Monday, January 6, 2014

Kali Forensics: rahash2

Menu: Forensics -> Hashing Tools
Directory: N/A
Official website: https://github.com/radare/radare2
License: GPL 2/3

rahash2 is another hashing tool in the distribution; it is part of the radare2 malware reverse engineering toolkit. The unique thing about this application is that it is capable of hashing only part of a file, or individual blocks of a file. It supports the following hashes: md4, md5, sha1, sha256, sha384, sha512, crc16, crc32, xor, xorpair, parity, mod255, hamdist, entropy, pcprint.

Let's see it in action:


We can compute regular whole-file hashes by specifying the algorithm (by default it's SHA-1), as with any other hashing tool:

root@kali:~# rahash2 -a sha1 radare2-master.zip
0x00000000-0x0036e170 sha1: 980fd175cc48b18707c92b9fbb05b4c33f88282c

root@kali:~# rahash2 -a md5 radare2-master.zip
0x00000000-0x0036e170 md5: 43cef41da5239d0a24d7d8497810c1d6


To calculate hashes of smaller blocks, we need to specify the block size (-b) and instruct it to show per-block hashes (-B); if we forget -B, it will show only the full-file hash, regardless of the block size.

root@kali:~# rahash2 -b 0x100000 -B radare2-master.zip
0x00000000-0x00100000 md5: 0409937fa5b8b4a9f86699ec690c91e9
0x00100000-0x00200000 md5: 05415f5dc59d38838db5bba658c4f695
0x00200000-0x00300000 md5: 81086380efabe5889e5fb9f2ca47c605
0x00300000-0x00400000 md5: 1b15a320dc9721aa5955300a434b8778
0x00000000-0x00100000 sha1: 1a50ae2df3f64f3b8c9a7669cbdafd308dc2b586
0x00100000-0x00200000 sha1: 2b7a3a1b63ed09feaf65197cef44397276463e80
0x00200000-0x00300000 sha1: 774f15a66c8b507e737818fa2cbe1110f71b4cf4
0x00300000-0x00400000 sha1: dfa5632239204ee50982ab870d2a7e0d4f058a1f
If we want, we can calculate hashes of only a sub-portion of the file by specifying the from (-f) and to (-t) offsets.

root@kali:~# rahash2 -b 0x100000 -B -f 0x100000 -t 0x200000 radare2-master.zip
0x00100000-0x00200000 md5: 05415f5dc59d38838db5bba658c4f695
0x00100000-0x00200000 sha1: 2b7a3a1b63ed09feaf65197cef44397276463e80
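To make clear what the -b/-B and -f/-t options above actually compute, here is an added example that reimplements the idea in plain Python. It is not rahash2 or radare2 code and does not call them; it walks a byte range in fixed-size blocks, hashes each block independently, and prints rows in the same "0xfrom-0xto algo: digest" layout. It goes a little beyond the post by also computing per-block entropy (one of the rahash2 algorithms listed above), which is the usual way to spot packed or encrypted regions inside a file. The sample input is constructed inline; the function names (`iter_blocks`, `block_hashes`, `build_sample`) are this example's own.

```python
#!/usr/bin/env python3
"""Block-wise hashing of a byte range, in the spirit of rahash2 -b/-B/-f/-t.

Constructed example: it does not call rahash2; it reimplements the idea so
per-block hashes can be reproduced and checked without radare2 installed.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Iterator, List, Optional, Sequence, Tuple


def iter_blocks(data: bytes, block_size: int, start: int = 0,
                end: Optional[int] = None) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (from, to, chunk) for each block of data[start:end].

    start/end play the role of rahash2's -f/-t; block_size is -b.
    The final block may be shorter when the range is not a multiple
    of block_size, so its printed range reflects the real end offset.
    """
    if block_size <= 0:
        raise ValueError("block size must be positive")
    if end is None or end > len(data):
        end = len(data)
    if start < 0 or start > end:
        raise ValueError("invalid from/to range")
    offset = start
    while offset < end:
        upper = min(offset + block_size, end)
        yield offset, upper, data[offset:upper]
        offset = upper


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def block_hashes(data: bytes, block_size: int,
                 algos: Sequence[str] = ("md5", "sha1"),
                 start: int = 0, end: Optional[int] = None) -> List[Dict]:
    """Return one dict per block with its range and each requested value."""
    rows = []
    for lo, hi, chunk in iter_blocks(data, block_size, start, end):
        row: Dict = {"from": lo, "to": hi}
        for algo in algos:
            if algo == "entropy":
                row[algo] = shannon_entropy(chunk)
            else:
                # hashlib.new accepts md4/md5/sha1/sha256/... by name
                row[algo] = hashlib.new(algo, chunk).hexdigest()
        rows.append(row)
    return rows


def format_rows(rows: List[Dict], algos: Sequence[str]) -> List[str]:
    """Render rows grouped by algorithm, as rahash2 -B prints them."""
    lines = []
    for algo in algos:
        for row in rows:
            value = row[algo]
            if isinstance(value, float):
                value = f"{value:.6f}"
            lines.append(f"0x{row['from']:08x}-0x{row['to']:08x} {algo}: {value}")
    return lines


def build_sample() -> bytes:
    """Constructed 0x300-byte file: zeros, a repeated byte, then all 256 values."""
    return bytes(0x100) + b"A" * 0x100 + bytes(range(256))


if __name__ == "__main__":
    sample = build_sample()
    algos = ("md5", "sha1", "entropy")
    # Equivalent of: rahash2 -b 0x100 -B <file>
    print("\n".join(format_rows(block_hashes(sample, 0x100, algos), algos)))
    # Equivalent of: rahash2 -b 0x100 -B -f 0x100 -t 0x200 <file>
    print("\n".join(format_rows(
        block_hashes(sample, 0x100, algos, start=0x100, end=0x200), algos)))
```

Running it prints three rows per algorithm for the full range and then one row for the 0x100-0x200 sub-range; the sub-range row carries exactly the same md5 and sha1 as the middle block of the full run, which is the same relationship the two rahash2 invocations above show. The entropy column reads 0.0 for the zero block and 8.0 for the block containing every byte value once, so a region of near-8.0 entropy in a real file is a candidate for compressed or encrypted content.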
