Weak Cryptography
Vulnerabilities
Many applications still use deprecated cryptographic algorithms that can be attacked. This guide covers how to identify and exploit weak crypto.
Deprecated Algorithms
| Algorithm | Weakness | Replace With |
|---|---|---|
| MD5 | Collision attacks, fast cracking | SHA-256, BLAKE3 |
| SHA-1 | Collision attacks (SHAttered) | SHA-256, SHA-3 |
| DES/3DES | 56-bit key, sweet32 attack | AES-256 |
| RC4 | Biased outputs, WEP attacks | ChaCha20, AES-GCM |
| RSA-1024 | Factorable with resources | RSA-2048+, ECC |
Cracking Weak Hashes
bash
# Hashcat - GPU hash cracking
# MD5
hashcat -m 0 hashes.txt wordlist.txt
# SHA-1
hashcat -m 100 hashes.txt wordlist.txt
# SHA-256
hashcat -m 1400 hashes.txt wordlist.txt
# With rules
hashcat -m 0 hashes.txt wordlist.txt -r rules/best64.rule
# John the Ripper
john --format=raw-md5 hashes.txt --wordlist=wordlist.txt
# Rainbow tables for MD5/NTLM
# Use CrackStation, RainbowCrack
# Online: https://crackstation.net/Unsalted Hashes
Unsalted hashes are vulnerable to rainbow table attacks. Always check if hashes
are salted before attempting to crack.