__________________________________________________

*** How to set up a button or link on your web page that tricks someone who uses Internet Explorer into thinking you defaced a web site.
__________________________________________________

What if you can't alter the hosts file of your friend's computer? As of today, an easy way to spoof URLs is to exploit a flaw in Internet Explorer versions up to 6.0. You can test for this flaw at http://happyhacker.org/defend/test.shtml . Note: some antivirus programs will claim that this test is a virus. That is not true. They are merely reacting to the fact that it is an attempt to spoof a URL, and are not well enough programmed to tell you it is a URL spoof instead of a virus. If your browser is vulnerable, a link on that page will take you to what looks like http://www.nsa.gov. If your browser is OK, it will show you that this page is actually http://www.happyhacker.org/defend/fakems.htm . The Opera browser will warn you about spoofed URLs (see http://www.opera.com). Some browsers will partially show a faked URL, usually as http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm.

Now the trick is to somehow get your friend to click on a button you have created to get him or her to go to your "hacked" web site. How does this work? The code for the funny button on this web page is:

<button
onclick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm');"
style="font: 8pt verdana, sans-serif;">
<B>Test Exploit</B> </button>

If you have a web site, here is code you can upload that will make a web page that carries your boast about defacing a web site:

<HTML>
<HEAD>
<TITLE>Trick web page</TITLE>
</HEAD>
<BODY BGCOLOR="#ffffff">
<button
onclick="location.href=unescape('http://www.cia.gov%01@happyhacker.org');"
style="font: 12pt 'Comic Sans MS'">
<B>Click here for proof that I hacked the CIA web page!!!!</B>
</button>
</BODY>
</HTML>

Anyone with a vulnerable browser who clicks on it will get the Happy Hacker web site, but the location bar in the browser will say http://www.cia.gov. Of course you could connect to a page on your own web site where you can plaster the childish, ungrammatical, misspelled boasts of the typical web site defacer. For examples of defaced web sites that you can use as, ahem, style guides, see http://www.zone-h.org.

Unless you can include the character between gov and % that probably shows up in your browser as a box, this is not a perfect hack. Without that funny character, if your friend looks at the bottom of the browser, he or she can see a briefly displayed message, "Opening page http://www.cia.gov%01@happyhacker.org…" However, if your friend is on a broadband connection, this message will flash by too fast to read. Aw, shucks.
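
The links above all share one shape: the text before the "@" is URL userinfo written to look like a hostname, and the host the browser really contacts comes after it. As an added example that is not part of the original guide, this Node.js sketch flags such links in a page or attachment; the function names and the sample markup are constructed for illustration.

```javascript
// Added example (not from the original guide): flag links whose userinfo,
// the part before "@", is dressed up as a hostname or hides control bytes.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;
const CONTROL = /[\x00-\x1f\x7f]/;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; } // keep bad escapes as-is
}

// Compare the host the browser will contact with the host the user is shown.
function inspectUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) {
    // Unparseable URLs are reported rather than silently skipped.
    return { raw, realHost: null, claimedHost: null, hasControlChar: false, suspicious: true };
  }
  const user = safeDecode(u.username);
  const hasControlChar = CONTROL.test(user + safeDecode(u.password));
  // What a reader sees once the non-printing bytes are dropped.
  const visible = user.replace(/[\x00-\x1f\x7f]/g, '').toLowerCase();
  const claimedHost = HOSTLIKE.test(visible) ? visible : null;
  return {
    raw,
    realHost: u.hostname,
    claimedHost,
    hasControlChar,
    suspicious: hasControlChar || (claimedHost !== null && claimedHost !== u.hostname),
  };
}

// Pull every http(s) URL out of markup, including ones inside onclick handlers.
function scanHtml(html) {
  const urls = html.match(/https?:\/\/[^\s'"<>]+/gi) || [];
  return urls.map(inspectUrl).filter((r) => r.suspicious);
}

// Constructed sample: the guide's button plus one ordinary link.
const SAMPLE = [
  "<button onclick=\"location.href=unescape('http://www.cia.gov%01@happyhacker.org');\">x</button>",
  '<a href="http://www.happyhacker.org/defend/fakems.htm">plain link</a>',
].join('\n');

for (const hit of scanHtml(SAMPLE)) {
  console.log(`shown as ${hit.claimedHost}, really goes to ${hit.realHost}: ${hit.raw}`);
}
```

A mail gateway or proxy can apply the same check to every URL it extracts and rewrite or block the ones it flags, independent of which browser the recipient runs.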

__________________________________________________

Evil genius tip: How do you embed that funny character on your web page? Hint: find an editor that works with Unicode, and doesn't try to do a whole bunch of extra stuff (like MS Word does).
__________________________________________________

GaNt points out that there is another way to make a phoney link. Actually several other ways. "By using the href="#" the link is now activated to point to itself. The onClick will be able to activate because the link will not leave the page.
It would be a really good idea to change the status bar as well, so I put that code into it, too."


This is the Link Text

Here is what the code is for the link above:

<a href="#" onClick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm');" onMouseOver="window.status='http://www.nsa.gov';return true;" onMouseOut="window.status='';return false;">This is the Link Text </a>

Another way to spoof a URL on a web page is to use Javascript. If you've never written a program before, don't sweat. It is super easy to write programs, especially when you have sample code. Try this for a web page:

<html>
<head>
<script>
// Build the address: the site to display, then %01@, then the real destination.
function fakIt(spoofed, real){
document.location.href=unescape(spoofed + '%01@' + real);
}
</script>
</head>
<body>
<a href="javascript:fakIt('http://www.nsa.gov','happyhacker.org/defend/fakems.htm')" onMouseOver="window.status='This link is the best way to fake a hack of the NSA web site';return true;" onMouseOut="window.status='';return false;">Click here for my defacement of the NSA web site</a>
<br>
<a onClick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm');" onMouseOver="this.style.cursor = 'hand';"><u><font color="blue"> This is a link that shows nothing when the mouse runs over it</font></u></a>
</body>
</html>

Here's how this will work on your web page:

Click here for my defacement of the NSA web site
This is a link that shows nothing when the mouse runs over it

This Javascript program was based on one written by GaNt. You can enjoy more of his work at his web site, http://www.BleachEatingFreaks.com.

First thing to notice is that when you run a mouse over the upper link, it only shows whatever text you have programmed into the "onMouseOver" command. If you really want to fake someone out, put the URL of the web site you claim to have hacked there. That part of the program is easy to customize. You could have the mouseover stuff read "Muhahaha" -- get the idea? Of course you can also easily modify the URL, for example inserting some really disgusting site.

If your friend knows something about computer security, this won't work because he or she might be using a relatively safe browser such as Mozilla (free from http://www.mozilla.org). You can defend against the Javascript attack by disabling Javascript in your browser.

You can make your browsers much safer by disabling not only Javascript but all active scripting. To turn off active scripting (Javascript, ActiveX and Java) in IE 6:

  • Click Tools --> Internet Options and choose the Advanced tab. Scroll down the list of radio buttons to Microsoft VM and uncheck all of them.
  • Next choose the Security tab. At the very top you will see the ActiveX controls and plug-ins. Click the "prompt" radio buttons for all of them. This will give you a chance to see whether an ActiveX program is the culprit.
  • Continue scrolling down the radio buttons to Java permissions. Unclick the Java radio button.

To turn off active scripting in Mozilla:

  • Click Edit --> Preferences --> Advanced and unclick the Java radio button.
  • Then click Scripts & Plugins and disable Javascript.

__________________________________________________

*** How to send an email attachment that tricks someone who uses Internet Explorer into thinking you defaced the CIA web site.
__________________________________________________

If you don't have a web site of your own, here's another way to fake a URL. Send this web page code via an attachment to email. Here's how to do it. In Windows, click Start --> All Programs --> Accessories --> Notepad. Cut and paste the code into Notepad, then save it as hack.htm. Then attach this file to an email with a charming invitation to view your dastardly defacement of the CIA web page. When the reader clicks on the attachment, it will bring up the default browser, usually IE. By clicking on the button that the browser shows, it will display http://www.cia.gov in the location window, but it will really be at Happyhacker.org (or whatever awful web site you picked).

Is it possible to put the button hack into the body text of an email? Yes, but it doesn't seem to work there. I've tested this exploit against both Eudora 6.0.1 and Outlook Express 6.0. When I coded the exploit into the message body, it displayed the button, but clicking on it doesn't do anything. However, keep tuned, there might be a way to do this. If you would like to test new exploits, see the Uberhacker bonus section below for help on how to embed interesting code into email.

GaNt points out that his Javascript above can be inserted into an email by making a web site and then cutting and pasting it into Outlook. I found that sometimes this trick doesn't seem to work right away, but there is another trick. If your code just looks like code in your email that you are sending, email it to yourself. Oftentimes it will be working properly when you receive it. Then use the redirect or forward command to send it on to someone else.
__________________________________________________

You can get punched in the nose warning: Many antivirus programs will block email with spoofed URLs. Whomever you send it to might accuse you of trying to infect him or her with a virus, because these antivirus programs call *everything* a virus! To evade antivirus programs, try sending an attachment that is zipped and passworded. Without the password the antivirus program can't scan for a spoofed URL.
__________________________________________________

    © 2013 Happy Hacker All rights reserved.