# Log Decryptor
The Python script `aes_base64_log_decryptor.py` will decrypt standard AES-base64 encrypted+encoded log files generated by implants and other red team tools.

The expected log file format is as follows:

- Each line is a base64-encoded IV+ciphertext blob, where the blob is the ciphertext appended to the initialization vector.
- The underlying ciphertext was encrypted using only one of the following ciphers (the same cipher and key for every line in the file):
  - AES (128- or 256-bit) in either CTR (big-endian counter) or CBC mode.
  - XOR encryption
- In other words, each line is of the format `base64(IV + encryption(IV, plaintext))` if the cipher uses an initialization vector, or `base64(encryption(plaintext))` if the cipher does not use an initialization vector.
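The following is an added example, not the project's own script, showing how a line in the format above is taken apart: base64-decode, split off the 16-byte IV for the AES modes, then decrypt with the selected cipher. It uses pycryptodome (the README's stated dependency) for AES and falls back to XOR-only if it is not installed. The CTR construction treats the whole IV as the initial big-endian counter block, and the PKCS#7 unpadding for CBC is an assumption, since the page does not state how CBC plaintext is padded. The mode names, the `encrypt_line` helper and the sample log lines are constructed here for illustration.

```python
import base64
import itertools
import os

try:
    from Crypto.Cipher import AES      # pycryptodome, as listed under Requirements
    HAVE_AES = True
except ImportError:                    # XOR mode still works without it
    HAVE_AES = False

BLOCK = 16                             # AES block size == IV size in bytes

# mode name -> (required key length or None, cipher family); names mirror the CLI flags
MODES = {
    "aes-128-cbc": (16, "cbc"), "aes-256-cbc": (32, "cbc"),
    "aes-128-ctr": (16, "ctr"), "aes-256-ctr": (32, "ctr"),
    "xor": (None, "xor"),
}


def xor_bytes(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key or mode?)")
    return data[:-n]


def _aes(key, family, iv):
    if not HAVE_AES:
        raise RuntimeError("pycryptodome is required for the AES modes")
    if family == "cbc":
        return AES.new(key, AES.MODE_CBC, iv=iv)
    # CTR: the full 16-byte IV is the initial counter block, incremented big-endian
    return AES.new(key, AES.MODE_CTR, nonce=b"", initial_value=iv)


def decrypt_line(line, key, mode):
    """Decode one log line: base64(IV + ct) for AES modes, base64(ct) for XOR."""
    key_len, family = MODES[mode]
    if key_len is not None and len(key) != key_len:
        raise ValueError(f"{mode} needs a {key_len}-byte key, got {len(key)}")
    blob = base64.b64decode(line.strip(), validate=True)
    if family == "xor":
        return xor_bytes(blob, key)
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    if len(iv) != BLOCK or (family == "cbc" and len(ct) % BLOCK):
        raise ValueError("blob too short or CBC ciphertext not block-aligned")
    pt = _aes(key, family, iv).decrypt(ct)
    # Assumption: CBC plaintext is PKCS#7 padded; CTR is a stream mode and needs no padding
    return pkcs7_unpad(pt) if family == "cbc" else pt


def encrypt_line(plaintext, key, mode, iv=None):
    """Produce a line in the same format (used here only to construct sample data)."""
    _, family = MODES[mode]
    if family == "xor":
        return base64.b64encode(xor_bytes(plaintext, key)).decode()
    iv = iv if iv is not None else os.urandom(BLOCK)
    data = pkcs7_pad(plaintext) if family == "cbc" else plaintext
    return base64.b64encode(iv + _aes(key, family, iv).encrypt(data)).decode()


def decrypt_log(lines, key, mode):
    """Decrypt every line; a malformed line is reported, not fatal, so one bad
    record does not hide the rest of the log. Returns (line_no, plaintext, error)."""
    results = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            results.append((n, decrypt_line(line, key, mode), None))
        except (ValueError, KeyError) as e:
            results.append((n, None, str(e)))
    return results


def aes_roundtrip_ok():
    """Round-trip all four AES modes; vacuously True when pycryptodome is absent."""
    if not HAVE_AES:
        return True
    for mode, (key_len, _) in MODES.items():
        if key_len is None:
            continue
        key = bytes(range(key_len))
        for pt in (b"", b"short", b"exactly sixteen!", b"x" * 33):
            if decrypt_line(encrypt_line(pt, key, mode), key, mode) != pt:
                return False
    return True


if __name__ == "__main__":
    mode = "aes-256-ctr" if HAVE_AES else "xor"
    key = bytes.fromhex("00" * 32)     # same all-zero key as the README example (-k takes hex)
    sample = [encrypt_line(b"[+] beacon 1 checked in", key, mode),   # constructed log lines
              encrypt_line(b"[+] ran whoami", key, mode),
              "not!base64"]                                          # deliberately malformed
    for n, pt, err in decrypt_log(sample, key, mode):
        print(n, pt.decode() if pt is not None else f"ERROR: {err}")
```

Because `decrypt_line` validates the key length against the mode and rejects non-base64 input before touching the cipher, a wrong flag or a truncated key fails on the first line with a clear error instead of producing garbage output for the whole file.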
# Usage

```
python3 aes_base64_log_decryptor.py -i /path/to/encrypted/log -o /path/to/output/file -k [KEY IN HEX]
    [--aes-256-cbc|--aes-128-cbc|--aes-256-ctr|--aes-128-ctr|--xor]
    [-l|--log DEBUG|INFO|WARNING|ERROR|CRITICAL]
```

Note that you must select exactly one of the following decryption modes:

- `--aes-256-cbc` for 256-bit AES CBC
- `--aes-128-cbc` for 128-bit AES CBC
- `--aes-256-ctr` for 256-bit AES CTR
- `--aes-128-ctr` for 128-bit AES CTR
- `--xor` for XOR encryption

The key given with `-k` is hex-encoded and must match the selected mode: 32 hex characters (16 bytes) for the AES-128 modes and 64 hex characters (32 bytes) for the AES-256 modes.

Example:

```
python3 aes_base64_log_decryptor.py -i /tmp/encrypted.log -o decrypted.log -k 0000000000000000000000000000000000000000000000000000000000000000 --aes-256-ctr
```
# Requirements

Python v3.9+, pycryptodome:

```
pip install pycryptodome
```
# Testing

A unit test Python script `test_aes_base64_log_decryptor.py` is provided. Be sure to update this script with additional unit tests if extending the log decryptor script to support more decryption modes.

To run the unit test script:

```
python3 test_aes_base64_log_decryptor.py [-l|--log DEBUG|INFO|WARNING|ERROR|CRITICAL]
```
Example output:

```
$ python3 test_aes_base64_log_decryptor.py
INFO:root:Performing test suite: aes-128-cbc
INFO:root:aes-128-cbc PASSED
INFO:root:Performing test suite: aes-256-cbc
INFO:root:aes-256-cbc PASSED
INFO:root:Performing test suite: aes-128-ctr
INFO:root:aes-128-ctr PASSED
INFO:root:Performing test suite: aes-256-ctr
INFO:root:aes-256-ctr PASSED
INFO:root:Performing test suite: xor
INFO:root:xor PASSED
INFO:root:Performing test suite: aes-128-ctr
INFO:root:aes-128-ctr PASSED
INFO:root:Performing test suite: aes-128-cbc
INFO:root:aes-128-cbc PASSED
INFO:root:7 TOTAL TESTS: 7 PASSED, 0 FAILED, 0 EXCEPTIONS
```