Hashmash is a tool to aid in generating various hashes from user-supplied values. Consider, for example, password reset functionality that returns an MD5 hash of something. This is where Hashmash comes in.
In this example we have access to the user account, so we might know, or be in a position to make an educated guess at, some key values that could be used to generate this MD5 hash. Perhaps it’s a combination of all, some or none of: firstname, surname, ID, email address or even an Epoch value. Using Hashmash we can supply a list of variables in a file, choose the hashing algorithm (e.g. MD5, SHA1 etc.), select any delimiters that might have been used to separate the values (for example firstname:surname or firstname & surname), and then generate a hash for each combination. The aim is to get a match for the hash we have, from which we can deduce that the password reset link might be constructed in the form of ID:firstname:emailaddress or Epoch:ID:name etc. With this knowledge we could then potentially change the password for another valid account, as we have ‘cracked’ the construction!
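The enumeration described above, written as an added Python 3 example (not Hashmash's own code and not from the original post) and framed as a check to run against a reset token your own application issued for a test account: if any ordering of known account fields reproduces the token, the scheme is guessable and should be replaced with a random token. The field values, delimiter list and function names are assumptions constructed for illustration.

```python
import hashlib
import itertools
import secrets

def find_construction(target_hex, values,
                      delimiters=("", ":", "&", " & ", "|", "-"),
                      algorithms=("md5", "sha1", "sha256")):
    """Return (algorithm, delimiter, ordered_values) reproducing target_hex, else None."""
    target = target_hex.strip().lower()
    # Try every ordered selection of 1..n values, every delimiter, every algorithm.
    for size in range(1, len(values) + 1):
        for combo in itertools.permutations(values, size):
            for delim in delimiters:
                candidate = delim.join(combo).encode("utf-8")
                for algo in algorithms:
                    if hashlib.new(algo, candidate).hexdigest() == target:
                        return algo, delim, combo
    return None

def new_reset_token():
    """Mitigation: a token drawn from the OS CSPRNG, unrelated to any account data."""
    return secrets.token_hex(32)

# Constructed sample data: fields of a test account and a token built the weak way.
ACCOUNT_FIELDS = ["1042", "alice", "alice@example.test", "1443657600"]
WEAK_TOKEN = hashlib.md5(b"1042:alice:alice@example.test").hexdigest()

if __name__ == "__main__":
    # The weak token is recovered as ID:firstname:emailaddress hashed with MD5.
    print("weak token   ->", find_construction(WEAK_TOKEN, ACCOUNT_FIELDS))
    # A random token has no construction to find, so the check reports None.
    print("random token ->", find_construction(new_reset_token(), ACCOUNT_FIELDS))
```

A `None` result only rules out the fields, delimiters and algorithms that were tried; the server should still store the random token hashed, expire it quickly and accept it once.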
Example run:
Let’s say our values.txt file contains the values 1, 2, 3. Running Hashmash in the most basic mode will generate the following combinations.
OK, let’s generate a ‘test’ hash:
e23e4ae268f4ba432e74e625e6600e59 -
Run the script:
And…
Compatibility for v0.1:
Tested on Kali 2.0/Python 2.7.9 and Ubuntu 14.04/Python 2.7.6 platforms.
Disclaimer:
I’m not a developer! The code is rough, very very rough. I know this. But it works. Hopefully.
Feedback, improvement suggestions (and additions) are always welcome.