Skip to content

viensea1106/hash-length-extension

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits

.github/workflows

.github/workflows

 
 

HashTools

HashTools

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

CHANGELOG.md

CHANGELOG.md

 
 

License.txt

License.txt

 
 

MANIFEST.in

MANIFEST.in

 
 

README.md

README.md

 
 

pyproject.toml

pyproject.toml

 
 

setup.cfg

setup.cfg

 
 

setup.py

setup.py

 
 

Repository files navigation

length-extesion-tool

This is a pure python project implementing hash length extension attack. It also supports the implementation of some popular hashing algorithms.

Currently Supported Algorithms

Algorithm Implementation Length Extension Attack
MD5
SHA1
SHA224
SHA256
SHA384
SHA512

Installation

pip install length-extension-tool

Usage

Using algorithm normally

Using update method (like python hashlib)

import HashTools

magic = HashTools.new(algorithm="sha256")
magic.update(b"Hello World!")
print(magic.hexdigest())

or just one line

import HashTools

msg = b"Hello World!"
print(HashTools.new(algorithm="sha256", raw=msg).hexdigest())

Using hash length extension attack

Using extension method

import HashTools
from os import urandom

# setup context
secret = urandom(16)        # idk ¯\_(ツ)_/¯
original_data = b"&admin=False"
sig = HashTools.new(algorithm="sha256", raw=secret+original_data).hexdigest()

# attack
append_data = b"&admin=True"
magic = HashTools.new("sha256")
new_data, new_sig = magic.extension(
    secret_length=16, original_data=original_data,
    append_data=append_data, signature=sig
)

Testing

def test_imple():
    algorithms = [
        "md5", "sha1", "sha224", "sha256", "sha384", "sha512"
    ]

    print("> Implementation test...")
    for alg in algorithms:
        msg = urandom(randint(0, 1024))

        py_hash = hashlib.new(alg)
        my_hash = HashTools.new(alg)

        py_hash.update(msg)
        my_hash.update(msg)

        test1 = py_hash.hexdigest()
        test2 = my_hash.hexdigest()
        
        if test1 != test2:
            print(f"[!] {alg.ljust(6)} failed the validation test!")
            print(test1)
            print(test2)
            exit(1)
        else:
            print(f"[+] {alg.ljust(6)} passed the validation test!")

    print("> All test passed!!!")
  • Testing length extension attack
def test_attack():
    algorithms = [
        "md5", "sha1", "sha256", "sha512"
    ]

    print("> Implementation test...")
    for alg in algorithms:
        # setup context
        length = randint(0, 1024)           
        secret = urandom(length)            # idk ¯\_(ツ)_/¯
        original_data = b"admin=False"
        sig = HashTools.new(algorithm=alg, raw=secret + original_data).hexdigest()
        
        # attack
        append_data = b"admin=True;"
        magic = HashTools.new(alg)
        new_data, new_sig = magic.extension(
            secret_length=length, original_data=original_data,
            append_data=append_data, signature=sig
        )

        if new_sig != HashTools.new(algorithm=alg, raw=secret + new_data).hexdigest():
            print(f"[!] Our attack didn't work with {alg.ljust(6)}")
            exit(1)
        else:
            print(f"[+] {alg.ljust(6)} passed")

    print("> All test passed!!!")

License

References

  • Pub, F. I. P. S. (2012). Secure hash standard (shs). Fips pub, 180(4).

About

A pure python tool to implement/exploit the hash length extension attack

Topics

md5 sha1 sha256 sha512 sha384 sha224 ctf-tools length-extension-attack

Resources

Readme

License

MIT license
Activity

Stars

15 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Aug 12, 2023

Languages