Skip to main content

Unsecure time-based secret exploitation and Sandwich attack implementation.

Project description

Reset Tolkien

Unsecure time-based secret exploitation and Sandwich attack implementation

image.png

This tool is the result of research into "Unsecure time-based secrets" from this article:

To better understand how to use this tool, we strongly recommend that you read it first.

Yeah, this tool is based on a rather grotesque pun.


Installation

Install from pip:

▶ pip install reset-tolkien

Installation from Docker

▶ git clone https://github.com/AethliosIK/reset-tolkien.git
▶ cd reset-tolkien
▶ docker build -t reset-tolkien:latest . 
▶ docker run --rm -it --net=host -v "$PWD:/reset-tolkien/" reset-tolkien:latest -h

Usage

To detect whether a token is time-based, simply use this command:

$ reset-tolkien detect 660430516ffcf -d "Wed, 27 Mar 2024 14:42:25 GMT" --prefixes "attacker@example.com" --suffixes "attacker@example.com" --timezone "-7"
The token may be based on a timestamp: 1711550545.458703 (prefix: None / suffix: None)
The convertion logic is "uniqid"

To attack this token, use this command to export possible tokens:

$ reset-tolkien sandwich 660430516ffcf -bt 1711550546.485597 -et 1711550546.505134 -o output.txt --token-format="uniqid"
Tokens have been exported in "output.txt"

Encoding and hash function supported

The tool recursively tests different token formats:

  • base32
  • base64
  • urlencode
  • hexint
  • hexstr: ASCII integer encoding
  • uniqid: the PHP function uniqid previously studied
  • uuidv1: the format of a time-based UUID Version 1
  • shortuuid: a popular UUID encoding function
  • mongodb_objectid: the Mongo DB data format studied above
  • datetime: the encoding of a date from a custom date format
  • datetimeRFC2822: encoding a date using the format from the RFC2822 standard

The tool also manages the most popular hash functions:

  • md5
  • sha1
  • sha224
  • sha256
  • sha384
  • sha512
  • sha3_224
  • sha3_256
  • sha3_384
  • sha3_512
  • blake_256
  • blake_512

Help

usage: reset-tolkien [-h] [-v] {detect,bruteforce,sandwich} ...

Reset Tolkien can be used to find out whether a provided token is based on a
timestamp, from a timestamp corresponding to the period in which it was
generated.

options:
  -h, --help            show this help message and exit
  -v, --version         Print tool version

action:
  {detect,bruteforce,sandwich}
    detect              Detect the format of reset token
    bruteforce          Attack the reset token
    sandwich            Attack the reset token with sandwich method

The various features of the tool are as follows:

  • detect: detects whether a provided token is based on a date, provided or not:
usage: reset-tolkien detect [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS]
                     [--date-format-of-token DATE_FORMAT_OF_TOKEN]
                     [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]
                     [--int-timestamp-range INT_TIMESTAMP_RANGE]
                     [--float-timestamp-range FLOAT_TIMESTAMP_RANGE]
                     [--timezone TIMEZONE] [-l {1,2,3}] [-t TIMESTAMP]
                     [-d DATETIME] [--datetime-format DATETIME_FORMAT]
                     [--prefixes PREFIXES] [--suffixes SUFFIXES]
                     [--hashes HASHES]
                     token

positional arguments:
  token                 The token given as input.

options:
  -h, --help            show this help message and exit
  -r, --roleplay        Not recommended if you don't have anything else to do
  -v {0,1,2}, --verbosity {0,1,2}
                        Verbosity level (default: 0)
  -c CONFIG, --config CONFIG
                        Config file to set TimestampHashFormat (default: resetTolkien/config/default.yml)
  --threads THREADS     Define the number of parallelized tasks for the
                        decryption attack on the hash. (default: 8)
  --date-format-of-token DATE_FORMAT_OF_TOKEN
                        Date format for the token - please set it if you have
                        found a date as input.
  --only-int-timestamp  Only use integer timestamp. (default: False)
  --decimal-length DECIMAL_LENGTH
                        Length of the float timestamp (default: 7)
  --int-timestamp-range INT_TIMESTAMP_RANGE
                        Time range over which the int timestamp will be tested
                        before and after the input value (default: 60s)
  --float-timestamp-range FLOAT_TIMESTAMP_RANGE
                        Time range over which the float timestamp will be
                        tested before and after the input value (default: 2s)
  --timezone TIMEZONE   Timezone of the application for datetime value
                        (default: 0)
  -l {1,2,3}, --level {1,2,3}
                        Level of search depth (default: 3)
  -t TIMESTAMP, --timestamp TIMESTAMP
                        The timestamp of the reset request
  -d DATETIME, --datetime DATETIME
                        The datetime of the reset request
  --datetime-format DATETIME_FORMAT
                        The input datetime format (default: server date format
                        like "Sun, 30 Jun 2024 01:38:41 UTC")
  --prefixes PREFIXES   List of possible values for the prefix concatenated
                        with the timestamp. Format: prefix1,prefix2
  --suffixes SUFFIXES   List of possible values for the suffix concatenated
                        with the timestamp. Format: suffix1,suffix2
  --hashes HASHES       List of possible hashes to try to detect the format.
                        Format: suffix1,suffix2 (default: all identified hash)
  • bruteforce: provides a list of possible tokens from an arbitrarily defined token format and time frame:
usage: reset-tolkien bruteforce [-h] [-r] [-v {0,1,2}] [-c CONFIG]
                         [--threads THREADS]
                         [--date-format-of-token DATE_FORMAT_OF_TOKEN]
                         [--only-int-timestamp]
                         [--decimal-length DECIMAL_LENGTH]
                         [--int-timestamp-range INT_TIMESTAMP_RANGE]
                         [--float-timestamp-range FLOAT_TIMESTAMP_RANGE]
                         [--timezone TIMEZONE] [-t TIMESTAMP] [-d DATETIME]
                         [--datetime-format DATETIME_FORMAT]
                         [--token-format TOKEN_FORMAT] [--prefix PREFIX]
                         [--suffix SUFFIX] [-o OUTPUT] [--with-timestamp]
                         token

positional arguments:
  token                 The token given as input.

options:
  -h, --help            show this help message and exit
  -r, --roleplay        Not recommended if you don't have anything else to do
  -v {0,1,2}, --verbosity {0,1,2}
                        Verbosity level (default: 0)
  -c CONFIG, --config CONFIG
                        Config file to set TimestampHashFormat (default: resetTolkien/config/default.yml)
  --threads THREADS     Define the number of parallelized tasks for the
                        decryption attack on the hash. (default: 8)
  --date-format-of-token DATE_FORMAT_OF_TOKEN
                        Date format for the token - please set it if you have
                        found a date as input.
  --only-int-timestamp  Only use integer timestamp. (default: False)
  --decimal-length DECIMAL_LENGTH
                        Length of the float timestamp (default: 7)
  --int-timestamp-range INT_TIMESTAMP_RANGE
                        Time range over which the int timestamp will be tested
                        before and after the input value (default: 60s)
  --float-timestamp-range FLOAT_TIMESTAMP_RANGE
                        Time range over which the float timestamp will be
                        tested before and after the input value (default: 2s)
  --timezone TIMEZONE   Timezone of the application for datetime value
                        (default: 0)
  -t TIMESTAMP, --timestamp TIMESTAMP
                        The timestamp of the reset request with victim email
  -d DATETIME, --datetime DATETIME
                        The datetime of the reset request with victim email
  --datetime-format DATETIME_FORMAT
                        The input datetime format (default: server date format
                        like "Sun, 30 Jun 2024 01:40:15 UTC")
  --token-format TOKEN_FORMAT
                        The token encoding/hashing format - Format:
                        encoding1,encoding2
  --prefix PREFIX       The prefix value concatenated with the timestamp.
  --suffix SUFFIX       The suffix value concatenated with the timestamp.
  -o OUTPUT, --output OUTPUT
                        The filename of the output
  --with-timestamp      Write the output with timestamp
  • sandwich: provides a list of possible tokens based on a token format and a time frame bounded by two dates:
usage: reset-tolkien sandwich [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS]
                       [--date-format-of-token DATE_FORMAT_OF_TOKEN]
                       [--only-int-timestamp]
                       [--decimal-length DECIMAL_LENGTH]
                       [--int-timestamp-range INT_TIMESTAMP_RANGE]
                       [--float-timestamp-range FLOAT_TIMESTAMP_RANGE]
                       [--timezone TIMEZONE] [-bt BEGIN_TIMESTAMP]
                       [-et END_TIMESTAMP] [-bd BEGIN_DATETIME]
                       [-ed END_DATETIME] [--datetime-format DATETIME_FORMAT]
                       [--token-format TOKEN_FORMAT] [--prefix PREFIX]
                       [--suffix SUFFIX] [-o OUTPUT] [--with-timestamp]
                       token

positional arguments:
  token                 The token given as input.

options:
  -h, --help            show this help message and exit
  -r, --roleplay        Not recommended if you don't have anything else to do
  -v {0,1,2}, --verbosity {0,1,2}
                        Verbosity level (default: 0)
  -c CONFIG, --config CONFIG
                        Config file to set TimestampHashFormat (default: resetTolkien/config/default.yml)
  --threads THREADS     Define the number of parallelized tasks for the
                        decryption attack on the hash. (default: 8)
  --date-format-of-token DATE_FORMAT_OF_TOKEN
                        Date format for the token - please set it if you have
                        found a date as input.
  --only-int-timestamp  Only use integer timestamp. (default: False)
  --decimal-length DECIMAL_LENGTH
                        Length of the float timestamp (default: 7)
  --int-timestamp-range INT_TIMESTAMP_RANGE
                        Time range over which the int timestamp will be tested
                        before and after the input value (default: 60s)
  --float-timestamp-range FLOAT_TIMESTAMP_RANGE
                        Time range over which the float timestamp will be
                        tested before and after the input value (default: 2s)
  --timezone TIMEZONE   Timezone of the application for datetime value
                        (default: 0)
  -bt BEGIN_TIMESTAMP, --begin-timestamp BEGIN_TIMESTAMP
                        The begin timestamp of the reset request with victim
                        email
  -et END_TIMESTAMP, --end-timestamp END_TIMESTAMP
                        The end timestamp of the reset request with victim
                        email
  -bd BEGIN_DATETIME, --begin-datetime BEGIN_DATETIME
                        The begin datetime of the reset request with victim
                        email
  -ed END_DATETIME, --end-datetime END_DATETIME
                        The end datetime of the reset request with victim
                        email
  --datetime-format DATETIME_FORMAT
                        The input datetime format (default: server date format
                        like "Sun, 30 Jun 2024 01:40:54 UTC")
  --token-format TOKEN_FORMAT
                        The token encoding/hashing format - Format:
                        encoding1,encoding2
  --prefix PREFIX       The prefix value concatenated with the timestamp.
  --suffix SUFFIX       The suffix value concatenated with the timestamp.
  -o OUTPUT, --output OUTPUT
                        The filename of the output
  --with-timestamp      Write the output with timestamp

VI.4 - Default tests

By default, the tool is configured to detect this type of time-based token generation:

function getToken($level, $email)
{
    switch ($level) {
        case 1:
            return uniqid();
        case 2:
            return hash(time());
        case 3:
            return hash(uniqid());
        case 4:
            return hash(uniqid() . $email);
        case 5:
            return hash(date(DATE_RFC2822));
        case 6:
            return hash($email . uniqid() . $email);
        case 7:
            return uuid1("Test");
    }
}

Customised test configuration

In addition, the tool allows you to define your own token formats before applying a hash function via a TimestampHashFormat object. For example, to test whether the token is generated using this token generation function:

# Generate a formatted token
def generate_token():
    import datetime
    import hashlib
    
    t = datetime.datetime.utcnow().timestamp()
    token = hashlib.md5(uniqid(t).encode()).hexdigest()
    return token

This can be defined in the YAML configuration file:

float-uniqid:
  description: "Uniqid timestamp"
  level: 2
  timestamp_type: float
  formats:
    - uniqid

The "Todo" list

Of course, as with any tool, there is always the possibility of adding new features to complement it.

Among the points that would be very useful:

  • Format management via Abstract syntax tree: the tool currently only manages formats applied in a linear way, so a simple format like md5(timestamp()+1) won't be supported. By configuring formats as a tree, this type of format can be supported by the tool.
  • Better application of user-specific information: when detecting a token format, it is possible to define user-specific information as prefixes or suffixes of the token generation date. Many other configurations could be possible.
  • Management of other dynamic variables: the tool detects formats and allows attacks based on the only variable supported: time. However, some formats can have several variables that evolve.
  • Addition of new supported formats: the tool only supports the time-based functions found during my research, but many other formats should still exist and could also be supported by the tool.

Changelog

You could retrieve changes for each version from CHANGELOG.md.

Licensing

This project is licensed under the MIT license.

Credit

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

reset_tolkien-1.3.2.tar.gz (29.2 kB view details)

Uploaded Source

Built Distribution

reset_tolkien-1.3.2-py3-none-any.whl (28.3 kB view details)

Uploaded Python 3

File details

Details for the file reset_tolkien-1.3.2.tar.gz.

File metadata

  • Download URL: reset_tolkien-1.3.2.tar.gz
  • Upload date:
  • Size: 29.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.11.7

File hashes

Hashes for reset_tolkien-1.3.2.tar.gz
Algorithm Hash digest
SHA256 650352dcf0091cc8cfcb750c0fe8f85ee37366d203a9cea787408355de73ee5e
MD5 199d4199e8b36414b37260c5daf7c547
BLAKE2b-256 2d3d5689e681e30dc04a7c5f809aa826f216c3fa1ef05da4a705838b55a3926c

See more details on using hashes here.

File details

Details for the file reset_tolkien-1.3.2-py3-none-any.whl.

File metadata

File hashes

Hashes for reset_tolkien-1.3.2-py3-none-any.whl
Algorithm Hash digest
SHA256 db726de513958ceb8df20867d92a53f500e94bf0cebe25e04bd0f2ab0985e17c
MD5 0cb6044ab8f32a10d17e5296efb34160
BLAKE2b-256 6eefeeb8f1d5c606c99a93c0f6bd02b500d5477a87ea2c8b539927c61eb965e1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page