those SunBurst / SolarWinds hashes

Royce Williams

If anyone's doing analysis and needs a list of what all of the hashes are used for, I made a reference:
As of this morning, it's complete - all hashes have been cracked. We (my usual cracking collaborators) didn't get the last three stragglers - another researcher, a non-cracking-specialist, had already gotten them all!

One of my crackin' colleagues has also submitted a PR to add each one as comments to this deobfuscated/defanged code, to assist with analysis:

Once that PR is accepted (or if you just pull the submitter's fork), you can read the source code with each hash's solution in context. The etlownoise deobfuscation is one of the best quality, I'm told - and it can even be used in the lab for testing if needed, due to its being defanged (but YMMV, I haven't done this myself, use caution, etc etc.)


Royce Williams
Tech Solvency
