Murmur support was primarily developed to facilitate threat hunting via Shodan. As such, the Murmur operation only returns a 32-bit signed hash, which can be used to perform Shodan queries using the http.html_hash and http.favicon.hash facets.
For web servers, the crawlers also calculate a numeric hash of the website. To find identical websites there's the
http.html_hashproperty, search filter and facet.http.html_hashis a numeric hash of the HTML for the website (as stored in thehttp.htmlproperty).
Simply paste in the expected HTML / response into the CyberChef Input area. Use the Murmur operation, setting the version as 3, and the Seed value to 0. The value returned in the Output can be used to perform a http.html_hash query.
Generating a Shodan-compliant hash requires a few additional steps:
- Loading a favicon into the Input area
- Converting the input to Base64
- Inserting a newline
\n, every 76 characters - Adding a final newline
\nat the very end of the output - Processing the output through the Murmur operation
Alternatively, the following recipe can be loaded into CyberChef using the Load Recipe button in the Recipe area:
To_Base64('A-Za-z0-9+/=')
Find_/_Replace({'option':'Regex','string':'(.{76})'},'$1\\n',true,true,true,true)
Find_/_Replace({'option':'Regex','string':'$'},'\\n',true,false,false,false)
Murmur('3',0)
The resulting output can then be used with the http.favicon.hash facet.
Whilst a compiled version of CyberChef with Murmur support is available on the Releases page, it is highly advisable that users compile the tool using the Master branch of CyberChef.
git clone https://github.com/gchq/CyberChef.git- Follow the installation instructions on the CyberChef Wiki
- Update
/src/core/config/Categories.jsonto include an entry forMurmurunderHashing - Copy Murmur.mjs to
/src/core/operations - Copy murmurhash.js to
/src/core/vendor - Follow the remaining instructions on the CyberChef Wiki to compile CyberChef with native Murmur support (use of
--forcemay be necessary)
- Scan't Touch This - Proactively Detect Adversaries Beyond Your Environment
- Pivoting with Property Hashes
- Weaponizing favicon.ico for BugBounties , OSINT and what not
- Shodan Favicon Hashes
This version of Murmur hash support within CyberChef is based on Gary Court's implementation, subsequently ported for node-js.
Due to conflicting licensing terms, it is not possible to submit pull requests to the CyberChef Master branch without re-implementing the Murmur hash implementation.
License (MIT)
Copyright (c) 2020 Gary Court, Derek Perez, Sajid Nawaz Khan
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.