A pure python tool to implement/exploit the hash length extension attack
HashTools
This is a pure Python project implementing the hash length extension attack. It also provides implementations of some popular hashing algorithms.
Currently Supported Algorithms
| Algorithm | Implementation | Length Extension Attack |
|---|---|---|
| MD5 | :white_check_mark: | :white_check_mark: |
| SHA1 | :white_check_mark: | :white_check_mark: |
| SHA224 | :white_check_mark: | :x: |
| SHA256 | :white_check_mark: | :white_check_mark: |
| SHA384 | :white_check_mark: | :x: |
| SHA512 | :white_check_mark: | :white_check_mark: |
Installation
pip install HashTools
Usage
Using algorithm normally
Using update method (like python hashlib)
```python
import HashTools

magic = HashTools.new(algorithm="sha256")
magic.update(b"Hello World!")
print(magic.hexdigest())
```
Or in just one line:
```python
import HashTools

msg = b"Hello World!"
print(HashTools.new(algorithm="sha256", raw=msg).hexdigest())
```
Using hash length extension attack
Using extension method
```python
import HashTools
from os import urandom

# setup context
secret = urandom(16)  # idk ¯\_(ツ)_/¯
original_data = b"&admin=False"
sig = HashTools.new(algorithm="sha256", raw=secret + original_data).hexdigest()

# attack
append_data = b"&admin=True"
magic = HashTools.new("sha256")
new_data, new_sig = magic.extension(
    secret_length=16, original_data=original_data,
    append_data=append_data, signature=sig
)
```
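The `new_data` returned by `extension` has a fixed shape: the original data, then the padding the hash would have added internally to `secret + original_data`, then the appended data. The following added example (not part of HashTools; the function names and sample values are constructed here) uses that shape as a detection check on received input, for the four algorithms the table above marks as attackable.

```python
# Added example: flag inputs that embed Merkle-Damgard "glue" padding.
# Function names and sample values are constructed for illustration.

# (block size, length-field size, byte order of the length field)
PARAMS = {
    "md5": (64, 8, "little"),
    "sha1": (64, 8, "big"),
    "sha256": (64, 8, "big"),
    "sha512": (128, 16, "big"),
}


def md_padding(total_len, alg="sha256"):
    """Padding the hash appends internally to a message of total_len bytes."""
    block, len_size, order = PARAMS[alg]
    zeros = (block - len_size - 1 - total_len) % block
    return b"\x80" + b"\x00" * zeros + (total_len * 8).to_bytes(len_size, order)


def find_glue_padding(data, alg="sha256", max_secret_len=64):
    """Return (secret_len, offset) pairs where data contains padding that
    would be valid for secret || data[:offset]."""
    hits = []
    offset = data.find(b"\x80")  # every padding run starts with 0x80
    while offset != -1:
        for secret_len in range(max_secret_len + 1):
            pad = md_padding(secret_len + offset, alg)
            if data.startswith(pad, offset):
                hits.append((secret_len, offset))
        offset = data.find(b"\x80", offset + 1)
    return hits


# Constructed samples: an ordinary value and one with the extended shape
# (message layout only; no signature is computed here).
benign = b"&admin=False&user=bob"
original = b"&admin=False"
extended = original + md_padding(16 + len(original)) + b"&admin=True"

if __name__ == "__main__":
    print(find_glue_padding(benign))    # []
    print(find_glue_padding(extended))  # [(16, 12)]
```

A hit means the input is consistent with an extended message for that secret length; it does not replace fixing the signing scheme. HMAC (`hmac.new(secret, data, "sha256")` in the standard library) is not affected by length extension.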
Testing
- Compare my implementation with python hashlib
```python
import hashlib
from os import urandom
from random import randint

import HashTools


def test_imple():
    algorithms = [
        "md5", "sha1", "sha224", "sha256", "sha384", "sha512"
    ]
    print("> Implementation test...")
    for alg in algorithms:
        # hash the same random message with hashlib and with HashTools
        msg = urandom(randint(0, 1024))
        py_hash = hashlib.new(alg)
        my_hash = HashTools.new(alg)
        py_hash.update(msg)
        my_hash.update(msg)
        test1 = py_hash.hexdigest()
        test2 = my_hash.hexdigest()
        if test1 != test2:
            print(f"[!] {alg.ljust(6)} failed the validation test!")
            print(test1)
            print(test2)
            exit(1)
        else:
            print(f"[+] {alg.ljust(6)} passed the validation test!")
    print("> All test passed!!!")
```
- Testing length extension attack
```python
from os import urandom
from random import randint

import HashTools


def test_attack():
    algorithms = [
        "md5", "sha1", "sha256", "sha512"
    ]
    print("> Implementation test...")
    for alg in algorithms:
        # setup context
        length = randint(0, 1024)
        secret = urandom(length)  # idk ¯\_(ツ)_/¯
        original_data = b"admin=False"
        sig = HashTools.new(algorithm=alg, raw=secret + original_data).hexdigest()

        # attack
        append_data = b"admin=True;"
        magic = HashTools.new(alg)
        new_data, new_sig = magic.extension(
            secret_length=length, original_data=original_data,
            append_data=append_data, signature=sig
        )

        # the forged signature must match a hash computed with the real secret
        if new_sig != HashTools.new(algorithm=alg, raw=secret + new_data).hexdigest():
            print(f"[!] Our attack didn't work with {alg.ljust(6)}")
            exit(1)
        else:
            print(f"[+] {alg.ljust(6)} passed")
    print("> All test passed!!!")
```
License
References
- Pub, F. I. P. S. (2012). Secure hash standard (shs). Fips pub, 180(4).
File details
Details for the file length-extension-tool-0.1.0.tar.gz.
File metadata
- Download URL: length-extension-tool-0.1.0.tar.gz
- Upload date:
- Size: 10.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 591df10c57a28f81fd0a82dbc758bd869383422daa35d168f1937b6396796822 |
| MD5 | 5ee9b6cec50ec2a6d975064f2728f9cf |
| BLAKE2b-256 | 8a3f80d4ca8259e7ebbb740d2bf2e00a324b53b5f8f8f84b09f3888f231af390 |
File details
Details for the file length_extension_tool-0.1.0-py3-none-any.whl.
File metadata
- Download URL: length_extension_tool-0.1.0-py3-none-any.whl
- Upload date:
- Size: 18.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 13880f649024a1485c411510faf43888051e551113788a27e1d5df977dd193ae |
| MD5 | ba992e75aefa015e0dada109ed7609a1 |
| BLAKE2b-256 | 24146dba5adb7207f0c30bc78391eb107ee41cef27435415dd4a72eb3fdace11 |