tags:

views:

109

answers:

2

I have some strings and some hashes of them, but I don't know which hash function is used. Any idea?

String   Hash
NN34W    f8b46bcdc3b3c92
EM3M3    d8015ca876fd051
HXDKD    a740e97464e5dfe
AKREJ    aa7aa2dadfcbe53
3bNMK    0f11440639191d9

Edit:

Thanks for the answers, it's a hash of the captcha.

https://registracia.azet.sk/

If you check the URL of the captcha image, at the end is the HASH value. This

To the server are sent in an HTTP POST the TEXT (P92M4) and the HASH (72fec89a2e0ade2) and other values.

I would like to know how to compute the hash of the TEXT P92M4 and check it against the HASH value which is sent to the server.

Because I would like to make my own captcha system for my school project, I am first analyzing the situation and its weaknesses.

+1  A: 

Seems smaller than any industry hash... possibly it's proprietary? A bit more info would help though: what language, where did you get it from?

DaveShaw
It's not a truncation of SHA1, MD5, or any of the standard SHA-2 variants.
Borealid
@Borealid: they could be using salt
Amnon
+4  A: 

As I understand your situation, a POST request sends both the "text" and the "hash" to the CAPTCHA server. This then uses whatever hash function they use to hash your text, checks to see if it matches the hash, and decides whether or not you succeeded. Presumably, the server sends you the image, as well as the hash, and then you enter the text.

As such, if you figured out the hashing function, you'd have completely broken this CAPTCHA system: All you would need to do is hash any string using their hashing function, and then when sending your POST request, ignore the hash they sent you and merely send them your computed text and hash pair. Thus, you could very easily automate successfully passing the CAPTCHA challenge.

To illustrate how difficult "reversing" the hash might be, consider the following hash that they very well might use:

  • Split the TEXT up by alternating letters: thus ABCDE becomes ACE and BD
  • md5 the two halves using salts "fj49w0utw4a" and "r8h3wlsd"
    • md5("fj49w0utw4a"."ACE") is 115c05f0e5300f958ba01caa64b989f
    • md5("r8h3wlsd"."BD") is 74eecae86ef46382eb95443a1b1fa8f5
  • Take every 3rd char of the first string and every 4th char of the second, and alternate them until you have 15 chars
    • 115c05f0e5300f958ba01caa64b989f becomes 55e09b1ab9
    • 74eecae86ef46382eb95443a1b1fa8f5 becomes e8425af5
    • Final hash value for "ABCDE": 5e58e40295ba1fa

There is really no way you are ever going to reverse engineer that.


UPDATE

Note that CAPTCHAs as described above (and implemented on that site) are extremely insecure, as they only require one valid text/hash combination to be known.

To demonstrate, use Firebug or equivalent and navigate to the CAPTCHA area of the form. We will be editing some hidden values.

  • Change the form[captcha_url] value from https://pokec.azet.sk/sluzby/system/captcha/[somehash] to https://pokec.azet.sk/sluzby/system/captcha/ee2be1f239e5d17
  • Change the form[captcha_hash] value from [somehash] to ee2be1f239e5d17
  • Regardless of what the picture says, type "P22KD" for the CAPTCHA

There are several ways to mitigate this vulnerability. As Tangrs suggested, you can store the hash value in a session variable so that it cannot be manipulated by the client. Less elegant but also effective is to store the submitted CAPTCHA in a database and not allow duplicate CAPTCHAs, as is implemented on the link in the question. This is fine, until you start running out of unused CAPTCHAs and end up getting collisions.

Mala
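The illustrative scheme from the bullet list above, implemented as an added example (not code from the answer or from the site in question). The intermediate digests in the answer are hypothetical, so real md5 gives different ones, but the selection and interleaving steps reproduce the answer's own strings; the point for a defender is that any such construction is a plain deterministic function, and whoever has the server code can compute it, so obscurity buys nothing by itself.

```python
import hashlib

# Salts from the answer's hypothetical scheme; nothing to do with the real site.
SALT_A = "fj49w0utw4a"
SALT_B = "r8h3wlsd"


def split_alternating(text):
    """'ABCDE' -> ('ACE', 'BD'): letters at even and at odd positions."""
    return text[0::2], text[1::2]


def every_nth(s, n):
    """Characters at 1-based positions n, 2n, 3n, ... of s."""
    return s[n - 1::n]


def interleave(a, b, length):
    """Alternate characters from a and b (a first) until `length` characters
    are collected; when one string runs out, continue with the other."""
    out = []
    i = 0
    while len(out) < length and (i < len(a) or i < len(b)):
        if i < len(a):
            out.append(a[i])
        if len(out) < length and i < len(b):
            out.append(b[i])
        i += 1
    return "".join(out)


def toy_hash(text):
    """Full pipeline from the answer: split, two salted md5s, pick every 3rd /
    every 4th hex char, interleave to a 15-character value."""
    first, second = split_alternating(text)
    h1 = hashlib.md5((SALT_A + first).encode()).hexdigest()   # 32 hex chars
    h2 = hashlib.md5((SALT_B + second).encode()).hexdigest()  # 32 hex chars
    return interleave(every_nth(h1, 3), every_nth(h2, 4), 15)
```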
You could go into how they could mitigate the weakness, e.g. salts and secrets.
Will
Store the hash in a session variable. Actually, you could just store the plain text of the Captcha in a session variable. Probably will have problems if the user has multiple forms open though.
Tangrs
I've sent the site technical contact an email about this issue.
Lasse V. Karlsen
@Tangrs: There are many ways to mitigate the vulnerability I described above. The sad fact of the matter is that the form linked to in the question uses none of these, and will allow the shenanigans I posted.
Mala
@Lasse: Thank you, that is the responsible thing to do :) I just don't speak the language
Mala
Mala, you are not right. I created 3 HTTP POST requests with the same values of form[captcha_url], form[captcha_hash], form[captha_text] for every call. But the registration failed. I checked the server response, and the captcha was different.
Tom159
@Tom159: You are correct, but only because I simply used your first text/hash you supplied (NN34W / f8b46bcdc3b3c92) without checking if it's correct, which it apparently isn't. Try it with P22KD / ee2be1f239e5d17
Mala
@Mala: But the values you can use only ONCE, not for a second registration. I used these values, made an account, but a second registration with these same values failed.
Tom159
@Tom159: I took another look and they appear to be storing the captcha in the user database, ensuring that no two users sign up with the same captcha. Inelegant but effective. More alarmingly, this indicates that the 5 examples in your question and the one in my answer have all been used to register accounts on that site. Please do not use SO to try to circumvent others' security systems. I have emailed their technical contact and suggested that they examine the accounts reg'ed with the above captchas.
Mala
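The two designs discussed in the answer and comments, as an added example (not the site's code): the weak verifier trusts a text/hash pair echoed back by the client, so one known-good pair can be replayed forever, while the hardened verifier keeps the expected solution in the server-side session under a single-use token, as Tangrs suggested. The `SERVER_KEY`, the form field names other than `captcha_text`/`captcha_hash`, and the `session` dict are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; never leaves the server. Keying the hash stops a
# client from forging new pairs, but does nothing against replaying a known one.
SERVER_KEY = secrets.token_bytes(32)


def captcha_hash(text):
    """Keyed hash of the captcha text, truncated to 15 hex chars like the site's."""
    return hmac.new(SERVER_KEY, text.upper().encode(), hashlib.sha256).hexdigest()[:15]


# --- Weak design from the question: client submits both text and hash -------
def verify_weak(form):
    """Accepts any pair whose hash matches the text; the pair is reusable."""
    return hmac.compare_digest(captcha_hash(form["captcha_text"]), form["captcha_hash"])


# --- Hardened design: expected answer stays server-side, one attempt per token --
def issue_captcha(session, solution):
    """Store the solution in the session; only an opaque token reaches the client."""
    token = secrets.token_hex(8)
    session["captcha"] = {"token": token, "solution": solution.upper()}
    return token


def verify_hardened(session, form):
    """Consume the pending captcha on the first attempt, then compare in constant time."""
    pending = session.pop("captcha", None)  # single use, regardless of outcome
    if pending is None:
        return False
    token_ok = hmac.compare_digest(
        pending["token"].encode(), form.get("captcha_token", "").encode())
    text_ok = hmac.compare_digest(
        pending["solution"].encode(), form.get("captcha_text", "").upper().encode())
    return token_ok and text_ok
```

Because `verify_hardened` pops the session entry before checking, a failed guess also burns the token, which is what prevents the duplicate-submission problem Tom159 ran into from being solved with a shared user database.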