Sunday, February 27, 2011

Domain Stealing

SOURCE and more info at: www.darknet.org.uk

The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC’s domain name handling system and is intended for educational use only. Since this is public knowledge, it should also be in everyone’s reach.

THIS DOCUMENT SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY

Required ingredients:
-Anonymous remailer or mail bomber that can spoof email addresses.
-Social Engineering skills for timing the emails.
-A fake email address at hotmail.com or any other free service.

Exploit:
As an example for this advisory, we will take the domain name example.org. Go to http://www.networksolutions.com and click on the link that says ‘Who Is.’ Now enter the domain name (example.org in this case) in the search field and click on the ‘Search’ button. This will show you the WhoIs information, which will be similar to the one shown below:

Registrant:
Example (ex24-DOM)

Address details

Domain Name: EXAMPLE.ORG

Administrative Contact,
Technical Contact, Zone Contact,
Billing Contact:
DOMAIN, ADMIN (ADM001)
ADMINEMAIL@EXAMPLE.COM

Record last updated on 00-Jan-2000.
Record created on 00-Jan-2000.
Database last updated on 3-Feb-2000 14:29:53 EST.

Domain servers in listed order:

NS1.EXAMPLE.COM 1.2.3.4
NS2.EXAMPLE.NET 1.2.3.5

Now you have two choices:
1) Either you could take full control of the domain by changing the Administrator’s handle information, or
2) You could simply point the domain to another host and let it recover in time by itself.

Initiating the First Attack:

Let us first explain the InterNIC authentication system, in case most of the readers are people who do not have their own domain names. The problem with InterNIC authentication is that they do NOT send a confirmation email if the request is sent from the same email as the person owning the contact or the domain name itself! Therefore, utilizing this flaw, one could spoof anyone’s email address and change any domain name’s information.
Although a confirmation is required from the person to whom the domain is about to be transferred, that shouldn’t be too hard, as it would be your own email address.

Here’s a step-by-step procedure:
-Go to http://www.networksolutions.com/
-Click on the link that says ‘Make Changes.’
-Enter the domain name example.org
-You should be presented with 2 blue buttons
-Click on the one that says *Expert*
-The next screen will have the heading ‘Select the form that meets your needs’
-Click on the link that says ‘Contact Form’
-Next you should see a form with 2 fields.
-In the first field enter the admin’s handle (example.org admin is ADM001)
-In the next field enter his/her email address (in this case it’s ADMINEMAIL@EXAMPLE.COM)
-Change the option to ‘Modify.’
-Now ‘Proceed to Contact Information.’
-Select the MAIL-FROM option and click ‘Go on to Contact Data Information.’
-Now you should see all the information about the admin contact of the domain name!
-In the E-mail address field change the email to your own fake email (in this case it’s evil@domain.com)
-Now ‘Proceed to Set Authorization Scheme.’
-Again choose MAIL-FROM and enter the email address of the admin (ADMINEMAIL@EXAMPLE.COM)
-Leave the bottom option at ‘No’ and ‘Generate Contact Form.’

Now you should see a template with all the information. Similar to this:
******** Please DO NOT REMOVE Version Number ********

Contact Version Number: 1.0

******** Please see attached detailed instructions ********

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO

NOTE: Do NOT press the button at the bottom that says ‘Mail this contact form to me!’
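A registrar-side check for the pattern this advisory describes, added here as an example (it is not code from the advisory or from this blog). It parses the numbered template format shown above and assumes the checker knows the e-mail currently on file for the handle; the sample template is constructed from the one in the post.

```python
import re

# Constructed sample: the Modify template from the advisory above, with
# the attacker-supplied mailbox in field 1l and MAIL-FROM as the scheme.
SAMPLE_TEMPLATE = """\
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: ADM001
1c. Name....................: DOMAIN, ADMIN
1l. E-Mailbox...............: evil@domain.com

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
"""

# "1l. E-Mailbox...............: value" -> key "1l", value "value"
FIELD_RE = re.compile(r"^(\d[a-z])\.\s+.*?\.*:\s*(.*)$")


def parse_template(text):
    """Map template field keys (e.g. '0b') to their values."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def assess(template, on_file_email):
    """Findings to raise before applying a Modify request, given the
    e-mail currently on file for the handle (assumed known here)."""
    f = parse_template(template)
    findings = []
    new_email = f.get("1l", "").lower()
    if f.get("0a", "").lower() == "modify" and new_email \
            and new_email != on_file_email.lower():
        findings.append("contact e-mail changes to " + new_email)
    if "MAIL-FROM" in {f.get("0b", "").upper(), f.get("3a", "").upper()}:
        findings.append("MAIL-FROM scheme: sender address alone is the credential")
    return findings


def confirmation_targets(template, on_file_email):
    """Addresses that must acknowledge the change before it is applied.
    The fix for the flaw described: the mailbox on file is always asked,
    even when the request's From: header already matches it."""
    targets = {on_file_email.lower()}
    new_email = parse_template(template).get("1l", "").lower()
    if new_email:
        targets.add(new_email)
    return targets
```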
