Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Automatic hash detector and cracking plugin for Fiddler2
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
TooManySecrets
.gitignore
README.md
TooManySecrets.sln

README.md

Too Many Secrets: A Fiddler Add-On for Cracking Hashes

Automatic hash detector and cracking plugin for Fiddler2

by: Jonathan Boyd

Introduction

Imagine a website that assigns a user a session cookie when he logs in. Suppose the session cookie is a cryptographic hash of a poorly chosen plaintext. Further, suppose that that hash could be broken by an online hash cracker.

Now, suppose we are penetration testing that application. We fire up Fiddler2 and start browsing the application. Suppose that Fiddler2 detects these hashes. It then parses out these hashes and sends them off-host to be cracked. If it manages to crack one, Fiddler will show a dialog box indicating that it has successfully cracked one of the hashes.

This lets the penetration tester know that the application is using a weak scheme and may also offer indications about how to compromise other accounts based on the broken scheme.

Usage

It turns out the usage is pretty easy.

  1. Install Fiddler2 on a Windows 7 system.
  2. Copy the “TooManySecrets.dll” into “Scripts” folder and start Fiddler. On my system, that folder is as follows: “C:\Users\jonboyd\Documents\Fiddler2\Scripts\TooManySecrets.dll”
  3. Browse the web and watch as hilarity ensues!

Notes

It should be noted that cracked hashes will be stored on the Desktop in: HashCache.txt. Also, as this relies on a 3rd party web site to crack hashes, the format may change or the site may go down. If that is the case, this probably will not work really well.

Something went wrong with that request. Please try again.