Project Case Study: Brute-Force Decryption Key Discovery Using Wordlist Attack
Client: Internal Security Audit – AIG Cyber & Information Security Team
Project Type: Cybersecurity – Encryption Analysis & Penetration Testing
Date: April 2025
Duration: 1 day
Tools Used: Python, PyCryptodome, rockyou.txt wordlist
Objective
This internal project’s objective was to assess an encrypted file’s vulnerability to brute-force password attacks using common wordlists. The AIG Cyber & Information Security Team initiated this test as part of a broader effort to evaluate encryption strength and password hygiene across internal systems.
Approach
A password-protected encrypted file was submitted for analysis. The encryption method was assumed to be AES in CBC mode, with a 128-bit key potentially derived from a weak password. The industry-standard rockyou.txt wordlist was used, containing thousands of the most commonly used passwords.
A custom Python script was developed using the PyCryptodome library. The script automated the brute-force process by:
- Reading the encrypted file and attempting decryption using each password from the wordlist.
- Deriving a 128-bit AES key using the MD5 hash of each password.
- Attempting to decrypt the ciphertext using the generated key and a predefined IV.
- Checking for valid padding to determine if the decryption was successful.
Results
The script was executed in a controlled environment. It successfully decrypted the file after iterating through several thousand passwords, identifying a weak password present in the rockyou.txt list. The recovered plaintext confirmed the encryption method and password weakness, validating the test hypothesis.
Impact
This project underscored the importance of strong, complex passwords and modern encryption practices. Key recommendations included:
- Avoiding use of common passwords.
- Employing strong key derivation functions such as PBKDF2 or bcrypt.
- Regular security audits to detect and patch weak encryption implementations.
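The key-derivation recommendation can be made concrete with a short comparison. This is an added example, not the script used in the audit: it derives a 128-bit key with the unsalted MD5 scheme described above and with salted PBKDF2-HMAC-SHA256, then measures the cost of a single guess under each. The function names, the sample passphrase and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import os
import time

KEY_LEN = 16                 # 128-bit AES key, as in the case study
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def weak_key(password):
    """Audited scheme: key = MD5(password). Unsalted, one hash per guess."""
    return hashlib.md5(password.encode()).digest()


def strong_key(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random per-file salt. Returns (salt, key)."""
    if salt is None:
        salt = os.urandom(16)  # stored next to the ciphertext; not secret
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              iterations, dklen=KEY_LEN)
    return salt, key


def seconds_per_guess(derive, rounds):
    """Average wall-clock cost of one key derivation."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive()
    return (time.perf_counter() - start) / rounds


def compare(password="constructed-sample-passphrase"):
    """Measure how much each wordlist guess costs under both schemes."""
    salt = os.urandom(16)
    md5_cost = seconds_per_guess(lambda: weak_key(password), 20_000)
    kdf_cost = seconds_per_guess(lambda: strong_key(password, salt), 2)
    return {"md5_s": md5_cost, "pbkdf2_s": kdf_cost,
            "slowdown": kdf_cost / md5_cost}


if __name__ == "__main__":
    r = compare()
    print(f"MD5 per guess:    {r['md5_s']:.2e} s")
    print(f"PBKDF2 per guess: {r['pbkdf2_s']:.2e} s")
    print(f"Each guess costs about {r['slowdown']:,.0f}x more with PBKDF2")
    # Same password, two files: MD5 keys collide, salted PBKDF2 keys do not.
    print(weak_key("x") == weak_key("x"), strong_key("x")[1] == strong_key("x")[1])
```

The salt also means two files protected with the same password no longer share a key, so work spent on one file does not carry over to another. A slow KDF raises the cost of each guess but does not rescue a password that appears near the top of a common wordlist.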
Conclusion
The brute-force simulation served as a valuable exercise in demonstrating real-world password vulnerabilities. It reinforced the need for continuous education on password security and highlighted the risks of using widely known passwords for encryption.