Monday, June 24, 2013

Hash Detector Tool

Since 2009, when I wrote "The string Decoding Process" (published by hakin9 magazine), I have used crafted tools to automatically decode strings (some of them have been published on this blog). Decoding strings is pretty hard, especially nowadays, when many encoding algorithms are commonly used across plenty of "daily life tools". Understanding which encoding we are facing becomes really important when we are analyzing hashes. Let's assume we've just got a file containing hundreds of different hash strings: how do we identify which hashing algorithm has been used? Having a list of hashes that could potentially "hide" passwords or important data, the power of a brute-force machine and the right tools to attack the hash list, but not knowing which algorithm has been used, could be pretty nasty for attackers. Indeed, attackers might have a difficult time attacking hashes without knowing the generation algorithm.

Surfing on this "painful wave", I decided to share a pretty Python script that helped me solve this specific problem. The script can be downloaded here (pastebin). The following image shows how simple the script is, and how easy it is to update it with new hashing algorithms. If you are planning to add new features to the script, please send me the diff file, so that we can create a more generic tool able to detect as many different hashing algorithms as possible.

The script is quite modular and easy to update. What you need to do is add your new hashing function, with its own identifier, to the "algorithms" array (see the following image).

Algorithms array list: easy to expand

After filling in the "algorithms" array, you need to add the new function that decides whether the string you are processing might have been generated by the hash algorithm you've just "declared" in the "algorithms" array. The following image shows you some examples already implemented.

Functions that perform the detection

Finally, in a very quick'n'dirty way, you process the input string by adding the new function to the main flow.

Adding functions to control flow
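The three steps above (declare the algorithm, write its detection function, add it to the flow) can be sketched as follows. This is an added example, not the script from pastebin: the registry layout, identifiers and function names are assumptions made for illustration, and each detector checks only length and character set, so it returns every candidate whose shape fits rather than a single verdict.

```python
import hashlib
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3)-style hashes

def shape(pattern):
    """Build a detector: True when the whole string matches the pattern."""
    compiled = re.compile(pattern)
    return lambda s: compiled.fullmatch(s) is not None

# One entry per algorithm: (identifier, description, detector). To support a
# new format, append one tuple; identify() picks it up with no other change.
# Identifiers are this example's own, not those of the original script.
ALGORITHMS = [
    ("md5", "32 hex; MD4 and NTLM share this shape", shape(r"[0-9a-fA-F]{32}")),
    ("sha1", "40 hex; RIPEMD-160 shares this shape", shape(r"[0-9a-fA-F]{40}")),
    ("sha256", "64 hex", shape(r"[0-9a-fA-F]{64}")),
    ("sha512", "128 hex", shape(r"[0-9a-fA-F]{128}")),
    ("mysql41", "'*' + 40 uppercase hex", shape(r"\*[0-9A-F]{40}")),
    ("md5crypt", "$1$salt$hash", shape(r"\$1\$%s{0,8}\$%s{22}" % (B64, B64))),
    ("bcrypt", "$2x$cost$salt+hash", shape(r"\$2[abxy]?\$\d\d\$%s{53}" % B64)),
    ("sha512crypt", "$6$[rounds=N$]salt$hash",
     shape(r"\$6\$(rounds=\d+\$)?%s{0,16}\$%s{86}" % (B64, B64))),
]

def identify(candidate):
    """Return identifiers of every algorithm whose shape the string fits."""
    s = candidate.strip()
    return [ident for ident, _desc, detect in ALGORITHMS if detect(s)]

def triage(lines):
    """Count lines per candidate set, so a mixed file can be split by type."""
    counts = {}
    for line in lines:
        if line.strip():
            key = tuple(identify(line)) or ("unknown",)
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed sample input: digests of a fixed string plus synthetic entries.
    sample = [
        hashlib.md5(b"example").hexdigest(),
        hashlib.sha1(b"example").hexdigest(),
        hashlib.sha256(b"example").hexdigest(),
        "*" + hashlib.sha1(b"example").hexdigest().upper(),
        "$2b$12$" + "a" * 53,  # bcrypt-shaped placeholder, not a real hash
        "hello world",
    ]
    for key, n in triage(sample).items():
        print(n, "/".join(key))
```

A match means only that the string has the right shape: a 32-character hex string is reported as "md5" even though MD4 and NTLM look identical, so the result narrows the candidates and does not prove the algorithm.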

I hope it is useful to everybody. Enjoy your new hash detector tool!


unixfreaxjp said...

Hello Marco,

I am @unixfreaxjp of #MalwareMustDie, NPO Research Group.
We found this script very useful for malware research, and would like to have your permission to post it into our Google Code MalwareMustDie Project as a Malware Research Tool. We will make a good example of the usage in the wiki pages of the project page too.

Please kindly approve & your response will be greatly appreciated.



Marco Ramilli said...

Hi Unixfreaxjp,

thank you very much for your interest in my blog.
Please feel free to use the script as you like. Just consider that I started the scripts years ago, but what you see right now is the result of many improvements coming from many different people such as: my past students, friends, people on PasteBin and so forth and so on.

unixfreaxjp said...

Thank you very much, I will add it into our Google Code along with your notes.



unixfreaxjp said...

The tool's page is up here.

Thank you very much, we promise to maintain & use it for good purposes.

Marco Ramilli said...

I'm sure,
thank you unixfreaxjp !

Jettro Thullle said...

Someone likes to get unfair credit?

Marco Ramilli said...

Dear Jettro Thulle,
as I wrote on June 26, 2013, the script has been forked many times by my students, friends and people from PasteBin. Although I am quite sure this version is the last that I had.

We posted it on PasteBin years ago (approximately 2). I do not exclude that there could be more recent versions updated by people I don't know, but I am sure it is the last version of my deck.

Amber said...

This is cool!
