apr 19th changes

This commit is contained in:
Left4Code
2025-04-19 23:15:58 -04:00
parent a157f68243
commit 4d055f0712
20 changed files with 2315 additions and 61 deletions

@@ -0,0 +1,89 @@
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" type="image/x-icon" href="favicon/favicon.ico">
<title>Left4Code - (gtkhash)</title>
<base href="../../">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<header>
<span>Left4Code</span>
</header>
<nav>
<div>
<a href="index.html">Home</a>
<a href="blog.html">Blog</a>
</div>
</nav>
<div class="container">
<section>
<h1 class="blog-header">gtkhash for Hashing Files from a GUI <p>(and introduction to hashing)</p></h1>
<p>Since this is the beginning page in the hashing section, I will explain the concept of hashing here, what is it, what it does, why it's useful, how to use it. This should be quite a small introduction as most of gtkhash is very self-explanatory and you can figure everything out yourself just by clicking around if you really wanted to. Personally, I like the GUI sometimes, it's not too complex, you don't have to have the manual up side-by-side with another terminal tab while trying to do something, and while it's not typically as fast as a cli program in terms of use and output, it's still nice to know how to use.</p>
<h3 class="blog-header">What you need to know (To get the most out of this!)</h3>
<div style="white-space: pre-wrap">
<b></b> A tiny bit of familiarity with the terminal.. But don't worry! It's just for installing gtkhash. (you could just use your GUI software installer to install it instead if you really do not like the terminal.)
<b></b> Some determination to read, mentally digest, practice, and learn for yourself. That's it.. Really.
</div>
<h3 class="blog-header">What this page covers (To Not Waste Your Time!)</h3>
<div style="white-space: pre-wrap">
<b></b> Quick introduction to hashing (what is it, why it's useful.)
<b></b> Installing gtkhash
<b></b> Using gtkhash
<b></b> Using different hashing algorithms in gtkhash
<b></b> Saving hash output to a file using gtkhash
<b></b> The different view modes of gtkhash
<b></b> Closing notes
</div>
<h3 class="blog-header">A Quick Introduction to Hashing (The What, and the why!)</h3>
<h4>The What!</h4>
<p>Let's start with the what. What is hashing? From the way I learned it, hashing is the process of taking some input data, running it through a mathematical algorithm, which then spits out a unique alphanumerical string called a hash. Hashing is designed to be only one way and ""Hopefully!"" not reversible through brute force. So when all is right in the world for a hashing algorithm, a string of data has only one equivalent hash, and the original string can not be derived from the hash. </p>
<h4>The Why!</h4>
<p>Why do we need hashing? Well, hashing is useful because with it, you can verify that the integrity of data remains the same, it can increase the security of a password database for example, because all the server needs to do is compare the hash output with the password received instead of comparing strings directly, and it can provide checksums from developers for things like your web browser. Without hashing, data could be modified by anything from another person, to passing electrons or cosmic mysteries without any real way to tell that something has happened!</p>
<h3 class="blog-header">Installing gtkhash</h3>
<p>To install gtkhash, you can either install it using your fancy GUI Linux software store for your specific distribution (synaptic maybe?) or just install it by opening that big scary terminal and typing the following if you're using a debian-based distribution.</p>
<pre class="preformatted">sudo apt install gtkhash</pre>
<p>To use gtkhash, you can either open it up from your extra extra fancy start menu, or open that scary terminal up again (I know, it'll be the last time for this section, I swear.) And type the following command:</p>
<pre class="preformatted">gtkhash &amp;</pre>
<p>Then run:</p>
<pre class="preformatted">disown -r</pre>
<p>this command should run gtkhash as it's own process not directly attached to the terminal, you should then be able to close the terminal and gtkhash stays open... I hope. If not then you'll have to figure out a solution on your own.</p>
<h3 class="blog-header">Using gtkhash</h3>
<p>To use gtkhash, it's pretty simple, upon launching the program you will be greeted with a file box to select a file, a box to check a file against a checksum file or data from a checksum file, and the remaining boxes for the output of the different hashing algorithms. All you need to do is make a file (or pull one from a location in your file-system like /bin) and then click "hash" in the bottom right, which should spit out the hashes for MD5, SHA1, SHA256, and CRC32 by default.</p>
<h3 class="blog-header">Using different hashing algorithms in gtkhash</h3>
<p>I'll be honest, the default 4 hashing algorithms you get will probably be all you need for the rest of time, but let's say you for some reason really need a hash using the GOST algorithm for example, well head over to that tab labeled "edit" in the top left of the gtkhash window and go down to the "preferences". From there you will be quickly overwhelmed with the 7 billion hash functions, just pick the ones you want by clicking the boxes and it will be added to where those original default 4 algorithms were in gtkhash, and if you specifically hate those 4 default ones, you can remove them the same way.</p>
<h3 class="blog-header">Saving the output from gtkhash to a text file</h3>
<p>To save the results of your epic hashing session, head over to the top left of the gtkhash window and click "file", and the go to "save digest file", from there you will be able to name the hash file. What I would recommend is to save the file with the same name as the original file you hashed, and then with the appropriate extension (.sha1, .md5, .sha256, whatever) so if you hashed the file Timothys_Starbucks_Order.txt using sha1, you would save it as Timothys_Starbucks_Order.sha1, this stops gtkhash from getting confused and it should put the hash in the check box like it's supposed to.</p>
<h3 class="blog-header">Using the different View Modes of gtkhash</h3>
<p>In gtkhash, there are multiple different view modes that you can use which allow you to do different things like instead of hashing a file, you can hash the word "test" for example, and instead of hashing a single file, you can hash multiple files! You can do this by clicking the "view" tab, selecting whatever mode you want, and then do what you need with it.</p>
<h4>Conclusion</h4>
<p>gtkhash is a nifty piece of software that you can use without knowledge of the terminal to create digests of files. What I didn't show was the ability to use gtkhash as an extension in your file manager, for example nautilus, but there's probably a guide somewhere on the internet if you're looking for that specifically. If you want to check to see if gtkhash has an addon for your specific file manager, you can use synaptic and search gtkhash to get the list of addons for whatever file manager they support, but they support most of the big ones and I added the package names so all you would need to do is sudo apt install it. thunar (thunar-gtkhash), nemo (nemo-gtkhash), nautilus (nautilus-gtkhash), caja (caja-gtkhash). Just install the package name in parentheses and it should work without a problem.</p>
<p>That's all, we're using the terminal next do to the same thing!</p>
</section>
</div>
</body></html>
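Review bot: the password example in "The Why!" has the comparison backwards: a server does not "compare the hash output with the password received", it hashes the password it receives (with the stored per-user salt, using a slow password hash) and compares that result with the stored hash, which is the point of never keeping or comparing the plaintext. Two further accuracy points in the same section: a hash is not "unique", since the output is fixed-size and collisions always exist (the property you actually want is that finding one is infeasible), and "not reversible through brute force" does not hold for short or low-entropy inputs, which is exactly why password storage needs salting and a slow KDF. In "Using gtkhash" the four defaults listed (MD5, SHA1, SHA256, CRC32) need a caveat: CRC32 is an error-detecting code with no security properties, and MD5 and SHA-1 have practical collision attacks, so for the integrity and forensics use this page motivates only SHA-256 (or SHA-512) in that list is appropriate; suggest saying so here so readers do not save .md5 digests for evidence. Markup: a `<p>` is not permitted inside `<h1>` (the "gtkhash for Hashing Files from a GUI" heading); use a `<small>` or a separate subtitle element. The "What you need to know" and "What this page covers" blocks use empty `<b></b>` tags as bullet markers; `<ul><li>` is the right structure and also reads correctly in screen readers. The head carries both `<meta http-equiv="content-type">` and `<meta charset="UTF-8">`; one is enough.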

@@ -0,0 +1,109 @@
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" type="image/x-icon" href="favicon/favicon.ico">
<title>Left4Code - (sha*sum)</title>
<base href="../../">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<header>
<span>Left4Code</span>
</header>
<nav>
<div>
<a href="index.html">Home</a>
<a href="blog.html">Blog</a>
</div>
</nav>
<div class="container">
<section>
<h1 class="blog-header">sha*sum for hashing files from the command line</h1>
<p> To clear up any confusion, when I refer to sha*sum, I'm referring to most of the command line hashing programs that come with most linux distributions by default. (md5sum, sha512sum, sha256sum) So just replace sha*sum with the cli hash utility you're currently using. If you want to see what hashing utilities you have on your system, you can have a look in /bin to see what you've got! This is a quick and dirty way to see.</p>
<pre class="preformatted">ls /bin | grep sum</pre>
<h3 class="blog-header">What you need to know (To get the most out of this!)</h3>
<div style="white-space: pre-wrap">
<b></b> Basic understanding of the Linux command line (bash). Specifically, do you understand output and input redirection and pipes ('<b>&gt;</b>', <b>'&lt;'</b>, and '<b>|</b>')
<b></b> Some determination to read, mentally digest, practice, and learn for yourself.
<b></b> How to use the manpages (run "man man" without the double quotes in your terminal if you don't know) this is so you can always use the manpages if this course doesn't get completed or updated. I want to teach you to fish, not give you fish.
<b></b> Whenever I put carat symbols outside of something, don't add them to the command in your actual terminal, ex: &lt;yourfile&gt; should be typed in your terminal as yourfile, or whatever you want to name it, it's just a placeholder, you get it.
</div>
<h3 class="blog-header">What this page covers (To Not Waste Your Time!)</h3>
<div style="white-space: pre-wrap">
<b></b> Quick introduction to hashing things with the command line
<b></b> What can be hashed
<b></b> Some techniques to make hashing more effective
<b></b> Saving hash output to a file
<b></b> Binary mode
<b></b> Taking a hash from a file and comparing it against a file to be hashed
<b></b> Closing notes
</div>
<h3 class="blog-header">A Quick Introduction to Hashing Using the Command Line!</h3>
<p>If you've already read the gtkhash section of the course, you'll know the basics of how hashing works from a high level, and why it's useful for a forensic investigation, to avoid wasting your time, I will quickly explain how to use 99% of command line hashing tools and then go into further detail about some things that are a little more advanced. (moar content!)</p>
<p>Starting off with the basics of the basics, if you want to hash a file using the command line, type the following (obviously remember to change sha*sum to your preferred hash program!)</p>
<pre class="preformatted">sha*sum &lt;file_you_want_to_hash&gt;</pre>
<p>So if all you wanted to know was how to get the hash of a file, that should do it. It will just print the hash of the corresponding file to standard output in the terminal. Now if you want to learn some more things you can do involving bash and these utilities, stick around.</p>
<h3 class="blog-header">What can be hashed?</h3>
<p>Something you might commonly hear after you've used Linux enough is "in Linux, everything is a file". So if that's the case, then technically we could hash anything on the system, couldn't we? Let's see some common examples of things that can be hashed! A fun little list I've cobbled together shows you some of the fun things you can use sha*sum on.</p>
<h4><b>1 —</b> Output from other programs (this will come in handy later!)</h4>
<pre class="preformatted">echo "Hello" | sha*sum</pre>
<h4><b>2 —</b> /dev/null !</h4>
<pre class="preformatted">sha*sum /dev/null</pre>
<h4><b>3 —</b> File Metadata!</h4>
<pre class="preformatted">mat2 -s &lt;your_file&gt; | sha*sum</pre>
<h4><b>4 —</b> The Git Repo for this course!</h4>
<pre class="preformatted">wget https://git.i2pd.xyz/Left4Code/L4C_Forensics_CTF/ -O h1.html &amp;&amp; sha*sum $_</pre>
<p>Basically, you can hash whatever your heart desires if you're thinking hard enough. I'll manipulate some of the above examples to instead be forensics-oriented in the next section.</p>
<h3 class="blog-header">Some Techniques to Make Hashing Effective for Forensics</h3>
<p>Take this scenario for example. You're a forensic investigator and need to always be completely sure that the content given to you by someone (let's say a laptop hard-drive) will keep it's integrity and it can always be verified that nobody has modified it. How would we do that? Well.. With that new knowledge about hashing you just learned, you know that we can use it to hash the files on the drive. But let's go a step further, remember that saying "In Linux, everything is a file"? This includes drives. So instead of hashing out every single file on the drive, just hash the drive file! If anything on the drive changes, the hash will change when verified again and then you can restore from a backup or take the necessary action based on your hashing precaution. To hash a drive, it's pretty simple, you can first use another command line utility (dd) to generate a drive image, then hash it! (In the example below, sdX will need to be changed to the drive you actually want to hash.)</p>
<h4>Quick word of <b><u>WARNING</u></b>, the command below this message will create a complete disk image clone to the actual size of your drive, running this command will effectively fill up all space on your drive. If you still want to run this, maybe get a small usb drive, put some files on it, and create a disk image and hash from that instead to get comfortable with the process.</h4>
<pre class="preformatted">sudo dd if=/dev/sdX of=/&lt;your_dir&gt;/&lt;drive_dump&gt; bs=4M status=progress &amp;&amp; sha*sum &lt;drive_dump&gt;</pre>
<p>Once we generate the .dd file for the target drive and generate the hash for it, we would theoretically be able to pass this to another investigator without the fear of it being modified and nobody knowing about it.</p>
<p>If you don't have the disk space to copy your entire drive to another one. Then you can run this command which will directly generate a hash from your drive and only read from it and not write to it.</p>
<pre class="preformatted">sha*sum /dev/sdX</pre>
<p>If you want to check what drives you have available to be hashed on the system, you can use the following command to check:</p>
<pre class="preformatted">lsblk</pre>
<p>This would only be for the cases where you can't use dc3dd, because it has the ability to hash the .dd file immediately after and this is not necessary. However, using sha*sum on files can still be useful for things like creating hash databases, getting known hashes and inputting them into something like autopsy or sleuthkit to automatically scan for them when looking through a drive, and hashing a live linux system. </p>
<h3 class="blog-header">Saving the output from sha*sum to a text file</h3>
<p>When you normally work with sha*sum, you will not be able to save the output of the hash you generate to a file, there's no -o option and it just prints to standard output so you'll have to use the shell to save the output to a file.</p>
<pre class="preformatted">sha*sum &lt;file_youre_hashing&gt; &gt; &lt;output_file&gt;</pre>
<h3 class="blog-header">Reading files in binary mode</h3>
<p>When specifying sha*sum to read in binary mode with the -b flag, this is specifically used so that binary and other files which need very careful attention to detail are read properly, sha*sum does this by reading the input file byte by byte instead of text character by text character, it is very rare that you will ever use this, but it's good to know that it exists if you need to use it for very specific circumstances where a file is presenting two different hashes depending on the mode specified.</p>
<pre class="preformatted">sha*sum -b &lt;file_youre_hashing&gt; &gt; &lt;output_file&gt;</pre>
<h3 class="blog-header">Comparing hash files to generated hashes with sha*sum</h3>
<p>This is honestly useful even without the forensic context, it's important to verify the hashes of software you're downloading to ensure that the software is coming from the developers and has not been modified by a third party. The complete version of this involves using pgp keys in combination with the hashes, but to keep this simple (and also because I have no idea how to do it, when I figure it out I will update this) I will just show the check functionality for sha*sum</p>
<p>Let's use this scenario: I'm the developer, and I want to prove to the user that the executable they are downloading comes from me and has not been tampered with, I would first hash the executable to a file like so:</p>
<h4>The Developer:</h4>
<pre class="preformatted">sha*sum --tag &lt;the_executable&gt; &gt; &lt;the_hash_file&gt;</pre>
<p>the "--tag" makes it so sha*sum won't throw a beginning error when you check the hash file against the file you're running sha*sum on and sha*sum will add a little more content to the ouput file showing the correlation of the file and the hash, not putting --tag does not negatively impact sha*sum's ability to check the hash file compared to what it is being ran against. I would then include the hash file and the executable file together so that the user can download both, then, as the user, I would download both and then run the following command:</p>
<h4>The User:</h4>
<pre class="preformatted">sha*sum -c &lt;the_executable&gt; &lt;the_hash_file&gt;</pre>
<p>The output of this command should say OK somewhere in the terminal, if it does not, and says FAILED: checksum did not match, then you know someone's up to some funny business and you probably shouldn't install that piece of software.</p>
<h4>Conclusion</h4>
<p>This covers most of the functionality of the sha*sum utilities and the md*sum utilities. With this you should be able to hash basically anything you want and be able to check and verify that hashes you receive are correct and actually coming from a valid source.</p>
</section>
</div>
</body></html>
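Review bot: the verification command under "The User:" is wrong and will fail: with -c, sha*sum takes the checksum file, not the file being checked, so `sha*sum -c <the_executable> <the_hash_file>` makes it parse the executable as a list of checksums and report "no properly formatted checksum lines found". It should be `sha*sum -c <the_hash_file>`; the filenames recorded inside the checksum file tell it what to read. Related, the --tag explanation is inaccurate: --tag switches the output to BSD-style "SHA256 (file) = hash" lines, which -c also accepts, and it has nothing to do with suppressing an error. The drive-imaging command has a path mismatch: dd writes to /<your_dir>/<drive_dump> but the chained sha*sum is given the bare <drive_dump>, so it only works if the shell is already in <your_dir>; use the same path in both, and add conv=noerror,sync so a read error on a failing drive does not abort the image. The direct form `sha*sum /dev/sdX` needs root (block devices are normally root:disk 0660), so prefix sudo as the dd example does; for evidence handling also say that the image hash should be compared against the hash of the source device and that the source should sit behind a write blocker. The binary-mode paragraph is wrong for Linux: on GNU/Linux text and binary mode read identical bytes and -b only changes the " *" marker in the output line, so a file cannot produce two different hashes depending on the mode on this platform (it can on Windows/Cygwin, where text mode translates line endings). The `echo "Hello" | sha*sum` example silently hashes "Hello" plus a trailing newline; say so, or use printf '%s' "Hello", so readers do not wonder why their hash differs from other tools. The prerequisites list says "carat symbols" for <...>; those are angle brackets (a caret is ^). Finally, the conclusion overstates what a checksum gives you: a hash file served next to the binary proves integrity of the download, not origin, since anyone who can replace the binary can replace the .sha256 too; the page's own remark that signatures (PGP) are the complete version is the right caveat and should be repeated there.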