📜 ⬆️ ⬇️

National characters in the addresses - a paradise for phishing?



Hello!

On the material of this small little article I made another, similar subject, which I read for a long time. And I decided to play around a bit with a randomly caught topic and dedicate the habronarod to my games.
')
It will be today mainly about the zone. And we will play with the site of the distinguished President of the Russian Federation, for which he thanks a lot!

Of course, these "games" can be scaled for any other site with national characters in domain names. And in general, this article is not a way to hack into the President’s website, but simply to prove and discuss some point, which is quite possible that can be effectively used by intruders.


INTRODUCTION
So it is done ! On May 12, 2010, the glorious existence of the zone began. The first pioneers of which were the sites http: //president.rf and http: //regovitelstvo.rf. A PR company was active in purchasing domain names, many became their happy owners, with sweet Cyrillic alphabet in the address. In principle, we already have http: //mail.rf , http: //yandeks.rf ... Nice. But there are other thoughts ...

THEORY
As you know, in the zone. RF there is a possibility of introducing the name Cyrillic. This is a prime example of our research today - President.RF
When entering a name in the address bar of the Firefox browser and launching, the user has the opportunity to notice the rapid appearance of a strange combination: xn - d1abbgf6aiiy.xn - p1ai - what you see is the conversion of a Cyrillic alphabet that is not understandable for DNS systems into a clear Latin script in the IDN representation . In fact, for the DNS as it was not, there is no president . RF , there is only a strange, but understandable to the system name xn - d1abbf6aiiy.xn - p1ai . At the same time, the prefix xn-- unequivocally indicates that the name is represented in a peculiar encoding called Punnycode .

Proof of concept
I looked at all this for a long time and suddenly remembered - and yet the multitude of Latin letters is the same as in writing with the Cyrillic alphabet! In total, “President. RF” can appear in several variants, since the letters “e” and “p” are absolutely identical in shape, but different for the system. These letters in the name four, respectively, we have 2 ^ 4 = 16 variants of “President. RF”, indistinguishable to the eye! The only difference between them is punnycode.

We will use a convenient online converter to illustrate our idea (I will not give all 16 options, but I will do four illustrative ones):

http: //president.rf = http: //xn-- d1abbgf6aiiy.xn--p1ai (this is the real site of the President)
http: //president.rf = http: //xn--p-htbcbig1bj8a.xn--p1ai (fake number 1)
http: //prezident.rf = http: //xn--e-htbdgf6aiiy.xn--p1ai (fake №2)
http: //prezident.rf = http: //xn--pee-oddog1bj8a.xn--p1ai (fake №3)

As you can see, there is no difference in the “Russian” name. But these are different hosts, both in punnycode and in nature. You can see that something is wrong, you can use Latin letters between hyphens, for example, "xn-- pee -oddog1bj8a.xn", but who will notice them?

FINDINGS
As a result, we have just the perfect phishing trap: when a website is compromised, the attacker very quickly gets all the information that the user usually enters on his original website.

At the time of writing the post, I did not find any restrictions, that in such IDN domains it is impossible in principle to use Latin letters. The examples at the top lead to a page stating that at the moment there are no corresponding host IP addresses with the specified domain names. That is, they have not bought them yet. How long? ;)

Morality:
“How many languages ​​do you know - so many times you are a man” by Anton Chekhov

PS At the moment from the site President.RF an automatic redirection to the kremlin.ru is being carried out. So this article should be considered a Proof of concept - but with a possible development;)

Source: https://habr.com/ru/post/107034/


All Articles