Basics

A cryptographic hash function is a mathematical algorithm that takes in data of arbitrary size and converts it to a string of a fixed size, which is designed to also be a one-way function, that is, a function which is infeasible to invert.  See Fig 1.  The idea is that one could input any string and receive a seemingly random irreversible string of fixed length. An input will always reproduce the same output. A single modification to the input will completely change the output and the only way to achieve the same output is by having the original input.

Fig 1. Cryptographic hashing an input. Source: https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Cryptographic_Hash_Function.svg/375px-Cryptographic_Hash_Function.svg.png

 

Hashes aren’t always secure

Hashes can be broken, this is due to the fact that more than one input can result in the same input theoretically. However, as long as this doesn’t occur more than just randomly then the hash is seen as secure as probability can’t be helped. Nevertheless, there have been a few hashing algorithms deemed broken such as MD5 or SHA-1 which have been affected by a collision attack. Meaning that somebody has figured out a way to get two inputs with the same output with more than just chance by finding a flaw in the mathematical algorithm.

Application in Hacking

Cryptographic hashing functions are commonly used for checking file integrity and storing passwords, two things hackers like to mess with. File integrity can be checked by taking in a file, calculating the hash (referred to as the checksum), and then comparing the hash of the original file against the new file. This can be useful when downloading a file and checking for corruption during transfer or checking if a file has been changed or tampered with.

When you use an online service and create an account with a password the website usually (unless it’s very unsecured) generates the hash for your password, ties it to your username, and stores the hash itself and not the plaintext password. This prevents your password from being transmitted and stored in plaintext for anyone to read. The next time you logon, it will hash your password input and compare the result to the hash that is stored in their database.

Conclusion

A hacker could compromise a website and steal their database of hashes and try to crack them to get into that account or even other accounts by the same user if that person happens to reuse passwords. Another hacker could also compromise a file a user may want to download and provide a collided checksum to give the user a false sense of security when they download the hacker’s malware. Make sure you use an up to date long hashing algorithm to prevent these from happening.

Hackmethod is proud to announce Mal_Wear by HM. Exploit/Vulnerability themed nerdy t-shirts! Get them while they last. Dismiss