Thursday, February 22, 2007

Recovering (or stealing) a domain registration

Most organizations don't think much about their domain registration until it either expires -- disabling their website and email -- or until the day before they intend to launch a new website at a new webhosting provider.

Often the internal employee who originally purchased a domain registration for a company no longer works there, or the web host that handled the registration as a middleman becomes defunct, and the owner is left with no record of how to access the registration. The result is that the registration is frozen, nameservers and WHOIS contacts cannot be changed and the poor mope who's been assigned the wild goose chase of regaining control of the domain name has no idea where to begin.

Where to begin is first identifying the registrar for a particular domain name. This information is in the publicly available WHOIS database. If you've never queried WHOIS, take a look at http://geektools.com/whois.php and enter any domain name. In the output, the identity of the registrar is contained in the bits of data labeled "Referral URL," "Sponsoring Registrar," or "Registrar."

Because everything these days is web-based self-service, most registrars have a self-help way to recover a password. This generally consists of going to a public page on the registrar's website (that you identified through WHOIS), entering the domain name in a form, and the registrar sending an automated message to the email address in the registrar's records that offers a way to recover or reset the password used to access the registration. Whoever can read that email will be the de facto new owner of the registration.

As a practical matter, whoever controls a domain registration controls all email and the website for that domain. Gone are the days when you needed to pay a special "registrant transfer" fee and sign papers in order to sell your registration to another party. Today, any legitimate registrar has a web interface that lets the domain owner login and change whatever data they please, including "registrant." If you want to sell your domain name, all you do now is give the username and password to the new owner, and they can login to change WHOIS info, nameservers, or even approve a registration transfer to a new registrar.

Network Solutions, the oldest registrar with the worst service and highest prices, has automated tools on their website that allow anyone on the internet to take control of a domain registration registered there, so long as that person has access to read the email of the Administrative Contact listed in the publicly visible WHOIS database. You can find Network Solutions automated login recovery page here: https://www.networksolutions.com/manage-it/forget-login.jsp

[Unlike most other registrars, at Network Solutions, total login recovery is a 2 phase project. First you have to recover the "Account ID" that NetSol arbitrarily assigns to owners, and that no one can remember. This is done by putting either the domain name or the Admin Contact's email address in NetSol's web form. Then they automatically email the Admin Contact the Account ID associated with the registration. Once you have that Account ID, you paste it into the "lost password" form, and they email the same Admin Contact a link to click that will reset the password. Whoever receives those emails can reset the password to the account, login, and do whatever they please with the registration.]

If the Administrative Contact's email address is "@" the same domain as the registration, then the organization should have an easy time reading those machine-generated emails (ask your system administrator or web host for help). However, using the same domain name as an email contact point on the registration is usually a bad idea, since if anything goes wrong with the registration (like expiration), then email at that domain name is likely to be broken and you will not be able to receive email sent to that address at the same domain name. For that reason, it's a good idea to use a permanent email address at a different domain name as a contact point on your registration, such as one from Yahoo, Gmail, or your local ISP.

In some cases, the email address for the Admin Contact that the registrar has on record may also be defunct, and if it's your job to recover that registration, you might be ready to give up at that point and start faxing blurry paperwork to Network Solutions (which, by the way, anyone, even Nigerians, can also do) to prove you're entitled to access, then waiting helplessly four days for them to get around to considering it.

An alternative is to look closely at the Admin Contact email address listed in WHOIS. If you can take over the email address marked as Administrative Contact, you can take over the entire registration of any Network Solutions registration. Seizing a registration that way means you will have control over email to the entire organization, can redirect their website traffic and more.

Because many organizations never think about their domain registration until it's expired and their entire domain is down, the contact information in WHOIS associated with those registrations is consequently not maintained accurately by registrants, either. This provides any registration recovery agent, or thief, a foothold. If the email address of the Admin Contact is one "@" a public internet service provider, you can check to see if that email address is valid anymore. If it's not, it's yours.

One can check by sending an email to that address and waiting for a bounce message or reply. Or, you can lookup the MX record of the domain name, then connect to the SMTP port on that server, and initiate a manual SMTP conversation with that server to test whether the listed Admin Contact email address is still "occupied."

For example, the Admin Contact for a particular domain name registered at Network Solutions is "swall@bigsky.net." Bigsky.net was a company bought out by bigger ISP, Amerion. Amerion continues to let subscribers (like S. Wall) have email at the original local ISP's "bigsky.net" namespace.

The organization for which S. Wall was an Admin Contact has lost its registration login info, has kept no records, and now wants to change web hosts, which requires gaining access to and modifying their domain registration.

The easiest thing we might do to resolve this is email that Admin Contact's address and see if we can get the user to cooperate and either forward or read to us whatever emails from the registrar they receive. But what if that user canceled her email service a long time ago and there's no one to answer? What if, when we email that address, we just get a bounce message with an error like "Code 550, no such user?"

If were interested in learning on a more massive scale how prevalent this condition is (Admin Contact email addresses that are abandoned), we might write a script to harvest all the Admin Contact email addresses from a list of domain names, programatically testing each Admin Contact's email address, searching for "no such user" type errors, and saving all the ones that we find in a pile labeled "vulnerable."

In our example, we're looking at the Admin Contact address "swall@bigsky.net," and after extracting the MX record of the bigsky.net domain using nslookup, host, or dig (http://geektools.com/digtool.php), we find the following MX records:
bigsky.net mail exchanger = 20 bigsky.net.amerion.mail6.psmtp.com.
bigsky.net mail exchanger = 30 bigsky.net.amerion.mail7.psmtp.com.
bigsky.net mail exchanger = 10 bigsky.net.amerion.mail5.psmtp.com.
We can test any of those mailservers (they all should behave the same) in the following way:
telnet bigsky.net.amerion.mail5.psmtp.com 25
Trying 64.18.5.10...
Connected to bigsky.net.amerion.mail5.psmtp.com.
Escape character is '^]'.
220 Postini ESMTP 157 y6_8_11c0 ready. CA Business and Professions
Code Section 17538.45 forbids use of this system for unsolicited
electronic mail advertisements.
helo whatever.com
250 Postini says hello back
mail from: someone@whatever.com
250 Ok
rcpt to: swall@bigsky.net
550 unknown user
The last response tells us that the Admin Contact's email address is up for grabs.

All of the above could be encapsulated into a fairly simple script capable of being fed a long list of domain names (or dictionary words ending in ".com") that an attacker would like to steal, extracting the email address of the Admin Contact using a little WHOIS and regular expression action, then another regex to parse out the domain name of that email address, then a lookup to pull the MX for that email address' domain, and then a little socket programming to test that MX to see if that email address is still valid. An attacker who has written the above program could have a list of 1000 popular domain names that are ripe for hijacking, overnight.

For any email addresses at public internet service providers that are invalid, all one need do to own that address is go to that ISP's website and sign up for an account. In our example, I signed up with Amerion over the phone for a $9.95/month account. Five minutes later I was receiving mail addressed to "swall@bigsky.net" through Amerion's handy webmail system. Two minutes after that (and after changing the email address listed as Admin Contact on the registration), I was canceling the account over the phone with a nice Amerion rep who did not inquire further into why I needed the service for less than 10 minutes.

Anyone could do the same with any unoccupied email address at any public internet service provider.

Being able to receive that email meant that I could receive Network Solutions' automated password recovery messages, and as soon as that happened, I had control over this domain. Lucky for this organization, they asked me to provide them with this service.

However, for all the thousands of other organizations out there with stale contact information on their domain registrations, and the chunk of those unlucky enough to have the Admin address be unoccupied space at a public provider, anyone with a stolen credit card number can deface your website, intercept your company's email, or even sell your domain name for a tidy sum to an innocent third party.

For those readers feeling uneasy about my publishing such exploits, I recommend reading the rationale of "full disclosure" and how publication actually improves security: http://www.schneier.com/crypto-gram-0702.html#4

Admittedly, though, this really is not a case of Network Solutions or any other registrar leaving a security hole in the domain registration system. Rather, this vulnerability of some registrations is really a product of the convenience demanded by consumers who are just not very well-versed in maintaining integrity or security of sensitive data.

3 comments:

  1. Pops Ptang4:53 AM

    I think the rationale of full disclosure is much weaker here than it is on the cases discussed by Schneier. There the security lapse is in the hands of a single company, and that company has (or should have) people who are expert in the area and work full-time in that area. Public disclosure forces them to fix it, and that fixes it (for those users who install the patches). Here, the lapse is in the hands of millions of people who know almost nothing about how this works (although the owners of the more valuable domain names should have staff that does know) and will not hear about this vulnerability. Yes, hackers will discover this even without disclosure, but with disclosure, many more hackers will exploit this. I guess the argument is that widespread domain theft will cause the Registrars to figure out a new system.

    ReplyDelete
  2. Anonymous9:58 PM

    Guess what technique I just used :)

    I was moving [censored].com, [censored].com, and [redacted].com over to my system (they didn't want to stay at ICS now that Blackfoot owns them), and the admin contact on the first two was [censored]@msn.com - an address that [censored] hasn't had in three
    years. Blackfoot didn't have the login info on file, and wanted us to
    fax a bunch of bullshit to Tucows to change the admin contact, so I decided to go sign up at MSN so we could receive the username/password
    email and log in. Then I called, cancelled, and got my money back :) The guy did ask me why I was cancelling, I told him "I'm done with it".

    Freaking AWESOME.

    ReplyDelete
  3. Anonymous7:10 AM

    Dear sir,

    how can you register a emailadress ending with @bigsky.net (or lalalala.com) if you are not the owner of www.bigsky.net?

    please reply at tomasvandalen@hotmail.com if you would.

    Thank you in advance

    ReplyDelete