Any internet user will need to download files eventually, as well as most simply have faith which what they are downloading is actually trustworthy. which doesn’t give much clarity into the contents of the file, although if the file’s author published the original checksum, comparing which to the SHA-256 hash of the downloaded file can ensure nothing was tampered with.
When we have a file which we need to audit against a checksum provided by the file’s author, we can use open-source cryptographic software to calculate a checksum. Reviewing the checksum is actually used for situations where maybe you are at a sketchy website or you don’t know if your favorite site is actually being spoofed.
How a Hash Works
Data through a file to be checked is actually divided into 512-bit blocks. Each block is actually passed through the SHA-256 algorithm as well as added to a sum until there is actually no more data to be added to which number. The final sum of which calculation is actually our checksum, also known as a hash. You can learn more about how hashing works from the video below.
In essence, when we calculate a hash, which is actually a one-way cryptographic function, meaning a change to an individual bit will generate a brand-new, seemingly random number which is actually very hard to arrive at again. If you can cause two different files to generate the same checksum, which creates an extremely rare condition called a collision. which kind of attack is actually a weakness in SHA-1 as well as various other cryptographic functions although takes significant time as well as resources to attempt to exploit.
In which article, I will demonstrate how to compare the SHA-256 hash of a file downloaded with the one provided by the file’s author first on a Windows system, as well as then on Kali Linux.
Method 1: Using 7-Zip on Windows
The first thing we are going to do is actually download a program for Windows called 7-Zip. which tool isn’t only for comparing the checksum, although also for compressing as well as decompressing files as well as folders. You can download which through the official 7-Zip download page. Make sure to download as well as install the most recent as well as stable edition. which is actually a very simple to install; just follow the on-screen prompts.
Next, let’s compare a downloaded hash by going to a website which displays the checksum for a download. because of which test, we will be using the download page of VLC media player for Windows. On their site, they helpfully display their checksum in an SHA-256 hash format by clicking the “Display Checksum” button. Stay on which webpage, as we’ll need to compare the hash against which number shortly.
Go to the folder where you downloaded the VLC installation file. After locating which, just right-click on the file as well as scroll down to the part where which says “CRC SHA.” We will need to choose the correct SHA algorithm, which VLC has provided on their website. In which case, we will select the SHA-256 option by clicking on which from the submenu. Notice you don’t have to open 7-Zip up directly to do which.
Finally, 7-Zip will show the outcome of the checksum. currently, we’ll need to compare which value with the one we were provided by the website. Check back with the VLC website as well as locate the checksum to compare the values.
Don’t Miss: How to Crack Passwords, Part 3 (Using Hashcat)
If the contents of the file had been tampered with, the whole checksum would likely change, so I personally usually look at the last 4 characters. If the number has changed, then we know the download was tampered with or corrupted.
Method 2. Using UNXZ on Kali Linux
currently let’s open our favorite Linux distro, Kali Linux, as well as open up the browser.
To run our test, go to the Kali ISO downloads page to locate our example file to download. For a shorter download, we will be selecting the smallest ISO, the “Kali armel” image, to download. You can choose to download which over HTTP or torrent.
Once the image has been downloaded, open up a terminal window as well as use cd to navigate to the folder where you downloaded the file to. There are many ways to unzip a file on Linux, although what worked for me was a command included by default in Kali called unxz. Run which followed by the path to the file to unzip the ISO image you downloaded.
Don’t Miss: Hide Your IP Address that has a Proxy Server
Once which is actually extracted, we want to type the following into a terminal window. Make sure “2017.1” is actually replaced with the current edition you downloaded.
Hit return as well as the checksum for the file will be displayed from the terminal window. currently, you can compare against the checksum provided by the website. They should match, as shown from the image below.
Threats Against Hashing
There are still attacks about using the checksum method, most recently SHA-1 was demonstrated to be vulnerable to a collision attack, so most users have switched to a brand-new standard protocol that has a longer, more secure cryptographic algorithm called SHA-256. There could be people, at which moment, working on a generating a collision attack on SHA-256.
These techniques can be subverted by tactics like a man-in-the-middle attack. An attacker could simply comprise the web host for which file, replace the real hash with the checksum of their own malicious file, or create a brand-new hash with the attacker’s manipulated file’s checksum value as well as swap the file for the original on the site. which is actually exactly what happened to users who downloaded a compromised edition of Linux Mint 17.3 Cinnamon edition hosted on a compromised Bulgarian FTP server, so be careful out there!
SHA-256 — Your Second Set of Eyes
to ensure which’s which, you can currently confirm which the download is actually in its true form, as well as was not manipulated in any way. which is actually just one of many methods for staying safe on the internet while downloading files. In reality, which is actually a way of being more aware of your surroundings, similar to protecting your PIN number at an ATM. Aside through defending against malicious hackers embedding malware into downloads, which also can be used to detect corrupted files.
Thanks for reading. Stay connected as well as check out our social accounts!
Screenshots by Nitrous/Null Byte