Too Many Secrets: A Fiddler Add-On for Cracking Hashes
Automatic hash detector and cracking plugin for Fiddler2
by: Jonathan Boyd
Imagine a website that assigns a user a session cookie when he logs in. Suppose the session cookie is a cryptographic hash of a poorly chosen plaintext. Further, suppose that that hash could be broken by an online hash cracker.
Now, suppose we are penetration testing that application. We fire up Fiddler2 and start browsing the application. Suppose that Fiddler2 detects these hashes. It then parses out these hashes and sends them off-host to be cracked. If it manages to crack one, Fiddler will show a dialog box indicating that it has successfully cracked one of the hashes.
This lets the penetration tester know that the application is using a weak scheme and may also offer indications about how to compromise other accounts based on the broken scheme.
It turns out the usage is pretty easy.
- Install Fiddler2 on a Windows 7 system.
- Copy the “TooManySecrets.dll” into “Scripts” folder and start Fiddler. On my system, that folder is as follows: “C:\Users\jonboyd\Documents\Fiddler2\Scripts\TooManySecrets.dll”
- Browse the web and watch as hilarity ensues!
It should be noted that cracked hashes will be stored on the Desktop in: HashCache.txt. Also, as this relies on a 3rd party web site to crack hashes, the format may change or the site may go down. If that is the case, this probably will not work really well.