Skip to content
logo
Red tradecraft
Hash length extension attack
  • Privacy greenhouse
  • Defence blues
  • Purple crossroads
  • Indigo observatory
  • Contact
Initializing search
    • In: Where the falcons and foxes roam
    • Through: Where the raccoons burrow and rummage
      • The art of staying where you are not wanted
      • Overflowing the bin on purpose
      • Reverse engineering
      • Steganography
      • Crypto-attacks
        • Field notes from the bin-raider’s handbook
        • Crypto-attack runbooks
        • Picking the locks of logic
          • Old tricks, new treats: Unmasking classical ciphers
          • Secret recipes for digital mischief
          • AES: Faults, flips, and forgery
          • Riding the currents: Stream cipher exploits
          • Hash function vulnerabilities
            • DCC Hash
            • DCC2 Hash
            • LM Hash
            • Message Digest 5
            • NT Hash
            • SHA-2 Hash
            • CISCO Salted Password
            • Hash length extension attack
              • Resources
              • Counter moves
            • SHA-3 Hash
          • Unlocking RSA: Asymmetric mischief
          • Curves ahead: Navigating elliptic curve cryptography
          • The curiosity cabinet
      • Slipping through the cracks
    • Out: Where squirrels swipe the crown jewels
    • Fungolia earthworks
    • Unseen University Power & Light Co.
    • The Scarlet Semaphore
    • Resources
    • Counter moves

    Hash length extension attack¶

    RootMe challenge: Service - Hash length extension attack: H(key ∥ message)

    You can use Stephen Bradshaw’s hlextend module.

    Resources¶

    • Everything-you-need-to-know-about-hash-length-extension-attacks (blog.skullsecurity.org)

    Counter moves¶

    A length-extension attack abuses naive MAC-by-hash constructions. HMAC, rather than hash-of-secret-and-message, is the fix. The defender’s view is in the blue notes on the application layer as a target.

    2026-06-14 18:23
    © Copyright 2025, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love in the Unseen University, 2025, with a forest garden fostered by /ut7