URL Obfuscation

25Jul06

What is it?
URL Obfuscation uses the unspoken, unwritten secrets of the TCP/IP protocol to trick users into viewing a website that they did not intend to visit.

Methods:
Typically, when obfuscating a URL, you must trick someone into viewing a website they did not want to view by tempting them with something they are familiar with.

Let’s take http://example.com (test site that is reserved) as the comfy, known site. Now, we have http://sample.com for the site that we want them to view.

Example.com will resolve to 192.168.1.1 and Sample.com will resolve to 10.0.0.1 (both reserved IPs). We will move from simple to more complex forms of obfuscating. You can skip the first few methods if you are good at them.

@ Exploit
The first thing we could do is use the ‘@’ exploit. Typically, the @ symbol is for a username and password for a website.

If Sample.com needed a username and password, we could login with http://username:password@sample.com.

Now, if a username and password is not required, then it is skipped all together and the browser moves on to sample.com.

Internet Explorer does this (not working as of late). Firefox will warn you. Not sure what Netscape and Opera do, someone investigate it if they care.

Anyhow, this is highly exploitable, because, say Sample.com is just a collection of… questionable pictures… there is no need for a username:password.

This way, we can trick someone into viewing it like this:

http://example.com@sample.com

This will make the user think they are going to go to example.com, when really they are going to sample.com.

Note: This has not been working lately in IE, for me at least.

Confusing Links
This is something short that can further confuse someone.

It helps to make a link like:
<a href=http://example@sample.com>http://example.com</a&gt;

This will show the text of http://example.com but take you to sample.com. As a security note: MAKE SURE EVERY LINK YOU CLICK IS ABSOLUTELY TRUSTED.

Hover over it and look in the bottom left corner of your window to see where it is really taking you.

Hex Encoded URLs

This is really self explanatory. This is for IE. Not sure what Netscape and Opera do.

http://sample.com can be turned into:

http://%73%61%6D%70%6C%65.com

Combined with confusing links and @ exploits, they may fall for it.

Fun With IPs

This is basically altering IP addresses. What is the easiest way to find an IP address of a website?

Either use traceroute or nslookup.

Syntax
tracert http://sample.com

nslookup http://sample.com

This CANNOT be done with subdomains, so stop before you try.😛

Now, it would return 10.0.0.1 for us.

How can we really mess that up? We will use DWORD format. DWORD is a way of making a dotless IP address.

(This is all easier in your calculator in Windows. Accessories->Calculator->Scientific mode)

firstoctet * 256 + secondoctet = * 256 + thirdoctet = * 256 + fourthoctet = your new address!

Example:

http://64.233.187.99/ = http://www.google.com
64 * 256 + 233 = * 256 + 187 = * 256 + 99 = http://1089059683/

Isn’t that useful? We can mess this up even more. We’ll turn it into hex!

http://0x40e9bb63/ = http://1089059683/

To turn your dword IP address into Hex, simply enter it into the calculator of Windows and then hit the radio button saying “Dec” or “Decimal” and changed it to “Hex”.

Enter 0xYOURHEXHERE into your browser, and voila, it will work!

Credits:
http://www.pc-help.org/obscure.htm
http://www.contentverification.com/obfuscation-attacks/index.html
Internets, 4chan, pool’s closed, etc

Also, if you discover anything else, post it and I’ll slap it up here with credit to you, so anyone and everyone can get this information easily.



12 Responses to “URL Obfuscation”

  1. Nice stuff……. Though I stopped using IE a long long time ago.. if some webpages dont work properly there is the IETAB Extension

  2. 2 infamousjeff

    Works the same on Opera as Firefox. In Chrome there is no warning but you can see the real address on the bottom address bar with the latest developer release.

  3. Very good post and i have learned a new thing.

  4. 4 yim2oh

    yugygu6756 tyu hffdrtd y guyg ug

  5. dsfsdfs67877 test test

  6. 6 name

    What is it,

  7. I used to be suggested this blog by way of my cousin. I’m not positive whether
    or not this publish is written through him as no one else realize such distinct about my problem.
    You are incredible! Thanks!

  8. Wonderful goods from you, man. I have keep in mind your stuff previous to
    and you are simply too wonderful. I really like what you have obtained right here, certainly like what you’re saying and the
    way in which through which you say it. You make it enjoyable and you continue to care for to stay it sensible.

    I can’t wait to learn far more from you. That is really a tremendous web
    site.


  1. 1 URL Redirection Attack With Examples « Paralliverse
  2. 2 Google Chrome Exploit | hacker.com.br
  3. 3 Google chrome sufre multiples vulnerabilidades II | Hackers Libres
  4. 4 http://photopeach.com/user/lonniedement0724

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: