A tool to exploit the hash length extension attack in various hashing algorithms
Latest commit 314268e Oct 2, 2016 @bwall committed on GitHub Merge pull request #16 from cebrusfs/master
Fix bug in padding generation of SHA1, SHA256, SHA512

HashPump

A tool to exploit the hash length extension attack in various hashing algorithms.

Currently supported algorithms: MD5, SHA1, SHA256, SHA512.

Help Menu

$ hashpump -h
HashPump [-h help] [-t test] [-s signature] [-d data] [-a additional] [-k keylength]
    HashPump generates strings to exploit signatures vulnerable to the Hash Length Extension Attack.
    -h --help          Display this message.
    -t --test          Run tests to verify each algorithm is operating properly.
    -s --signature     The signature from known message.
    -d --data          The data from the known message.
    -a --additional    The information you would like to add to the known message.
    -k --keylength     The length in bytes of the key being used to sign the original message with.
    Version 1.2.0 with CRC32, MD5, SHA1, SHA256 and SHA512 support.
    <Developed by bwall(@botnet_hunter)>

Sample Output

$ hashpump -s '6d5f807e23db210bc254a28be2d6759a0f5f5d99' --data 'count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo' -a '&waffle=liege' -k 14
0e41270260895979317fff3898ab85668953aaa2
count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02(&waffle=liege
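The run of bytes between the original data and the appended data in the sample output is SHA-1's own padding for the 14-byte key plus the 55-byte data. The following added example (not HashPump's code) rebuilds that padding, shows that a published SHA1(key || data) digest is a resumable internal state, and shows that HMAC, the standard fix, rejects the same extension. The key is a constructed 14-byte value and all function names are hypothetical.

```python
import hashlib, hmac, struct

def md_padding(total_len):
    """SHA-1 padding for total_len hashed bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state, block):
    """Apply the SHA-1 compression function to one 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def resume_sha1(hexdigest, hashed_len, extra):
    """Continue hashing from a digest, as if `extra` followed hashed_len padded bytes."""
    state = struct.unpack(">5I", bytes.fromhex(hexdigest))
    tail = extra + md_padding(hashed_len + len(extra))
    for i in range(0, len(tail), 64):
        state = sha1_compress(state, tail[i:i + 64])
    return struct.pack(">5I", *state).hex()

# Constructed inputs: the key is made up (14 bytes); data and suffix are the page's sample.
KEY = b"constructedkey"
DATA = b"count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo"
EXTRA = b"&waffle=liege"

def demo():
    glue = md_padding(len(KEY) + len(DATA))            # 69 bytes hashed -> 59 padding bytes
    tag = hashlib.sha1(KEY + DATA).hexdigest()         # weak scheme: tag = SHA1(key || data)
    forged_msg = DATA + glue + EXTRA
    forged_tag = resume_sha1(tag, len(KEY) + len(DATA) + len(glue), EXTRA)
    naive_ok = forged_tag == hashlib.sha1(KEY + forged_msg).hexdigest()
    # HMAC's outer hash hides the inner state, so resuming from its tag does not verify.
    hmac_tag = hmac.new(KEY, DATA, hashlib.sha1).hexdigest()
    guess = resume_sha1(hmac_tag, len(KEY) + len(DATA) + len(glue), EXTRA)
    hmac_ok = hmac.compare_digest(guess, hmac.new(KEY, forged_msg, hashlib.sha1).hexdigest())
    return glue, naive_ok, hmac_ok
```

The trailing `\x02(` in the sample output is the big-endian bit length 552 (0x0228) of the 69 hashed bytes, with 0x28 printed as `(`.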

Compile & install

$ git clone https://github.com/bwall/HashPump.git
$ apt-get install g++ libssl-dev
$ cd HashPump
$ make
$ make install

apt-get and make install require root privileges to run correctly. The actual build requirement is libcrypto (linked with -lcrypto), so the packages you need may vary by operating system.

On OS X HashPump can also be installed using Homebrew:

$ brew install hashpump

Mentions

HashPump has been mentioned in a few write-ups. If you are wondering how you can use HashPump, these are some great examples.

Python Bindings

Fellow Python lovers will be pleased with this addition. Saving me from writing an implementation of all these hash algorithms with the ability to modify states in Python, Python bindings have been added in the form of hashpumpy. This addition comes from zachriggle.

Installation

These Python bindings are available on PyPI and can be installed via pip.

$ pip install hashpumpy

Usage

>>> import hashpumpy
>>> help(hashpumpy.hashpump)
Help on built-in function hashpump in module hashpumpy:

hashpump(...)
    hashpump(hexdigest, original_data, data_to_add, key_length) -> (digest, message)

    Arguments:
        hexdigest(str):      Hex-encoded result of hashing key + original_data.
        original_data(str):  Known data used to get the hash result hexdigest.
        data_to_add(str):    Data to append
        key_length(int):     Length of unknown data prepended to the hash

    Returns:
        A tuple containing the new hex digest and the new message.
>>> hashpumpy.hashpump('ffffffff', 'original_data', 'data_to_add', len('KEYKEYKEY'))
('e3c4a05f', 'original_datadata_to_add')

Python 3 note

hashpumpy supports Python 3. Unlike in the Python 2 version, the second value (the new message) in the tuple returned by hashpumpy.hashpump is a bytes-like object instead of a string.