💾 Archived View for radare.org › book › tools › rahash2 › intro.gmi captured on 2024-08-18 at 17:19:36. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
Versatile command-line hashing tool that is part of the radare2 framework. It's designed to compute and verify cryptographic hashes and checksums for files, strings, or even large data streams like hard disks or network traffic.
Key features of rahash2 include:
This is an example usage:
$ rahash2 -a md5 -s "hello world"
Note that rahash2 also permits to read from stdin in a stream, so you don't need 4GB of ram to compute the hash of a 4GB file.
When doing forensics, it is useful to compute partial checksums. The reason for that is because you may want to split a huge file into small portions that are easier to identify by contents or regions in the disk.
This will spot the same hash for blocks containing the same contents. For example, if is filled with zeros.
It can also be used to find which blocks have changed between more than one sample dump.
This can be useful when analyzing ram dumps from a virtual machine for example. Use this command for this:
$ rahash2 -B 1M -b -a sha256 /bin/ls
The rabin2 tool parses the binary headers of the files, but it also have the ability to use the rhash plugins to compute checksum of sections in the binary.
$ rabin2 -K md5 -S /bin/ls
To calculate a checksum of current block when running radare2, use the `ph` command. Pass an algorithm name to it as a parameter. An example session:
$ radare2 /bin/ls [0x08049790]> bf entry0 [0x08049790]> ph md5 d2994c75adaa58392f953a448de5fba7
You can use all hashing algorithms supported by `rahash2`:
[0x00000000]> ph? md5 sha1 sha256 sha384 sha512 md4 xor xorpair parity entropy hamdist pcprint mod255 xxhash adler32 luhn crc8smbus crc15can crc16 crc16hdlc crc16usb crc16citt crc24 crc32 crc32c crc32ecma267 crc32bzip2 crc32d crc32mpeg2 crc32posix crc32q crc32jamcrc crc32xfer crc64 crc64ecma crc64we crc64xz crc64iso
The `ph` command accepts an optional numeric argument to specify length of byte range to be hashed, instead of default block size. For example:
[0x08049A80]> ph md5 32 9b9012b00ef7a94b5824105b7aaad83b [0x08049A80]> ph md5 64 a71b087d8166c99869c9781e2edcf183 [0x08049A80]> ph md5 1024 a933cc94cd705f09a41ecc80c0041def