# IPFuscation

{% hint style="warning" %}
Images are broken. I will fix when I have time.
{% endhint %}

## What the... <a href="#whatthe" id="whatthe"></a>

IPFuscation is a technique that allows for IP addresses to be represented in hexadecimal, octal, or a combination, instead of the decimal encoding that we are used to.

## What can we do? <a href="#whatcanwedo" id="whatcanwedo"></a>

Normal:\
`ping 45.54.123.21`

Hexadecimal + Decimal + Octal:\
`ping 0x2d.54.123.025`

Hexadecimal:\
`ping 0x2d367b15`

Hexadecimal with period symbol:\
`ping 0x2d.0x36.0x7b.0x15`

Hexadecimal with 0 padding:\
`ping 0x0000000002d.0x00000000036.0x00000007b.0x0000000015`

Decimal:\
`ping 758545173`

Octal:\
`ping 05515475425`

Octal with period symbol:\
`ping 055.066.0173.025`

Octal with 0 padding:\
`ping 000000055.000066.000000173.0000000025`

As we can see, there are many ways to ping the same IP. For a moment, I wondered if this was just how Ping worked. However, given that this also works with `OpenURL`, I decided to try it with Cobalt Strike!

## GitHub <a href="#github" id="github"></a>

I wrote a script that automatically outputs a set of known formats for the same IP address that you specify. Hopefully it will be useful to some people!

<https://github.com/vysecurity/IPFuscator>

### Usage <a href="#usage" id="usage"></a>

```
python .\ipfuscator.py 127.0.0.1
IPFuscator
Author: Vincent Yiu (@vysecurity)
https://www.github.com/vysec/IPFuscator
Version: 0.1.0

IP Address:     127.0.0.1

Decimal:        2130706433
Hexadecimal:    0x7f000001
Octal:          017700000001

Full Hex:       0x7f.0x0.0x0.0x1
Full Oct:       0177.0.0.01

Random Padding:
Hex:    0x000000000000000007f.0x00000000000000000000.0x0000000000000000000.0x0000000000000000000001
Oct:    0000000000000000000000000177.000000000000000.0000000000000000000000.0000000000000000000000000000001
Random base:
#1:     0x7f.0x0.0.1
#2:     127.0.0x0.0x1
#3:     0177.0x0.0.1
#4:     0x7f.0.0.1
#5:     127.0x0.0x0.1

Random base with random padding:
#1:     0x0000000007f.0.0000000000.00000000000001
#2:     0x000000000007f.0x0000000000000000000000.0x00000000000000.0x00000000001
#3:     00000000000000000000000177.0x00000000.000000000000000.00000000000000000000000001
#4:     000000000000000177.0.0.1
#5:     127.0000000000000000000000.00000000000000.0x0000000000001
```

## Cobalt Strike <a href="#cobaltstrike" id="cobaltstrike"></a>

Although I rarely use IP addresses compared to hostnames when it comes to connecting to resources, we know for a fact that many threat actors do. In some cases you may want to resort to using IP addresses and this technique can add a bit of flavor to the mix.

To use this technique in Cobalt Strike, you simply create a listener like you normally would. Let's say my IP was `45.54.123.21`; run IPFuscator against it as shown below:

![ConEmu64\_2018-05-19\_19-48-55](https://vincentyiu.co.uk/content/images/2018/05/ConEmu64_2018-05-19_19-48-55.png)

You can immediately take this information and use any of these representations in your listener address. For example:\
![javaw\_2018-05-19\_19-50-52](https://vincentyiu.co.uk/content/images/2018/05/javaw_2018-05-19_19-50-52.png)

![javaw\_2018-05-19\_19-51-36](https://vincentyiu.co.uk/content/images/2018/05/javaw_2018-05-19_19-51-36.png)

Generate a payload as you would normally, and it all works fantastically!

You could even mix it up a bit:

![javaw\_2018-05-19\_20-02-44](https://vincentyiu.co.uk/content/images/2018/05/javaw_2018-05-19_20-02-44.png)

## Cobalt Strike Aggressor Script <a href="#cobaltstrikeaggressorscript" id="cobaltstrikeaggressorscript"></a>

I also wrote a Cobalt Strike Aggressor Script that adds a `ping` command: it converts the IP you give it to its hexadecimal equivalent and then runs ping with that address. If you want to use it, you can obtain the script from my [Aggressor repository](https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna). This was released back in 2017.

## Conclusion <a href="#conclusion" id="conclusion"></a>

IPFuscation is not an advanced technique. However, it can be used to:

1. potentially break regex rules in command-line logging that look for IP addresses, e.g. when you issue a command such as `ping 0055.0x0036.000173.0x0015`
2. obfuscate C2 location strings that would otherwise sit unobfuscated / unencrypted in cleartext within the payload
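On the detection side, the fix for point 1 is to normalise every inet_aton-style token back to dotted-decimal before any IP regex or blocklist is applied. The following is an added example (not code from the post or from IPFuscator) that parses all the formats listed above, including fewer-than-four-part forms, and flags command lines whose address is not written in plain dotted-decimal; the sample log lines are constructed, and the 8-digit threshold for bare decimals is an assumption chosen so that plain small integers are not treated as addresses.

```python
import re
# One inet_aton part: 0x-prefixed hex, 0-prefixed octal, or decimal (any zero padding).
_PART = r"(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)"
# Candidates: a dotted token of 2-4 parts, a dotless hex/octal literal, or a bare
# decimal of 8+ digits (anything below 2**24 would decode to 0.x.x.x, so skip it).
_CANDIDATE = re.compile(
    rf"(?<![\w.]){_PART}(?:\.{_PART}){{1,3}}(?![\w.])"
    r"|(?<![\w.])(?:0[xX][0-9a-fA-F]+|0[0-7]+|[1-9][0-9]{7,})(?![\w.])"
)

def _part_value(part):
    """Decode one part as inet_aton does: 0x = hex, leading zero = octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def normalize_ipv4(token):
    """Canonical dotted-decimal for an inet_aton-style token, or None if invalid.
    With fewer than four parts the last part fills the remaining low bytes
    (a.b.c -> c is 16 bits, a.b -> b is 24 bits, a alone is all 32 bits)."""
    parts = token.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (5 - len(parts))):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (24 - 8 * i)
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def find_obfuscated_ips(line):
    """(token, canonical) pairs for every address in a log line that is not already
    plain dotted-decimal; match detection rules against the canonical form."""
    pairs = [(m.group(0), normalize_ipv4(m.group(0))) for m in _CANDIDATE.finditer(line)]
    return [(tok, ip) for tok, ip in pairs if ip and ip != tok]

# Constructed sample command lines (not from the post's screenshots).
SAMPLE_LOG = ["ping 45.54.123.21", "ping 0x2d.54.123.025", "ping 0x2d367b15",
              "curl http://758545173/", "ping 0055.0x0036.000173.0x0015"]
for entry in SAMPLE_LOG:
    print(entry, "->", find_obfuscated_ips(entry))
```

Every token that maps to a canonical form can then be checked against the same regex or blocklist that the plain dotted-decimal notation already hits.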

According to inphosys on Reddit, the proxy sees the regular decimal IP address notation:

![chrome\_2018-05-19\_21-00-19](https://vincentyiu.co.uk/content/images/2018/05/chrome_2018-05-19_21-00-19.png)

To keep it simple, make the use of IPs cool again! :)
