WEBVTT

00:07.370 --> 00:08.450
Good afternoon.

00:08.450 --> 00:09.620
Welcome back.

00:09.650 --> 00:11.570
Uh, we've talked about hashing, right?

00:11.570 --> 00:13.040
We showed you how to use hashing.

00:13.040 --> 00:15.380
If you remember, you can refer back to that video.

00:15.440 --> 00:18.110
Uh, and we know that hashing has to do with file integrity.

00:18.140 --> 00:22.550
We know that we can provide file integrity within a system.

00:22.550 --> 00:24.470
We also call this a checksum.

00:24.620 --> 00:26.780
Uh, we can use this in a variety of different ways.

00:26.780 --> 00:31.340
We've shown you how you can download stuff, say the Kali VirtualBox.

00:31.400 --> 00:37.040
Uh, and you can go through and give you a checksum, and then you can run that checksum or that hash

00:37.040 --> 00:41.480
value on that program you downloaded to make sure that what the website is telling you versus what you

00:41.510 --> 00:48.140
downloaded is exactly the same, and that if anything in that file or in that program changes,

00:48.140 --> 00:50.630
you can detect it because the hash values won't match.

00:50.630 --> 00:53.180
And we use that for file integrity on downloading.

00:53.210 --> 00:59.810
We also use it for file integrity when we're talking about making sure that our system didn't change

00:59.810 --> 01:05.480
system files, folders or executables within the operating system.

01:05.480 --> 01:10.400
Now, this can be important if I've got malware, or I suspect malware or malicious activity within

01:10.400 --> 01:11.210
my systems.

01:11.210 --> 01:17.420
I can go through and I can use a program that will quite literally go through and provide a hashing

01:17.420 --> 01:23.240
value for every file or folder on my system, or specific files and folders, depending on how I have

01:23.240 --> 01:24.020
it set up.

01:24.290 --> 01:27.800
And I can go through and make sure that nothing ever changes.

01:27.800 --> 01:34.730
However, that's incredibly hard to go through and actually show, but we can show the manual process,

01:34.730 --> 01:36.770
and that's what we're going to do today.

01:36.770 --> 01:40.310
And we're going to use a program called hashdeep to accomplish this.

01:40.310 --> 01:44.690
So I'm going to open up my terminal and let me blow it up so you can read my screen.

01:44.810 --> 01:46.970
The first thing I'm going to do is I'm going to do an ls.

01:46.970 --> 01:50.210
And you can see here that I have a document called Total Sam.

01:50.240 --> 01:51.710
Now it doesn't have to be a document.

01:51.740 --> 01:52.550
It can be anything.

01:52.550 --> 01:58.250
It's just for the purposes of today's exercise, a document makes more sense because we can go in there

01:58.280 --> 01:59.000
and we can change it.

01:59.030 --> 01:59.720
We could add to it.

01:59.750 --> 02:01.460
We're not doing a lot to it.

02:01.520 --> 02:05.510
Uh, and it still provides us the great experience that we're looking for.

02:05.540 --> 02:10.070
Okay, so the first thing I want to do is I'm going to just do a cat total Sam, just so we can see

02:10.070 --> 02:10.640
what's in it.

02:10.640 --> 02:14.780
And you can see that I'm going to pass my CySA+ exam with flying colors.

02:14.780 --> 02:15.740
Thanks, doctor.

02:15.740 --> 02:16.310
Kay.

02:16.340 --> 02:24.380
However, if I wanted to create an audit trail for this right, I could do a very slow, very painful

02:24.380 --> 02:31.940
audit trail by just doing, say, a sha256sum and then just total Sam.

02:31.970 --> 02:32.570
Right.

02:32.600 --> 02:38.300
And I could go through and I could grab this, and then I could put it in a word document or in a notepad,

02:38.300 --> 02:39.440
and I could save it.

02:39.440 --> 02:43.130
And then I could go back through later date to make sure it didn't change and compare.

02:43.130 --> 02:45.050
And that's just a lot of work.

02:45.050 --> 02:50.360
So instead of doing that for this specific thing, we're going to use a program called hashdeep.

02:50.360 --> 02:58.100
And this is what, a lot of times, your system will do automatically if it's a good antivirus system

02:58.100 --> 03:01.820
or if it's got those extra features associated with it.

03:01.850 --> 03:02.240
Right.

03:02.270 --> 03:04.640
So I'm going to do a hashdeep -h just so we can see it.

03:04.640 --> 03:05.720
This is the manual.

03:05.720 --> 03:07.220
This is the help menu for it.

03:07.220 --> 03:10.850
I always like to show this off so that if you get lost or if you want to do something more than what

03:10.850 --> 03:15.860
I'm showing you here today, you can go back through and really explore this on your own.

03:15.890 --> 03:16.490
All right.

03:16.490 --> 03:20.990
The first command I want to do is actually create that audit trail.

03:20.990 --> 03:24.210
So I'm going to do hashdeep just like so.

03:24.210 --> 03:27.000
And then I'm going to do the name of the file.

03:27.000 --> 03:29.010
So total sim in this case.

03:29.010 --> 03:35.040
And then I need to do an output. I need to provide some type of output for that audit trail to look at.

03:35.040 --> 03:40.500
So instead of just saving it to a text document and having to go through and copy and paste, it literally

03:40.500 --> 03:43.470
goes through and does it for us with that greater than sign.

03:43.500 --> 03:44.130
Right.

03:44.460 --> 03:47.160
Uh, and so I should say that less than sign.

03:47.610 --> 03:49.440
So let's go through let's create that.

03:49.440 --> 03:54.360
I'm just going to do a total and then we'll just call it hash.txt, just like that.

03:54.360 --> 03:56.880
And that's going to provide us with that document.

03:56.880 --> 03:58.590
And we can see here right here.

03:58.860 --> 04:01.680
And if I do an ls, totalhash.txt.

04:01.710 --> 04:09.150
I can actually read that by typing the cat total sim, or I should say totalhash, just like that.

04:09.150 --> 04:15.840
And we can see that it provides us with the hash for this specific item, and it tells us what's going

04:15.840 --> 04:16.740
on with it.

04:16.740 --> 04:20.760
Uh, and the great part is, it provides us multiple hashes. Right.

04:20.790 --> 04:23.790
So it's providing MD5 here.

04:25.620 --> 04:28.590
Well, if you look right here, it's providing us the size; that's at 66.

04:28.620 --> 04:30.720
It's providing us the MD5 hash.

04:30.750 --> 04:37.620
Then it's providing us the SHA256 hash, and then it's telling us where the file name actually is in

04:37.620 --> 04:38.280
the process.

04:38.310 --> 04:38.550
Okay.

04:38.580 --> 04:39.750
So we have the hash.

04:39.750 --> 04:42.870
We have the audit trail that we wanted to associate with.

04:42.900 --> 04:45.060
Next thing we want to do is we actually want to change it.

04:45.060 --> 04:46.230
So I'm going to do well.

04:46.230 --> 04:49.020
Let's do a, let's check and make sure that it actually matches up.

04:49.020 --> 04:53.190
So let's do a hashdeep just like this.

04:53.220 --> 05:00.150
We're going to do a -a with the total sim, just like so. This is going to look at the file.

05:00.150 --> 05:01.530
That's what the A is for.

05:01.560 --> 05:03.870
It's saying hey I want to look at this specific file.

05:03.870 --> 05:06.630
And then we have to tell it what to audit against.

05:06.630 --> 05:11.760
So I'm going to do the total sim, or I should say totalhash.txt.

05:12.060 --> 05:14.160
Now we can see that the audit passed.

05:14.160 --> 05:15.000
And that's great.

05:15.000 --> 05:15.960
We wanted to pass.

05:15.960 --> 05:17.160
Nothing changed in there.

05:17.160 --> 05:18.510
But let's change it now.

05:18.510 --> 05:24.300
And if I do leafpad and then total sim, just like so. Oops.

05:24.300 --> 05:25.110
There we go.

05:25.140 --> 05:26.220
I could change something.

05:26.220 --> 05:27.480
I'm just going to change.

05:27.510 --> 05:31.470
And I'm going to add that, well, I'm going to add two exclamation marks at the end because why not.

05:31.500 --> 05:32.250
Right.

05:32.610 --> 05:35.700
Uh, and then I'm just going to do File.

05:35.760 --> 05:37.650
Save. It's resaved.

05:37.650 --> 05:41.460
And let's rerun that command now and it should fail.

05:41.460 --> 05:42.030
And there it is.

05:42.030 --> 05:48.960
It's failed now because the new hash, or the new checksum associated with the hashing file that we

05:48.960 --> 05:50.940
associated with it didn't match up.

05:50.940 --> 05:52.440
And so it does a failure in there.

05:52.470 --> 05:58.740
Now our antivirus programs for file integrity or file integrity programs, depending on how you utilize

05:58.740 --> 06:05.430
it based on those features, they do pretty much the same thing, except instead of doing one file per

06:05.460 --> 06:12.300
or one hash or checksum file per file, they provide a full directory or list, sort of like a table

06:12.330 --> 06:13.920
to cross analyze against it.

06:13.920 --> 06:17.580
And they go through and they're really looking for the different hash values.

06:17.580 --> 06:23.340
And if something does change, i.e. you gave it permission to change and it was supposed to, then it

06:23.340 --> 06:25.830
goes through and it updates that table as needed.

06:25.830 --> 06:28.140
We add files or we add directories.

06:28.140 --> 06:31.410
It does a new hash or new checksum associated with it.

06:31.410 --> 06:37.080
So this was a basic file integrity utilization using the program hashdeep.

06:37.080 --> 06:40.080
I hope this made sense. I hope it kind of clears things up for you.

06:40.080 --> 06:42.420
Until next time, thanks again.
