In this new version of hash.py, a tool to calculate hashes, I add “hash” checksum8.
Checksum8 calculates the sum of all bytes contained in the provided file(s); each byte is interpreted as an unsigned, 8-bit integer.
I recently had to validate that the path of a URL was a “valid” Meterpreter identifier. When the least significant byte of the 8-bit checksum of the path is equal to 92 (0x5C), then we have a valid URL for a Windows Meterpreter stager.
Take this URL: http://127.0.0.1/RVdP. Could this be a “Windows Meterpreter” URL? Let’s calculate the checksum of RVdP:
The 8-bit checksum of RVdP is 0x015C. The least significant byte is 0x5C, or 92: this matches URI_CHECKSUM_INITW, i.e. this could indeed be a URL used by a reverse http Meterpreter payload.
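The same check applied to a list of URLs, as an added example (this is not code from hash.py). The function names and the sample URLs are constructed for illustration, and it assumes the checksum is taken over the URL path without its leading slash, as with RVdP above.

```python
from urllib.parse import urlsplit

URI_CHECKSUM_INITW = 92  # 0x5C, the value given in the text above


def checksum8(data: bytes) -> int:
    """Sum of all bytes, each read as an unsigned 8-bit integer (sum not truncated)."""
    return sum(data)


def is_candidate(url: str) -> bool:
    """True when the least significant byte of the path's checksum8 is 92."""
    # Assumption: only the path counts, leading slash and query string excluded.
    path = urlsplit(url).path.lstrip("/")
    if not path:
        return False  # an empty path sums to 0 and is never a candidate
    return checksum8(path.encode("utf-8")) & 0xFF == URI_CHECKSUM_INITW


def triage(urls):
    """Return (url, checksum) pairs for URLs whose path passes the check."""
    hits = []
    for url in urls:
        if is_candidate(url):
            path = urlsplit(url).path.lstrip("/")
            hits.append((url, checksum8(path.encode("utf-8"))))
    return hits


# Constructed sample input, e.g. URLs pulled from a proxy log.
SAMPLE_URLS = [
    "http://127.0.0.1/RVdP",
    "http://example.com/index.html",
    "http://example.com/favicon.ico",
    "http://example.com/",
    "http://example.com/RVdP?x=1",
]

if __name__ == "__main__":
    for url, total in triage(SAMPLE_URLS):
        print(f"{url}  checksum8=0x{total:04X}  LSB=0x{total & 0xFF:02X}")
```

Roughly one random path in 256 passes this test by chance, so a match is a reason to look closer at the traffic, not proof of a Meterpreter stager.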
Besides this new feature, hash.py comes with other features like “pack expressions” and various bug fixes.