RE: MD5 Exploit Database?

From: Chris Eagle (cseagleat_private)
Date: Sun Jan 26 2003 - 12:45:05 PST


    A potential starting point is packetstorm which publishes an md5 checksum
    with each file description.  If you spidered through their site, you could
    pull file name/md5 pairs and plug them into a database.  I have a tool I
    could easily modify to do this sort of thing.  If it might be useful, let me
    know.
    
    Chris
    
    -----Original Message-----
    From: Mark G. Spencer [mailto:mspencerat_private]
    Sent: Sunday, January 26, 2003 9:35 AM
    To: forensicsat_private
    Subject: RE: MD5 Exploit Database?
    
    
    Hi James!
    
    I got many replies regarding known good databases, but no one replied to my
    question regarding a known bad database.  Since there are a few very good
    outlets for known good hashes, but not known bad, I have enlisted some help
    to begin work on a known bad resource for the community.
    
    We have a foundation to begin with from bagged web servers we've worked and
    some hashes of trojans and malware floating out there.
    
    If anyone wants more (however preliminary) information, such as rationale,
    you can contact me directly.  I'll post back soon when we actually have
    something up and running that people can play with.
    
    Mark
    
    -----Original Message-----
    From: James.Holleyat_private [mailto:James.Holleyat_private]
    Sent: Saturday, January 25, 2003 7:04 PM
    To: Simson L. Garfinkel
    Cc: Chris Reining; forensicsat_private; Mark G. Spencer; Simson L.
    Garfinkel; Matt Scarborough
    Subject: Re: MD5 Exploit Database?
    
    
    I know this thread started out with looking for a database of MD5s of
    known exploits. I am not aware of where that database might be. But the
    thread seems to have migrated to a question of hashes of known good files.
    
    NIST produces an MD5 and SHA-1 database of over (currently) 7 million
    known good hashes. It is called the National Software Reference Library
    (NSRL). You can find references here:
    
    http://www.nsrl.nist.gov/
    
    James
    
    <snip>
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 12:21:15 PST
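
The thread above discusses loading file name/md5 pairs into a database and checking files against known good (NSRL-style) and known bad hash sets. The following is an added example, not code from any poster in the thread or from their tool: a minimal triage sketch using an in-memory SQLite table. The table layout, function names, file names and sample contents are all assumptions constructed for illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

def md5_file(path, chunk=65536):
    """MD5 of a file, read in chunks so large evidence files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_db(pairs):
    """pairs: (file_name, md5_hex, status) rows; status is 'good' or 'bad'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hashes (md5 TEXT, name TEXT, status TEXT, PRIMARY KEY (md5, status))")
    db.executemany("INSERT OR IGNORE INTO hashes (name, md5, status) VALUES (?, ?, ?)",
                   [(n, m.lower(), s) for n, m, s in pairs])
    return db

def triage(db, root):
    """Walk root; label each file 'bad', 'good' or 'unknown' by MD5 lookup."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = md5_file(path)
            hits = {s for (s,) in db.execute(
                "SELECT status FROM hashes WHERE md5 = ?", (digest,))}
            # A known-bad hit outranks known-good so conflicts get reviewed.
            verdict = "bad" if "bad" in hits else "good" if "good" in hits else "unknown"
            results[os.path.relpath(path, root)] = (verdict, digest)
    return results

def demo():
    # Constructed sample content and name/md5 pairs, not real hash-set entries.
    good, bad = b"constructed known-good\n", b"constructed known-bad\n"
    db = build_db([("ls", hashlib.md5(good).hexdigest(), "good"),
                   ("sample.tgz", hashlib.md5(bad).hexdigest().upper(), "bad")])
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("bin_ls", good), ("tmp_x", bad), ("notes.txt", b"new\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return triage(db, root)

if __name__ == "__main__":
    for path, (verdict, digest) in sorted(demo().items()):
        print(f"{verdict:8} {digest}  {path}")
```

Matching is by content hash only, so a renamed file still hits. Files labelled unknown are the ones left for manual review once the known-good set has been filtered out.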