Question:
What is the name of the executable with the MD5 hash of cdc47d670159eef60916ca03a9d4a007 that performs a malicious task? (Don't worry, none of these will actually harm your computer.)
No hint.
Answer:
15832-3645-24173.exe
This question sounded easy but turned out to be a bit trickier. You are given the MD5 hash of a file and then asked to give the name of the file. No hints are given since it is so straightforward. Or is it really?
Inside the zipped archive is a large collection of randomly named files of equal size.
In Linux you can find the MD5 hash of all the files in the directory by running “md5sum *”. md5sum is a handy tool that calculates MD5 hashes. You can also get it for Windows from the win-bash project (https://sourceforge.net/projects/win-bash/).
After running the command, you may notice something peculiar: every file in the directory has the same MD5 hash. Are they all the same file? No. One of these files is different, and this phenomenon is known as an MD5 hash collision. An identical MD5 value therefore does not prove that two files are identical. So how can we go about figuring out which file is the one we need? If you were to run the files from the command prompt, you would eventually figure it out, but that method is impractical.
One of these files is supposed to be harmful to our computer. If we know that many of these files are identical, then calculating a different hash will tell us which file is the odd one out. This time, we will calculate each file’s SHA1 hash. It is very, very unlikely that the odd file will have MD5 and SHA1 values both identical to those of the other files. (SHA1 has since had public collisions of its own, so SHA256 is the better choice today; for this challenge any second hash suffices.) In Linux, we can calculate the SHA1 hashes with “sha1sum *”.
15832-3645-24173.exe sticks out like a sore thumb with its different SHA1 sum. Running it from the command prompt, it pretends to erase your hard drive.
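The same odd-one-out check, as an added example that is not part of the original write-up: a short Python script that reads each file in a directory once, computes MD5, SHA1 and SHA256 at the same time, reports files whose digest is unique in the set, and separately reports any group of files that share an MD5 but differ under SHA256 (the signature of a collision set like the one in this challenge). The sample directory it builds is constructed for the demo; because real MD5 collisions cannot be produced here, the collision-reporting path is shown on a hand-built digest table whose values are placeholders, not real hashes.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

ALGOS = ("md5", "sha1", "sha256")


def digest_files(directory, algos=ALGOS):
    """Hash every regular file in `directory` once, with all of `algos`.

    Returns {filename: {algo: hexdigest}}. Reading each file once and
    feeding every hasher is cheaper than running md5sum, then sha1sum,
    then sha256sum over a large archive.
    """
    table = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        hashers = {a: hashlib.new(a) for a in algos}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                for h in hashers.values():
                    h.update(chunk)
        table[name] = {a: h.hexdigest() for a, h in hashers.items()}
    return table


def odd_ones_out(table, algo="sha1"):
    """Names whose `algo` digest occurs exactly once: the 'sore thumb' check."""
    counts = defaultdict(int)
    for digests in table.values():
        counts[digests[algo]] += 1
    return sorted(name for name, d in table.items() if counts[d[algo]] == 1)


def find_collisions(table, weak="md5", strong="sha256"):
    """Groups of files that agree under `weak` but disagree under `strong`.

    A non-empty result means `weak` cannot be trusted to distinguish these
    files. Returns {weak_digest: {strong_digest: [names]}}.
    """
    by_weak = defaultdict(list)
    for name, digests in table.items():
        by_weak[digests[weak]].append(name)
    suspicious = {}
    for weak_digest, names in by_weak.items():
        by_strong = defaultdict(list)
        for name in names:
            by_strong[table[name][strong]].append(name)
        if len(by_strong) > 1:
            suspicious[weak_digest] = {k: sorted(v) for k, v in by_strong.items()}
    return suspicious


def make_sample_directory(count=20, odd_name="odd.exe"):
    """Constructed sample data: `count` identical files plus one that differs.

    Real MD5 collisions cannot be produced here, so the odd file differs under
    every algorithm; the collision-detection path is exercised on a
    hand-built digest table in the demo below.
    """
    directory = tempfile.mkdtemp(prefix="hashdemo-")
    benign = b"MZ" + b"\x00" * 62 + b"benign payload, constructed for the demo\n"
    for i in range(count):
        with open(os.path.join(directory, f"{10000 + i}-{i}.exe"), "wb") as fh:
            fh.write(benign)
    with open(os.path.join(directory, odd_name), "wb") as fh:
        # Same length as the others, one word changed.
        fh.write(benign.replace(b"benign", b"rogue "))
    return directory


if __name__ == "__main__":
    sample = make_sample_directory()
    table = digest_files(sample)
    print("unique under sha1:", odd_ones_out(table, "sha1"))
    # Hand-built table standing in for an Evilize-style pair: same MD5,
    # different SHA256. Digest strings are placeholders, not real values.
    fake = {
        "hello.exe": {"md5": "SAME-MD5", "sha256": "sha256-of-hello"},
        "erase.exe": {"md5": "SAME-MD5", "sha256": "sha256-of-erase"},
    }
    print("collision sets:", find_collisions(fake))
```

Point `digest_files` at the unzipped challenge directory and `odd_ones_out(table, "sha1")` returns the single file whose SHA1 differs; `find_collisions` on the same table would list the whole MD5-colliding group split by SHA256, which is the check worth keeping around for any time a hash match is used as proof that two files are the same.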
You could also have run strings on all the files in the directory and eventually found which one was different.
These files were created with a tool called Evilize, which generates MD5 hash collisions between similar C programs. To understand more about why this happens and to download Evilize, check out https://www.mscs.dal.ca/~selinger/md5collision/.
Like my work? Donate here: https://buymeacoffee.com/forensicnoobsecurity