COLLECTING FILE HASHES

There are a number of hash databases on the Internet that contain hashes for known-good and known-bad files. Is this the best way of finding malware? Absolutely not! That said, checking hashes is extremely quick compared to scanning files with anti-virus software or attempting to reverse engineer them. A good hash database allows you to eliminate a large number of files from consideration. Occasionally you might find malware using hashes. Reducing the number of files you are forced to look at by eliminating known-good files from your analysis is far more useful, however.

Two popular free hash databases are https://www.owasp.org/index.php/OWASP_File_Hash_Repository from the Open Web Application Security Project (OWASP), and http://www.nsrl.nist.gov/ from the National Institute of Standards and Technology (NIST). As of this writing they both support MD5 and SHA-1. Should they support more modern algorithms in the future, the script below is easily modified (for example, by substituting sha256sum for sha1sum).

send-sha1sum.sh

    #!/bin/bash
    #
    # send-sha1sum.sh
    #
    # Simple script to calculate sha1 sum as part of
    # initial live incident response.
    # Warning: This script might take a long time to run!
    # by Dr. Phil Polstra (@ppolstra) as developed for
    # PentesterAcademy.com.

    usage () {
      echo "usage: $0 <starting directory>"
      echo "Simple script to send SHA1 hash to a log listener"
      exit 1
    }

    if [ $# -lt 1 ] ; then
      usage
    fi

    # find only files, don't descend to other filesystems,
    # execute command sha1sum -b <filename> for all files found
    find "$1" -xdev -type f -exec sha1sum -b {} \; | send-log.sh

Once again we are using find in this script. A new option, -xdev, has appeared. This option tells find to stay on the filesystem that contains the starting directory: it will not descend into directories that are mount points for other filesystems. That matters when you start from / on a live system, where it keeps the run out of pseudo-filesystems such as /proc and /sys and off any mounted network shares. Note that -xdev has nothing to do with symbolic links; find does not follow symbolic links by default, so a symlink to a file on another filesystem is reported as the link itself, not the target. The command sha1sum -b <filename> computes the SHA1 hash of filename while treating it as a binary file. On Linux the -b flag does not change the hash, since there is no text/binary distinction; it simply marks the output with an asterisk before the file name. The output from find is piped through send-log.sh so the hashes land on the forensics workstation rather than being written to the subject system.

Partial results from running this script against the /bin directory on the subject machine are shown in Figure 3.8. The highlighted lines show that /bin/bash and /bin/false have the same hash value. It would appear that the attacker overwrote /bin/false with a copy of /bin/bash. This is likely how system accounts such as lightdm were able to log in despite the administrator's attempt to disable interactive login by setting their shell to /bin/false. Two files with the same hash are, for practical purposes, the same file, so duplicates among system binaries that should differ are always worth a second look; a hash list you collect for one case also becomes the known-good list for the next if the subject system is a clean install of the same distribution.
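The two things a hash list is used for in this section, eliminating known-good files and spotting files that should differ but share a hash (as /bin/false and /bin/bash did above), can be done on the forensics workstation once the hashes have been collected. The following is an added example, not code from the book or from PentesterAcademy.com: hash_tree collects hashes the same way send-sha1sum.sh does, drop_known_good discards anything whose hash appears in a known-good list (assumed to be one lower-case hex SHA-1 per line, such as the SHA-1 column cut out of an NSRL or OWASP export), and report_dupes prints every hash shared by two or more files. The demo tree is constructed for illustration and is not the subject system; the function and file names are my own.

```bash
#!/bin/bash
# Added example (not from the book): hash a directory tree the way
# send-sha1sum.sh does, then (a) discard files whose hash is on a
# known-good list and (b) flag files that share a hash, as /bin/bash
# and /bin/false did on the subject system.

# sha1sum is coreutils; shasum (default algorithm SHA-1) is the fallback
# on systems without it. Both accept -b and print "<hash> *<path>".
SHA1=$(command -v sha1sum || command -v shasum)

# Hash every regular file under $1 without crossing into other filesystems.
# Output format: "<sha1> *<path>", one line per file, as in the script above.
hash_tree() {
    find "$1" -xdev -type f -exec "$SHA1" -b {} \;
}

# Read "<hash> *<path>" lines on stdin and print only those whose hash is
# NOT in the known-good file named by $1 (one lower-case hex hash per line).
drop_known_good() {
    awk -v good="$1" '
        BEGIN { while ((getline h < good) > 0) known[tolower(h)] = 1 }
        !(tolower($1) in known)
    '
}

# Read "<hash> *<path>" lines on stdin and print every hash that two or
# more files share, followed by those paths. The path is taken from the
# text after the first "*" so paths containing spaces survive.
report_dupes() {
    awk '
        { n[$1]++; paths[$1] = paths[$1] " " substr($0, index($0, "*") + 1) }
        END { for (h in n) if (n[h] > 1) print h ":" paths[h] }
    ' | sort
}

# Constructed demo tree (NOT a real system): a fake "bash", a "false"
# that is a byte-for-byte copy of it (the attacker-style overwrite), and
# an unrelated "ls". Prints the directory it created.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    printf 'fake bash\n' > "$d/bash"
    cp "$d/bash" "$d/false"
    printf 'fake ls\n' > "$d/ls"
    echo "$d"
}

# Usage: bash hash-triage.sh [directory]
# With a directory argument, report duplicate hashes under it (try /bin).
# With no argument, run the constructed demo end to end.
if [ $# -gt 0 ]; then
    hash_tree "$1" | report_dupes
elif [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo=$(make_demo_tree)
    "$SHA1" -b "$demo/ls" | cut -d' ' -f1 > "$demo.known"   # known-good: ls only
    echo "== not on the known-good list =="
    hash_tree "$demo" | drop_known_good "$demo.known"
    echo "== files sharing a hash =="
    hash_tree "$demo" | report_dupes
    rm -rf "$demo" "$demo.known"
fi
```

On a real case you would replace the demo tree with the output of send-sha1sum.sh as captured on the workstation, and the known-good file with hashes for the subject's distribution. Running report_dupes over /bin of the subject system is what reproduces the /bin/false finding in Figure 3.8.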

FIGURE 3.8

Some results from running send-sha1sum.sh against the /bin directory of the subject system. The files /bin/bash and /bin/false have the same hash value which indicates the attacker overwrote /bin/false with /bin/bash.
