Decoding Proofpoint URLs


Recently, I started reviewing messages found in the corporate spam box, set up for people to alert us to any phishy messages getting past the spam filters, in an attempt to automatically analyze new phishing links.

Fortunately, or unfortunately (depending on where you sit), Proofpoint offers a service to block links to malicious and suspicious sites. This service rewrites each suspect URL in an email with a link that redirects through the Proofpoint URL Defense system. One parameter of this new URL carries an encoded version of the suspect link.

The challenge was to decode the URL parameter from Proofpoint and return it to its original format. This serves two purposes: first and foremost, it keeps my analysis from being blocked by URL Defense, and second, it prevents skewed results.

Another interesting aspect of URL Defense is its real-time alerts. These alerts contain information about who clicked the suspect link, from where, and which link. Proofpoint is tricky about how they include the suspect URL: they insert a zero width space (Unicode: \u200b) between each character, basically invalidating the link. You know, for safety.

Thankfully, Warren Raquel had already written some code to decode the suspect link parameter of the rewritten URL. I simply scriptified his code and added removal of those funky zero width spaces.

Modified ppdecode

Original ppdecode
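As an added illustration (this is not Warren Raquel's ppdecode nor the modified script above), the following Python decoder recovers the original link from a URL Defense v1 or v2 rewrite and strips the zero width spaces found in alerts. It assumes the v2 encoding in which '-' stands for '%' and '_' for '/', and all sample URLs are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

ZERO_WIDTH_SPACE = "\u200b"  # inserted between characters in URL Defense alerts
PROOFPOINT_HOST = "urldefense.proofpoint.com"


def strip_zero_width(text: str) -> str:
    """Drop the zero width spaces that make an alerted URL unclickable."""
    return text.replace(ZERO_WIDTH_SPACE, "")


def decode_proofpoint_url(rewritten: str) -> str:
    """Recover the original link from a URL Defense v1 or v2 rewrite.

    Input that is not a recognised rewrite comes back unchanged (apart from
    zero-width-space removal), so this can run over every link in a message.
    Encoding rules assumed here: v1 percent-encodes the link into 'u'; v2 also
    writes '%' as '-' and '/' as '_' (a literal '_' is percent-encoded first).
    """
    cleaned = strip_zero_width(rewritten).strip()
    parts = urlsplit(cleaned)
    if parts.netloc.lower() != PROOFPOINT_HOST:
        return cleaned
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        return cleaned
    if parts.path.startswith("/v1/"):
        # parse_qs already removed the single layer of percent-encoding.
        return encoded
    if parts.path.startswith("/v2/"):
        return unquote(encoded.replace("-", "%").replace("_", "/"))
    return cleaned  # unknown version: leave it for manual review


if __name__ == "__main__":
    # Constructed samples, not captured mail or alert data.
    samples = [
        "https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com_login-3Fid-3D42&d=DwMFaQ&c=x&r=y&m=z&s=w&e=",
        "h\u200bt\u200bt\u200bp\u200bs\u200b:\u200b/\u200b/\u200bu\u200brldefense.proofpoint.com/v1/url?u=http%3A%2F%2Fexample.com%2Fa%3Fx%3D1&k=k&r=r&m=m&s=s&e=",
        "https://example.org/not-rewritten",
    ]
    for sample in samples:
        print(decode_proofpoint_url(sample))
```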

Cuckoo Integration with threat_note

threat_note is a great, light-weight webapp that gives security researchers, incident responders and other security practitioners a place to collect indicators of compromise. threat_note has been designed to integrate with a variety of third-party services, allowing users to quickly pull in data to provide more context around an indicator.

One useful integration is with Cuckoo Sandbox. Cuckoo is a malware analysis sandbox used to detonate and examine suspicious executables. Cuckoo collects execution data including how a system is modified, any dropped files and network communication. Enabling Cuckoo integration in threat_note is simple and quickly allows the investigator to grab IOCs from a previously analyzed sample.

Start by running the Cuckoo API server.

python ./cuckoo/utils/ -H

Next, in threat_note enable Cuckoo Sandbox in the Settings > File. Then configure the fields for Cuckoo Host and Cuckoo API Port.


The Import from Cuckoo button will appear on the Dashboard, clicking it will take you to the import page.


Select the analysis task you would like to import and optionally, add a campaign or list of tags.

All file hashes, domains and IP addresses detected by Cuckoo will now be available in the threat_note interface.


This simple yet powerful integration enables you to quickly import a large set of indicators from a tool that generates high quality IOCs.

Cowrie Event IDs

There doesn't seem to be much documentation on the event IDs generated by Kippo (or its fork, Cowrie), other than what's in the source. This post is just for reference.

# KIPP0001 : create session
# KIPP0002 : successful login
# KIPP0003 : failed login
# KIPP0004 : TTY log opened
# KIPP0005 : handle command
# KIPP0006 : handle unknown command
# KIPP0007 : file download
# KIPP0008 : INPUT
# KIPP0009 : SSH Version
# KIPP0010 : Terminal Size
# KIPP0011 : Connection Lost
# KIPP0012 : TTY log closed
# KIPP0013 : env var requested

Kippo Source - Github

Cisco Aironet 1242 and the Nest Learning Thermostat

I've been having issues with the Nest reporting 'Offline' every hour or so within the app. The thermostat would come back 'Online' if I deliberately moved in front of it or otherwise woke it up. I realized this issue must be related to the device sleeping to conserve power. I use a Cisco Aironet 1242 WAP for my home wireless and decided to dig into its configuration. After many failed debugging and configuration attempts, I think the issue has finally been solved by adding the following configuration item:

beacon dtim-period 3

I also set the speeds to 802.11g standards and the activity-timeout to 600.

speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

dot11 activity-timeout unknown default 600

dot11 activity-timeout client default 600 maximum 600

The DTIM period controls how often a wireless client in power save mode wakes to check whether the access point has buffered data for it. The Cisco default is 2, which tells the client to check after every other beacon. Increasing this value to 3 seems to work best with the Nest.
