Sunday, September 30, 2012

DerbyCon

I'm at DerbyCon this weekend, and I can recommend some of the talks as being of special interest to intrusion analysts.

Bart Hooper did an excellent talk called "Hunting Evil", where he spoke on the subject of obfuscated malware, especially JavaScript, and methods of decoding it. He did a nice walk-through of deobfuscating a BlackHole Exploit landing page, using a new tool he wrote called Spondulas. Spondulas was written to extend and update the work that other tools such as Malzilla (one of my favorites) do. It supports POST requests, GET requests and Ajax persistent connections, and has a monitor mode that will systematically re-query the site and record changes that have been made to it. It will follow the redirect chain, pull down each site and file it for inspection.

Doug Burks did a great talk on the new beta version of Security Onion. If you're not familiar with Security Onion, it's a distribution with pre-configured versions of Snort, Sguil, Snorby, ELSA, PRADS, Bro, Suricata, NetworkMiner, Squert and more. Doug has taken the project from originally being a Live CD to an enterprise-level project supporting a network of distributed sensors. This is really the easiest way to get up and running with IDS and analysis tools. If you're just starting out and want a platform to work with and learn on, the sensor and console can both be installed on the same box with a few clicks and answers to a few basic questions.

H.D. Moore of Metasploit fame did the first talk of the conference on the "Wild West" of the Internet, sharing results from his massive survey of ports, services and platforms. The results are somewhat shocking, as we haven't come nearly as far as we'd like to think in locking down our infrastructure. The basic security tenets of patching, upgrading, shutting down unneeded services and not exposing unneeded services to the public are still not being heeded.

Finally, the talk by Jeff Moss was excellent. Jeff spoke on the general direction of network and information security, talked about his current tenure with ICANN, and laid out the political and financial forces that are shaping the direction of the Internet. Highly recommended.

Tuesday, September 25, 2012

Quick base64 decode

You can quickly decode base64 while doing analysis from the shell by using the Linux base64 command.
In the data below, we have a base64-encoded string that our IDS has alerted on.

src=\"data:text/html;base64,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\" target=\"_top\" width=\"100%\" style=\"min-height: 48px; max-height: 52px;\" ......

To decode this (assuming we got the full packet(s) and have the entire string), we can copy the base64 string and echo it into base64, using the -d parameter to decode:

[jeff@analysis3 wgets]# echo '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' | base64 -d
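The one-liner above works when you have already copied the string out by hand. As an added example (not from the original post), the function below pulls every base64 data: URI out of a blob of captured packet text, restores any '=' padding that was stripped in transit, and decodes each one with the same base64 -d; the sample payload is constructed and its base64 decodes to a harmless HTML comment.

```shell
#!/bin/sh
# Constructed sample in the escaped form an IDS alert payload takes. The base64
# is made up for this example: the first decodes to an HTML comment, the second
# has its trailing '==' padding stripped, as often happens in copied alerts.
SAMPLE='src=\"data:text/html;base64,PCEtLSB0ZXN0IC0tPg==\" target=\"_top\" src=\"data:text/plain;base64,bm90IHBhZGRlZA\"'

# Extract and decode every base64 data: URI found in $1, one decoded blob per line.
# Undecodable strings are reported on stderr instead of silently producing garbage.
decode_data_uris() {
    printf '%s\n' "$1" \
      | grep -oE 'data:[A-Za-z0-9/.+-]+;base64,[A-Za-z0-9+/=]+' \
      | sed 's/^.*;base64,//' \
      | while IFS= read -r b64; do
            # base64 -d rejects input whose length is not a multiple of 4,
            # so restore missing '=' padding before decoding.
            pad=$(( (4 - ${#b64} % 4) % 4 ))
            while [ "$pad" -gt 0 ]; do b64="$b64="; pad=$((pad - 1)); done
            if decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null); then
                printf '%s\n' "$decoded"
            else
                printf '[undecodable base64: %s]\n' "$b64" >&2
            fi
        done
}

decode_data_uris "$SAMPLE"
```

Pipe a whole extracted HTTP body or a Sguil transcript into it rather than a single string when the page carries several data: URIs.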

Output:


[jeff@analysis3 wgets]#
