Saturday, July 4, 2015

Hashing The Good, The Bad and The Similar

The Bad!!

In the previous post we identified the good in hashing. In this post we will focus on the bad.

The two files we are using are "hashing_lab.txt" and "hashing_lab.txt.copy".

In the previous post we also identified that the 2 files are an exact match, so we can confirm the integrity of these files. I will show it here again for clarity.







Simply change any one character (byte) and the hashes of this file differ completely.
Let's add the letter "z" to the file "hashing_lab.txt.copy" to see how this one character changes the hashes.
root@securitynik:~# echo "z" >> hashing_lab.txt.copy

Verifying the new hashes
root@securitynik:~# md5sum hashing_lab.txt.copy
f5762153ed2a7aa6e01ee0d90018567f  hashing_lab.txt.copy

As we can see the hash above is now different from that of the original file.

Let's now put these 2 files together to see the results up close and personal.






From the above we see that the two files differ. While this is good for confirming that two files are not the same, it in no way tells us whether they are similar. Similarity becomes important when dealing with polymorphic code.
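The point above, measured (an added example, not from the original post; the file contents are constructed because the post does not show them). It compares how many MD5 output bits change against how similar the content actually is, and includes an unrelated input to show that the hash treats a two-byte change and a completely different file the same way.

```python
import difflib
import hashlib

# Constructed sample data: the post does not show the contents of hashing_lab.txt.
ORIGINAL = b"This is the hashing lab file.\nIt is used to compare hash values.\n"
MODIFIED = ORIGINAL + b"z\n"   # what `echo "z" >>` appends: the letter plus a newline
UNRELATED = b"0123456789" * 6  # shares no bytes at all with ORIGINAL


def md5_bits_differing(a: bytes, b: bytes) -> int:
    """Count how many of the 128 MD5 output bits differ between two inputs."""
    da = int.from_bytes(hashlib.md5(a).digest(), "big")
    db = int.from_bytes(hashlib.md5(b).digest(), "big")
    return bin(da ^ db).count("1")


def content_similarity(a: bytes, b: bytes) -> float:
    """Byte-level similarity in [0, 1], computed on the content, not the hash."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def compare(a: bytes, b: bytes) -> dict:
    """Put the hash view and the content view of two inputs side by side."""
    return {
        "same_md5": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "md5_bits_differing": md5_bits_differing(a, b),
        "content_similarity": round(content_similarity(a, b), 3),
    }


if __name__ == "__main__":
    for label, other in [("exact copy", ORIGINAL),
                         ("copy + z", MODIFIED),
                         ("unrelated", UNRELATED)]:
        print(f"{label:<11} {compare(ORIGINAL, other)}")
```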


See you in the next post on Similarity.

