Free File Uploaders
Jul. 1 2015 — 9:51 a.m.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
13 August 2009
DERIVED

Agenda
- Overview of how FFUs work and what the raw data looks like in XKS
- Targets' use of FFUs
- How to exploit FFUs in XKS
  - HTTP Activity Search
  - (new) Web File Transfer Search

What is a FFU?
A free file uploader is a website that allows you to upload a file and then hosts that file for others to download.
Think of the "dropbox" service that we have on NSAnet.
Since Free File Uploaders are web-based, the HTTP Activity plug-in will be the first place to look for activity.
We'll also introduce the Web File Transfer plug-in.

- Most FFU sites are free and don't require accounts, but only allow for basic service
- For example, files might only be stored for a short period of time
- Or the person who uploads it does not have a lot of access into who has downloaded their files and how many times

- Some FFU sites allow for "premium" access, maybe just by registering or maybe by charging the user a fee
- Premium access might allow for more uploads per account, or files that can be stored longer
- Some premium accounts give the uploader "admin" insight into how many times a given file was downloaded (commonly referred to as a "counter")
- Some premium account sites will even allow the uploader to see the IP address and datetimes associated with each download

Example of "Premium" access
For Zshare.com:
[Screenshot of the zShare upload form: maximum upload size "Now up to 2GB for Premium users! and 1GB for registered users!"; Privacy options "Share your file with the world" / "For your eyes only (Private)"]

Challenges with FFUs
- Almost no FFU activity contains strong selectors (Username or E-mail Addresses), making it difficult to identify our target's use of these services
- In most cases we see a URL to the file that doesn't contain the original filename (eg: [URL illegible])

HTTP Activity
HTTP activity comes in two types:
[Diagram: FFU Servers; Client-to-Server "requests"; Server-to-Client "responses"]

How FFUs work
Client-to-Server request of the homepage:
[Screenshot of the GET request: User-Agent: Opera/9.22 (Windows NT 5.1; en); Host; Accept: text/html, application/xml, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, ...; Accept-Language; Accept-Charset: iso-8859-1, utf-8, utf-16; Accept-Encoding: deflate, gzip, x-gzip, identity; Cache-Control: max-stale=0; Connection; X-BlueCoat-Via]

How FFUs work
Server-to-client response of the homepage:
[Screenshot of the zShare homepage: "Welcome to ZSHARE. With ZSHARE you can upload files, images, videos, and flash for free. Simply use the upload form below and start sharing! You can also use ZSHARE as your personal file storage: backup your data and protect your files. First Time? Read our FAQ"; menu: Upload now, Log in, Create free account, Premium, FAQ; "Upload a File, Image, Video, Audio or Flash - Unlimited Downloads"; Maximum size: "Now up to 2GB for Premium users! and 1GB for registered users!"; form fields: File, Description, Privacy ("Share your file with the world" / "For your eyes only (Private)"), Nudity, "I have read and agree to the TOS"]

How FFUs work
Client-to-Server POST of the file:
[Screenshot of the POST request: POST ...a981de0b38312900b149ae9 HTTP/1.1; User-Agent: Opera/9.22 (Windows NT 5.1; en); Host; Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, ...; Accept-Language; Accept-Charset: iso-8859-1, utf-8, utf-16; Accept-Encoding: deflate, gzip, x-gzip, identity; Expect: 100-continue; Referer; Cookie; Cookie2: $Version=1; Connection: Keep-Alive, TE; TE: deflate, gzip, chunked, identity, trailers; Content-Length: 17048; Content-Type: multipart/form-data; boundary=...]

How FFUs work
The POST contains the file, but also the answers to the checkboxes on the homepage:
[Screenshot: the form (Privacy: "Share your file with the world" / "For your eyes only (Private)"; Nudity; "I have read and agree to the TOS") alongside the multipart body parts: Content-Disposition: form-data; name="descr" / Content-Disposition: form-data; name="..." / Content-Disposition: form-data; name="TOS" with value 1 / boundary line / Content-Disposition: form-data; name="pa..."]
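As an added example (not part of the slides), here is a parser for the multipart/form-data upload POST described above, run on a constructed body: it shows that the filename, the description and the checkbox answers all travel in the clear when the form is submitted over plain HTTP, which is what the HTTP Activity plug-in reads and what HTTPS would hide. The field names "descr" and "TOS" come from the slide; the boundary, the filename "pics.zip" and the field values are made up.

```python
import re

# Constructed sample, modelled on the multipart upload POST shown above:
# a "descr" text field, the "TOS" checkbox and the file part. Boundary is made up.
BOUNDARY = "----ConstructedBoundary7MA4YWxk"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"descr\"\r\n\r\n"
    "holiday pictures\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"TOS\"\r\n\r\n1\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file\"; "
    "filename=\"pics.zip\"\r\nContent-Type: application/zip\r\n\r\n"
    "PK\x03\x04<zip bytes elided>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

def boundary_from_content_type(content_type: str) -> str:
    """Pull the boundary token out of a multipart/form-data Content-Type header."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(2)

def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a multipart/form-data body into parts (name, filename, content_type, data)."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disp)   # not the "name" in filename=
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "content_type": headers.get("content-type"),
                      "data": data[:-2] if data.endswith(b"\r\n") else data})  # drop CRLF before next boundary
    return parts

def upload_summary(content_type: str, body: bytes) -> dict:
    """What an on-path observer learns from one cleartext upload: filename, size, form answers."""
    parts = parse_multipart(body, boundary_from_content_type(content_type))
    file_part = next(p for p in parts if p["filename"] is not None)
    form = {p["name"]: p["data"].decode("latin-1") for p in parts if p["filename"] is None}
    return {"filename": file_part["filename"], "size": len(file_part["data"]), "form": form}
```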

How FFUs work
[Screenshot of further client-to-server request headers: User-Agent (Opera, Windows NT 5.1; en); Host; Accept; Accept-Language; Accept-Charset: iso-8859-1, utf-8, utf-16; Accept-Encoding: deflate, gzip, x-gzip, identity; Referer; Cookie values; Connection: Keep-Alive, TE; TE: deflate, gzip, chunked, identity, trailers]

How FFUs work
Server-to-client response after successful upload:
[Screenshot of the zShare "File Uploaded" page: "The file [filename].zip was uploaded! You're now ready to share it with unlimited people or keep it as a backup."; Download Link: http://www.zshare.net/download/[id]; Link for Forums: [url=http://www.zshare...]; Direct Link; Delete Link; "E-mail Me This Info: To get all the info on the file you uploaded, such as removal instructions and download link, enter your e-mail address on the field below: Your e-mail:"]

Critical piece of collect!
This one server-to-client session serves as proof of the success of the upload and it connects the original filename to the URL that will be passed around in E-mail or forum posts.
[Screenshot of the same "File Uploaded" page: "[filename].zip was successfully uploaded! You're now ready to share it with unlimited people or keep it as a backup."; Download Link: http://www.zshare.net/download/[id]; Link for Forums; Direct Link; Delete Link]

How FFUs work
FFU activity in time order:
[Screenshot of an XKS HTTP activity table, columns HTTP Type, Host, URL Path, URL Args: a get, then a post to the zshare.net upload path, then several gets]

How does that activity look in XKS?
Client-to-server request for the homepage:
[Screenshot of the GET request headers (User-Agent: Opera/9.22 (Windows NT 5.1; en); Host; Accept; Accept-Language; Accept-Charset: iso-8859-1, utf-8; Accept-Encoding: deflate, x-gzip, identity; Cache-Control; Connection; X-BlueCoat-Via) with its HTTP activity meta-data: Datetime; HTTP Type: get; Application Info; Application Type: filetransfer; Application: filetransfer/web/zshare; AppID [+Fingerprints]: filetransfer/web/zshare]

How does that activity look in XKS?
Server-to-Client response of the homepage:
[Screenshot of the homepage response ("Upload a File, Image, Video, Audio or Flash - Unlimited Downloads") with its HTTP activity meta-data: HTTP Time; Application Info: "Free Image, Video, Audio, Flash and File Hosting"; Application Type: filetransfer; Application: filetransfer/web/zshare; AppID [+Fingerprints]: filetransfer/web/zshare]

How does that activity look in XKS?
Client-to-Server POST of the file:
[Screenshot of the POST /cgi-bin/... request headers (User-Agent: Opera/9.22 (Windows NT 5.1; en); Host; Accept: image/png, image/jpeg, image/gif, image/x-xbitmap, ...; Accept-Language; Accept-Encoding: deflate, gzip, x-gzip, identity; Expect: 100-continue; Referer; Cookie: cid=...; Cookie2: $Version=1; Connection: Keep-Alive, TE; TE: deflate, gzip, chunked, identity, trailers; Content-Length; Content-Type: multipart/form-data; boundary=...) with its HTTP activity meta-data: Host; URL Path; URL Args; HTTP Type: post; Cookie; Referer; Attachment Filename: [filename].zip; Data Length; Length; Application Type: filetransfer; Application; AppID [+Fingerprints]]

How does that activity look in XKS?
Client-to-Server checks up on upload status:
[Screenshot of the GET request to the upload-status URL (User-Agent: Opera, Windows NT 5.1; Host: www.zshare.net; Accept; Accept-Charset; Accept-Encoding; Referer; Cookie; Connection: Keep-Alive, TE) with its HTTP activity meta-data: HTTP Type: get; Host; URL Path; URL Args; Cookie; AppID]

How does that activity look in XKS?
Server-to-Client successful upload:
[Screenshot of the "File Uploaded" response with its HTTP activity meta-data: Application Info: "Free Image, Video, Audio, Flash and File Hosting"; HTTP Type; Application Type: filetransfer; Application: filetransfer/web/zshare; AppID [+Fingerprints]: filetransfer/web/zshare/deletelink]

Why the Web File Transfer search?
Web File Transfer plug-ins were built to harvest valuable pieces of information which are not pulled out by default in the HTTP activity search.
For example, in the server to client response we see the name of the file that was uploaded, the URL to be used to download the file and the delete key, all great pieces of information!

Web File Transfer search
For example:
[Screenshot of the zShare "File Uploaded" page: "The file [filename].zip was uploaded! You're now ready to share it with unlimited people or keep it as a backup."; Download Link: http://www.zshare.net/download/[id]; Link for Forums; Direct Link; Delete Link; "E-mail Me This Info" form]

Web File Transfer search
Web File Transfer plug-ins were built to extract fields like this:
[Screenshot of the "File Uploaded" page (Download Link, Link for Forums, Direct Link, Delete Link) with the extracted fields: File URL; Filename; Transfer Type: upload; Upload ID; Delete ID; Site Name]

Web File Transfer search
Other examples:
[Screenshots of two other FFU sites' upload-success pages: one listing File name, File type, File size, Attachments with "Display" and "Send to" links; and a RapidShare page ("PREMIUM-Downloads", "Forgot Premium-password?", "Thanks for your upload", "Your Download Link", "Send download link via e-mail": Name (sender), Email address of first recipient, Email address of additional recipient, Your message to the recipient, Send download link)]

Searching on FFUs in XKS
When you see an FFU URL passed around, you can use the HTTP activity parser to see if anyone went to that URL.
Use the HTTP activity search and simply copy and paste the URL into the field builder!
Make sure to add a valid foreign IP address or foreign country code to your search to make it USSID18 compliant!!

Searching on FFUs in XKS
For example, if we see this URL passed around in traffic:
[Screenshot of the XKS HTTP Activity search form: Query Name; Justification; Additional Justification: "FFU URL used by CT target"; Miranda Number; Datetime: 1 Month; Host; URL Path; URL Field Builder: "Enter a URL, it will be automatically parsed to populate the host, path and argument fields:" http://www... [Enter] [Cancel]; "Populate with URL Field Builder"]

Searching on FFUs in XKS
Make sure to end your search with a valid foreign target, like IP address or country or city code!!
[Screenshot of the search form: Type; Host [Populate with URL Field Builder]; URL Path; URL Args [... Field Builder]; IP Address: From / To [IP address Field Builder]; Port: From / To]

Searching on FFUs in XKS
It's also worth it to search the URL as the "referer" and again remember to add something "foreign"
[Screenshot of the search form: Referer; IP Address: From / To [IP address Field Builder]; Port: From / To; Country: From / To]

Searching on FFUs in XKS
To find all files being uploaded to zShare from a given IP address/range or city/country code, use the HTTP activity search:
[Screenshot of the search form: HTTP Type; Attachment Filename; AppID: filetransfer/web/zshare/upload; Country: From; IP address: From]

Searching on FFUs in XKS
If you want to try to find who uploaded the file that generated that URL, use the Web File Transfer Plug-in
[Screenshot of the XKS search menu listing plug-ins such as Network Logs, Metadata, VoIP Metadata, Phone Number Extractor, Radius Logs, SSL Parser, Tech Strings in Document, User Activity, WLAN]

Searching on FFUs in XKS
To find all file upload success web-pages, which have the filename and the FFU URL, use the Web File Transfer Search:
[Screenshot of the search form: Transfer Type: upload; Site Name; IP Address: To; Country]

Searching on FFUs in XKS
To try to find the filename associated with a URL, enter the URL into the "File URL" field, again remember to add something "foreign"
[Screenshot of the Web File Transfer search form: Source: Web File Transfer; Query Name; Additional Justification; Datetime: 1 Month; File URL; Filename; Country: From; IP address: From]