nanog mailing list archives
Re: Synful Knock questions...
From: Jake Mertel <jake.mertel () ubiquityhosting com>
Date: Tue, 15 Sep 2015 11:54:30 -0700
Indeed -- While there are methods that can be used to "pack" a file so that it collides with a desirable checksum, that would be nearly impossible to do in this scenario. I suspect that you're right in all regards -- that taking the image file and checking it on another host would show obvious indications of change, that local verification would be impossible since the malware could presumably change the verification output, and that the primary motivation for keeping the file size the same was to prevent simple differential checks like those done by rancid from picking up the change.

--
Regards,

Jake Mertel
Ubiquity Hosting

Web: https://www.ubiquityhosting.com
Phone (direct): 1-480-478-1510
Mail: 5350 East High Street, Suite 300, Phoenix, AZ 85054

On Tue, Sep 15, 2015 at 11:50 AM, Michael Douglas <Michael.Douglas () ieee org> wrote:

> Wouldn't the calculated MD5/SHA sum for the IOS file change once it's modified (irrespective of staying the same size)? I'd be interested to see if one of these backdoors would pass the IOS verify command or not. Even if the backdoor changed the verify output, copying the IOS file off the router and MD5/SHA summing it on another host should show a difference. I guess maintaining the file size is to prevent something like RANCID firing off a diff on the flash dir output.
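The check discussed in this exchange, as an added example that is not part of either post: a size-only comparison of the flash listing stays silent on a same-length modification, while hashing the copied-off image on another host against a reference digest catches it. The file name, sample bytes and function names are constructed for illustration, and the reference digest stands in for one obtained from the vendor out of band.

```python
import hashlib
import hmac
import os
import tempfile

def digest_file(path, algo="sha256", chunk=1 << 20):
    """Hash an image copied off the device, streaming so large files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def size_diff_fires(listing_before, listing_after):
    """What a diff of the flash directory listing sees: name and size only."""
    return sorted(listing_before.items()) != sorted(listing_after.items())

def verify_off_box(path, reference_hex, algo="sha256"):
    """True only if the off-box digest equals the out-of-band reference."""
    return hmac.compare_digest(digest_file(path, algo), reference_hex.lower())

def demo():
    # Constructed stand-in for an image, and a same-length modified copy.
    clean = bytes(range(256)) * 64
    patched = bytearray(clean)
    patched[1000:1016] = b"\x90" * 16          # overwrite in place, length unchanged
    reference = hashlib.sha256(clean).hexdigest()  # assumed vendor-published value

    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "clean.bin")
        bad = os.path.join(d, "patched.bin")
        with open(good, "wb") as f:
            f.write(clean)
        with open(bad, "wb") as f:
            f.write(bytes(patched))
        before = {"image.bin": os.path.getsize(good)}
        after = {"image.bin": os.path.getsize(bad)}
        return {
            "size_diff_fires": size_diff_fires(before, after),
            "clean_verifies": verify_off_box(good, reference),
            "patched_verifies": verify_off_box(bad, reference),
        }

if __name__ == "__main__":
    print(demo())
```
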