Still using SHA for hashes senselessly? Consider not using cryptographic hashes for everything in your life
I previously shilled xxHash (https://pentester.wtf/blog/2020-10-13-xxhash/), but I’m pretty happy when I see malware using fast hashes for non security related tasks, rather than just using SHA/Bcrypt/whatever and being terribly slow. With that in mind, I’d like to reiterate:
If you’re writing code malware, and need to generate deterministic identifiers for data - such as if you’re scraping a website comparing processes on an endpoint to ones you care about (i.e. msbuild), and your code looks like this:
>>> import hashlib
>>> import psutil
>>> # SUPER SECRET PROCESS WE DON'T WANT PEOPLE TO KNOW WE'RE LOOKING FOR
>>> NOT-SECRET-OBVIOUS-HASH = d4c5d22baf120b953ceb85a4d142f1c5fef2b002b2f1a050345ec1e90c5aeaa8
>>> # Dump processes, iterate over them one by one
>>> for p in psutil.process_iter():
>>> m = hashlib.sha256()
>>> m.update(str.encode(p.name()))
>>> if m.hexdigest() == NOT-SECRET-OBVIOUS-HASH:
>>> # Inject into memory, be naughty, etc
Then you’re burning CPU cycles a lot, for properties you probably didn’t want: i.e. taking forever to defeat someone just bruteforcing a password dump.
Instead, consider using something like xxHash (https://github.com/Cyan4973/xxHash), which is going to be significantly quicker, and save a lot of resources.
Instead, consider doing what the authors of SUNSPOT did, and just use ELFhash! https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
Obviously tongue in cheek, but it’s cool to see the use of non-cryptographic hashes for appropriate applications, instead of just mindlessly applying SHA everywhere.
Plus, to the inexperienced SOC/Blue teamer, they’re not going to reverse that hashing algorithm - it’s more likely they’re going to be lazy and look for SHA primatives or just imports.