Difference between revisions of "Hashing"

From ForensicsWiki
(Dead link MD5 Reverse Hash Services)
 
(16 intermediate revisions by 6 users not shown)
Line 1: Line 1:
'''Hashing''' is a method for reducing large inputs to a smaller fixed size output. When doing forensics, typically cryptographic hashing algorithms like [[MD5]] and [[SHA-1]] are used. These functions have a few properties useful to forensics.
+
'''Hashing''' is a method for reducing large inputs to a smaller fixed size output. When doing forensics, typically cryptographic hashing algorithms like [[MD5]] and [[SHA-1]] are used. These functions have a few properties useful to forensics. Other types of hashing, such as [[Context Triggered Piecewise Hashing]] can also be used.
  
 
== Tools ==
 
== Tools ==
 
 
There are literally hundreds of hashing programs out there, but a few related to forensics are:
 
There are literally hundreds of hashing programs out there, but a few related to forensics are:
  
 
* [[md5sum]] - Part of the [[GNU]] coreutils suite, this program is standard on many computers.
 
* [[md5sum]] - Part of the [[GNU]] coreutils suite, this program is standard on many computers.
 
* [[md5deep]] - Computes hashes, recursively if desired, and can compare the results to known values.
 
* [[md5deep]] - Computes hashes, recursively if desired, and can compare the results to known values.
 +
* [[ssdeep]] - Computes and matches [[Context Triggered Piecewise Hashes]].
 +
 +
==Hash Databases==
 +
; [[National Software Reference Library ]]
 +
: The largest hash database.
 +
; [[Hashkeeper]]
 +
: National Drug Intelligence Center
 +
; http://sunsolve.sun.com/fileFingerprints.do
 +
: Solaris Fingerprint Database lookup for files distributed by Sun Microsystems
 +
 +
==Online NSRL Lookup==
 +
; http://ionrift.ath.cx/nsrl/
 +
: Allows searching of NSRL 2.17 by MD5 or SHA1. Reportedly the dataset contains 43,103,492 files.
 +
: (Infrequently available, and likely only when the site owner (Jason Spashett) needs to use it himself.)
 +
 +
==MD5 Reverse Hash Services==
 +
There are several online services that allow you to enter a hash code and find out what the preimage might have been.  One way to find these services is to google for 'd41d8cd98f00b204e9800998ecf8427e' (the MD5 of the null string).
 +
 +
Here are some services that we have been able to find:
 +
 +
; http://md5.benramsey.com
 +
: A nice forward and reverse demonstration system, with an XML and AJAX interface.
 +
 +
; http://www.hashcrack.com/
 +
: Reverse hash lookup of MD5, SHA1, MySQL, NTLM, and Lanman hashes. Claims 75 million hashes of 13.2 million unique words.
 +
 +
; http://gdataonline.com/seekhash.php
 +
: MD5 reverse lookup with approximately 1 million entries.
 +
 +
; http://hash.insidepro.com/
 +
: Hash database from InsidePro (MD5, NTLM).
 +
 +
; http://www.xmd5.cn/index_en.htm
 +
; http://www.xmd5.org/index_en.htm
 +
: This site is another simple MD5 reverse lookup. It claims a database with "billions" of entries. Mostly for password cracking. (Who uses straight MD5s for passwords?)
 +
 +
Others:
 +
; http://www.md5this.com/
 +
; http://www.csthis.com/md5/
 +
; http://md5.rednoize.com/
 +
 +
==Online Malware Hash Lookups==
 +
; http://www.team-cymru.org/Services/MHR/
 +
: Malware Hash Registry by Team Cymru.
 +
: Utilizes a DNS query interface to lookup MD5 or SHA-1 Hashes for malware
 +
; http://www.virustotal.com/buscaHash.html
 +
: VirusTotal.com Online hash lookup no api/automation yet like Team Cymru but does frequently have hashes for current new malware
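Review bot: The added ssdeep entry links to [[Context Triggered Piecewise Hashes]] while the revised intro sentence links to [[Context Triggered Piecewise Hashing]]; unless both titles exist, one of them will be a broken link, so point both at the same page and pipe the plural form if needed. In the Hash Databases list, the link [[National Software Reference Library ]] carries a trailing space inside the brackets that should be removed. The intro sentence needs a comma after the Context Triggered Piecewise Hashing link, "to lookup" in the Team Cymru entry should be "to look up", and the VirusTotal description is a run-on that would read better as two sentences.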

Latest revision as of 11:30, 5 May 2009

Hashing is a method for reducing large inputs to a smaller, fixed-size output. In forensics, cryptographic hashing algorithms like MD5 and SHA-1 are typically used. These functions have a few properties useful to forensics. Other types of hashing, such as Context Triggered Piecewise Hashing, can also be used.

Tools

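There are literally hundreds of hashing programs out there, but a few related to forensics are:

* md5sum - Part of the GNU coreutils suite, this program is standard on many computers.
* md5deep - Computes hashes, recursively if desired, and can compare the results to known values.
* ssdeep - Computes and matches Context Triggered Piecewise Hashes.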

Hash Databases

* National Software Reference Library - The largest hash database.
* Hashkeeper - National Drug Intelligence Center
* http://sunsolve.sun.com/fileFingerprints.do - Solaris Fingerprint Database lookup for files distributed by Sun Microsystems

Online NSRL Lookup

* http://ionrift.ath.cx/nsrl/ - Allows searching of NSRL 2.17 by MD5 or SHA1. Reportedly the dataset contains 43,103,492 files. (Infrequently available, and likely only when the site owner (Jason Spashett) needs to use it himself.)

MD5 Reverse Hash Services

There are several online services that allow you to enter a hash code and find out what the preimage might have been. One way to find these services is to google for 'd41d8cd98f00b204e9800998ecf8427e' (the MD5 of the null string).

Here are some services that we have been able to find:

* http://md5.benramsey.com - A nice forward and reverse demonstration system, with an XML and AJAX interface.
* http://www.hashcrack.com/ - Reverse hash lookup of MD5, SHA1, MySQL, NTLM, and Lanman hashes. Claims 75 million hashes of 13.2 million unique words.
* http://gdataonline.com/seekhash.php - MD5 reverse lookup with approximately 1 million entries.
* http://hash.insidepro.com/ - Hash database from InsidePro (MD5, NTLM).
* http://www.xmd5.cn/index_en.htm, http://www.xmd5.org/index_en.htm - This site is another simple MD5 reverse lookup. It claims a database with "billions" of entries. Mostly for password cracking. (Who uses straight MD5s for passwords?)

Others:

* http://www.md5this.com/
* http://www.csthis.com/md5/
* http://md5.rednoize.com/

Online Malware Hash Lookups

* http://www.team-cymru.org/Services/MHR/ - Malware Hash Registry by Team Cymru. Uses a DNS query interface to look up MD5 or SHA-1 hashes for malware.
* http://www.virustotal.com/buscaHash.html - VirusTotal.com online hash lookup. It has no API or automation yet like Team Cymru's, but it frequently has hashes for current, new malware.