Re: MD5 Exploit Database?

From: Matt Scarborough (vexversaat_private)
Date: Fri Jan 24 2003 - 23:46:16 PST


    On Mon, 20 Jan 2003 07:25:02 -0500, "Simson L. Garfinkel" wrote
    <330A2916-2C72-11D7-B00F-00039303C716at_private>
    
    > Thanks for the pointer to www.knowngoods.org.  Last year I was thinking 
    > of starting up an "MD5 collection project" where people could register 
    > MD5 codes (and I guess you have to do SHA-1 codes now) from different 
    > operating systems or forensics investigations. The theory was that on a 
    > first-pass study of a hard drive, the interesting files are files that 
    > have never been seen anywhere else. I had started on an agent that 
    > people could run to report MD5s and so on, but for some reason I never 
    > finished the project.
    
    As to known goods, an "MD5 collection project," and to the original
    poster, it may be helpful to know Microsoft provides MD5s for its OS
    files, Service Packs, Hotfixes, etc., in the ANSI text file(s)
    UPDATE.VER accompanying each.
    
    Examples follow for Windows 2000, but Windows XP and Windows 2003
    Server have the same format.
    
    \UPDATE\UPDATE.VER from Q328310_W2K_SP4_X86_EN.EXE
    ========
    [SourceFileInfo]
    <snip>
    winlogon.exe=CE8EA42D39C0EB42F064BE762925CA0C,00050000089317DC,179472
                 |-----------  MD5 -------------| |--  Version --| |bytes|
    ========
    
    \I386\UPDATE\UPDATE.VER from W2ksp3.EXE
    ========
    [SourceFileInfo]
    <snip>
    winlogon.exe=96A7495C924CF3FB1D0F857093B6F61F,000500000893150A,178960
                 |-----------  MD5 -------------| |--  Version --| |bytes|
    ========
    
    The SP3 version is 5.0.2195.5386, as in
    
    0x0005 - 5
    0x0000 - 0
    0x0893 - 2195
    0x150A - 5386
    
    and bytes we know how.
    
    Matt Scarborough 2003-01-25
    
    > On Fri, Jan 17, 2003 at 03:01:19PM -0800, Mark G. Spencer wrote:
    > >> I'm working on a server that has been "owned" for over a year.
    > >> Needless to say, there are a significant number of what I would call
    > >> "questionable" files on the box.  Some of them I can quickly identify,
    > >> albeit not authoritatively at this point, (e.g. httpodbc.dll), but
    > >> others I cannot.
    > >>
    > >> If I MD5 the collection of questionable files, is there a database I
    > >> can cross-reference my MD5's against to authoritatively identify what
    > >> these things are?  I understand I may end up with some unknowns
    > >> depending on how the executables were compressed and/or wrapped.
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
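    The UPDATE.VER layout Matt describes (name=MD5,VERSION,SIZE under
    [SourceFileInfo], with the version field read as four 16-bit hex words)
    is easy to turn into a known-goods check. The following is an added
    example, not code from the post: the winlogon.exe line is the W2ksp3.EXE
    entry quoted above, while the notepad.exe entry and its bytes are
    constructed here so the "known good" path can be exercised offline.

```python
import hashlib
import re

# Constructed UPDATE.VER excerpt. winlogon.exe is the W2ksp3.EXE line quoted in the
# post; notepad.exe is made up, with its MD5 computed from the stand-in bytes below.
FAKE_NOTEPAD = b"constructed stand-in for notepad.exe, not the real binary\n"
SAMPLE_UPDATE_VER = f"""[SourceFileInfo]
winlogon.exe=96A7495C924CF3FB1D0F857093B6F61F,000500000893150A,178960
notepad.exe={hashlib.md5(FAKE_NOTEPAD).hexdigest().upper()},000500000893150A,{len(FAKE_NOTEPAD)}
"""

def decode_version(field):
    """Split the 16-hex-digit field into four 16-bit words: 0005 0000 0893 150A -> 5.0.2195.5386."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", field):
        raise ValueError(f"bad version field: {field!r}")
    return ".".join(str(int(field[i:i + 4], 16)) for i in range(0, 16, 4))

def parse_update_ver(text):
    """Return {filename: (MD5, dotted version, size)} from the [SourceFileInfo] section."""
    table, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[sourcefileinfo]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, rest = line.partition("=")
        parts = rest.split(",")
        if (len(parts) != 3 or not re.fullmatch(r"[0-9A-Fa-f]{32}", parts[0])
                or not re.fullmatch(r"[0-9A-Fa-f]{16}", parts[1]) or not parts[2].isdigit()):
            continue  # skip malformed entries rather than trusting them
        table[name.strip().lower()] = (parts[0].upper(), decode_version(parts[1]), int(parts[2]))
    return table

def check_file(name, data, table):
    """Classify a file against the table; the cheap size check runs before hashing."""
    entry = table.get(name.lower())
    if entry is None:
        return "not listed"
    md5, version, size = entry
    if len(data) != size:
        return "size mismatch"
    if hashlib.md5(data).hexdigest().upper() != md5:
        return "md5 mismatch"
    return f"known good {version}"

if __name__ == "__main__":
    table = parse_update_ver(SAMPLE_UPDATE_VER)
    print(table["winlogon.exe"][1])                          # 5.0.2195.5386
    print(check_file("notepad.exe", FAKE_NOTEPAD, table))    # known good 5.0.2195.5386
```

    A file that is "not listed" is exactly the never-seen-anywhere-else case
    the thread is after; a "size mismatch" or "md5 mismatch" on a listed name
    is a different finding and worth its own look.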
    



    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 09:46:45 PST