Jump to content

Search the Community

Showing results for tags 'hash'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 13 results

  1. Dagon - Advanced Hash Manipulation Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more. Note: Dagon comes complete with a Hash Guarantee: I personally guarantee that Dagon will be able to crack your hash successfully. At any point Dagon fails to do so, you will be given a choice to automatically create a Github issue with your hash. Once this issue is created, I will try my best to crack your hash for you. The Github issue is completely anonymous, and no questions will be asked. This is my way of thanking you for using Dagon. There are alternatives to using the automatic issue creator. If you do not want your hash publicly displayed, and feel Dagon has failed you, feel free to create your own issue. Or send an email with the hash information to dagonhashguarantee@gmail.com Screenshots Bruteforcing made easy with a built in wordlist creator if you do not specify one. The wordlist will create 100,000 strings to use Verify what algorithm was used to create that hash you're trying to crack. You can specify to view all possible algorithms by providing the -L flag (some algorithms are not implemented yet) Random salting, unicode random salting, or you can make your own choice on the salt. Demo video Download Preferable you can close the repository with git clone https://github.com/ekultek/dagon.git alternatively you can download the zip or tarball here Basic usage For full functionality of Dagon please reference the homepage here or the user manual python dagon.py -h This will run the help menu and provide a list of all possible flags python dagon.py -c <HASH> --bruteforce This will attempt to bruteforce a given hash python dagon.py -l <FILE-PATH> --bruteforce This will attempt to bruteforce a given file full of hashes (one per line) python dagon.py -v <HASH> This will try to verify the algorithm used to create the hash python dagon.py -V <FILE-PATH> This will attempt to verify each hash in a file, one per line Installation Dagon requires python version 2.7.x to run successfully. git clone https://github.com/ekultek/dagon.git cd Dagon pip install -r requirements.txt This should install all the dependencies that you will need to run Dagon Contributions All contributions are greatly appreciated and helpful. When you contribute you will get your name placed on the homepage underneath contributions with a link to your contribution. You will also get massive respect from me, and that's a pretty cool thing. What I'm looking for in contributions is some of the following: Hashing algorithm creations, specifically; A quicker MD2 algorithm, full Tiger algorithms, Keychain algorithms for cloud and agile More wordlists to download from, please make sure that the link is encoded Rainbow table attack implementation More regular expressions to verify different hash types Source: https://github.com/Ekultek/dagon
  2. Salut, Am vrut sa lucrez ceva in .NET si fiind inspirat de encoderul de pe Crypo.com si de toolul lui Gecko am decis sa scriu aceasta aplicatie. E simplu de folosit si isi face treaba... Suporta urmatorii algoritmi: Reverse Hexadecimal Binary ASCII Base64 Caesar MD5 SHA RC4 AES ROT13 ATOM128 Aici aveti un screenshot cu aplicatia: http://i.imgur.com/XgxdTTL.png Download de pe site-ul meu: http://adrenalinetech.xyz/downloads/CipherGuru/ Sursa pe github: https://github.com/adrenalinetech/CipherGuru Daca aveti nemultumiri sau vreti sa adaug un algoritm va rog sa imi spuneti. Multumesc.
  3. BlackWire calling spoof crack password! GirlShare - Download BlackWire.rar BlackKeys:fDeW5ISMx8jeKJMGB%2BJZrHTwgI0MgVSITg4M%2Bq7KHJzz8TZ9D%2ByTQ027KSrWscID%2Fpb2%2FC9TXvg9yT4S%0AZ28e3W1v7sC0YRn0GqNLxu350yk%3D
  4. Hi guys,catch my first program!Link. 1.Mutlithread 2.No use proxy 3.Quick work 4.Brute SHA1/MD5
  5. Bozok Server : File Name: eqdt.exe File Size: 107768 Bytes MD5 Hash: 343D7EA16B4028DA9A7A534FA52F5452 SHA1 Hash: 075857329a2664a5326109f59457067f8d22298e Date & Time: 14/06/2015 13:59:07 Detections: 0/35 Status: Clean AVG Free-File Clean!. Avast-File Clean!. AntiVir (Avira)-File Clean!. BitDefender-File Clean!. Clam Antivirus-File Clean!. COMODO Internet Security-File Clean!. Dr.Web-File Clean!. eTrust-Vet-File Clean!. F-PROT Antivirus-File Clean!. F-Secure Internet Security-File Clean!. G Data-File Clean!. IKARUS Security-File Clean!. Kaspersky Antivirus-File Clean!. McAfee-File Clean!. MS Security Essentials-File Clean!. ESET NOD32-File Clean!. Norman-File Clean!. Norton Antivirus-File Clean!. Panda Security-File Clean!. A-Squared-File Clean!. Quick Heal Antivirus-File Clean!. Solo Antivirus-File Clean!. Sophos-File Clean!. Trend Micro Internet Security-File Clean!. VBA32 Antivirus-File Clean!. Zoner AntiVirus-File Clean!. Ad-Aware-File Clean!. BullGuard-File Clean!. FortiClient-File Clean!. K7 Ultimate-File Clean!. NANO Antivirus-File Clean!. Panda CommandLine-File Clean!. SUPERAntiSpyware-File Clean!. Twister Antivirus-File Clean!. VIPRE-File Clean!. Download: Download CRYpTE.rar Pass:wd+IDx5TDd+3E1cGwd+G(TIGO-3FX)
  6. The road towards phasing out the ageing SHA-1 crypto hash function is likely to be littered with potholes, security experts warn. SHA-1 is a hashing (one-way) function) that converts information into a shortened "message digest", from which it is impossible to recover the original information. This hashing technique is used in digital signatures, verifying that the contents of software downloads have not been tampered with, and many other cryptographic applications. The ageing SHA-1 protocol – published in 1995 – is showing its age and is no longer safe from Collision Attacks, a situation where two different blocks of input data throw up the same output hash. This is terminal for a hashing protocol, because it paves the way for hackers to offer manipulated content that carries the same hash value as pukka packets of data. Certificate bodies and others are beginning to move on from SHA-1 to its replacement, SHA-2. Microsoft announced its intent to deprecate SHA-1 in Nov 2013. More recently, Google joined the push with a decision to make changes in he latest version of its browser, Chrome version 42, so that SHA-1 certificates are flagged up as potentially insecure. Nudge Ken Munro, a director at security consultancy Pen Test Partners, warned that this type of behaviour creates the danger that while SHA-2 is being phased in, trust in certificates will suffer. "The risk of not updating could see users learn not to trust your site (reduced custom) or could encourage them to accept less-than-perfect encryption or even invalid certificates," Munro explained. Just updating to SHA-2 is not as simple as it might seem, because of compatibility issues with Android and Windows XP. More specifically, Android before 2.3 and XP before SP3 are incompatible with the change (a fuller compatibility matrix maintained by digital certificate firm GlobalSign can be found here). Windows XP may have been put out to pasture last year, but it's still widely used. Older versions of Android also present a problem. Around one per cent of devices used for Google Play are still <2.3 (Froyo) or below. Whilst the current Play Store version doesn't work pre 2.2, that still indicates that around 20 million active devices are in use that aren’t compatible with SHA-2, according to Munro. "The fact that SHA-2 can’t be used with older browsers and OS’s means that untrusted certificate warnings are going to become commonplace," Munro explained. "And if that happens, the danger is that many users will simply ride rough-shod over such pop-ups, potentially creating the ideal opportunity for man-in-the-middle (MitM) attacks." Ivan Ristic, a software engineer and founder of SSL Labs, agreed with Munro that there might be some trouble with the phasing out of SHA-1, "as with all older technologies". "Websites with older audiences might consider deploying with dual certificates; older SHA-1 for older clients and newer SHA-2 for modern clients," Ristic told El Reg. "Not all web servers support this, however." "To prevent warnings in Chrome, sites must upgrade to SHA-2 by the end of this year. However, it's possible to continue to use SHA-1 certificates at least until the end of 2016. So this gives sites at least about 1.5 years." Baseline requirements from industry group the CA/Browser Forum (PDF) offer "room for a reasonably safe dual-cert deployment" for even longer, if really necessary, up until the start of 2017. Macro signing Browser compatibility is not the only issue. SHA-2 compatibility for macro signing isn’t great, according to Munro, who said "it simply doesn’t work for Office 2003/2007 macro signing". Office 2010 does support SHA-2 macro signing, but only with a hotfix. Munro added: "There are plenty of other systems out there that are unlikely to ever accept SHA-2: what about the web interfaces for SCADA and other industrial control systems? What about other highly customised environments in the military: fire control systems built on old hardened versions of Windows XP?" Microsoft made some changes/exceptions for code signing, according to Ristic. ® Bootnote Microsoft's IE will allow "CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA-2 certificates only”. Google's Chrome will handle sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and which include an SHA-1-based signature as part of the certificate chain, as “secure, but with minor errors”. Mozilla, makers of Firefox, has developed a policy that SHA-1 certificates should not be issued after January 1 2016, nor trusted after January 1 2017. Source
  7. scan stub File Name: KILL.exe File Size: 151552 Bytes MD5 Hash: 632E21C3C737F1F3691CAD6DF0296CCDCD1D6360A152CDF3706F0FED6890E57E SHA1 Hash: 9bc1f1a8a2626c893d0594936d4ad72faf0ae66a Date & Time: 02/04/2015 09:48:10 a.m. Detections: 0/35 Status: Clean Report by: Most-Security Desktop Scanner v2.0 AVG Free-File Clean!. Avast-File Clean!. AntiVir (Avira)-File Clean!. BitDefender-File Clean!. Clam Antivirus-File Clean!. COMODO Internet Security-File Clean!. Dr.Web-File Clean!. eTrust-Vet-File Clean!. F-PROT Antivirus-File Clean!. F-Secure Internet Security-File Clean!. G Data-File Clean!. IKARUS Security-File Clean!. Kaspersky Antivirus-File Clean!. McAfee-File Clean!. MS Security Essentials-File Clean!. ESET NOD32-File Clean!. Norman-File Clean!. Norton Antivirus-File Clean!. Panda Security-File Clean!. A-Squared-File Clean!. Quick Heal Antivirus-File Clean!. Solo Antivirus-File Clean!. Sophos-File Clean!. Trend Micro Internet Security-File Clean!. VBA32 Antivirus-File Clean!. Zoner AntiVirus-File Clean!. Ad-Aware-File Clean!. BullGuard-File Clean!. FortiClient-File Clean!. K7 Ultimate-File Clean!. NANO Antivirus-File Clean!. Panda CommandLine-File Clean!. SUPERAntiSpyware-File Clean!. Twister Antivirus-File Clean!. VIPRE-File Clean!. scan spynert File Name: spypnet.exe File Size: 449104 Bytes MD5 Hash: 632E21C3C737F1F3691CAD6DF0296CCDCD1D6360A152CDF3706F0FED6890E57E859BBA77095E26E0F14764F96D81F0E9 SHA1 Hash: f20a9e6f4eab457dd1f3cc39a567b781f2b3d0c4 Date & Time: 02/04/2015 09:49:37 a.m. Detections: 0/35 Status: Clean Report by: Most-Security Desktop Scanner v2.0 AVG Free-File Clean!. Avast-File Clean!. AntiVir (Avira)-File Clean!. BitDefender-File Clean!. Clam Antivirus-File Clean!. COMODO Internet Security-File Clean!. Dr.Web-File Clean!. eTrust-Vet-File Clean!. F-PROT Antivirus-File Clean!. F-Secure Internet Security-File Clean!. G Data-File Clean!. IKARUS Security-File Clean!. Kaspersky Antivirus-File Clean!. McAfee-File Clean!. MS Security Essentials-File Clean!. ESET NOD32-File Clean!. Norman-File Clean!. Norton Antivirus-File Clean!. Panda Security-File Clean!. A-Squared-File Clean!. Quick Heal Antivirus-File Clean!. Solo Antivirus-File Clean!. Sophos-File Clean!. Trend Micro Internet Security-File Clean!. VBA32 Antivirus-File Clean!. Zoner AntiVirus-File Clean!. Ad-Aware-File Clean!. BullGuard-File Clean!. FortiClient-File Clean!. K7 Ultimate-File Clean!. NANO Antivirus-File Clean!. Panda CommandLine-File Clean!. SUPERAntiSpyware-File Clean!. Twister Antivirus-File Clean!. VIPRE-File Clean!. DOWNLOAD: Download CrypterFUDSlowet.rar RAR PASSWORD: slowet NU SCANATI CRYPTERU PE VIRUSTOTAL!
  8. oclHashcat+ Advanced GPU Hash Cracking Utility 1.32 Download clHashcat For NVidia 1.32 Download
  9. Introduction In this mini-course, we will learn about various aspects of cryptography. We’ll start with cryptography objectives, the need for it, various types of cryptography, PKI, and we’ll look at some practical usage in our daily digital communication. In this mini-course, I will explain every detail with an example which end users can perform on their machines. What is cryptography and why it is required? Today, digital communication has become far more important than what it was a decade ago. We use internet banking, social networking sites, online shopping, and online business activities. Everything is online these days, but the internet is not the most secure means to conduct all those activities. Nobody would want to do an online transaction with communication from their machine to their bank through an open channel. With cryptography, the channel secured between different entities which helps to do business activity in a more secure fashion. Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read it. Cryptography is a broad term which includes sub disciplines and very important concepts such as encryption. Let’s get into the main objectives of cryptography. Cryptography Objectives C-Confidentiality: Ensuring the information exchanged between two parties is confidential between them and is not visible to anyone else. I-Integrity: Ensuring that message integrity is not changed while in transit. A-Availability: Ensuring systems are available to fulfill requests all the time. Here are some additional concepts: Authentication: To confirm someone’s identity with the supplied parameters, such as usernames, passwords, and biometrics. Authorization: The process to grant access to a resource to the confirmed identity based on their permissions. Non-Repudiation: To make sure that only the intended endpoints have sent the message and later cannot deny it. Cryptography key definitions Here’s some cryptographic key terminology: Plaintext: The original raw text document onto which encryption needs to be applied. Ciphertext: When we apply encryption to a plaintext document, the output is ciphertext. Encryption: Encryption is the process of converting plaintext to ciphertext using an encryption algorithm. We have different types of encryption available today like symmetric, asymmetric and hybrid encryption. We will discuss them in depth later in the course. Encryption algorithm: An encryption algorithm is a mathematical procedure for converting plaintext into ciphertext with a key. Various examples of encryption algorithms include RSA, AES, DES, and 3DES. Key-length: Choosing an encryption algorithm with an appropriate keysize is an important decision to make. The strength of the key is usually determined by keysize, or the number of bits. Thus, the larger the bit size of a key, the more difficult it is to break the key. For example, with a key which has a bit length of 5, the key will have only 2^5 or 32 combinations. That’s pretty easy to break considering today’s computation methods. That’s why older algorithms like WEP (40 bits) & DES (56 bits) are considered obsolete and now much more powerful algorithms with larger key sizes, such as AES (128 bits), are now used. Hash: A hash value, also called a message digest, is a number generated from a string of text. As per the hash definition, no two different texts should produce the same hash value. If an algorithm can produce the same hash for a different string of text, then that algorithm is not collision free and can be cracked. Various examples of hash algorithm are MD2, MD5 and SHA-1 etc. Digital signature: Digital signature is the process of making sure that the two entities talking with each other can establish a trust relationship among them. We will take a look at its practical demonstration later in this document. Source Part2 Part3 Part4 Part5
  10. Methods for detecting affine image files forpix is a forensic program for identifying similar images that are no longer identical due to image manipulation. Hereinafter I will describe the technical background for the basic understanding of the need for such a program and how it works. From image files or files in general you can create so-called cryptologic hash values, which represent a kind of fingerprint of the file. In practice, these values have the characteristic of being unique. Therefore, if a hash value for a given image is known, the image can be uniquely identified in a large amount of other images by the hash value. The advantage of this fully automated procedure is that the semantic perception of the image content by a human is not required. This methodology is an integral and fundamental component of an effective forensic investigation. Due to the avalanche effect, which is a necessary feature of cryptologic hash functions, a minimum -for a human not to be recognized- change of the image causes a drastic change of the hash value. Although the original image and the manipulated image are almost identical, this will not apply to the hash values any more. Therefore the above mentioned application for identification is ineffective in the case of similar images. A method was applied that resolves the ineffectiveness of cryptologic hash values. It uses the fact that an offender is interested to preserve certain image content. In some degree, this will preserve the contrast as well as the color and frequency distribution. The method provides three algorithms to generate robust hash values of the mentioned image features. In case of a manipulation of the image, the hash values change either not at all or only moderately similar to the degree of manipulation. By comparing the hash values of a known image with those of a large quantity of other images, similar images can now be recognized fully automated. Download: http://rojak.de/le/forpix1.02_eng.7z Tutorial In order to launch the program on a Windows machine run the included batch file "forpix.bat". Otherwise, the program runs on all Java-capable machines with a 32 bit Java-VM. Just use the Java flag "-jar -Xmx1024m forpix.jar" in the command prompt. To perform a comparison following steps are necessary. The execution of the steps are very simple in practice. Creating an image database. Analyzing images of a seized media and import the images and hash values into the image database in one step. Analyzing a reference image and performing an automated image comparison in one step. As a result, you get for each reference image a list of the most similar images from the database. The very short tutorial: Create a database: menu "Database > Create ..." Choose a name along with a directory for the new database by pressing "Directory" Press "OK" Import images into the database: menu "Image > Import" Optionally you can insert your user name, case number/identifier, evidence number. Then choose the directory where the images were stored. Press "Start" Wait a moment... A message will be shown at the end. Press "OK" To compare a image with all images in the database: menu "Image > comparison..." Choose a reference image by pressing "file" to open the reference image file. For comparison press "Start". Wait a moment... A message will be shown at the end. Press "OK" After that you will see a list of images, similar to the reference image. To show each image just single click on each entry in the list. To show the reference image just click "Reference Image" in the menu bar. Read more: forpix | martin rojak
  11. Rainbow Maker is a python based tool for Cracking hash signatures & Creating Rainbow Table. Introduction OWASP Rainbow Maker is a tool aimed to break hash signatures. It allows testers to insert a hash value and possible keywords and values that might used by the application to create it, then it tried multiple combinations to find the format used to generate the hash value. Description give it a hash value, and a possible words that might led to create this value - the tool has a delimiter list (){} ;,'[]"~, etc. and it goes over all the words inserted and tries all possible combinations... for example: if you entered: password, pass, Pass, Password, secret123 it will try all kind of combinations such as: [password:secret123] "Pass";"secret12" {Password,secret123} etc. etc. Its other use is to produce a Rainbow Table out of the given word-list. Download: https://www.owasp.org/index.php/OWASP_Rainbow_Maker_Project
  12. You can grab the hash_extender tool on Github! (Administrative note: I’m no longer at Tenable! I left on good terms, and now I’m a consultant at Leviathan Security Group. Feel free to contact me if you need more information!) Awhile back, my friend @mogigoma and I were doing a capture-the-flag contest at https://stripe-ctf.com. One of the levels of the contest required us to perform a hash length extension attack. I had never even heard of the attack at the time, and after some reading I realized that not only is it a super cool (and conceptually easy!) attack to perform, there is also a total lack of good tools for performing said attack! After hours of adding the wrong number of null bytes or incorrectly adding length values, I vowed to write a tool to make this easy for myself and anybody else who’s trying to do it. So, after a couple weeks of work, here it is! Now I’m gonna release the tool, and hope I didn’t totally miss a good tool that does the same thing! It’s called hash_extender, and implements a length extension attack against every algorithm I could think of: MD4 MD5 RIPEMD-160 SHA-0 SHA-1 SHA-256 SHA-512 WHIRLPOOL I’m more than happy to extend this to cover other hashing algorithms as well, provided they are “vulnerable” to this attack — MD2, SHA-224, and SHA-384 are not. Please contact me if you have other candidates and I’ll add them ASAP! The attack An application is susceptible to a hash length extension attack if it prepends a secret value to a string, hashes it with a vulnerable algorithm, and entrusts the attacker with both the string and the hash, but not the secret. Then, the server relies on the secret to decide whether or not the data returned later is the same as the original data. It turns out, even though the attacker doesn’t know the value of the prepended secret, he can still generate a valid hash for {secret || data || attacker_controlled_data}! This is done by simply picking up where the hashing algorithm left off; it turns out, 100% of the state needed to continue a hash is in the output of most hashing algorithms! We simply load that state into the appropriate hash structure and continue hashing. TL;DR: given a hash that is composed of a string with an unknown prefix, an attacker can append to the string and produce a new hash that still has the unknown prefix. Example Let’s look at a step-by-step example. For this example: let secret = “secret” let data = “data” let H = md5() let signature = hash(secret || data) = 6036708eba0d11f6ef52ad44e8b74d5b let append = “append” The server sends data and signature to the attacker. The attacker guesses that H is MD5 simply by its length (it’s the most common 128-bit hashing algorithm), based on the source, or the application’s specs, or any way they are able to. Knowing only data, H, and signature, the attacker’s goal is to append append to data and generate a valid signature for the new data. And that’s easy to do! Let’s see how. Padding Before we look at the actual attack, we have to talk a little about padding. When calculating H(secret + data), the string (secret + data) is padded with a ’1? bit and some number of ’0? bits, followed by the length of the string. That is, in hex, the padding is a 0×80 byte followed by some number of 0×00 bytes and then the length. The number of 0×00 bytes, the number of bytes reserved for the length, and the way the length is encoded, depends on the particular algorithm and blocksize. With most algorithms (including MD4, MD5, RIPEMD-160, SHA-0, SHA-1, and SHA-256), the string is padded until its length is congruent to 56 bytes (mod 64). Or, to put it another way, it’s padded until the length is 8 bytes less than a full (64-byte) block (the 8 bytes being size of the encoded length field). There are two hashes implemented in hash_extender that don’t use these values: SHA-512 uses a 128-byte blocksize and reserves 16 bytes for the length field, and WHIRLPOOL uses a 64-byte blocksize and reserves 32 bytes for the length field. The endianness of the length field is also important. MD4, MD5, and RIPEMD-160 are little-endian, whereas the SHA family and WHIRLPOOL are big-endian. Trust me, that distinction cost me days of work! In our example, length(secret || data) = length(“secretdata”) is 10 (0x0a) bytes, or 80 (0×50) bits. So, we have 10 bytes of data (“secretdata”), 46 bytes of padding (80 00 00 …), and an 8-byte little-endian length field (50 00 00 00 00 00 00 00), for a total of 64 bytes (or one block). Put together, it looks like this: 0000 73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00 secretdata...... 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00 ........P....... Breaking down the string, we have: “secret” = secret “data” = data 80 00 00 … — The 46 bytes of padding, starting with 0×80 50 00 00 00 00 00 00 00 — The bit length in little endian This is the exact data that H hashed in the original example. The attack Now that we have the data that H hashes, let’s look at how to perform the actual attack. First, let’s just append append to the string. Easy enough! Here’s what it looks like: 0000 73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00 secretdata...... 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00 ........P....... 0040 61 70 70 65 6e 64 append The hash of that block is what we ultimately want to a) calculate, and get the server to calculate. The value of that block of data can be calculated in two ways: By sticking it in a buffer and performing H(buffer) By starting at the end of the first block, using the state we already know from signature, and hashing append starting from that state The first method is what the server will do, and the second is what the attacker will do. Let’s look at the server, first, since it’s the easier example. Server’s calculation We know the server will prepend secret to the string, so we send it the string minus the secret value: 0000 64 61 74 61 80 00 00 00 00 00 00 00 00 00 00 00 data............ 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 50 00 00 00 00 00 00 00 61 70 70 65 6e 64 ..P.......append Don’t be fooled by this being exactly 64 bytes (the blocksize) — that’s only happening because secret and append are the same length. Perhaps I shouldn’t have chosen that as an example, but I’m not gonna start over! The server will prepend secret to that string, creating: 0000 73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00 secretdata...... 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00 ........P....... 0040 61 70 70 65 6e 64 append And hashes it to the following value: 6ee582a1669ce442f3719c47430dadee For those of you playing along at home, you can prove this works by copying and pasting this into a terminal: echo ' #include <stdio.h> #include <openssl/md5.h> int main(int argc, const char *argv[]) { MD5_CTX c; unsigned char buffer[MD5_DIGEST_LENGTH]; int i; MD5_Init(&c); MD5_Update(&c, "secret", 6); MD5_Update(&c, "data" "\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x50\x00\x00\x00\x00\x00\x00\x00" "append", 64); MD5_Final(buffer, &c); for (i = 0; i < 16; i++) { printf("%02x", buffer); } printf("\n"); return 0; }' > hash_extension_1.c gcc -o hash_extension_1 hash_extension_1.c -lssl -lcrypto ./hash_extension_1 All right, so the server is going to be checking the data we send against the signature 6ee582a1669ce442f3719c47430dadee. Now, as the attacker, we need to figure out how to generate that signature! Client’s calculation So, how do we calculate the hash of the data shown above without actually having access to secret? Well, first, we need to look at what we have to work with: data, append, H, and H(secret || data). We need to define a new function, H?, which uses the same hashing algorithm as H, but whose starting state is the final state of H(secret || data), i.e., signature. Once we have that, we simply calculate H?(append) and the output of that function is our hash. It sounds easy (and is!); have a look at this code: echo ' #include <stdio.h> #include <openssl/md5.h> int main(int argc, const char *argv[]) { int i; unsigned char buffer[MD5_DIGEST_LENGTH]; MD5_CTX c; MD5_Init(&c); MD5_Update(&c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 64); c.A = htonl(0x6036708e); /* <-- This is the hash we already had */ c.B = htonl(0xba0d11f6); c.C = htonl(0xef52ad44); c.D = htonl(0xe8b74d5b); MD5_Update(&c, "append", 6); /* This is the appended data. */ MD5_Final(buffer, &c); for (i = 0; i < 16; i++) { printf("%02x", buffer); } printf("\n"); return 0; }' > hash_extension_2.c gcc -o hash_extension_2 hash_extension_2.c -lssl -lcrypto ./hash_extension_2 The the output is, just like before: 6ee582a1669ce442f3719c47430dadee So we know the signature is right. The difference is, we didn’t use secret at all! What’s happening!? Well, we create a MD5_CTX structure from scratch, just like normal. Then we take the MD5 of 64 ‘A’s. We take the MD5 of a full (64-byte) block of ‘A’s to ensure that any internal values — other than the state of the hash itself — are set to what we expect. Then, after that is done, we replace c.A, c.B, c.C, and c.D with the values that were found in signature: 6036708eba0d11f6ef52ad44e8b74d5b. This puts the MD5_CTX structure in the same state as it finished in originally, and means that anything else we hash — in this case append — will produce the same output as it would have had we hashed it the usual way. We use htonl() on the values before setting the state variables because MD5 — being little-endian — outputs its values in little-endian as well. Result So, now we have this string: 0000 64 61 74 61 80 00 00 00 00 00 00 00 00 00 00 00 data............ 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 50 00 00 00 00 00 00 00 61 70 70 65 6e 64 ..P.......append And this signature for H(secret || data || append): 6ee582a1669ce442f3719c47430dadee And we can generate the signature without ever knowing what the secret was! So, we send the string to the server along with our new signature. The server will prepend the signature, hash it, and come up with the exact same hash we did (victory!). The tool You can grab the hash_extender tool on Github! This example took me hours to write. Why? Because I made about a thousand mistakes writing the code. Too many NUL bytes, not enough NUL bytes, wrong endianness, wrong algorithm, used bytes instead of bits for the length, and all sorts of other stupid problems. The first time I worked on this type of attack, I spent from 2300h till 0700h trying to get it working, and didn’t figure it out till after sleeping (and with Mak’s help). And don’t even get me started on how long it took to port this attack to MD5. Endianness can die in a fire. Why is it so difficult? Because this is crypto, and crypto is immensely complicated and notoriously difficult to troubleshoot. There are lots of moving parts, lots of side cases to remember, and it’s never clear why something is wrong, just that the result isn’t right. What a pain! So, I wrote hash_extender. hash_extender is (I hope) the first free tool that implements this type of attack. It’s easy to use and implements this attack for every algorithm I could think of. Here’s an example of its use: $ ./hash_extender --data data --secret 6 --append append --signature 6036708eba0d11f6ef52ad44e8b74d5b --format md5 Type: md5 Secret length: 6 New signature: 6ee582a1669ce442f3719c47430dadee New string: 64617461800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005000000000000000617070656e64 If you’re unsure about the hash type, you can let it try different types by leaving off the –format argument. I recommend using the –table argument as well if you’re trying multiple algorithms: $ ./hash_extender --data data --secret 6 --append append --signature 6036708eba0d11f6ef52ad44e8b74d5b --out-data-format html --table md4 89df68618821cd4c50dfccd57c79815b data80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000P00000000000000append md5 6ee582a1669ce442f3719c47430dadee data80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000P00000000000000append There are plenty of options for how you format inputs and outputs, including HTML (where you use %NN notation), CString (where you use \xNN notation, as well as \r, \n, \t, etc.), hex (such as how the hashes were specified above), etc. By default I tried to choose what I felt were the most reasonable options: Input data: raw Input hash: hex Output data: hex Output hash: hex Here’s the help page for reference: -------------------------------------------------------------------------------- HASH EXTENDER -------------------------------------------------------------------------------- By Ron Bowes See LICENSE.txt for license information. Usage: ./hash_extender <--data=|--file=> --signature= --format= [options] INPUT OPTIONS -d --data= The original string that we're going to extend. --data-format= The format the string is being passed in as. Default: raw. Valid formats: raw, hex, html, cstr --file= As an alternative to specifying a string, this reads the original string as a file. -s --signature= The original signature. --signature-format= The format the signature is being passed in as. Default: hex. Valid formats: raw, hex, html, cstr -a --append= The data to append to the string. Default: raw. --append-format= Valid formats: raw, hex, html, cstr -f --format= [REQUIRED] The hash_type of the signature. This can be given multiple times if you want to try multiple signatures. 'all' will base the chosen types off the size of the signature and use the hash(es) that make sense. Valid types: md4, md5, ripemd160, sha, sha1, sha256, sha512, whirlpool -l --secret= The length of the secret, if known. Default: 8. --secret-min= --secret-max= Try different secret lengths (both options are required) OUTPUT OPTIONS --table Output the string in a table format. --out-data-format= Output data format. Valid formats: none, raw, hex, html, html-pure, cstr, cstr-pure, fancy --out-signature-format= Output signature format. Valid formats: none, raw, hex, html, html-pure, cstr, cstr-pure, fancy OTHER OPTIONS -h --help Display the usage (this). --test Run the test suite. -q --quiet Only output what's absolutely necessary (the output string and the signature) Defense So, as a programmer, how do you solve this? It’s actually pretty simple. There are two ways: Don’t trust a user with encrypted data or signatures, if you can avoid it. If you can’t avoid it, then use HMAC instead of trying to do it yourself. HMAC is designed for this. HMAC is the real solution. HMAC is designed for securely hashing data with a secret key. As usual, use constructs designed for what you’re doing rather than doing it yourself. The key to all crypto! [pun intended] And finally, you can grab the hash_extender tool on Github! Source: blog.skullsecurity.org
  13. 26964ace12341c64d4c2d617639798c9 PM pt ajutor!
×
×
  • Create New...