Tag Archives: Obfuscation

Decipher obfuscated URLs with PowerShell

I recently received a message on Skype from a friend I had not talked to for a while, I was happy to see it was spam. Not because it was spam, but because it was using an encoded Url. After taking a quick look at the structure I thought, this is definitely something I can decode.

To me this looked like hexadecimal code, and I quickly threw together a PowerShell one-liners to decode to decode this, note that I skip the first six character because:

1
2
3
-join [char[]](
'%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D' -split '%' |
Where-Object {$_} | ForEach-Object {[Convert]::ToInt32($_,16)})

This provides us with the following output:

jaapbrasser.com

Because this is a little bit hard to read, let’s break it up into chunks:

1
2
3
4
5
$Split      = '%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D' -split '%'
$Split      = $Split | Where-Object {$_}
$Integers   = $Split | ForEach-Object {[Convert]::ToInt32($_,16)})
$Characters = [char[]]$Integers
-join $Characters

So let’s go line-by-line through what the code does:

  1. Split the code on the %-character
  2. Skip the first entry, because we split on %, the first result will be empty and can cause errors later
  3. Convert the hexadecimal number to integers using the Convert type accelerator
  4. Convert the integers to Char by strong typing them to a Char array
  5. Use the join operator to turn it into a string

So now that we have this complete, we no longer have to guess where the encoded link is going to lead us. In my case, the link of my friend happened to take me a Russian website trying to get me involved in binary option trading:

For more information about percent encoding as a concept, have a look at the Wikipedia page over here:

Wikipedia – Percent-Encoding

I have created a function for to be able to perform this this conversion in the future, I made it available on GitHub, TechNet Gallery and the PowerShell Gallery:

Share

Wrapup of BSides Amsterdam 2017

Last Friday I had the pleasure to speak at BSides Amsterdam, a security centered conference that hosted its first iteration in Amsterdam. I could not pass up on the opportunity to attend this event. Here is an excerpt about the BSides concept from their site at bsidesams.nl:

Security BSides is a community-driven framework for building events, by and for, information security community members. These events are already happening in major cities all over the world! We are responsible for organizing an independent BSides-Approved event in Amsterdam, for the Netherlands.

It was a full day with topics ranging from hardware hacking to botnet infrastructure. With 13 sessions on a single day it was very interesting to take part in this event and to be able to speak and network with professionals from all different sides of the spectrum. I have attached some pictures to give you an impression of the day at BSides Amsterdam:

It was a full day with topics ranging from hardware hacking to botnet infrastructure. With 13 sessions on a single day it was very interesting to take part in this event and to be able to speak and network with professionals from all different sides of the spectrum.

At the event I spoke about using PowerShell to Automate security and specifically about how to detect malicious activity. All the code and slides are as always available in my Events GitHub repository:

Automating security with PowerShell

I also shared this slidedeck and my others on SlideShare:

Share