Multi-threaded Padding Oracle attacks against any service. Written in Rust.

Overview

rustpad

👇 🏃 Download

  • Arch Linux: yay -Syu rustpad
  • Kali / Debian: apt install ./rustpad.deb
  • Others: cargo install rustpad

🔪 🛏️ A multi-threaded what now?

rustpad is a multi-threaded successor to the classic padbuster, written in Rust. It abuses a Padding Oracle vulnerability to decrypt any cypher text or encrypt arbitrary plain text without knowing the encryption key!

🦀 💻 Features

  • Decryption of cypher texts
  • Encryption of arbitrary plain text
  • Multi-threading on both block and byte level
  • Modern, real-time and interactive TUI!
  • No-TTY support, so you can just pipe output to a file
  • Supports Web server oracles...
  • ... and Script-based oracles. For when you need just that extra bit of control.
  • Automated calibration of web oracle's (in)correct padding response
  • Progress bar and automated retries
  • Smart detection of cypher text encoding, supporting: hex, base64, base64url
  • No-IV support, for cypher texts that do not include an Initialisation Vector
  • Written in purely safe Rust, making sure you don't encounter nasty crashes

🗒️ 🤔 Usage

Using rustpad to attack a padding oracle is easy. It requires only 4 pieces of information to start:

  • target oracle (--oracle)
  • cypher text to decrypt (--decrypt)
  • block size (--block-size)
  • type of oracle (web/script, see below)

; rustpad --help
rustpad
Multi-threaded Padding Oracle attacks against any service.

USAGE:
    rustpad [OPTIONS] --block-size --decrypt --oracle

OPTIONS:
    -B, --block-size
            Block size used by the cypher [possible values: 8, 16]

    -D, --decrypt
            Original cypher text, received from the target service, which is to be decrypted

    -E, --encrypt
            Plain text to encrypt. Encryption mode requires a cypher text to gather necessary data

    -h, --help
            Prints help information

    -n, --no-iv
            Cypher text does not include an Initialisation Vector

    -O, --oracle
            The oracle to question with forged cypher texts. This can be a URL or a shell script.
            See the subcommands `web --help` and `script --help` respectively for further help.

    -V, --version
            Prints version information

    -v, --verbose
            Increase verbosity of logging

SUBCOMMANDS:
    web       Question a web-based oracle
    script    Question a script-based oracle

Web mode

Web mode specifies that the oracle is located on the web. In other words, the oracle is a web server with a URL.

For a padding oracle attack to succeed, an oracle must say so if a cypher text with incorrect padding was provided. rustpad will analyse the oracle's responses and automatically calibrate itself to the oracle's behaviour.

; rustpad web --help
rustpad-web
Question a web-based oracle

USAGE:
    rustpad --block-size --decrypt --oracle web [OPTIONS]

OPTIONS:
    -c, --consider-body
            Consider the response body and content length when determining the web oracle's response to (in)correct padding

    -d, --data
            Data to send in a POST request

    -h, --help
            Prints help information

    -H, --header ...
            HTTP header to send

    -k, --insecure
            Disable TLS certificate validation

    -K, --keyword
            Keyword indicating the location of the cypher text in the HTTP request. It is replaced by the cypher text's value at runtime [default: CTEXT]

    -n, --no-iv
            Cypher text does not include an Initialisation Vector

    -r, --redirect
            Follow 302 Redirects

    -A, --user-agent
            User-agent to identify with [default: rustpad/ ]

    -v, --verbose
            Increase verbosity of logging

Indicate the cypher text's location! See `--keyword` for clarification.
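
On the defending side, the web-mode behaviour above leaves a recognisable shape in an access log: many distinct values for one parameter, answered with one dominant response class and a rare second one, and by default a user agent starting with `rustpad/`. The following detection check is an added example, not part of rustpad; the log format, thresholds, client addresses, parameter name and the `<version>` placeholder are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed log format: client "METHOD target" status bytes "user-agent"
LINE = re.compile(r'(\S+) "(\S+) (\S+)" (\d{3}) (\d+) "([^"]*)"')

def find_probing(lines, min_distinct=50, min_dominant=0.9):
    """Map (client, path, param) to the reasons it looks like oracle probing."""
    values = defaultdict(set)       # distinct values seen for the parameter
    classes = defaultdict(Counter)  # (status, size) response classes
    agents = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        client, _method, target, status, size, agent = m.groups()
        url = urlsplit(target)
        for param, value in parse_qsl(url.query):
            key = (client, url.path, param)
            values[key].add(value)
            classes[key][(status, size)] += 1
            agents[key].add(agent)
    findings = {}
    for key, seen in values.items():
        reasons = []
        dominant = classes[key].most_common(1)[0][1] / sum(classes[key].values())
        same_length = len({len(v) for v in seen}) == 1
        # Many distinct same-length values with one rare response class: byte-wise guessing.
        if len(seen) >= min_distinct and same_length and min_dominant <= dominant < 1:
            reasons.append("guessing-pattern")
        # Weak signal: the client can change this header.
        if any(a.startswith("rustpad/") for a in agents[key]):
            reasons.append("default-user-agent")
        if reasons:
            findings[key] = reasons
    return findings

def sample_log():
    """Constructed data: two probing clients and one ordinary client."""
    lines = []
    for client, agent in (("203.0.113.7", "rustpad/<version>"), ("198.51.100.9", "Mozilla/5.0")):
        for i in range(256):
            token = f"{i:02x}" + "00" * 15 + "ab" * 16
            status, size = ("200", "512") if i == 0x3C else ("500", "87")
            lines.append(f'{client} "GET /session?token={token}" {status} {size} "{agent}"')
    lines += ['192.0.2.10 "GET /session?token=' + "cd" * 32 + '" 200 512 "Mozilla/5.0"'] * 5
    return lines
```

The response-class comparison uses status and size together because `--consider-body` lets the tool distinguish responses that share a status code.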

Script mode

Script mode was made for power users or CTF players 🏴‍☠️ who were given a script to run. The target oracle is a local shell script.

Scripts allow you to run attacks against local oracles or more exotic services. Or you can use script mode to customise and extend rustpad's features. However, if you're missing a feature, feel free to open an issue on GitHub!

; rustpad script --help
rustpad-script
Question a script-based oracle

USAGE:
    rustpad --block-size --decrypt --oracle script [OPTIONS]

OPTIONS:
    -h, --help
            Prints help information

    -n, --no-iv
            Cypher text does not include an Initialisation Vector

    -v, --verbose
            Increase verbosity of logging


Script must respond with exit code 0 for correct padding, and any other code otherwise. Cypher text is passed as the 1st argument.

🕥 💤 Coming soon

  • specify amount of threads & request timeout
  • override/specify encoding
  • send over proxy
  • log to file
  • caching mechanism
  • tab auto-complete
  • smarter URL parsing
  • advanced calibration: response text should contain "x"
  • automated block size detection
  • improve linux binary's file size
  • .NET URL token encoding?

Releases (v1.8.0)
Owner: Kibouo