How do I convert a Bit Torrent info_hash (obtained from Wireshark) to a SHA1 hash

Question

I'm running Snort which detects some P2P activity, specifically the BitTorrent announce request. I see the HTTP GET /announce.php?info_hash=XXX... request and I'm trying to convert this XXX into a proper SHA1 hash to try and get an idea of what is being downloaded.

I've read various things that say this is URL encoded, and others that say just remove the % character - however I am unable to reproduce this.

Can anyone suggest how to do this?

Answer 1

Okay, know I know. info_hash is an SHA1 hash. And an example of it is: %5d%97%dbA%d7a%2b%92%f5%c2%ef%dcv%bf%e7%e6%03%24%85%0a. If you use $_GET['info_hash'], it will not work, because of the %s. You need to use $_SERVER['QUERY_STRING']. Code example how to get SHA1 hash of info_hash in PHP:

$arye = $_SERVER['QUERY_STRING'];
$arye = explode('info_hash=', $arye)[1];
$arye = explode('&', $arye)[0];
$arye = explode('%', $arye);
$arp = '';
foreach($arye as $ara) {
    if (strlen($ara) == 2) {
        $arp .= $ara;
    }else{
        $e1 = substr($ara, 0, 2);
        $e2 = substr($ara, 2, 1);
        $e2 = unpack('H*', $e2)[1];
        $arp .= $e1;
        $arp .= $e2;
    }
}

echo $arp; // This will be your SHA1 hash

Hash: %5d%97%dbA%d7a%2b%92%f5%c2%ef%dcv%bf%e7%e6%03%24%85%0a -> 5d97db41d7612b92f5c2efdc76bfe7e60324850a

Answer 2

info_hash is an SHA1 hash. It's a binary hash, URL-encoded for inclusion in a URL.

If you want to turn it into a hex-encoded hash, you will need to extract it from the URL, URL-decode, and hex-encode. For example in Python:

>>> '%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF'
'%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF'
>>> urllib.unquote_plus(_)
'\x00\x01\x02 %ABC XYZabc\x7f\x80\x81\xfe\xff'
>>> _.encode('hex')
'00010220254142432058595a6162637f8081feff'

Answer 3

No, you can,

infohash == sha1(torrentfile["info"])

But you could use info_hash as key to search it on DHT network