
Seriously, SHA3 where art thou?

Published: 2020-05-26
Last Updated: 2020-05-26 19:18:42 UTC
by Jim Clausing (Version: 1)
0 comment(s)

A couple of weeks ago, Rob wrote a couple of nice diaries. In our private handlers Slack channel I joked after the first one about whether he was going to rewrite CyberChef in PowerShell. After the second I asked, what about SHA3? So he wrote another one (you're welcome for the diary ideas, Rob). I was only half joking.

SHA2 (SHA256, or more accurately SHA2-256, being the most common version in use) was first adopted in 2001. SHA3 was adopted in 2015. Fortunately, because we've known about the weaknesses in MD5 and SHA1 for years, those have been phased out for integrity purposes over the last decade. And, fortunately, I'm not aware of any weaknesses in SHA2 yet, but it is only a matter of time.

Having said that, I still see a lot of malware or forensic reports that include MD5 or SHA1 hashes; fortunately these days they usually also include SHA256, but I don't believe that even VirusTotal is calculating SHA3 hashes for new samples. I understand the argument that using both MD5 and SHA1 is probably sufficient for the moment for malware sample identification purposes, but the new standard has been out there for 5 years now and the hash that is actually being used is almost 20 years old. What is the hold up?

In my own personal malware database, I added a column for SHA3 back when NIST first announced that they were going to hold a competition to choose the new hash. Python has included SHA3 in hashlib since 3.6, and it was backported to 2.7-3.5 in pysha3. The Perl Digest::SHA3 module has been around since the standard was adopted. I added it to my sigs.py tool more than 3 years ago; more specifically, I use SHA3-384 (as did Jesse Kornblum's beta of sha3deep, though I don't see a final release of that). So, what is the hold up? Why aren't we using the current standard? I, for one, plan to include both SHA2-256 and SHA3-384 hashes in all of my reports going forward. Thoughts?
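To show how little it costs to report the current standard alongside SHA2-256, here is a small Python example of hashing a sample with both SHA2-256 and SHA3-384 in one pass over the file. This is added example code, not the diary's own and not taken from sigs.py or sha3deep; the function names (`check_sha3_support`, `digests`, `file_digests`, `demo`) and the sample bytes it writes to a temporary file are my own constructions. It assumes Python 3.6 or later, where `hashlib` ships the `sha3_*` constructors natively.

```python
"""Report SHA2-256 and SHA3-384 for a sample side by side (added example)."""
import hashlib
import os
import tempfile

# Algorithms to report together. hashlib has offered sha3_* since Python 3.6;
# older interpreters needed the pysha3 backport.
ALGORITHMS = ("sha256", "sha3_384")


def check_sha3_support():
    """Return True if this interpreter's hashlib can compute SHA3-384."""
    return "sha3_384" in hashlib.algorithms_available


def digests(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory byte string for each named algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file once, feeding each chunk to every hasher.

    Reading the sample a single time and updating all hashers per chunk keeps
    the cost of adding SHA3-384 to a report close to the cost of SHA256 alone.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def report_lines(path, algorithms=ALGORITHMS):
    """Format the digests the way a report would list them, one per line."""
    result = file_digests(path, algorithms)
    return ["%-9s %s" % (name, result[name]) for name in algorithms]


def demo():
    """Write a constructed sample to a temp file and hash it two ways.

    Returns both the chunked file digests (with a deliberately tiny chunk
    size so the loop runs many times) and the one-shot in-memory digests,
    so a caller can confirm the streaming path matches the direct path.
    """
    sample = b"constructed sample bytes, not real malware\n" * 100
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        chunked = file_digests(path, chunk_size=7)
    finally:
        os.unlink(path)
    return {"chunked": chunked, "one_shot": digests(sample)}


if __name__ == "__main__":
    if not check_sha3_support():
        raise SystemExit("hashlib lacks sha3_384; use Python >= 3.6 or pysha3")
    out = demo()
    for name in ALGORITHMS:
        print("%-9s %s" % (name, out["chunked"][name]))
```

`hashlib.new(name)` is used instead of the named constructors so the list of algorithms in a report is a one-line change; swapping in `sha3_256` or `sha512` needs no other edits.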


References:

https://isc.sans.edu/forums/diary/Base+Conversions+and+Creating+GUI+Apps+in+PowerShell/26122/
https://isc.sans.edu/forums/diary/Hashes+in+PowerShell/26128/
https://isc.sans.edu/diary/SHA3+Hashes+%28on+Windows%29+-+Where+Art+Thou%3F/26130
https://isc.sans.edu/diary/SHA1+Phase+Out+Overview/20423
https://isc.sans.edu/diary/New+tool%3A+sigs.py/22181

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: sha3