raw/keystore.jks (Java KeyStore) testapks/com.shopgate.android.app21760.apk includes protected key: res/raw/shopgate_bks_neu.bks (BouncyCastle Keystore V1) test@test-virtual-machine:/mnt/v1/keyfinder$res/raw/keystore.jks contains the person commutation used to sign the Android application itself. Google indicates that managing your commutation in addition to keeping it secure are real important, both for y'all in addition to for your users, but inwards this instance the application writer has distributed it to the public!crt.sh Checking
For whatever commutation constitute yesteryear Keyfinder, the key's SHA256 signature is queried inwards the crt.sh website. This website monitors several certificate transparency sources to banking firm gibe whether a commutation or certificate has been seen inwards the wild. The commons argue for this is because an HTTPS spider web server is using a specified commutation or a certificate. CERT Keyfinder volition query crt.sh using 2 sources of information:
- The hash of a certificate that is located inwards a keystore that contains a person key
- The hash of a populace commutation that has been extracted from a person key
$ python3 keyfinder.py apks/ireland.numt.aplykey.apk apks/ireland.numt.aplykey.apk includes person key: assets/sample-keys/ca.key (pkcs5) apks/ireland.numt.aplykey.apk includes person key: assets/sample-keys/client.key (pkcs5) Enter travel yesteryear phrase for keys/ireland.numt.aplykey/assets/sample-keys/pass.key:apks/ireland.numt.aplykey.apk includes private,protected key: assets/sample-keys/pass.key (pkcs5) apks/ireland.numt.aplykey.apk includes protected key: assets/sample-keys/pkcs12.p12 (pkcs12) apks/ireland.numt.aplykey.apk includes person key: assets/sample-keys/server.key (pkcs5) apks/ireland.numt.aplykey.apk commutation assets/sample-keys/server.key is listed inwards crt.sh: https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681 $assets/sample-keys/server.key is listed inwards crt.sh as: https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681. Because this query is for a populace commutation hash, rather than a certificate itself, nosotros necessitate to click through to whatever of the seen certificates to teach details virtually what the person commutation may live used for. By clicking through to https://crt.sh/?id=35604116, nosotros tin run across that the certificate was issued yesteryear Comodo CA Limited for the domain names oxsv.meta-level.de in addition to www.oxsv.meta-level.de. Because this certificate expired inwards 2013, this number is perchance non terribly important. However, 1 mightiness wonder how the person commutation assets/sample-keys/server.key ended upward inwards a publicly-released Android application, in addition to also was used yesteryear a publicly-available server. The touching of such a commutation leak may depend on how the server inwards inquiry is existence used.Key File Usage
Keyfinder includes simply about other capability that tin care to create upward one's heed the functionality of a commutation used yesteryear an Android application. By using the
-u option, Keyfinder volition extract the APK contents using apktool in addition to and then banking firm gibe for APK contents that reference that commutation file. For example:$ python3 keyfinder.py apks/by_sha256/06/14/49/06144936809844bcb120d360ecc148679e33fd013c2bdac8bd9d7b63d71a57a4/tntapp.trinitymember.apk -u I: Using Apktool 2.3.1-dirty on tntapp.trinitymember.apk I: Loading resources table... I: Decoding AndroidManifest.xml amongst resources... I: Loading resources tabular array from file: /tmp/tntapp.trinitymember/1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Baksmaling classes.dex... I: Copying assets in addition to libs... I: Copying unknown files... I: Copying master copy files... res/raw/sm_private is referenced yesteryear extracted/tntapp.trinitymember/smali/tntapp/trinitymember/R$raw.smali res/raw/sm_private is referenced yesteryear extracted/tntapp.trinitymember/res/values/public.xml apks/by_sha256/06/14/49/06144936809844bcb120d360ecc148679e33fd013c2bdac8bd9d7b63d71a57a4/tntapp.trinitymember.apk includes person key: res/raw/sm_private (pkcs5) R$raw.smali makes reference to the sm_private commutation file. If nosotros expect at the R$raw.smali file, nosotros tin run across 1 reference to sm_private:.field populace static lastly sm_private:I = 0x7f0600010x7f060001 inwards the application's code, nosotros tin run across that it's referenced inwards smali/tntapp/trinitymember/model/RSA.smali const v18, 0x7f060001 invoke-virtual/range {v17 .. v18}, Landroid/content/res/Resources;->openRawResource(I)Ljava/io/InputStream; move-result-object v7 .line 114 .local v7, "is":Ljava/io/InputStream; new-instance v3, Ljava/io/BufferedReader; new-instance v17, Ljava/io/InputStreamReader; const-string v18, "UTF-8" move-object/from16 v0, v17 move-object/from16 v1, v18 ... populace static byte[] decryptRSA(Context arg20, String arg21) throws Exception { System.out.println(":" + arg21); byte[] v14 = Base64.decode(arg21.getBytes("UTF-8"), 0); BufferedReader v3 = novel BufferedReader(new InputStreamReader(arg20.getResources().openRawResource(0x7F060001), "UTF-8")); ArrayList v13 = novel ArrayList(); while(true) { String v12 = v3.readLine(); if(v12 == null) { break; } ((List)v13).add(v12); } ...decryptRSA, which is opening the person key, which is referenced equally resources 0x7F060001. If nosotros delineate farther into the application code, nosotros tin teach a ameliorate thought of what the person commutation is existence used for. But we'll leave of absence that equally an practise for the reader.