b32.py
Recently during one of my network security monitoring engagements, I encountered a unique scenario in which a POS was infected and credit card data was being stolen. What made this situation unique was the use of DNS as a data exfil mechanism. I hadn’t seen this before in a production environment, but more on that later.
The purpose of this post is to share a quick script that I put together to aid in my hunting. I discovered that the credit card numbers were being base32 encoded. Surprisingly, there isn't an easy way to encode/decode base32 natively on my *nix box, so I put together this Python script to do it for me. (Yes, I know that one can install libmime-base32-perl, but this just seemed a little cleaner.)
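As an added illustration of the hunting described above (this is not the author's b32.py), the snippet below walks DNS query logs, base32-decodes any long label, and flags decoded values that look like card numbers via a Luhn check; the log line format, the `.c2.example` domain and the log entries are constructed here, and the card number is the standard Visa test number.

```python
import base64
import binascii
import re

# Constructed sample data: a DNS query whose leftmost label is a base32-encoded
# test card number, plus two benign queries for contrast.
SAMPLE_CARD = "4111111111111111"  # well-known Visa test number, passes Luhn

def b32_label(text: str) -> str:
    # '=' is not valid in a DNS label, so exfil traffic usually drops the padding
    return base64.b32encode(text.encode()).decode().rstrip("=").lower()

SAMPLE_LOG = [
    f"1694000000 10.0.0.5 query A {b32_label(SAMPLE_CARD)}.c2.example",
    "1694000001 10.0.0.5 query A www.example.com",
    "1694000002 10.0.0.7 query A mail.example.com",
]

# A label worth decoding: only base32 alphabet characters and at least 8 long
LABEL_RE = re.compile(r"^[a-z2-7]{8,}$")

def luhn_ok(digits: str) -> bool:
    # Standard Luhn checksum, doubling every second digit from the right
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def decode_b32_label(label: str):
    # Restore the stripped padding so the stdlib decoder accepts it
    s = label.upper()
    s += "=" * ((-len(s)) % 8)
    try:
        return base64.b32decode(s).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_card_labels(lines):
    # Returns (qname, decoded_number) for every label that decodes to a
    # 13-19 digit string with a valid Luhn checksum
    hits = []
    for line in lines:
        qname = line.split()[-1]
        for label in qname.split("."):
            if not LABEL_RE.match(label):
                continue
            text = decode_b32_label(label)
            if text and text.isdigit() and 13 <= len(text) <= 19 and luhn_ok(text):
                hits.append((qname, text))
    return hits
```

Running `find_card_labels(SAMPLE_LOG)` returns the single suspicious query with its decoded number; in practice the same loop runs over a passive DNS or resolver log export.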
You can get the script here.