Domain Stealing or How to Hijack a Domain

Please note that this is, again, an old technique, presented just for learning purposes: learn how the old techniques worked and why they worked, then try and discover new ways to do things.


The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC’s domain name handling system and is intended for educational use only. Since this is public knowledge, it should also be within everyone’s reach.

The technique described below involves an easy to follow procedure of stealing .com/.net/.org/.gov/.mil domain names.

This vulnerability has been publicly known for quite a while, and there are ways to prevent it. The procedure below enables an attacker to take over a domain name, enabling him or her to make the arbitrary web address point to any desired web page on the Internet. This method of domain hijacking is constantly being used to hijack domain names, and to deface web sites.



Required ingredients:

  • Anonymous remailer or mail bomber that can spoof email addresses.
  • Social Engineering skills for timing the emails.
  • A fake email address at or any other free service.

As an example for this advisory, we will take the domain name Go to and click on the link that says ‘Who Is.’ Now enter the domain name ( in this case) in the search field and click on the ‘Search’ button. This would show you the WhoIs information, which will be similar to the one shown below:

Now you have two choices:

1) Either you could take full control of the domain by changing the Administrator’s handle information.


2) You could simply point the domain to another host and let it recover in time by itself.

Initiating the First Attack:

Let us first explain the InterNIC authentication system, in case most of you reading this do not have your own domain names. The problem with InterNIC authentication is that they do NOT send a confirmation email if the request is sent from the same email address as the person owning the contact or the domain name itself! Therefore, utilizing this flaw, one could spoof anyone’s email address and change any domain name’s information.

A confirmation is, however, required from the person to whom the domain is about to be transferred, and that shouldn’t be too hard as it would be your own email address.

Here’s a step-by-step procedure:

  • Go to
  • Click on the link that says ‘Make Changes.’
  • Enter the domain name
  • You should be presented with 2 blue buttons
  • Click on the one that says *Expert*
  • Next screen would have a heading ‘Select the form that meets your needs’
  • Click on the link that says ‘Contact Form’
  • Next you should see a form with 2 fields.
  • In the first field enter the admin’s handle ( admin is ADM001)
  • In the next field enter his/her email address (in this case it’s ADMINEMAIL@EXAMPLE.COM)
  • Change the option to ‘Modify.’
  • Now ‘Proceed to Contact Information.’
  • Select the MAIL-FROM option and click the ‘Go on to Contact Data Information.’
  • Now you should see all the information about the admin contact of domain
  • In the E-mail address field change the email to your own fake email. (in this case it’s
  • Now ‘Proceed to Set Authorization Scheme.’
  • Again choose MAIL-FROM and enter the email address of the admin (ADMINEMAIL@EXAMPLE.COM)
  • Leave the bottom option to ‘No’ and ‘Generate Contact Form.’

Now you should see a template with all the information. Similar to this:

NOTE: Do NOT press the button at the bottom that says ‘Mail this contact form to me!’

Copy and paste this message into your anonymous remailer or mailbomber and you are ready to go; but WAIT! It’s not that easy, now comes the HARD part! When you mail this message to a message similar to the following would be sent to the admin email address:

You should now be thinking that this message could get you in trouble, but there is a way of getting rid of this trouble. Here you’ll use your mailbomber to mailbomb the guy with 20-30 similar messages if you want your attack to be successful. The person would see 35 messages from the same address and therefore would delete all of them and you’d probably be safe. If he ‘would’ email someone then he would probably reply to the wrong tracking number. In the above case, the tracking number is [NIC-000128.4r50]. OK, here is another hard part. You have to open your notepad and generate similar numbers, that is, actually come up with them.

You should NEVER mailbomb the person with the same tracking number. What we mean is that you should never send more than one email to him from [NIC-000128.4r50]; in the next email, change the [NIC-000128.4r50] to [NIC-000127.5089] or something different. Here is a list of some numbers that we generated just to give you a good idea of how the scheme works.


Remember to change the number at both places. In the subject as well as the email body!

In the case of you will send the email messages to ADMINEMAIL@EXAMPLE.COM from The message subject and body are already described above.

Stop after you have mailed him/her 10-15 messages! Now it’s time to email with our fake email as ADMINEMAIL@EXAMPLE.COM. So again, in this case the message will be sent to from ADMINEMAIL@EXAMPLE.COM with the following template that we created above:

NOTE: Do NOT put anything in the Subject!

Just send one email! DO NOT bomb with more than one email. That’s pretty much it. Now continue to bomb ADMINEMAIL@EXAMPLE.COM, changing the tracking number every time until your 30-35 tracking numbers are used up!

Now all you have to do is wait. After 24 hours you could go and change the domain information and no one would be there to stop you because now you are the admin of the domain name!

NOTE: This attack will only work on domains that have an admin contact different from their technical contact!
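Seen from the admin contact's mailbox, the flood of notices described above is itself the warning sign. The following is an added example, not part of the original advisory: it flags any sender whose notices carry more than a few distinct tracking numbers within a short window. The sender addresses, subject wording, threshold and three of the five tags are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Tracking tag shape as quoted on this page, e.g. [NIC-000128.4r50]
TRACKING = re.compile(r"\[NIC-\d{6}\.[0-9a-z]{4}\]")

def flag_notification_bursts(raw_messages, window=timedelta(hours=1), limit=3):
    """Return {sender: sorted tags} for senders whose notices carry more than
    `limit` distinct tracking tags inside any single `window`."""
    seen = defaultdict(list)  # sender address -> [(timestamp, tag)]
    for raw in raw_messages:
        msg = message_from_string(raw)
        tag = TRACKING.search(msg.get("Subject", ""))
        if tag:
            sender = parseaddr(msg.get("From", ""))[1].lower()
            seen[sender].append((parsedate_to_datetime(msg["Date"]), tag.group()))
    flagged = {}
    for sender, events in seen.items():
        events.sort()
        for start, _ in events:
            tags = {t for when, t in events if start <= when <= start + window}
            if len(tags) > limit:
                # Escalate to the registry out of band; do not bulk-delete.
                flagged[sender] = sorted(tags)
                break
    return flagged

def notice(sender, minute, tag):
    # Builds one constructed notification message for the sample below.
    return (f"From: {sender}\n"
            f"Date: Mon, 01 Jan 2001 10:{minute:02d}:00 +0000\n"
            f"Subject: [{tag}] Contact modification\n\n"
            f"Tracking number [{tag}]\n")

# First two tags are the ones quoted on the page; the rest are constructed.
TAGS = ["NIC-000128.4r50", "NIC-000127.5089", "NIC-000131.7c2d",
        "NIC-000126.9e41", "NIC-000133.0b7f"]
SAMPLE = [notice("hostmaster@registry.example", 4 * i, t) for i, t in enumerate(TAGS)]
SAMPLE.append(notice("billing@other.example", 30, "NIC-000140.aa11"))

if __name__ == "__main__":
    print(flag_notification_bursts(SAMPLE))
```

Every tag in a flagged burst should be reported to the registry, since any one of them may belong to a real pending change.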

Initiating the Second Attack:

This attack will be successful even if the technical and admin contact are the same.
The procedure is basically the same apart from the fact that this time:

  • Go to
  • Click on the link that says ‘Make Changes.’
  • Enter the domain name
  • You should be presented with 2 blue buttons
  • Click on the one that says *Expert*
  • Next screen would have a heading ‘Select the form that meets your needs’
  • Click on the link that says ‘Service Agreement.’
  • Now when it asks for email address, enter your own.
  • Now you should see many fields, don’t panic!
  • Go to the technical contact and change the handle to freeservers, hypermart etc.
  • Now come to ‘Nameserver Information.’
  • Change the nameservers to hypermart or freeserver nameservers.
  • If there’s anything in the ‘Optional Information’ after that then simply delete them.
  • Click on the button ‘Submit this form for processing.’

You are done, the form will be emailed to your email address. When the form arrives in your email, then simply take this part:

Now launch your anonymous remailer or mailbomber.

  • From: the domain admin (ADMINEMAIL@EXAMPLE.COM in this case).
  • To:
  • Subject: (do not enter any subject, leave the field blank!)
  • Body: the template you created above.
  • You are ready to go but before you send this email to InterNIC, remember to bomb ADMINEMAIL@EXAMPLE.COM with similar emails but different tracking numbers as we did in the first procedure.
  • After sending 10-20 emails, send the above template to InterNIC.
  • Continue bombing your 40 messages. Remember to generate 40-50 tracking numbers.
    This is basically it.
  • The domain would be transferred to freeservers or hypermart and then you could simply activate it from there on your own email address. Remember to use a fake email.

Nameservers and Handles:

Freeservers Technical Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address:
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address:

Hypermart Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address:
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address:


Possible Fixes:

Enable the CRYPT-PW password mechanism. This should prevent anyone without this password from changing your domain information (see the InterNIC contact form for more information).
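Why the password mechanism closes the hole while MAIL-FROM does not, shown as an added example that is not InterNIC's code or part of the original advisory. The contact records, the `Password:` body field, the registry address and the PBKDF2 hash are assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

def pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in chosen for this example, not the registry's own hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed contact records; the layout is hypothetical.
CONTACTS = {
    "ADM001": {"email": "adminemail@example.com", "scheme": "MAIL-FROM"},
    "ADM002": {"email": "adminemail@example.com", "scheme": "PASSWORD",
               "salt": b"constructed-salt",
               "hash": pw_hash("correct horse", b"constructed-salt")},
}

def authorize(raw_request: str, handle: str) -> bool:
    """Decide whether a mailed change request may modify contact `handle`."""
    msg = message_from_string(raw_request)
    contact = CONTACTS.get(handle)
    if contact is None:
        return False
    if contact["scheme"] == "MAIL-FROM":
        # The only evidence is a header that the sender writes themselves.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        return sender == contact["email"]
    if contact["scheme"] == "PASSWORD":
        # The From header is ignored; the request must carry the shared secret.
        supplied = ""
        for line in msg.get_payload().splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "password":
                supplied = value.strip()
        return hmac.compare_digest(pw_hash(supplied, contact["salt"]), contact["hash"])
    return False

# Constructed requests: same claimed sender, with and without the secret.
FORGED = ("From: ADMINEMAIL@EXAMPLE.COM\n"
          "To: registry@example.net\n\n"
          "Handle: ADM001\nE-mail: someone-else@example.org\n")
WITH_SECRET = FORGED.replace("\n\nHandle", "\n\nPassword: correct horse\nHandle")

if __name__ == "__main__":
    print(authorize(FORGED, "ADM001"), authorize(FORGED, "ADM002"))
```

A shared secret sent in cleartext mail is only as strong as the mail path it travels over, so it should not be reused anywhere else.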

Originally By Lucifer Mirza aka Bufferman – Updated by Darknet.

11 Responses to Domain Stealing or How to Hijack a Domain

  1. hobot September 20, 2006 at 9:19 pm #

    Oh snap.

  2. Tyler October 7, 2006 at 7:08 pm #

    Thanks to whoever wrote this, very informative.

  3. sirhackypants November 1, 2006 at 8:51 pm #

    SO you guys pulled a quick one with this thanks a lot!

  4. Needhelp November 13, 2006 at 5:50 pm #

    Help needed on how to take back a domain name which was used by someone who impersonated our company and is stealing away all our clients. Please reply.

  5. Roger Wray May 20, 2007 at 1:37 pm #

    Telling about how a hijacking is done only serves to information to those that want to hijack. I only wanted to know how to stop the hijacking. This article is by someone that is in the hijacking business and wants everyone to know how to do it.

  6. Daniel June 4, 2007 at 8:57 am #


    Haha, okay, I’ll hack my own domains. Yeah.

  7. sayeed July 2, 2007 at 8:55 am #

    Hey buddies, I can’t find the “make changes” link in . Please help me out !!!!

  8. lyz August 15, 2008 at 12:45 pm #

    Yeah. You can play with your own domains just to check the weakness of some applications nowadays.

  9. Navin August 15, 2008 at 5:58 pm #

    @ daniel….tht’s wht U’re expected to do…or for Ure clients (who’ve already been informed of these tests being carried out)…..”ETHICAL” hacking remember??

  10. lyz August 16, 2008 at 5:34 am #

    and that is the reason why we are all here. To learn.

  11. Morgan Storey August 16, 2008 at 7:49 am #

    Heh, Microsoft opened their servers to “pen testing” so have at them. Of course sharpen your skills then let them know or just do this on your own domains to find weaknesses.