Hasty Briefsbeta

Bilingual

Decrypting View State Messages

4 hours ago
  • #ASP.NET cryptography
  • #IIS security
  • #view state decryption
  • A user found a malicious encrypted view state in Windows event logs but only had a disk image and autogenerated keys from the Windows registry.
  • Decrypting view state varies from trivial for legacy setups (using CyberChef) to complex for modern ones (using Blacklist3r or reflection).
  • Autogen keys are 1024-byte blobs stored in the registry or LSA secrets, generated via SetAutogenKeys() with random bytes and IIS functions.
  • For legacy crypto, master validation and decryption keys are extracted from the autogen key at specific offsets (64 and 24 bytes).
  • Final machine keys in legacy setups derive from master keys using hashes of app virtual paths or IDs via GetNonRandomizedStringComparerHashCode.
  • Modern crypto uses HMACSHA512 with purposes (e.g., 'MachineKeyDerivation') and secondary parameters (like IsolateApps) to derive master keys.
  • Key sizes cause compatibility issues: AES supports 24/32 bytes, TripleDES only 24, DES only 8, leading to errors with auto-generated keys.
  • Final machine keys in modern setups derive similarly, with purposes based on app directory, page type, and optional view state user key.
  • Decryption involves base64 decoding, stripping validation hash, and decrypting with the final key (legacy uses IV of zeros, modern extracts IV).
  • VSRipper is a tool introduced to automate view state decryption, supporting all modern/legacy payloads and brute-forcing with autogen keys.