SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Detecting and Preventing Anonymous Proxy Usage

Many organizations filter the Internet sites that their users may view. They do this for legitimate reasons that include preventing hostile work environments for their users, protecting network assets and

# ... ?var=" then strip it out.
if (($TempElement =~ m/.*\?*=/) && ($EqualPos < $ElementLength - 4)) {
    # Take the string after the = character.
    $TempElement = substr($TempElement,index($TempElement,"=") + 1);
    $ElementLength = length($TempElement);
};

# If Base64 encoding ended with an "=" sign at the end, it will likely be "URL" encoded
# as the "=" sign has meaning within a URL. The value it has is "%3D".
if ($TempElement =~ m/(%3D)+/)
{
    # /g restores both signs of "==" padding, not only the first one.
    $TempElement =~ s/%3D/=/g;
    # The length changed, so refresh it before the MOD 4 test below.
    $ElementLength = length($TempElement);
};

# Clean off any trailing variables like "&b=52"
if ($TempElement =~ m/.*&.*/) {
    $TempElement = substr($TempElement,0,index($TempElement,"&"));
    $ElementLength = length($TempElement);
};

# Base64 is always on a 4 byte boundary (padded with "=" if needed.) If we get a 0 from Length MOD 4
# then we know the length is right for a Base64 string.
$DivByFour = $ElementLength%4;

# It's not Base64 if it has a: .%!_ in it. Also, Base64 is in 4 byte blocks so if
# the string is not divisible by 4, it's not Base64. A caveat is that some anonymous
# proxies drop the padding instead of URL encoding it. The result is that it still decodes
# correctly, but it's not "proper" Base64. I set up a strict variable so it can be set to
# '0' if you want strict Base64 checking or '1' if you want loose checking. Loose checking
# will result in more false positives output.
# Note: as coded below, the length check is skipped when $Strict == 0.
if ( (not $TempElement =~ m/[.%!_]+/) && (($DivByFour == 0) || ($Strict == 0)) ) {
    # print "got here\n";
    # MIME::Base64 must be loaded (use MIME::Base64;) at the top of the script.
    $DecodedValue = MIME::Base64::decode($TempElement);

    # If we've decoded a non-Base64 value, the ASCII value will probably not be
    # one of the first 128 regular characters and give a value > 128. This extra
    # check will prevent some false positives.
    $Len = length($DecodedValue);
    $PosInString = 0;
    $NotB64 = 0;
    # print "PosInString: ".$PosInString." Length: ".$Len."\n";
    while ($PosInString < $Len) {
        $CurChar = substr($DecodedValue,$PosInString,1);
        # Get current character's ASCII value
        $ASCIIval = ord($CurChar);
        # We don't want non printable, space, or extended ASCII codes
        if (($ASCIIval > 128) || ($ASCIIval < 33))
        {
            $NotB64 = 1;
        };
        $PosInString = $PosInString + 1;
    };

    # There are several invalid character combinations that can result if decoding a string
    # that wasn't really Base64 encoded. Look for them here and, if found, flag as notBase64.
    # These include "+-", "'^", "~)", "+^", "~*", "*^" (the pattern also flags "{").
    if ($DecodedValue =~ m/.*((\+-)|(\'\^)|(~\))|(\+\^)|(\{)|(~\*)|(\*\^)).*/)
    {
        $NotB64 = 1;
    };

    # If not detected to be notBase64 and the string is at least 4 characters...
    if ((not $NotB64 == 1) && ($PosInString >= 4)) {
        # print "Str: ".$TempElement." Decode: ".$DecodedValue." Ordinal: ".$CHRChar."\n";
        if ($weburl ne $previousurl) {
            $FindingNumber +=1;
            $previousurl = $weburl;
        };
        print ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
        $Matches = $Matches + 1;
        print OUTFILE ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
    };
}; # end Element Length
}; # EOF
}; #end Current pos
}; # end TempElement
print $Matches." matches on ".$FindingNumber." URLs out of ".$LineCt." rows processed.\n";
close CHECKFILE;
close OUTFILE;

© SANS Institute 2008, Author retains full rights.
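The heuristic from the listing above, rewritten as a self-contained Python sketch; this is an added example, not the paper's script. It assumes URLs are split into elements on "/" (the splitting code is not on this page), runs on constructed sample URLs, and the names `candidate`, `decode_if_base64` and `scan` are hypothetical. Unlike the Perl, it rejects any character outside the Base64 alphabet, accepts only decoded bytes 33 to 126, and implements loose mode by re-adding dropped padding.

```python
import base64
import binascii
import re

BAD_INPUT = re.compile(r"[.%!_]")                         # never part of Base64
BAD_PAIRS = re.compile(r"\+-|'\^|~\)|\+\^|\{|~\*|\*\^")   # combinations the listing rejects

def candidate(element):
    """Isolate the value to test, in the same order as the listing."""
    eq = element.find("=")
    if 0 <= eq < len(element) - 4:        # "=" introduces a value, it is not padding
        element = element[eq + 1:]
    element = re.sub("%3D", "=", element, flags=re.I)   # undo URL-encoded padding
    return element.split("&", 1)[0]       # drop trailing variables like "&b=52"

def decode_if_base64(value, strict=True):
    """Return the decoded text if value passes every check, else None."""
    if BAD_INPUT.search(value):
        return None
    if len(value) % 4:
        if strict:
            return None
        value += "=" * (-len(value) % 4)  # loose: restore dropped padding
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Decoded bytes must be printable, non-space ASCII and at least 4 long.
    if len(raw) < 4 or any(b < 33 or b > 126 for b in raw):
        return None
    text = raw.decode("ascii")
    return None if BAD_PAIRS.search(text) else text

def scan(urls, strict=True):
    """Assumption: a URL is split into elements on "/" before testing."""
    pairs = ((u, decode_if_base64(candidate(e), strict)) for u in urls for e in u.split("/"))
    return [(u, text) for u, text in pairs if text]

# Constructed sample URLs (not taken from real logs).
SAMPLE_URLS = [
    "http://proxy.example/browse.php?u=aHR0cDovL2V4YW1wbGUub3JnLw%3D%3D&b=52",
    "http://proxy.example/index.php?q=aHR0cDovL2V4YW1wbGUub3JnLw&hl=3e5",
    "http://www.example.com/images/logo.png",
    "http://www.example.com/search?q=firewall+rules&page=2",
]

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "loose", scan(SAMPLE_URLS, strict))
```

Strict mode reports only the first URL; loose mode also reports the second, whose proxy dropped the "==" padding.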
Last Updated: September 16th, 2017