and available as a download for Windows operating systems) and in Perl programs. Regular expressions can be both complex
SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Detecting and Preventing Anonymous Proxy Usage

Many organizations filter the Internet sites that their users may view. They do this for legitimate reasons that include preventing hostile work environments for their users, protecting network assets and

?var=" then strip it out.
if (($TempElement =~ m/.*\?*=/) && ($EqualPos < $ElementLength - 4)) {
    # Take the string after the = character.
    $TempElement = substr($TempElement,index($TempElement,"=") + 1);
    $ElementLength = length($TempElement);
};
# If Base64 encoding ended with an "=" sign at the end, it will likely be "URL" encoded
# as the "=" sign has meaning within a URL. The value it has is "%3D".
if ($TempElement =~ m/(%3D)+/)
{
    # Replace every occurrence ("==" padding arrives as "%3D%3D") and refresh the
    # length so the MOD 4 test below sees the un-escaped string.
    $TempElement =~ s/%3D/=/g;
    $ElementLength = length($TempElement);
};
# Clean off any trailing variables like "&b=52"
if ($TempElement =~ m/.*&.*/) {
    $TempElement = substr($TempElement,0,index($TempElement,"&"));
    $ElementLength = length($TempElement);
};
# Base64 is always on a 4 byte boundary (padded with "=" if needed.) If we get a 0 from Length MOD 4
# then we know the length is right for a Base64 string.
$DivByFour = $ElementLength%4;
# It's not Base64 if it has a: .%!_ in it. Also, Base64 is in 4 byte blocks so if
# the string is not divisible by 4, it's not Base64. A caveat is that some anonymous
# proxies drop the padding instead of URL encoding it. The result is that it still decodes
# correctly, but it's not "proper" Base64. I set up a strict variable so it can be set to
# '0' if you want strict Base64 checking or '1' if you want loose checking. Loose checking
# will result in more false positives output.
# Note: the condition below bypasses the length check when $Strict is 0.
if ( (not $TempElement =~ m/[.%!_]+/) && (($DivByFour == 0) || ($Strict == 0)) ) {
    # print "got here\n";
    $DecodedValue = MIME::Base64::decode($TempElement);
    # If we've decoded a non-Base64 value, the ASCII value will probably not be
    # one of the first 128 regular characters and give a value > 128. This extra
    # check will prevent some false positives.
    $Len = length($DecodedValue);
    $PosInString = 0;
    $NotB64 = 0;
    # print "PosInString: ".$PosInString." Length: ".$Len."\n";
    while ($PosInString < $Len) {
        $CurChar = substr($DecodedValue,$PosInString,1);
        # Get current character's ASCII value
        $ASCIIval = ord($CurChar);
        # We don't want non printable, space, or extended ASCII codes
        if (($ASCIIval > 128) || ($ASCIIval < 33))
        {
            $NotB64 = 1;
        };
        $PosInString = $PosInString + 1;
    };
    # There are several invalid character combinations that can result if decoding a string
    # that wasn't really Base64 encoded. Look for them here and, if found, flag as notBase64.
    # These include "+-", "'^", "~)", "+^", "~*", "*^"
    if ($DecodedValue =~ m/.*((\+-)|(\'\^)|(~\))|(\+\^)|(\{)|(~\*)|(\*\^)).*/)
    {
        $NotB64 = 1;
    };
    # If not detected to be notBase64 and the string is at least 4 characters...
    if ((not $NotB64 == 1) && ($PosInString >= 4)) {
        # print "Str: ".$TempElement." Decode: ".$DecodedValue." Ordinal: ".$CHRChar."\n";
        if ($weburl ne $previousurl) {
            $FindingNumber +=1;
            $previousurl = $weburl;
        };
        print ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
        $Matches = $Matches + 1;
        print OUTFILE ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
    };
}; # end Element Length
}; # EOF
}; #end Current pos
}; # end TempElement
print $Matches." matches on ".$FindingNumber." URLs out of ".$LineCt." rows processed.\n";
close CHECKFILE;
close OUTFILE;
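The heuristic in the listing above, restated as an added Python example that runs on its own (it is not the paper's code): it shows how strict and loose length checking differ on a URL whose padding was dropped. The sample URLs and the names decode_candidate, scan, BAD_PAIRS and SAMPLE_URLS are constructed for illustration; unlike the Perl, loose mode re-adds the missing padding before decoding and bytes above 126 are rejected.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Substrings of a decode that the paper's script treats as a failed match.
BAD_PAIRS = ("+-", "'^", "~)", "+^", "~*", "*^", "{")

# Constructed sample URLs (hypothetical hosts), not taken from real logs.
SAMPLE_URLS = [
    "http://proxy.example/browse.php?u=aHR0cDovL2V4YW1wbGUuY29t&b=52",
    "http://proxy.example/go/aHR0cDovL2V4YW1wbGUub3JnLw%3D%3D",
    "http://proxy.example/index.php?q=aHR0cDovL2V4YW1wbGUub3JnLw",  # padding dropped
    "http://www.example.com/images/logo.gif?id=1234",                # ordinary request
]

def decode_candidate(value, strict=True):
    """Return the decoded text if value looks like Base64 of printable ASCII, else None."""
    value = re.sub(r"%3D", "=", value, flags=re.I)  # every URL-encoded "=", not just the first
    if re.search(r"[.%!_]", value):
        return None                                  # characters Base64 never contains
    if len(value) % 4:
        if strict:
            return None                              # strict: length must be a multiple of 4
        value += "=" * (-len(value) % 4)             # loose: restore dropped padding
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4 or any(b < 33 or b > 126 for b in raw):
        return None                                  # too short, or not printable ASCII
    text = raw.decode("ascii")
    return None if any(p in text for p in BAD_PAIRS) else text

def scan(urls, strict=True):
    """Return (url, encoded, decoded) for each path or query element that decodes cleanly."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        elements = parts.path.split("/")
        elements += [pair.partition("=")[2] for pair in parts.query.split("&")]
        for encoded in elements:
            decoded = decode_candidate(encoded, strict)
            if decoded is not None:
                findings.append((url, encoded, decoded))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_URLS, strict=True), scan(SAMPLE_URLS, strict=False), sep="\n")
```

Strict mode reports the first two sample URLs; loose mode also reports the third, the request whose padding was dropped.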
© SANS Institute 2008,
Author retains full rights.
Last Updated: March 3rd, 2018