Build your own NSRL Server

It's been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn't let the year end without getting at least a few posts up. I promise 2014 will be better as I actually missed blogging this year.

This post will cover how to get your own NSRL server running so you can perform hash checks while you are out on IR engagements, or whatever the "case" may be.

Getting Started

I’m sure you can use another Linux distro, but I already had REMnux installed and configured.


  • remnux@remnux:~/$unzip
  • remnux@remnux:~/$sudo ./configure
  • remnux@remnux:~/$sudo make install
  • remnux@remnux:~/$nsrlsvr

Check if the process is running. It should be quite large as it will load all of the hashes into memory for better performance.

remnux@remnux:~/$ ps aux |grep nsrl

remnux 6984 0.4 62.5 2139288 1938472 ? Ssl 02:03 0:22 nsrlsvr  

You're done. Simple, huh?

On Windows

On a pretty much fresh install of Windows XP SP3 and filtering by "unknown" only you should get something like this. Note that most of those are VMWare Workstation related, which is newer version from when the last time the NSRL hashes were posted.

md5deep.exe -o e -s C:\Windows\System32\* | nsrllookup.exe -s

2ce150705bbeb30e6c8059cc530043aa C:\Windows\System32\Packet.dll  
f8dea29db6acd5e0cdf826f61c57422f C:\Windows\System32\tprdpw32.dll  
d553ed83f09c35d5bfb6d2195b76f491 C:\Windows\System32\TPSvc.dll  
12d82f9b89b41ed2ead173d2843599cd C:\Windows\System32\TPVMMon.dll  
c6bdfd9f093fb16fcc7da5c978defd5a C:\Windows\System32\TPVMMondeu.dll  
ef3d6aa91b07e980db537592d75a1f94 C:\Windows\System32\TPVMMonjpn.dll  
e5d6bda8319a3a8807cdc4c02fb32a1c C:\Windows\System32\TPVMMonUI.dll  
e256cd358572eba41f05ffb1503b79c5 C:\Windows\System32\TPVMMonUIdeu.dll  
b1a817677372f1d0646193ef5aa97136 C:\Windows\System32\TPVMMonUIjpn.dll  
cb2df5c410ac9bb9f522259bbc13c710 C:\Windows\System32\TPVMW32.dll  
b609f11ae55ee952b49a04bfdb141288 C:\Windows\System32\vmGuestLib.dll  
8db91bbc5060d91d9f23adee24f4c1bd C:\Windows\System32\vmGuestLibJava.dll  
8821ebee901b208239fe6ee3414eb062 C:\Windows\System32\vmhgfs.dll  
d2aa64cb308cdbc6034744503d6ee66b C:\Windows\System32\vmwogl32.dll  
28380e517b6ab25c3f1e61a42dc19b1e C:\Windows\System32\vmx_fb.dll  
d053547c06d55a4100b7bf84e9818370 C:\Windows\System32\vmx_mode.dll  
5c68ef9d3a8e424dc404de6430663c02 C:\Windows\System32\vsocklib.dll  
4633b298d57014627831ccac89a2c50b C:\Windows\System32\wpcap.dll  

NOTE I only hashed executable files (-o e). By default nsrllokup.exe will use the -u (unknown) flag, which is most likely what you're going to be using. If you wanted to filter by -k (known) you could use nsrllookup.exe -k -s _ip_. -u is default so you don't have to specify it.

You can customize your list of hashes if you want and pass the -f locationtoyour_set when starting up nsrlsvr. I used NSRL because everyone knows about them. If anyone knows of a more up-to-date or better list of hashes put it in the comments so everyone can use it. I use a combination of NSRL and custom hashes.

Here are the options from nsrlsvr

remnux@remnux:~$ nsrlsvr -h

Usage: nsrlsvr [-vbhsSo -f FILE -p PORT -t TIMEOUT]  
-v : print version information
-b : get information on reporting bugs
-f : specify an alternate RDS (default: /usr/local/share/nsrlsvr/NSRLFile.txt)
-s : allow clients to query server status (default: disabled)
-S : run as a normal process (do not run as a daemon)
-o : only support old (1.0) nsrlsvr protocol
-h : show this help message
-p : listen on PORT, between 1024 and 65535 (default: 9120)
-t : stop after TIMEOUT seconds of inactivity (default: disabled)

Organizations that use a standard baseline should be able automate and leverage this pretty easily within their environment.

Props to RJHansen for writing this tool! Thanks.