{% extends 'core/Cryptographic Failures/cryptographic_failures.html' %} {% load static %}
First of all, let's ask ourselves, are we using any data encryption at all? And if so, are they not deprecated? Some newer frameworks will have some encryption already built in, such as Django or PHP, but you need to do it yourself most of the time. Now let's see an example of an encrypted password with the AES algorithm.
password = 'password123'
Cypher Mode = 'ECB'
Key size in bits = '128'
Secret Key = 'sd13dAsc2lKn8,js'
Result = 'gqLNfljVLcHC0J4mx1KEqw=='
As you can see, the result of encryption is nothing like the original. For encryption, we use keys, and we
What algorithms should you use? There are so many to pick from. It would be best if you never stayed fixated
on one algorithm since new algorithms are created often, and old ones are being cracked. You need to be
ready to upgrade your encryption every few years.
Some algorithms you could use are:
And here are some you should avoid:
Let's look at how we can easily break weak or outdated algorithms such as, in this case, MD5.
import hashlib
def md5_crack(passwords, encrypted):
for password in passwords:
guess = hashlib.md5(password.encode('utf-8')).hexdigest()
if guess == encrypted:
print(f'[+] Password found: {password}')
exit(0)
else:
print(f'[-] Guess: {password} incorrect... {guess}')
print(f'Password not found in wordlist...')
def main():
encrypted = 'ac58b1e8c4d2d0dc8b69b553d36c2758'
with open('passwords.txt') as f:
passwords = f.read().splitlines()
md5_crack(passwords, encrypted)
if __name__ == '__main__':
main()
As you can see, this is a very simple function that cycles through a list of strings (passwords from a text
file) and encrypts them. Then it compares the output to the one provided by the user, which should be an
already hashed password obtained by unspecified means. It counts on the fact
that the user knows what algorithm was used for hashing.
For this reason, you should always implement newer algorithms combined with hashing, salting, or other
security measures to ensure
maximum web application security.
Output of the MD5 cracker.
Feel free to try it out and play around with it yourself.
For correct functionality, you need both files.