Insidious forgery

November 14, 2020 Journal

First, the hacker registers a domain and puts an ordinary website at that address, for example https://www.vsecurelabs.co/. In the domain's DNS record he points the name at the IP address of his own PC, from which the attack will be carried out. As soon as the victim opens this resource, the victim's computer resolves the name to the IP address of the attacking machine and then tries to load the home page of the attacker's website. Heffner's Rebind utility, running on the hacker's computer, recognizes this request, records the victim's IP address and redirects the browser to a subdomain (in the example, https://www.vsecurelabs.co/). This makes the victim's computer send a new DNS request, this time for the subdomain. The Rebind program answers with two IP addresses: the victim's own IP address and the victim's IP address recorded in the previous step. The attacked PC then requests the content of the website, now from the subdomain https://www.vsecurelabs.co/. At this point the hacker delivers the special Rebind program to the victim and blocks all further HTTP connections to the attacking computer on port 80.

The JavaScript then sends a new request to https://www.vsecurelabs.co/, which is refused because it targets the blocked port 80. Since the connection to the first IP address fails, the victim's computer falls back to the second address it received from the cracker. That IP is the address of the victim's own router, so the attacked PC opens an internal connection to it.

The hacker's computer can now reach the router through the attacked machine by sending control commands to the JavaScript program embedded on the affected PC. For this, the script keeps a connection to the hacker's website in addition to its connection to the router. As a result, the attacked PC believes each time that it is talking to the https://www.vsecurelabs.co/ resource rather than to its own router. The hacker sends his control commands through his website, but over port 81 (port 80, after all, remains blocked). The subdomain https://www.vsecurelabs.co/ is bound to the external IP address of the victim's computer, and this gives the cracker access to the router's web interface.
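Two defender-side checks against the rebinding sequence described above, as an added example that is not part of the original article or of the Rebind tool: a resolver-side filter that drops answers pointing a public name back into the local network (including the victim's own public address, which plain RFC 1918 filtering would miss), and the Host-header validation a router's web interface should perform. The addresses, the router host list and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample: the two A records the article says Rebind returns for the
# subdomain (attacker-controlled placeholder address and the victim's own public
# address). Both are documentation-range addresses, not real hosts.
REBIND_ANSWER = ["203.0.113.10", "198.51.100.25"]
VICTIM_PUBLIC_IP = "198.51.100.25"          # assumed: the router's WAN address
ROUTER_HOSTNAMES = {"router.lan", "192.168.1.1", VICTIM_PUBLIC_IP}  # assumed

# Networks that a public hostname should never resolve to from inside the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal_target(addr: str, own_public_ip: str) -> bool:
    """True if a resolved address points back into the victim's network.

    The second Rebind address is the victim's *public* IP, so the check must
    include it explicitly; a private-range test alone would let it through.
    """
    ip = ipaddress.ip_address(addr)
    return addr == own_public_ip or any(ip in net for net in INTERNAL_NETS)


def filter_dns_answer(records, own_public_ip):
    """Split an A-record answer into (kept, dropped) records.

    Dropped records are the ones that would rebind the name onto the LAN.
    """
    dropped = [r for r in records if is_internal_target(r, own_public_ip)]
    kept = [r for r in records if r not in dropped]
    return kept, dropped


def host_header_ok(host_header: str, allowed_hosts) -> bool:
    """Router-side check: serve a request only if Host names the router itself.

    A rebound request still carries the attacker's domain in Host, so the
    router can refuse it even though the TCP connection came from the LAN.
    """
    host = host_header.split(":", 1)[0].strip().lower()
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    print(filter_dns_answer(REBIND_ANSWER, VICTIM_PUBLIC_IP))
    print(host_header_ok("www.vsecurelabs.co", ROUTER_HOSTNAMES))
    print(host_header_ok("192.168.1.1:80", ROUTER_HOSTNAMES))
```

The Host check is the one that actually stops the final step: the rebound connection to the router's WAN address arrives with the attacker's domain in the Host header, which the router should never accept as its own.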