SHA3 Hashes (on Windows) - Where Art Thou?

Published: 2020-05-15
Last Updated: 2020-05-15 19:51:56 UTC
by Rob VandenBrink (Version: 1)
4 comment(s)

No sooner had I posted on doing file and string hashes in PowerShell than I (again) got asked by Jim: "What about SHA3?  Shouldn't we be using Quantum Safe algorithms if we have them?"

Looking around, support for SHA3 is pretty sparse no matter what the OS.  For Windows there's a decent solution in bouncycastle (https://www.bouncycastle.org/), but the install is likely more than folks want to tackle, especially if it gets rolled into PowerShell at some future date.  Similarly, the SCCM ConfigurationManager module does implement them in some fashion, but that's kind of a dead-end for most of us too.

In a pinch, hashify.net has a public API that supports just about any hashing algorithm you'd care to mention:

curl --location --request GET "api.hashify.net/hash/sha3-512/hex?value=CQCQCQ"
{"Digest":"bcc7a070db5dd926bfbef21c6c5e8081402a79e45f96c4cd7fedc405e1a7fcb6b047cff266235f19f0d1219d2f0fd9299b93cd28d69517d7aefec8cf0c9ffdcc","DigestEnc":"hex","Type":"SHA3-512","Key":""}

The problem with that is: if the information you are hashing (presumably to verify against, either now or later) is important or sensitive enough to warrant one of the fancy SHA3 algorithms, it's likely not data that you want sent to a public website in the clear.

I eventually decided to use the functionality in OpenSSL, with the rationale that anyone who needs this function will likely have OpenSSL installed locally already; at most we'd be asking them to upgrade, since you'll need OpenSSL 1.1.1 or better for SHA3-xxx hash support.  The syntax is:

echo "some string" | openssl dgst -hashalgorithm

or

type "somefilespec" | openssl dgst -hashalgorithm

where "hashalgorithm" is any of:

blake2b512                blake2s256                md4
md5                       md5-sha1                  mdc2
ripemd                    ripemd160                 rmd160
sha1                      sha224                    sha256
sha3-224                  sha3-256                  sha3-384
sha3-512                  sha384                    sha512
sha512-224                sha512-256                shake128
shake256                  sm3                       ssl3-md5
ssl3-sha1                 whirlpool

So for implementing this in PowerShell, it's as easy as creating the command in a string, then calling it with "Invoke-Expression" (shortened to "iex" in the examples below).

So for now, until Microsoft rolls out better support for the SHA3 family of hashing algorithms, my quick-and-dirty implementation for the newer, shinier hash algorithms is below.  Note that if OpenSSL isn't in the path, I've got a variable pointed to the path to the binary (update this variable to match your install).  In any "real" code you would put this in a config file of course (because we all need more config files in our life, right?)

$OpenSSLPath = "C:\openssl-1.1.1h\bin\"

function Get-StringHash-OpenSSL ( [String] $InputString, $HashAlgo )
    {
    $QT = "`""
    # Builds:  echo "<string>" | C:\...\openssl.exe dgst -<algo>
    # echo appends a line ending, so the digest is of "<string>" plus that newline.
    # Invoke-Expression parses $InputString as PowerShell, so only hash strings you control
    # (a string containing a quote or ';' would be executed rather than hashed).
    $cmd = "echo " + $QT + $InputString + $QT + " | " + $OpenSSLPath + "openssl.exe dgst -" + $HashAlgo
    $callcmd = iex $cmd
    # openssl prints "(stdin)= <hex>", so the hash is the second space-separated token
    $callcmd.split(" ")[1]
    }

$hash = get-stringhash-openssl "CQ CQ CQ" "SHA3-256"
$hash

5b960a5284843bb23af5e249c8692bd6d831645cc5070d501b4cef3e94d6983e

$OpenSSLPath = "C:\openssl-1.1.1h\bin\"

function Get-FileHash-OpenSSL ( [String] $InputFileSpec, $HashAlgo )
    {
    $QT = "`""
    # Inside PowerShell "type" is an alias for Get-Content, which reads the file as text
    # lines and re-encodes them on the way into openssl, so piping it in would hash the
    # wrong bytes for any binary file. Hand the path to openssl directly instead; the -r
    # switch makes it print "<hex> *<file>", so the hash is the first token even when
    # the path contains spaces.
    $cmd = $OpenSSLPath + "openssl.exe dgst -" + $HashAlgo + " -r " + $QT + $InputFileSpec + $QT
    $callcmd = iex $cmd
    $callcmd.split(" ")[0]
    }

$hash = get-FileHash-OpenSSL "c:\windows\system32\cmd.exe" "Sha3-512"
$hash

0cacd8c85b44eed57101fee1431434278319dc441aee26354f811b483a30ff7861ecc88f4c90791e941e49dcb124a975d9eb301e5d715a4e80ee918ea2f5f844

If you've worked out a way to get these algorithms into PowerShell without IEX or any 3rd party installs, please share using our comment form. 
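As an added example (my code, not the diary's) answering the "without IEX" request: the call operator and a redirected process stdin hand arguments and bytes to openssl.exe without building a command string, so a file name or input string containing quotes or semicolons is hashed rather than executed. It assumes OpenSSL 1.1.1 or later at a hypothetical $OpenSSLExe path; the function names are mine.

```powershell
# Added example, not the diary's code: SHA3 via OpenSSL without Invoke-Expression.
# Assumes OpenSSL 1.1.1 or later; $OpenSSLExe is a hypothetical install path.
$OpenSSLExe = "C:\openssl-1.1.1h\bin\openssl.exe"

function Get-Sha3FileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('sha3-224','sha3-256','sha3-384','sha3-512')] [string] $HashAlgo = 'sha3-256'
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    # The call operator passes each argument as-is: nothing in $full is parsed as
    # PowerShell, so a file name containing quotes or ';' cannot inject a command.
    # "dgst -r" prints "<hex> *<file>", so the digest is always the first token,
    # even when the path itself contains spaces.
    $out = & $OpenSSLExe dgst "-$HashAlgo" -r $full
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with $LASTEXITCODE for $full" }
    ([string]$out -split ' ')[0]
}

function Get-Sha3StringHash {
    param(
        [Parameter(Mandatory)] [string] $InputString,
        [ValidateSet('sha3-224','sha3-256','sha3-384','sha3-512')] [string] $HashAlgo = 'sha3-256'
    )
    # Feed the exact UTF-8 bytes to openssl's stdin. Piping through echo appends a
    # newline (so the digest is of "text\n"), and a temp file would put a sensitive
    # string on disk; a redirected process stream avoids both.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $OpenSSLExe
    $psi.Arguments = "dgst -$HashAlgo -r"      # $HashAlgo is constrained by ValidateSet
    $psi.UseShellExecute = $false
    $psi.RedirectStandardInput = $true
    $psi.RedirectStandardOutput = $true
    $proc = [System.Diagnostics.Process]::Start($psi)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($InputString)
    $proc.StandardInput.BaseStream.Write($bytes, 0, $bytes.Length)
    $proc.StandardInput.Close()
    $out = $proc.StandardOutput.ReadToEnd()      # "<hex> *stdin"
    $proc.WaitForExit()
    if ($proc.ExitCode -ne 0) { throw "openssl exited with $($proc.ExitCode)" }
    ($out -split ' ')[0]
}

# Usage:
#   Get-Sha3StringHash "CQ CQ CQ" -HashAlgo sha3-256
#   Get-Sha3FileHash "C:\Windows\System32\cmd.exe" -HashAlgo sha3-512
```

Because no newline is appended, Get-Sha3StringHash gives a different digest from the echo-based function above for the same string; it matches what `printf '%s' "CQ CQ CQ" | openssl dgst -sha3-256` produces on other platforms.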

(And yes, I did riff on the title of Mark Baggett's presentation next week - Tech Tuesday Workshop - O Hacker, Where Art Thou?: A Hands-On Python Workshop for Geolocating Attackers  https://www.sans.org/webcasts/hacker-art-thou-hands-on-python-workshop-geolocating-attackers-115340 )

===============
Rob VandenBrink
www.coherentsecurity.com


Hashes in PowerShell

Published: 2020-05-15
Last Updated: 2020-05-15 14:18:00 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

As a follow-up to yesterday's how-to, I thought hashing might be a thing to cover.  We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the Windows command set - or are they?  Yup, it turns out that they most definitely are part of PowerShell:

Get-FileHash -path $filename -Algorithm $algo

Where the Algorithm is a string, any one of:
"SHA1","SHA256","SHA384","SHA512","MACTripleDES","MD5","RIPEMD160"

$a = get-filehash -Path .\somefile.txt -Algorithm SHA256

$a

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          0ACDA2996D999257BD8E4EE7AD43065626A14105A06DC00973959F9B032DE0E9       somefile.txt

$a.Hash
0ACDA2996D999257BD8E4EE7AD43065626A14105A06DC00973959F9B032DE0E9

But what about string values?  If you want to hash a string, there doesn't seem to be a function for that.  It turns out that while it's not part of PowerShell as a separate thing, it's pretty easy to do by wrapping the string in a stream and handing that to Get-FileHash's -InputStream parameter:

$stringAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($stringAsStream)
$writer.write("RADIO CHECK")
$writer.Flush()
$stringAsStream.Position = 0
Get-FileHash -Algorithm "SHA256" -InputStream $stringAsStream | Select-Object Hash

Hash
----
A450215BE7B1BC6006D41FF62A9324FEB4CD6D194462CB119391CE21555658BB

So, this gets the job done but it's a bit kludgy; let's drop it into a function, then call the function:

function Get-StringHash ( [String] $InputString, $HashAlgo)
    {
    $stringAsStream = [System.IO.MemoryStream]::new()
    $writer = [System.IO.StreamWriter]::new($stringAsStream)
    $writer.write($InputString)
    $writer.Flush()
    $stringAsStream.Position = 0
    Get-FileHash -Algorithm $HashAlgo -InputStream $stringAsStream | Select-Object Hash
    }

$a = get-stringhash "LOUD AND CLEAR" "SHA256"
$a

Hash
----
7FE22308D7B971EDCADB8963188E46220E9D5778671C256216AEA712A33D4A3E

$a.Hash
7FE22308D7B971EDCADB8963188E46220E9D5778671C256216AEA712A33D4A3E
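An added example (not the diary's code) that extends the Get-FileHash approach above: a reworked Get-StringHash takes an explicit text encoding, since the bytes that get hashed depend on it, and a Test-FileHash helper compares a file against a published hash regardless of hex case. Both function names are mine.

```powershell
# Added example, not the diary's code. Function names are mine.
function Get-StringHash {
    param(
        [Parameter(Mandatory)] [string] $InputString,
        [ValidateSet('SHA1','SHA256','SHA384','SHA512','MD5','RIPEMD160')] [string] $HashAlgo = 'SHA256',
        # The bytes hashed depend on the encoding. StreamWriter (used in the diary) defaults to
        # UTF-8 without BOM; a hash computed elsewhere from UTF-16 ("Unicode") text won't match.
        [System.Text.Encoding] $Encoding = [System.Text.Encoding]::UTF8
    )
    # MemoryStream over the encoded bytes starts at position 0, so no Flush/rewind needed.
    $stream = [System.IO.MemoryStream]::new($Encoding.GetBytes($InputString))
    try     { (Get-FileHash -Algorithm $HashAlgo -InputStream $stream).Hash }
    finally { $stream.Dispose() }
}

function Test-FileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,   # e.g. the hash printed on a download page
        [string] $HashAlgo = 'SHA256'
    )
    # -LiteralPath so '[' or '*' in a file name is not treated as a wildcard.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $HashAlgo).Hash
    # Get-FileHash returns upper-case hex; published hashes are often lower-case.
    [string]::Equals($actual, $Expected.Trim(), [System.StringComparison]::OrdinalIgnoreCase)
}

# Usage:
#   Get-StringHash "LOUD AND CLEAR"                                              # same bytes as the diary's example
#   Get-StringHash "LOUD AND CLEAR" -Encoding ([System.Text.Encoding]::Unicode)   # UTF-16: a different digest
#   Test-FileHash .\somefile.txt -Expected '<hash from the download page>'       # $true only if the bytes match
```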

This "common infosec functions in PowerShell" thing kinda got started by accident, and got extended when Jim Clausing asked me if I was going to re-write CyberChef in PowerShell.  Of course my answer was "If you're going to put down a dare like that, challenge accepted" - so look for more stories of this type in the future.  As I introduce more functions, I'll roll them into the same GUI as I presented yesterday; the code will get updated in my github ( https://github.com/robvandenbrink ).

===============
Rob VandenBrink
www.coherentsecurity.com

