Category Archives: Security

Decipher obfuscated URLs with PowerShell

I recently received a message on Skype from a friend I had not talked to for a while, and I was happy to see it was spam. Not because it was spam, but because it was using an encoded URL. After taking a quick look at the structure I thought, this is definitely something I can decode.

To me this looked like hexadecimal code, and I quickly threw together a PowerShell one-liner to decode this. Note that I skip the first six characters because:

-join [char[]](
'%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D' -split '%' |
Where-Object {$_} | ForEach-Object {[Convert]::ToInt32($_,16)})

This provides us with the following output:

jaapbrasser.com

Because this is a little bit hard to read, let’s break it up into chunks:

$Split      = '%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D' -split '%'
$Split      = $Split | Where-Object {$_}
$Integers   = $Split | ForEach-Object {[Convert]::ToInt32($_,16)}
$Characters = [char[]]$Integers
-join $Characters

So let’s go line-by-line through what the code does:

  1. Split the code on the %-character
  2. Skip the first entry; because we split on %, the first result will be empty and can cause errors later
  3. Convert the hexadecimal numbers to integers using the Convert type accelerator
  4. Convert the integers to Char by strong typing them to a Char array
  5. Use the join operator to turn it into a string
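
The one-liner above works when every character is percent-encoded and each escape stands for a single ASCII character. The following added example (not the author's published function; the function name and the second sample string are constructed for illustration) extends the same idea to links that mix literal and encoded characters and to multi-byte UTF-8 escapes, so a link can be inspected without opening it:

```powershell
# Added example: ConvertFrom-PercentEncodedUrl is a hypothetical name,
# not the function the author published.
function ConvertFrom-PercentEncodedUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$InputString
    )
    process {
        # Match each run of consecutive %XX escapes; literal characters
        # and a stray '%' that is not followed by two hex digits stay as-is.
        $pattern = '(?:%[0-9A-Fa-f]{2})+'
        [regex]::Replace($InputString, $pattern, {
            param($match)
            # Turn a run such as "%C3%A9" into the bytes 0xC3 0xA9 ...
            $bytes = [byte[]]($match.Value.Substring(1) -split '%' |
                ForEach-Object { [Convert]::ToByte($_, 16) })
            # ... and decode the whole run as UTF-8, so multi-byte
            # characters are not split into separate [char] values.
            [System.Text.Encoding]::UTF8.GetString($bytes)
        })
    }
}

# Constructed sample inputs
$samples = @(
    # Fully encoded string from the post
    '%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D'
    # Mixed literal/encoded text, a UTF-8 escape and a stray '%'
    'http://example.com/%63af%C3%A9?q=100%'
)

foreach ($s in $samples) {
    [pscustomobject]@{
        Encoded = $s
        Decoded = $s | ConvertFrom-PercentEncodedUrl
    }
}
```

.NET also ships a built-in decoder for this, `[System.Uri]::UnescapeDataString()`.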

So now that we have this complete, we no longer have to guess where the encoded link is going to lead us. In my case, the link of my friend happened to take me to a Russian website trying to get me involved in binary option trading.

For more information about percent encoding as a concept, have a look at the Wikipedia page over here:

Wikipedia – Percent-Encoding

I have created a function to be able to perform this conversion in the future, and I made it available on GitHub, TechNet Gallery and the PowerShell Gallery:


Secure your servers in time with JIT and JEA at Experts Live Summer Night event

Earlier this month I spoke at Experts Live Summer Night, a Security-focused event for IT Professionals. I covered JIT, Privileged Access Management and JEA, Just Enough Administration. Here is an excerpt of the presentation:

Just Enough Administration, also known as JEA, has been around for several years and has received a lot of updates and new features. How can we use this to secure our servers and reduce the attack surface that we expose to potential malicious actors? During this session Jaap will demo how to configure and deploy JEA templates, configure JIT administration.

All the code and slides are as always available in my Events GitHub repository:

Furthermore I have also uploaded my presentations to SlideShare:
