After learning more about homoglyphs from eWPTX, I’d like to cover a homoglyph phishing attack.
While homoglyphs can often be used for filter/WAF avoidance, they can also be used for phishing attacks.
For instance, take the following Gmail URL.
https://mail.google.com/mail/u/0/#inbox
This is a standard URL, and one that you might see in your browser if you logged into Gmail. That said, by the end of this post, you’ll hopefully look a little closer next time you see it.
For those of you who have never dealt with homoglyphs before, the Wikipedia article on homoglyphs is a great start.
That said, there are a number of tools available for using them in attacks.
Some systems will try to convert them back to the “normal” ASCII characters after the input has already been checked, which is where the filter bypass comes into play.
For example, the following might bypass a filter looking for less-than and greater-than characters, but be interpreted as the proper XSS vector.
≪script≫alert(1)≪/script≫
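The following is an added example, not code from the original post, that shows the mechanism described above: a filter that only looks for ASCII < and >, sitting in front of a backend that folds compatibility characters with Unicode NFKC normalization. The payloads are constructed here. The fullwidth pair U+FF1C/U+FF1E is folded to <> by NFKC, while the ≪ ≫ pair from the example above (U+226A/U+226B) has no NFKC mapping, so whether it ends up "interpreted as the proper XSS vector" depends on the target having its own lookalike mapping; that is the thing to check before relying on it. The hardened check normalizes before filtering.

```python
import unicodedata

# Constructed sample inputs: the ASCII payload, a fullwidth homoglyph version,
# and the "much less-than / much greater-than" pair used in the example above.
PAYLOADS = {
    "ascii": "<script>alert(1)</script>",
    "fullwidth": "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E",   # U+FF1C / U+FF1E
    "much_lt_gt": "\u226Ascript\u226Balert(1)\u226A/script\u226B",  # U+226A / U+226B
}


def naive_filter_blocks(value):
    """The weak check: looks for ASCII angle brackets in the raw input only."""
    return "<" in value or ">" in value


def backend_fold(value):
    """What a normalizing backend does with the input later. NFKC folds
    compatibility characters such as fullwidth forms to their ASCII base;
    characters without a compatibility decomposition are left alone."""
    return unicodedata.normalize("NFKC", value)


def bypass_succeeds(value):
    """True when the raw value slips past the naive filter and still turns
    into real angle brackets once the backend folds it."""
    if naive_filter_blocks(value):
        return False
    folded = backend_fold(value)
    return "<" in folded and ">" in folded


def hardened_filter_blocks(value):
    """The fix: fold exactly as the backend does, then run the same check.
    If the backend uses its own lookalike map instead of NFKC, the filter
    must apply that same map first, or the gap simply moves."""
    return naive_filter_blocks(backend_fold(value))


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:11} naive blocks={naive_filter_blocks(payload)!s:5} "
              f"bypass={bypass_succeeds(payload)!s:5} "
              f"hardened blocks={hardened_filter_blocks(payload)}")
```

Run it and only the fullwidth payload both passes the naive filter and comes out of NFKC as a real script tag; the ≪ ≫ version passes the filter but stays harmless under NFKC, which is why you test the specific conversion the target performs rather than assuming any lookalike will be folded.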
Additionally, these homoglyphs can also be used in a variety of phishing attacks, one of which this post is about.
There are a bunch of tools for generating homoglyph strings, but I’ll cover a few that I’ve found the most useful.
Irongeek’s attack generator – this tool is super handy for seeing all the characters in one place. Additionally, you can easily copy and paste your generated strings. The biggest downside for me is that it doesn’t show the actual Unicode code points for these strings, which would be useful if you wanted to generate the strings programmatically or easily change them.
Codebox homoglyph list – this is a HUGE list of characters with a generator. I haven’t used the generator a ton yet, so let me know if you have. That said, I really like the raw_data/char_codes.txt file. I go to this file, look up the ASCII character I want to modify, and start trying other values from that line.
That said, when using homoglyphs, I’ve actually found a resource (as opposed to a tool) the most useful. The FileFormat Unicode list has every Unicode character, what it looks like, tests for it, and its value in various number systems.
Another piece of this puzzle is basic authentication via the URL. If you were not aware of it, you are actually able to pass a username and password directly in the URL.
For example, if my site supported it, you could login directly with this url:
http://username:password@r4y.pw
While basic, it is important to understand this for the final attack.
StackOverflow has posts that cover a bit more about how this works, including the fact that the credentials are only Base64-encoded (not encrypted) when the browser sends them in the Authorization header, and which browsers still support the form.
Finally, the Wikipedia section on URL syntax covers how a URL is structured, which we will need to know in order to break it.
In this case, we want to make an innocuous seeming URL point to something more malicious.
Again, we will start with our simple Gmail URL:
https://mail.google.com/mail/u/0/#inbox
root@kali:~# python -c 'print "https://mail.google.com/mail/u/0/#inbox"' https://mail.google.com/mail/u/0/#inbox
The first step is to replace the /’s and the # in the URL with lookalike characters: U+2044 FRACTION SLASH for / and U+FF03 FULLWIDTH NUMBER SIGN for #. This breaks the syntax mentioned earlier and points us somewhere different. A URL parser only recognizes the ASCII characters /, ? and # as the end of the authority (host) component, so with none of them present after https://, the entire remainder of the string is treated as one malformed host, rather than mail.google.com followed by a path and a fragment. The lookalike slashes and number sign cannot begin a path or fragment because, to the parser, they are just ordinary characters.
root@kali:~# python -c 'print u"https://mail.google.com\u2044mail\u2044u\u20440\u2044\uFF03inbox"' https://mail.google.com⁄mail⁄u⁄0⁄#inbox
As you can see, if you attempt to visit this URL in a browser, it does not resolve. In most cases your browser redirects you to your default search engine, as this is not even a valid URL at all.
Finally, let’s make our malformed URL malicious. To do that, we just need to add our payload to the end of it.
root@kali:~# python -c 'print u"https://mail.google.com\u2044mail\u2044u\u20440\u2044\[email protected]"' https://mail.google.com⁄mail⁄u⁄0⁄#[email protected]
While this looks like a slightly modified Gmail URL, a parser actually breaks it down into the following components:
Scheme: https
Username: mail.google.com⁄mail⁄u⁄0⁄＃inbox
Password: (blank)
Host: r4y.pw
As my r4y.pw site does not require authentication, the browser never sends that userinfo part of the URL, and my alert('XSS') fires off. In an actual attack scenario, I would replace the host with a phishing page that looked like Gmail in an attempt to steal credentials.
As you can see, it is still possible to create a “safe” looking URL that actually isn’t. In this case, we took a Gmail URL, replaced its delimiters with Unicode homoglyphs, and pointed it at our malicious site.
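To make the breakdown above concrete, here is an added example (not from the original post) that splits a URL the way the syntax section above defines it: only ASCII /, ? and # end the authority, and the last @ inside the authority separates userinfo from host. It also records what Python’s own urllib.parse does with the crafted URL: since Python 3.7.3, urlsplit() refuses a host whose NFKC form contains a URL delimiter (the fix for CVE-2019-9636). That catches the fullwidth ＃ but not the FRACTION SLASH, which has no NFKC mapping, so the example also carries a small hand-picked lookalike table of its own. The URLs and the table are constructed for this example; the table is an assumption, not an exhaustive list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: the Gmail URL and the homoglyph version from the post.
REAL_URL = "https://mail.google.com/mail/u/0/#inbox"
CRAFTED_URL = ("https://mail.google.com\u2044mail\u2044u\u20440\u2044"
               "\uFF03inbox@r4y.pw")

# Hand-picked non-ASCII characters that pass for URL delimiters (an assumption,
# not an exhaustive list; extend it from a homoglyph list such as those above).
DELIMITER_LOOKALIKES = {
    "\u2044": "/",  # FRACTION SLASH
    "\u2215": "/",  # DIVISION SLASH
    "\uFF0F": "/",  # FULLWIDTH SOLIDUS
    "\uFF03": "#",  # FULLWIDTH NUMBER SIGN
    "\uFF20": "@",  # FULLWIDTH COMMERCIAL AT
    "\uFF1A": ":",  # FULLWIDTH COLON
    "\u2236": ":",  # RATIO
}


def split_url(url):
    """Split a URL by the RFC 3986 rules the trick relies on.

    Only ASCII '/', '?' and '#' end the authority, and the last '@' in the
    authority separates userinfo from host:port. Lookalike characters are
    ordinary data, which is exactly why the crafted URL lands on r4y.pw.
    (Bracketed IPv6 hosts are not handled; not needed for this example.)
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected scheme://")
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1 and pos < end:
            end = pos
    authority, tail = rest[:end], rest[end:]
    userinfo, at, hostport = authority.rpartition("@")
    username = password = None
    if at:
        username, colon, password = userinfo.partition(":")
        if not colon:
            password = None
    host, _, port = hostport.partition(":")
    return {"scheme": scheme, "username": username, "password": password,
            "host": host, "port": port or None, "rest": tail}


def suspicious_delimiters(url):
    """Map each non-ASCII character in url that could pass for a delimiter to
    the ASCII delimiter it resembles: the lookalike table first, then NFKC
    (what IDNA and urlsplit use), which folds fullwidth forms but not much else."""
    found = {}
    for ch in url:
        if ch.isascii():
            continue
        if ch in DELIMITER_LOOKALIKES:
            found[ch] = DELIMITER_LOOKALIKES[ch]
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and any(d in folded for d in "/?#@:"):
            found[ch] = folded
    return found


def stdlib_rejects(url):
    """True if urllib.parse.urlsplit refuses the URL (its NFKC netloc check)."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in (REAL_URL, CRAFTED_URL):
        print(url)
        print("  parts           :", split_url(url))
        print("  lookalikes      :", {f"U+{ord(c):04X}": a
                                      for c, a in suspicious_delimiters(url).items()})
        print("  urlsplit rejects:", stdlib_rejects(url))
```

The practitioner’s takeaway from running it: split_url() reports r4y.pw as the host and the entire Gmail-looking prefix as the username, urlsplit() rejects the crafted URL only because of the fullwidth ＃, and a URL built with FRACTION SLASH alone would sail through an NFKC-only check, so any link-scanning logic needs its own lookalike table rather than trusting normalization.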
Note that you will want to verify your attack vector before trying this out. The reason for this is that the URL rendering/handling is different in various applications. That said, here are a few examples with their caveats:
Chrome will actually strip the username and password from the URL preview as well as after you visit the URL.
Slack recognizes this as an invalid URL, and cannot handle it at all.
Firefox does not modify the preview URL, but it does warn users of the URL that they are attempting to visit.
Edge is even more secure than Firefox in this case, as it won’t even allow you to visit the URL.
Finally, I suggest you play with this homoglyph phishing attack a bit more and try to come up with even more nefarious ideas or payloads. If you come up with any fun examples, then let me know!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.