|Eric Lucas on 21 Oct 2017 19:17:42 -0700|
|Re: [PLUG] Obfuscated domain names|
at a hacker con, we're on it...the .kz domain translates to "a thing that has been constructed". moment, please

sent from my toaster.

On Oct 21, 2017 21:24, <firstname.lastname@example.org> wrote:

Trying again with another one of the obfuscated domain names:
brent timothy saner replied that the xe's and xf's in the "domain name"
below are hex:
e0\xf1\xef\xee\xf0\xf2-\xe2-\x ec\xee\xf1\xea\xe2\xe5.\xf0\xf 4/
Alas, there is still a matter of interpretation; I attempted my
interpretation three different ways:
Aha! The third one of these is accepted by nslookup: 126.96.36.199,
but _that_ IP address is for the well-known server going by the name
"barefruit error handling." I kinda think it's a catchall for badly
converted "hidden" domains. I've run across them before when I mis-type
an IPV4 address. Note that the actual alphanumeric domain name is not
revealed by nslookup. Whois outright rejects the hex data.
Happily, стройка.kz and xn--80ardojfh.kz both go to the same webpage.
by my interpretation becomes d181d182d180d0bed0b9d0bad0b0.k
which flunks the nslookup test ...
But a hexadecimal conversion to text gives стройка.kz, a plain-Jane
Russian-language website that whois interprets as xn--80ardojfh.kz,
A.K.A. vns.hoster.kz, with the primary IP address.....: 188.8.131.52,
whose server covers IPV4's 184.108.40.206 to 220.127.116.11 with AS200532.
I had no luck with the other two domains in my original email.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
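The hex-to-name conversion discussed in the thread, as an added example that is not part of the original messages: it decodes a hex-obfuscated label under several candidate encodings, drops results that are mojibake, and gives the IDNA (xn--) form of each survivor. It goes beyond the one case in the thread by also accepting `\xNN` escapes; the encoding list, the function names and the second sample are assumptions of this example.

```python
import re

# Assumption of this example: the thread names no encodings; these are
# three common ones for Cyrillic text.
ENCODINGS = ("utf-8", "cp1251", "koi8-r")

def label_bytes(label):
    """Turn a hex-obfuscated label into raw bytes.

    Handles bare hex ("d181d182...") and "\\xNN" escapes mixed with ASCII.
    A bare-hex match is a guess: "cafe" is also a valid ASCII label.
    """
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", label):
        return bytes.fromhex(label)
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()),
                  label.encode("ascii"))

def interpretations(label, tld):
    """Return [(encoding, unicode_name, a_label)] for each plausible decoding."""
    raw = label_bytes(label)
    found = []
    for enc in ENCODINGS:
        try:
            text = raw.decode(enc).lower()
        except UnicodeDecodeError:
            continue
        # Mojibake shows up as punctuation or box-drawing characters;
        # keep only letters, digits and hyphens.
        if not text or not all(ch.isalnum() or ch == "-" for ch in text):
            continue
        name = f"{text}.{tld}"
        try:
            a_label = name.encode("idna").decode("ascii")
        except UnicodeError:
            continue
        found.append((enc, name, a_label))
    return found

# Hex string quoted in the thread, without its ".k" suffix.
THREAD_HEX = "d181d182d180d0bed0b9d0bad0b0"
# Constructed sample: the same word as cp1251 bytes in \xNN form.
CONSTRUCTED = r"\xf1\xf2\xf0\xee\xe9\xea\xe0"

if __name__ == "__main__":
    for sample in (THREAD_HEX, CONSTRUCTED):
        for enc, name, a_label in interpretations(sample, "kz"):
            print(f"{enc:7} {name} {a_label}")
```

The constructed sample decodes cleanly under two encodings, which is the "matter of interpretation" problem: only a resolver or whois check on each xn-- form settles which one is real.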