
SHA1 base 64 (methinks) - help setting up tools


ghost

Hey all. I found a HUGE vulnerability in an application we're forced to use at school, and decided to download their entire library and upload to my own mirror, edit the JNLP file to point to my server, and edit whatever I want.

The glory streak ended when I opened a JAR file to edit a file, replacing the file, uploading the JAR, and deploying the program, only to have it say the signing failed (joy…).

From my googled results (I now have 6 chrome windows up with about 100 tabs each…) I've deduced that it is SHA1-base64, but tell me if it's wrong:

Hp0t9HWv+V78JpW2rmFOG4gnE1Q=

Background: I 'know' what rainbow tables are (I think - I believe they are just hash->original value pairs, right?), but unfortunately it would be extremely difficult making one seeing as how the hashes are generated by looking at file contents - most of which are huge and/or images.

Any way I could set this up? I have a shitload of the hashes along with the filenames they were generated from, but just dunno how to set them up correctly. I have PasswordsPro, but obviously that won't help, I don't think, in this case.

Reverse lookup databases aren't much help either…

Also, anything that can map with computers? I have about 400 of them at my disposal if need be, all with 1gb network connections; my teacher is looking for something fun to do with it anyways…

Any help with this? Thanks :)

-Intocksify


SET

Hp0t9HWv+V78JpW2rmFOG4gnE1Q=

Where did you get this from?

The Devils in the Details


ghost

Have fun finding SHA1 collisions (hint, you'll want to bypass the hash check).


ghost

Well, I guess it's the luck of me: right after I posted this, I found a site (http://hogehoge.tk/tool-i/) that encodes it exactly how it should be. I wrote a simple PHP script to open image files, etc. and output the hex, which I input there and get the appropriate sha1 base64 hash.

Now the problem is that the manifest file is fine, but the other file isn't - I'll explain:

Manifest file (the hashes in this file are the ones that can be generated using the site above):

Manifest-Version: 1.0
X-CL-build-date: 2008-06-06 00:07:33
Created-By: 1.4.2-86 ("Apple Computer, Inc.")
Ant-Version: Apache Ant 1.7.0

Name: Splash-Screen.gif
SHA1-Digest: FjTUGHsryxkht2jUUdmVyJmHnF4=

Name: SummarySplash-Screen.gif
SHA1-Digest: CjAA2uFhchC5Ae+rb5RWZCsG7lg=

Name: TTSplash-Screen.gif
SHA1-Digest: yB6ef9vMaQbvEZe9GvA02LLsRR8=

And the strange file "CL.SF":

Signature-Version: 1.0
Created-By: 1.4.2_16 (Apple Computer, Inc.)
SHA1-Digest-Manifest: v5vTiiASLNJMqOAUguGIoVyq7t4=

Name: Splash-Screen.gif
SHA1-Digest: 2/Pj3FuAKO8YcRI/RkaeQbnSLDw=

Name: SummarySplash-Screen.gif
SHA1-Digest: JCdHYs1XT/t4UoJy/gTAvJ7Lznk=

Name: TTSplash-Screen.gif
SHA1-Digest: piTi1mwqq9maDvb6fDasQuRt13c=

The other files in that directory are a simple list of files (which is obvious) and a file that appears to be a verisign certificate with the filename "CL.RSA", which is too close to "CL.SF" to be a coincidence.

Any further help?

-Intocksify


ghost

A bit of background since JAR files are signed to prevent tampered files from being passed.

http://www.ibm.com/developerworks/library/j-jar/index.html

Signing adds a .sf file, sample:


Signature-Version: 1.0
SHA1-Digest-Manifest: HBstZOJBuuTJ6QMIdB90T8sjaOM=
Created-By: 1.3.0 (Sun Microsystems Inc.)

Name: Sample.java
SHA1-Digest: qipMDrkurQcKwnyIlI3Jtrnia8Q=

Name: Sample.class
SHA1-Digest: pT2DYby8QXPcCzv2NwpLxd8p4G4=
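
Added example, not part of the thread: a Python sketch of the digest chain in a signed JAR, showing why the per-entry digests in the .SF file differ from those in MANIFEST.MF (the .SF digests cover the manifest section for each entry, not the file bytes). The function names and the sample JAR are constructed for illustration; the parser assumes CRLF line endings and no wrapped lines, and it does not verify the .RSA signature block.

```python
import base64, hashlib, io, zipfile

def b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def sections(raw: bytes) -> list:
    # Sections are separated by a blank line; the digest input keeps that blank line.
    return [p + b"\r\n\r\n" for p in raw.split(b"\r\n\r\n") if p.strip()]

def attrs(section: bytes) -> dict:
    return dict(l.split(": ", 1) for l in section.decode().strip().splitlines())

def check_jar(jar: bytes, sf_name: str = "META-INF/CL.SF") -> list:
    """Return problems found in the chain: file -> MANIFEST.MF -> .SF."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        mf, sf = z.read("META-INF/MANIFEST.MF"), z.read(sf_name)
        mf_secs = {attrs(s)["Name"]: s for s in sections(mf)[1:]}
        sf_main, *sf_secs = sections(sf)
        if attrs(sf_main)["SHA1-Digest-Manifest"] != b64sha1(mf):
            problems.append("MANIFEST.MF differs from the one that was signed")
        for s in sf_secs:
            a = attrs(s)
            # The .SF digest covers the manifest *section*, not the file bytes.
            if a["SHA1-Digest"] != b64sha1(mf_secs.get(a["Name"], b"")):
                problems.append(a["Name"] + ": manifest section differs from .SF")
        for name, sec in mf_secs.items():
            if attrs(sec)["SHA1-Digest"] != b64sha1(z.read(name)):
                problems.append(name + ": content does not match manifest digest")
    return problems

def build_sample(files: dict, replaced: dict = None) -> bytes:
    """Constructed test JAR: metadata digests `files`; archive stores `replaced` on top."""
    secs = [f"Name: {n}\r\nSHA1-Digest: {b64sha1(d)}\r\n\r\n".encode()
            for n, d in files.items()]
    mf = b"Manifest-Version: 1.0\r\n\r\n" + b"".join(secs)
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(mf)}\r\n\r\n".encode()
    for n, s in zip(files, secs):
        sf += f"Name: {n}\r\nSHA1-Digest: {b64sha1(s)}\r\n\r\n".encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/CL.SF", sf)
        for n, d in {**files, **(replaced or {})}.items():
            z.writestr(n, d)
    return buf.getvalue()

# Constructed sample contents, not the real files from the thread.
SAMPLE = {"Splash-Screen.gif": b"GIF89a constructed", "TTSplash-Screen.gif": b"GIF89a other"}
```

A clean result here only shows the archive is internally consistent. Trust still depends on verifying the .RSA signature over the .SF file and on confirming the signer is the expected one, because a JAR re-signed with a different certificate passes these digest checks too.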

ghost

Surely there must be a way to get valid hashes for the .sf file…

If I have the hash that I can recreate for file A, and the hash for file A that I cannot find or recreate (the unknown salt, etc.), and I have a lot of these, could I make a rainbow table with the known hash and the unknown hash? Or is that not how they work?

Is there another method to do this?

Thanks for the replies.

-Intocksify

EDIT: Just saw the comment of bypassing the hash check - any tips on how to do that?

Thanks.


ghost

LULZ wow. Java fails - download the JDK, make your own certificate ("keystore"), and co-sign the jar. Bam - you bypass the hash checking.

Thanks for the input guys - didn't even need hash decryption xDD

-Intocksify


ghost

Intocksify wrote: LULZ wow. Java fails - download the JDK, make your own certificate ("keystore"), and co-sign the jar. Bam - you bypass the hash checking.

Wow, look at me being completely wrong five posts ago. Nicely done!

Thanks for the input guys

I think it's -you- we need to thank for your input!