Tuesday, September 25, 2012

Quick base64 decode


You can quickly decode base64 while doing analysis from the shell by using the Linux base64 command.
In the data below, we have a base64 encoded string that our IDS has alerted on.

src=\"data:text/html;base64,PGh0bWw+PGhlYWQ+PGJhc2UgdGFyZ2V0PSdfdG9wJyAvPgo8c2NyaXB0IHR5cGU9J3RleHQvamF2YXNjcmlwdCc+CmZ1bmN0aW9uIG5ld193aW5kb3coKSB7Cgl2YXIgYW5jaG9ycyA9IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdhJyk7CgkJZm9yKHZhciBpID0gMDsgaSA8IGFuY2hvcnMubGVuZ3RoOyBpKyspIHsKCQlhbmNob3JzW2ldLnRhcmdldCA9ICdfdG9wJzsKCQkJfQoJCX0Kd2luZG93Lm9ubG9hZCA9IG5ld193aW5kb3c7Cjwvc2NyaXB0Pgo8L2hlYWQ+PGJvZHk+PGRpdiBzdHlsZT0idGV4dC1hbGlnbjogY2VudGVyOyI+PHA+PGltZyBzcmM9Imh0dHA6Ly9jMzkuc21hYXRvLm5ldC9vYXBpL2ltZy9hZHNwYWNlci5naWY/ZT0xMDYiIGFsdD0iIiAvPjwvcD48L2Rpdj48L2JvZHk+PC9odG1sPg==\" target=\"_top\" width=\"100%\" style=\"min-height: 48px; max-height: 52px;\" ......

To decode this (assuming we got the full packet(s) and have the entire string, we can copy the base 64 string and echo it into base64, using the –d parameter to decode:

[jeff@analysis3 wgets]# echo 'PGh0bWw+PGhlYWQ+PGJhc2UgdGFyZ2V0PSdfdG9wJyAvPgo8c2NyaXB0IHR5cGU9J3RleHQvamF2YXNjcmlwdCc+CmZ1bmN0aW9uIG5ld193aW5kb3coKSB7Cgl2YXIgYW5jaG9ycyA9IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdhJyk7CgkJZm9yKHZhciBpID0gMDsgaSA8IGFuY2hvcnMubGVuZ3RoOyBpKyspIHsKCQlhbmNob3JzW2ldLnRhcmdldCA9ICdfdG9wJzsKCQkJfQoJCX0Kd2luZG93Lm9ubG9hZCA9IG5ld193aW5kb3c7Cjwvc2NyaXB0Pgo8L2hlYWQ+PGJvZHk+PGRpdiBzdHlsZT0idGV4dC1hbGlnbjogY2VudGVyOyI+PHA+PGltZyBzcmM9Imh0dHA6Ly9jMzkuc21hYXRvLm5ldC9vYXBpL2ltZy9hZHNwYWNlci5naWY/ZT0xMDYiIGFsdD0iIiAvPjwvcD48L2Rpdj48L2JvZHk+PC9odG1sPg==' | base64 -d

Output:


[jeff@analysis3 wgets]#

No comments:

Blog Archive