Connection lores |
---|
by PCHelp, Last Updated Monday, 1 November 1999 |
How to Obscure Any URL
How Spammers And Scammers Hide and Confuse
Last Updated Monday, 1 November 1999
The URL (Universal Resource Locator) of the page you are now viewing is http://www.nwi.net/~pchelp/obscure.htm.
It is also http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D. Go ahead and click on that link. It'll take you right back to this very page.
The weird-looking address above takes advantage of several things many people don't know about the structure of a valid URL.
There's a little more to Internet addressing than commonly meets the eye; there are conventions which allow for some interesting variations in how an Internet address is expressed.
These tricks are known to the spammers and scammers, and they're used freely in unsolicited mails. You'll also see them in ad-related URLs and occasionally on web pages where the writer hopes to avoid recognition of a linked address for whatever reason. Now, I'm making these tricks known to you. Read on, and you'll soon be very hard to fool.
(Note: Depending on your browser type and its version, some of the oddly-formatted URLs on this page may not work. Also if you're on a LAN and using a proxy [gateway] for Internet access, many of them are unlikely to work. Also, fear not; this page does not exploit the "Dotless IP Address" vulnerability of some IE versions.)
Here it is again: http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D
First take note of the "@" symbol that appears amid all those numbers. In actual fact, everything between "http://" and "@" is completely irrelevant! Just about anything can go in there and it makes no difference whatsoever to the final result. Here are two examples:
http://doesn'[email protected]/~pchelp/obscure.htm
http://!$^&*()_+`-={}|[]:;@www.nwi.net/~pchelp/obscure.htm
Go ahead and use the links. You'll be back to this page again. I've added bookmarks so you won't lose your place.
This feature is actually used for authentication. If a login name and/or password is required to access a web page, it can be included here and login will be automatic.
Example: http://username:[email protected]/secret/eyesonly.htm
But if the page requires no authentication, the authentication text is in effect ignored by both browser and server.
This presents interesting possibilities for confusing the unsuspecting user. How about this one:
http://www.playboy.com@3466536962/~pchelp/obscure.htm
If you didn't know better, you might think this page were at playboy.com!
By the way, the @ symbol can be represented by its hex code %40 to further confuse things; this works for the IE browser, but not for Netscape. (Thanks to The Webskulker for this.)
All right, so what about that long number after the "@"? How does 3466536962 get you to www.nwi.net?
In actual fact, the two are equivalent to one another. This takes a little explaining so follow me carefully here.
The first thing you need to know (most Net users know this), is that Internet names translate to numbers called IP addresses. An IP address is normally seen in "dotted decimal" format. www.nwi.net translates to 206.159.40.2.
Numeric IP addresses are generally unrecognizable to people. That's why we use names for network locations in the first place.
Merely using an IP address, in its usual dotted-decimal format, in place of the name is commonly done and can be quite effective at leaving the human reader in the dark.
But there are other ways to express that same number. The alternate formats are:
The dword equivalent of 206.159.40.2 is 3466536962. Its octal and hexadecimal equivalents are also illustrated below.
Why obscure names in the first place? Most often it's because by publicly-available registration records, the owners of domain names can often be identified. Even if the owner isn't traceable by that record, his service provider is. The last thing any scammer or spammer wants is to be found by his victims, or to have his service provider alerted to his abuses.
Below, I explain how you can get an IP address for any name, how to convert a dotted-decimal IP address to the dword format, and how the octal and hex formats work.
Okay, so what about the rest of the URL? Let's look yet again at that weird address I first showed you:
http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D
It's beginning to make some sense, isn't it? But what's all that gibberish on the right? Here's how that works:
Individual characters of a URL's path and filename can be represented by their numbers in hexadecimal form. Each hex number is preceded by a "%" symbol to identify the following two numbers/letters as a hexadecimal representation of the character. The practical use for this is to make it possible to include spaces and unusual characters in a URL. But it works for all characters and can render perfectly readable text into a complete hash.
In my example, I have interspersed hex representations with the real letters of the URL. It simply spells out "/~pchelp/obscure.htm" in the final analysis:
%7e p %63 h %65 l %70 / o %62 s %63 ur %65 %2e %68 t %6D ~ p c h e l p / o b s c ur e . h t m
The letters used in the hex numbers can be either upper or lower case. The "slashes" in the address cannot be represented in hex; nor can the IP address be rendered this particular way. But everything else can be.
Hex character codes are simply the hexadecimal (base 16) numbers for the ASCII character set; that is, the number-to-letter representations which comprise virtually all computer text.
To find the numeric value for an ASCII character, I often use a little batchfile I wrote for the purpose years ago; and then if I want the hex equivalent I usually do the math in my head. It just requires familiarity with the multiples of 16 up to 256.
For most people, the conversion is probably best done with a chart. The best ASCII-to-hex chart I have ever seen is on the website of Jim Price: http://www.jimprice.com/jim-asc.htm. Jim explains the ASCII character set wonderfully well, and provides a wealth of handy charts.
I can't improve on Jim's excellent work! Print out Jim's ASCII-to-hex chart and you're in business. If Jim's site ever disappears, let me know and I'll do a chart of my own.
IP addresses are most commonly written in the dotted-decimal format. A dotted-decimal IP number normally has 4 numeric segments, each separated by a period. The numbers must range from 0 to 255.
Translation of a network name to its IP address is usually done in the background by your network software, invisible to the user. Given a name, your browser queries a name server, a machine somewhere on the Net which performs this basic network addressing function; it thereby obtains the numeric IP address and then uses that address to direct its requests to the right computer, somewhere out there on the Net.
There is a standard utility which allows the user to perform these name server lookups directly and see the results. It's called NSLOOKUP.
A wide variety of nslookup utilites is available on the Net, often for free download. Some provide a graphical interface under Windows, but the original and most basic nslookup is run from a textual command line. One such command-line utility is included in my free Network Tracer. Please download it if you're interested.
Place NSLOOKUP.EXE in your Windows directory and you can use it from a DOS window. A simple nslookup query is structured as follows:
nslookup [name or IP address] [name server]
A name server has to be specified, either by name or IP address. If you don't know a name server address for your own ISP (it can usually be found in your Dial-Up Networking setup), use this one: 198.41.0.196
A valid query for my ISP's web server address would be:
nslookup www.nwi.net 198.41.0.196
Here's what that command puts out in response, with my comments:
nslookup www.nwi.net 198.41.0.196 <-- Here's the command you typed in
Server: ns.netsol.com <-- The name server you utilized
Address: 198.41.0.196 <-- The responding name server's IP address
Non-authoritative answer: <-- Some other name server is the source of the data
Name: sundance.nwinternet.com <-- The "real" name of www.nwi.net
Address: 206.159.40.2 <-- What you came here for: the IP address of www.nwi.net
Aliases: www.nwi.net <-- www.nwi.net is an alias -- not the
primary name given to that address, but a valid one.
It's a powerful utility; it can find names for known addresses, addresses for known names, and a variety of other information relevant to an Internet address. But doing some of the fancier things with NSLOOKUP is difficult if you're not already technically savvy. For the technically inclined, there is a manual; and several examples of its use can be found in TRACE.BAT, the primary component of my Network Tracer.
If you're determined to avoid the DOS command line, and want a tool that will do most of the thinking for you, I recommend NetScanTools, a reasonably-priced network utility toolbox. It's available as a 30-day shareware demo and a bargain at just $25. NetScanTools is not merely an address-lookup utility; it can do a great many things. For a Windows user trying to comprehend the nuts and bolts of the Net, it's a whole world of discovery.
You can also do your name server lookups with a web browser. There are nslookup "gateways" scattered around on the Web. One such gateway is at: http://www.interlog.com/~patrick/cgi/nslookup.cgi
Here's another address for this page: http://462.671.296.770/~pchelp/obscure.htm
If you're using Internet Explorer, that address should work. I'm not sure about Netscape; it doesn't work with version 3.x.
Normally, the four IP numbers in a standard dotted-decimal address will all be between 0 and 255. In fact they must translate to an 8-bit binary number (ones and zeroes), which can represent a quantity no higher than 255.
But the way this number is handled by some software often allows for a value higher than 255. The program uses only the 8 right-hand digits of the binary number, and will drop the rest if the number is too large.
This means you can add multiples of 256 to any or all of the 4 segments of an IP address, and it will often still work. In my tests, it was limited to 3 digits per number; values over 999 didn't work.
Converting An IP Address to Dword Format
I could create a math lesson about this, and tell you all about bits and bytes and base 16. But it's not really necessary. Anyone with a Windows system has a handy calculator that makes it simple to convert decimal numbers to hex, and to find the dword equivalent of any dotted-decimal IP number. You should find it by selecting Start ... Programs ... Accessories ... Calculator. It will look like this:
or, in Scientific mode, it looks like this:
You'll need it in Scientific mode for this purpose.
Let's start with the IP address for this site's web server: 206.159.40.2. We want to obtain the hex equivalent for each of the 4 numbers separated by dots.Enter the first IP number, 206. Now select the button on the upper left which says Hex:
The number will now display as hexadecimal value CE:
Write this hex value down! Now, select the Dec button to go back to decimal mode; clear the entry with the C or CE button, and you're ready to enter the next IP number. Do each one the same way as above. When you get to the last number, you'll find it's the same in hex: 2. Write it down as 02. Always add a leading zero to single-digit results.
Now put them all together and you should have this hexadecimal value: CE9F2802
It will always be an 8-digit number.
Clear the calculator and place it in Hex mode. Enter the hex number:
Now select the Dec button, and the dword equivalent will be the
result:
And there it is; that same number I used in the trick URL I first showed you: 3466536962.
Reversing the process will bring you back to the dotted-decimal address. Convert the dword number to hex, then each of the 4 pairs of hex numbers to decimal.
There's another way to do this which is very simple math, but I find it takes just as long to do manually. Multiply the numbers of the IP address by the following fixed values (which are powers of 256), then add the results:
206 | x | 16777216 | (2563) | = | 3456106496 |
159 | x | 65536 | (2562) | = | 10420224 |
40 | x | 256 | (2561) | = | 10240 |
2 | x | 1 | (2560) | = | 2 |
---------- | |||||
3466536962 |
Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564) -- and it will still work. This is because when the sum is converted to its basic digital form, the last 8 hexadecimal digits will remain the same. Everything to the left of those 8 hex digits is discarded by the IP software and therefore irrelevant.
Thus, the following URLs will also work:
http://7761504258/~pchelp/obscure.htm
http://16351438850/~pchelp/obscure.htm
http://231099803650/~pchelp/obscure.htm
I know of no DOS or Windows program made specifically to do a dword conversion. But there's a handy script on Matthias Fichtner's website which will quickly convert any IP address to its dword value and vice-versa: http://www.fichtner.net/tools/ip2dword/.
The PING utility that's in every Windows system can decipher dword IPs. In fact, it deals with every method of expressing an IP address that's described on this page. (My thanks to Steven, who pointed this out on the NTBugTraq list.)
Just open a DOS window and type:
ping [IPAddress]
PING will then do its usual job, in which it contacts the remote system (if any) at that address and gauges its response times. In the process, it displays the ordinary dotted-decimal equivalent of the IP address you entered.
As if all this weren't enough, an IP address can also be represented in octal form -- base 8.
The URL for this page with its IP address in octal form looks like
this: http://0316.0237.050.02/~pchelp/obscure.htm
Go ahead, try it. You'll be right back here once again..
Note the leading zeroes. They're necessary to convey to your browser the fact that this is an octal number.
Any number of leading zeroes can be added to any or all of the numbers in the address. For example: http://000316.000000237.000050.0000000002/~pchelp/obscure.htm
Naturally, arbitrary authentication text can also be added to an octal address. Example: http://[email protected]/~pchelp/obscure.htm
I'll spare you a detailed description of octal conversion. Most people can probably figure it out, and those who can't, can always use the nifty URLomatic at www.samspade.org. It will reveal the dotted-decimal IP address of a dword- or octal-formatted URL, as well as to decode hex character codes.
This link to the URLomatic will completely decipher my original example address.
Many thanks to Dan Renner of R&B Computerhelp, who read this page and directed me to those great tools at samspade.org. Check it out!
You thought that was all? Well, so did I, until one Daniel Dočekal informed me otherwise. There is yet another obscure way to express an IP address.
Remember that hexadecimal number we calculated above? That number (CE9F2802) can be expressed as an IP address in this manner: 0xCE.0x9F.0x28.0x02
The "0x" designates each number as a hex quantity.
The dots can be omitted, and the entire hex number preceded by 0x: 0xCE9F2802
And, additional arbitrary hex digits can be added to the left of the "real" number: 0x9A3F0800CE9F2802
Some browsers (Netscape 3.x and 4.x for instance) won't work with hex
IPs; but for IE users, this page's URL can be:
http://0xCE.0x9F.0x28.0x02/~pchelp/obscure.htm
or:
http://0xCE9F2802/~pchelp/obscure.htm
or:
http://0x9A3F0800CE9F2802/~pchelp/obscure.htm
Ah, you thought you had it all nailed down? Well, it's mix-and-match time!
Believe it or not, the following URL, which uses hex, decimal and octal numbers in the IP address, actually works: http://0xCE.159.050.0x02/~pchelp/obscure.htm
This mixed-format address also works with bogus authentication text: http://[email protected]/~pchelp/obscure.htm
For Netscape users, omitting the hex is necessary; but decimal and octal can be mixed: http://[email protected]/~pchelp/obscure.htm
Thankfully, the wonderful URLomatic at samspade.org deals with these mixed-up IPs just fine.
Also, don't forget PING. It will also decode these mixed-format addresses.
In Sum
URLs can be obscured at least three ways:
Some Notes on Compatibility
I've been getting a lot of feedback about this page from people who are running various browsers and proxies. So far, reports and my own rather limited tests seem to indicate that:
hex-coded IPs and values over 255 in dotted-decimal IPs don't work with Netscape; most, perhaps all of the dword-coded IPs don't work with some versions of IE; this could be an effect of the MS patch for the "dotless IP" exploit. Later IE versions seem to reject any hex-coded IP that's not broken up by dots as in my first example above; Opera 3.60 doesn't allow non-dotted hexadecimal IPs. Netscape won't allow the following characters in the authentication text: /? IE won't allow the following characters in the authentication text: /\#
and it exhibits problems or inconsistencies with: %'"<>MS-Proxy rejects almost everything that's not normal dotted-decimal IP format, as apparently do other proxies.
I suspect proxies (gateways) in general can't be expected to deal well with strangely-formatted IPs. I'm not sure if this is good or bad, since these are all technically valid ways of expressing IP numbers.
Almost anyone using a gateway is on a LAN, and most often an employee of some business. Most "weird" URLs point to shady spam-promoted scams and/or porn sites. So from the boss' viewpoint, it's probably just as well.
If you notice anything more you think I should know about which of
these URL formats work with which software, feel free to drop me a note.