Detecting and Preventing Anonymous Proxy Usage - SANS Institute


SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Detecting and Preventing Anonymous Proxy Usage

Many organizations filter the Internet sites that their users may view. They do this for legitimate reasons that include preventing hostile work environments for their users, protecting network assets and

            # ...?var=" then strip it out.
            if (($TempElement =~ m/.*\?*=/) && ($EqualPos < $ElementLength - 4)) {
                # Take the string after the = character.
                $TempElement = substr($TempElement, index($TempElement, "=") + 1);
                $ElementLength = length($TempElement);
            };

            # If Base64 encoding ended with an "=" sign at the end, it will likely be "URL" encoded
            # as the "=" sign has meaning within a URL. The value it has is "%3D".
            if ($TempElement =~ m/(%3D)+/) {
                $TempElement =~ s/%3D/=/;
            };

            # Clean off any trailing variables like "&b=52"
            if ($TempElement =~ m/.*&.*/) {
                $TempElement = substr($TempElement, 0, index($TempElement, "&"));
                $ElementLength = length($TempElement);
            };

            # Base64 is always on a 4 byte boundary (padded with "=" if needed.) If we get a 0 from Length MOD 4
            # then we know the length is right for a Base64 string.
            $DivByFour = $ElementLength % 4;

            # It's not Base64 if it has a: .%!_ in it. Also, Base64 is in 4 byte blocks so if
            # the string is not divisible by 4, it's not Base64. A caveat is that some anonymous
            # proxies drop the padding instead of URL encoding it. The result is that it still decodes
            # correctly, but it's not "proper" Base64. I set up a strict variable so it can be set to
            # '0' if you want strict Base64 checking or '1' if you want loose checking. Loose checking
            # will result in more false positives output.
            if ( (not $TempElement =~ m/[.%!_]+/) && (($DivByFour == 0) || ($Strict == 0)) ) {
                # print "got here\n";
                $DecodedValue = MIME::Base64::decode($TempElement);

                # If we've decoded a non-Base64 value, the ASCII value will probably not be
                # one of the first 128 regular characters and give a value > 128. This extra
                # check will prevent some false positives.
                $Len = length($DecodedValue);
                $PosInString = 0;
                $NotB64 = 0;
                print "PosInString: ".$PosInString." Length: ".$Len."\n";
                #
                while ($PosInString < $Len) {
                    $CurChar = substr($DecodedValue, $PosInString, 1);
                    # Get current character's ASCII value
                    $ASCIIval = ord($CurChar);
                    # We don't want non printable, space, or extended ASCII codes
                    if (($ASCIIval > 128) || ($ASCIIval < 33)) {
                        $NotB64 = 1;
                    };
                    $PosInString = $PosInString + 1;
                };

                # There are several invalid character combinations that can result if decoding a string
                # that wasn't really Base64 encoded. Look for them here and, if found, flag as notBase64.
                # These include "+-", "'^", "~)", "+^", "~*", "*^" (a literal "{" is flagged too; it is
                # escaped here because an unescaped "{" in a pattern is rejected by newer Perls).
                if ($DecodedValue =~ m/.*((\+-)|(\'\^)|(~\))|(\+\^)|(\{)|(~\*))|(\*\^).*/) {
                    $NotB64 = 1;
                };

                # If not detected to be notBase64 and the string is at least 4 characters...
                if ((not $NotB64 == 1) && ($PosInString >= 4)) {
                    print "Str: ".$TempElement." Decode: ".$DecodedValue." Ordinal: ".$CHRChar."\n";
                    #
                    # Count a new finding only when the URL changes from the previous row.
                    if ($weburl ne $previousurl) {
                        $FindingNumber += 1;
                        $previousurl = $weburl;
                    };
                    print ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
                    $Matches = $Matches + 1;
                    print OUTFILE ($FindingNumber."\t".$DecodedValue."\t".$TempElement."\t".$weburl."\n");
                };
            }; # end Element Length
        }; # EOF
    }; # end Current pos
}; # end TempElement

print $Matches." matches on ".$FindingNumber." URLs out of ".$LineCt." rows processed.\n";
close CHECKFILE;
close OUTFILE;
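As an added example (not the paper's own Perl above), the same Base64-parameter heuristic written in Python 3 with only the standard library, run over a few constructed proxy log lines. The log layout, hostnames, parameter names and the encoded target URL are invented for the demonstration; the checks are the paper's (URL-encoded "=" padding, the 4-byte boundary with a loose mode for proxies that drop padding, the forbidden characters, the printable-ASCII test and the invalid decoded pairs), and the one deliberate generalization is that the whole parameter value is URL-decoded before testing.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Decoded-text fragments the paper flags as symptoms of decoding a non-Base64 string.
BAD_COMBOS = ("+-", "'^", "~)", "+^", "~*", "*^", "{")

def decode_if_base64(value, strict=True):
    """Return the decoded text if a query-parameter value looks like Base64, else None."""
    v = unquote(value)                     # a URL-encoded "=" pad arrives as "%3D"
    if len(v) < 4 or re.search(r"[.%!_]", v):
        return None                        # too short, or characters never seen in Base64
    if strict and len(v) % 4:
        return None                        # proper Base64 is padded to a 4-byte boundary
    try:                                   # loose mode: restore padding a proxy dropped
        raw = base64.b64decode(v + "=" * (-len(v) % 4), validate=True)
    except binascii.Error:
        return None                        # not in the Base64 alphabet or bad padding
    if any(b < 33 or b > 126 for b in raw):
        return None                        # control, space, DEL or extended bytes: not text
    text = raw.decode("ascii")
    if any(combo in text for combo in BAD_COMBOS):
        return None
    return text

def extract_url(log_line):
    """Pull the first http(s) URL out of a proxy log line (field order varies by product)."""
    m = re.search(r"https?://\S+", log_line)
    return m.group(0) if m else None

def scan_log(lines, strict=True):
    """Return (url, parameter, decoded) for every parameter value that decodes to text."""
    hits = []
    for line in lines:
        url = extract_url(line)
        if not url:
            continue
        for pair in urlsplit(url).query.split("&"):   # manual split keeps Base64 '+' literal
            name, _, value = pair.partition("=")      # only the first '=' separates name/value
            decoded = decode_if_base64(value, strict)
            if decoded is not None:
                hits.append((url, name, decoded))
    return hits

SAMPLE_LOG = [  # constructed Squid-style lines for the demo, not real traffic
    "1204000001.101 10.0.0.5 TCP_MISS/200 GET http://proxy.example.test/browse.php?u=aHR0cDovL2V4YW1wbGUuY29tLw%3D%3D&b=4",
    "1204000002.202 10.0.0.6 TCP_MISS/200 GET http://search.example.test/?q=weather+forecast&lang=en",
    "1204000003.303 10.0.0.7 TCP_MISS/200 GET http://proxy.example.test/nph-go.cgi?url=aHR0cDovL2V4YW1wbGUuY29tLw",
]
```

Strict mode reports only the first line (padded, URL-encoded); `scan_log(SAMPLE_LOG, strict=False)` also catches the third line, whose proxy dropped the padding, while the ordinary search query on line two is rejected because its "decoded" bytes are not printable ASCII.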

© SANS Institute 2008, Author retains full rights.

Last Updated: March 3rd, 2018
