
#RSAC

SESSION ID: AIR-R10F

Hashes For the Masses

Brad Antoniewicz, Sr. Security Researcher, Cisco Umbrella (formerly OpenDNS), @brad_anton

Agenda

Hashes

$ md5 -s a
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661

$ md5 -s b
MD5 ("b") = 92eb5ffee6ae2fec3ad71c777531578f

$ md5 -s A
MD5 ("A") = 7fc56270e7a70fa81a5935b72eacbe29

Hash functions: md5, sha0, sha1, sha224, sha256, sha384, sha512, sha3-224, sha3-512, shake128, shake256, ripemd-128, ripemd-160, ripemd-256, ripemd-320, whirlpool, blake2, haval5

Cryptographic Hash Functions

Uniquely identify items
Uniquely identify malware

[Hex dump of a malware sample (offsets 0x80e0 to 0x81f0); slide overlay: "One minor change defeats everything"]

$ python -c 'print "A"*10000 + "A"' > test1
$ ssdeep test1
3:WttkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkZ:YLn,"test1"

$ python -c 'print "A"*10000 + "B"' > test2
$ ssdeep test2
3:Wttkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkks:YYv,"test2"

Similarity hashes: ssdeep, tlsh, bitshred, sdhash (bitwise)

>>> import pefile
>>> pefile.PE('evil.exe').get_imphash()
'0580ee873f5698d357bc06bb429bc19f'
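The contrast the two slides above draw (a cryptographic digest is destroyed by a one-byte edit, a context-triggered piecewise hash survives it) is shown below as an added example; it is not code from the deck or from ssdeep. The inputs are constructed (seeded pseudo-random bytes rather than the slide's run of "A"s, so that piece boundaries actually fall), and the piecewise hash is a deliberately simplified stand-in for ssdeep: fixed block size, a trailing 7-byte window sum as the rolling hash, FNV-1a per piece, and an edit-distance score. Real ssdeep chooses its block size adaptively and uses a different rolling hash and scoring.

```python
import hashlib
import random

# Constructed stand-ins for the slide's test1/test2: 4 KiB of seeded
# pseudo-random bytes, a copy with one bit flipped, and an unrelated file.
_rng = random.Random(2017)
TEST1 = bytes(_rng.getrandbits(8) for _ in range(4096))
TEST2 = bytearray(TEST1)
TEST2[2048] ^= 0x01                      # the "one minor change"
TEST2 = bytes(TEST2)
_rng = random.Random(99)
OTHER = bytes(_rng.getrandbits(8) for _ in range(4096))


def digest_bit_difference(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between md5(a) and md5(b) (avalanche effect)."""
    da = int.from_bytes(hashlib.md5(a).digest(), "big")
    db = int.from_bytes(hashlib.md5(b).digest(), "big")
    return bin(da ^ db).count("1") / 128


ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193


def ctph(data: bytes, block_size: int = 64) -> str:
    """Toy context-triggered piecewise hash in the spirit of ssdeep (assumption:
    NOT ssdeep's algorithm).  A rolling hash over the trailing 7-byte window
    decides where a piece ends, so boundaries depend on content, not offsets;
    each piece is summarised by one base64 character of its FNV-1a hash."""
    sig = []
    piece = FNV_BASIS
    for i, byte in enumerate(data):
        piece = ((piece ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        roll = sum(data[max(0, i - WINDOW + 1): i + 1])
        if roll % block_size == block_size - 1:      # trigger: close this piece
            sig.append(ALPHABET[piece & 63])
            piece = FNV_BASIS
    sig.append(ALPHABET[piece & 63])                 # whatever follows the last trigger
    return f"{block_size}:{''.join(sig)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score from the edit distance of the piece strings.  As with
    ssdeep, signatures built with different block sizes are not comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    longest = max(len(body_a), len(body_b))
    return round(100 * (1 - _levenshtein(body_a, body_b) / longest))


if __name__ == "__main__":
    print("md5 bits changed by one flipped bit: %.0f%%" % (100 * digest_bit_difference(TEST1, TEST2)))
    print("ctph similarity test1/test2:", similarity(ctph(TEST1), ctph(TEST2)))
    print("ctph similarity test1/other:", similarity(ctph(TEST1), ctph(OTHER)))
```

Flipping one bit changes roughly half of the MD5 digest bits, which is exactly the property a lookup by exact hash needs and exactly what defeats it against a trivially modified sample; the piecewise signature changes in one or two characters, so the two files still score as near-identical while an unrelated file scores low.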

https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

Practical Techniques
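The import hash shown on the previous slide, computed from an import table directly, as an added example (not the deck's code and not pefile's implementation, though it follows the algorithm FireEye and pefile describe: lower-cased "module.function" entries with a .dll/.ocx/.sys extension stripped, comma-joined in import-table order, then MD5). The import lists are constructed; ordinal-only imports, which pefile resolves through lookup tables, are not handled here.

```python
import hashlib


def imphash_string(imports) -> str:
    """Canonical string behind an imphash: '<module>.<function>' per import,
    lower-cased, module extension removed, joined by commas in table order."""
    parts = []
    for module, func in imports:
        lib = module.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string (hex)."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import tables (module, function) in the order the PE lists them.
SAMPLE = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("WS2_32.dll", "WSAStartup"),
    ("WS2_32.dll", "connect"),
]
# Same imports, different casing and no extensions: must hash identically.
REBUILT = [
    ("kernel32", "loadlibrarya"),
    ("kernel32", "getprocaddress"),
    ("ws2_32", "wsastartup"),
    ("ws2_32", "connect"),
]
# Same imports in a different order: a different linker/source layout, so a different imphash.
REORDERED = [SAMPLE[2], SAMPLE[3], SAMPLE[0], SAMPLE[1]]

if __name__ == "__main__":
    print(imphash_string(SAMPLE))
    print("imphash:", imphash(SAMPLE))
```

Because the hash covers order as well as names, two builds of the same source tend to share an imphash even when every byte-level digest differs, which is what makes it a useful pivot; the flip side is that packers that rebuild the import table collapse many unrelated samples onto one value, so treat a shared imphash as a lead, not an identity.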

Hash subroutines
Strip whitespace
Hash asm instructions
Hash strings

We have plenty of ways to find bad. Most files are good.

Hash Database

Malware Hash Databases: OWASP FHR, Team Cymru MHR, VirusShare, VirusTotal
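The subroutine-hashing technique from the slide above (hash the instructions of each function after stripping whitespace and anything that changes between builds) as an added example; this is not code from the deck. The objdump-style listings are constructed, and the normalisation rules are assumptions: the address/byte column is dropped, whitespace is collapsed, and hex constants of four or more digits are replaced by a placeholder so that call targets and addresses do not perturb the hash.

```python
import hashlib
import re

SYM_HDR = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")                     # "0000000000401136 <check_key>:"
ADDR_COL = re.compile(r"^\s*[0-9a-f]+:\s*(?:[0-9a-f]{2}\s)+\s*")    # "  401136:  55 48 ..."
HEX_CONST = re.compile(r"\b(?:0x)?(?=[0-9a-f]*\d)[0-9a-f]{4,}\b")   # 4+ hex digits containing a digit

# Constructed listings of the same function from two builds: different load
# addresses, different call displacement, different column spacing.
LISTING_A = """\
0000000000401136 <check_key>:
  401136:       55                      push   %rbp
  401137:       48 89 e5                mov    %rsp,%rbp
  40113a:       48 83 ec 10             sub    $0x10,%rsp
  40113e:       e8 0d 00 00 00          call   401150 <strcmp@plt>
  401143:       c9                      leave
  401144:       c3                      ret
"""
LISTING_B = """\
0000000000001189 <check_key>:
    1189:   55                  push %rbp
    118a:   48 89 e5            mov %rsp,%rbp
    118d:   48 83 ec 10         sub $0x10,%rsp
    1191:   e8 ba fe ff ff      call 1050 <strcmp@plt>
    1196:   c9                  leave
    1197:   c3                  ret
"""
# Same function with one instruction actually changed (stack frame size).
LISTING_C = LISTING_A.replace("48 83 ec 10             sub    $0x10,%rsp",
                              "48 83 ec 20             sub    $0x20,%rsp")


def split_subroutines(listing: str) -> dict:
    """Group listing lines under the '<symbol>:' header they belong to."""
    subs, name, body = {}, None, []
    for raw in listing.splitlines():
        line = raw.strip()
        m = SYM_HDR.match(line)
        if m:
            if name is not None:
                subs[name] = body
            name, body = m.group(1), []
        elif line and name is not None:
            body.append(raw)
    if name is not None:
        subs[name] = body
    return subs


def normalize_instruction(line: str) -> str:
    """Drop the address and byte columns, mask address-sized constants,
    collapse whitespace: what survives is mnemonic plus operands."""
    line = ADDR_COL.sub("", line.lower(), count=1)
    line = HEX_CONST.sub("ADDR", line)
    return " ".join(line.split())


def hash_subroutine(lines) -> str:
    text = "\n".join(normalize_instruction(l) for l in lines)
    return hashlib.sha256(text.encode()).hexdigest()


def subroutine_hashes(listing: str) -> dict:
    """{symbol: sha256 of the normalised instruction stream}"""
    return {name: hash_subroutine(body) for name, body in split_subroutines(listing).items()}


if __name__ == "__main__":
    for tag, listing in (("A", LISTING_A), ("B", LISTING_B), ("C", LISTING_C)):
        print(tag, subroutine_hashes(listing))
```

Per-function hashes like these are what make a hash database useful beyond whole-file lookups: a relinked or rebased binary keeps the same function hashes, while a genuine code change in one function shows up as exactly one new hash. Small immediates are deliberately kept, since they are usually part of the logic rather than layout; widen or narrow the masking to taste.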

Good/Benign-Hash Databases: Kaspersky Whitelist, Encase (paid), HashKeeper (?), KnownGoods (?), rolling your own

Prior Work (Shouts)
• hashdog (Par!)
• hfind
• nsrlsvr
• hashdig

Requirements
• Local and API accessible
• Super fast lookup
• Lots of hash types
• Feature framework for ML
• Store plaintext

Bloom Filter
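A Bloom filter front end for a hash database, as an added example of the slide's topic; it is not pyhashdd's code. The filter is a bit array probed at k positions derived from one SHA-256 (double hashing); a lookup answers "definitely unknown" or "probably known", never a false negative, which is what makes it safe for weeding out known-good files. The digests in the known-good set are constructed from the MD5 values on the Hashes slide plus the MD5 of an empty file; the capacity and false-positive target are assumptions.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array probed at k positions per key.  Answers are
    'definitely not present' or 'probably present'; there are no false negatives."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 probes.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, key: str):
        # Double hashing: positions h1 + i*h2 from one SHA-256 of the normalised key.
        d = hashlib.sha256(key.strip().lower().encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key: str) -> None:
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, key: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))

    def estimated_fp_rate(self) -> float:
        """Probability that an unknown key reads as present, given current fill."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


# Constructed known-good set: the three digests from the Hashes slide plus md5("").
KNOWN_GOOD_MD5 = [
    "0cc175b9c0f1b6a831c399e269772661",  # "a"
    "92eb5ffee6ae2fec3ad71c777531578f",  # "b"
    "7fc56270e7a70fa81a5935b72eacbe29",  # "A"
    "d41d8cd98f00b204e9800998ecf8427e",  # empty file
]


def build_filter(digests, capacity: int = 100_000, fp_rate: float = 1e-4) -> BloomFilter:
    """Size the filter for the database you expect (assumed: 100k digests, 1e-4 FP)."""
    bf = BloomFilter(capacity, fp_rate)
    for d in digests:
        bf.add(d)
    return bf


def triage(bf: BloomFilter, digest: str) -> str:
    """'unknown' can be trusted outright; 'maybe known' must be confirmed
    against the full database (the reason to keep the plaintext hashes too)."""
    return "maybe known" if digest in bf else "unknown"


if __name__ == "__main__":
    bf = build_filter(KNOWN_GOOD_MD5)
    print(f"{bf.m} bits ({len(bf.bits)} bytes), k={bf.k}, est. FP={bf.estimated_fp_rate():.2e}")
    for d in ("0CC175B9C0F1B6A831C399E269772661", "ffffffffffffffffffffffffffffffff"):
        print(d, "->", triage(bf, d))
```

Sized for 100,000 digests at a 0.01% false-positive target the filter is a few hundred kilobytes, small enough to hold in memory or ship with an investigation kit, and a miss needs no database round trip at all. Keys are normalised to lower case before hashing because the same digest arrives in both cases from different tools.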

https://www.nist.gov/sites/default/files/dw-2-aafs-2008-bloom.pdf

pyhashdd case study demo!

Apply What You’ve Learned Today

• Identify known-common files in gold images, VMs, and software packages used in your organization
• Create a hash database using pyhashdd!
• Regularly use pyhashdd during investigations to weed out good files and identify known-bad files
• Tag any attacker-created files from systems or websites within the hash database to track actors


Thank You!

Contact me on Twitter using @brad_anton