A potential starting point is packetstorm which publishes an md5 checksum with each file description. If you spider'ed through their site, you could pull file name/md5 pairs and plug them into a database. I have a tool I could easily modify to do this sort of thing. If it might be useful, let me know. Chris -----Original Message----- From: Mark G. Spencer [mailto:mspencerat_private] Sent: Sunday, January 26, 2003 9:35 AM To: forensicsat_private Subject: RE: MD5 Exploit Database? Hi James! I got many replies regarding known good databases, but no one replied to my question regarding a known bad database. Since there are a few very good outlets for known good hashes, but not known bad, I have enlisted some help to begin work on a known bad resource for the community. We have a foundation to begin with from bagged web servers we've worked and some hashes of trojans and malware floating out there. If anyone wants more (however preliminary) information, such as rationale, you can contact me directly. I'll post back soon when we actually have something up and running that people can play with. Mark -----Original Message----- From: James.Holleyat_private [mailto:James.Holleyat_private] Sent: Saturday, January 25, 2003 7:04 PM To: Simson L. Garfinkel Cc: Chris Reining; forensicsat_private; Mark G. Spencer; Simson L. Garfinkel; Matt Scarborough Subject: Re: MD5 Exploit Database? I know this thread started out with looking for a database of MD5s of known exploits. I am not aware of where that database might be. But the thread seems to have migrated to a question of hashes of known good files. NIST produces an MD5 and SHA-1 database of over (currently) 7 million known good hashes. It is called the National Software Reference Library (NSRL). You can find references here: http://www.nsrl.nist.gov/ James <snip> ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 12:21:15 PST