Monday, August 22, 2011

Using Sysinternals sigcheck to verify a file's hash

A file's MD5 or SHA-1 hash is what I often check to verify that a particular file is the one the developer published. Software developers often publish these hashes to help users determine whether the file has been tampered with.

Among the Sysinternals tools is a file and signature viewer called sigcheck. Here is a short tutorial on how to use sigcheck to get the hash of a file.

1. Obtain the file hash from the software developer's website or distribution site.
2. Download sigcheck from Microsoft Sysinternals, or better yet get the whole Sysinternals Suite.
3. Run sigcheck.exe with the -h parameter against the file.

It shows the file's version information and its hashes. Here is an example of sigcheck in action. I used the lophtcrack password auditing software from http://www.lophtcrack.com. The website offers a CNET download link and an alternative download site. Let's compare the file hashes.

The Lophtcrack website says the file must have these hashes:

MD5 Hash: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1 Hash: 142590a4751fa26919cc902d91aa9c92c8e602fd

Here are the hashes of the executable obtained from the CNET website:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h cnet_lc6setup_v6_0_12a_exe.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Documents and Settings\machine\My Documents\Downloads\cnet_lc6setup_v6_0_12a_exe.exe:

Verified: Signed
Signing date: 5:58 AM 7/19/2011
Publisher: CBS Interactive
Description: CNET Download.com Installer
Product: CNET Download.com Installer
Version: 1.2.3.0
File version: 1.2.3.0
MD5: 5a888686e6b6744afd3e1c19d84a2b10
SHA1: dadee7f3da2ac8e4916d414fcd500ac85d40cb48
SHA256: a5528ab0650d406a2d526c5608fac24404fe07a49ca90bb4bc1c5dfdc5c912f8

Here's the file obtained directly from lophtcrack's site:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h lc6setup_v6.0.12a.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Documents and Settings\machine\My Documents\Downloads\lc6setup_v6.0.12a.exe:
Verified: Unsigned
File date: 3:03 PM 8/23/2011
Publisher: L0pht Holdings, LLC
Description:
Product: L0phtCrack 6
Version: 6.0
File version: 6.0
MD5: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1: 142590a4751fa26919cc902d91aa9c92c8e602fd
SHA256: 786800c069a0aa6db8ca44f9ec9617294ece72d7d0b5154a88ef77d73784d450

It might be a good idea to use the second file in this instance and not to trust the file from the CNET download.com website.
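As an added example (not from the post, and not a Sysinternals tool), here is a small POSIX sh script that does the comparison step above mechanically: it pulls the MD5 and SHA1 lines out of the sigcheck output and checks them against the hashes the vendor published. The two sigcheck outputs are copied from the post, stray space in the SHA1 included.

```shell
#!/bin/sh
# Added example, not from the post: compare the hashes that `sigcheck -h` printed
# with the ones the vendor published. Both sigcheck outputs are copied from the
# post; the vendor file's SHA1 keeps the stray space that appeared on the page.
SIGCHECK_CNET='Verified: Signed
Publisher: CBS Interactive
MD5: 5a888686e6b6744afd3e1c19d84a2b10
SHA1: dadee7f3da2ac8e4916d414fcd500ac85d40cb48
SHA256: a5528ab0650d406a2d526c5608fac24404fe07a49ca90bb4bc1c5dfdc5c912f8'
SIGCHECK_VENDOR='Verified: Unsigned
Publisher: L0pht Holdings, LLC
MD5: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1: 142590a4751fa26919cc902d91 aa9c92c8e602fd
SHA256: 786800c069a0aa6db8ca44f9ec9617294ece72d7d0b5154a88ef77d73784d450'
# Hashes as published on the vendor's download page (from the post).
PUBLISHED_MD5=a2fd2af0b3300fea67e6b836f9ca05f2
PUBLISHED_SHA1=142590a4751fa26919cc902d91aa9c92c8e602fd

# Lowercase and strip all whitespace so a hash copied with a line break or a
# stray space still compares equal to the published value.
normalize_hash() { printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-Z' 'a-z'; }

# Print the normalized value of one hash field (MD5, SHA1 or SHA256) from the
# sigcheck output passed as $2; prints nothing when the field is absent.
sigcheck_hash() {
    normalize_hash "$(printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { $1 = ""; print; exit }')"
}

# Exit 0 only when both published hashes are present in the sigcheck output and
# match. A file that fails here is not the one the vendor published, whatever
# its "Verified:" line says (the CNET wrapper above is signed, yet differs).
verify_download() {   # $1 sigcheck output, $2 published MD5, $3 published SHA1
    md5=$(sigcheck_hash MD5 "$1"); sha1=$(sigcheck_hash SHA1 "$1")
    [ -n "$md5" ] && [ "$md5" = "$(normalize_hash "$2")" ] &&
    [ -n "$sha1" ] && [ "$sha1" = "$(normalize_hash "$3")" ]
}

report() {   # $1 label, $2 sigcheck output
    if verify_download "$2" "$PUBLISHED_MD5" "$PUBLISHED_SHA1"; then
        echo "$1: hashes match the published values"
    else
        echo "$1: MISMATCH, not the file the vendor published"
    fi
}
report "CNET download" "$SIGCHECK_CNET"
report "Vendor download" "$SIGCHECK_VENDOR"
```

On a real machine you would feed the script the saved output of `sigcheck -h <file>` instead of the embedded samples.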

Do you have a better methodology to check if a file has been tampered with or contains malware?


Tuesday, February 8, 2011

Even Microsoft's Bing gets its search results from Google (Hilarious)

I was looking for the Internet Explorer 9 Beta URL and saw that Google's first result for the keyword "Internet Explorer 9" leads to www.google.com/chrome


It was really hilarious that when I searched for the same keyword in Microsoft's Search engine, bing.com, the same results came up! :D


Wednesday, May 26, 2010

Finding a file from the Windows command line

Been using this for a while on Windows machines. dir /S recurses through subdirectories, so it effectively searches for the file you're looking for on the drive where you ran the command.

Nifty command. Maybe you'd have a better way to search stuff from the command line?

Wednesday, March 3, 2010

Configuring iptables, daemons and network settings in CentOS 5

I just wanted to share my notes on configuring CentOS 5 from the command line, without a GUI, for when you need a more user-friendly way of configuring runlevels, iptables and network settings.

These are ncurses programs that act as front ends to their more esoteric command-line equivalents:

1. Configure startup, or disable daemons (services) from starting, by using ntsysv:

2. Using system-config-network to adjust the network interface card configuration:

3. Using system-config-network again to configure DNS and the machine's hostname:

4. Enabling and disabling SELinux, and configuring which ports are open on the machine, using system-config-securitylevel-tui:
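As an added example (not from the post), here is the command-line side of what ntsysv shows: `chkconfig --list` prints the same on/off state per runlevel that ntsysv edits, and a few lines of awk turn it into an audit of what starts at boot. The chkconfig output below is constructed to look like a CentOS 5 box; the allowlist is my assumption for a headless server.

```shell
#!/bin/sh
# Added example, not from the post. ntsysv and chkconfig read the same SysV init
# links; `chkconfig --list` prints one line per service with its state for
# runlevels 0-6. The sample output is constructed, including the trailing
# xinetd block that chkconfig prints in a different format.
CHKCONFIG_SAMPLE='sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups       0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables   0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth  0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail   0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        rsync:  off'

# Print the services that start in the given runlevel, one per line, sorted.
# Usage: enabled_in_runlevel 3 "$chkconfig_output"
enabled_in_runlevel() {
    printf '%s\n' "$2" | awk -v lvl="$1" 'BEGIN { want = lvl ":on" }
        { for (i = 2; i <= NF; i++) if ($i == want) { print $1; break } }' | sort
}

# Print the enabled services that are not in the space-separated allowlist;
# on a headless server those are the candidates for `chkconfig <svc> off`
# (or for unticking in ntsysv).
unexpected_services() {   # $1 runlevel, $2 chkconfig output, $3 allowlist
    allow=" $3 "
    enabled_in_runlevel "$1" "$2" | while read -r svc; do
        case "$allow" in *" $svc "*) ;; *) echo "$svc" ;; esac
    done
}

# Runlevel 3 is the multi-user, no-GUI level a headless CentOS 5 box boots into.
echo "Services enabled in runlevel 3 but not on the allowlist:"
unexpected_services 3 "$CHKCONFIG_SAMPLE" "sshd iptables network"
```

On a live system replace the sample with `"$(chkconfig --list)"` and compare the result with what ntsysv shows.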


Hope this helps, maybe you guys have a better way of doing these tasks? Comments and feedback are welcome :)


Thursday, January 21, 2010

Altiris Reporting Console - "Wrong number of arguments or invalid property assignment"

What I've observed is that this error happens because of:

1. The Altiris ActiveX controls not being installed properly
2. The ActiveX controls not being installable because the account that first opened the Altiris console lacked local Windows administrator privileges.

Ensuring that I have the privileges to install the controls and deleting all browser history in IE made it work for me.

Did you encounter the same problem? How did you solve it?

Wednesday, March 18, 2009

Rake error - no such file to load -- sqlite3 on Fedora 10

I encountered this error as I was trying to do a rake db:migrate:

[root@julia migrate]# rake db:migrate
(in /home/xander/tickets)
rake aborted!
no such file to load -- sqlite3

Apparently, the sqlite3 gem needs to be installed in Fedora 10. After installation, the migration went smoothly.

[root@julia migrate]# yum install rubygem-sqlite3-ruby



Running Transaction
Installing : rubygem-sqlite3-ruby 1/1

Installed:
rubygem-sqlite3-ruby.i386 0:1.2.4-1.fc10

Complete!
[root@julia migrate]# rake db:migrate
(in /home/xander/tickets)
== CreateTickets: migrating ==================================================
-- create_table(:tickets)
-> 0.0035s
== CreateTickets: migrated (0.0039s) =========================================

Wednesday, December 31, 2008

Adding a SCSI Disk in Fedora Core 9 Linux

This is a short guide with procedures for putting a new SCSI disk to use in Linux. It is based on my own notes. Your comments and suggestions are welcome :)

After physically attaching the disk, as root, run fdisk -l to check whether Linux can now see the physical disk.

The first disk I originally had is also a SCSI disk (hence its device name is /dev/sda and the second disk is sdb). We can see that Linux now sees the second SCSI disk at the device /dev/sdb. Linux's naming convention for SCSI devices is usually /dev/sd[a-p].

Now, after confirming the device name of the new disk (e.g. /dev/sdb), you may use fdisk to create a new partition or initialize the whole disk:

  1. As root, type fdisk /dev/sdb
  2. On the command prompt, enter ‘n’ without the quotes to add a new partition.
  3. Choose ‘p’ to create a primary partition
  4. Choose ‘1’ for the partition number
  5. Press enter twice to use the defaults for the cylinder sizes
  6. Type ‘w’ to write the changes to disk and exit
 

Now, after creating the partitions, you’d need to specify the file system that the disk will be formatted with. In this case, I’ll be using EXT3. 


  1. Type mkfs.ext3 /dev/sdb to start formatting the disk as EXT3
  2. When prompted whether you want to format the whole disk, choose ‘y’
  3. When prompted for the total blocks of the journal, press enter to accept the defaults

After formatting the device, you would need to create a mount point for the device. Mount points are normal directories that users use to access the device. In this case, we will be creating a directory named disk2 under /opt/disks/ 

  1. Type mkdir -p /opt/disks/disk2

Now we need to add the mount point and information regarding the new disk into Linux’s fstab. fstab is a file that Linux uses to get information about the various filesystems.

  1. Add the line above at the end of the fstab file, /etc/fstab
  2. Reboot or mount /dev/sdb to be able to access the device
  3. Create directories on the mount point (/opt/disks/disk2/) that are accessible to non-root users, using the chown command to give them ownership of the directories.
  4. You may want to create links for users to access these directories.
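As an added example (not from the post) for the partition, mount-point and fstab steps above: a POSIX sh helper that builds the fstab entry and checks the existing fstab before appending it, so a second run cannot add a duplicate line. It assumes the partition created by the fdisk steps is /dev/sdb1 (use /dev/sdb if you initialized the whole disk) and uses nodev,nosuid mount options for a data disk; both are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not from the post. Builds the /etc/fstab line for the new disk
# and refuses to append it when the device or the mount point is already listed.
# Device and mount options below are assumptions (partition /dev/sdb1 from the
# fdisk steps; nodev,nosuid because the disk only holds user data).

# Build an fstab line: device, mount point, fs type, options, dump flag 0,
# fsck pass 2 (checked after the root filesystem, the usual value for data disks).
fstab_line() {   # $1 device, $2 mount point, $3 fs type, $4 options
    printf '%s\t%s\t%s\t%s\t0\t2\n' "$1" "$2" "$3" "$4"
}

# Exit 0 if the fstab text on stdin already references the device or mounts
# something at the mount point; comments and blank lines are ignored. Two
# entries for one mount point are a common cause of boot-time mount errors.
fstab_has_entry() {   # $1 device, $2 mount point
    awk -v dev="$1" -v mp="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == dev || $2 == mp { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of the existing /etc/fstab on the machine.
FSTAB_SAMPLE='LABEL=/          /      ext3  defaults  1 1
LABEL=SWAP-sda2  swap   swap  defaults  0 0
# the new SCSI disk is not listed yet'

DEV=/dev/sdb1; MP=/opt/disks/disk2
NEW_LINE=$(fstab_line "$DEV" "$MP" ext3 nodev,nosuid)
if printf '%s\n' "$FSTAB_SAMPLE" | fstab_has_entry "$DEV" "$MP"; then
    echo "fstab already has an entry for $DEV or $MP; not adding another"
else
    echo "would append to /etc/fstab: $NEW_LINE"
    # on the real box: mkdir -p "$MP"; printf '%s' "$NEW_LINE" >> /etc/fstab; mount "$MP"
fi
```

Running `mount "$MP"` right after editing fstab confirms the line parses before you rely on it at the next reboot.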

After these steps, the second SCSI disk should now be accessible and users will be able to create/access files from the disk. For further details on fstab and other useful information, please visit fstab’s manpage.