Skip to content
/ hashes Public
forked from ribeirux/hashes

Cross-plataform tool that injects keys with the same hash code in order to test web applications against hash collision attacks.

License

Apache-2.0 license
0 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

5l1v3r1/hashes

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits

bin

bin

 
 

core

core

 
 

dist

dist

 
 

etc

etc

 
 

ui

ui

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

NOTICE

NOTICE

 
 

README.md

README.md

 
 

pom.xml

pom.xml

 
 

Repository files navigation

Hashes

About

Hashes is a Cross-plataform tool, that generates and injects different keys with the same hash code, in order to test web applications against hash collision attacks (28th Chaos Communication Congress).

Supported web application technologies:

  • java (equivalent substrings)
  • php (equivalent substrings)
  • asp.net (multithreaded meet in the middle)
  • v8 (multithreaded meet in the middle)

This video describes how a hash collision attack works.

Hashes is released under the terms of the Apache License Version 2.0.

Building distribution

Requirements

  • Maven 2.1.0 or above
  • Java 6 or above

To build hashes:

  1. Download the source from here.
  2. Unzip the contents and in the project root directory execute: mvn clean install -Pdistribution. This will build hashes and run all tests. To skip the tests when building execute mvn clean install -Pdistribution -DskipTests
  3. Grab the hashes distribution located in dist/target/hashes-${version}-bin.zip and unzip the contents into a new folder.

Usage

Use only for testing purposes, not for evil.

usage: hashes [options...] <POST url>
 -a,--asp <seed>                             Build ASP payload using MITM algorithm (default: OFF)
 -b,--connection-timeout <timeout>           Connection timeout in seconds, zero to disable timeout (default: 60)
 -c,--clients <clients>                      Number of clients to run (default: 1)
 -d,--read-timeout <timeout>                 Read timeout in seconds, zero to disable timeout (default: 60)
 -e,--header <header>                        Use extra header (overrides internal header with same name)
 -g,--v8 <seed>                              Build V8 payload using MITM algorithm (default: OFF)
 -h,--help                                   Print this message
 -j,--java                                   Build JAVA payload using equivalent substrings algorithm (default: OFF)
 -k,--keys <keys>                            Number of keys to inject per request (default: 85000)
 -m,--progress-bar                           Display hash collision generation progress (default: OFF)
 -n,--new                                    Generate new keys instead of using pre-built collisions (default: OFF)
 -p,--php                                    Build PHP payload using equivalent substrings algorithm (default: ON)
 -r,--requests <requests>                    Number of requests to submit per client (default: 1)
 -s,--save <file>                            Save keys to file (default: OFF)
 -t,--mitm-worker-threads <worker threads>   Number of MITM worker threads (default: number of available processors)
 -w,--wait                                   Wait for response (default: OFF)

About

Cross-plataform tool that injects keys with the same hash code in order to test web applications against hash collision attacks.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • Java 99.1%
  • Shell 0.9%