Friday, March 27, 2015

Search for files by MD5 Hash

If you're not familiar with an MD5 hash, how to find one, or it's uses I suggest you first read this prior blog.

Let's say you want to check if there is a particular malicious file on your computer. You know the MD5 Hash, but you have no idea where it might be located or what the name of the file might be. The attacker has done a good job obfuscating it. The good news is there is the perfect tool for this. It's the free md5deep tool. It support recursive traversal, which you can then combine with a quick Powershell trick to find only the specific MD5 hash you're looking for.

> .\md5deep.exe -r c:\ | Select-String "77b5b1c8b3f7b8a183f55737d9a392234"

Just replace your hash with my hash and you're good to go! As a sample below, i searched for this MD5 hash just against my temp folder and in a matter of seconds it found it! There are 2 parts to this command. The first half is just the md5deep tool recursively searching the c:\ drive as it should. But default behavior is for it to spit out the MD5 hash of EVERY file. So use the powershell Select-String command to only display the file you wanted. If it returns nothing, then it didn't find it.

Happy hunting!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment