URL Obfuscation

If you know anything about the internets, you probably know what an IP address is, and what it is used for. If you don’t, I’m not gonna tell you – you will need to google it for yourself. But not everyone knows that browsers will try to resolve IP addresses even if they are not typed in the traditional dotted decimal notation.

After my last post, I have been asked to explain how I obfuscated the URL in my example. So here is the explanation. Every IP address can be represented as dotted decimal, or as a decimal dword value.

What is a dword you ask? It is a double word – a 32 bit long binary string. In most cases a word is 16 bits long, which is exactly the amount of space that you need to store a 4 digit hexadecimal value. Here is a quick refresher in binary: bin to hex conversions are very easy. All you need to do is divide your binary string into 4 bit chunks and then convert these chunks into hex. So 0001b = 0x1, 0101b = 0x5 and 1111b = 0xF. Then you put them all together. Each 2 digit hexadecimal number like 0x2D is a byte. Put two bytes together and you have a word. Put two words together, and you have yourself a dword. Got it? Good!

Google’s IP address is 72.14.207.99. Let’s convert this into a dword. Dotted decimal notation makes it very easy:

72 = 0x48
14 = 0x0E
207 = 0xCF
99 = 0x63

Put it all together and you get 0x480ECF63. By convention, dwords are expressed in base 10 notation so take out your calculator and convert this big number into decimal and you will get 1208930147. Paste that into your address bar, and it will take you to google. Seriously – try it: http://1208930147

If you think this is too much work, here is a javascript that will do this for you. Just type in the IP address in the box and press convert.

I also used another method for obfuscation, to conceal the http:// string in my URL. As you may know, some characters cannot be part of a URL. Non-alphanumerics such as @, :, ?, %, etc. all have special functionality, and the browser will try to interpret them accordingly. Thus, if you want to send these characters as parameters via a GET request, they need to be URL encoded. So ? becomes %3f, @ becomes %40 and so on.

What is the pattern here? Observant readers probably already guessed it. Get the hexadecimal ASCII value of your character, stick a % in front of it, and you are good to go! You can do this with every letter of the alphabet – so the whole URL can be encoded this way. Here is another nifty tool that will do this for you:

Please try it out. Type in google.com in the box, and click convert. The address becomes http://%67%6f%6f%67%6c%65%2e%63%6f%6d. Click on the link to make sure it works.

Most URLs can be easily obfuscated using both techniques. However, the dword method will not always work. Go ahead, and try using it on terminally-incoherent.com. It doesn’t work! Why? Because my website can’t be accessed via IP address alone. I do not have a dedicated server – all my stuff is hosted on the same box as a dozen other websites. My host then uses Apache’s Virtual Host functionality to properly resolve the requests. If you use the IP address alone, you will hit the default document root, which currently does not contain any website. So you get an error message. You can still obfuscate it using the ASCII method though.
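If you are on the receiving end of links like these (in a spam filter, a proxy log or a comment queue), both encodings can be undone before the host is checked against anything. The following is an added example, not the code from the original post: the function names are made up for illustration, and the sample URLs are the ones used above plus one percent-encoded dword built from them.

```javascript
// Added example: undo the two host encodings described in the post.
// Function names are hypothetical; the sample URLs come from the post.

// Decimal dword -> dotted decimal, or null if s is not a 32-bit integer.
function dwordToDotted(s) {
  if (!/^\d{1,10}$/.test(s)) return null;
  const n = Number(s);
  if (n > 0xFFFFFFFF) return null;
  return [n >>> 24, (n >>> 16) & 0xFF, (n >>> 8) & 0xFF, n & 0xFF].join('.');
}

// Return the host a browser would contact, plus which encodings hid it.
function canonicalHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  // Drop userinfo (text before the last '@') and a trailing :port.
  let host = m[1].slice(m[1].lastIndexOf('@') + 1).replace(/:\d*$/, '');
  const flags = [];
  if (/%[0-9a-f]{2}/i.test(host)) {
    try { host = decodeURIComponent(host); } catch (e) { return null; }
    flags.push('percent-encoded');
  }
  host = host.toLowerCase();
  const dotted = dwordToDotted(host);
  if (dotted !== null) {
    host = dotted;
    flags.push('dword');
  }
  return { host, flags };
}

// Constructed sample input: the two links from the post, a plain one,
// and the dword from the post with percent-encoding applied on top.
const samples = [
  'http://1208930147',
  'http://%67%6f%6f%67%6c%65%2e%63%6f%6d',
  'http://terminally-incoherent.com/blog/',
  'http://%31%32%30%38%39%33%30%31%34%37/',
];
for (const u of samples) {
  const r = canonicalHost(u);
  console.log(u, '->', r.host, r.flags.join(',') || 'plain');
}
```

A non-empty `flags` list is worth logging on its own, since ordinary links rarely need either encoding in the host part.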

Have fun with these, and don’t do evil with this newly gained knowledge. :)


  • 6 Responses to “URL Obfuscation”

    1. Andre PORTUGAL Mozilla Firefox Windows says:

      Nice article!

    2. Jeremy GERMANY Konqueror Ubuntu Linux says:

      This reminds me of some XSS (Cross Site Scripting) fun. :-)

    3. [...] For a good explanation as to why this is and what URL obfuscation is used for, check out this post. [...]

    4. satyadev INDIA Mozilla Firefox Windows says:

      Good Article …

    5. dd ROMANIA Mozilla Firefox Windows says:

      let’s see if you guess my browser and os
