Hello and welcome. My name is John Strand and in this video, we’re going to be talking about Base64 encoding and decoding. Now the reason why we’re talking about it is once again we have the BHIS Cyber Range for our customers and friends and this is just basically a video to walk people through some of the challenges that utilize Base64.
Now the reason why Base64 actually exists is kind of interesting. Whenever you are transferring binary data or you’re transferring data with special characters, it can be encoded and it can be garbled, especially whenever you’re dealing with protocols that are designed predominantly for sending text. For example, if you’re looking at something like HTTP, transports a lot of text and if we start sending binary, we might get into trouble. In fact, we see this all the time, especially with attacks like SQL where semi-colons get interpreted and get executed.
This is why protocols like this exist or different encoding formats like this exist. It allows you to convert things like binary and special character data into something that’s far less benign like upper lower case and numbers and that’s what we actually get whenever we’re utilizing Base64 as an encoding mechanism. You’ll see it all the time whenever you’re doing web application, security assessments, looking at security parameters and tokens, and things of that nature. Let’s play around a little bit with encoding and decoding Base64 and then some of the little challenges that you’re going to run into.
Now, in my example that I have up on my screen, we’re going to be playing around with, “I am sure there’s a better way to do this434343!!!!!!” or capital C, capital C, capital C in hex but we’re not at that video yet. And we’re going to pipe it through Base64. And that’s going to encode it. As you can see, we have the, I am sure and the space and all that has been replaced with what looks like gibberish, but it’s pretty much not malicious gibberish or mostly not malicious gibberish I suppose. It allows it to encode it in a way that it’s easily transferred over clear text or plain text protocols.
Now, one of the things you’ll notice is sometimes with Base64 or a lot of the times it will end with “equals equals” and that has to do with padding. If your character set that’s coming in doesn’t land perfectly on the boundaries that Base64 is looking for, it’ll actually pad it. Many times a telltale giveaway are the equal signs at the end, one or two.
Now sometimes there won’t be any. That will happen. That means the text landed on a perfect boundary and that’s okay, but it’s just something to look for. It’s a quick and dirty trick.
Now if we actually want to decode Base64 encoded data, we can, in fact, do that. Let me bounce out here and I’m just going to use straight-up Base64 decode. Now I utilized a switch, here you can see I did the –decode switch. And now whenever I hit enter, it’s going to try to decode it and it’s going to freak out. You can see right here it says, “I’m sure there is a” and then it goes ahh! Base64 invalid input. The reason why is I snuck in a couple of special characters in the middle of the Base64 encoded string.
Now, why would anybody ever do that?
Well, a lot of malware actually uses Base64. The reason why is very slight changes can actually alter signatures in a much more significant way whenever you’re doing signature pattern matching within an executable.
What some crafty attackers will do is they’ll actually slip special characters in their Base64 encoded stream. And in doing that, any type of firewall or IDS that’s using deep packet inspection to analyze that Base64 encoded data, will start throwing errors. Basically be like, mmm, there’s something wrong here.
Now if you’re dealing with a string that has Base64 and it throws in some special characters, you can throw in the -i switch and with the -i switched does is it tells Base64, ignore garbage. You’re going to decode this Base64 encoded string.
And if you come across something that you don’t quite understand, just don’t worry. Ignore it. Pretend it never existed. Pretend that it never happened. And as you can see, it actually cleans up the output substantially in doing that.
Once again, this is used in the Black Hills Information Security Cyber Range and if you like it for Base64 encoding and decoding data, thank you. Check us out every single Wednesday on Enterprise Security Weekly and be sure to hit the subscribe button down below. We do tons of videos and tons of free education and webcasts at Black Hills InfoSec and I hope to see you on one of our videos or webcasts in the very near future. Thank you so much and take care.
Check out our Cyber Range, not just a place to work through challenges and play, but also an open direct/hands-on training environment.
Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.