Thursday, August 12, 2010

Jsunpack through a proxy

I have a special guest blog from http://twitter.com/malc0de today. He submitted some proxy suggestions for jsunpack-n, which I've added to svn. Here is a description of the features. Thanks for the great new feature ideas, keep them coming! Also check out his site at http://malc0de.com/ if you haven't already.



In today's threatscape, the ability to forward requests through proxy servers can come in handy in certain situations. Generally speaking, a majority of drive-by exploit kits in the wild have logic built in that refuses duplicate requests originating from the same IP address. Since I primarily use jsunpack-n to investigate potentially malicious domains and am one of the many jsunpack-n users out there, I thought it would be useful if jsunpack supported proxies. At first, diving into the 1300+ lines of Python was intimidating, but after a few hours I had a working prototype that I sent to Blake, who later modified (improved) it and added it to the svn repository.

Once you have checked out a new copy (https://code.google.com/p/jsunpack-n/source/checkout) you will notice two additional options:

-p PROXY, --proxy=PROXY
- use a random proxy from this list (comma separated)
-P CURRENTPROXY, --currentproxy=CURRENTPROXY
- define a single proxy

The first option, -p, allows you to specify a comma-delimited list of proxies, from which jsunpack will randomly pick one.

Example
./jsunpackn.py -u "www.google.com" -p 189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128

URL fetch www.google.com
[fetch config] random proxy 187.45.175.66:3128
[fetch config] currentproxy 187.45.175.66:3128

The second option, -P, allows you to define a single proxy.

Example
./jsunpackn.py -u "www.google.com" -P 187.45.175.66:3128
URL fetch www.google.com
[fetch config] currentproxy 187.45.175.66:3128
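The option semantics described above (a random pick from the -p list, or the single -P proxy taking precedence), as an added Python example that is not jsunpack-n's own code: it validates the comma-delimited list so a malformed entry cannot silently disable proxying, reproduces the "[fetch config]" lines from the examples, and builds a urllib opener that routes the fetch through the chosen proxy. The function names are assumptions, and PROXY_LIST is a constructed sample copied from the example above, not a list of live proxies.

```python
import random
import urllib.request

# Constructed sample, shaped like the -p argument in the example (not live proxies).
PROXY_LIST = "189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128"

def parse_proxy_list(arg):
    """Split a comma-delimited host:port list, rejecting malformed entries
    so a bad line from a proxy-list tool cannot leave a fetch unproxied."""
    proxies = []
    for entry in arg.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
            raise ValueError("bad proxy entry: %r" % entry)
        proxies.append(host + ":" + port)
    return proxies

def select_proxy(url, proxy_arg=None, currentproxy=None, seed=None):
    """-P (currentproxy) wins; otherwise one entry of -p is picked at random.
    Returns the chosen proxy and log lines in the page's '[fetch config]' form."""
    lines = ["URL fetch " + url]
    chosen = currentproxy
    if chosen is None and proxy_arg:
        chosen = random.Random(seed).choice(parse_proxy_list(proxy_arg))
        lines.append("[fetch config] random proxy " + chosen)
    if chosen:
        lines.append("[fetch config] currentproxy " + chosen)
    return chosen, lines

def proxy_settings(proxy):
    """Dict for urllib's ProxyHandler: a plain-HTTP proxy used for both schemes."""
    return {"http": "http://" + proxy, "https": "http://" + proxy}

def build_opener(proxy):
    """Opener that sends every request through the chosen proxy; passing an
    explicit dict means environment proxy variables are ignored."""
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxy_settings(proxy)))

if __name__ == "__main__":
    chosen, lines = select_proxy("www.google.com", proxy_arg=PROXY_LIST)
    print("\n".join(lines))
    opener = build_opener(chosen)  # opener.open("http://www.google.com") fetches via the proxy
```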

For your convenience, a Perl script called getCurrentProxies.pl can be found in the tools directory. This script interfaces with a popular website named malwaregroup.com to retrieve an updated list of active proxies. The IPs are printed out in the comma-delimited format accepted by the new -p option.

Example

./tools/getCurrentProxies.pl
193.255.184.210:3128,193.110.187.209:3128,193.105.240.32:8080,190.200.151.23:8080,189.84.116.88:3128,189.3.177.146:8080,189.3.150.32:3128,189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128,187.23.145.82:3128,187.0.80.180:3128,180.149.49.114:8080

I enjoyed working on this project with Blake and would like to take this opportunity to encourage others to contribute their ideas. Jsunpack has come a long way since it was first introduced and continues to remain one of my favorite tools.