How Domains Are Stolen
by Crim, Redomega
Network Solutions, Inc. (NSI) controls many of the .com, .net, and .org domain names on the Internet.
When you purchase a domain name, you are expected to supply them with three contacts for your domain: Administrative, Technical, and Billing. You are also supposed to supply each contact's name, address, phone number, and email address.
All of this information is kept in NSI's public WHOIS database: www.networksolutions.com/cgi-bin/whois/whois
Modifying a Domain
So you've registered your domain name with NSI, but you need to modify or update your contacts or name server address.
You simply go to www.networksolutions.com/makechanges and supply it with your domain name.
Fill out a "Host Form" for your domain and use the "Mail-From" authentication. This will email you the correct form to update your domain. When you receive this form in your email box, you are supposed to send it back to hostmaster@internic.net and it will check your email address with the one in its database to see if they match. If they do, your domain is updated.
Exploiting
Updating NSI's records using the "Mail-From" method is not very secure: the only thing it checks is the sender address on the email, and that address is trivial to forge.
The easiest way I have found to modify someone else's domain is to request a modify form from Network Solutions and save it to your hard drive. In that saved form you can change the blanks to whichever domain you wish to modify.
After making your changes to the form, the only remaining problem is getting the email sent from the technical contact's email address. This is easy to do. Look up the technical contact's address using the WHOIS database mentioned above.
Then you can use a somewhat well known trick to "spoof" your email address:
1.) Telnet into any mail server on port 25: telnet mail.server.com 25
2.) You should now be connected to the server's SMTP service. Give it false information by entering: HELO some.fake.website
3.) Now to tell the server who is sending the email, put in the technical contact's email address: MAIL FROM: address@server.com
4.) Now that the SMTP server knows who is sending the email, you need to tell the server to whom the email is being sent. Put in: RCPT TO: hostmaster@internic.net
5.) Now tell the server to start the body of the email: DATA
6.) Now you should paste your domain modify form into the Telnet session.
7.) To send the email type a period on an empty line.
8.) Then type: QUIT
This will send hostmaster@internic.net the domain modification form as if it came from the technical contact's email address, and it will process the form.
The only problem I see with this method is that hostmaster@internic.net sends two automatic emails to the technical contact's address.
The first is just an acknowledgment that it received the form, and the second reports that the changes have been made to the InterNIC database.
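As an added example (not part of the original article, and not NSI's actual code), here is a small Python model of the registrar-side check. It puts a Mail-From style check, which trusts nothing but the From: header, next to a check that accepts a returned form only if it carries an unguessable token bound to the domain, the contact and an expiry time, so a saved form re-pointed at a different domain is rejected. The domain names, addresses and the secret are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample WHOIS records (hypothetical domains, not from the page).
WHOIS = {
    "example.com": {"tech_email": "tech@example.com"},
    "example.net": {"tech_email": "tech@example.net"},
}

# Registrar-side secret used to sign form tokens (constructed; generated per process).
SERVER_SECRET = secrets.token_bytes(32)


def weak_mail_from_check(domain: str, headers: dict) -> bool:
    """Mail-From style: authorize if the From: header equals the WHOIS contact.
    The From: header is attacker-controlled, so this proves nothing about who sent it."""
    rec = WHOIS.get(domain)
    return rec is not None and headers.get("From", "").lower() == rec["tech_email"]


def issue_form_token(domain: str, tech_email: str, now: int, ttl: int = 3600) -> str:
    """Registrar side: embed this token in the form emailed to the contact.
    The MAC covers the domain, the contact and the expiry, so the token is
    only valid for the domain it was issued for and only for a limited time."""
    expires = int(now) + ttl
    msg = f"{domain}|{tech_email}|{expires}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def strong_form_check(domain: str, headers: dict, token: str, now: int) -> bool:
    """Accept a returned form only if its token was issued for this domain and
    its current WHOIS contact, and has not expired. The From: header is ignored:
    editing the domain blank in a saved form changes the MAC input and fails."""
    rec = WHOIS.get(domain)
    if rec is None:
        return False
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    msg = f"{domain}|{rec['tech_email']}|{expires}".encode()
    good = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, good)
```

The token approach still emails the form to the contact on record, so the contact mailbox remains the root of trust; what changes is that a copy of someone else's form, or a forged sender address, is no longer enough.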