A pure python tool to implement/exploit the hash length extension attack
Project description
HashTools
This is a pure python project implementing hash length extension attack. It also supports the implementation of some popular hashing algorithms.
Currently Supported Algorithms
| Algorithm | Implementation | Length Extension Attack |
|---|---|---|
| MD5 | :white_check_mark: | :white_check_mark: |
| SHA1 | :white_check_mark: | :white_check_mark: |
| SHA224 | :white_check_mark: | :x: |
| SHA256 | :white_check_mark: | :white_check_mark: |
| SHA384 | :white_check_mark: | :x: |
| SHA512 | :white_check_mark: | :white_check_mark: |
Installation
pip install HashTools
Usage
Using algorithm normally
Using update method (like python hashlib)
import HashTools
magic = HashTools.new(algorithm="sha256")
magic.update(b"Hello World!")
print(magic.hexdigest())
or just one line
import HashTools
msg = b"Hello World!"
print(HashTools.new(algorithm="sha256", raw=msg).hexdigest())
Using hash length extension attack
Using extension method
import HashTools
from os import urandom
# setup context
secret = urandom(16) # idk ¯\_(ツ)_/¯
original_data = b"&admin=False"
sig = HashTools.new(algorithm="sha256", raw=secret+original_data).hexdigest()
# attack
append_data = b"&admin=True"
magic = HashTools.new("sha256")
new_data, new_sig = magic.extension(
secret_length=16, original_data=original_data,
append_data=append_data, signature=sig
)
Testing
- Compare my implementation with python hashlib
def test_imple():
algorithms = [
"md5", "sha1", "sha224", "sha256", "sha384", "sha512"
]
print("> Implementation test...")
for alg in algorithms:
msg = urandom(randint(0, 1024))
py_hash = hashlib.new(alg)
my_hash = HashTools.new(alg)
py_hash.update(msg)
my_hash.update(msg)
test1 = py_hash.hexdigest()
test2 = my_hash.hexdigest()
if test1 != test2:
print(f"[!] {alg.ljust(6)} failed the validation test!")
print(test1)
print(test2)
exit(1)
else:
print(f"[+] {alg.ljust(6)} passed the validation test!")
print("> All test passed!!!")
- Testing length extension attack
def test_attack():
algorithms = [
"md5", "sha1", "sha256", "sha512"
]
print("> Implementation test...")
for alg in algorithms:
# setup context
length = randint(0, 1024)
secret = urandom(length) # idk ¯\_(ツ)_/¯
original_data = b"admin=False"
sig = HashTools.new(algorithm=alg, raw=secret + original_data).hexdigest()
# attack
append_data = b"admin=True;"
magic = HashTools.new(alg)
new_data, new_sig = magic.extension(
secret_length=length, original_data=original_data,
append_data=append_data, signature=sig
)
if new_sig != HashTools.new(algorithm=alg, raw=secret + new_data).hexdigest():
print(f"[!] Our attack didn't work with {alg.ljust(6)}")
exit(1)
else:
print(f"[+] {alg.ljust(6)} passed")
print("> All test passed!!!")
License
References
- Pub, F. I. P. S. (2012). Secure hash standard (shs). Fips pub, 180(4).
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for length-extension-tool-0.1.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 591df10c57a28f81fd0a82dbc758bd869383422daa35d168f1937b6396796822 |
|
| MD5 | 5ee9b6cec50ec2a6d975064f2728f9cf |
|
| BLAKE2b-256 | 8a3f80d4ca8259e7ebbb740d2bf2e00a324b53b5f8f8f84b09f3888f231af390 |
Close
Hashes for length_extension_tool-0.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 13880f649024a1485c411510faf43888051e551113788a27e1d5df977dd193ae |
|
| MD5 | ba992e75aefa015e0dada109ed7609a1 |
|
| BLAKE2b-256 | 24146dba5adb7207f0c30bc78391eb107ee41cef27435415dd4a72eb3fdace11 |
