Tuesday, May 13, 2014

Unzip Gzip

New intrusion analysts will find that web traffic is increasingly compressed due to more and more complex sites with lots of multimedia content. You might use wget to pull down a page in your investigation or use something like Spondulas and end up with a file of mostly "garbage", like this one (intentionally shortened).

HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Tue, 27 April 2014 18:44:27 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=dda0ed9839b8fbbaadbee565b711a05951400006667162; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.yadayada.com; HttpOnly
Cache-Control: max-age=10
Expires: Tue, 13 May 2014 18:44:37 GMT
CF-RAY: 12a101e5c86a09ac-ORD
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive

4e5
^_<8b>^H^@^@^@^@^@^@^CWmo6^P_j@^B^T^Gk<9b>&<96><86>"M|Z<8a>0hl1H<95>]<8e>H<93>6<80><8b>u{{x_O/>;#<85>+e6<9a><<98>^S^Yy)#^S@d<91>^R^A<89><96><80><88>H^Vi^D<8a>=BG^_Ab<89>[^V^GvBx^X
=PG^O<80>Z^V+vE<8d>Bi^_^@<96><8f>^SNB<8a>s<96>^D/Ru\<81>^S<96>kESCs]<92>E
...
...
...
0

Notice we see the Content-Encoding field tells us gzip compression is in use.

The Moloch packet capture program has a built-in gzip decompressor, but if you don't have a tool that will do this automatically, it's easily accomplished manually. Open the file in vi or some other text editor and remove the http header, blanks lines, etc down to the block of text (that starts with the first caret). Save the file with a .gz extension or rename it. Then just run gzip with the -d parameter (to decompress) on the filename. gzip -d
The resulting file should now be unzipped and readable (and no longer have the .gz extension).


No comments:

Blog Archive