Some thoughts and tools from an IT Security enthusiast.

Yet another web site regarding IT security from an IT security enthusiast.

I created this web site to share my thoughts, my work and my tools with you.

Your comments and questions are more than welcome.






How “Encrypted and Authenticated” Payload is Constructed

In the past I had published a few blog posts regarding IKEv2, which can be found here, here and here.


A quick refresh of the IKEv2 establishment can be summarised in the following figure: 




For a brief explanation of the used notation, please check my previous blogpost.


Of a special interest for the IKEv2 Establishment is the Encrypted Payload (also known as Encrypted and Authenticated Payload). This payload looks like this when captured by Wireshark


So, in one of my previous blog posts I had a question how this payload is constructed. It is a very good one, because although explained in RFC 7296, it is not that easy to figure this out (I had also several thorough looks to understand it). So. here you go.


In a nutshell, the Encrypted payload is constructed as follows:

where SK header is the header of the Encrypted payload, IV is the Initialisation Vector, int. hash is the integrity hash. 


A snippet Python code would be as follows: 


def encrypt_plain_text(plain,block_size,sk_ei,iv,hash_size):

    padlen = block_size - (len(plain) % block_size) - 1

    plain += b'\x00' * padlen + bytes([padlen])

    ciphertext=crypto.encrypt(sk_ei, bytes(iv), plain)

    encrypted = iv + ciphertext

    encrypted = encrypted + b'\x00' *hash_size

    return encrypted


The key sk_ei is calculated as described here


I hope this clarifies a few things. 


I am planning to release a white paper on the IKEv2 attack surface soon, accompanied by the release of an open source tool to perform the described on the paper tests. 


So, stay tuned ;-) 






A simple - yet effective - CVE Manager

Part of my everyday work is related with the management of vulnerabilities. Thankfully there are many online sources that provide tons of information. 

However, I needed to process them, and assess the ones applicable to our environment, in a place with literally no Internet connection. Getting our info (ie vulns affecting us) to an Internet facing station to check them was not an option. So, I had somehow to download a full CVE database and get it to the place I needed to process them. 


While there are many nice tools suitable for vulnerability assessment in general (commercial as well as open-source), I didn't find something simple yet effective that could fulfill my aforementioned need. So, I decided to write my own python script. 


Specifically, my goal was: 

a. To be able to download from a public reliable source all the known CVEs (NIST NVD was chosen as a source of information - if you have another suggestion, please let me know). 

b. Parse them and extract as a CSV file. 

c. Import them in a database (postgesql is my favourite for a long time now). 


And then, cve_manager was born. 

It is pretty simple. It only requires Python 3 ("psycopg2" and "requests" python libraries).

Then using -d switch it automatically downloads all the CVEs from NIST NVD. 

Using -p -csv it parses them (after having been downloaded) and saves them as CSV files. 


For more info (e.g. how to import them in a database, or even to perform some simple queries) can be found at  its readme. The tool even allows to automatically create the database schema, truncate it, drop it, etc. 


Of course, after importing all this data in a database, you can literally do whatever you want: create complex queries, correlate them with the CVEs that you know are applicable to your environment, etc.


You can get this simple cve_manager from here


Enjoy :-)