Hacking Free ISPs Using WinDump
by rys
I'm writing this article to prove one rule. It's a bad idea to hard code passwords into software.
I've never done it, and I don't know anyone (intelligent anyway) who has. Some companies might consider information in the following article "trade secret." Sorry, but you shouldn't have hard coded your new user sign-up. Perhaps even set up the sign-on within a tunnel. Please, it's not beyond most concentrators and/or routers that run RADIUS to do such a thing. I imagine that after this article is published, free ISPs will have no choice but to do so, or disable the logins, which, in effect, will turn millions of CDs into coasters.
Anyway, now that I'm done ranting, I need to mention that the information and techniques in this article are for informational and educational purposes only. If some big company/corporation comes after you, don't come after me, and don't come after 2600. You have been warned. In fact, if you can't be responsible for using the information contained within this article, stop reading right now.
Still reading? Good.
If you don't have a Windows partition, take out that old 700 MB hard drive from the closet and dig up that Windows 95 CD from under those stacks of paper. You will need Windows 95/98/2000 installed. I suppose that, in the future, the free ISPs may try to disable the binding of the Network Driver Interface Specification (NDIS) to TCP/IP during authentication. There's always the option of using an external modem and capturing the data from the serial port, but that's another topic entirely.
Next, get a copy of WinDump installed. At the time this article was published, this link was valid: netgroup-serv.polito.it/windump.
You will need the NDIS packet capture driver and the executable. If you run the executable without the driver, your system will blue screen.
Next, log on to the Internet by your normal means. (You do have a legal account, don't you?) Download your favorite free ISP's software. Please be aware that I have personally tried this technique on 1stUP Internet services (AltaVista, Excite, etc.). I think they use CHAP. This article is about PAP. So you'll have to download software from perhaps BlueLight.com, or maybe NetZero.
Next, install the free ISP's software. Prepare for the packet capture. Bring up a DOS window. Make a directory for your project so that you can see only the files for this project. Now get ready to start up WinDump:
C:\> windump -s 4096 -w packet.dmp
Don't hit Enter yet. Now, start up your free ISP's software and pretend to be a new user.
I know some of these software packages require that you sign up on their web page. Ignore the username/password that you've been given and pretend that you received the software in the mail on CD or something. You should go so far as to actually sign up.
Starting up WinDump is as easy as switching to the DOS window and pressing Enter. When do you start WinDump, you ask? Good question. You start up WinDump when it appears to be calling a local access number to complete new user sign-up (not the 1-800 number to get the latest list of local access numbers, if your software does anything of the sort).
Once you've got the authentication packets and it starts to bring up the new user sign-up, you can stop the capture with a Ctrl-C.
You can view the dump in one of several ways. If you're looking to just try to find the password without any of the technicalities, open the file in a text editor. It'll be very scrambled, but you should be able to see the username/password in clear text (in most cases). This will take some guesswork. If you've gotten the username/password and that's all you wanted, you may choose to stop reading at this point. I'm about to go into the technicalities of packet analysis. Perhaps someone will actually go ahead and write a program to automatically snag the username and password out of a PAP packet.
I've used RFC 1334 (PPP Authentication Protocols) as a reference for this project. To get packet data for analysis, run the following command:
C:\> windump -r packet.dmp -s 4096 > analysis.txt
Now, you may edit analysis.txt to find the packet data for PAP authentication. The PPP protocol number for PAP is c023.
So you're looking for a packet that looks like the following:
19:27:48.434708 20:53:45:4e:44:0 20:53:45:4e:44:0 c023 50:
0101 0024 1630 3034 626c 7265 6775 7365 7240 6d70 7370 696e 7761 7908 346d 6c38 5859 4834
The above is data for BlueLight/Spinway.
Notice the c023 on the first line, which specifies that the packet protocol is PAP. I've slightly modified the data, so this will not work if you just try to log in without doing this.
How you want to view a hex translation of this is your business. There are many other ways of doing this, but for those of you who have little to no tools on your Windows box, I'll show you below what I've done.
Make a DEBUG script file called debug.scr with the following hex data (taken from above, just reformatted):
e 0100 01 01 00 24 16 30 30 34 62 6c 72 65 67 75 73 65
e 0110 72 40 6d 70 73 70 69 6e 77 61 79 08 34 6d 6c 38
e 0120 58 59 48 34
d 0100
q
Execute the following:
C:\> debug < debug.scr > plain.txt
The file plain.txt will contain the following information:
1085:0100 01 01 00 24 16 30 30 34 62 6C 72 65 67 75 73 65 ...$.004blreguse
1085:0110 72 40 6D 70 73 70 69 6E 77 61 79 08 34 6D 6C 38 r@mpspinway.4ml8
1085:0120 58 59 48 34 FE 06 21 D9 3C 3F 75 05 80 0E 25 D9 XYH4..!.<?u...%.
First, please note that I've truncated the output, because over half of it isn't part of the packet - it's just data left over in memory.
Now, for the analysis.
According to RFC 1334, this is what the packet data means:
01 - Code (0x01 = "Authenticate Request")
01 - Identifier (unique per request)
00 24 - Length of packet (0x24 = 36 bytes)
16 - Length of peer identification, or 0 if none (0x16 = 22 bytes)
[...] - Next 22 bytes = 004blreguser@mpspinway
08 - Length of password (0x08 = 8 bytes)
[...] - Next 8 bytes = 4ml8XYH4
So from this output, we would gather that BlueLight's new user account is as follows:
- Username: 004blreguser@mpspinway
- Password: 4ml8XYH4
Please remember that I've modified the data for this article and the username/password listed above is not the true account login.
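As an added example that is not from the original article, here is a small Python decoder for the RFC 1334 Authenticate-Request layout walked through above. It runs over the author's modified BlueLight bytes (constructed here from the windump line), validates the Length, Peer-ID-Length and Passwd-Length fields the way a protocol analyzer would, and flags any c023 frame as carrying credentials in the clear, which is exactly what a network monitor sees and what an ISP should be alerting on rather than shipping.

```python
# Added example (not from the article): decode a PPP PAP Authenticate-Request
# per RFC 1334 and flag protocol c023 frames as cleartext logins.
import struct

PPP_PROTO_PAP = 0xC023   # PPP protocol number seen in the windump line
PAP_AUTH_REQUEST = 1     # Code field value for Authenticate-Request

# Constructed from the article's (author-modified) BlueLight capture:
# 14-byte NDIS dial-up pseudo-Ethernet header, then the 36-byte PAP body.
SAMPLE_FRAME = bytes.fromhex(
    "2053454e4400" "2053454e4400" "c023"
    "0101" "0024"
    "16" "303034626c72656775736572406d707370696e776179"
    "08" "346d6c3858594834"
)

def parse_pap_auth_request(body: bytes) -> dict:
    """Return Identifier, Length, Peer-ID and Password, checking every length."""
    if len(body) < 6:                      # Code+Id+Length plus two length octets
        raise ValueError("PAP body truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code != PAP_AUTH_REQUEST:
        raise ValueError(f"code {code} is not Authenticate-Request")
    if length < 6 or length > len(body):
        raise ValueError(f"Length {length} inconsistent with {len(body)} bytes")
    pos = 4
    peer_len = body[pos]
    pos += 1
    if pos + peer_len + 1 > length:        # must leave room for Passwd-Length
        raise ValueError("Peer-ID overruns packet Length")
    peer_id = body[pos:pos + peer_len]
    pos += peer_len
    pw_len = body[pos]
    pos += 1
    if pos + pw_len > length:
        raise ValueError("Password overruns packet Length")
    password = body[pos:pos + pw_len]
    return {"identifier": ident, "length": length,
            "peer_id": peer_id.decode("latin-1"),
            "password": password.decode("latin-1")}

def inspect_frame(frame: bytes) -> dict:
    """Strip the pseudo-Ethernet header; PAP means the login is in the clear."""
    proto = struct.unpack("!H", frame[12:14])[0]
    if proto != PPP_PROTO_PAP:
        return {"proto": proto, "cleartext_credentials": False}
    fields = parse_pap_auth_request(frame[14:])
    fields.update(proto=proto, cleartext_credentials=True)
    return fields
```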
Plug those values back into Dial-Up Networking and test it. You should connect cleanly.
Now you can erase the software. Better yet, ditch your Windows drive and plug the values back into pppd.
Enjoy!