killchain-compendium/Cryptography/OpenSSL-Cheatsheet.md

# OpenSSL Cheatsheet

## Read X.509 Certificate

A certificate can be read via

```sh
openssl x509 -in $CERT -text
```

## Generate CSR

A Certificate Signing Request needs a private alongside the request for a cert.
This is done in the following way

```sh
openssl req -new -nodes -newkey rsa:4096 -keyout $PRIVATE_KEY -out $CERT_CSR
```

## Create an X.509 Certificate

Create a X.509 certificate via

```sh
openssl x509 -newkey -nodes rsa:4096 -keyout $PRIVATE_KEY -out $CERT -sha256 -days 365
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
```

## Extract Keys from PFX Cert

Key and cert form PFX

```sh
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
```

## Extract & Repack PFX Cert

Extract & Repack with another password, e.g. from `mimikatz` to `cqure`

```sh
openssl pkcs12 -in *.pfx -out temp.pem -nodes
openssl pkcs12 -export -out *.pfx -in temp.pem
```

## RSA

### Read Parameters of a RSA Key

Show parameters of the private key

```sh
openssl rsa -in $PRIVATE_KEY -text -noout
```

### Create RSA Key

Generate an OpenSSL RSA key via

```sh
openssl genrsa -out $PRIVATE_KEY 4096
```

Generate an OpenSSl RSA public key from a private key

```sh
openssl rsa -in $PRIVATE_KEY -pubout -out public-key.pem
```

### Encrypt RSA

Encrypt RSA current and deprecated

```sh
openssl pkeyutl -encrypt -in $CLEAR_TEXT -out $CLEAR_TEXT -pubin -inkey $PUBLIC_KEY
openssl rsautl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY
```

### Decrypt RSA

Decrypt a RSA cipher with the private key

```sh
openssl pkeyutl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
```

Deprecated version of RSA decryption is the following

```sh
openssl rsautl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY
```

## Diffie-Hellman

### Read Parameters of a DH Keys

Output of a DH key is done the following way

```sh
openssl dhparam -in $PRIVATE_KEY  -text -noout
```

### Create DH Key

A Diffie-Hellman key can be created via

```sh
openssl dhparam -out $PRIVATE_KEY 4096
```

## AES

### Encrypt AES

Encrypt AES

```sh
openssl aes-256-cbc -e -in $PLAIN_TEXT -out $CIPHER
```

### Decrypt AES

Decrypt AES

```sh
openssl aes-256-cbc -d -in $CIPHER -out $PLAIN_TEXT
```

## PBKDF2

### Encrypt PBKDF2

Encrypt file via PBKDF2 with 128000 iterations

```sh
openssl aes-256-cbc -pbkdf2 -iter 128000 -e -in $PLAIN_TEXT -out $CIPHER
```

### Decrypt PBKDF2

Decrypt file via PBKDF2 with an iteration of 128000

```sh
openssl aes-256-cbc -pbkdf2 -iter 128000 -d -in $CIPHER -out $PLAIN_TEXT
```

## ECPoint (EC)

* RFC5480

### Read PEM Public Key

```sh
openssl ec -pubin -in publickey.pem -noout -text
```
further restructuring 2022-11-12 23:18:06 +01:00			`# OpenSSL Cheatsheet`

bump 2023-02-09 21:31:25 +01:00			`## Read X.509 Certificate`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`A certificate can be read via`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl x509 -in $CERT -text`
			```

			`## Generate CSR`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`A Certificate Signing Request needs a private alongside the request for a cert.`
bump 2023-02-09 21:31:25 +01:00			`This is done in the following way`
reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00
bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl req -new -nodes -newkey rsa:4096 -keyout $PRIVATE_KEY -out $CERT_CSR`
			```

			`## Create an X.509 Certificate`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Create a X.509 certificate via`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl x509 -newkey -nodes rsa:4096 -keyout $PRIVATE_KEY -out $CERT -sha256 -days 365`
			`openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes`
			```

			`## Extract Keys from PFX Cert`
further restructuring 2022-11-12 23:18:06 +01:00
reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Key and cert form PFX`

further restructuring 2022-11-12 23:18:06 +01:00			```sh
			`openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes`
			`openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys`
			```

			`## Extract & Repack PFX Cert`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			Extract & Repack with another password, e.g. from `mimikatz` to `cqure`

further restructuring 2022-11-12 23:18:06 +01:00			```sh
			`openssl pkcs12 -in *.pfx -out temp.pem -nodes`
			`openssl pkcs12 -export -out *.pfx -in temp.pem`
			```

bump 2023-02-09 21:31:25 +01:00			`## RSA`
further restructuring 2022-11-12 23:18:06 +01:00
bump 2023-02-09 21:31:25 +01:00			`### Read Parameters of a RSA Key`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Show parameters of the private key`

further restructuring 2022-11-12 23:18:06 +01:00			```sh
bump 2023-02-09 21:31:25 +01:00			`openssl rsa -in $PRIVATE_KEY -text -noout`
			```

			`### Create RSA Key`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Generate an OpenSSL RSA key via`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl genrsa -out $PRIVATE_KEY 4096`
			```

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Generate an OpenSSl RSA public key from a private key`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl rsa -in $PRIVATE_KEY -pubout -out public-key.pem`
			```

			`### Encrypt RSA`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Encrypt RSA current and deprecated`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl pkeyutl -encrypt -in $CLEAR_TEXT -out $CLEAR_TEXT -pubin -inkey $PUBLIC_KEY`
			`openssl rsautl -encrypt -in $CLEAR_TEXT -out $ENCRYPTED -pubin -inkey $PUBLIC_KEY`
further restructuring 2022-11-12 23:18:06 +01:00			```
added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00
			`### Decrypt RSA`

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Decrypt a RSA cipher with the private key`

added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00			```sh
bump 2023-02-09 21:31:25 +01:00			`openssl pkeyutl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY`
added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00			```

reconstruct a private key from a public key 2024-02-18 21:09:29 +01:00			`Deprecated version of RSA decryption is the following`

added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00			```sh
bump 2023-02-09 21:31:25 +01:00			`openssl rsautl -decrypt -in $CIPHER -out $PLAIN_TEXT -inkey $PRIVATE_KEY`
added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00			```

bump 2023-02-09 21:31:25 +01:00			`## Diffie-Hellman`
added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00
bump 2023-02-09 21:31:25 +01:00			`### Read Parameters of a DH Keys`

cleanup 2024-02-18 21:23:15 +01:00			`Output of a DH key is done the following way`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl dhparam -in $PRIVATE_KEY -text -noout`
			```

			`### Create DH Key`

cleanup 2024-02-18 21:23:15 +01:00			`A Diffie-Hellman key can be created via`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl dhparam -out $PRIVATE_KEY 4096`
			```

			`## AES`

			`### Encrypt AES`

cleanup 2024-02-18 21:23:15 +01:00			`Encrypt AES`
bump 2023-02-09 21:31:25 +01:00
			```sh
			`openssl aes-256-cbc -e -in $PLAIN_TEXT -out $CIPHER`
			```

			`### Decrypt AES`

cleanup 2024-02-18 21:23:15 +01:00			`Decrypt AES`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl aes-256-cbc -d -in $CIPHER -out $PLAIN_TEXT`
			```

			`## PBKDF2`

			`### Encrypt PBKDF2`

cleanup 2024-02-18 21:23:15 +01:00			`Encrypt file via PBKDF2 with 128000 iterations`

bump 2023-02-09 21:31:25 +01:00			```sh
			`openssl aes-256-cbc -pbkdf2 -iter 128000 -e -in $PLAIN_TEXT -out $CIPHER`
			```

			`### Decrypt PBKDF2`

cleanup 2024-02-18 21:23:15 +01:00			`Decrypt file via PBKDF2 with an iteration of 128000`

added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00			```sh
bump 2023-02-09 21:31:25 +01:00			`openssl aes-256-cbc -pbkdf2 -iter 128000 -d -in $CIPHER -out $PLAIN_TEXT`
added cheat sheet to windows forensics 2023-01-02 20:28:19 +01:00			```
added addslashes bypass 2023-02-16 23:15:47 +01:00
			`## ECPoint (EC)`

			`* RFC5480`

			`### Read PEM Public Key`

			```sh
			`openssl ec -pubin -in publickey.pem -noout -text`
			```