How to Obscure Any URL How Spammers And Scammers Hide and Confuse Last Updated Thursday, 28 October 1999 ------------------------------------------------------------------------ The URL (Universal Resource Locator) of the page you are now viewing is http://www.nwi.net/~pchelp/obscure.htm. It is also http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D. Go ahead and click on that link. It'll take you right back to this very page. The weird-looking address above takes advantage of several things many people don't know about the structure of a valid URL. There's a little more to Internet addressing than commonly meets the eye; there are conventions which allow for some interesting variations in how an Internet address is expressed. These tricks are known to the spammers and scammers, and they're used freely in unsolicited mails. You'll also see them in ad-related URLs and occasionally on web pages where the writer hopes to avoid recognition of a linked address for whatever reason. Now, I'm making these tricks known to you. Read on, and you'll soon be very hard to fool. How It's Done Here it is again: http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D First take note of the "@" symbol that appears amid all those numbers. In actual fact, everything between "http://" and "@" is completely irrelevant! Just about anything can go in there and it makes no difference whatsoever to the final result. Here are two examples: http://doesn'tmatter@www.nwi.net/~pchelp/obscure.htm http://!$%^*()_-+={[}]|\:;,@www.nwi.net/~pchelp/obscure.htm Go ahead and use the links. You'll be back to this page again. I've added bookmarks so you won't lose your place. This feature is actually used for authentication. If a login name and/or password is required to access a web page, it can be included here and login will be automatic. Example: http://username:password@www.whatever.com/secret/eyesonly.htm But if the page requires no authentication, the authentication text is in effect ignored by both browser and server. This presents interesting possibilities for confusing the unsuspecting user. How about this one: http://www.playboy.com@3466536962/~pchelp/obscure.htm If you didn't know better, you might think this page were at playboy.com! All right, so what about that long number after the "@"? How does 3466536962 get you to www.nwi.net? In actual fact, the two are equivalent to one another. This takes a little explaining so follow me carefully here. The first thing you need to know (most Net users know this), is that Internet names translate to numbers called IP addresses. An IP address is normally seen in "dotted decimal" format. www.nwi.net translates to 206.159.40.2. Numeric IP addresses are generally unrecognizable to people. That's why we use names for network locations in the first place. Merely using an IP address, in its usual dotted-decimal format, in place of the name is commonly done and can be quite effective at leaving the human reader in the dark. But there are other ways to express that same number. The alternate formats are: * "dword" - meaning double word because it consists essentially of two binary "words" of 16 bits; but it is expressed in decimal (base 10); * "octal", meaning it's expressed in base 8; and * "hexadecimal" hexa=6 + deci=10 (base 16). The dword equivalent of 206.159.40.2 is 3466536962. Its octal and hexadecimal equivalents are also illustrated below. Why obscure names in the first place? Most often it's because by publicly-available registration records, the owners of domain names can often be identified. Even if the owner isn't traceable by that record, his service provider is. The last thing any scammer or spammer wants is to be found by his victims, or to have his service provider alerted to his abuses. Below, I explain how you can get an IP address for any name, how to convert a dotted-decimal IP address to the dword format, and how the octal and hex formats work. Okay, so what about the rest of the URL? Let's look yet again at that weird address I first showed you: http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D It's beginning to make some sense, isn't it? But what's all that gibberish on the right? Here's how that works: Individual characters of a URL's path and filename can be represented by their numbers in hexadecimal form. Each hex number is preceded by a "%" symbol to identify the following two numbers/letters as a hexadecimal representation of the character. The practical use for this is to make it possible to include spaces and unusual characters in a URL. But it works for all characters and can render perfectly readable text into a complete hash. In my example, I have interspersed hex representations with the real letters of the URL. It simply spells out "/~pchelp/obscure.htm" in the final analysis: %7e p %63 h %65 l %70 / o %62 s %63 ur %65 %2e %68 t %6D ~ p c h e l p / o b s c ur e . h t m The letters used in the hex numbers can be either upper or lower case. The "slashes" in the address cannot be represented in hex; nor can the IP address be rendered this particular way. But everything else can be. Hexadecimal Character Codes Hex character codes are simply the hexadecimal (base 16) numbers for the ASCII character set; that is, the number-to-letter representations which comprise virtually all computer text. To find the numeric value for an ASCII character, I often use a little batchfile I wrote for the purpose years ago; and then if I want the hex equivalent I usually do the math in my head. It just requires familiarity with the multiples of 16 up to 256. For most people, the conversion is probably best done with a chart. The best ASCII-to-hex chart I have ever seen is on the website of Jim Price: http://www.jimprice.com/jim-asc.htm. Jim explains the ASCII character set wonderfully well, and provides a wealth of handy charts. I can't improve on Jim's excellent work! Print out Jim's ASCII-to-hex chart and you're in business. If Jim's site ever disappears, let me know and I'll do a chart of my own. In Sum URLs can be obscured at least three ways: 1. Meaningless or deceptive text can be added after "http://" and before an "@" symbol. 2. The domain name can be expressed as an IP address, in dotted-decimal, dword, octal or hexadecimal format. 3. Characters appearing after the IP address can also be expressed as hexadecimal (base 16) numbers. Below, I provide the whole scoop on the IP address formats. IP Addresses IP addresses are most commonly written in the dotted-decimal format. A valid dotted-decimal IP number has up to 4 numeric segments, each separated by a period. The numbers must range from 0 to 255. Translation of a network name to its IP address is usually done in the background by your network software, invisible to the user. Given a name, your browser queries a name server, a machine somewhere on the Net which performs this basic network addressing function; it thereby obtains the numeric IP address and then uses that address to direct its requests to the right computer, somewhere out there on the Net. There is a standard utility which allows the user to perform these name server lookups directly and see the results. It's called NSLOOKUP. A wide variety of nslookup utilites is available on the Net, often for free download. Some provide a graphical interface under Windows, but the original and most basic nslookup is run from a textual command line. One such command-line utility is included in my free Network Tracer. Please download it if you're interested. Place NSLOOKUP.EXE in your Windows directory and you can use it from a DOS window. A simple nslookup query is structured as follows: nslookup [name or IP address] [name server] A name server has to be specified, either by name or IP address. If you don't know a name server address for your own ISP (it can usually be found in your Dial-Up Networking setup), use this one: 198.41.0.196 A valid query for my ISP's web server address would be: nslookup www.nwi.net 198.41.0.196 Here's what that command puts out in response, with my comments: nslookup www.nwi.net 198.41.0.196 <-- Here's the command you typed in Server: ns.netsol.com <-- The name server you utilized Address: 198.41.0.196 <-- This is the name server's IP address Non-authoritative answer: <-- This means a name server other than the one you queried is the actual source of the record. Name: sundance.nwinternet.com <-- The "real" name of www.nwi.net Address: 206.159.40.2 <-- This is what you came here for: the IP address of www.nwi.net Aliases: www.nwi.net <-- www.nwi.net is an alias -- not the primary name given to that address, but a valid one. It's a powerful utility; it can find names for known addresses, addresses for known names, and a variety of other information relevant to an Internet address. But doing some of the fancier things with NSLOOKUP is difficult if you're not already technically savvy. For the technically inclined, there is a manual; and several examples of its use can be found in TRACE.BAT, the primary component of my Network Tracer. If you're determined to avoid the DOS command line, and want a tool that will do most of the thinking for you, I recommend NetScanTools, a reasonably-priced network utility toolbox. It's available as a 30-day shareware demo and a bargain at just $25. NetScanTools is not merely an address-lookup utility; it can do a great many things. For a Windows user trying to comprehend the nuts and bolts of the Net, it's a whole world of discovery. You can also do your name server lookups with a web browser. There are nslookup "gateways" scattered around on the Web. One such gateway is at: http://www.interlog.com/~patrick/cgi/nslookup.cgi Converting An IP Address to Dword Format I could create a math lesson about this, and tell you all about bits and bytes and base 16. But it's not really necessary. Anyone with a Windows system has a handy calculator that makes it simple to convert decimal numbers to hex, and to find the dword equivalent of any dotted-decimal IP number. You should find it by selecting Start ... Programs ... Accessories ... Calculator. It will look like this: [Image] or, in Scientific mode, it looks like this: [Image] You'll need it in Scientific mode for this purpose. Let's start with the IP address for this site's web server: 206.159.40.2. We want to obtain the hex equivalent for each of the 4 numbers separated by dots.Enter the first IP number, 206. Now select the button on the upper left which says Hex: [Image] The number will now display as hexadecimal value CE: [Image] Write this hex value down! Now, select the Dec button to go back to decimal mode; clear the entry with the C or CE button, and you're ready to enter the next IP number. Do each one the same way as above. When you get to the last number, you'll find it's the same in hex: 2. Write it down as 02. Always add a leading zero to single-digit results. Now put them all together and you should have this hexadecimal value: CE9F2802 It will always be an 8-digit number. Clear the calculator and place it in Hex mode. Enter the hex number: [Image] Now select the Dec button, and the dword equivalent will be the result: [Image] And there it is; that same number I used in the trick URL I first showed you: 3466536962. Reversing the process will bring you back to the dotted-decimal address. Convert the dword number to hex, then each of the 4 pairs of hex numbers to decimal. There's another way to do this which is very simple math, but I find it takes just as long to do manually. Multiply the numbers of the IP address by the following fixed values (which are powers of 256), then add the results: 206 x 16777216 (2563) = 3456106496 159 x 65536 (2562) = 10420224 40 x 256 (2561) = 10240 2 x 1 (2560) = 2 ---------- 3466536962 Now, there is a further step that can make this address even more obscure. You can add to this dword number, any multiple of the quantity 4294967296 (2564) -- and it will still work. This is because when the sum is converted to its basic digital form, the last 8 hexadecimal digits will remain the same. Everything to the left of those 8 hex digits is discarded by the IP software and therefore irrelevant. Thus, the following URLs will also work: http://7761504258/~pchelp/obscure.htm http://16351438850/~pchelp/obscure.htm http://231099803650/~pchelp/obscure.htm I know of no DOS or Windows program made specifically to do a dword conversion. But there's a handy script on Matthias Fichtner's website which will quickly convert any IP address to its dword value and vice-versa: http://www.fichtner.net/tools/ip2dword/. Octal IP Addresses As if all this weren't enough, an IP address can also be represented in octal form -- base 8. The URL for this page with its IP address in octal form looks like this: http://0316.0237.050.02/~pchelp/obscure.htm Go ahead, try it. You'll be right back here once again.. Note the leading zeroes. They're necessary to convey to your browser the fact that this is an octal number. Any number of leading zeroes can be added to any or all of the numbers in the address. For example: http://000316.000000237.000050.0000000002/~pchelp/obscure.htm Naturally, arbitrary authentication text can also be added to an octal address. Example: http://www.sleazy-ad.com@000316.000000237.000050.0000000002/~pchelp/obscure.htm I'll spare you a detailed description of octal conversion. Most people can probably figure it out, and those who can't, can always use the nifty URLomatic at www.samspade.org. It will reveal the IP address of a dword- or octal-formatted URL, as well as to decode hex character codes. This link to the URLomatic will completely decipher my original example address. Many thanks to Dan, who read this page and directed me to those great tools at samspade.org. Check it out! Hexadecimal IP Addresses You thought that was all? Well, so did I, until one Daniel Dočekal informed me otherwise. There is yet another obscure way to express an IP address. Remember that hexadecimal number we calculated above? That number (CE9F2802) can be expressed as an IP address in this manner: 0xCE.0x9F.0x28.0x02 The "0x" designates each number as a hex quantity. The dots can be omitted, and the entire hex number preceded by 0x: 0xCE9F2802 And, additional arbitrary hex digits can be added to the left of the "real" number: 0x9A3F0800CE9F2802 Some browsers (Netscape 3.x and 4.x for instance) won't work with hex IPs; but for IE users, this page's URL can be: http://0xCE.0x9F.0x28.0x02/~pchelp/obscure.htm or: http://0xCE9F2802/~pchelp/obscure.htm or: http://0x9A3F0800CE9F2802/~pchelp/obscure.htm It's Not Over Yet Ah, you thought you had it all nailed down? Well, it's mix-and-match time! Believe it or not, the following URL, which uses hex, decimal and octal numbers in the IP address, actually works: http://0xCE.159.050.0x02/~pchelp/obscure.htm This mixed-format address also works with bogus authentication text: http://spam-world.net@0xCE.159.050.0x02/~pchelp/obscure.htm For Netscape users, omitting the hex is necessary, but decimal and octal can be mixed: http://spam-world.net@0316.159.050.2/~pchelp/obscure.htm Thankfully, the wonderful URLomatic at samspade.org deals with these mixed-up IPs just fine. ------------------------------------------------------------------------ Home