__________________________________________________________________________________
Domain Name Robbery (aka Domain-Jacking): A Flaw in InterNIC's Authentication Scheme
----------------------------------------------------------------------------------
By Lucifer Mirza (lucifermirza@hotmail.com)
___________
Disclaimer:
-----------
The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC's domain name handling system, and it is intended for education. Any abuse of the information, in whole or in part, is NOT my responsibility, nor do I encourage illegal activities.

The technique described below is a planned, step-by-step way of stealing different sorts of com/net/org/gov/mil domain names.
______
Tools:
------
* An anonymous remailer or mail bomber that can spoof email addresses (I used Kaboom).
* Access to the Internet, mainly the networksolutions.com website.
* Social engineering skills for timing the emails.
* A fake email address at hotmail.com or any other free service.
____________
Instructions:
------------
As an example for this advisory, I will take the domain name wi2000.org.

Go to networksolutions.com and click on the link that says 'Who Is.' Now enter the domain name (wi2000.org in this case) in the search field and click on the 'Search' button. This shows you the WhoIs information, as below:
___________________________________________________________
Registrant:
WI2000 (WI24-DOM)
Blixered 1
Goteborg, Lila Edet 46394
SE
Domain Name: WI2000.ORG
Administrative Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Technical Contact, Zone Contact:
Jason, Berresford (BJE41) jasonb@MOUNTAINCABLE.NET
1-(905)-765-5212
Billing Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Record last updated on 22-Jan-2000.
Record created on 19-Dec-1999.
Database last updated on 3-Feb-2000 14:29:53 EST.
Domain servers in listed order:
NS1.CAN-HOST.COM 24.215.1.6
NS2.MOUNTAINCABLE.NET 24.215.0.12
____________________________________________________________
Now you have two choices here:

-01> Either you take full control of the domain by changing the administrative contact's handle information,
OR
-02> You simply point the domain to another host and let it recover by itself in time.

The first approach is very aggressive and could be hazardous if you are going after gov or mil domain names, so I recommend the second approach for gov and mil domains.
___________________________
Initiating the First Attack:
---------------------------
Let me first explain the InterNIC authentication system, since many readers will not have their own domain names.

The problem with InterNIC authentication is that under the MAIL-FROM scheme they do NOT send a confirmation email if the request appears to come from the same email address as the person owning the contact or the domain name itself. The only thing examined is the From: address of the request, and nothing in SMTP authenticates that header. Therefore, utilizing this flaw, one can spoof anyone's email address and change any domain name's information.

A confirmation is still required from the person to whom the domain is about to be transferred, but that shouldn't be too hard, as it would be your own email address ;-)
Here's a step by step procedure:
- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- Next screen would have a heading 'Select the form that meets your needs'
- Click on the link that says 'Contact Form'
- Next you should see a form with 2 fields.
- In the first field enter the admin's handle (wi2000.org's admin is AMM367)
- In the next field enter his/her email address (in this case it's HACKEDINDUSTRIES@HOTMAIL.COM)
- Change the option to 'Modify.'
- Now 'Proceed to Contact Information.'
- Select the MAIL-FROM option and click 'Go on to Contact Data Information.'
- Now you should see all the information about the admin contact of the domain name!
- In the E-mail address field change the email to your own fake email. (I changed it to dd@doom.com)
- Now 'Proceed to Set Authorization Scheme.'
- Again choose MAIL-FROM and enter the email address of the admin (HACKEDINDUSTRIES@HOTMAIL.COM)
- Leave the bottom option at 'No' and click 'Generate Contact Form.'
- Now you should see a template with all the information, similar to this:
______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions *******************

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________
_____
NOTE:
Do NOT press the button at the bottom that says 'Mail this contact form to me!'
-----
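The MAIL-FROM check described above, simulated in Python as an added example. This is not code from the advisory or from Network Solutions, whose real implementation is not shown on this page; it models only what the text says the scheme does: compare the From: address of the request with the e-mail address on record for the contact. The template text is a constructed copy of the Contact Form generated in the steps above, and `hardened_decision` is this editor's sketch of the obvious fix (never short-circuit on the header), not anything the page attributes to the registrar.

```python
import re
from email.utils import parseaddr

# Constructed copy of the Contact Form template generated in the steps above.
CONTACT_TEMPLATE = """\
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1l. E-Mailbox...............: dd@doom.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
"""

# "0a. (N)ew (M)odify (D)elete.: Modify" -> key "0a", label "...", value "Modify"
FIELD_RE = re.compile(r"^(?P<key>\d[a-z]?)\.\s+(?P<label>[^.:]+?)\.*:\s*(?P<value>.*)$")


def parse_contact_template(text):
    """Map template field numbers (0a, 1l, 3b, ...) to their values."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["key"]] = m["value"].strip()
    return fields


def mail_from_decision(fields, from_header, on_record_email):
    """Simulate MAIL-FROM authorization as the advisory describes it.

    Returns (authorized, notes). The only credential examined is the From:
    header of the request, accepted when it equals the contact's address on
    record. Nothing in SMTP vouches for that header, so a forged From: is
    indistinguishable from the real owner's mail. The notes list what the
    request changes, which is what a reviewer would want flagged.
    """
    scheme = fields.get("0b", "").upper()
    if scheme != "MAIL-FROM":
        return False, [f"request uses auth scheme {scheme or '(none)'}, not MAIL-FROM"]
    on_record = on_record_email.lower()
    sender = parseaddr(from_header)[1].lower()
    if sender != on_record:
        return False, [f"From: {sender} does not match on-record address {on_record}"]
    notes = []
    new_mailbox = fields.get("1l", "").lower()
    if new_mailbox and new_mailbox != on_record:
        notes.append(f"E-Mailbox for {fields.get('1a')} moves from {on_record} to "
                     f"{new_mailbox}; later notices about this contact go there")
    future_auth = fields.get("3b", "").lower()
    if fields.get("3a", "").upper() == "MAIL-FROM" and future_auth and future_auth != new_mailbox:
        notes.append(f"future MAIL-FROM auth stays keyed to {future_auth}, "
                     "which no longer matches the contact mailbox")
    return True, notes


def hardened_decision(fields, on_record_email):
    """Editor's sketch of the fix: the From: header decides nothing.

    Every Modify is held until a challenge sent to the address on record is
    answered; a spoofed From: gains nothing because the spoofer does not
    read that mailbox.
    """
    return {"authorized": False,
            "pending_challenge_to": on_record_email.lower(),
            "handle": fields.get("1a")}


if __name__ == "__main__":
    fields = parse_contact_template(CONTACT_TEMPLATE)
    # The request as the advisory sends it: From: forged to the admin's address.
    print(mail_from_decision(fields, "HACKEDINDUSTRIES@HOTMAIL.COM", "HACKEDINDUSTRIES@HOTMAIL.COM"))
    # Same request sent honestly from the attacker's own address.
    print(mail_from_decision(fields, "dd@doom.com", "HACKEDINDUSTRIES@HOTMAIL.COM"))
    print(hardened_decision(fields, "HACKEDINDUSTRIES@HOTMAIL.COM"))
```

Run as a script, the first call authorizes the forged request and reports that the contact mailbox is about to move to dd@doom.com; the second is refused only because the attacker told the truth in the From: line.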
Copy and paste this message into your anonymous remailer or mailbomber and you are ready to go; but WAIT! It's not that easy; now comes the HARD part!

When you mail this message to hostmaster@networksolutions.com, a message similar to the following is sent to the admin email address:
____________________________________
Subject: [NIC-000128.4r50] Your Mail
__________________________________________________________________________
This is an automatic reply to acknowledge that your message has been received by hostmaster@networksolutions.com. This acknowledgement is "NOT" a confirmation that your request has been processed. You will be notified when it has been completed.

If you should have need to correspond with us regarding this request, please include the tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply to this message.

If you have not already done so, please come and visit our site via www browser or ftp and pick-up the latest domain template or review the Domain Name Registration Service Agreement at the URL's:

Domain Name Registration Service Agreement
http://www.networksolutions.com/legal/service-agreement.html

Domain Name Registration Template
ftp://www.networksolutions.com/templates/domain-template.txt

Regards,
Network Solutions Registration Services

***********************************************
***********************************************
IMPORTANT INFORMATION
***********************************************

On January 15, 2000, Network Solutions introduced Service Agreement, Version 6.0. All versions of the Service Agreement template will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement, Version 6.0 template located at ftp://www.networksolutions.com/templates/domain-template.txt for all template requests.

The terms and conditions of the Service Agreement are available on our Web site at http://www.networksolutions.com/legal/service-agreement.html.
************************************************

The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times will be included in that 12-hour zone file update and will normally begin to take effect within 5-6 hours.

Should you wish to modify or delete an existing domain name registration, you can do so online, using our Service Agreement. You can change the registrant's address, replace a contact/agent with a different contact/agent, or change primary and/or secondary name server information.

To update information about an existing contact, such as postal address, e-mail address or telephone number, complete and submit the Contact Form to hostmaster@internic.net. This form is available on our Web site at www.networksolutions.com

To register or update information about a name server, complete and submit the Host Form to hostmaster@internic.net. This form is also available on our Web site.

Network Solutions Registration Services
e-mail: help@networksolutions.com
_______________________________________________________________________
You should now be thinking that this message could get you in trouble, but there is a way of getting rid of this trouble. Here you'll use your mailbomber to mailbomb the guy with 20-30 similar messages if you want your attack to be successful. The person would see those 20-30 messages from the same address and therefore would delete all of them, and you'd probably be safe. If he 'would' email someone, then he would probably reply to the wrong tracking number.

In the above case, the tracking number is [NIC-000128.4r50]. OK, here is another hard part. You have to open your notepad and make up similar-looking numbers yourself. You should NEVER mailbomb the person with the same tracking number. What I mean is that you should never send him more than one email carrying [NIC-000128.4r50]; in the next email, change [NIC-000128.4r50] to [NIC-000127.5089] or something different. Here is a list of some numbers that I generated, just to give you a good idea of how the scheme works.

[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]

_____
NOTE:
Remember to change the number in both places: in the subject as well as in the email body!
-----
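The flood just described, seen from the recipient's mailbox. This is an added example, not code from the advisory: it parses a constructed batch of 'Your Mail' acknowledgements in the format quoted above, groups them by sender, collects every tracking number, and flags two things the text gives away. Many acknowledgements from one sender in a short window are cover traffic for a change request the recipient never sent, and a copy whose subject and body carry different tracking numbers is exactly the slip the NOTE above warns the forger about. The message texts, dates and the one mismatched pair are constructed for the example; the sender address and tracking-number format are taken from the page.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Tracking numbers on this page all look like [NIC-000128.4r50].
TRACK_RE = re.compile(r"\[(NIC-\d{6}\.[0-9a-z]{4})\]")


def _ack(tracking_subject, tracking_body, date):
    """Build one constructed acknowledgement in the shape of the NSI reply quoted above."""
    return (f"From: hostmaster@internic.net\n"
            f"To: HACKEDINDUSTRIES@HOTMAIL.COM\n"
            f"Date: {date}\n"
            f"Subject: [{tracking_subject}] Your Mail\n\n"
            "This is an automatic reply to acknowledge that your message has been\n"
            "received by hostmaster@networksolutions.com. If you should have need to\n"
            "correspond with us regarding this request, please include the tracking\n"
            f"number [{tracking_body}] in the subject.\n")


# Constructed sample: six acknowledgements in twenty minutes; the fourth one
# has different numbers in subject and body (a forger who changed only one).
SAMPLE_ACKS = [
    _ack("NIC-000128.4r50", "NIC-000128.4r50", "Fri, 28 Jan 2000 14:01:00 -0500"),
    _ack("NIC-000127.5089", "NIC-000127.5089", "Fri, 28 Jan 2000 14:04:00 -0500"),
    _ack("NIC-000128.4rg7", "NIC-000128.4rg7", "Fri, 28 Jan 2000 14:07:00 -0500"),
    _ack("NIC-000128.523f", "NIC-000127.53d0", "Fri, 28 Jan 2000 14:11:00 -0500"),
    _ack("NIC-000129.r609", "NIC-000129.r609", "Fri, 28 Jan 2000 14:15:00 -0500"),
    _ack("NIC-000128.3f6y", "NIC-000128.3f6y", "Fri, 28 Jan 2000 14:21:00 -0500"),
]


def triage_acks(raw_messages, burst=5, window_seconds=3600):
    """Group acknowledgements by sender and report what the recipient must keep.

    Every tracking number is a change request the registrar believes came from
    you. Deleting the pile is precisely what the forger is counting on, so the
    report lists all of them for follow-up instead of trying to pick one.
    """
    by_sender = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        subj_ids = set(TRACK_RE.findall(msg.get("Subject", "")))
        body_ids = set(TRACK_RE.findall(msg.get_payload()))
        by_sender[sender].append({
            "when": parsedate_to_datetime(msg["Date"]),
            "ids": subj_ids | body_ids,
            "mismatch": subj_ids != body_ids,   # subject and body disagree: forged copy
        })
    report = {}
    for sender, acks in by_sender.items():
        times = sorted(a["when"] for a in acks)
        span = (times[-1] - times[0]).total_seconds()
        report[sender] = {
            "count": len(acks),
            "tracking_numbers": sorted(set().union(*(a["ids"] for a in acks))),
            "mismatched": sum(a["mismatch"] for a in acks),
            "flood": len(acks) >= burst and span <= window_seconds,
        }
    return report


if __name__ == "__main__":
    for sender, r in triage_acks(SAMPLE_ACKS).items():
        print(sender, r)
```

The quoted NSI reply carries nothing beyond the subject and body, so the example does not pretend to tell a genuine acknowledgement from a forged one by content; its output is the list of numbers to take up with the registrar, plus the count of copies that betray themselves.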
In the case of wi2000.org you will send the email messages to HACKEDINDUSTRIES@HOTMAIL.COM from hostmaster@internic.net. The message subject and body are already described above. Stop after you have mailed him/her 10-15 messages! Now it's time to email hostmaster@networksolutions.com with our fake From address, HACKEDINDUSTRIES@HOTMAIL.COM.

So again, in this case the message will be sent to hostmaster@networksolutions.com from HACKEDINDUSTRIES@HOTMAIL.COM, with the following template that we created above:
______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions *******************

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________
_____
NOTE:
Do NOT put anything in the Subject!
-----
Just send one email! Do NOT bomb hostmaster@networksolutions.com with more than one email!!

That's pretty much it. Now continue to bomb HACKEDINDUSTRIES@HOTMAIL.COM, changing the tracking number every time, until your 30-35 tracking numbers are used up!

Now all you gotta do is WAIT. After 24 hours you can go and change the domain information, and no one will be there to stop you, because now you are the admin of the domain name!

_____
NOTE:
This attack will only work on domains that have an admin contact different from their technical contact!
-----
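A check for the precondition just stated, written for the domain holder's side rather than the attacker's. It is an added example, not the advisory's code: given a WhoIs record in the format shown earlier on this page, it lists each role's handle and e-mail address, then reports whether the administrative and technical contacts are separate people (the advisory's stated condition for the first attack) and which address a forger would have to put in the From: line. The record text is a constructed copy of the wi2000.org lookup above.

```python
import re

# Constructed copy of the WhoIs output shown earlier on this page.
WHOIS_RECORD = """\
Registrant:
WI2000 (WI24-DOM)
Blixered 1
Goteborg, Lila Edet 46394
SE

Domain Name: WI2000.ORG

Administrative Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Technical Contact, Zone Contact:
Jason, Berresford (BJE41) jasonb@MOUNTAINCABLE.NET
1-(905)-765-5212
Billing Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445

Record last updated on 22-Jan-2000.
Record created on 19-Dec-1999.
Database last updated on 3-Feb-2000 14:29:53 EST.

Domain servers in listed order:
NS1.CAN-HOST.COM 24.215.1.6
NS2.MOUNTAINCABLE.NET 24.215.0.12
"""

# "MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM" -> name, handle, email.
# The phone line that follows each contact has no '@' and so never matches.
CONTACT_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s+(?P<email>\S+@\S+)$")


def parse_whois(text):
    """Parse the NSI WhoIs layout into domain, per-role contacts and name servers."""
    record = {"domain": None, "contacts": {}, "nameservers": []}
    pending_roles, in_servers = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        if lowered.startswith("domain name:"):
            record["domain"] = line.split(":", 1)[1].strip().lower()
        elif lowered.startswith("domain servers"):
            in_servers = True
        elif in_servers:
            host, *addr = line.split()
            record["nameservers"].append((host.lower(), addr[0] if addr else None))
        elif line.endswith("Contact:"):
            # "Technical Contact, Zone Contact:" names two roles for one person
            pending_roles = [r.strip().lower().replace(" contact", "")
                             for r in line[:-1].split(",")]
        elif pending_roles:
            m = CONTACT_RE.match(line)
            if m:
                entry = {"name": m["name"], "handle": m["handle"], "email": m["email"].lower()}
                for role in pending_roles:
                    record["contacts"][role] = entry
            pending_roles = []
    return record


def mail_from_exposure(record):
    """Apply the advisory's precondition: does the first attack's note hold for this domain?"""
    c = record["contacts"]
    admin, tech = c.get("administrative"), c.get("technical")
    if not (admin and tech):
        return {"domain": record["domain"], "assessable": False}
    separate = admin["handle"] != tech["handle"]
    return {
        "domain": record["domain"],
        "assessable": True,
        "admin_handle": admin["handle"],
        "tech_handle": tech["handle"],
        "spoofed_address": admin["email"],   # the From: a forged Contact Form would carry
        "separate_contacts": separate,
        "verdict": ("admin and technical contacts differ: the first attack's precondition holds"
                    if separate else
                    "admin is also the technical contact: first attack blocked, second still possible"),
    }


if __name__ == "__main__":
    rec = parse_whois(WHOIS_RECORD)
    for role, who in rec["contacts"].items():
        print(f"{role:14s} {who['handle']:8s} {who['email']}")
    print(mail_from_exposure(rec))
```

For the record on this page the verdict is that the administrative (AMM367) and technical (BJE41) contacts are different handles with different mailboxes, which is exactly the situation the NOTE above says the first attack needs.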
____________________________
Initiating the Second Attack:
----------------------------
This attack will be successful even if the technical and admin contacts are the same, but the admin contact needs to be kind of stupid to disregard emails from InterNIC, as he is also the technical contact; but this method should work, as it has worked for me.

The procedure is basically the same, apart from the fact that this time:
- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- Next screen would have a heading 'Select the form that meets your needs'
- Click on the link that says 'Service Agreement.'
- Now when it asks for an email address, enter your own.
- Now you should see many fields; don't panic!
- Go to the technical contact and change the handle to freeservers, hypermart, etc.
- Now come to 'Nameserver Information.'
- Change the nameservers to hypermart or freeserver nameservers.
- If there's anything in the 'Optional Information' after that, then simply delete it.
- Click on the button 'Submit this form for processing.'
- You are done; the form will be emailed to your email address.
- When the form arrives in your email, simply take this part:
___________________________________________________________________________________
**** PLEASE DO NOT REMOVE Version Number or any of the information below
when submitting this template to hostmaster@networksolutions.com. *****
Domain Version Number: 5.0
********* Email completed agreement to hostmaster@networksolutions.com *********

AGREEMENT TO BE BOUND. By applying for a Network Solutions' service(s) through our online application process or by applying for and registering a domain name as part of our e-mail template application process or by using the service(s) provided by Network Solutions under the Service Agreement, Version 5.0, you acknowledge that you have read and agree to be bound by all terms and conditions of this Agreement and any pertinent rules or policies that are or may be published by Network Solutions. Please find the Network Solutions Service Agreement, Version 5.0 located at the URL http://www.networksolutions.com/legal/service-agreement.html.
[ URL ftp://www.networksolutions.com ]
[11/99]

Authorization
0a. (N)ew (M)odify (D)elete.........: M Name Registration
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:
1.