Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding etc.
Data encoding - crackable?
Posted by: Perow
Date: December 20, 2009 07:18PM

Hey all,
I've been trying to decipher the cookie structure of a website and am hopeful some of you have more experience in this matter.

There is a certain passphrase in the website's cookie that allows the user to be logged in without explicitly entering any user data. The cookie comes with a lot of extra useless data, because I found that it's possible to reduce the complete cookie string to only the specific part and it would still work.
Now, I was able to find a different part of the cookie that is also stored on the website. Let's call this the input code "in".

What I'm interested in, is whether or not it's possible to find the output hash with help of the input code on the site's server. Below is a list of in&out combinations I have generated, that may help you to decide how or if it's possible to generate "out" from "in".

in: 93335735519988197224117
out: b6e61a57b71e9e805af2de6d4f6aa5ab8bb53cfb

in: 26195435616488197224117
out: 440ea6883091823653dafb01520713d4d6fba522

in: 45411135623788197224117
out: b1a32caf51f12de9f3b0eb9c6a4ed797a292c066

in: 01935335659288197224117
out: 5f64da5e645f3367c4ba0311b2063471563b5b58

in: 34029335659488197224117
out: 3efac60e094404311c306a98caf4711bc7417048

in: 24941135659688197224117
out: d575dbba4c7634d877b0696d9db96ea85b24b11c

in: 24665335659888197224117
out: a4955c063cae03039511e932d29aa7308f0e9a3c

in: 48274935660088197224117
out: f6b73696395d44bc0ddd98db2cccc2e94b18f1c6

in: 54058135660288197224117
out: c5cd59f1639a0d943ca7e273e46ca8e933f89c1b

in: 64959135660488197224117
out: 77ec22260b4503c7591a7fa590a1a8633b874d99

in: 64955535660688197224117
out: d76d7501c66d6f7a4eb0798c86b5f60c25246059

in: 79520035661188197224117
out: faba8080c07b0ca455f2940a93d21ba0f51004e1

in: 06291335661488197224117
out: 0144a1df977226f993d67e89bb8ee11bf721316f

in: 39539235661688197224117
out: 8dc7099f26b942cc0c7fd9e2e257906b30166d08

in: 29120835661888197224117
out: a19f2d206fd154ac70e0994b803b1fe2569f99c1

in: 38387535662088197224117
out: 883c069b719a2b71a4c50fa28060a027b52a46b5

in: 47230635662288197224117
out: 3f8e958366dd48bab8ef34d1a7c7b05a3c418417

in: 69501335662488197224117
out: ee06c267ed970b36a24bd54c88a42e330c078788

in: 16766335666288197224117
out: 092d28d8786382785118b1b80c50465c62fb1c6e

in: 27683335666488197224117
out: dda146137769e62607b842e5a659e3d9f89e4127

in: 30534435666688197224117
out: 8c9230934d6797fae76850af74b34d3333949ffc

in: 18607535666888197224117
out: eaaf196f69e3d087bf54c19a6d9cd97cd3dd0e7f

in: 07154035667088197224117
out: 8a08a3631f531ab2b9c2c3ca7b193c3d96849473

in: 04457435667288197224117
out: ae49a2888c3a1445171b6d87dd95ba24ce21c22c

in: 33087635667488197224117
out: 91b55929d7a5f5cd35715dfbfc6d811b4043db11

in: 36115435667688197224117
out: b2179689e8c16df7229b24b6c145401f8b561159

in: 36958935667888197224117
out: d2dca1254b96c5be66c34892dca3897accea7e38

in: 44517835668088197224117
out: 531494e84e2336404a1ee9d473204c9843eb92f5

Thanks.




Re: Data encoding - crackable?
Posted by: barbarianbob
Date: December 20, 2009 08:24PM

Well, it's hashing them, and I assume it's sha1() since it's 40 chars long.
What happens if you enter a value multiple times? As in 44517835668088197224117, wait a few seconds, and 44517835668088197224117 again. What's some of the other data that comes out?

Re: Data encoding - crackable?
Posted by: Perow
Date: December 21, 2009 03:08AM

I cannot try to enter the same value multiple times, because this is how it works:

1. log in to website: the site generates the "in" code and stores it on their servers.
2. the site generates the output hash from the input file (and possibly some other data?)
3. a cookie gets stored. it contains the in code, as well as the output hash.
4. I can reduce the cookie to only the part containing the output hash and it still works to log in.

So every time I log in, a new input is used, which prevents me from getting the same output twice. I still think it's possible to generate the output from the input because the reduced cookie can let me log in. I think the site just rehashes the input code they store on their servers and compares it to the cookie string.

All of the strings above were generated for the same user.

Re: Data encoding - crackable?
Posted by: barbarianbob
Date: December 21, 2009 01:52PM

See what information you can gather from the "in" value.
Here's what I see so far:

format: xxxxxxyyyyyyzzzzzzzzzzz
x - random
y - related to either timestamp or a login id
z - constant; might be user id

Can you try logging in twice on the same second (server time), to see how y changes? The lazy way is to open two tabs, while using the firefox addon HttpFox to log the data. If both have the same Date response header, then check the "in" cookie values.

Also see what changes when you log into a different account.

Re: Data encoding - crackable?
Posted by: Perow
Date: December 21, 2009 05:25PM

Thanks for the idea. Below is the output of something I tried: I set up a multi-threaded script to log in several times on three different accounts. This is what I learnt.

x - Turns out to be not so random. Every time I ran the program, the values were kind of close together. I'm guessing it might be a number of milliseconds?
y - Is definitely a timestamp. In the output below, the timestamps are all identical (per run).
z - can not be the user id, because it is the same for all users I try it with. I think it's probably some kind of temporary constant shared among all users?

The output might look interesting to people who know a bit more about this than I do. All I noticed is that the (probably) SHA1 hash turned out the same for some tries with different input.

PS - I removed the usernames but gave them clear names so you can see what belongs to whom. I also printed the thread number after the username.
PPS - The spacing in the IN parameter was added by me to make it more readable.

<USER1:0>
in: 751742 436106 193190253147
out: b96b7ab1efa991e4bd98fa04b456295e2bcb8153

<USER1:1>
in: 775424 436106 193190253147
out: 670f6d00ff112acc61c250b3c72bb44aa3d401d9

<USER1:3>
in: 707345 436106 193190253147
out: 670f6d00ff112acc61c250b3c72bb44aa3d401d9

<USER1:2>
in: 709467 436106 193190253147
out: 5342f078b3dd746fdabd98f191442fa0c5543e04

<USER2:4>
in: 711520 436106 193190253147
out: 52633aff95e6d79af42e37d06faa2da6d945c9bb

<USER2:6>
in: 761698 436106 193190253147
out: 52633aff95e6d79af42e37d06faa2da6d945c9bb

<USER2:7>
in: 706059 436106 193190253147
out: 52633aff95e6d79af42e37d06faa2da6d945c9bb

<USER2:5>
in: 805119 436106 193190253147
out: ac78229d2714720496c660aa8692ebc41db4151b

***

<USER2:5>
in: 579155 436495 193190253147
out: 1765b939adb77fdd4441dc0099e9c1ecf7fbc2aa

<USER2:4>
in: 623072 436495 193190253147
out: e5d1c19454d786a9d9f3c9af22bf00509fcf995f

<USER2:6>
in: 677815 436495 193190253147
out: 0458fc8976c8ccb4a89238c9480f86d4f443ed8f

<USER3:10>
in: 709763 436495 193190253147
out: 9f207937f9e3eb013e7a256bc089823e15016d2c

<USER3:8>
in: 677207 436495 193190253147
out: 5f4a9a9bf470d5049140c9d7aadae4a34122e549

<USER3:11>
in: 613721 436495 193190253147
out: 805bc4ea7998b6ea40397786f8c71772691ab97b

<USER1:0>
in: 647900 436495 193190253147
out: b5dce8da48670be899310ae035528007d31931f5

<USER1:3>
in: 639711 436495 193190253147
out: 2d1b72852ff5d83efd9359eb7c0f1a09f9e9d95b

<USER1:1>
in: 694139 436495 193190253147
out: 76d38393b2c22c544679f6a8070a5b6a1a2e27ce

<USER1:2>
in: 830006 436495 193190253147
out: 76d38393b2c22c544679f6a8070a5b6a1a2e27ce


***

<USER2:6>
in: 558724 436650 193190253147
out: 2f9223bd2db1f95068e0ed347c7deed72aab6598

<USER2:5>
in: 552689 436650 193190253147
out: 6cbb2c33217d43f8ac262d61f9a8b35b13114f0c

<USER2:7>
in: 546384 436650 193190253147
out: 6cbb2c33217d43f8ac262d61f9a8b35b13114f0c

<USER2:4>
in: 565900 436650 193190253147
out: 6cbb2c33217d43f8ac262d61f9a8b35b13114f0c

<USER3:11>
in: 586881 436650 193190253147
out: 14083e1a4950dae1ddb3d6928f5b4c9f77967aac

<USER3:10>
in: 835875 436650 193190253147
out: cac7ffb574a6f965199be49e57205cfae3b65396

<USER3:8>
in: 553437 436650 193190253147
out: cac7ffb574a6f965199be49e57205cfae3b65396

<USER3:9>
in: 611176 436650 193190253147
out: 7791fb46a662b3ba193a027a9554f0464581e31c

<USER1:0>
in: 638917 436650 193190253147
out: b56dc61fc639bbd8083f8f0802f1ff62761b2320

<USER1:1>
in: 547212 436650 193190253147
out: e351e0965e94aeb3db6178bd837bfb455faca2ad

<USER1:3>
in: 653580 436650 193190253147
out: aa30bc3165853b9eba3edccd69ecd45cbe4ff59e

***

<USER2:6>
in: 000502 436788 193190253147
out: f74753e2f85754152cc92e1e5a2aa4a16b30eac8

<USER2:5>
in: 067736 436788 193190253147
out: 4cce44f667af6c1fe13a5817f1483cf90712d1d8

<USER2:4>
in: 133465 436788 193190253147
out: da7fabead838175eb9d511ac456546fd8ffc5c27

<USER3:10>
in: 013285 436788 193190253147
out: 35cbb612fd6fd2f633a4ef7fa983dd61d014cd0d

<USER3:9>
in: 018139 436788 193190253147
out: e2063172fe266e7aa129fe16bad22b40d968267e

<USER3:8>
in: 126620 436788 193190253147
out: d4f5882ee453b87d220c96dc655843d437d8d081

<USER1:2>
in: 121206 436788 193190253147
out: b8fdfefed46918c69108d24359acc31ff81e7fad

<USER1:1>
in: 234347 436788 193190253147
out: 1ea4abddae562d5349e3b67c95e7e033ca40009b

<USER1:0>
in: 134169 436788 193190253147
out: 37879afa15cb9d9f9c816523c789ccea8dc804e5


***

<USER2:7>
in: 928062 436869 193190253147
out: 28e3f5be55b9c4009ab2e9af2a9588271d7667c2

<USER2:6>
in: 984465 436869 193190253147
out: e8435f8d23f56857c5e8f91f231f81cd2d028150

<USER2:5>
in: 003029 436870 193190253147
out: e8435f8d23f56857c5e8f91f231f81cd2d028150

<USER2:4>
in: 945768 436869 193190253147
out: f3a322151ef908cc7d16498a03ed6d5978b90ecf

<USER3:9>
in: 836975 436869 193190253147
out: be453efc4642f2b6c31f4bff6e376ec4a59da017

<USER3:10>
in: 847820 436869 193190253147
out: 71792048c261e84ac6e62ae2b7ec9b9f0f0f9533

<USER3:8>
in: 894029 436869 193190253147
out: 3b34ca85f8ddb39552dd4866898d5c54ce30c47f

<USER1:3>
in: 951477 436869 193190253147
out: d8172923028a90785199489252c273eb248cff35

<USER1:1>
in: 898867 436869 193190253147
out: 5f8c58c78cc4cabd346264072923aaca0ec9ed43

<USER1:0>
in: 904879 436869 193190253147
out: 664eff0ed62bd38c5fa00f886cc03416ac72ca1e

<USER1:2>
in: 903745 436869 193190253147
out: 664eff0ed62bd38c5fa00f886cc03416ac72ca1e

Re: Data encoding - crackable?
Posted by: rvdh
Date: December 26, 2009 03:48PM

What language/platform? .NET, PHP, JSP, Ruby? Answers to that could help.

Re: Data encoding - crackable?
Posted by: Perow
Date: December 29, 2009 07:59AM

Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a PHP/5.1.6
X-Powered-By: PHP/5.1.6

Is that what you were looking for?

Re: Data encoding - crackable?
Posted by: clayfox
Date: January 29, 2010 09:09AM

The 40 character string definitely screams SHA1. I think you were correct in thinking that the input is hashed with something else. That something else is often the IP address. Try hashing the in with the IP concatenated on the beginning or the end.

-clayfox

Re: Data encoding - crackable?
Posted by: cykyc
Date: January 31, 2010 06:58PM

As you noted, you're getting collisions on the hash throughout your testing. I wonder if either the application is having threading issues or if the hash is based on something not fully related to "in" value. Try slowing down your requests a bit and see if you still get collisions.

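Added example, not code from the thread: a small Python script that applies barbarianbob's x/y/z field layout to a subset of Perow's first-run samples and then checks cykyc's point, whether distinct "in" values ever map to the same "out". If they do, "out" cannot be a deterministic function of "in" alone, whatever hash is used. The sample list below is copied from the posted data and the field widths (6, 6, remainder) are assumed from the format line above.

```python
import re
from collections import defaultdict

# Constructed from the samples posted in the thread (first run, y = 436106).
# The user label and the spacing inside the "in" value are the poster's own.
SAMPLES = [
    ("USER1", "775424 436106 193190253147", "670f6d00ff112acc61c250b3c72bb44aa3d401d9"),
    ("USER1", "707345 436106 193190253147", "670f6d00ff112acc61c250b3c72bb44aa3d401d9"),
    ("USER1", "709467 436106 193190253147", "5342f078b3dd746fdabd98f191442fa0c5543e04"),
    ("USER2", "711520 436106 193190253147", "52633aff95e6d79af42e37d06faa2da6d945c9bb"),
    ("USER2", "761698 436106 193190253147", "52633aff95e6d79af42e37d06faa2da6d945c9bb"),
    ("USER2", "805119 436106 193190253147", "ac78229d2714720496c660aa8692ebc41db4151b"),
]

def parse_in(value):
    """Split an 'in' value into the x/y/z fields of the layout in the thread:
    6 digits x, 6 digits y, the remainder z (whitespace ignored). Assumed widths."""
    digits = re.sub(r"\s+", "", value)
    return {"x": digits[:6], "y": digits[6:12], "z": digits[12:]}

def looks_like_sha1(out):
    """True when the token is 40 lowercase hex chars, the size of a SHA-1 digest."""
    return re.fullmatch(r"[0-9a-f]{40}", out) is not None

def field_variation(samples):
    """Number of distinct values each field takes across the samples.
    A field that is constant within a run is not what makes the tokens differ."""
    seen = defaultdict(set)
    for _, value, _ in samples:
        for name, field in parse_in(value).items():
            seen[name].add(field)
    return {name: len(vals) for name, vals in seen.items()}

def find_collisions(samples):
    """Group by output token and return the groups where distinct 'in' values
    produced the same token. Any such group means the token is not computed
    from 'in' alone (an accidental SHA-1 collision between two short strings
    is not a realistic explanation): other server-side state is involved,
    or requests are being cross-wired, as the thread suggests."""
    by_out = defaultdict(set)
    for _, value, out in samples:
        by_out[out].add(re.sub(r"\s+", "", value))
    return {out: sorted(ins) for out, ins in by_out.items() if len(ins) > 1}

if __name__ == "__main__":
    print("all tokens SHA-1 sized:", all(looks_like_sha1(o) for _, _, o in SAMPLES))
    print("distinct values per field:", field_variation(SAMPLES))
    for out, ins in find_collisions(SAMPLES).items():
        print(out, "<-", ", ".join(ins))
```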