https://github.com/Kibouo/rustpad

Multi-threaded Padding Oracle attacks against any service. Written in Rust.
https://github.com/Kibouo/rustpad

cli cryptography infosec padding-oracle-attacks pentesting pentesting-tools rust tui web

Last synced: 21 days ago
JSON representation

Multi-threaded Padding Oracle attacks against any service. Written in Rust.

• Host: GitHub
• URL: https://github.com/Kibouo/rustpad
• Owner: Kibouo
• License: gpl-3.0
• Created: 2021-11-10T22:29:20.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2023-03-05T11:34:53.000Z (almost 2 years ago)
• Last Synced: 2024-10-07T19:19:04.182Z (2 months ago)
• Topics: cli, cryptography, infosec, padding-oracle-attacks, pentesting, pentesting-tools, rust, tui, web
• Language: Rust
• Homepage:
• Size: 336 KB
• Stars: 92
• Watchers: 1
• Forks: 14
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - Kibouo/rustpad - Multi-threaded Padding Oracle attacks against any service. Written in Rust. (Rust)

README

        
# rustpad





    

    

    





    





    











## 👇🏃 Download

| 
Arch linux
                                                                                                                                             | 
Kali / Debian
                                                                                                                         | 
Others
                                                                                                                                   |

| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |

| `yay -Syu rustpad`                                                                                                                                                           | See releases                                                                                                                                 | `cargo install rustpad`                                                                                                                                        |

| 
 | 
 | 
 |


## 🔪🏛️ A multi-threaded what now?

`rustpad` is a multi-threaded successor to the classic [`padbuster`](https://github.com/AonCyberLabs/PadBuster), written in Rust. It abuses a [Padding Oracle vulnerability](https://en.wikipedia.org/wiki/Padding_oracle_attack) to decrypt any cypher text or encrypt arbitrary plain text **without knowing the encryption key**!

## 🦀💻 Features

- Decryption of cypher texts

- Encryption of arbitrary plain text

- Multi-threading on both block and byte level

- Modern, real-time and interactive TUI!

- No-TTY support, so you can just pipe output to a file

- Supports *Web* server oracles...

- ... and *Script*-based oracles. For when you need just that extra bit of control.

- Automated calibration of web oracle's (in)correct padding response

- Progress bar and automated retries

- Tab auto-completion

- Block-level caching

- Smart detection of cypher text encoding, supporting: `hex`, `base64`, `base64url`

- No IV support

- Written in purely safe Rust, making sure you don't encounter nasty crashes

## 🗒️🤔 Usage

Using `rustpad` to attack a padding oracle is easy. It requires only 4 pieces of information to start:

- type of oracle (`web`/`script`, see below)

- target oracle (`--oracle`)

- cypher text to decrypt (`--decrypt`)

- block size (`--block-size`)

### Web mode

Web mode specifies that the oracle is located on the web. In other words, the oracle is a web server with a URL.

For a padding oracle attack to succeed, an oracle must say so if a cypher text with incorrect padding was provided. `rustpad` will analyse the oracle's responses and automatically calibrate itself to the oracle's behaviour.

### Script mode

Script mode was made for power users ~~or CTF players 🏴‍☠️ who were given a script to run~~. The target oracle is a local shell script.

Scripts allow you to run attacks against local oracles or more exotic services. Or you can use script mode to customise and extend `rustpad`'s features. However, if you're missing a feature, feel free to open an issue on [GitHub](https://github.com/Kibouo/rustpad/issues)!

### Shell auto-completion

`rustpad` can generate tab auto-completion scripts for most popular shells:

```sh

rustpad setup 

```

Consult your shell's documentation on what to do with the generated script.

## 🕥💤 Coming soon

- [ ] smarter URL parsing

- [ ] advanced calibration: response text should contain "x", time-based

- [ ] automated block size detection

- [ ] .NET URL token encoding?