
Hash Lookup

Look up MD5, SHA-1, SHA-256 hashes in breach databases to identify compromised passwords and malware

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.


What Is Hash Lookup

Hash lookup searches databases of known file hashes to identify whether a file is recognized as legitimate software, known malware, or previously analyzed by security researchers. By computing a cryptographic hash (MD5, SHA-1, or SHA-256) of a file and querying hash databases, security analysts can instantly classify files without executing them or performing time-consuming manual analysis.

Hash-based file identification is a cornerstone of malware analysis, incident response, and threat intelligence. Services like VirusTotal, NIST NSRL (National Software Reference Library), and CIRCL hashlookup maintain databases of billions of known file hashes. A single hash query can tell you whether a suspicious file is a known malware sample, a legitimate Windows system file, or a common open-source library.

How Hash Lookup Works

Cryptographic hash functions produce a fixed-length fingerprint of any input data. Even a one-bit change in the file produces a completely different hash, making hashes reliable file identifiers:

| Algorithm | Output Length | Status | Use Case |
|-----------|---------------|--------|----------|
| MD5 | 128 bits (32 hex chars) | Deprecated (collisions found) | Legacy databases, quick lookup |
| SHA-1 | 160 bits (40 hex chars) | Deprecated (collisions demonstrated) | Transitional; still in some databases |
| SHA-256 | 256 bits (64 hex chars) | Current standard | Primary identification hash |

Hash database types:

  • Known-good (allowlist): NIST NSRL catalogs hashes of legitimate software from OS vendors, application developers, and package managers
  • Known-bad (blocklist): Malware hash databases from antivirus vendors, threat intelligence feeds, and community submissions
  • Multi-scanner results: VirusTotal aggregates detection results from 70+ antivirus engines for each hash

Limitations: Hash lookup only identifies exact matches. Polymorphic malware that changes its code with each copy, packed executables, and minor file modifications all produce different hashes. Fuzzy hashing (ssdeep, TLSH) addresses this by detecting similar—not identical—files.

Common Use Cases

  • Malware triage: Quickly determine if a suspicious file is known malware before investing in dynamic analysis
  • Incident response: Check file hashes found on compromised systems against threat intelligence databases
  • Allowlist management: Verify that files in your application allowlist match known-good software hashes
  • Forensic analysis: Identify unknown files on disk images by comparing their hashes to known software databases
  • Threat hunting: Search for specific malware hashes across endpoint telemetry to detect unreported infections

Best Practices

  1. Always compute SHA-256 — It is the current standard; MD5 and SHA-1 have known collision vulnerabilities
  2. Query multiple databases — No single database is comprehensive; check VirusTotal, NSRL, and threat feeds
  3. Don't rely solely on hash matching — Zero-day malware and polymorphic threats won't appear in any hash database
  4. Use fuzzy hashing for similarity — Tools like ssdeep and TLSH identify files that are similar but not identical to known samples
  5. Maintain an internal hash inventory — Track hashes of approved software in your environment for rapid allowlist checks
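The lookup flow described above, as an added example (not this tool's own code): it hashes a stream once for all three algorithms, normalizes feed entries by the hex lengths in the table, and checks an internal known-good and known-bad inventory. The byte strings, the two inventory sets and the helper names are constructed for illustration.

```python
import hashlib
import io
import re

# Hex lengths from the table above: MD5 = 32, SHA-1 = 40, SHA-256 = 64.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(value):
    """Return (algorithm, lowercase hex digest), or raise ValueError."""
    h = value.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(h))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return algo, h


def digest_stream(stream, chunk_size=65536):
    """Read a binary stream once and return all three digests."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_HEX_LEN.values()}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def classify(digests, known_good, known_bad):
    """Exact-match lookup: blocklist first, allowlist on SHA-256 only."""
    if known_bad & set(digests.values()):
        return "known-bad"
    if digests["sha256"] in known_good:
        return "known-good"
    return "unknown"  # a miss is not a verdict of "safe"


# Constructed sample data: stand-ins for real file contents and feeds.
APPROVED = b"constructed bytes of an approved installer"
FLAGGED = b"constructed bytes of a flagged sample"
KNOWN_GOOD = {hashlib.sha256(APPROVED).hexdigest()}
# Legacy feed entry: MD5 only, uppercase hex, so it must be normalized.
KNOWN_BAD = {normalize_hash(hashlib.md5(FLAGGED).hexdigest().upper())[1]}


def triage(data):
    return classify(digest_stream(io.BytesIO(data)), KNOWN_GOOD, KNOWN_BAD)


if __name__ == "__main__":
    print(triage(APPROVED))           # allowlist hit on SHA-256
    print(triage(FLAGGED))            # blocklist hit via the MD5 entry
    print(triage(FLAGGED + b"\x00"))  # one appended byte: exact match lost
```

The last call shows the limitation noted earlier: a single changed byte turns a known-bad file into an unknown one, which is where fuzzy hashing takes over.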


Frequently Asked Questions

Common questions about Hash Lookup

Hash lookup searches for hash values (MD5, SHA-1, SHA-256) in databases of known hashes from data breaches, malware samples, or password dictionaries. It is used to identify compromised passwords, detect malware files, or verify file integrity. It compares an unknown hash against millions of known values, which is faster than brute-force cracking. It is common in incident response and security research.

Popular databases: Have I Been Pwned (850M+ password hashes), VirusTotal (malware file hashes), NSRL (National Software Reference Library), MD5decrypt, CrackStation (15B+ hashes), HashKiller. Some are free, others paid/API. HIBP uses k-anonymity (it sends the first 5 chars only). Most focus on passwords; some specialize in malware or file integrity.

No. Hash lookup only finds passwords already in breach databases or common dictionaries. Strong, unique passwords (16+ chars, random) rarely appear in databases. Lookup finds weak or reused passwords in minutes; strong passwords require brute force (years/centuries). Use this to verify password strength: if a password is found, it is compromised. Change it immediately.

K-anonymity protects privacy during hash lookup. Instead of sending the full hash (which reveals the exact password if the database is malicious), the client sends only the first 5 characters. The API returns all matching hashes, and the client checks them locally. Example: for hash 5BAA6..., send "5BAA6", receive ~500 matches, and check offline. HIBP Pwned Passwords uses this. It prevents the database from knowing your exact hash.
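The k-anonymity exchange described above, as an added example that is not part of the original page. It assumes SHA-1 hashes and a range response of `SUFFIX:COUNT` lines; `fetch_range` is a hypothetical callable standing in for the HTTP request, and the response body and its counts are constructed.

```python
import hashlib


def split_sha1(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Send only the prefix; match the suffix against the reply locally."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the remote service. It records what it was sent,
# which is everything the service learns about the password.
SENT = []
_, _KNOWN_SUFFIX = split_sha1("password")
CONSTRUCTED_BODY = "\r\n".join([
    "0" * 35 + ":3",            # constructed neighbour in the same bucket
    _KNOWN_SUFFIX + ":1234",    # constructed count for the sample password
    "F" * 35 + ":7",            # constructed neighbour in the same bucket
])


def fake_fetch_range(prefix):
    SENT.append(prefix)
    return CONSTRUCTED_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(pwned_count("password", fake_fetch_range))  # found in the bucket
    print(SENT)                                       # only the prefix left
```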

Copy the file hash (MD5/SHA-1/SHA-256) from the malware sample and search for it in VirusTotal, MalwareBazaar, or ThreatCrowd. Results show antivirus detections, malware family, submission date, IOCs (IPs, domains, URLs), and related samples. Hash lookup identifies known malware instantly. If the hash is unknown, it is likely a new variant; submit it for sandbox analysis. Always use an isolated VM for malware handling.

Hash not found means the hash does not exist in the database searched. For passwords, that is good news: it is not in known breaches (but it could still be weak). For files, it means the file is unknown to that database (not necessarily safe; it could be new malware). Search multiple databases. Hash not found ≠ secure. Use additional validation: password strength checks, antivirus scans.

Use SHA-256 for new systems (more secure, collision-resistant). MD5/SHA-1 are acceptable only for legacy lookups in older databases. Many breach databases still use MD5 (faster, smaller). For file integrity or security, always use SHA-256+. For lookup, use the hash type that matches your source (Windows logs = NTLM, Linux = SHA-512, web = bcrypt).

Yes, when used ethically: checking your own passwords, analyzing malware samples in research, incident response, threat intelligence, password policy validation. Illegal uses: cracking others' passwords without authorization, accessing protected systems, distributing cracked passwords. Follow responsible disclosure. Comply with the CFAA (US) and the Computer Misuse Act (UK). Research only; no unauthorized access.
