Introduction to hash length extension attacks and how to use Hashpump installation

Hash length extension attacks (hash lengths extension attacks) are attacks against certain cryptographic hash functions that allow additional information. This attack applies to all hash functions that have taken the H (key ∥ message) construct of this type in cases where the message and the length of the key are known. Merkle–damgård-based algorithms such as MD5 and SHA-1 Show vulnerability to such attacks.

If an application is doing the following:

1. A cipher is prepared and some data is constructed into a string, and a hash function, such as MD5, is used to generate a hash value (so-called signature/signature).
2. Allows an attacker to submit data and hash values, although the attacker does not know the ciphertext
3. The server constructs the submitted data with a cipher string and hashes it to determine if it is equivalent to the hash value submitted.

At this point, the application is vulnerable to length expansion attacks, and the attacker can construct a hash value for {secret | | | | | attacker_controlled_data} .

--------------------------------------------------------------------

This article does not introduce its true principle for the time being (after understanding and then add up well),

Want to know more articles that can be accessed by Hash_extender authors on the following githubs:

Everything need to know about hash length extension attacks

It also does not introduce the installation method of Hash_extender, but introduces Hashpump (because it supports Python extension.) ）

-----------------

1, Hashpump Installation

Hashpump is a tool that implements attacks against multiple hashing functions with OpenSSL, and supports extended attacks on lengths such as MD5, CRC32, SHA1, SHA256, and SHA512. The MD2, SHA224, and SHA384 algorithms are not affected by this attack, because some of them avoid the output of state variables, and do not output all state variables.

(As for the other articles mentioned MD4, RIPEMD-160, SHA-0, whirlpool, etc. can also construct length expansion attacks, and so on later study.) ）

git clone https://github.com/bwall/HashPump
apt-get install g++ libssl-dev
cd HashPump
make
make install

To implement Hashpump in Python, you can use the Hashpumpy plugin:

Pip Install Hashpumpy

(Refer to the GitHub project for instructions on how to use it)

2. Hashpump usage

Here is an example of an experimental bar, the key code is probably as follows:

<?php
$secret="XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!
$username="admin";
$password = $_POST["password"];
if($COOKIE["getmein"] === md5($secret . urldecode($username . $password))){
    echo "Congratulations! You are a registered user.\n";
    die ("The flag is ". $flag);
}else{
    die("Your cookies don‘t match up! STOP HACKING THIS SITE.");
}
?>

In the title you can get:

MD5 ($secret. " Adminadmin ") has a value of 571580B26C65F306376D4F64E53CB5C7

Just a little tidying up what we already know:

$secret is ciphertext, the length is 15, if you count the first admin, the length is 20
And the data is admin
The signature (hash value) is 571580b26c65f306376d4f64e53cb5c7 

At this time we use Hashpump, additional data at least 1 people:

 
# hashpump
Input Signature: 571580b26c65f306376d4f64e53cb5c7
Input Data: admin
Input Key Length: 20 Input Data to Add: pcat

or directly

 
hashpump -s 571580b26c65f306376d4f64e53cb5c7 -d admin -k 20 -a pcat

You'll get

3e67e8f0c05e1ad68020df30bbc505f5admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ X00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x00pcat

The first one is a new signature, set it to the GetMeIn of the cookie.

The second one replaces \x with%, Post commits

Password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8 %00%00%00%00%00%00%00pcat

It can be passed.

-------

PS. provide an online Web site based on Hashpump:

Http://sakurity.com/lengthextension

(may have to turn over the wall to access, additional data at least one, message length is ciphertext + The total length of data, see "Submit" key to refresh or change the browser)

Introduction to hash length extension attacks and how to use Hashpump installation