
Predicting .NET Guid.NewGuid()

… is unfortunately rather difficult. GUID stands for globally unique identifier. It is commonly used in databases as a primary key. Its main utility lies in the extremely low chance of collision, which means you can reuse the identifier across different systems. Here is one generated using .NET's Guid.NewGuid():


I thought I had a new hack figured out based on predicting the GUID/UUID generated as a ticket for resetting passwords in a web application. If I had a way of predicting the generated GUID from known GUIDs and a timestamp, I was hoping to be able to hijack accounts. It turns out there are two versions of GUID/UUID which are generally used. The first one (v1) uses a MAC address and a timestamp, and is therefore very predictable if you have access to an oracle. The second one (v4) uses a random generator to randomly set 122 of the 128 bits. By definition, it does not have to be a secure random generator either and could therefore be predictable too. By definition a GUID/UUID should be unique, not necessarily truly random.
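To see what the two versions actually carry, the added example below (written for this article, not code from the post or from .NET) decodes the fixed RFC 4122 layout of a GUID string: the version nibble, the variant bits, and for v1 the timestamp, clock sequence and node that make it reconstructable, versus the 122 generator-supplied bits of a v4. The sample values, the helper names (`parse_uuid`, `predictability`, `cross_check`) and the constructed node address are assumptions made for the example; the only thing that matters for a defender is the last function, which says whether the token's structure alone already gives an attacker something to work with.

```python
"""Decode the fixed layout of an RFC 4122 UUID/GUID (example helper, not .NET code)."""
from datetime import datetime, timedelta, timezone
import uuid

# 100-ns intervals between the RFC 4122 epoch (1582-10-15) and the Unix epoch.
GREGORIAN_TO_UNIX_100NS = 0x01B21DD213814000

# Constructed samples, not taken from any real system:
# v1 encoding 2020-01-01T00:00:00Z, clock sequence 0x1234, node 02:42:ac:11:00:02
SAMPLE_V1 = "a747c000-2c29-11ea-9234-0242ac110002"
# v4 with RFC 4122 variant; only the '4' and the leading '9' are format bits
SAMPLE_V4 = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"


def parse_uuid(text: str) -> dict:
    """Split a canonical 8-4-4-4-12 string into the fields RFC 4122 defines.

    Only the version nibble and the variant bits are fixed by the format. For v1
    the rest is time + clock sequence + node; for v4 the remaining 122 bits are
    whatever the generator produced.
    """
    hexdigits = text.strip().strip("{}").replace("-", "")
    if len(hexdigits) != 32:
        raise ValueError(f"not a 128-bit UUID: {text!r}")
    u = int(hexdigits, 16)
    time_low = (u >> 96) & 0xFFFFFFFF
    time_mid = (u >> 80) & 0xFFFF
    time_hi_and_version = (u >> 64) & 0xFFFF
    clock_seq_hi_and_reserved = (u >> 56) & 0xFF
    clock_seq_low = (u >> 48) & 0xFF
    node = u & 0xFFFFFFFFFFFF

    version = time_hi_and_version >> 12
    # The variant lives in the top bits of clock_seq_hi_and_reserved.
    if clock_seq_hi_and_reserved & 0x80 == 0:
        variant = "NCS"
    elif clock_seq_hi_and_reserved & 0xC0 == 0x80:
        variant = "RFC 4122"
    elif clock_seq_hi_and_reserved & 0xE0 == 0xC0:
        variant = "Microsoft"
    else:
        variant = "reserved"

    info = {"version": version, "variant": variant}
    if version == 1:
        timestamp = ((time_hi_and_version & 0x0FFF) << 48) | (time_mid << 32) | time_low
        unix_100ns = timestamp - GREGORIAN_TO_UNIX_100NS
        info["timestamp_100ns"] = timestamp
        info["time"] = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
            microseconds=unix_100ns // 10
        )
        info["clock_seq"] = ((clock_seq_hi_and_reserved & 0x3F) << 8) | clock_seq_low
        info["node"] = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
        # RFC 4122 sets the multicast bit when the node is random instead of a real MAC.
        info["node_is_random"] = bool((node >> 40) & 0x01)
        info["generator_bits"] = 0
    elif version == 4:
        info["generator_bits"] = 128 - 4 - 2  # version nibble and two variant bits fixed
    else:
        info["generator_bits"] = None
    return info


def predictability(info: dict) -> str:
    """Defender's summary of what the layout alone says about guessability."""
    if info["version"] == 1:
        return "derivable: timestamp, clock sequence and node can be read off the value"
    if info["version"] == 4:
        return "depends on the generator: 122 bits, unpredictable only if the RNG is cryptographic"
    return "unknown version"


def cross_check(text: str) -> bool:
    """Confirm the hand-decoded v1 fields agree with the standard library's parser."""
    mine, ref = parse_uuid(text), uuid.UUID(text)
    return (
        mine["version"] == ref.version
        and mine["timestamp_100ns"] == ref.time
        and mine["clock_seq"] == ref.clock_seq
    )


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V4):
        info = parse_uuid(sample)
        print(sample, info, predictability(info), sep="\n  ")
```

Running it on the two constructed samples shows the asymmetry the paragraph describes: the v1 value yields its creation time to the 100 ns, its clock sequence and its node address, so an oracle that hands out one ticket gives a good starting point for the next; the v4 value reveals nothing beyond its version and variant, and whether its 122 bits are guessable is a question about the RNG behind it, not about the format.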

Unfortunately, .NET on Windows, which the web application uses, generates its GUIDs via Guid.NewGuid() using the CryptGenRandom RNG.

I found the following statement on MSDN:

"For reasons of increased privacy protection for our customers, Microsoft systems beginning with Windows 2000 prefer to generate version 4 GUIDs in which the 122 bits of nonformat information are random. Although only a small minority of version 4 GUIDs require cryptographic randomness, the random bits for all version 4 GUIDs built in Windows are obtained via the Windows CryptGenRandom cryptographic API or the equivalent, the same source that is used for generation of cryptographic keys." - MSDN Source