github

Reverse Engineering Akamai

Researching the Sensor Script

Akamai Sensor was created as a way to test my de-obfuscation skills as I would likely need a strong understanding to keep developing Dalphan AIO. I decided on the Mr. Porter website as I was aware they had Akamai protection embedded into their site.

By using Chrome DevTools, I inspected the network traffic, and discovered that the sensor was being created on the client side and sent to the server. This meant there was a script on the client side I would have to reverse engineer to generate the sensor. I utilized the debugger to step through the script and read variable values. With this, I was able to piece together parts of the algorithm used to generate the sensor.

Rebuilding in Go

After finishing research, and detailing the algorithm used to generate the sensor, I began to rebuild the script in Go. The algorithm used random numbers, timing information, graphic card information, and other data to create a sensor that was unique to the client. I was able to recreate the sensor with a 95% success rate in detection evasion.

For the timing functions, I had to fake that the client was taking time to run the calculations, so I used a random number to fill this value. For the graphic card information, I used the same information that the browser would send to the server. This was done by creating a map of the information that the browser would send, and then setting the values in the same order as the map.

Technical Details

The information I will share in this section is not meant to be a tutorial, but rather a high level overview of how Akamai Sensor works. If you are interested in learning more about Akamai Sensor, I would recommend checking out the repository.

Akamai Sensor needed to create a sensor string that was unique to the client, and would be sent to the server to verify the client. There were multiple steps I broke into their own functions that would add on parts to the sensor string. Some would use the sensor string itself as a parameter to expand upon it. The final sensor string would be sent to the server to verify the client. Overall it took about 2 weeks to finish this project, and I was able to evade detection on the Mr. Porter website.