OpenSSL Conversion, Display and Encryption Commands for Pentesters
Every time I pull out OpenSSL to perform a particular task I end up having to refer to Google or random text files on my hard drive to remind myself of the correct syntax. Consequently, I'm doing a writeup here of all of the OpenSSL commands that I make use of in various penetration tests and CTF challenges that involve encryption, mainly as a personal reference, but also in case anyone else finds this useful. The following commands are sorted by category, and may be added to in the future if I find more commands that are useful.
Asymmetric keyfile conversion
Conversion of asymmetric keys and certificates between various different storage formats. The x509 subcommand used here handles certificates; the rsa and pkey subcommands accept the same -inform and -outform switches for private and public keys.
DER to PEM
Convert a DER-encoded certificate to PEM format.
openssl x509 -inform der -outform pem -in certificate.crt -out certificate.pem
PEM to DER
Convert a PEM-encoded certificate to DER format.
openssl x509 -inform pem -outform der -in certificate.pem -out certificate.crt
PEM Key and Certificate to PKCS12
Convert a private key and its certificate into a single PKCS#12 file. OpenSSL prompts for an export password unless one is supplied with -passout.
openssl pkcs12 -export -out keys.p12 -inkey private.pem -in certificate.pem
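The three conversions above, run end to end as an added example (this script is not from the original post): a throwaway self-signed certificate is generated, taken from PEM to DER and back with the fingerprint compared at each step, then packed into PKCS#12 together with its key and unpacked again. The subject name, the export passphrase and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: PEM <-> DER round trip and
# PKCS#12 pack/unpack. Subject, passphrase and file names are made up.
set -eu

# Throwaway key pair and self-signed certificate so the script runs offline.
# -nodes leaves the key unencrypted, -subj avoids the interactive prompts.
gen_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=convert.example" \
    -keyout "$dir/private.pem" -out "$dir/certificate.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate in the given encoding ($2 = pem|der).
fingerprint() {
  openssl x509 -inform "$2" -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# PEM -> DER -> PEM. Prints "ok" when the DER copy has the same fingerprint
# as the original, i.e. the conversion changed only the container.
pem_der_roundtrip() {
  dir=$1
  openssl x509 -inform pem -outform der -in "$dir/certificate.pem" -out "$dir/certificate.crt"
  openssl x509 -inform der -outform pem -in "$dir/certificate.crt" -out "$dir/certificate2.pem"
  if [ "$(fingerprint "$dir/certificate.pem" pem)" = "$(fingerprint "$dir/certificate.crt" der)" ] &&
     [ "$(fingerprint "$dir/certificate2.pem" pem)" = "$(fingerprint "$dir/certificate.crt" der)" ]; then
    echo ok
  else
    echo changed
  fi
}

# Pack key + certificate into PKCS#12, unpack key and certificate separately
# (-nocerts / -nokeys), and confirm the unpacked key still matches the
# certificate by comparing the RSA modulus. -nodes writes the key unencrypted.
pkcs12_roundtrip() {
  dir=$1
  openssl pkcs12 -export -out "$dir/keys.p12" -inkey "$dir/private.pem" \
    -in "$dir/certificate.pem" -passout pass:exportpass
  openssl pkcs12 -in "$dir/keys.p12" -passin pass:exportpass -nocerts -nodes \
    -out "$dir/unpacked-key.pem" 2>/dev/null
  openssl pkcs12 -in "$dir/keys.p12" -passin pass:exportpass -clcerts -nokeys \
    -out "$dir/unpacked-cert.pem" 2>/dev/null
  m1=$(openssl rsa -in "$dir/unpacked-key.pem" -modulus -noout 2>/dev/null)
  m2=$(openssl x509 -in "$dir/unpacked-cert.pem" -modulus -noout)
  if [ -n "$m1" ] && [ "$m1" = "$m2" ]; then echo ok; else echo mismatch; fi
}

dir=$(mktemp -d)
gen_material "$dir"
echo "PEM/DER round trip: $(pem_der_roundtrip "$dir")"
echo "PKCS#12 round trip: $(pkcs12_roundtrip "$dir")"
rm -rf "$dir"
```

The fingerprint comparison is the check worth keeping: if a DER file you were handed does not fingerprint identically to its PEM counterpart, something other than a re-encoding happened to it.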
Displaying data from asymmetric keyfiles
Displaying of informational data from various forms of asymmetric key files.
PKCS12 Files
Dump the certificates and private key from a PKCS#12 file as PEM. The -nodes switch means "no DES": the private key is written out unencrypted rather than being re-wrapped with a passphrase (OpenSSL 3.0 names the same option -noenc and still accepts -nodes).
openssl pkcs12 -in keys.p12 -nodes
Public Keys
Display a variety of data from a public key.
openssl rsa -inform pem -pubin -text -noout -in publickey.pem
Display the modulus from a public key.
openssl rsa -inform pem -pubin -modulus -noout -in publickey.pem
Private Keys
Display a variety of data from a private key.
openssl rsa -inform pem -text -noout -in privatekey.pem
Display the modulus from a private key.
openssl rsa -inform pem -modulus -noout -in privatekey.pem
Certificates
Display a variety of data from a certificate.
openssl x509 -inform pem -text -noout -in certificate.pem
Display the modulus from a certificate.
openssl x509 -inform pem -modulus -noout -in certificate.pem
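The -modulus output from the three commands above is mostly useful for one thing: checking whether a private key, a public key and a certificate actually belong together, which comes up constantly when a box has a pile of .pem and .key files lying around. The following is an added example and not code from the original post; it generates its own test material (made-up subject and file names) and compares hashed moduli.

```shell
#!/bin/sh
# Added example, not from the original post: match keys and certificates by
# comparing the RSA modulus printed by "openssl rsa/x509 -modulus".
# Subject and file names are made up for the demo.
set -eu

# Throwaway material: one key pair with its certificate, plus an unrelated key.
gen_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=modulus.example" \
    -keyout "$dir/privatekey.pem" -out "$dir/certificate.pem" 2>/dev/null
  openssl rsa -in "$dir/privatekey.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null
  openssl genrsa -out "$dir/otherkey.pem" 2048 2>/dev/null
}

# Print the modulus of a PEM object, hashed so the comparison is short.
# $1 is the file, $2 selects the reader: key (private), pub (public) or cert.
modulus_of() {
  case $2 in
    key)  openssl rsa  -inform pem -modulus -noout -in "$1" ;;
    pub)  openssl rsa  -inform pem -pubin -modulus -noout -in "$1" ;;
    cert) openssl x509 -inform pem -modulus -noout -in "$1" ;;
    *)    echo "unknown kind: $2" >&2; return 1 ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# "match" when the two objects share a modulus, "mismatch" otherwise.
compare() {
  a=$(modulus_of "$1" "$2")
  b=$(modulus_of "$3" "$4")
  if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

dir=$(mktemp -d)
gen_material "$dir"
echo "private key vs certificate: $(compare "$dir/privatekey.pem" key "$dir/certificate.pem" cert)"
echo "public key vs certificate:  $(compare "$dir/publickey.pem" pub "$dir/certificate.pem" cert)"
echo "other key vs certificate:   $(compare "$dir/otherkey.pem" key "$dir/certificate.pem" cert)"
rm -rf "$dir"
```

Hashing the modulus is purely cosmetic (a 2048-bit modulus is 512 hex digits); the comparison is the same either way.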
Different Key Formats for Private/Public Keys and Certificates
The Public/Private/Certificate commands immediately above all make use of the pem format in the file that they read. This can be changed to 'der' to use an alternate format. Older versions also accepted 'net' (the Netscape key format), but that was removed in OpenSSL 1.1.0.
Encryption and decryption using asymmetric cryptography
Encryption and decryption of data using asymmetric cryptography. The rsautl subcommand is deprecated in OpenSSL 3.0 in favour of pkeyutl, but it is still shipped and the commands below continue to work (with a deprecation warning on stderr).
Decryption
Decryption using a private key.
openssl rsautl -decrypt -in encryptedfile -out decryptedfile -inkey ./privatekey.pem
Encryption
Encryption using a public key.
openssl rsautl -encrypt -pubin -in plaintextfile -out encryptedfile -inkey ./publickey.pem
Encryption using a certificate.
openssl rsautl -encrypt -certin -in plaintextfile -out encryptedfile -inkey ./certificate.pem
Padding Modifiers
These examples all assume the default padding, PKCS#1 v1.5. The following options can be used to try different types of padding, or none at all.
-pkcs, -oaep, -ssl, -raw
The padding must match on both sides or decryption fails. -raw is textbook RSA with no padding at all (the input must be exactly the modulus length), so it is deterministic and reveals when two plaintexts are equal; -ssl is the obsolete SSLv2-compatible variant of PKCS#1 v1.5. For anything that actually needs to stay secret use -oaep. PKCS#1 v1.5 decryption is the classic target of Bleichenbacher-style padding oracle attacks, which is exactly why it is still worth looking for on an engagement.
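The encrypt/decrypt pair and the padding switches above, exercised together as an added example (not code from the original post): one function round-trips a message through a certificate and its private key under -pkcs and -oaep, and a second encrypts the same input twice to show that -raw is deterministic while the padded modes are randomised. The key, subject and file names are made up; -raw input is left-padded with zero bytes to the 256-byte modulus length.

```shell
#!/bin/sh
# Added example, not from the original post: rsautl encrypt/decrypt under
# the paddings listed above. Key material and file names are made up.
set -eu

# Throwaway 2048-bit key, self-signed certificate and extracted public key.
gen_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsautl.example" \
    -keyout "$dir/privatekey.pem" -out "$dir/certificate.pem" 2>/dev/null
  openssl rsa -in "$dir/privatekey.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null
}

# Encrypt to the certificate (-certin) with padding $2, decrypt with the
# private key using the same padding, print "ok" if the plaintext survives.
roundtrip() {
  dir=$1; pad=$2
  printf 'attack at dawn' > "$dir/plaintextfile"
  openssl rsautl -encrypt -certin "$pad" -in "$dir/plaintextfile" \
    -out "$dir/encryptedfile" -inkey "$dir/certificate.pem" 2>/dev/null
  openssl rsautl -decrypt "$pad" -in "$dir/encryptedfile" \
    -out "$dir/decryptedfile" -inkey "$dir/privatekey.pem" 2>/dev/null
  cmp -s "$dir/plaintextfile" "$dir/decryptedfile" && echo ok || echo fail
}

# Encrypt the same input twice with the public key and report whether the
# two ciphertexts differ. -raw needs exactly modulus-length input (256 bytes
# for RSA-2048), so the message is left-padded with 242 zero bytes.
ciphertext_varies() {
  dir=$1; pad=$2
  if [ "$pad" = "-raw" ]; then
    { dd if=/dev/zero bs=1 count=242 2>/dev/null; printf 'attack at dawn'; } > "$dir/input"
  else
    printf 'attack at dawn' > "$dir/input"
  fi
  openssl rsautl -encrypt -pubin "$pad" -in "$dir/input" -out "$dir/c1" \
    -inkey "$dir/publickey.pem" 2>/dev/null
  openssl rsautl -encrypt -pubin "$pad" -in "$dir/input" -out "$dir/c2" \
    -inkey "$dir/publickey.pem" 2>/dev/null
  if cmp -s "$dir/c1" "$dir/c2"; then echo deterministic; else echo randomised; fi
}

dir=$(mktemp -d)
gen_material "$dir"
echo "pkcs round trip: $(roundtrip "$dir" -pkcs), oaep round trip: $(roundtrip "$dir" -oaep)"
echo "raw: $(ciphertext_varies "$dir" -raw), pkcs: $(ciphertext_varies "$dir" -pkcs), oaep: $(ciphertext_varies "$dir" -oaep)"
rm -rf "$dir"
```

The deterministic -raw result is the thing to remember in CTFs: with no padding, identical plaintexts give identical ciphertexts, and small plaintexts under a small public exponent can be recovered without the private key at all.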
Encryption and decryption using symmetric cryptography
Encryption and decryption of data using symmetric cryptography.
Encryption
Encrypt a file using AES-256 in CBC mode with a passphrase read from a file. Note that -pass file: supplies a passphrase (the first line of the file) from which the key and IV are derived, not a raw key; a raw hex key and IV are given with -K and -iv instead. The default derivation is a single hash iteration over passphrase and salt (MD5 before OpenSSL 1.1.0, SHA-256 since), which is cheap to brute-force, so add -pbkdf2 on both sides wherever the other end supports it. The digest change also means a file encrypted by an old version may need -md md5 to decrypt on a new one.
openssl enc -aes-256-cbc -in ./plaintext.txt -out ./encrypted.bin -pass file:./passwordfile.bin
Decryption
Decrypt a file using AES-256 in CBC mode with the same passphrase file.
openssl enc -d -aes-256-cbc -in ./encrypted.bin -out ./plaintext.txt -pass file:./passwordfile.bin
Encryption modifiers and alternate algorithms
The following switches can be used to modify the way the encryption process occurs.
-salt adds a random 8-byte salt to the file behind a "Salted__" header; it is the default in current versions, and -nosalt turns it off, which makes the same passphrase and plaintext produce the same ciphertext every time
-base64 (or -a) base64 encodes/decodes depending on encryption mode
-pbkdf2 (OpenSSL 1.1.1 and later) derives the key with PBKDF2 instead of the legacy single-iteration derivation, and -iter sets the iteration count
There are also a wide variety of other encryption algorithms and cipher modes that can be used, which can be listed by the following (on OpenSSL 1.1.0 and later the -list option prints just the cipher names).
openssl enc -h
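The symmetric encrypt/decrypt pair and the modifiers above, exercised as an added example (not code from the original post): a round trip with -pbkdf2, a check for the "Salted__" header, a wrong-passphrase attempt, the -salt versus -nosalt determinism difference, and the raw-key mode with -K/-iv for the case where what you actually have is key bytes rather than a passphrase. The plaintext, passphrase and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: openssl enc behaviour with
# passphrases, salts, PBKDF2 and raw keys. Plaintext, passphrase and file
# names are constructed for the demo.
set -eu

# Constructed plaintext and passphrase file (first line is the passphrase).
prepare() {
  dir=$1
  printf 'the quick brown fox jumps over the lazy dog\n' > "$dir/plaintext.txt"
  printf 'correct horse battery staple\n' > "$dir/passwordfile.bin"
}

# Encrypt and decrypt with PBKDF2; "ok" if the plaintext comes back intact.
roundtrip() {
  dir=$1
  openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "$dir/plaintext.txt" \
    -out "$dir/encrypted.bin" -pass "file:$dir/passwordfile.bin"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in "$dir/encrypted.bin" \
    -out "$dir/decrypted.txt" -pass "file:$dir/passwordfile.bin"
  cmp -s "$dir/plaintext.txt" "$dir/decrypted.txt" && echo ok || echo fail
}

# "yes" if the file starts with the 8-byte "Salted__" magic openssl enc writes
# when a salt is in use; the salt itself is the next 8 bytes.
salt_header() {
  h=$(dd if="$1" bs=8 count=1 2>/dev/null)
  if [ "$h" = "Salted__" ]; then echo yes; else echo no; fi
}

# Decrypt with the wrong passphrase. Usually the CBC padding check fails and
# openssl exits non-zero; on the rare run where padding happens to validate
# the output is still garbage, so "decrypted" only if the plaintext matches.
wrong_password() {
  dir=$1
  if openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in "$dir/encrypted.bin" \
       -out "$dir/wrong.txt" -pass pass:wrongpassword 2>/dev/null &&
     cmp -s "$dir/plaintext.txt" "$dir/wrong.txt"; then
    echo decrypted
  else
    echo rejected
  fi
}

# Encrypt the same input twice with any extra flags in $2.. and report whether
# the ciphertexts differ. With the default salt they always differ; with
# -nosalt the same passphrase and plaintext give byte-identical output.
salt_effect() {
  dir=$1; shift
  openssl enc -aes-256-cbc -pbkdf2 "$@" -in "$dir/plaintext.txt" -out "$dir/c1.bin" \
    -pass "file:$dir/passwordfile.bin" 2>/dev/null
  openssl enc -aes-256-cbc -pbkdf2 "$@" -in "$dir/plaintext.txt" -out "$dir/c2.bin" \
    -pass "file:$dir/passwordfile.bin" 2>/dev/null
  if cmp -s "$dir/c1.bin" "$dir/c2.bin"; then echo identical; else echo different; fi
}

# Raw key/IV mode: no passphrase, no KDF, no "Salted__" header. This is what
# you use when a challenge hands you 32 key bytes instead of a password.
raw_key_roundtrip() {
  dir=$1
  key=$(openssl rand -hex 32)
  iv=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$dir/plaintext.txt" -out "$dir/raw.bin"
  openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$dir/raw.bin" -out "$dir/raw.txt"
  if cmp -s "$dir/plaintext.txt" "$dir/raw.txt" && [ "$(salt_header "$dir/raw.bin")" = "no" ]; then
    echo ok
  else
    echo fail
  fi
}

dir=$(mktemp -d)
prepare "$dir"
echo "pbkdf2 round trip: $(roundtrip "$dir"), salted header: $(salt_header "$dir/encrypted.bin")"
echo "wrong passphrase: $(wrong_password "$dir")"
echo "default salt: $(salt_effect "$dir"), -nosalt: $(salt_effect "$dir" -nosalt)"
echo "raw key round trip: $(raw_key_roundtrip "$dir")"
rm -rf "$dir"
```

The "Salted__" header is worth recognising on sight: any blob that begins with it was produced by openssl enc (or something imitating it), the next 8 bytes are the salt, and without -pbkdf2 the key derivation is fast enough that a wordlist attack on the passphrase is usually the first thing to try.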