Detecting and Preventing Anonymous Proxy Usage - SANS Institute


SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Detecting and Preventing Anonymous Proxy Usage

Many organizations filter the Internet sites that their users may view. They do this for legitimate reasons that include preventing hostile work environments for their users, protecting network assets and

Excerpt from the paper's Perl detection script. The listing starts partway through the script: the outer loops that read CHECKFILE and set $TempElement, $EqualPos, $weburl, $LineCt and $Strict are not on this page, and the four closing braces at the end belong to them.

use MIME::Base64;   # needed for MIME::Base64::decode below

# "?var=" then strip it out.
if (($TempElement =~ m/.*\?*=/) && ($EqualPos < $ElementLength - 4)) {
    # Take the string after the = character.
    $TempElement = substr($TempElement, index($TempElement, "=") + 1);
    $ElementLength = length($TempElement);
};

# If Base64 encoding ended with an "=" sign at the end, it will likely be "URL" encoded
# as the "=" sign has meaning within a URL. The value it has is "%3D".
if ($TempElement =~ m/(%3D)+/) {
    $TempElement =~ s/%3D/=/;
};

# Clean off any trailing variables like "&b=52"
if ($TempElement =~ m/.*&.*/) {
    $TempElement = substr($TempElement, 0, index($TempElement, "&"));
    $ElementLength = length($TempElement);
};

# Base64 is always on a 4 byte boundary (padded with "=" if needed.) If we get a 0 from Length MOD 4
# then we know the length is right for a Base64 string.
$DivByFour = $ElementLength % 4;

# It's not Base64 if it has a: .%!_ in it. Also, Base64 is in 4 byte blocks so if
# the string is not divisible by 4, it's not Base64. A caveat is that some anonymous
# proxies drop the padding instead of URL encoding it. The result is that it still decodes
# correctly, but it's not "proper" Base64. I set up a strict variable so it can be set to
# '1' if you want strict Base64 checking or '0' if you want loose checking (the test below
# skips the length check only when $Strict is 0). Loose checking will result in more
# false positives output.
if ((not $TempElement =~ m/[.%!_]+/) && (($DivByFour == 0) || ($Strict == 0))) {
    # print "got here\n";
    $DecodedValue = MIME::Base64::decode($TempElement);

    # If we've decoded a non-Base64 value, the ASCII value will probably not be
    # one of the first 128 regular characters and give a value > 128. This extra
    # check will prevent some false positives.
    $Len = length($DecodedValue);
    $PosInString = 0;
    $NotB64 = 0;
    print "PosInString: ".$PosInString." Length: ".$Len."\n";

    while ($PosInString < $Len) {
        $CurChar = substr($DecodedValue, $PosInString, 1);
        # Get current character's ASCII value
        $ASCIIval = ord($CurChar);
        # We don't want non printable, space, or extended ASCII codes
        if (($ASCIIval > 128) || ($ASCIIval < 33)) {
            $NotB64 = 1;
        };
        $PosInString = $PosInString + 1;
    };

    # There are several invalid character combinations that can result if decoding a string
    # that wasn't really Base64 encoded. Look for them here and, if found, flag as notBase64.
    # These include "+-", "'^", "~)", "+^", "~*", "*^" (and a bare "{").
    if ($DecodedValue =~ m/.*((\+-)|(\'\^)|(~\))|(\+\^)|(\{)|(~\*))|(\*\^).*/) {
        $NotB64 = 1;
    };

    # If not detected to be notBase64 and the string is at least 4 characters...
    if ((not $NotB64 == 1) && ($PosInString >= 4)) {
        # $ASCIIval still holds the ordinal of the last decoded character
        print "Str: ".$TempElement." Decode: ".$DecodedValue." Ordinal: ".$ASCIIval."\n";
        if ($weburl ne $previousurl) {
            $FindingNumber += 1;
            $previousurl = $weburl;
        };
        print ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
        $Matches = $Matches + 1;
        print OUTFILE ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
    };
}; # end Element Length
}; # EOF
}; # end Current pos
}; # end TempElement

print $Matches." matches on ".$FindingNumber." URLs out of ".$LineCt." rows processed.\n";
close CHECKFILE;
close OUTFILE;
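The same heuristic chain in Python, as an added example that is not the paper's code: restore URL-encoded padding, drop trailing &-variables, apply the .%!_ and length-mod-4 checks, then filter the decoded bytes for non-printable characters and the junk combinations, with a strict/loose switch mirroring the paper's $Strict flag. The log lines, and the names SAMPLE_LOG, candidate_elements, decode_if_base64 and scan_log, are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed proxy-log lines (not from the paper); the requested URL is the last field.
SAMPLE_LOG = """\
10.1.2.3 GET http://proxy.example/nph-proxy.cgi/000100A/aHR0cDovL3d3dy5leGFtcGxlLmNvbS8=
10.1.2.4 GET http://proxy.example/index.php?q=aHR0cDovL21haWwuZXhhbXBsZS5vcmcvaW5ib3g%3D&hl=2
10.1.2.5 GET http://proxy.example/browse.php?u=aHR0cDovL3d3dy5leGFtcGxlLmNvbS8
10.1.2.6 GET http://cdn.example.net/app.js?v=20080301
10.1.2.7 GET http://www.example.com/search?q=base64+decode
"""

BAD_CHARS = re.compile(r"[.%!_]")                          # the paper rejects these outright
BAD_COMBOS = re.compile(r"\+-|'\^|~\)|\+\^|\{|~\*|\*\^")   # junk seen when decoding non-Base64

def candidate_elements(url):
    """Yield the path segments and query-string values of a URL."""
    parts = urlsplit(url)
    yield from (seg for seg in parts.path.split("/") if seg)
    for pair in parts.query.split("&"):                    # drops trailing "&b=52"-style variables
        yield pair.partition("=")[2]

def decode_if_base64(element, strict=True):
    """Return decoded text if element passes the Base64 heuristics, else None."""
    element = element.replace("%3D", "=")                  # padding is usually URL-encoded
    if len(element) < 4 or BAD_CHARS.search(element):
        return None
    rem = len(element) % 4
    if rem == 1 or (rem and strict):                       # 4-byte blocks; loose mode re-pads
        return None
    try:
        raw = base64.b64decode(element + "=" * (-rem % 4), validate=True)
    except binascii.Error:                                 # non-alphabet chars or bad padding
        return None
    if any(b < 33 or b > 126 for b in raw):                # control, space or extended ASCII
        return None
    text = raw.decode("ascii")
    return None if BAD_COMBOS.search(text) else text

def scan_log(log_text, strict=True):
    """Return (url, element, decoded) for every URL element that decodes cleanly."""
    findings = []
    for line in log_text.splitlines():
        url = line.split()[-1]
        for element in candidate_elements(url):
            if (decoded := decode_if_base64(element, strict)):
                findings.append((url, element, decoded))
    return findings
```

Strict mode finds the two properly padded URLs; loose mode also recovers the unpadded one on the third line, while the version string and the search query are rejected by the printable-character and length checks.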


Last Updated: September 16th, 2017
