What is it?
URL Obfuscation uses the unspoken, unwritten secrets of the TCP/IP protocol to trick users into viewing a website that they did not intend to visit.
Typically, when obfuscating a URL, you must trick someone into viewing a website they did not want to view by tempting them with something they are familiar with.
Example.com will resolve to 192.168.1.1 and Sample.com will resolve to 10.0.0.1 (both reserved IPs). We will move from simple to more complex forms of obfuscating. You can skip the first few methods if you are good at them.
The first thing we could do is use the ‘@’ exploit. Typically, the @ symbol is for a username and password for a website.
If Sample.com needed a username and password, we could login with http://username:firstname.lastname@example.org.
Now, if a username and password is not required, then it is skipped all together and the browser moves on to sample.com.
Internet Explorer does this (not working as of late). Firefox will warn you. Not sure what Netscape and Opera do, someone investigate it if they care.
Anyhow, this is highly exploitable, because, say Sample.com is just a collection of… questionable pictures… there is no need for a username:password.
This way, we can trick someone into viewing it like this:
This will make the user think they are going to go to example.com, when really they are going to sample.com.
Note: This has not been working lately in IE, for me at least.
This is something short that can further confuse someone.
It helps to make a link like:
This will show the text of http://example.com but take you to sample.com. As a security note: MAKE SURE EVERY LINK YOU CLICK IS ABSOLUTELY TRUSTED.
Hover over it and look in the bottom left corner of your window to see where it is really taking you.
Hex Encoded URLs
This is really self explanatory. This is for IE. Not sure what Netscape and Opera do.
http://sample.com can be turned into:
Combined with confusing links and @ exploits, they may fall for it.
Fun With IPs
This is basically altering IP addresses. What is the easiest way to find an IP address of a website?
Either use traceroute or nslookup.
This CANNOT be done with subdomains, so stop before you try. 😛
Now, it would return 10.0.0.1 for us.
How can we really mess that up? We will use DWORD format. DWORD is a way of making a dotless IP address.
(This is all easier in your calculator in Windows. Accessories->Calculator->Scientific mode)
firstoctet * 256 + secondoctet = * 256 + thirdoctet = * 256 + fourthoctet = your new address!
Isn’t that useful? We can mess this up even more. We’ll turn it into hex!
To turn your dword IP address into Hex, simply enter it into the calculator of Windows and then hit the radio button saying “Dec” or “Decimal” and changed it to “Hex”.
Enter 0xYOURHEXHERE into your browser, and voila, it will work!
Internets, 4chan, pool’s closed, etc
Also, if you discover anything else, post it and I’ll slap it up here with credit to you, so anyone and everyone can get this information easily.
Filed under: Hacks, Uncategorized | 12 Comments