Follow us on Twitter!
I'd prefer to die standing, than to live on my knees - Che Guevara
Thursday, April 17, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 15
Guests Online: 13
Members Online: 2

Registered Members: 82813
Newest Member: VesuviusSentinel
Latest Articles
View Thread

HellBound Hackers | Computer General | Cryptography

Author

SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-12-09 04:14
Hey all. I found a HUGE vulnerability in an application we're forced to use at school, and decided to download their entire library and upload to my own mirror, edit the JNLP file to point to my server, and edit whatever I want.

The glory streak ended when I opened a JAR file to edit a file, replacing the file, uploading the JAR, and deploying the program, only to have it say the signing failed (joy...).

From my googled results (I now have 6 chrome windows up with about 100 tabs each...) I've deduced that it is SHA1-base64, but tell me if it's wrong:

Code
Hp0t9HWv+V78JpW2rmFOG4gnE1Q=




Background: I 'know' what rainbow tables are (i think - I believe they are just hash->original value pairs, right?), but unfortunately it would be extremely difficult making one seeing as how the hashes are generated by looking at file contents - most of which are huge and/or images.

Any way I could set this up? I have a shitload of the hashes along with the filenames they were generated from, but just dunno how to set them up correctly. I have PasswordsPro, but obviously that wont help i don't think in this case.

Reverse lookup databases aren't much help either...

Also, anything that can map with computers? I have about 400 of them at my disposal if need be, all with 1gb network connections; my teacher is looking for something fun to do with it anyways...

Any help with this? Thanks :)

-Intocksify


Author

RE: SHA1 base 64 (methinks) - help setting up tools

SET
Member

Your avatar

Posts: 380
Location: 0
Joined: 22.02.07
Rank:
Moderate
Posted on 11-12-09 04:44
Hp0t9HWv+V78JpW2rmFOG4gnE1Q=

Where did you get this from?

The Devils in the Details


arcset.com/imgs/Comp 1_4.gif
ARCSET.com
Author

RE: SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-12-09 04:47
Have fun finding SHA1 collisions (hint, you'll want to bypass the hash check).


Author

RE: SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-12-09 05:22
Well, I guess it's the luck of me: right after I posted this, I found a site (http://hogehoge.tk/tool-i/) that encodes it exactly how it should be. I wrote a simple PHp script to open image files, etc. and output the hex, in which I input there and get the appropriate sha1 base64 hash.

Now the problem is is that the manifest file is fine, but the other file isn't - ill explain:

Manifest file (the hashes in this file are the ones that can be generated using the site above):
Code

Manifest-Version: 1.0
X-CL-build-date: 2008-06-06 00:07:33
Created-By: 1.4.2-86 ("Apple Computer, Inc.")
Ant-Version: Apache Ant 1.7.0

Name: Splash-Screen.gif
SHA1-Digest: FjTUGHsryxkht2jUUdmVyJmHnF4=

Name: SummarySplash-Screen.gif
SHA1-Digest: CjAA2uFhchC5Ae+rb5RWZCsG7lg=

Name: TTSplash-Screen.gif
SHA1-Digest: yB6ef9vMaQbvEZe9GvA02LLsRR8=





And the strange file "CL.SF":
Code

Signature-Version: 1.0
Created-By: 1.4.2_16 (Apple Computer, Inc.)
SHA1-Digest-Manifest: v5vTiiASLNJMqOAUguGIoVyq7t4=

Name: Splash-Screen.gif
SHA1-Digest: 2/Pj3FuAKO8YcRI/RkaeQbnSLDw=

Name: SummarySplash-Screen.gif
SHA1-Digest: JCdHYs1XT/t4UoJy/gTAvJ7Lznk=

Name: TTSplash-Screen.gif
SHA1-Digest: piTi1mwqq9maDvb6fDasQuRt13c=






The other files in that directory are a simple list of files (which is obvious) and a file that appears to be a verisign certificate with the filename "CL.RSA", which is too close to "CL.SF" to be a coincidence.

Any further help?

-Intocksify


Author

RE: SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-12-09 05:27
A bit of background since JAR files are signed to prevent tampered files from being passed.

http://www.ibm.com/developerworks/library/j-jar/index.html

signing ads a .sf file, sample:

Code
Contents of signature file META-INF/JAMES.SF

Signature-Version: 1.0
SHA1-Digest-Manifest: HBstZOJBuuTJ6QMIdB90T8sjaOM=
Created-By: 1.3.0 (Sun Microsystems Inc.)

Name: Sample.java
SHA1-Digest: qipMDrkurQcKwnyIlI3Jtrnia8Q=

Name: Sample.class
SHA1-Digest: pT2DYby8QXPcCzv2NwpLxd8p4G4=



Author

RE: SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-12-09 17:04
Surely there must be a way to get valid hashes for the .sf file...

If I have the hash that I can recreate for file A, and the hash for file A that I cannot find or recreate (the unknown salt, etc.), and I have a lot of these, could I make a rainbow table with the known hash and the unknown hash? Or is that not how they work?

Is there another method to do this?

Thanks for the replies.

-Intocksify

EDIT: Just saw the comment of bypassing the hash check - any tips on how to do that?

Thanks.




Edited by on 11-12-09 22:12
Author

RE: SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-09 06:50
LULZ wow. Java fails - download the JDK, make your own certificate ("keystore"Wink, and co-sign the jar. Bam - you bypass the hash checking.

Thanks for the input guys - didn't even need hash decryption xDD

-Intocksify


Author

RE: SHA1 base 64 (methinks) - help setting up tools


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-09 09:52
Intocksify wrote:
LULZ wow. Java fails - download the JDK, make your own certificate ("keystore"Wink, and co-sign the jar. Bam - you bypass the hash checking.


Wow, look at me being completely wrong five posts ago. Nicely done!

Thanks for the input guys


I think it's -you- we need to thank for your input!