Updated: Jan 6, 2019
After taking FOR610 and taking the GREM I decided to try and write a tool or two that could be utilized for Malware Analysis. Some malware, according to the training, will only fire if a certain user agent string were directed against it. I wrote a somewhat long python script that will pull down about 20-30 of the most utilized user agent strings from http://www.browser-info.net/useragents then initiate requests against a specified site with those UAs. If there is any different type of response from the site, the site is then downloaded for analysis.
My initial thoughts were that most sites would only have a few different responses based on the most popular browsers. That is not what I found, almost all modern sites will respond with a unique site based on the individual UA string. The sites that don't are the MALICIOUS sites, or at least most of them. Here is some of my analysis I switched to PowerShell, because it's just easier for me because I REFUSE to use the Requests module from Apache.
This function allows me to get all the responses with a md5 hash from those responses.
PS C:\Users\mweek\scripts> $google = ua-brute -url https://www.google.com
Then do some quick cmdline kungfu to determine what the variance is:
PS C:\Users\mweek\scripts> $google | Group-Object md5 | Measure-Object count -Maximum -Minimum -Average -Sum
Count : 40
Average : 1
Sum : 40
Maximum : 1
Minimum : 1
Property : Count
So I formatted the response and tried against a couple websites:
Website I just made:
PS C:\Users\mweek\scripts> C:\Users\mweek\Documents\uabrute\uabrute.ps1 -url http://192.168.1.3
PS C:\Users\mweek\scripts> C:\Users\mweek\Documents\uabrute\uabrute.ps1 -url http://www.google.com
My WIX website :P
PS C:\Users\mweek\scripts> C:\Users\mweek\Documents\uabrute\uabrute.ps1 -url http://www.packetaddict.com
Interestingly enough the more malicious a site is the less variance you receive. Who knew?