| Name | reset-tolkien JSON |
| Version |
1.1.1
JSON |
| download |
| home_page | None |
| Summary | Unsecure time-based secret exploitation and Sandwich attack implementation. |
| upload_time | 2024-04-21 10:00:11 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.10 |
| license | MIT License Copyright (c) 2024 Tom Chambaretaud Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| keywords |
security
secret
reset
token
tolkien
|
| VCS |
 |
| bugtrack_url |
|
| requirements |
dateparser
hi-dateinfer
python-dateutil
pytz
PyYAML
regex
shortuuid
six
typing_extensions
tzlocal
|
| Travis-CI |
No Travis.
|
| coveralls test coverage |
No coveralls.
|
# Reset Tolkien
## Unsecure time-based secret exploitation and Sandwich attack implementation
This tool is the result of research into "Unsecure time-based secrets" from this article:
- [\[EN\] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the "Reset Tolkien" tool](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)
To better understand how to use this tool, we strongly recommend that you read it first.
> *Yeah, this tool is based on a rather grotesque pun.*
- - -
## Installation
Install from [pip](https://pypi.org/project/reset-tolkien/):
```
▶ pip install reset-tolkien
```
## Installation from Docker
```
▶ git clone https://github.com/AethliosIK/reset-tolkien.git
▶ cd reset-tolkien
▶ docker build -t reset-tolkien:latest .
▶ docker run --rm -it --net=host -v "$PWD:/reset-tolkien/" reset-tolkien:latest -h
```
## Usage
To detect whether a token is time-based, simply use this command:
```bash
$ reset-tolkien detect 660430516ffcf -d "Wed, 27 Mar 2024 14:42:25 GMT" --prefixes "attacker@example.com" --suffixes "attacker@example.com" --timezone "-7"
The token may be based on a timestamp: 1711550545.458703 (prefix: None / suffix: None)
The convertion logic is "uniqid"
```
To attack this token, use this command to export possible tokens:
```bash
$ reset-tolkien sandwich 660430516ffcf -bt 1711550546.485597 -et 1711550546.505134 -o output.txt --token-format="uniqid"
Tokens have been exported in "output.txt"
```
## Encoding and hash function supported
The tool recursively tests different token formats:
- `base32`
- `base64`
- `urlencode`
- `hexint`
- `hexstr`: ASCII integer encoding
- `uniqid`: the PHP function `uniqid` previously studied
- `uuidv1`: the format of a time-based UUID Version 1
- `shortuuid`: a popular UUID encoding function
- `mongodb_objectid`: the Mongo DB data format studied above
- `datetime`: the encoding of a date from a custom date format
- `datetimeRFC2822`: encoding a date using the format from the RFC2822 standard
The tool also manages the most popular hash functions:
- `md5`
- `sha1`
- `sha224`
- `sha256`
- `sha384`
- `sha512`
- `sha3_224`
- `sha3_256`
- `sha3_384`
- `sha3_512`
- `blake_256`
- `blake_512`
## Help
The various features of the tool are as follows:
- `detect`: detects whether a provided token is based on a date, provided or not:
```bash
usage: reset-tolkien detect [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS] [--date-format-of-token DATE_FORMAT_OF_TOKEN] [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]
[--int-timestamp-range INT_TIMESTAMP_RANGE] [--float-timestamp-range FLOAT_TIMESTAMP_RANGE] [--timezone TIMEZONE] [-l {1,2,3}] [-t TIMESTAMP] [-d DATETIME]
[--datetime-format DATETIME_FORMAT] [--prefixes PREFIXES] [--suffixes SUFFIXES] [--hashes HASHES]
token
positional arguments:
token The token given as input.
options:
-h, --help show this help message and exit
-r, --roleplay Not recommended if you don't have anything else to do
-v {0,1,2}, --verbosity {0,1,2}
Verbosity level (default: 0)
-c CONFIG, --config CONFIG
Config file to set TimestampHashFormat (default: default.yml)
--threads THREADS Define the number of parallelized tasks for the decryption attack on the hash. (default: 8)
--date-format-of-token DATE_FORMAT_OF_TOKEN
Date format for the token - please set it if you have found a date as input.
--only-int-timestamp Only use integer timestamp. (default: False)
--decimal-length DECIMAL_LENGTH
Length of the float timestamp (default: 7)
--int-timestamp-range INT_TIMESTAMP_RANGE
Time range over which the int timestamp will be tested before and after the input value (default: 60s)
--float-timestamp-range FLOAT_TIMESTAMP_RANGE
Time range over which the float timestamp will be tested before and after the input value (default: 2s)
--timezone TIMEZONE Timezone of the application for datetime value (default: 0)
-l {1,2,3}, --level {1,2,3}
Level of search depth (default: 3)
-t TIMESTAMP, --timestamp TIMESTAMP
The timestamp of the reset request
-d DATETIME, --datetime DATETIME
The datetime of the reset request
--datetime-format DATETIME_FORMAT
The input datetime format (default: server date format like "Tue, 12 Mar 2024 16:24:05 UTC")
--prefixes PREFIXES List of possible values for the prefix concatenated with the timestamp. Format: prefix1,prefix2
--suffixes SUFFIXES List of possible values for the suffix concatenated with the timestamp. Format: suffix1,suffix2
--hashes HASHES List of possible hashes to try to detect the format. Format: suffix1,suffix2 (default: all identified hash)
```
- `bruteforce`: provides a list of possible tokens from an arbitrarily defined token format and time frame:
```bash
usage: reset-tolkien bruteforce [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS] [--date-format-of-token DATE_FORMAT_OF_TOKEN] [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]
[--int-timestamp-range INT_TIMESTAMP_RANGE] [--float-timestamp-range FLOAT_TIMESTAMP_RANGE] [--timezone TIMEZONE] [-t TIMESTAMP] [-d DATETIME]
[--datetime-format DATETIME_FORMAT] [--token-format TOKEN_FORMAT] [--prefix PREFIX] [--suffix SUFFIX] [-o OUTPUT] [--with-timestamp]
token
positional arguments:
token The token given as input.
options:
-h, --help show this help message and exit
-r, --roleplay Not recommended if you don't have anything else to do
-v {0,1,2}, --verbosity {0,1,2}
Verbosity level (default: 0)
-c CONFIG, --config CONFIG
Config file to set TimestampHashFormat (default: default.yml)
--threads THREADS Define the number of parallelized tasks for the decryption attack on the hash. (default: 8)
--date-format-of-token DATE_FORMAT_OF_TOKEN
Date format for the token - please set it if you have found a date as input.
--only-int-timestamp Only use integer timestamp. (default: False)
--decimal-length DECIMAL_LENGTH
Length of the float timestamp (default: 7)
--int-timestamp-range INT_TIMESTAMP_RANGE
Time range over which the int timestamp will be tested before and after the input value (default: 60s)
--float-timestamp-range FLOAT_TIMESTAMP_RANGE
Time range over which the float timestamp will be tested before and after the input value (default: 2s)
--timezone TIMEZONE Timezone of the application for datetime value (default: 0)
-t TIMESTAMP, --timestamp TIMESTAMP
The timestamp of the reset request with victim email
-d DATETIME, --datetime DATETIME
The datetime of the reset request with victim email
--datetime-format DATETIME_FORMAT
The input datetime format (default: server date format like "Tue, 12 Mar 2024 16:25:07 UTC")
--token-format TOKEN_FORMAT
The token encoding/hashing format - Format: encoding1,encoding2
--prefix PREFIX The prefix value concatenated with the timestamp.
--suffix SUFFIX The suffix value concatenated with the timestamp.
-o OUTPUT, --output OUTPUT
The filename of the output
--with-timestamp Write the output with timestamp
```
- `sandwich`: provides a list of possible tokens based on a token format and a time frame bounded by two dates:
```bash
usage: reset-tolkien sandwich [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS] [--date-format-of-token DATE_FORMAT_OF_TOKEN] [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]
[--int-timestamp-range INT_TIMESTAMP_RANGE] [--float-timestamp-range FLOAT_TIMESTAMP_RANGE] [--timezone TIMEZONE] [-bt BEGIN_TIMESTAMP] [-et END_TIMESTAMP]
[-bd BEGIN_DATETIME] [-ed END_DATETIME] [--datetime-format DATETIME_FORMAT] [--token-format TOKEN_FORMAT] [--prefix PREFIX] [--suffix SUFFIX] [-o OUTPUT]
[--with-timestamp]
token
positional arguments:
token The token given as input.
options:
-h, --help show this help message and exit
-r, --roleplay Not recommended if you don't have anything else to do
-v {0,1,2}, --verbosity {0,1,2}
Verbosity level (default: 0)
-c CONFIG, --config CONFIG
Config file to set TimestampHashFormat (default: default.yml)
--threads THREADS Define the number of parallelized tasks for the decryption attack on the hash. (default: 8)
--date-format-of-token DATE_FORMAT_OF_TOKEN
Date format for the token - please set it if you have found a date as input.
--only-int-timestamp Only use integer timestamp. (default: False)
--decimal-length DECIMAL_LENGTH
Length of the float timestamp (default: 7)
--int-timestamp-range INT_TIMESTAMP_RANGE
Time range over which the int timestamp will be tested before and after the input value (default: 60s)
--float-timestamp-range FLOAT_TIMESTAMP_RANGE
Time range over which the float timestamp will be tested before and after the input value (default: 2s)
--timezone TIMEZONE Timezone of the application for datetime value (default: 0)
-bt BEGIN_TIMESTAMP, --begin-timestamp BEGIN_TIMESTAMP
The begin timestamp of the reset request with victim email
-et END_TIMESTAMP, --end-timestamp END_TIMESTAMP
The end timestamp of the reset request with victim email
-bd BEGIN_DATETIME, --begin-datetime BEGIN_DATETIME
The begin datetime of the reset request with victim email
-ed END_DATETIME, --end-datetime END_DATETIME
The end datetime of the reset request with victim email
--datetime-format DATETIME_FORMAT
The input datetime format (default: server date format like "Tue, 12 Mar 2024 16:25:55 UTC")
--token-format TOKEN_FORMAT
The token encoding/hashing format - Format: encoding1,encoding2
--prefix PREFIX The prefix value concatenated with the timestamp.
--suffix SUFFIX The suffix value concatenated with the timestamp.
-o OUTPUT, --output OUTPUT
The filename of the output
--with-timestamp Write the output with timestamp
```
## VI.4 - Default tests
By default, the tool is configured to detect this type of time-based token generation:
```php
function getToken($level, $email)
{
switch ($level) {
case 1:
return uniqid();
case 2:
return hash(time());
case 3:
return hash(uniqid());
case 4:
return hash(uniqid() . $email);
case 5:
return hash(date(DATE_RFC2822));
case 6:
return hash($email . uniqid() . $email);
case 7:
return uuid1("Test");
}
}
```
## Customised test configuration
In addition, the tool allows you to define your own token formats before applying a hash function via a `TimestampHashFormat` object. For example, to test whether the token is generated using this token generation function:
```python
# Generate a formatted token
def generate_token():
import datetime
import hashlib
t = datetime.datetime.utcnow().timestamp()
token = hashlib.md5(uniqid(t).encode()).hexdigest()
return token
```
This can be defined in the YAML configuration file:
```yaml
float-uniqid:
description: "Uniqid timestamp"
level: 2
timestamp_type: float
formats:
- uniqid
```
## The "Todo" list
Of course, as with any tool, there is always the possibility of adding new features to complement it.
Among the points that would be very useful:
- **Format management via [Abstract syntax tree](https://docs.python.org/3/library/ast.html)**: the tool currently only manages formats applied in a linear way, so a simple format like `md5(timestamp()+1)` won't be supported. By configuring formats as a tree, this type of format can be supported by the tool.
- **Better application of user-specific information**: when detecting a token format, it is possible to define user-specific information as prefixes or suffixes of the token generation date. Many other configurations could be possible.
- **Management of other dynamic variables**: the tool detects formats and allows attacks based on the only variable supported: time. However, some formats can have several variables that evolve.
- **Addition of new supported formats**: the tool only supports the time-based functions found during my research, but many other formats should still exist and could also be supported by the tool.
## Changelog
You could retrieve changes for each version from [CHANGELOG.md](CHANGELOG.md).
## Licensing
This project is licensed under the [MIT license](LICENSE).
## Credit
- Main illustration: service provided by [@valentin.froute](https://www.instagram.com/valentin.froute/).
Raw data
{
"_id": null,
"home_page": null,
"name": "reset-tolkien",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": "Tom CHAMBARETAUD <tom.chambaretaud@protonmail.com>",
"keywords": "security, secret, reset, token, tolkien",
"author": null,
"author_email": "Tom CHAMBARETAUD <tom.chambaretaud@protonmail.com>",
"download_url": "https://files.pythonhosted.org/packages/05/02/a1a48a6f2c575c7e497170f535aed5f7821de43b8de40df1d6b5390acc65/reset_tolkien-1.1.1.tar.gz",
"platform": null,
"description": "# Reset Tolkien\n\n## Unsecure time-based secret exploitation and Sandwich attack implementation \n\n\n\nThis tool is the result of research into \"Unsecure time-based secrets\" from this article:\n- [\\[EN\\] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the \"Reset Tolkien\" tool](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)\n\nTo better understand how to use this tool, we strongly recommend that you read it first.\n\n> *Yeah, this tool is based on a rather grotesque pun.*\n\n- - -\n\n## Installation\n\nInstall from [pip](https://pypi.org/project/reset-tolkien/):\n\n```\n\u25b6 pip install reset-tolkien\n```\n\n## Installation from Docker\n\n```\n\u25b6 git clone https://github.com/AethliosIK/reset-tolkien.git\n\u25b6 cd reset-tolkien\n\u25b6 docker build -t reset-tolkien:latest . \n\u25b6 docker run --rm -it --net=host -v \"$PWD:/reset-tolkien/\" reset-tolkien:latest -h\n```\n\n## Usage\n\nTo detect whether a token is time-based, simply use this command:\n\n```bash\n$ reset-tolkien detect 660430516ffcf -d \"Wed, 27 Mar 2024 14:42:25 GMT\" --prefixes \"attacker@example.com\" --suffixes \"attacker@example.com\" --timezone \"-7\"\nThe token may be based on a timestamp: 1711550545.458703 (prefix: None / suffix: None)\nThe convertion logic is \"uniqid\"\n```\n\nTo attack this token, use this command to export possible tokens:\n\n```bash\n$ reset-tolkien sandwich 660430516ffcf -bt 1711550546.485597 -et 1711550546.505134 -o output.txt --token-format=\"uniqid\"\nTokens have been exported in \"output.txt\"\n```\n\n## Encoding and hash function supported\n\nThe tool recursively tests different token formats:\n- `base32`\n- `base64`\n- `urlencode`\n- `hexint`\n- `hexstr`: ASCII integer encoding\n- `uniqid`: the PHP function `uniqid` previously studied\n- `uuidv1`: the format of a time-based UUID Version 1\n- `shortuuid`: a popular UUID encoding function\n- `mongodb_objectid`: the Mongo DB data format studied above\n- `datetime`: the encoding of a date from a custom date format\n- `datetimeRFC2822`: encoding a date using the format from the RFC2822 standard\n\nThe tool also manages the most popular hash functions:\n- `md5`\n- `sha1`\n- `sha224`\n- `sha256`\n- `sha384`\n- `sha512`\n- `sha3_224`\n- `sha3_256`\n- `sha3_384`\n- `sha3_512`\n- `blake_256`\n- `blake_512`\n\n## Help\n\nThe various features of the tool are as follows:\n- `detect`: detects whether a provided token is based on a date, provided or not:\n\n```bash\nusage: reset-tolkien detect [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS] [--date-format-of-token DATE_FORMAT_OF_TOKEN] [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]\n [--int-timestamp-range INT_TIMESTAMP_RANGE] [--float-timestamp-range FLOAT_TIMESTAMP_RANGE] [--timezone TIMEZONE] [-l {1,2,3}] [-t TIMESTAMP] [-d DATETIME]\n [--datetime-format DATETIME_FORMAT] [--prefixes PREFIXES] [--suffixes SUFFIXES] [--hashes HASHES]\n token\n\npositional arguments:\n token The token given as input.\n\noptions:\n -h, --help show this help message and exit\n -r, --roleplay Not recommended if you don't have anything else to do\n -v {0,1,2}, --verbosity {0,1,2}\n Verbosity level (default: 0)\n -c CONFIG, --config CONFIG\n Config file to set TimestampHashFormat (default: default.yml)\n --threads THREADS Define the number of parallelized tasks for the decryption attack on the hash. (default: 8)\n --date-format-of-token DATE_FORMAT_OF_TOKEN\n Date format for the token - please set it if you have found a date as input.\n --only-int-timestamp Only use integer timestamp. (default: False)\n --decimal-length DECIMAL_LENGTH\n Length of the float timestamp (default: 7)\n --int-timestamp-range INT_TIMESTAMP_RANGE\n Time range over which the int timestamp will be tested before and after the input value (default: 60s)\n --float-timestamp-range FLOAT_TIMESTAMP_RANGE\n Time range over which the float timestamp will be tested before and after the input value (default: 2s)\n --timezone TIMEZONE Timezone of the application for datetime value (default: 0)\n -l {1,2,3}, --level {1,2,3}\n Level of search depth (default: 3)\n -t TIMESTAMP, --timestamp TIMESTAMP\n The timestamp of the reset request\n -d DATETIME, --datetime DATETIME\n The datetime of the reset request\n --datetime-format DATETIME_FORMAT\n The input datetime format (default: server date format like \"Tue, 12 Mar 2024 16:24:05 UTC\")\n --prefixes PREFIXES List of possible values for the prefix concatenated with the timestamp. Format: prefix1,prefix2\n --suffixes SUFFIXES List of possible values for the suffix concatenated with the timestamp. Format: suffix1,suffix2\n --hashes HASHES List of possible hashes to try to detect the format. Format: suffix1,suffix2 (default: all identified hash)\n```\n\n- `bruteforce`: provides a list of possible tokens from an arbitrarily defined token format and time frame:\n\n\n```bash\nusage: reset-tolkien bruteforce [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS] [--date-format-of-token DATE_FORMAT_OF_TOKEN] [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]\n [--int-timestamp-range INT_TIMESTAMP_RANGE] [--float-timestamp-range FLOAT_TIMESTAMP_RANGE] [--timezone TIMEZONE] [-t TIMESTAMP] [-d DATETIME]\n [--datetime-format DATETIME_FORMAT] [--token-format TOKEN_FORMAT] [--prefix PREFIX] [--suffix SUFFIX] [-o OUTPUT] [--with-timestamp]\n token\n\npositional arguments:\n token The token given as input.\n\noptions:\n -h, --help show this help message and exit\n -r, --roleplay Not recommended if you don't have anything else to do\n -v {0,1,2}, --verbosity {0,1,2}\n Verbosity level (default: 0)\n -c CONFIG, --config CONFIG\n Config file to set TimestampHashFormat (default: default.yml)\n --threads THREADS Define the number of parallelized tasks for the decryption attack on the hash. (default: 8)\n --date-format-of-token DATE_FORMAT_OF_TOKEN\n Date format for the token - please set it if you have found a date as input.\n --only-int-timestamp Only use integer timestamp. (default: False)\n --decimal-length DECIMAL_LENGTH\n Length of the float timestamp (default: 7)\n --int-timestamp-range INT_TIMESTAMP_RANGE\n Time range over which the int timestamp will be tested before and after the input value (default: 60s)\n --float-timestamp-range FLOAT_TIMESTAMP_RANGE\n Time range over which the float timestamp will be tested before and after the input value (default: 2s)\n --timezone TIMEZONE Timezone of the application for datetime value (default: 0)\n -t TIMESTAMP, --timestamp TIMESTAMP\n The timestamp of the reset request with victim email\n -d DATETIME, --datetime DATETIME\n The datetime of the reset request with victim email\n --datetime-format DATETIME_FORMAT\n The input datetime format (default: server date format like \"Tue, 12 Mar 2024 16:25:07 UTC\")\n --token-format TOKEN_FORMAT\n The token encoding/hashing format - Format: encoding1,encoding2\n --prefix PREFIX The prefix value concatenated with the timestamp.\n --suffix SUFFIX The suffix value concatenated with the timestamp.\n -o OUTPUT, --output OUTPUT\n The filename of the output\n --with-timestamp Write the output with timestamp\n```\n\n- `sandwich`: provides a list of possible tokens based on a token format and a time frame bounded by two dates:\n\n```bash\nusage: reset-tolkien sandwich [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS] [--date-format-of-token DATE_FORMAT_OF_TOKEN] [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]\n [--int-timestamp-range INT_TIMESTAMP_RANGE] [--float-timestamp-range FLOAT_TIMESTAMP_RANGE] [--timezone TIMEZONE] [-bt BEGIN_TIMESTAMP] [-et END_TIMESTAMP]\n [-bd BEGIN_DATETIME] [-ed END_DATETIME] [--datetime-format DATETIME_FORMAT] [--token-format TOKEN_FORMAT] [--prefix PREFIX] [--suffix SUFFIX] [-o OUTPUT]\n [--with-timestamp]\n token\n\npositional arguments:\n token The token given as input.\n\noptions:\n -h, --help show this help message and exit\n -r, --roleplay Not recommended if you don't have anything else to do\n -v {0,1,2}, --verbosity {0,1,2}\n Verbosity level (default: 0)\n -c CONFIG, --config CONFIG\n Config file to set TimestampHashFormat (default: default.yml)\n --threads THREADS Define the number of parallelized tasks for the decryption attack on the hash. (default: 8)\n --date-format-of-token DATE_FORMAT_OF_TOKEN\n Date format for the token - please set it if you have found a date as input.\n --only-int-timestamp Only use integer timestamp. (default: False)\n --decimal-length DECIMAL_LENGTH\n Length of the float timestamp (default: 7)\n --int-timestamp-range INT_TIMESTAMP_RANGE\n Time range over which the int timestamp will be tested before and after the input value (default: 60s)\n --float-timestamp-range FLOAT_TIMESTAMP_RANGE\n Time range over which the float timestamp will be tested before and after the input value (default: 2s)\n --timezone TIMEZONE Timezone of the application for datetime value (default: 0)\n -bt BEGIN_TIMESTAMP, --begin-timestamp BEGIN_TIMESTAMP\n The begin timestamp of the reset request with victim email\n -et END_TIMESTAMP, --end-timestamp END_TIMESTAMP\n The end timestamp of the reset request with victim email\n -bd BEGIN_DATETIME, --begin-datetime BEGIN_DATETIME\n The begin datetime of the reset request with victim email\n -ed END_DATETIME, --end-datetime END_DATETIME\n The end datetime of the reset request with victim email\n --datetime-format DATETIME_FORMAT\n The input datetime format (default: server date format like \"Tue, 12 Mar 2024 16:25:55 UTC\")\n --token-format TOKEN_FORMAT\n The token encoding/hashing format - Format: encoding1,encoding2\n --prefix PREFIX The prefix value concatenated with the timestamp.\n --suffix SUFFIX The suffix value concatenated with the timestamp.\n -o OUTPUT, --output OUTPUT\n The filename of the output\n --with-timestamp Write the output with timestamp\n```\n\n## VI.4 - Default tests\n\nBy default, the tool is configured to detect this type of time-based token generation:\n\n```php\nfunction getToken($level, $email)\n{\n switch ($level) {\n case 1:\n return uniqid();\n case 2:\n return hash(time());\n case 3:\n return hash(uniqid());\n case 4:\n return hash(uniqid() . $email);\n case 5:\n return hash(date(DATE_RFC2822));\n case 6:\n return hash($email . uniqid() . $email);\n case 7:\n return uuid1(\"Test\");\n }\n}\n```\n\n## Customised test configuration\n\nIn addition, the tool allows you to define your own token formats before applying a hash function via a `TimestampHashFormat` object. For example, to test whether the token is generated using this token generation function:\n\n```python\n# Generate a formatted token\ndef generate_token():\n import datetime\n import hashlib\n \n t = datetime.datetime.utcnow().timestamp()\n token = hashlib.md5(uniqid(t).encode()).hexdigest()\n return token\n```\n\nThis can be defined in the YAML configuration file:\n\n```yaml\nfloat-uniqid:\n description: \"Uniqid timestamp\"\n level: 2\n timestamp_type: float\n formats:\n - uniqid\n```\n\n## The \"Todo\" list\n\nOf course, as with any tool, there is always the possibility of adding new features to complement it.\n\nAmong the points that would be very useful:\n- **Format management via [Abstract syntax tree](https://docs.python.org/3/library/ast.html)**: the tool currently only manages formats applied in a linear way, so a simple format like `md5(timestamp()+1)` won't be supported. By configuring formats as a tree, this type of format can be supported by the tool.\n- **Better application of user-specific information**: when detecting a token format, it is possible to define user-specific information as prefixes or suffixes of the token generation date. Many other configurations could be possible.\n- **Management of other dynamic variables**: the tool detects formats and allows attacks based on the only variable supported: time. However, some formats can have several variables that evolve.\n- **Addition of new supported formats**: the tool only supports the time-based functions found during my research, but many other formats should still exist and could also be supported by the tool.\n\n## Changelog\n\nYou could retrieve changes for each version from [CHANGELOG.md](CHANGELOG.md).\n\n## Licensing\n\nThis project is licensed under the [MIT license](LICENSE).\n\n## Credit\n\n- Main illustration: service provided by [@valentin.froute](https://www.instagram.com/valentin.froute/).\n",
"bugtrack_url": null,
"license": "MIT License Copyright (c) 2024 Tom Chambaretaud Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ",
"summary": "Unsecure time-based secret exploitation and Sandwich attack implementation.",
"version": "1.1.1",
"project_urls": {
"Changelog": "https://github.com/AethliosIK/reset-tolkien/blob/master/CHANGELOG.md",
"Homepage": "https://github.com/AethliosIK/reset-tolkien",
"Issues": "https://github.com/AethliosIK/reset-tolkien/issues",
"Repository": "https://github.com/AethliosIK/reset-tolkien"
},
"split_keywords": [
"security",
" secret",
" reset",
" token",
" tolkien"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "f919b30d53e71d61d4449791a61f048299b9b876198361eae237908bb292216e",
"md5": "b80cdba8d8996dfe035d1c4308070686",
"sha256": "67fa9479736698c3d2e9c6e95abf260768ce701a92fa5ed5aebbd3e653d20751"
},
"downloads": -1,
"filename": "reset_tolkien-1.1.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "b80cdba8d8996dfe035d1c4308070686",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 27490,
"upload_time": "2024-04-21T10:00:09",
"upload_time_iso_8601": "2024-04-21T10:00:09.661241Z",
"url": "https://files.pythonhosted.org/packages/f9/19/b30d53e71d61d4449791a61f048299b9b876198361eae237908bb292216e/reset_tolkien-1.1.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "0502a1a48a6f2c575c7e497170f535aed5f7821de43b8de40df1d6b5390acc65",
"md5": "386609c5b1db5b35f0d54ecb8dd03c91",
"sha256": "f1781518a71b4d95af7e14312590cdfea89ff919de87d866fae620ed3cbe520b"
},
"downloads": -1,
"filename": "reset_tolkien-1.1.1.tar.gz",
"has_sig": false,
"md5_digest": "386609c5b1db5b35f0d54ecb8dd03c91",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 28128,
"upload_time": "2024-04-21T10:00:11",
"upload_time_iso_8601": "2024-04-21T10:00:11.830034Z",
"url": "https://files.pythonhosted.org/packages/05/02/a1a48a6f2c575c7e497170f535aed5f7821de43b8de40df1d6b5390acc65/reset_tolkien-1.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-04-21 10:00:11",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "AethliosIK",
"github_project": "reset-tolkien",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [
{
"name": "dateparser",
"specs": [
[
"==",
"1.1.8"
]
]
},
{
"name": "hi-dateinfer",
"specs": [
[
"==",
"0.4.6"
]
]
},
{
"name": "python-dateutil",
"specs": [
[
"==",
"2.9.0.post0"
]
]
},
{
"name": "pytz",
"specs": [
[
"==",
"2024.1"
]
]
},
{
"name": "PyYAML",
"specs": [
[
"==",
"6.0.1"
]
]
},
{
"name": "regex",
"specs": [
[
"==",
"2023.12.25"
]
]
},
{
"name": "shortuuid",
"specs": [
[
"==",
"1.0.11"
]
]
},
{
"name": "six",
"specs": [
[
"==",
"1.16.0"
]
]
},
{
"name": "typing_extensions",
"specs": [
[
"==",
"4.10.0"
]
]
},
{
"name": "tzlocal",
"specs": [
[
"==",
"5.2"
]
]
}
],
"lcname": "reset-tolkien"
}
