Domain Spoofing in Penetration testing

Source: Internet
Author: User
Tags: domain name server

Today, in the book "Network Penetration Testing: Network Security Protection Technology, Tools and Processes", I read about a method of disguising the domain name in a malicious link that I had never known before, so I am recording it here:

We usually use a domain name in the following format:

www.example.com

Before sending a domain name to the DNS server, the browser first processes it, and one piece of implicit knowledge is involved here: the "@" symbol.

If the address typed into the browser's address bar contains an "@" symbol, the browser automatically discards everything before the "@" before it sends the domain name for resolution.

This should not be considered a vulnerability; most browsers behave this way by default. But if we make use of this non-vulnerability, we can construct a seemingly normal URL, with a trusted-looking name in front of the "@" and the real server behind it, that directs the target to our attack page. For example:

http://[email protected]

If the target does not look at the link closely, or lacks the necessary computer knowledge, they can be attacked through a fake page posing as Baidu's www.example.com.

Of course, this construction is not the only one we want to discuss. Obviously a URL built this way is not deceptive at all today: anyone who sees it becomes suspicious, since even a fool can see that there are two addresses in it. Here is how we disguise the malicious domain name that sits behind the "@":

Every domain name actually corresponds to an IP address, so we could replace the domain name with its IP address, but this is still a very clumsy disguise; the reason it is not trusted is the same as above. We have another way:

In fact, every IP address can also be written as a single decimal number, and this decimal number is likewise resolved by the domain name server (DNS server) to the corresponding IP.

Let us give a simple example, assuming the IP is 172.168.23.113. (This IP is not routable on a real network; we use it only as a demonstration. Please follow the corresponding laws and regulations.)

A current IPv4 address is made up of four groups (octets) of up-to-three-digit decimal numbers.

For 172.168.23.113, the conversion of this address to its decimal form is as follows:

Multiply the first octet by 256^3, i.e. 16,777,216 (256 to the power 3): 172*16,777,216=2,885,681,152

Multiply the second octet by 256^2, i.e. 65,536 (256 to the power 2): 168*65,536=11,010,048

Multiply the third octet by 256 (256 to the power 1): 23*256=5,888

Finally, multiply the fourth octet by 1 (256 to the power 0): 113*1=113

Add the results of the four multiplications above: 2,885,681,152+11,010,048+5,888+113=2,896,697,201

This decimal number is therefore the decimal equivalent of the IP 172.168.23.113. You can type "http://<this decimal number>" directly into the browser to reach the web server at 172.168.23.113, for example:

http://2896697201
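The four multiplications above, carried out in code in both directions so the page's numbers can be checked and a logged integer host can be turned back into a dotted quad. This is an added example, not code from the original post or the book it cites; 172.168.23.113 is the text's own demonstration address, and the cross-check against the standard library uses only `ipaddress.IPv4Address`.

```python
import ipaddress

# Added example: the octet-weighting arithmetic described in the text,
# implemented in both directions. 172.168.23.113 is the text's own
# demonstration address.

WEIGHTS = (256 ** 3, 256 ** 2, 256 ** 1, 256 ** 0)  # 16777216, 65536, 256, 1


def conversion_steps(dotted: str) -> list[tuple[int, int, int]]:
    """Return (octet, weight, product) for each octet: exactly the four
    multiplications the text walks through, highest weight first."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    return [(o, w, o * w) for o, w in zip(octets, WEIGHTS)]


def ipv4_to_decimal(dotted: str) -> int:
    """Sum of the four products: the single-integer form of the address."""
    return sum(product for _, _, product in conversion_steps(dotted))


def decimal_to_ipv4(n: int) -> str:
    """Inverse: split a 32-bit integer back into four octets, high byte first."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} does not fit in 32 bits")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def matches_stdlib(dotted: str) -> bool:
    """Cross-check the hand arithmetic against the standard library."""
    return ipv4_to_decimal(dotted) == int(ipaddress.IPv4Address(dotted))


if __name__ == "__main__":
    addr = "172.168.23.113"
    for octet, weight, product in conversion_steps(addr):
        print(f"{octet:>3} * {weight:>8} = {product:>10}")
    total = ipv4_to_decimal(addr)
    print(f"{addr} -> {total} -> http://{total}/")
    print(f"{total} -> {decimal_to_ipv4(total)}")
```

Running the block prints the four products from the text (2,885,681,152; 11,010,048; 5,888; 113) and the sum 2896697201, then recovers 172.168.23.113 from that integer; `decimal_to_ipv4` is the piece a log-review or proxy rule needs, since the integer is what appears in the URL.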

At this point the principle behind each part of this disguise method is clear, and so is how to use this special method to disguise a domain name:

Suppose we want to pose as Baidu customer service staff and send a social-engineering mail to a certain Baidu customer to obtain their username and password. We carefully set up the phishing page on the 172.168.23.113 server, then send our specially crafted social-engineering email with the following URL embedded in it:

http://[email protected]

Our goal is then basically achieved; we only need to wait for the page to submit the username and password and then carry out the next step of the penetration.
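For whoever reviews inbound mail or proxy logs, the two tricks this post explains (the lookalike name in front of "@", and the integer form of the real server) are both mechanical to detect once the URL is parsed rather than read. The following is an added example, not code from the original post: in URL syntax the text before "@" is the userinfo component, which Python's `urllib.parse.urlsplit` exposes as `.username` while the real host is `.hostname`, and an all-digit host is normalised back to a dotted quad with `ipaddress.IPv4Address`. The sample URLs are constructed for the example from the addresses the text uses.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example: defender-side inspection of a URL for the two disguises the
# text describes. The sample URLs below are constructed from the text's own
# demonstration addresses (172.168.23.113 and its integer form 2896697201).

SAMPLE_URLS = [
    "http://www.example.com/login",                  # ordinary link
    "http://www.example.com@172.168.23.113/login",   # lookalike name in userinfo
    "http://www.example.com@2896697201/login",       # userinfo + integer host
    "http://2896697201/",                            # integer host alone
]


def inspect_url(url: str) -> dict:
    """Return what a reader sees versus where the link actually goes."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # urlsplit takes the host from after the LAST "@"
    flags = []

    displayed = parts.username    # everything before "@" (and before any ":")
    if displayed is not None:
        # The trusted-looking name rides in the userinfo and is never resolved.
        flags.append("userinfo_before_at")

    actual_host = host
    if host.isascii() and host.isdigit() and int(host) <= 0xFFFFFFFF:
        # Single-integer IPv4 form: normalise for logging and blocklists.
        actual_host = str(ipaddress.IPv4Address(int(host)))
        flags.append("integer_ipv4_host")

    try:
        ipaddress.ip_address(actual_host)
        flags.append("raw_ip_host")   # bare IP rather than a registered name
    except ValueError:
        pass

    return {
        "url": url,
        "displayed": displayed,
        "actual_host": actual_host,
        "flags": flags,
    }


def is_suspicious(url: str) -> bool:
    """True when any of the disguise indicators above is present."""
    return bool(inspect_url(url)["flags"])


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        report = inspect_url(sample)
        verdict = "SUSPICIOUS" if report["flags"] else "ok"
        print(f"{verdict:<10} {sample}")
        print(f"           displayed={report['displayed']!r} "
              f"actual_host={report['actual_host']!r} flags={report['flags']}")
```

The check deliberately reports the decoded host rather than just a boolean: a mail gateway or SOC analyst wants "172.168.23.113" in the alert, not "2896697201", so it can be matched against existing indicators. A URL with legitimate basic-auth credentials will also trip `userinfo_before_at`; that is intended, since credentials in links are worth a look in their own right.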

(It is hereby stated that the above is only a study note for colleagues and fellow enthusiasts; please abide by the relevant laws and regulations of our country and do not use it for illegal purposes.)
