hacktricks/cryptography/hash-length-extension-attack.md
2022-04-28 15:38:48 +00:00

Support HackTricks and get benefits! Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](7af18b62b3/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
# Hash Length Extension Attack

## Summary of the attack

Imagine a server that signs some data by joining a secret to known clear text data (the secret comes first, as in the "secretdata" example below) and then hashing the result. If you know:

  • The length of the secret (this can also be brute-forced within a given length range)
  • The clear text data
  • The algorithm (and it is vulnerable to this attack)
  • The padding
    • Usually a default one is used, so if the other 3 requirements are met, this one is too
    • The padding varies depending on the length of the secret+data, which is why the length of the secret is needed

Then it's possible for an attacker to append data and generate a valid signature for the previous data + appended data.

## How?

Basically, the vulnerable algorithms generate the hash by first hashing a block of data and then, starting from the previously created hash (state), adding the next block of data and hashing it. The final digest is that internal state, so anyone who holds the digest can continue hashing from it.

Then, imagine that the secret is "secret" and the data is "data"; the MD5 of "secretdata" is 6036708eba0d11f6ef52ad44e8b74d5b.
If an attacker wants to append the string "append", they can:

  • Generate an MD5 of 64 "A"s
  • Change the state of the previously initialized hash to 6036708eba0d11f6ef52ad44e8b74d5b
  • Append the string "append"
  • Finish the hash; the resulting hash will be a valid one for "secret" + "data" + "padding" + "append"

## Tool

[https://github.com/iagox86/hash_extender](https://github.com/iagox86/hash_extender)

## References

You can find this attack well explained at https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
