• Stars
    star
    117
  • Rank 301,828 (Top 6 %)
  • Language
    Python
  • License
    Other
  • Created about 10 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pure Python hash length extension module

hlextend

Pure Python Hash Length Extension module.

Currently supports SHA1, SHA256 and SHA512, more algorithms will be added in the future.

Create a hash by calling one of the named constuctor functions: sha1(), sha256(), and sha512(), or by calling new(algorithm).

The hash objects have the following methods:

hash(message):      

    Feeds data into the hash function using the normal interface.

extend(appendData, knownData, secretLength, startHash):

    Performs a hash length extension attack.  Returns the bytestring to
    use when appending data.

hexdigest():        

    Returns a hexlified version of the hash output.

Assume you have a hash generated from an unknown secret value concatenated with a known value, and you want to be able to produce a valid hash after appending additional data to the known value.

If the hash algorithm used is one of the vulnerable functions implemented in this module, is is possible to achieve this without knowing the secret value as long as you know (or can guess, perhaps by brute force) the length of that secret value. This is called a hash length extension attack.

Given an existing sha1 hash value '52e98441017043eee154a6d1af98c5e0efab055c', known data of 'hello', an unknown secret of length 10 and data you wish to append of 'file', you would do the following to perform the attack:

>>> import hlextend
>>> sha = hlextend.new('sha1')
>>> print(sha.extend(b'file', b'hello', 10, '52e98441017043eee154a6d1af98c5e0efab055c'))
b'hello\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xfile'
>>> print(sha.hexdigest())
c60fa7de0860d4048a3bfb36b70299a95e6587c9

The unknown secret (of length 10), that when hashed appended with 'hello' produces a SHA1 hash of '52e98441017043eee154a6d1af98c5e0efab055c', will then produce a SHA1 hash of 'c60fa7de0860d4048a3bfb36b70299a95e6587c9' when appended with the output from the extend function above.

If you are not sure of the exact length of the secret value, simply try the above multiple times specifying different values for the length to brute force.

More Repositories

1

vulnserver

Vulnerable server used for learning software exploitation
C
980
star
2

aws_url_signer

POC tool to create signed AWS API GET requests to bypass Guard Duty alerting of off-instance credential use via SSRF
Python
58
star
3

pentesting_stuff

A place to store my various pentesting related code thats too small/niche to justify its own repository, and a simple website with notes on pentesting.
Python
31
star
4

breakableflask

Simple vulnearable Flask web application
Python
27
star
5

shellcode

Various shell code I have written
Assembly
16
star
6

CVE-2022-46164-poc

Basic POC exploit for CVE-2022-46164
Python
11
star
7

ad_ldap_dumper

Security focused tool for dumping information from Active Directory via LDAP
Python
8
star
8

ssltest

SSL/TLS cipher testing tool
Perl
8
star
9

pygdbdis

Repository for pygdbdis gdb debugging extensions
Python
6
star
10

offsecfeed

RSS feed of offensive security topics http://thegreycorner.com/offsecfeed/
HTML
5
star
11

openwrt_vpn_control

Simple web interface to allow VPNs to be started and stopped easily
PHP
5
star
12

detectionlab_mod

Files related to my own DetectionLab deployment process
PowerShell
4
star
13

BurpPythonGateway

Uses py4j to make Burp Extender internals available to Python code and interactive interpreters like iPython
Python
4
star
14

CSharpInjectorLibrary

Reference injectable DLL in C# that provides a number of example methods for reproducing various TTPs
C#
3
star
15

absentis

Burp extension for identifying files using names with common variations on existing filenames
Python
3
star
16

stephenbradshaw

Github profile repository
3
star
17

stephenbradshaw.github.io

Website
HTML
3
star
18

CSIG

A Burp plugin that generates Intruder payloads for character set manipulation
Java
2
star
19

aws_helpers

Some helper code for doing things in AWS
Python
1
star
20

testing

Stuff
Python
1
star
21

letsencrypt_dns01_server

DNS Server for DNS01 authorisation
Python
1
star
22

burpextensiontemplates

Template files for quickly creating Burp Suite extensions
Python
1
star