VP 230: Obfuscated HTTP (50 pts)

Purpose

Monitor obfuscated HTTP traffic with Python, to detect botnet traffic.

Understanding HTTP

In a Web browser, open this page:

http://samlol.samsclass.info/VP/VP230.php

Open Wireshark and start sniffing traffic. In the Filter bar, enter

http

You see a series of HTTP requests scroll by, as shown below.

Notice the long folder names, outlined in red in the image below.

This is how traffic looks when a machine is infected by remote-control malware that is "beaconing" to, or exfiltrating stolen data to, a Command & Control server. The bot makes a series of requests over DNS, HTTP, or another protocol, hiding the obfuscated data in fields that look like ordinary names or paths (here, the folder names in the URL).

In this project, you'll write scripts to harvest the HTTP traffic and find the concealed data in it.

Using Scapy

Scapy is a Python library for capturing, dissecting and crafting network packets.

Execute this command to download and install the Scapy library:

python3 -m pip install scapy

In a text editor, create a file named http1.py containing this code, as shown below:

from scapy.all import *

def findHTTP(p):
  # Only look at TCP segments headed for port 80 (plain HTTP)
  if p.haslayer(TCP):
    if p[TCP].dport == 80:
      print(p.summary())   # one-line summary of the packet
      p.show()             # full layer-by-layer dump (show() prints itself and returns None)

sniff(prn=findHTTP)

Run the program with root or administrator privileges (sniffing needs raw-socket access). Make sure the "VP230.php" page is open.

You see a lot of data about the HTTP requests scroll by, as shown below.

Press Ctrl+C to stop the program.

A Cleaner HTTP Monitor

In a text editor, create a file named http2.py containing this code, as shown below:

from scapy.all import *

def findHTTP(p):
  # Same port-80 filter as http1.py, but print only the TCP payload
  if p.haslayer(TCP):
    if p[TCP].dport == 80:
      if p.haslayer(Raw):       # skip ACKs and handshake segments, which carry no payload
        print(p[Raw].load)      # the raw HTTP request bytes (printed as a Python bytes literal)

sniff(prn=findHTTP)

Run the program. The output is a bit cleaner, as shown below, but it still has far too much information: you get the whole request line and every header, when all you want is the folder name.

Press Ctrl+C to stop the program.

Clean it Up

Make a cleaner version of this program that shows only the random folder names, as shown below.
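One way to do that clean-up, added here as a worked example (it is not the page's own solution): parse the request line out of each TCP payload with the standard library, keep the path components, and report only the long ones. The 12-character threshold, the "last component with a dot is a file" heuristic and the sample payloads are assumptions constructed for this example; the scapy glue at the bottom uses the same port-80 filter as http2.py and runs only when the script is executed directly.

```python
import re

# Request line of an HTTP/1.x request: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \r\n]+) HTTP/\d\.\d\r?\n")

# Heuristic threshold (an assumption for this example): path components this
# long or longer are treated as candidate data carriers.
MIN_SUSPICIOUS_LEN = 12


def request_path(payload: bytes):
    """Return the request-target of an HTTP request, or None when the payload
    is not the start of one (a TLS record, a TCP continuation segment, ...)."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    return m.group(2).decode("ascii", errors="replace")


def directory_names(path: str):
    """Split a request path into folder names: drop the query string, empty
    components, and a trailing component that looks like a file (has a dot)."""
    path = path.split("?", 1)[0]
    parts = [p for p in path.split("/") if p]
    if parts and "." in parts[-1]:
        parts = parts[:-1]
    return parts


def suspicious_names(payload: bytes, min_len: int = MIN_SUSPICIOUS_LEN):
    """Folder names in one HTTP request payload that are long enough to be
    carrying encoded data. Returns [] for non-HTTP payloads."""
    path = request_path(payload)
    if path is None:
        return []
    return [name for name in directory_names(path) if len(name) >= min_len]


def harvest(payloads):
    """Run suspicious_names over a sequence of TCP payloads, in capture order."""
    found = []
    for payload in payloads:
        found.extend(suspicious_names(payload))
    return found


# Constructed sample payloads (not real captures): an ordinary page fetch, a
# request with a long random-looking folder name, a short path, and the start
# of a TLS ClientHello, which is not HTTP at all.
SAMPLE_PAYLOADS = [
    b"GET /VP/VP230.php HTTP/1.1\r\nHost: samlol.samsclass.info\r\n\r\n",
    b"GET /VP/a3f9c1d27e8b4f60/index.html HTTP/1.1\r\nHost: samlol.samsclass.info\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
]


if __name__ == "__main__":
    # Offline check on the constructed samples.
    print(harvest(SAMPLE_PAYLOADS))

    # Live use: the same filter as http2.py, but printing only folder names.
    # scapy is imported here so the functions above stay usable without it;
    # sniffing needs root (raw-socket access).
    from scapy.all import sniff, TCP, Raw

    def findHTTP(p):
        if p.haslayer(TCP) and p[TCP].dport == 80 and p.haslayer(Raw):
            for name in suspicious_names(bytes(p[Raw].load)):
                print(name)

    sniff(prn=findHTTP, store=False)
```

Parsing the request line yourself, rather than printing p[Raw].load, also makes the monitor ignore TCP segments that are not the start of a request (continuation data, TLS on a non-standard port), which is where most of the noise in http2.py's output comes from.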

Flag VP 230.1: Directory Name (10 pts)

In a Web browser, open this page:

http://samlol.samsclass.info/VP/VP230-1.php

Monitor the HTTP requests. After a while you'll find the flag, as shown below.

Flag VP 230.2: Hex Encoding (10 pts)

In a Web browser, open this page:

http://samlol.samsclass.info/VP/VP230-2.php

Monitor the HTTP requests. Some of the requests contain the flag, but they are encoded.

Hints

Flag VP 230.3: Binary Encoding (10 pts)

In a Web browser, open this page:

http://samlol.samsclass.info/VP/VP230-3.php

Monitor the HTTP requests. Some of the requests contain the flag, but they are encoded.

Flag VP 230.4: Base64 Encoding (10 pts)

In a Web browser, open this page:

http://samlol.samsclass.info/VP/VP230-4.php

Monitor the HTTP requests. Some of the requests contain the flag, but they are encoded.

Flag VP 230.5: Base58 Encoding (10 pts)

In a Web browser, open this page:

http://samlol.samsclass.info/VP/VP230-5.php

Monitor the HTTP requests. Some of the requests contain the flag, but they are encoded.

Hint: Base58Check encoding
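The four encoded flags (VP 230.2 through VP 230.5) differ only in how the folder name is encoded, so one decoder that tries hex, binary, Base64, Base58 and Base58Check in turn covers all of them. The code below is an added example, not part of the original project: the Base58 implementation uses the Bitcoin alphabet (the one Base58Check is defined against), Base58Check is taken as payload followed by the first four bytes of SHA256(SHA256(payload)), and the sample strings in the main block are constructed rather than taken from the lab's traffic.

```python
import base64
import binascii
import hashlib
import string

# Bitcoin-style Base58 alphabet: no 0, O, I or l, so strings survive retyping.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}


def from_hex(s: str) -> bytes:
    return bytes.fromhex(s)


def from_binary(s: str) -> bytes:
    """Decode a string of 0/1 characters, eight bits per byte, spaces allowed."""
    bits = s.replace(" ", "")
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a bit string")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def from_base64(s: str) -> bytes:
    """Accept the standard or URL-safe alphabet, with or without '=' padding
    (padding is usually dropped when the value rides in a URL path)."""
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def to_base58(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    # Each leading zero byte is written as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode("ascii")


def from_base58(s: str) -> bytes:
    n = 0
    for c in s.encode("ascii"):
        if c not in B58_INDEX:
            raise ValueError("not base58")
        n = n * 58 + B58_INDEX[c]
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def to_base58check(payload: bytes) -> str:
    """Base58Check: Base58 of payload || first 4 bytes of SHA256(SHA256(payload))."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return to_base58(payload + checksum)


def from_base58check(s: str) -> bytes:
    raw = from_base58(s)
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch")
    return payload


DECODERS = [
    ("hex", from_hex),
    ("binary", from_binary),
    ("base64", from_base64),
    ("base58check", from_base58check),
    ("base58", from_base58),
]


def is_printable_ascii(b: bytes) -> bool:
    try:
        text = b.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in string.printable for ch in text)


def decode_candidates(segment: str) -> dict:
    """Try every decoder on one folder name and keep the results that decode to
    printable ASCII. Several can succeed on the same input (a hex string is also
    valid Base64 and Base58), so the caller still has to read the candidates."""
    found = {}
    for name, fn in DECODERS:
        try:
            raw = fn(segment)
        except (ValueError, binascii.Error):
            continue
        if is_printable_ascii(raw):
            found[name] = raw.decode("ascii")
    return found


if __name__ == "__main__":
    # Constructed folder names (not from the lab's traffic), one per scheme.
    for sample in ["666c6167", "01100110011011000110000101100111",
                   "ZmxhZw", to_base58(b"flag"), to_base58check(b"flag")]:
        print(sample, "->", decode_candidates(sample))
```

Feed each folder name the monitor prints into decode_candidates. The printable-ASCII filter removes most false positives from the overlapping alphabets; Base58Check is stricter still, because a string that is not a genuine Base58Check value fails the four-byte checksum and is rejected outright, which is also why a single corrupted character in a real value makes it disappear from the results.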


Updated to Python 3 6-30-2020