Cirrus is an easy-to-use Python script that launches RSA common factor attacks on live hosts. If a pair of hosts is found to share a common factor in their moduli, two SSL private keys are created in the current directory in PEM format. These keys can be converted to working SSL certificates using OpenSSL:

    openssl req -key hacked.pem -new -x509 -days 365 -out certificate.crt -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'

Ideal targets for Cirrus include:
- Subnets belonging to cloud hosting providers who clone the same VM over and over again.
- Subnets of virtual servers in general.
- IoT devices.
There is a nonzero probability that at least two targets in a large group of hosts falling into any of the above categories share a common RSA key factor.
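
The same property can be checked defensively across the public keys of hosts you operate. The following is an added example, not part of Cirrus: the function name, host labels and toy moduli are constructed for illustration, and real input would be the RSA moduli from your own certificate inventory.

```python
from math import gcd, prod

# Constructed toy moduli (products of small primes) standing in for real
# RSA moduli; labels are hypothetical hosts from your own inventory.
SAMPLE = {
    "web-1": 101 * 103,
    "web-2": 101 * 107,   # shares the prime 101 with web-1
    "db-1": 109 * 113,
    "db-2": 109 * 113,    # identical modulus: cloned key pair
    "mail-1": 127 * 131,
}

def audit_moduli(moduli):
    """Classify each modulus as 'ok', 'duplicate-key' or 'shared-prime'.

    moduli: dict mapping a host label to its RSA modulus n (int).
    """
    # Identical moduli mean the whole key pair was copied (for example a VM
    # image cloned with its key); group them before the GCD pass so that a
    # modulus is never compared against itself.
    by_modulus = {}
    for label, n in moduli.items():
        by_modulus.setdefault(n, []).append(label)

    distinct = list(by_modulus)
    product = prod(distinct)
    result = {}
    for n in distinct:
        # gcd(n, product of all other distinct moduli) > 1 exactly when n
        # has a prime in common with at least one of them.
        shared = gcd(n, product // n) > 1
        for label in by_modulus[n]:
            if shared:
                result[label] = "shared-prime"
            elif len(by_modulus[n]) > 1:
                result[label] = "duplicate-key"
            else:
                result[label] = "ok"
    return result

if __name__ == "__main__":
    for host, status in sorted(audit_moduli(SAMPLE).items()):
        print(host, status)
```

Any host reported as `shared-prime` or `duplicate-key` needs a freshly generated key pair and a reissued certificate.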
Targets are specified to Cirrus by either providing an IP range or by providing a list of hosts to scan.

    usage: Cirrus.py [-h] [-t THREADS] [-ip [IPRANGE [IPRANGE ...]]] [-l LISTNAME]
                     [-lk LOADLIST] [-sk SAVELIST] [-c] [-to TIMEOUT]

    optional arguments:
      -h, --help            show this help message and exit
      -t THREADS            number of threads to scan with
      -ip [IPRANGE [IPRANGE ...]]
                            IP range to scan, specify with [from] [to]
      -l LISTNAME           list of hosts to scan
      -lk LOADLIST          load list of saved keys from file
      -sk SAVELIST          save list of saved keys to file
      -c                    crack loaded RSA keys
      -to TIMEOUT           timeout in seconds before terminating connections

    python Cirrus.py -c -to 2 -ip 192.168.1.1 192.168.1.250 -t 10
    python Cirrus.py -l targets.txt -c

To run Cirrus you must have the ‘gmpy’, ‘pyasn1’, and ‘pyopenssl’ pip packages installed. Additionally, a development installation of GMP is required. On Ubuntu the package name for this is ‘libgmp3-dev’. Running the integration tests requires OpenSSL.
If you are interested in launching common factor attacks against absurdly large swaths of the Internet, check out the EFF SSL Observatory.