09-19-2017, 10:55 AM 
		
	
	
Hi all,
I'm doing an ethical hacking activity and I want to test whether the developers used a good or bad "secret" for cookie signing.
The software is made with Mojolicious, which signs its cookies using HMAC-SHA1.
The problem is that the smallest signed cookie I can get from the application is 72 chars long!
Using HMAC-SHA1 (150) and giving HASH:cookie (I need to "crack" the key) results in a "Line-length exception".
Am I doing something wrong? Is the hashcat limitation something related to the GPU implementation, or just a sanity check with passwords in mind?
HMAC is a message authentication algo; it sounds strange to me that it's impossible to brute a 72-char-long text!
Does anyone have good advice for me?
Thank you in advance
Paolo
	
	
	
	
 
 

 


