Theoretically, If you know the hash of a program one intends to install and you generate another file that hashes to that value what could you do?


If I know the hash of a program you intend to install is d306c9f6c5…, if I generate some other file that hashes to that value, I could wreak all sorts of havoc. – from https://nakamoto.com/hash-functions/

Theoretically, If you know the hash of a program one intends to install and you generate another file that hashes to that value what could you do?

Calculating Time for a Attack on Password Hashes

Suppose I have a database containing hashes. Hashes are obtained from password developed from randomly chosen set of 94 characters such that each password size is of 8 characters. So we have 94^8 passwords. Each of the passwords are converted into hashes i.e 94^8 hashes and stored in the database. Now the attacker gets access to the hashes but he can’t reverse the hashes. So he used pre-computed hashes stored in the rainbow table. How can we calculate the time for finding a match between the hashes stored in the DB and the hashes stored in the rainbow table? Somebody please guide me.

How to crack MD4 hashes when username is known

I have come across a hash and hash-identifier identifies it to be of type I came across this answer which is a very good reference point, however, I wanted to know three things:

  1. Online tools to crack this hash given the password. I did come across hashcat and john the ripper. I tried the latter without giving the username(no results). Hashcat did not have the appropriate documentation for the same.
  2. wordlist to be used to brute-force the password
  3. Is scripting the only way to crack the password? Which library should be used? python3 does not have an md4 function.

How can I maintain and automate a list of download URLs with known hashes?

I’m familiar with the concept of downloading a file and manually checking it against a published checksum. See How to verify the checksum of a downloaded file (pgp, sha, etc.)? and Is there a command line method by which I can check whether a downloaded file is complete or broken? for examples.

I would now like to maintain my own list of target URLs and expected checksums, something like:

https://example.com/file.tar.gz, SHA123456... https://example.org/list.txt, SHA1A1A1A... 

…and automate the download-and-check process.

Before I make the mistake of hacking my own solution, is there an established way to do this on a Debian-based distro?

What is the risk of an attacker inserting new password hashes?

The normal threat model that I see with password hashing is as a kind of defense against if the hash somehow leaks to the wider world. In practice, this appears to usually be via some manner of database breach that ends up with (at least) the user table being dumped out. Given that this has happened or can happen, what are the chances that the attacker is also able to put new values into the database?

In particular, I’m thinking of the attacker either generating a new hash for a known password –or taking the attacker’s own hashed password– and substituting it into another user’s record.

Basically, is this a realistic threat to be guarded against or just my thoughts spinning into security paranoia?

Anonymizing IP addresses using (sha) hashes; how to circumvent rainbow table attacks?

Under GDPR, IP addresses are personal data. I have no need to trace back IP to specific users, but I would like to limit downloads to 1 per IP*. I do not want to store plain IPs.

First “solution”/idea would be to hash the IP. I could store the hash 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0. Problem: hashing all 4294967296 possible IP addresses is simple, and someone will easily find that 127.0.0.1 is the stored IP.

Adding salt holds the same problem, you can calculate all the IPs again with this salt and arrive at the same problem.

Is there a solution for this?

* Use case here is simplified, please do not comment on reasons why I want this 😉

is possible someone break the algorythm of my dice game with hashes

I just want to know how much secure are these games. I coded my own game and now want to know how much secure is.

If for example the hash is visible(before you bet) would be possible decipher this hash trying to break the algorythm and then guess the number in the roll just with this hash? And what i need to learn to know more about this.

For example i will provide some examples of the hashes.

1.c910a1337bc486f621fc1b1d8bf72ebf99fba1eb20bbc3834151649f5fd59e40 2.bf09437579722a8378e51b06afef30b5af337ec3472ac6aa6d34e6a1bbb0cf09 3.6a3df2709858f3313c6651133fbb9c177b27aa2d5a6736e01f692e45fb44c948 4.7b2963c6d959f81dad5388389e43e047e336092c005b57a5bc684d0cc7cb19de 

could someone just with the hashes get the algorythm? and how we can protect of this. how much time would take me to get the algorytm.

Some idea if would be possible to get the algorythm to guess the number?

Add additional rounds on existing SHA-512 salted hashes without knowing clear text password?

Assuming you have a salted SHA-512 password hash with 5000 rounds. For example:

{CRYPT}$  6$  rounds=5000$  6835c5dcf0bb7310$  hVod/jy7uONMSa.FVpLHb/2OrWpAj3lB/.RWdvgd3YaQAnzN3rorGhaziswwGsHfOWZYkLwXhHKnCy5By2CKr0 
  • Could one add more rounds (e.g. another 5000 rounds) to this hashed password without knowing the cleartext password such that the hash value still would be valid if a user’s cleartext password is verified?

  • If this is possible as I think it should be, are there existing tools or code to “add more rounds” to this hash value?

Btw. the cleartext password for the above hash is “password” but assume would not know this.

Creating a file of md5 hashes for all files in a directory in PowerShell

I have been trying to write the md5 hashes for all files in a directory and its subdirectories to a file. Ideally, replicating the output of the Unix command find . -type f -exec md5sum {} + (i.e. two columns: lowercase hashes and relative file paths [with forward slashes] separated by a space and terminated only by a line feed).

With a lot of help from Mark Wragg, LotPings and others on stackoverflow, the following command appears to compute md5 hashes for all files in a directory and its subdirectories (including those files without file extensions and those with square brackets in the filename).

(Get-FileHash -Algorithm MD5 -LiteralPath (Get-ChildItem -Recurse -File).fullname | ForEach-Object{"{0} {1}" -f $  _.Hash.ToLower(),(Resolve-Path -LiteralPath $  _.Path -Relative)} | Out-String) -replace '\r(?=\n)' -replace '\','/' | Set-Content -NoNewline -Encoding ascii $  ENV:USERPROFILE\Desktop\hashes.txt 

The two uses of -LiteralPath seems to help with filenames containing square brackets and (Get-ChildItem -Recurse -File).fullname gets the full path of all nested files, including those without file extensions. The rest is just formatting.

Can any one tell me where I can find more information about .fullname? I’ve tried searching for it on Google but without any luck.

I had used Get-ChildItem "*.*" -Recurse, which gives full file paths but only for files with dots in the filename. Whereas, Get-ChildItem "*" -Recurse doesn’t always give the full path for some reason (and returns both files and folders). Compare:

Get-ChildItem "*.*" -Recurse | foreach-object { "$  _" }  Get-ChildItem "*" -Recurse | foreach-object { "$  _" } 

The order of entries in the hashes file won’t be the same as those from the Unix command but compare-object in PowerShell appears to ignore the order of lines, e.g. (https://serverfault.com/questions/5598/how-do-i-diff-two-text-files-in-windows-powershell)

compare-object (get-content oldHashes.txt) (get-content newHashes.txt) 

or

diff (cat oldHashes.txt) (cat newHashes.txt)