For this lab, you’ll need a Kali Linux VM.
XOR encryption is the simplest encryption technique. It is popular for this reason and often seen within malicious code because it is easy to implement.
- Windows Defender, for example, is a signature-based (Key Sec+ Term) technology. It looks for specific patterns of 0’s and 1’s. For example, if you try downloading Mimikatz (Key Sec+ Application: We’ll work with it later in the course), Windows Defender will recognize it as a malicious program and attempt to quarantine it, because the Mimikatz code matches a specific pattern within the Windows Defender database. A simple encryption method like XOR can transform the original series of 0’s and 1’s into a seemingly random series, bypassing signature-based checks.
- The Point: XOR is a relatively easy, reliable way to slip malicious code past signature-based technologies. It is frequently used.
XOR-encrypted text also frequently pops up in CTFs and Red-Team engagements. National Cyber League, for example, will always have XOR encryption challenges. The ability to break XOR encryption, or at least understand how to break XOR encryption, via brute force using a language like Python could be considered a baseline skill.
In this lab:
- We’ll cover the fundamentals of XOR encryption/decryption.
- We’ll create Python scripts that implement XOR encryption/decryption.
- We’ll create some helpful code allowing you to break XOR encryption when the original encryption key is unknown.
How does XOR encryption work?
Encryption: XOR is a simple bitwise operation. Data in memory or on disk is simply a series of 0s and 1s. We can produce an encrypted string by XORing it, bit by bit, against some other series of zeros and ones (e.g., a key or password).
XOR LOGIC CHART
- 1 XOR 1 = 0
- 0 XOR 0 = 0
- 1 XOR 0 = 1
- 0 XOR 1 = 1
Decryption: To retrieve the original message, you perform the XOR operation again between the encrypted data and the same secret key that was used to encrypt it. Key Concept: XOR encryption is easily reversed by applying the same secret key that was used to encrypt the original data.
XOR Process: A Simple Example.
- Step 1: Pick some plaintext to encrypt and select a Key.
- For this example, we’ll use the plaintext ‘Password’.
- For this example, we’ll use the secret key ‘ABC’.
- Step 2: Convert the plaintext to binary and the secret key to binary. (Assume ASCII)
- Step 3: Perform an XOR operation (see the chart above) between each plaintext bit and the corresponding bit of the secret key. This will produce a new series of zeros and ones.
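The three steps above and the decryption rule from the previous section, carried out in Python on the lab's own sample values ('Password' and 'ABC'). This is an added example, not the lab's own script; it assumes ASCII encoding (as Step 2 does) and that the key is repeated cyclically when it is shorter than the plaintext, the usual repeating-key XOR convention. The helper names (`to_bits`, `xor_bytes`, `xor_example`) are this example's own.

```python
# Added example (not from the original lab): XOR encryption of the lab's
# sample plaintext 'Password' with the key 'ABC', shown bit by bit.
# Assumption: the key is repeated cyclically when it is shorter than the
# plaintext, the usual convention for repeating-key XOR.
from itertools import cycle


def to_bits(data: bytes) -> str:
    """Render bytes as space-separated 8-bit binary groups (ASCII assumed)."""
    return " ".join(f"{b:08b}" for b in data)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the corresponding key byte, repeating the key.

    The same call performs encryption and decryption: XORing the output
    with the same key returns the original input.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def xor_example(plaintext: str = "Password", key: str = "ABC") -> dict:
    """Walk through the lab's three steps and return every intermediate value."""
    pt = plaintext.encode("ascii")          # Step 1/2: plaintext as ASCII bytes
    k = key.encode("ascii")                 # Step 1/2: key as ASCII bytes
    ct = xor_bytes(pt, k)                   # Step 3: bitwise XOR with repeating key
    recovered = xor_bytes(ct, k)            # Decryption: XOR again with the same key
    # Expand the key to the plaintext length so the bit rows line up visually.
    key_stream = bytes(k[i % len(k)] for i in range(len(pt)))
    return {
        "plaintext_bits": to_bits(pt),
        "key_bits": to_bits(key_stream),
        "ciphertext_bits": to_bits(ct),
        "ciphertext_hex": ct.hex(),
        "recovered": recovered.decode("ascii"),
    }


if __name__ == "__main__":
    # Print the three bit rows one above the other, then the round trip.
    for name, value in xor_example().items():
        print(f"{name:16} {value}")
```

Running the script prints the plaintext, key-stream and ciphertext bit rows aligned so you can check each column against the XOR logic chart, followed by the hex ciphertext and the recovered plaintext. Note that XORing the ciphertext with the key gives back 'Password' exactly, which is the whole reason the same function serves for both directions.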