Spammers have been getting craftier about getting through the Bayesian and other heuristic filters many mail providers use to deliver only legitimate email to recipients. One of the ways they do this is by encoding or encapsulating patterns in base64 or some other encoding mechanism. This allows the email client to render a message containing text that a spam filter would have blocked, since the filter usually can’t interpret the encoded strings. These usually arrive in the form of htm or html attachments, where the email client effectively acts as a web viewer to render the data to the screen. If we take a sample of…
-
Base64 Encoding and Decoding
I received a piece of malware today and, as one will do, I of course opened it up on my test machine. Like a lot of phishing-type emails, it was really just trying to get at a password (in this case it was a fake Office365 login). One thing that jumped out at me was that the payload was a bunch of base64-encoded blobs. The machine was offline, so I couldn’t use one of the many online decoders to see what it was doing. Thus, time to bust out the old openssl and base64 commands. Let’s start with a quick example of encoding a string object into…
-
Get a list of Google Chrome extensions on a Mac (and more on what’s in the manifest.json)
A common task for those who manage devices is getting a list of the things installed on a computer. Plenty of those things are apps. But increasingly there are extensions within apps that expand the functionality of those apps. This is nowhere more true than in web browsers, where an extension can intercept endpoints and manipulate the text on the screen. Google Chrome stores extensions in /Users/<username>/Library/Application\ Support/Google/Chrome/Default/Extensions. To see a list of all of the extensions in Google Chrome, the following find command can walk through that directory, read each manifest.json, and find the name field. It’s quoted such that it will skip those that also have short_name defined…
-
Inspecting WebAuthn Traffic
Just released v2 of a Chrome extension that overrides the navigator.credentials.get and navigator.credentials.create endpoints to show the JSON that is sent and received during a WebAuthn transaction. The extension simply produces a dialog box that shows the JSON submitted to the appropriate endpoints on a server that supports passkeys. It’s available as an unpacked Chrome extension at https://github.com/krypted/webauthn-inspector. The two primary attributes I was interested in exploring are “id” and “challenge”. By visiting webauthn.info and changing the “Advanced Settings”, it’s easy to see how the other fields change as the settings change, and to compare these to sites (e.g. bestbuy.com) that have implemented some of the WebAuthn spec. In general, the id…
-
New Version of Extensions Manager
Just uploaded a new version of Extensions Manager to GitHub at https://github.com/krypted/extensionsmanager. It now has a search function and can sort by column. These make it much quicker to find potential extension conflicts. Uploaded both the Xcode project and a compiled binary, so it can simply be downloaded and run.
-
The Return Of Extensions Manager
Just posted a graphical interface to see what extensions are running on Macs, along with the version of each extension, what type of extension it is, its status, path, and SDK. This is a rebirth of the slick Extensions Manager of old. It’s less cool than that one, as it doesn’t yet allow for managing extensions – but it should once the logic is worked out (or an API is provided for these types of system-wide tasks rather than just for the app that instantiated the extension). To download Extensions Manager, click https://github.com/krypted/extensionsmanager/raw/main/Extension%20Manager%20Executable.zip, or to access the source for it and the CLI version, visit https://github.com/krypted/extensionsmanager. The tool is similar in nature to the early…
-
Extensions Manager Swift Project for macOS
Extension Manager was an important app for those who managed Macs in the System 8 and System 9 era. It allowed us to see all of the extensions loaded in the classic OS and disable them. It was also easy to move extensions to the desktop for troubleshooting. In the years since Apple began to pick apart what developers used kernel extensions to do, the types of extensions and how we use them have left us with a few different tools to comb through to see what extensions are on a system and what they do. Thus, let’s bring Extension Manager back (ish). Let’s start with a…
-
A Bit On Self-Destructing Shell Scripts
Shells come with a magic variable, $0, that can be used for various operations. In its simplest incantation we can just echo out $0 to get the path of the script from within the script itself: echo $0. We can also derive just the directory a script is in, for example to check whether it’s being executed from within an app bundle, a temp directory, or a download directory. This is also helpful if we’ve created files in a folder we created and need to delete them all at the end of a larger atomic operation (e.g. rm -r …/<the directory name>). To do that…
-
Add Commands To The Shell Built-in Commands
Some shell commands are internal built-in commands. This allows them to change the state of the shell process, and because they’re internal they can be really fast, as they don’t have to load another program. Some machines are dedicated to running a couple of scripts. Adding a command to the built-ins on those can make them all the faster. To enable a built-in, use the enable command followed by -f, the path/URI to the binary, and then the name you want it to be called as. Let’s say we want to call /usr/local/devopsmagic as devopsmagicb; that would be run as follows: enable -f /usr/local/devopsmagic devopsmagicb I’m not a big fan of doing…
-
Disable Offload Unused Apps If You Use A Lot Of Sensors In The Home
The Offload Unused Apps feature on an iPhone is great for saving space and keeping devices secure. It keeps the documents and settings for apps that haven’t been used for a while but removes the app bundle itself. For those with a lot of “set it and forget it” sensors in the home it can be a bit problematic. Once an app has been offloaded, push notifications are no longer delivered to it. So if a carbon monoxide monitor or water sensor, installed for a little peace of mind, goes off, then the app might not be alerting you (maybe an email as a backup). To disable this feature, open the Settings…