3

I'm running Snort which detects some P2P activity, specifically the BitTorrent announce request. I see the HTTP GET /announce.php?info_hash=XXX... request and I'm trying to convert this XXX into a proper SHA1 hash to try and get an idea of what is being downloaded.

I've read various things that say this is URL encoded, and others that say just remove the % character - however I am unable to reproduce this.

Can anyone suggest how to do this?

Jeff

3 Answers

4

info_hash is an SHA1 hash. It's a binary hash, URL-encoded for inclusion in a URL.

If you want to turn it into a hex-encoded hash, you will need to extract it from the URL, URL-decode, and hex-encode. For example in Python:

>>> import urllib
>>> '%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF'
'%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF'
>>> urllib.unquote_plus(_)
'\x00\x01\x02 %ABC XYZabc\x7f\x80\x81\xfe\xff'
>>> _.encode('hex')
'00010220254142432058595a6162637f8081feff'
bobince
0

Okay, now I know. info_hash is an SHA1 hash. And an example of it is: %5d%97%dbA%d7a%2b%92%f5%c2%ef%dcv%bf%e7%e6%03%24%85%0a. If you use $_GET['info_hash'], it will not work, because of the %s. You need to use $_SERVER['QUERY_STRING']. Code example of how to get the SHA1 hash of info_hash in PHP:

$arye = $_SERVER['QUERY_STRING'];
$arye = explode('info_hash=', $arye)[1];
$arye = explode('&', $arye)[0];
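$arye = explode('%', $arye);
// Anything before the first '%' is literal bytes, not hex digits
$arp = bin2hex(array_shift($arye));
foreach($arye as $ara) {
    // The first two characters are the hex digits of an escaped byte
    $arp .= substr($ara, 0, 2);
    // Any characters after them are literal bytes; hex-encode all of them
    $arp .= bin2hex((string) substr($ara, 2));
}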

echo $arp; // This will be your SHA1 hash

Hash: %5d%97%dbA%d7a%2b%92%f5%c2%ef%dcv%bf%e7%e6%03%24%85%0a -> 5d97db41d7612b92f5c2efdc76bfe7e60324850a
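The decoding described in the answers above, as an added Python 3 example that is not part of either answer: it pulls info_hash out of a raw request line such as an IDS alert payload, decodes it as bytes, and checks that the result is a 20-byte SHA-1 digest. The function name and the request line (including its peer_id and port) are constructed for illustration; the info_hash value is the one quoted above.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: a tracker request line as it might appear in an alert
# payload, carrying the info_hash value quoted in the answer above.
SAMPLE_REQUEST = (
    "GET /announce.php?info_hash=%5d%97%dbA%d7a%2b%92%f5%c2%ef%dcv%bf%e7%e6"
    "%03%24%85%0a&peer_id=-XX0000-000000000000&port=6881 HTTP/1.1"
)

_INFO_HASH_RE = re.compile(r"[?&]info_hash=([^&\s]*)")


def info_hash_hex(request_line: str) -> str:
    """Return the 40-character hex info_hash found in a raw request line.

    The value is read from the raw query string, not from a parsed parameter
    dict: the hash is arbitrary binary, and decoding it as text (UTF-8)
    would corrupt bytes >= 0x80.
    """
    match = _INFO_HASH_RE.search(request_line)
    if match is None:
        raise ValueError("no info_hash parameter in request")
    raw = match.group(1)
    # Reject malformed escapes instead of silently passing them through.
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw):
        raise ValueError("malformed percent-escape in info_hash")
    # '+' means space in a query string (same behaviour as unquote_plus).
    digest = unquote_to_bytes(raw.replace("+", " "))
    if len(digest) != 20:
        raise ValueError(f"expected 20 bytes (SHA-1), got {len(digest)}")
    return digest.hex()


if __name__ == "__main__":
    print(info_hash_hex(SAMPLE_REQUEST))
```

The length check catches truncated captures, which otherwise yield a shorter hex string that matches no torrent.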

0

No, you can,

infohash == sha1(torrentfile["info"])

But you could use info_hash as a key to search for it on the DHT network.

Robert