
How to Fake out Web Servers

Thursday, December 13, 2007

Did you know that most web browsers dutifully identify themselves to every web site you visit? There's often a good reason for this. Some web sites will send you pages customized for the type of browser you use. Some sites use your header information to choose what language to display. Some intrusion detection techniques even look at headers to get an idea of whether a connection to a website is being made by a legitimate browser or by a clumsily programmed attack.

If it bugs you to tell web sites everything your browser wants to tell them, here's how to fake them out.

Telnet! Yes, my favorite all purpose mostly harmless hacking technique is telnet. If you use Windows and have never used telnet, type Start --> Run --> type telnet in the window and hit enter. This will give you a black window with something like this in it:

Welcome to Microsoft Telnet Client.

Escape character is 'CTRL+]'

Microsoft Telnet>

Now here's a fun thing to do. At the telnet prompt, type "open happyhacker.org 80". Now wait a few seconds, then hold down the Ctrl key and the c key with one hand and hit Enter with the other. The server has been sitting there waiting for a proper request line the whole time, and what it gets isn't one, so it gives up on you.

This will give you something like the following: the response headers first, then the HTML body of the error page, and finally telnet's own notice that the server closed the connection:

HTTP/1.0 408 Request Timeout
Server: thttpd/2.20c 21nov01 on a Brickserver 2
Content-type: text/html
Date: Wed, 31 Jan 2007 13:23:03 GMT
Last-modified: Wed, 31 Jan 2007 13:23:03 GMT
Accept-Ranges: bytes
Connection: close

408 Request Timeout

No request appeared within a reasonable time period.

thttpd/2.20c 21nov01 on a Brickserver 2

Connection to host lost.

Now to get something better, instead type Start --> Run and type in "cmd". This gives you a command prompt window (the MS-DOS-style one) that looks something like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Carolyn Meinel>

From here we can do something much more fun to unsuspecting webservers. Open Notepad and type this in two lines:

telnet happyhacker.org 80
GET /gtmhh/index.shtml

It won't work unless you have this in two lines! The first line starts telnet and opens the connection; the second line is the request that goes down that connection. Next copy these two lines and at the command prompt right click, choose paste, and then hit Enter. Because the request line has no "HTTP/1.x" version on the end, the server treats it as an old-style HTTP/0.9 request and answers with just the page itself, no response headers, so what scrolls past is all the code the webserver would normally send your browser.

OK, so why is this a big deal? You can get the same code just by using the "page source" command on your browser. However, you got this code without having to send the browser's extra headers. All you sent was the most basic thing a browser can send, a request line with the "GET" method, and the server was perfectly happy with it. (If you type "GET /gtmhh/index.shtml HTTP/1.1" instead, the server also expects a "Host: happyhacker.org" line followed by an empty line before it will answer, and it then sends its own headers back in front of the page.)
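Here is the same idea in a few lines of Python, an example added to this page rather than anything from the original article or the happyhacker.org site. It builds a request from exactly the pieces you choose (the bare HTTP/0.9 line the telnet trick sends, or an HTTP/1.1 request carrying whatever User-Agent you like and nothing else) and splits a reply like the thttpd 408 above into status, headers and body. The body of the sample 408 reply and the Lynx version string are constructed for illustration, and the fetch function is the only part that touches the network.

```python
import socket

# Constructed sample: the thttpd 408 reply shown earlier on this page, with a
# made-up body, so the parser below can be exercised without a live server.
SAMPLE_408 = (
    b"HTTP/1.0 408 Request Timeout\r\n"
    b"Server: thttpd/2.20c 21nov01 on a Brickserver 2\r\n"
    b"Content-type: text/html\r\n"
    b"Date: Wed, 31 Jan 2007 13:23:03 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>408 Request Timeout</body></html>\r\n"
)


def build_request(host, path, version="1.1", headers=None):
    """Return the raw bytes of a GET request, and nothing you did not ask for.

    version "0.9" gives the bare one-line request the telnet trick sends:
    no headers at all, and a server that honours it replies with only the body.
    For "1.0" or "1.1" exactly the headers passed in are sent; HTTP/1.1 requires
    a Host header, so one is added unless the caller supplied it.
    """
    if version == "0.9":
        return f"GET {path}\r\n".encode("ascii")
    hdrs = dict(headers or {})
    if version == "1.1" and not any(k.lower() == "host" for k in hdrs):
        hdrs = {"Host": host, **hdrs}
    lines = [f"GET {path} HTTP/{version}"]
    lines += [f"{name}: {value}" for name, value in hdrs.items()]
    # A blank line ends the header block; latin-1 keeps any byte 0-255 intact.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_response(raw):
    """Split a raw reply into (status_code, headers, body).

    Header names are lower-cased. An HTTP/0.9 reply has no status line and
    no headers, so it comes back as (None, {}, raw).
    """
    if not raw.startswith(b"HTTP/"):
        return None, {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fetch(host, path, port=80, version="1.1", headers=None, timeout=10):
    """Send exactly what build_request produced and read until the server
    closes the connection (pass Connection: close with 1.1 so that it does).
    This is the only function here that touches the network."""
    req = build_request(host, path, version, headers)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    # The two-line telnet request from the page, as the bytes that go on the wire:
    print(build_request("happyhacker.org", "/gtmhh/index.shtml", "0.9"))
    # The same page as HTTP/1.1 while claiming to be Lynx (illustrative version string):
    print(build_request("happyhacker.org", "/gtmhh/index.shtml", "1.1",
                        {"User-Agent": "Lynx/2.8.5rel.1", "Connection": "close"}))
    status, hdrs, _ = parse_response(SAMPLE_408)
    print(status, hdrs["server"])
    # Uncomment to talk to the site the author gives permission for below:
    # print(fetch("happyhacker.org", "/gtmhh/index.shtml", headers={"Connection": "close"}))
```

Everything the server sees is in the bytes build_request returns, which is the whole point: there is no browser in the loop adding cookies, Accept lines or a real user-agent behind your back.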

Even more important...!!!

You can go to jail warning: If you send a webserver a command that is designed to break into or crash it, you just might wind up being cellmate Spike's girlfriend. Yes, those nasty script kiddie websites offer exploits to send to webservers, and if you try them on about a thousand different websites you may eventually get unlucky and actually break in.

If you want to try out all sorts of weird commands against a webserver without breaking the law, you have permission to do it against this website, happyhacker.org and you can't get into any trouble because I own it and I set the rules, which are, basically, you can do anything you want, see if you can crash happyhacker.org or break in, it's OK with me, muhahaha!

Next, you can set up your web browser to send headers of your own design. This article by Eric Giguere is still useful for learning how to modify your browser's headers. He also has a link that displays a portion (not the entire thing) of your browser's headers. Using this link, I learn that my browser sent out this:

connection keep-alive
accept-language en-us,en;q=0.5
content-length 0
host www.ericgiguere.com
accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
accept-charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive 300
cookie JSESSIONID=5CF0B8F73EB94ECA1D6AA324F2AA1ADC; __utma=135980773.912983502.1170270059.1170270059.1170270059.1; __utmc=135980773; __utmz=135980773.1170270059.1.1.utmccn=(organic)|utmcsr=google|utmctr=change+browser+headers+Firefox|utmcmd=organic
user-agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

You can tell this doesn't show everything: for one thing, it leaves out the request line with the "GET" command that every request starts with.

Now let's say you would like to see absolutely everything your browser sends. You can do this by setting up a network sniffer on your own computer and using it to see everything that goes back and forth between your browser and a website. This can be especially interesting if you visit malicious websites, meaning those that try to break into your computer through your browser to install spyware and, even worse, Trojans that enable criminals to hide their nasty activities inside your computer. Check out http://www.winpcap.org/ to learn about sniffers and for free downloads of sniffer tools.

Last but not least, you can see what your headers look like by installing the free Apache webserver on your home computer. You can direct your browser to it by typing "localhost" or "127.0.0.1" into your browser or your telnet connection.

In order to ensure that your Apache webserver saves the headers of your browser, you have to find the file named httpd.conf. Open it in Notepad and look for the line:

CustomLog logs/agent.log agent

If there is a "#" in front of it, this means Apache ignores it. Delete the "#" and Apache will start recording, but only after you restart Apache. Then after visiting it with your browser, you will find the entries in the agent.log file in the logs directory. One caveat: the "agent" at the end of that line is the name of a LogFormat defined a few lines earlier in httpd.conf, and the stock one records only the User-Agent header, not the whole set your browser sent. Any other request header can be logged the same way by putting a %{Header-Name}i item into a LogFormat of your own; the Apache mod_log_config documentation lists the format items.

Of course after reading all this, you may wonder what the big deal is about forging headers. Or maybe you think this is super fun, in which case you must be a real hacker.

OK, so now lets go do fun stuff with the free Firefox browser. In the browser window type:

about:config

Scroll down the screen this displays to general.useragent.extra.firefox and double click on that line. You can change it to whatever you want. I change it from Firefox/2.0.0.1 to Lynx. Yes, most of you are too young to remember Lynx, but I'm a really, really ancient hacker and back when the Web was young we didn't have pictures and all that newfangled fancy stuff. The web was just words and links, and Lynx, which we ran from a Unix shell account (this was before Linux even!), was how we crawled the web.

Next I double click on general.useragent.locale and change en-US (meaning I want to see websites in English if they offer that option) to en-Lower Slobovia

Oh, pooh, it turns out all this does is swap two pieces out of one of my headers, which now reads:

user-agent Mozilla/5.0 (Windows; U; Windows NT 5.1; Lower Slobovia; rv:1.8.1.1) Gecko/20061204 Lynx

The Mozilla/5.0, Windows NT 5.1 and Gecko parts are all still there, so anyone who reads the logs can see it is really a Firefox pretending to be something else. (Firefox will replace the whole string if you create a new string preference named general.useragent.override, but all the other headers still go out exactly as before.)

This failure to totally fubar the headers tells me we can have much more fun if we use telnet or even netcat to directly connect to webservers. Then we finally can really, really fake out anyone who actually reads the logs.

You can get punched in the nose warning: Many intrusion detection and prevention systems look for really screwy browser headers. Make yours weird enough and you will make someone hopping mad -- and he or she might tell your online provider that you, yes you, sent evil headers. Yes, you can be tracked back to your home computer. If your online provider is terrified of hackers (could you actually be an evil, evil, criminal?) they might cancel your Internet service.
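To see what the people reading those agent.log files (or running the intrusion detection systems) are actually looking for, here is an added example, written for this page and not taken from the original article, Apache or any IDS product: a handful of rules run over a constructed agent.log sample that includes the genuine Firefox 2 string and the about:config forgery from above. The allow-list of Gecko products and the length limit are assumptions chosen for the example.

```python
import re

# Constructed sample of an Apache agent.log: one User-Agent per line, as the
# stock "agent" LogFormat writes it. The first two lines are the genuine
# Firefox 2 string and the about:config forgery shown on this page; the rest
# are made up. "-" is what Apache writes when the header was absent, and it
# writes control bytes as \xhh escapes rather than raw, so we look for both.
SAMPLE_AGENT_LOG = "\n".join([
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; Lower Slobovia; rv:1.8.1.1) Gecko/20061204 Lynx",
    "Lynx/2.8.5rel.1 libwww-FM/2.14",
    "-",
    "Mozilla/4.0 (compatible) \\x1b[31mlook at me\\x1b[0m",
    "A" * 600,
]) + "\n"

# Assumed allow-list: products that legitimately end a Gecko user-agent string.
GECKO_PRODUCTS = ("Firefox", "SeaMonkey", "Iceweasel", "Camino")
MAX_UA_LEN = 512  # assumed threshold for this example


def check_user_agent(ua):
    """Return a list of reasons this User-Agent looks forged or hostile
    (an empty list means it passed every rule)."""
    if ua in ("", "-"):
        return ["no User-Agent header at all"]
    reasons = []
    if len(ua) > MAX_UA_LEN:
        reasons.append(f"over-long ({len(ua)} bytes)")
    if re.search(r"[\x00-\x1f\x7f]", ua) or re.search(r"\\x[0-9a-fA-F]{2}", ua):
        reasons.append("control or non-printable characters (terminal escapes, binary)")
    if "Gecko/" in ua:
        # The page's own forgery: a Gecko engine token followed by a product
        # that is not a Gecko browser. Real Lynx never mentions Gecko.
        last = ua.split()[-1]
        if not any(last.startswith(p + "/") for p in GECKO_PRODUCTS):
            reasons.append(f"Gecko engine token but trailing product is {last!r}")
    return reasons


def scan_agent_log(text):
    """Run every line of an agent.log through the rules.
    Returns [(line_number, user_agent, reasons)] for lines that tripped one."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = check_user_agent(line.rstrip("\r"))
        if reasons:
            hits.append((n, line, reasons))
    return hits


if __name__ == "__main__":
    for n, ua, reasons in scan_agent_log(SAMPLE_AGENT_LOG):
        print(f"line {n}: {ua[:60]!r}")
        for r in reasons:
            print(f"    - {r}")
```

The Gecko rule is the one that catches the about:config forgery: the string still says "Mozilla/5.0 ... Gecko/20061204" and only the tail has changed, which is exactly the inconsistency a log reader notices. A request built by hand, as in the telnet example, can say "Lynx/2.8.5rel.1 libwww-FM/2.14" from start to finish and passes quietly.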

But lets get back to that Firefox about:config screen. Have you ever tried to enter a really weird URL you found on a hacker website into your browser and it didn't do what you expected? Your browser might be the culprit. Check out:

network.IDN.blacklist_chars

It lists the characters Firefox refuses to show as part of an internationalized domain name: if a host name contains one of them, Firefox displays (and sends) the plain ASCII "xn--" punycode form instead, which is its defence against look-alike domain names. So a URL copied off a hacker website may not reach the server in the form you typed it. Many of these characters aren't even on your keyboard, although you can create them with a hex editor. Some of them you can't send through telnet, either. The ultimate solution to all that is netcat, a telnet-like program that sends exactly the bytes you give it and is also good for lots of amazing things. If you try really hard, netcat can enable you to do truly amazing "you can get punched in the nose" or "you can go to jail" stuff to webservers. Your choice.

Happy hacking!
