Intro to XKS AppIDs and Fingerprints
July 1, 2015
August 2009
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GER, NZL//20291123
Agenda
- Overview of Application IDs and Fingerprints
- Background of the 4 generations of AppIDs/Fingerprints
- Examples of how they are used for target development (SIGDEV)
What is an AppID?
An Application ID (AppID) is a meta-data tag given to a session to help describe what application is being seen in the traffic.
Examples:
- mail/webmail/yahoo indicates that the traffic was Yahoo Webmail
- chat/msn_messenger indicates the traffic was MSN Messenger
- … indicates that the traffic was an HTTP Get
What's the point of AppIDs/Fingerprints?
For one, they give you a powerful tool for the quick analysis of what applications are being seen in your traffic.
A simple histogram on … allows you to quickly identify all of the applications seen for a given result set, without needing to view each piece of content.
Why even have AppIDs/Fingerprints?
Ex: Histogram the applications used during target activity:
[Screenshot: histogram grid with Application and Count columns listing AppIDs such as http/get, mail/webmail/mailru and several other mail/webmail/* values]
Secondly, they provide an additional criterion that you can use in your query.
NOTE: It's important to point out that since most AppIDs/Fingerprints are tagging technology and/or applications, they SHOULD NOT be the sole criteria for your queries in …
Why even have AppIDs/Fingerprints?
Ex: I'm looking for targets using mail.ru from behind a large Iranian proxy:
[Screenshot: query form with an IP address field and the AppID (+Fingerprints) field set to mail/webmail/mailru]
Why even have AppIDs/Fingerprints?
Ex: I'm looking for Mojaheden Secrets 2 use in extremist web forums:
[Screenshot: Field Builder with the AppID (+Fingerprints) field listing a Mojaheden Secrets fingerprint together with several forum/extremist/* AppIDs]
How do AppIDs work?
AppIDs are effectively looking for keywords in order to assign the AppID tag.
Example, let's say that this is the definition for mail/webmail/yahoo:
appid('mail/webmail/yahoo', 9.0) 'Host: mail.yahoo';
Example
Here is a client side Yahoo session:
GET /login.html
Referer:
Accept-Language: ar
Accept-Encoding: gzip, deflate
(compatible; MSIE 6.0; Windows NT 5.1;
Host: mail.yahoo.com
Keep-Alive
Cookie: B=fn502hd261202&b=3&s=rp;
Example
appid('mail/webmail/yahoo', 9.0) 'Host: mail.yahoo';
GET /login.html
Referer:
Accept-Language: ar
Accept-Encoding: gzip, deflate
(compatible; MSIE 6.0; Windows NT 5.1; SV1
Host: mail.yahoo.com
Keep-Alive
Cookie: B=fn502hd261202&b=3&s=rp;
Application: mail/webmail/yahoo
How do AppIDs work?
What does the number in the AppID mean?
appid('mail/webmail/yahoo', 9.0):
- Each session can have only one AppID
- The goal is for the AppID to be as descriptive as possible
- Any given session might qualify under multiple AppID definitions, but only the most specific AppID that applies to the session is assigned
- Lowest number wins, so the lower the number, the more specific the definition
How do AppIDs work?
Let's say there's another more descriptive appid for mail/webmail/yahoo/login:
appid('mail/webmail/yahoo/login', 3.0) 'Host: mail.yahoo' and '/login';
It has a lower number than mail/webmail/yahoo, so if it "hits" it will be applied.
Example
appid('mail/webmail/yahoo', 9.0) 'Host: mail.yahoo';
appid('mail/webmail/yahoo/login', 3.0) 'Host: mail.yahoo' and '/login';
GET /login.html
Referer:
Accept-Language: ar
Accept-Encoding: gzip, deflate
(compatible; MSIE 6.0; Windows NT 5.1; SV1
Host: mail.yahoo.com
Keep-Alive
Cookie: B=fn502hd261202&b=3&s=rp;
Application: mail/webmail/yahoo/login
AppID Structure
- Note that the AppIDs have a directory-like structure:
  - mail/webmail/yahoo and mail/webmail/yahoo/login
- If you wanted to search for all webmail activity you could search for mail/webmail/*
- If you wanted to search for all Yahoo mail activity you could search for mail/webmail/yahoo/*
- etc
Some sessions can hit on many AppIDs. For example a single session might hit on:
- an AppID numbered 9.2
- an AppID numbered 8.9
- an AppID numbered 6.0
- an AppID numbered 5.0
Which one will be assigned as the winning AppID?
How do AppIDs work?
When you see an AppID, how do you know what was used to define that AppID?
- Through the XKS AppID signature page available through "go xkeyscore"
- Or by simply clicking on the hyperlinked AppID from the new …
What is a fingerprint?
AppIDs were built to describe applications, of which there *should* only be one application seen per session.
How do we describe other attributes of a session that aren't necessarily tied to a particular application?
What is a fingerprint?
One great example is …. A particular type of … could be used in Yahoo Email, Gmail Email, SMTP Email.
It could be used inside of a Word Document being uploaded to a free file website.
It could be used inside of a private message sent through Facebook.
Etc.
What is a fingerprint?
How can we tag anytime we see that type of … regardless of the application we saw it in?
Answer - Fingerprints
Think of Fingerprints as "attributes" of a session.
A session can have as many fingerprints as is needed to best describe it.
Example
appid('mail/webmail/yahoo', 9.0) 'Host: mail.yahoo';
appid('mail/webmail/yahoo/login', 8.0) 'Host: mail.yahoo' and '/login';
fingerprint('mail/arabic') 'mail' and …;
GET /login.html
Referer:
Accept-Language: ar
Accept-Encoding: gzip, deflate
(compatible; MSIE 6.0; Windows NT 5.1; SV1
Host: mail.yahoo.com
Keep-Alive
Cookie: B=fn50ehd261202&b=3&s=rp;
Application: mail/webmail/yahoo/login
Fingerprint: mail/webmail/yahoo/login mail/arabic
Appid vs Fingerprint
Each session gets one appid -- lowest level wins. It gets databased in the 'application' field.
All matching fingerprints are stored in the 'fingerprint' field.
[Screenshot: DNI Presenter metadata panel showing Application Type (the winning appid), Application Info, and the Application field (all fingerprints); both the AppID and the Fingerprint(s) query fields are populated with the Field Builder]
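The one-AppID, many-fingerprints rule described on these slides, as an added example that is not XKS code: a small Python model of 1st-generation keyword definitions, using the yahoo, yahoo/login and PGP definitions shown in the deck (the body of the mail/arabic fingerprint is an assumption, since the slide only shows "'mail' and …"), with the directory-style wildcard search from the AppID Structure slide on top.

```python
"""Added example (not XKS code): every definition is a keyword scan over
the raw session text, a session gets exactly one AppID (lowest number
wins) in the 'application' field, and every matching fingerprint lands
in the 'fingerprint' field."""
from fnmatch import fnmatchcase
from typing import Callable, NamedTuple

Pred = Callable[[str], bool]


def kw(*words: str) -> Pred:
    """1st-generation keyword scan: any of the words anywhere in the session."""
    return lambda session: any(w in session for w in words)


def all_of(*preds: Pred) -> Pred:
    return lambda session: all(p(session) for p in preds)


class AppId(NamedTuple):
    name: str
    number: float   # lower number = more specific definition
    match: Pred


class Fingerprint(NamedTuple):
    name: str
    match: Pred


# Definitions taken from the slides; the mail/arabic body is assumed.
APPIDS = [
    AppId("mail/webmail/yahoo", 9.0, kw("Host: mail.yahoo")),
    AppId("mail/webmail/yahoo/login", 3.0,
          all_of(kw("Host: mail.yahoo"), kw("/login"))),
]
FINGERPRINTS = [
    Fingerprint("mail/arabic", all_of(kw("mail"), kw("Accept-Language: ar"))),
    Fingerprint("PGP", kw("begin message", "begin+pgp+message")),
]


def tag_session(session: str) -> dict:
    """Assign the winning AppID and all matching fingerprints to one session."""
    hits = [a for a in APPIDS if a.match(session)]
    winner = min(hits, key=lambda a: a.number) if hits else None
    fps = [f.name for f in FINGERPRINTS if f.match(session)]
    # The slide's example lists the winning AppID in the Fingerprint field
    # as well, so it is prepended here.
    fp_field = ([winner.name] if winner else []) + fps
    return {"application": winner.name if winner else None,
            "fingerprint": fp_field,
            "candidates": sorted((a.number, a.name) for a in hits)}


def search(results: list, pattern: str) -> list:
    """Directory-style query such as 'mail/webmail/*' over tagged sessions."""
    return [r for r in results
            if r["application"] and fnmatchcase(r["application"], pattern)]


# Constructed session, modelled on the slide's client-side Yahoo login.
YAHOO_LOGIN = (
    "GET /login.html HTTP/1.1\r\n"
    "Accept-Language: ar\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: mail.yahoo.com\r\n"
    "Connection: Keep-Alive\r\n"
)
# Same client reading its inbox in English: only the less specific AppID hits.
YAHOO_INBOX = YAHOO_LOGIN.replace("/login.html", "/inbox").replace(
    "Accept-Language: ar", "Accept-Language: en")

if __name__ == "__main__":
    tagged = [tag_session(YAHOO_LOGIN), tag_session(YAHOO_INBOX)]
    for t in tagged:
        print(t)
    print(search(tagged, "mail/webmail/yahoo/*"))
```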
Fingerprint Examples
Ex: E-Mails with PGP
[Screenshot: a captured e-mail (Subject: Launchpad: Confirm your Key) whose body is a PGP block ending in "Thanks."; the Application column shows mail/webmail/outblaze and the AppID (+Fingerprints) column adds has_fingerprint and PGP]
Fingerprint Examples
What caused those fingerprints to hit?
Application: mail/webmail/outblaze; AppID (+Fingerprints): mail/webmail/outblaze has_fingerprint…
Look at the definitions (notice any overlap?):
'begin message' or 'begin+pgp+message';
PGP
Ex: Extremist Forum Private Messages
[Screenshot: DNI Presenter view of a forum HTTP POST (HTTP Header Information: Content Type, Accept with image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, Referer, Content-Type, Accept-Encoding gzip, deflate, User-Agent: Mozilla/4.0 (compatible; MSIE …; Windows NT 5.1)) with the AppID (+Fingerprints) column and the extracted meta-data fields recipients, bcc_recipients and title]
AppID vs Fingerprint
AppIDs and Fingerprints use the exact same language inside of XKS.
You can tell which one it is by the definition:
appid('mail/webmail/yahoo', …) …;
fingerprint(…) …;
AppID/Fingerprint Language Evolution
There have been 4 generations of XKS AppID/Fingerprint languages:
- 1st Generation: Simple Keyword Scanning
- 2nd Generation: Context Aware Keyword Scanning
- 3rd Generation: Code based AppIDs/Fingerprints
- 4th Generation: Code based AppIDs that can extract meta-data (also known as Micro Plugins)
1st Generation AppIDs/Fingerprints
In the beginning, AppIDs and Fingerprints were just keyword scanning similar to CADENCE tasking. Ex:
appid('mail/webmail/yahoo', 9.0) 'Host: mail.yahoo';
appid('mail/yahoo/login', 8.0) 'Host: mail.yahoo' and '/login';
1st Generation AppIDs/Fingerprints
1st Generation would also support Regular Expressions:
PGP
(instead of quotes, regular expressions are enclosed by forward slashes)
1st Generation AppIDs/Fingerprints
As well as Hex scanning:
… 7.5) …;
(Hex characters are prefaced by …)
2nd Generation AppIDs/Fingerprints
2nd Generation AppIDs/Fingerprints introduced a context sensitive scanning engine.
- For example, rather than scanning an entire session top to bottom to look for "facebook.com", we can just use the dictionary context http_host to target the scan for the host field only.
How do AppIDs work?
AppIDs are effectively looking for keywords in order to assign the AppID tag.
Example, this is the definition for Hi5:
… 'hi5loggedIn' or … or …;
What do AppIDs look like?
If you look at the raw text of this traffic, one of the definitions for mail/webmail/hi5 will hit:
[Screenshot: raw HTML of a hi5 page: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">, <html>, <head>, <title>hi5 - Your Friends. Your World.</title>, <meta charset="utf-8" />, … Registration is quick and easy!]
2nd Generation AppIDs/Fingerprints
Example:
$facebook = http_host(…) …;
appid('social/facebook', …) $facebook;
Note the use of the chain word $facebook in the definition
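The difference between the whole-session keyword scan and the http_host context from the 2nd Generation slide, together with a chain word like $facebook, as an added Python example (not XKS code; the host names, chain word contents and sample requests are constructed for this example):

```python
"""Added example (not XKS code): a 1st-generation whole-session keyword
scan beside a 2nd-generation context-aware scan that reads only the
Host header, plus one chain word reused by the definition."""


def parse_headers(request: str) -> dict:
    """Map lower-cased header names to values; stops at the blank line."""
    headers = {}
    for line in request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def keyword(word: str):
    """1st generation: look for the word anywhere in the session text."""
    return lambda request: word in request


def http_host(*names: str):
    """2nd generation: the http_host context looks only at the Host header;
    a name matches the host exactly or as one of its parent domains."""
    def match(request: str) -> bool:
        host = parse_headers(request).get("host", "").lower()
        return any(host == n or host.endswith("." + n) for n in names)
    return match


# Chain word: defined once and reused by every definition that needs it,
# standing in for $facebook on the slide (host list is assumed).
facebook = http_host("facebook.com", "fbcdn.net")


def compare(request: str) -> dict:
    """Outcome of both scanning styles for one request."""
    return {"keyword": keyword("facebook.com")(request),
            "http_host": facebook(request)}


# Constructed requests.
TO_FACEBOOK = ("GET /home.php HTTP/1.1\r\n"
               "Host: www.facebook.com\r\n\r\n")
# Another site reached through a link on facebook.com: only the Referer
# mentions it, so the whole-session scan tags it as Facebook traffic.
VIA_REFERER = ("GET /article HTTP/1.1\r\n"
               "Host: news.example.net\r\n"
               "Referer: http://www.facebook.com/l.php?u=...\r\n\r\n")
# A CDN host that the chain word covers but the single keyword does not.
TO_CDN = ("GET /photo.jpg HTTP/1.1\r\n"
          "Host: photos-a.ak.fbcdn.net\r\n\r\n")
# A host that merely contains the string; the suffix check rejects it.
LOOKALIKE = ("GET / HTTP/1.1\r\n"
             "Host: www.facebook.com.example.org\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("to_facebook", TO_FACEBOOK), ("via_referer", VIA_REFERER),
                      ("to_cdn", TO_CDN), ("lookalike", LOOKALIKE)]:
        print(name, compare(req))
```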
2nd Generation AppIDs/Fingerprints
[Screenshot: the $facebook chain word and the appid('social/facebook', …) definition shown above a captured HTTP GET request (Accept, Accept-Language, UA-CPU, Accept-Encoding, User-Agent: Mozilla/4.0 (compatible; MSIE …; Windows NT 5.1), Host) whose Host header matches the chain word]
2nd Generation AppIDs/Fingerprints
[Screenshot: the $facebook chain word built from http_host(…) and the appid('social/facebook', …) definition beside a list of Host values, captioned: All of these hosts would match this]
2nd Generation AppIDs/Fingerprints
Example:
$kaspersky_ip = ip(…);
appid('antivirus/kaspersky', 5.0) port(…) and $kaspersky_ip;
2nd Generation AppIDs/Fingerprints
Can you tell what's going on here?
appid('mail/webmail/netlog', …) … or … or …;
2nd Generation AppIDs/Fingerprints
Mobile User Agent fingerprints:
browser('iPhone');
browser('MOT-' or 'motorola');
browser('Ericsson' …);
browser(…);
Considerations
If you were to query on any of these fingerprints by themselves, would your auditor be happy?
browser('iPhone');
browser('MOT-' or 'motorola');
browser('Ericsson' …);
browser(…);
Considerations
But if you were to query on an Afghan IP address that was a valid foreign intel target, and then … it with those fingerprints, that would be a compliant query (and your auditor would be happy).
3rd Generation AppIDs/Fingerprints
3rd Generation AppIDs/Fingerprints introduced the ability to have code-based scanning.
Why is this important? Because scanning sessions for keywords, hex values and regular expressions can only take you so far.
Using Code-based AppIDs, we can run statistical tests of the data that can help determine what type of data it is when keyword scanning can't give us a result.
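One statistical test of the kind this slide refers to, as an added Python example that is not XKS code: a byte-entropy check run beside a 1st-generation keyword check, so that a blob with no armour line such as "BEGIN PGP MESSAGE" can still be labelled as encrypted-or-compressed. The thresholds, tag names and sample data are assumptions made for this example.

```python
"""Added example (not XKS code): a code-based statistical check next to
a keyword check. The keyword check only fires on the literal armour
header; the entropy check fires on the shape of the bytes themselves."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def keyword_scan(data: bytes) -> bool:
    """1st-generation style check: the armour header must literally occur."""
    return b"BEGIN PGP MESSAGE" in data


def code_based_scan(data: bytes, min_len: int = 64) -> str:
    """Statistical classification for data the keyword scan says nothing about.
    Thresholds are assumptions chosen for this example."""
    if len(data) < min_len:
        return "too_short"            # too little data for a stable estimate
    h, p = shannon_entropy(data), printable_fraction(data)
    if p > 0.95 and h < 5.5:
        return "text"
    if p < 0.6 and h > 7.5:
        return "high_entropy_binary"  # encrypted or compressed content
    return "other"


def tag(data: bytes) -> list:
    """Fingerprint-style tags; the keyword hit and the statistical hit are independent."""
    tags = []
    if keyword_scan(data):
        tags.append("PGP")
    if code_based_scan(data) == "high_entropy_binary":
        tags.append("encrypted_or_compressed")
    return tags


# Constructed samples.
PLAINTEXT = b"Registration is quick and easy! " * 8
ARMORED = (b"-----BEGIN PGP MESSAGE-----\n"
           b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"   # made-up body
           b"-----END PGP MESSAGE-----\n")
# Stand-in for a ciphertext body with no armour: uniformly random bytes
# from a seeded generator, so the result is reproducible.
RAW_BLOB = random.Random(1234).randbytes(4096)

if __name__ == "__main__":
    for name, sample in [("plaintext", PLAINTEXT), ("armored", ARMORED),
                         ("raw_blob", RAW_BLOB)]:
        print(name, round(shannon_entropy(sample), 2),
              code_based_scan(sample), tag(sample))
```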
4th Generation AppIDs/Fingerprints
4th Generation AppIDs/Fingerprints introduce the ability to extract and database meta-data from AppIDs/Fingerprints.
Why is this important?
With the dynamic nature of DNI applications, we need the ability to quickly react and deploy solutions to extract new fields of meta-data that are important to …
4th Generation AppIDs/Fingerprints
- Previously, if we identified a new protocol or a new field that we wanted to extract meta-data from, we would need to upgrade a "core" plug-in and wait until we could upgrade the field sites.
- With 130 field sites, each on their own upgrade schedule, this could take months for a simple change to get out in the field.
4th Generation AppIDs/Fingerprints
With 4th generation AppIDs, a new protocol or meta-data value can be properly processed within an hour of updating the AppID/Fingerprint.
4th Generation AppIDs/Fingerprints
Examples:
[Slide shows a 4th generation AppID (micro plugin): an anchor of $http and …, an extract section naming login_email and text, and a main section that records an xks::user_activity_t for "facebook" when login_email is present and returns true when text is present]
4th Generation AppIDs/Fingerprints
Let's take a closer look:
First a V4 needs to be "anchored".
The anchor is the beginning part of the …: … 'Server' … and …
Facebook Chat V4 AppID Example
DNI Presenter Display (Session Header / Attachments / Meta tabs). Meta-data fields legible in the screenshot:
    client_time ...
    to ...
    num_tabs 1
    ... 1250542145719
    msg_text dont u still recognize me?
    post_form_id ...
Facebook Chat V4 AppID Example
Let's look at the raw (Session Header / Attachments / Meta, ASCII view):
    POST ... HTTP/1.1
    Host: ...
    User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US; ...) ... Firefox/3.0.13
    Accept: ...
    Accept-Language: ...
    Accept-Encoding: gzip,deflate
    Accept-Charset: ...
    Keep-Alive: 300
    Connection: keep-alive
    Content-Type: ...; charset=UTF-8
    Content-Length: ...
    Cookie: ...
    Pragma: no-cache
    Cache-Control: no-cache
The "anchor" of this AppID: ... /ajax/chat/send.php
    Host: ...
    User-Agent: Mozilla/5.0 (Windows; ... NT 5.1; en-US; ...
    Accept: ...
Once the "anchor" hits, the rest of the code executes. In this case, we're looking for these two from the "Extractors" section:
    login_email
    text
This REGEX hits within the large cookie string:
    login_email ...
A closer look (the URL-encoded cookie value the regex matches):
    ...=a%3A2%3A%7Bs%3A5%3A%22emai ... yahoo.com%22%3Bs%3A19%3A%22 ... %7D;
Facebook Chat V4 AppID Example
The other REGEX:
    ... 20me%3F ... post_form_id
Finally, in the "Main" section, if those extractors found the data they were looking for, they get databased:
    main {
        if (login_email) {
            xks::user_activity_t ua("chat", "facebook");
            ... ("facebook");
            ...
        }
        if (text) {
            ...
        }
        return true;
    }
Another example:
    ... 5.0 ...
    title('zSHARE') and 'zshare.net/delete.html'
    extractors {
        wft_file_name ...
        wft_delete_url ...
        wft_upload_id /<font ...
        wft_url /<font ...
        wft_uploader_username /<small>Logged in as: ...
    }
    main {
        if (wft_delete_url) {
            ... "zshare.net";
            ... "upload";
            if (wft_file_name) ...
            if (wft_url) ...
            if (wft_uploader_username) ...
            DB.apply(...);
        }
        ... ("regexes didn't match");
        return true;
    }
FFU Successful Upload Page
(Screenshot of the zSHARE upload-result page. Legible text: "Welcome to zSHARE. With zSHARE you can upload files, images, videos, audio and flash for free. Simply use the upload form below and start sharing! You can also use zSHARE as your personal file storage: backup your data and protect your files. First Time? Read our ..."; navigation links Upload new, Login, Create Free, Premium; result block "File Uploaded. The file ... was uploaded! You're now ready to share it with unlimited people or keep it as a backup." followed by Download Link, Link for ..., Direct Link and Delete Link.)
FFU Successful Upload Page (the anchor):
    ... 5.0 ...
    ... and 'zshare.net/delete.html'
    ... Free File, Image and Video Hosting</title>
Next look for the extractor to match:
    extractors {
        wft_file_name ... file <strong><font ...</font></strong> ...
    }
Then database what was extracted:
    main {
        if (wft_file_name) ...
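Added example, not code from the deck or from XKS: a small Python evaluator mirroring the anchor / extractors / main structure that both the Facebook Chat and the zSHARE walkthroughs follow, where the anchor gates the costly regex extractors and main() databases only what was actually found. The host, URI, cookie layout, field names and the sample request are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request (not captured traffic); host, URI, cookie
# layout and form-field names are assumptions made for illustration.
SAMPLE_POST = (
    "POST /ajax/chat/send.php HTTP/1.1\r\nHost: chat.example.test\r\n"
    "Cookie: sid=abc123; profile=a%3A1%3A%7Bs%3A5%3A%22email%22%3Bs%3A18"
    "%3A%22alice%40example.test%22%3B%7D\r\n"
    "\r\nmsg_text=dont%20u%20still%20recognize%20me%3F&post_form_id=f00d"
)

def parse_http(raw):
    """Minimal request parser: method, URI and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri = request_line.split(" ", 2)[:2]
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (h.partition(":") for h in header_lines)}
    return {"method": method, "uri": uri, "headers": headers}

def chat_main(found):
    """'main' section: database only what the extractors actually found."""
    return [("chat", "example", kind, unquote(found[k]))
            for k, kind in (("login_email", "login"), ("text", "text")) if found[k]]

# One fingerprint in the deck's three parts: anchor, extractors, main.
CHAT_FP = {
    "name": "chat/example",
    "anchor": lambda s: s["method"] == "POST"
        and s["headers"].get("host") == "chat.example.test"
        and s["uri"] == "/ajax/chat/send.php",
    "extractors": {  # serialized-array cookie field, and the form's message text
        "login_email": re.compile(r"%22email%22%3Bs%3A\d+%3A%22([^%]+%40[^%]+)%22"),
        "text": re.compile(r"msg_text=([^&]+)"),
    },
    "main": chat_main,
}

def classify(raw, fingerprints):
    """Return the AppIDs whose anchor hit and the records their main() databased."""
    session, db, appids = parse_http(raw), [], []
    for fp in fingerprints:
        if not fp["anchor"](session):
            continue  # anchor missed: the extractor regexes never run
        found = {k: (m.group(1) if (m := rx.search(raw)) else None)
                 for k, rx in fp["extractors"].items()}
        db.extend(fp["main"](found))
        appids.append(fp["name"])
    return appids, db
```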