brent saner on 21 Oct 2017 19:38:26 -0700



Re: [PLUG] Obfuscated domain names


so that one you couldn't find out:



Ñайга-ÑÑанзиÑ.su


I have NO idea what kind of encoding or weird translation that is, but that's hex => utf-8.

On Oct 21, 2017 21:34, "brent saner" <brent.saner@gmail.com> wrote:
at a hacker con, we're on it...

the .kz domain translates to "a thing that has been constructed". moment, please

sent from my toaster.

On Oct 21, 2017 21:24, <george@georgesbasement.com> wrote:

brent timothy saner replied that the xe's and xf's in the "domain name"
below are hex:

\xe7\xe0\xe3\xf0\xe0\xed\xef\xe0\xf1\xef\xee\xf0\xf2-\xe2-\xec\xee\xf1\xea\xe2\xe5.\xf0\xf4/

Alas, there is still a matter of interpretation; I attempted my
interpretation three different ways:

231224227240224237239224241239238240242-226-236238241234226229.240244/

%e7%e0%e3%f0%e0%ed%ef%e0%f1%ef%ee%f0%f2-%e2-%ec%ee%f1%ea%e2%e5.%f0%f4/

e7e0e3f0e0edefe0f1efeef0f2-e2-eceef1eae2e5.f0f4/

Aha! The third one of these is accepted by nslookup: 92.242.140.21,
but _that_ IP address is for the well-known server going by the name
"barefruit error handling." I kinda think it's a catchall for badly
converted "hidden" domains. I've run across them before when I mistype
an IPv4 address. Note that the actual alphanumeric domain name is not
revealed by nslookup. Whois outright rejects the hex data.


Trying again with another one of the obfuscated domain names:


\xd1\x81\xd1\x82\xd1\x80\xd0\xbe\xd0\xb9\xd0\xba\xd0\xb0.kz
by my interpretation becomes d181d182d180d0bed0b9d0bad0b0.kz,
which flunks the nslookup test ...

But a hexadecimal conversion to text gives стройка.kz, a plain-Jane
Russian-language website that whois interprets as xn--80ardojfh.kz,
a.k.a. vns.hoster.kz, with the primary IP address 185.98.6.6,
whose server covers the IPv4 range 185.98.6.0 to 185.98.6.255 under AS200532.
Happily, стройка.kz and xn--80ardojfh.kz both go to the same webpage.


I had no luck with the other two domains in my original email.

George Langford

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
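The decoding George works through above, as an added worked example that is not part of the original thread: a short Python script that turns the \xNN escapes back into raw bytes, tries the encodings a Cyrillic hostname is likely to be in, and then produces the IDNA (xn--) form that nslookup and whois actually accept. UTF-8 is tried first because an invalid UTF-8 sequence is a definite signal (the .kz name decodes, the .рф one does not); the single-byte Cyrillic code pages are accepted only when the result looks like a hostname, since any byte string "decodes" under a single-byte code page. The two byte strings are copied from the emails above; the candidate encoding list and the plausibility rule are assumptions of this example, as are the function names.

```python
# Added example (not from the thread): decode the \xNN-escaped hostnames
# quoted above and convert them to the ASCII (xn--) form a resolver accepts.
import re
import unicodedata

ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Encodings to try, in order (assumed list).  UTF-8 goes first: a byte
# sequence that is *not* valid UTF-8 (0xe7 followed by 0xe0, say) rules it
# out outright, whereas every byte string decodes under a single-byte code
# page, so those need the plausibility check below.
CANDIDATES = ("utf-8", "cp1251", "koi8-r", "iso-8859-5")


def unescape(escaped: str) -> bytes:
    """Turn text like r'\\xd1\\x81.kz' into the raw bytes it stands for.

    Each \\xNN pair becomes one byte; everything else is taken as ASCII.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(escaped):
        out += escaped[pos:m.start()].encode("ascii")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += escaped[pos:].encode("ascii")
    return bytes(out)


def plausible_hostname(text: str) -> bool:
    """Plausibility rule (assumed): only lowercase Cyrillic letters, ASCII
    alphanumerics, '-' and '.'.  A wrong code page typically yields capitals
    or symbols such as the numero sign, which this rejects."""
    for ch in text:
        if ch in "-." or (ch.isascii() and ch.isalnum()):
            continue
        if not unicodedata.name(ch, "").startswith("CYRILLIC SMALL LETTER"):
            return False
    return bool(text)


def guess_hostname(escaped: str):
    """Return (encoding, unicode_name, ascii_name) for the first candidate
    encoding that yields a plausible hostname, or None if none does."""
    raw = unescape(escaped.strip().rstrip("/"))
    for enc in CANDIDATES:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue  # not this encoding
        if plausible_hostname(text):
            # IDNA/punycode is what nslookup and whois want; this is the
            # step that maps стройка.kz to xn--80ardojfh.kz.
            return enc, text, text.encode("idna").decode("ascii")
    return None


def to_unicode(ascii_name: str) -> str:
    """Reverse direction: what an xn-- name in a log or whois record spells."""
    return ascii_name.encode("ascii").decode("idna")


if __name__ == "__main__":
    # Byte strings copied from the thread above.
    for sample in (
        r"\xe7\xe0\xe3\xf0\xe0\xed\xef\xe0\xf1\xef\xee\xf0\xf2-\xe2-\xec\xee\xf1\xea\xe2\xe5.\xf0\xf4/",
        r"\xd1\x81\xd1\x82\xd1\x80\xd0\xbe\xd0\xb9\xd0\xba\xd0\xb0.kz",
    ):
        print(sample, "->", guess_hostname(sample))
    print("xn--80ardojfh.kz", "->", to_unicode("xn--80ardojfh.kz"))
```

Feeding the decoded ASCII form to nslookup or dig is the check that distinguishes a real name from a resolver catch-all: the hex-digit string George tried is a syntactically valid but nonexistent hostname, so the ISP's NXDOMAIN redirector answers for it, whereas the xn-- form resolves to the host whois reports.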