Cryptographic Primitives

First of all I want to stress the fact that I am not a cryptographer, I wish to become one in the future though. What you will read below are my assumptions and the really quick research I have made (you may have read somewhere that in order to learn something you have to write it down…).

With that out of the way, let’s get started.

When reading a book on cryptography, you may encounter the term cryptographic primitives, but most of the time, at least in the ones that I have read there is no specific or formal definition for it.

Knowing that cryptography has a strong mathematical background, I thought that the term may have carried over from it. However, looking at the definitions outlined by Wikipedia for Primitive under the Mathematics category, you can see that there are different kinds of primitives and that they are very heterogeneous in nature.

On the other hand, if you look at the defitions of primitives under the Computing category, you will see that the following words are a common denominator: ‘the simplest…’

So cryptographic primitives are the simplest, low-level cryptographic algorithms that are used to build cryptographic protocols (I know, taken directly from Wikipedia…)

Therefore thinking of them like that actually simplifies things in the already complex world of cryptography.

And for completeness, here you have the most common cryptographic primitives:


Now go encrypt/decrypt something!

Ovaltine Decoder Ring

Ralph Decoding


Update (02/20/2018): The book A Handbook of Applied Cryptography probably has the best treatment of what cryptographic primitives are.

If you would like to make any clarifications please leave them in the comments below. 🙂


Twitter Whisperer + Panic

In my last post I showed you how to control a computer remotely by tweeting your commands in your Twitter account. In that same post I also mentioned the possibility of adding the feature of the Panic Button by redpois0n.

In this post I am including the updated Twitter Whisperer that adds that functionality (I am only using the portion of the code that we need to make it work via Twitter).

If you check the Panic Button’s code, you will be able to see that what it does is that it detaches any TrueCrypt drives before shutting the computer down. Again, this could come in very handy for any activist or someone very concerned with his/her privacy that does not have access to SSH or to a Python shell in his computer network.

So by just tweeting the word “panic” without the quotes and in small caps, the script will detach the TrueCrypt drive(s) and shut the computer down. You can definitely change the word that triggers the Panic Button, and you can even add a specific key if you want to make sure that you are the only one being able to trigger it.

It should work on any platform (Windows, OS X, Linux or BSD).

Here you have the code for the Twitter Whisperer + Panic:

from bs4 import BeautifulSoup as soupy
import urllib.request
import re
import subprocess
import sys
import os

html = urllib.request.urlopen("<Your account here>").read()
soup = soupy(html, "lxml")

x = soup.find("meta", {"name": "description"})['content']
command = re.findall('"([^"]*)"', x)

def panic():

print("Shutting down")

if "win" in sys.platform:
os.popen("shutdown /p /f")
elif "darwin" in sys.platform:
os.popen("shutdown -s now")
elif "linux" in sys.platform or "bsd" in sys.platform:

if "win" in sys.platform:
os.popen("truecrypt /d")
os.popen("truecrypt -d")

if command[0] == "panic":

If you want to try it without detaching the TrueCrypt drives, you can comment out the truecrypt lines.

So again, you just have to tweet:


Run the script (or your scheduled task picks it up) and your console prints Shutting down


Detaches the drives and shuts down.

No run and drill them the F*** out!


You can get the code here.

Twitter Whisperer



A couple of days ago I read this post on how hackers abused Twitter as C&C. It got me wondering on the possibility of controlling your computer via Twitter.

And the answer is: Yes!, you can control your computer via Twitter, without even using its API.

So imagine you don’t have access to SSH, you can send commands to your computer by just tweeting out whatever you want it to do… I know… there are so many security implications involved here. But yes, the possibilities are endless. The are a couple of caveats, the first one is that the computer that you would be controlling remotely would need to have Python installed, and the second one is that it would need to have a task scheduled to run the script,  and so if you setup a time-lapse of 1 minute between runs, that would be the time-lag that you would need to consider if you want to send a command like the Panic-Button to unmount TrueCrypt drives and shut the computer off.

As a very simple POC, I will pop up the Calculator in Windows.

This is the code for Twitter Whisperer, which can be found here:

from bs4 import BeautifulSoup as soupy
import urllib.request
import re
import subprocess

html = urllib.request.urlopen("<your account here>").read()
soup = soupy(html, "lxml")

x = soup.find("meta", {"name": "description"})['content']
command = re.findall('"([^"]*)"', x)[0])

Login to your Twitter account and simply tweet: Calc.exe


Run the script, and watch the calculator pop-up:



I know, it’s just too simple!


I have been following Jerry Gamblin’s (Twitter: @jgamblin) excellent work on dockerizing hacking tools, and decided to try my first project, I wanted to give a shot at dockerizing the infamous Metasploit Framework.

Please be aware that I am very inexperienced with Docker, therefore you may find many different errors or inconsistencies.

The first one is that I basically had to build the container interactively in order to be able to install the Metasploit Framework from Github. I really tried to do it via dockerfile but was not able to, maybe you can give it a try and share yours with me (Twitter: @enocarlos)!

You can pull the Docker image from here. I know the container can use some cleaning because it is huge (1.8Gb.).

The container includes:

Ubuntu 14.04, Metasploit, OpenBox and NoVNC.

To get it started run:

docker run -d -t -i -p 6080:6080 carloss7/msf_browser

And then direct your browser to:


Once it loads you’ll get a black screen in your browser, just right-click on it and then choose Terminal emulator:


You should get a Terminal:


And this is where you can see the other details that I was not able to correct, from there cd /opt/metasploit-framework, then source /usr/local/rvm/scripts/rvm, and then type the so-desired command: msfconsole:


And there you go:


Here is what’s included in the dockerfile:

FROM msf_browser:latest

ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update -y &amp;&amp; \
apt-get install -y \
net-tools \
openbox \
git \
x11vnc \
xvfb \
wget \
python \
python-numpy \
unzip \
geany \
iceweasel menu &amp;&amp; \

cd /root &amp;&amp; git clone &amp;&amp; \
cd noVNC/utils &amp;&amp; git clone websockify &amp;&amp; \
cd /root

RUN cd /opt/metasploit-framework
RUN bash -c 'source /usr/local/rvm/scripts/rvm'


RUN chmod 0755 / &amp;&amp; \
apt-get autoremove &amp;&amp; \
rm -rf /var/lib/apt/lists/*


Blog at

Up ↑