What I do to get entertainment value from spam: using the cURL tool to explore unwanted mail safely, or to check whether a legitimate email was improperly flagged as spam.
Fun with cURL and spam

1. Fun with cURL and spam (don’t click it, dissect it)
2. First a Disclaimer…
• It isn’t my fault if in your exploration you intentionally or inadvertently do something BAD to your system.
• I will try to give enough info to suggest good search terms for independent exploration if this interests you. I am not trying to create any sort of definitive guide or suggesting this is the best or even a good way to accomplish the task.
• You wouldn’t use a circular saw without knowing how it works. Using shell commands and executing JavaScript from the address bar of your browser is a lot like playing with power tools. You probably will not lose a thumb, but there is a likelihood of pain nonetheless.
3. Spam
Everybody gets it. Some is obvious, some a little more sneaky, and occasionally an email with actual value ends up caught in the email client’s spam net. The screen grab is from MS Outlook, which will show you just the text, not the HTML. NO CLICKING LINKS!
My example has lots of signs it is garbage and should be sent to e-oblivion:
• Do you really think that is a Google team address?
• This is not the format I give out for my email (Gmail ignores case and dots in the local part, so I can hand out variants like sT.eve.pOte and see who sells me out).
• Delayed email at some blog URL? C’mon. (This is the URL I will use as the example.)
• No opt out? Not even one with a malicious address behind it? They aren’t even trying… (an opt-out mechanism is required by US law, the CAN-SPAM Act, and legitimate businesses using mass mailings will always have a means to tell them to stop).
4. cURL, short version and a headstart

curl -L -v -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" http://somewhere.com

The switches:
• -L follow redirects (if the response immediately sends you elsewhere. There are legitimate uses, like URL shorteners such as goo.gl and bit.ly, but these are also good places to hide bad things). Every hop is a real request from your machine, so a unique tracking token in the link will register your visit; use --max-redirs to bound the chain if you want to stop early, and consider doing this from a throwaway network or VM.
• -v verbose (I always like verbose output; in this case there is more info about the connects, disconnects and redirects, plus the request and response headers).
• -A user agent string to send (cURL pretends to be a browser by sending a browser’s User-Agent. The example uses a pretty common string so the server hands us the same page it would hand a victim; spam landing pages often serve a blank or different page to anything that does not look like a browser).
The point of fetching with cURL rather than a browser is that cURL only downloads the HTML. It does not render it, does not execute JavaScript and does not fetch the resources the page references, so you get to read the script instead of running it. Add -o page.html if you would rather have the body in a file than on your terminal.
5. Here we go…
• Verbose text followed by the HTML of what you would see in your browser if you had clicked the link…
6. …after some gibberish
Most of what was returned was probably a “Markov string”: random-esque text generated from a Markov chain, so each word is a plausible successor of the previous one and the result reads as almost grammatical. Its job is to fool ISPs and others (like spam filters and web crawlers) into believing the target is legitimate. When an email slips by your filter with total nonsense in the body, it is probably a Markov string. That is very hard to catch because each message can be generated with unique content, seeded with highly relevant individual words, so there is no fixed text to fingerprint.
7. …the part we are really after
• JavaScript at the bottom. It is at the bottom so the rest of the page will load before any potential errors or anything that might catch malicious scripts.
• Mileage may vary. This example creates a string from ASCII character codes that have been shifted by -73 places (I will break that down better later). Base64 encoding is another common technique I have encountered often (there are legitimate business reasons to encode strings; I will show you how to check those too).
8. Magic Happens Here…
• I find JavaScript to be pretty human readable, but for this example I cheated with Excel…
• I needed to undo the -73 shift on the ASCII numbers (add 73 back to each code).
• Then ran String.fromCharCode in a browser address bar (don’t do this at home, not everything is harmless):

javascript:alert(String.fromCharCode(119,105,110,100,111,119,46,116,111,112,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,39,104,116,116,112,58,47,47,115,109,97,114,116,112,105,108,108,115,118,97,108,117,101,46,114,117,39,59));

• If you can read JavaScript you can neuter the function like this: rather than executing the decoded command, it alerts with its text. Only the decode and the alert run; the decoded string itself is never evaluated.
• Current browsers defend against this self-XSS trick: Chrome strips the javascript: prefix when you paste it into the address bar and Firefox blocks javascript: URLs there by default, so you may need to type it or use the developer-tools console instead. Either way, do it in a blank tab in a throwaway browser profile, not in a session logged into anything.
9. Oh, good…another scary link
• Here is the output of our example using the Chrome browser’s address bar.
• This JavaScript command redirects your browser (window.top, the outermost frame, so it escapes any iframe it was loaded in) to the link inside.
• Anecdotally, most of the time this is abusing Google Analytics by creating false hits: it opens a couple of valid pages, closes and moves on.
• Every so often there is something nastier: tracking cookies (mild) or some more virulent web-herpes.
• Drop this URL into cURL and repeat if you dare.
10. A last tidbit or…
d2luZG93LnRvcC5sb2NhdGlvbi5ocmVmPSdodHRwczovL3NvbWVldmlsYmFzdGFyZC5jb20n
…for short
• Base64 encoding has honest, upstanding uses.
• JavaScript has built-in functions to encode (window.btoa()) and decode (window.atob()).
• I use them to send secret messages ;-) (Base64 is encoding, not encryption: anyone who can see the string can decode it.)
• They can also hide malicious intent. Decoding the string above gives window.top.location.href='https://someevilbastard.com', the same redirect trick as before, just hidden differently.
11. Links for the curious
• cURL man page - http://curl.haxx.se/docs/manpage.html
• Opt out/Spam laws - https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
• Markov chains (the text-generation technique behind “Markov strings”) - https://en.wikipedia.org/wiki/Markov_chain
• atob – https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/atob
• JavaScript from the address bar - http://www.wikihow.com/Have-Fun-With-Your-Address-Bar-on-Your-Browser
• Base 64 encoding - https://www.base64decode.org
• Me, especially if you are looking for a full stack ‘white hat’ - https://www.linkedin.com/in/steve-pote-61b02b103