Dotless IP addresses and URL Obfuscation

morph3us.org


  (Wednesday, March 8. 2006)
First of all, I should explain what "dotless IP addresses" are, because I think the term is not very common. Simply put, a dotless IP address is an address that does not consist of octets separated by dots. You may ask how to convert an IP address into a dotless one.

In fact, there are several different methods to convert an IP address into a dotless one, and there are many more ways to obfuscate a URL, but not all of them work in every browser.

Here are some examples, in which I'll use the domain 'buha.info' for demonstration purposes.
We use `nslookup' to determine the IP address of the domain:
HOLYBITCH# nslookup buha.info
Server:  router
Address:  10.0.0.100

Name:    buha.info
Address:  212.227.76.118

The easiest way to get a dotless IP address is to convert each octet to hex, concatenate the hex numbers, and convert the resulting number back to decimal.
  212  227   76  118
    |    |    |    |  Hex
   D4   E3   4C   76

=> http://0xD4E34C76/

=> http://3571666038/

At this point we are able to add multiples of 2 ^ 32 (4294967296) without changing the destination of the address.

=> http://7866633334/

=> http://12161600630/

and so on..

Naturally, we can always convert the decimal number into a hexadecimal number:

> 12161600630 -> 2D4E34C76

=> http://0x2D4E34C76/

Another method to get a dotless IP address is the following:

> 212.227.76.118
 212 * 256 + 227 = $1
  $1 * 256 + 76 = $2
  $2 * 256 + 118 = dotless ip address

      212 * 256 + 227 = 54499
    54499 * 256 +  76 = 13951820
 13951820 * 256 + 118 = 3571666038

=> http://3571666038/

Further URL obfuscation tricks:

It's also possible to convert each octet of a dotted-decimal IP address to a different number system:

> 212.227.76.118
  212  227   76  118
   |    |     |    |  Hex
   D4   E3   4C   76
   |    |     |    |  Octal
  324  343  114  166

=> http://0xD4.0xE3.0x4C.0x76/

=> http://0324.0343.0114.0166/

Add leading zeros:

=> http://0x0000D4.0xE3.0x00004C.0x076/

=> http://00000000324.000343.000114.0166/

We can combine the different octets too:

=> http://0324.0xE3.0x4C.118/

=> http://212.00000343.0x4C.0166/

Each character or digit in the IP address, the domain, or the absolute path of a URL (see RFC 2396: URI scheme) can be encoded as a percent sign followed by a hexadecimal number.
   b   u   h   a   .   i   n   f   o
  %62 %75 %68 %61 %2E %69 %6E %66 %6F

buha.info -> http://%62%75%68%61%2E%69%6E%66%6F
   b   o   a   r   d
  %62 %6F %61 %72 %64

buha.info/board/ ->
http://%62%75%68%61%2E%69%6E%66%6F/%62%6F%61%72%64

Or we encode the digits of an IP address as percent-encoded hex characters:
   2   1   2   .   2   2   7   .   7   6   .   1   1   8
  %32 %31 %32 %2E %32 %32 %37 %2E %37 %36 %2E %31 %31 %38

212.227.76.118 -> http://%32%31%32%2E%32%32%37%2E%37%36%2E%31%31%38

Or mix decimal/hexadecimal/octal numbers with hex encoded characters:

=> %32%31%32%2E00000343%2E0x4C%2E0166

=> http://%30%33%32%34.0xE3.0%784C.118/

There are still several other tricks to obfuscate URLs.. maybe I'll point them out in another post.

I do not really understand why dotless addresses and all of their variants need to be supported, because a normal user will never need them and they can easily be misused to obfuscate URLs.
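For filtering or log analysis, every form shown above can be reduced to one canonical host before it is compared against a block list. The following Python sketch is an added example, not code from the original post; the names `normalize_host` and `normalize_url` and the flag strings are assumptions. It follows the permissive parsing described in this post (including wrapping values above 2^32, which not every browser accepts) and goes slightly beyond it by also accepting the two- and three-part forms that `inet_aton()` allows.

```python
import re
from urllib.parse import unquote, urlsplit

_NUMERIC = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def _parse_part(part, flags):
    """Parse one dot-separated part as hex (0x..), octal (leading 0) or decimal."""
    if not _NUMERIC.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        flags.add("hex")
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        flags.add("octal")
        return int(part, 8)  # raises ValueError on the digits 8 and 9
    return int(part, 10)

def normalize_host(host):
    """Return (canonical_host, flags); a numeric host becomes a dotted quad."""
    decoded = unquote(host)
    flags = {"percent-encoded"} if decoded != host else set()
    numeric_flags = set()
    try:
        nums = [_parse_part(p, numeric_flags) for p in decoded.split(".")]
    except ValueError:
        return decoded.lower(), flags  # ordinary host name
    tail_bits = 8 * (5 - len(nums))  # the last part fills all remaining bytes
    if len(nums) > 4 or any(n > 255 for n in nums[:-1]):
        return decoded.lower(), flags
    value = nums[-1]
    if value >> tail_bits:
        if len(nums) > 1:
            return decoded.lower(), flags
        numeric_flags.add("overflow")  # the "add multiples of 2^32" trick
        value %= 1 << 32
    if len(nums) < 4:
        numeric_flags.add("dotless" if len(nums) == 1 else "short-form")
    for i, n in enumerate(nums[:-1]):
        value |= n << (24 - 8 * i)
    quad = ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))
    return quad, flags | numeric_flags

def normalize_url(url):
    """Canonicalize the host of a URL before matching it against a block list."""
    return normalize_host(urlsplit(url).hostname or "")
```

A non-empty flag set is itself a useful detection signal: ordinary links almost never carry a hex, octal, dotless or percent-encoded host.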

Pretty old but still readable: How to Obscure Any URL
Comments

Thx Thomas, I came about this topic years ago and asked myself, for what purpose this "thing" was invented.
In collaboration with phishing mails, XSS or other attacks, this IP obscuration is really a bad thing. :-/
#1 Dominik (Homepage) on 2006-03-18 20:03 (Reply)
Wow, that's a really nice article. Didn't hear anything about that till now ;) nice work!
#2 Chris on 2006-06-28 15:30 (Reply)
I received a few spam mails with addresses like this and I was wondering .... now things are clear, thanks...
#3 IPResearcher (Homepage) on 2006-07-03 10:30 (Reply)
hey, this should be useful in bypassing "5urfC0Ntro1" (changed for trademark reasons) but it doesn't work :( oh well, i'll look for more methods.
#4 jamo (Homepage) on 2006-08-04 03:45 (Reply)
yea, that's awesome. Talk about confusing regular computer users with stuff like 188. http://0x3d.0x72.0xe.0xd/www.paypal.com/secure/iaspi.dll-wtfever.htm

Try explaining that to someone who doesn't even understand how icons work, heh. That is my life!
#5 loki (Homepage) on 2006-10-28 15:41 (Reply)
Gr8 tutorial...
cleared lots of doubts :)
#6 pavan on 2006-11-20 20:18 (Reply)
Can someone convert the IP "http://69.50.215.224/" into hex? I don't understand this at all. X.x
#7 JC on 2006-12-01 14:23 (Reply)
Won't work behind a proxy (squid), right?
#8 budhi on 2007-02-19 03:59 (Reply)
Nope, I do not think so.
#9 morpheus (Homepage) on 2007-02-19 21:23 (Reply)
http://0x480EDD68...

By chance, while roaming through the blog world, I read a post by Thomas aka morph3us ......
#10 chili:blog (Homepage) on 2007-02-23 08:22 (Reply)
