Hacking 2600.com

by Andrew Smith

This article is largely about fact-finding and planning.

The target of 2600.com is chosen to spark some interest.  It's also written with the assumption that the 2600 staff has a sense of humor.  If you're reading this then you can probably conclude that they do.  For the purposes of this article, "hacking" means "the pursuit of information."

Disclaimer:  I thoroughly encourage you to do everything that I detail in this article; it's fascinating and not illegal in the slightest.

So we want to impress our hax0r buddiez on EFnet with our mad skills and what not.  Why not choose 2600.com as our target?

But where to begin?  Let's start with all the information we have: the domain.

The Power of WHOIS

WHOIS is a system from which contact information and some other details about a domain name can be looked up.

The domain name we want to hack is 2600.com so we input it at our favorite online WHOIS engine (xwhois.com, whois.com to name two).

The result is:

Domain Name: 2600.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: PHALSE.2600.COM
Name Server: NS.NAH6.COM
Name Server: NS2.NAH6.COM
Status: REGISTAR-LOCK
Updated Date: 04-feb-2005
Creation Date: 03-feb-1994
Expiration Date: 04-feb-2008

A much later WHOIS record for the same domain (retrieved in 2024, well after the lookup above) is reproduced here as well, for comparison:

Domain Name: 2600.COM
Registry Domain ID: 2781441_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2020-12-07T07:52:51Z
Creation Date: 1994-02-03T05:00:00Z
Registrar Registration Expiration Date: 2026-02-05T05:00:00Z
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Reseller:
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: 2600 Magazine
Registrant Organization: 2600 Magazine
Registrant Street: PO BOX 848
Registrant City: MIDDLE ISLAND
Registrant State/Province: NY
Registrant Postal Code: 11953-0848
Registrant Country: US
Registrant Phone: +1.6317512600
Registrant Phone Ext:
Registrant Fax: +1.7032650070
Registrant Fax Ext:
Registrant Email: email@2600.COM
Registry Admin ID:
Admin Name: Goldstein, Emmanuel
Admin Organization:
Admin Street: PO BOX 848
Admin City: MIDDLE ISLAND
Admin State/Province: NY
Admin Postal Code: 11953-0848
Admin Country: US
Admin Phone: +1.6317512600
Admin Phone Ext:
Admin Fax: +1.6317512600
Admin Fax Ext:
Admin Email: email@2600.COM
Registry Tech ID:
Tech Name: Goldstein, Emmanuel
Tech Organization:
Tech Street: PO BOX 848
Tech City: MIDDLE ISLAND
Tech State/Province: NY
Tech Postal Code: 11953-0848
Tech Country: US
Tech Phone: +1.6317512600
Tech Phone Ext:
Tech Fax: +1.6317512600
Tech Fax Ext:
Tech Email: email@2600.COM
Name Server: PHALSE.2600.COM
Name Server: NS1.HE.NET
DNSSEC: unsigned
Registrar Abuse Contact Email: email@web.com
Registrar Abuse Contact Phone: +1.8777228662
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2024-03-12T14:40:42Z <<<

So from this we have some valuable information:

  • Waiting for the domain to expire and then snapping it up is out of the question (unless we fancy sitting around for three years).
  • The domain was registered at www.networksolutions.com.
  • The domain has three domain name servers: PHALSE.2600.COM, NS.NAH6.COM, NS2.NAH6.COM
  • The domain is "registrar locked."  This rules out a commonly used trick: submitting a request to transfer the domain to yourself in the hope that it goes unnoticed and is approved automatically after two weeks.
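
The list above is exactly what a registrant should be checking about their own domains.  As an added example (not from the original article), the following Python parses the plain "Key: Value" WHOIS format reproduced above and reports those points: whether a transfer lock is set, the DNSSEC status, the days left until expiry and the name servers.  The two sample records are abridged from the lookups above (the 2005 status line is kept exactly as printed there); the as-of dates are an assumption made so the result is deterministic.

```python
"""Registrant-side hygiene check over a WHOIS record (added example)."""
from __future__ import annotations

from datetime import date, datetime

# Sample records, abridged from the two WHOIS lookups reproduced above.
# "REGISTAR-LOCK" is kept exactly as printed in the 2005 record.
WHOIS_2005 = """\
Domain Name: 2600.COM
Registrar: NETWORK SOLUTIONS, LLC.
Name Server: PHALSE.2600.COM
Name Server: NS.NAH6.COM
Name Server: NS2.NAH6.COM
Status: REGISTAR-LOCK
Expiration Date: 04-feb-2008
"""

WHOIS_2024 = """\
Domain Name: 2600.COM
Registrar: Network Solutions, LLC
Registrar Registration Expiration Date: 2026-02-05T05:00:00Z
Domain Status: ok https://icann.org/epp#ok
Name Server: PHALSE.2600.COM
Name Server: NS1.HE.NET
DNSSEC: unsigned
"""

# Assumed "today" for each record, chosen to match the dates printed in them.
AS_OF = {"2005": date(2005, 2, 4), "2024": date(2024, 3, 12)}

# Registries and registrars label the expiry field differently.
EXPIRY_KEYS = ("expiration date", "registrar registration expiration date",
               "registry expiry date")
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%dT%H:%M:%S")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: Value' lines; keys are case-folded and may repeat."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value:  # skip empty fields such as "Reseller:"
            fields.setdefault(key.strip().lower(), []).append(value)
    return fields


def parse_date(value: str) -> date:
    """Accept both the legacy '04-feb-2008' and the RFC 3339 style."""
    value = value.strip().rstrip("Zz")
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {value!r}")


def assess(record: str, today: date) -> dict:
    """Return the hygiene findings a domain owner would want from one record."""
    f = parse_whois(record)
    statuses = f.get("status", []) + f.get("domain status", [])
    # Legacy "REGISTRAR-LOCK" and EPP "clientTransferProhibited" both count.
    locked = any("lock" in s.lower() or "transferprohibited" in s.lower()
                 for s in statuses)
    dnssec = f.get("dnssec", ["unknown"])[0].lower()
    expiry = None
    for key in EXPIRY_KEYS:
        if key in f:
            expiry = parse_date(f[key][0])
            break
    days_left = (expiry - today).days if expiry else None
    servers = sorted(ns.lower() for ns in f.get("name server", []))

    findings = []
    if not locked:
        findings.append("no transfer lock: a transfer request that went "
                        "unnoticed could complete automatically")
    if dnssec == "unsigned":
        findings.append("zone is not DNSSEC-signed")
    if days_left is not None and days_left < 90:
        findings.append(f"domain expires in {days_left} days")
    if len(servers) < 2:
        findings.append("fewer than two name servers")
    return {"registrar": f.get("registrar", ["?"])[0], "locked": locked,
            "dnssec": dnssec, "days_to_expiry": days_left,
            "name_servers": servers, "findings": findings}


if __name__ == "__main__":
    for label, rec in (("2005", WHOIS_2005), ("2024", WHOIS_2024)):
        print(label, assess(rec, AS_OF[label]))
```

Run against the 2005 record the check is clean: locked, three name servers, about three years to expiry, which is the same conclusion the list reaches.  The 2024 record yields two findings, no transfer lock and an unsigned zone, which is why a registrant would want this run on a schedule rather than once.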

From here we could go and do a WHOIS of nah6.com, and I have.

It isn't included in this article because I kept going and went through about four domains before I decided to stop.  It does produce some interesting results and further potential angles of attack; think of this as an exercise for you after you've read this article, if you like.

The problem here is that you could literally go on forever; you might crack a domain six WHOISes down the line only to realize afterwards that it has no relationship with 2600.com.

Next?

Domain Resolution

Finding out the IP addresses behind the domains can result in some valuable or just interesting information.

So that's what we're doing next.

Again, another free online service does the job (dnsstuff.com).

The results:

   www.2600.com -> 207.99.30.226
       2600.com -> 216.66.24.2
phalse.2600.com -> 216.66.24.2
    ns.nah6.com -> 82.94.252.252
   ns2.nah6.com -> 213.193.213.210

(Remember, www.2600.com and 2600.com are not the same thing.  The domain resolution shows this.)

Probably one of the oddest collections of IPs related to one domain I've seen.  What does it tell us?

  • 2600.com and www.2600.com are probably located on different servers.
  • All of the domain name servers are probably located on different servers.
  • The primary DNS server and 2600.com are probably located on the same server, so if we were to gain control of 2600.com (216.66.24.2) we could control www.2600.com simply because we could change the domain records.  If 2600.com did not also host its own name server, we would not.

I say probably because it's possible that two totally different IP addresses could point at the same server.  It's just not probable... at all.

Because we can, let's do some reverse domain resolution (look up the domain based on the IP address).  This could open up some more interesting things about 2600.com:

  207.99.30.226 -> -
    216.66.24.2 -> phalse.2600.com
  82.94.252.252 -> ns.nah6.com
213.193.213.210 -> invader.factory.org

  • 2600.com's IP doesn't resolve back to 2600.com.  Not unexpected.
  • It's a little odd that the IP for 2600.com and phalse.2600.com would resolve to phalse.2600.com, seeing as it would make sense that the actual domain is more important.  However, this could be for DNS reasons.
  • The third name server's IP address resolves to a completely different domain!

Some interesting results add to the confusion.
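
The two inferences drawn above, "same address, probably same server" and "the PTR points somewhere else", are the same checks a defender runs over their own address space.  As an added example (not code from the original article), the following Python works offline over the forward and reverse results listed above.  It groups names by address and classifies each name's PTR record, distinguishing a PTR that names a different host but forward-resolves back to the same address (forward-confirmed reverse DNS, the "DNS reasons" hinted at above) from one that cannot be tied back at all.

```python
"""Forward/reverse DNS consistency check over a fixed record set (added example)."""
from __future__ import annotations

# Forward (A) results, as listed in the Domain Resolution section above.
FORWARD = {
    "www.2600.com": "207.99.30.226",
    "2600.com": "216.66.24.2",
    "phalse.2600.com": "216.66.24.2",
    "ns.nah6.com": "82.94.252.252",
    "ns2.nah6.com": "213.193.213.210",
}

# Reverse (PTR) results, as listed above; None means no PTR record exists.
REVERSE: dict[str, str | None] = {
    "207.99.30.226": None,
    "216.66.24.2": "phalse.2600.com",
    "82.94.252.252": "ns.nah6.com",
    "213.193.213.210": "invader.factory.org",
}


def group_by_ip(forward: dict[str, str]) -> dict[str, list[str]]:
    """Names that share an address are probably served by the same host."""
    groups: dict[str, list[str]] = {}
    for name, ip in forward.items():
        groups.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in groups.items()}


def ptr_status(name: str, forward: dict[str, str],
               reverse: dict[str, str | None]) -> str:
    """Classify one hostname's reverse record.

    'no-ptr'      : the address has no PTR record at all
    'match'       : the PTR equals the name we started from
    'confirmed'   : the PTR is another name, but that name forward-resolves
                    to the same address (forward-confirmed reverse DNS)
    'unconfirmed' : the PTR names a host we cannot tie back to the address
    """
    ip = forward[name]
    ptr = reverse.get(ip)
    if ptr is None:
        return "no-ptr"
    if ptr.lower() == name.lower():
        return "match"
    if forward.get(ptr) == ip:
        return "confirmed"
    return "unconfirmed"


def audit(forward: dict[str, str],
          reverse: dict[str, str | None]) -> dict[str, str]:
    """Run ptr_status over every forward name."""
    return {name: ptr_status(name, forward, reverse) for name in forward}


if __name__ == "__main__":
    for ip, names in group_by_ip(FORWARD).items():
        print(f"{ip:>16}  {', '.join(names)}")
    for name, status in audit(FORWARD, REVERSE).items():
        print(f"{name:>16}  {status}")
```

On this data 2600.com comes out as "confirmed": its PTR names phalse.2600.com, which resolves back to 216.66.24.2, so the record is consistent even though it looks odd.  ns2.nah6.com comes out as "unconfirmed" because invader.factory.org is not in the forward table; against live DNS you would resolve that name too before deciding whether it is a stale PTR or simply a host with several names.  Swap the two dictionaries for live lookups and the classification logic is unchanged.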

Are the folks at 2600 incredibly disorganized or is this some cunning scheme to throw off potential attackers?

From here we could go back down the WHOIS road and investigate nah6.com and factory.org, but we're not going to.

This article is going to briefly consider various types of fact finding "attacks" but not delve into too much detail on them.  You can do that!

Their Domain Provider

As found in the WHOIS stage, 2600.com was registered through Network Solutions.

What does this mean?  It means the owner of 2600.com purchased it by using Network Solutions.

What does this mean?  Let's go to www.networksolutions.com and find out!

I can't really put in a video of my poking around on that site because this is an article, so I'll detail what I found and what it could mean.

  • Network Solutions has an "Account Manager" and a "Log in" section to their site.  This is common with domain providers and from this we can assume that the owner of 2600.com has an account.  From this account it is very likely that domain information can be changed.  Gaining access to the 2600.com Network Solutions account would mean being able to point 2600.com (and www.2600.com and anything.2600.com) wherever we pleased.  This is a possible attack point.
  • There is an "I forgot my password" option where the domain for which you forgot the password can be entered.  This fantastic example of corporate security gives us the full name of the domain's primary contact and technical contact.  Further perusal of this also appears to give us the User ID.  This is now an option for a possible brute forcing attack.  I won't give the User ID out here as Network Solutions may have fixed this problem by the time you read this and I do actually want to have this article published.

The Social Engineering Approach

So now we've got some information.

Not that much information, but we know our target.  So what next?

Personally I'd go out and buy a few 2600 magazines.  I'd also start listening to the weekly radio show (Off The Hook) that some of the 2600 staff are involved in.

I do this anyway, and these are some of the possible attacks that could come from this.  They're all fairly over the top, but you never know.

  • Just from listening to the show, various mannerisms and familiar sayings that each individual uses could be used in emails when pretending to be one.  A familiar saying used by a person at the end of an email can confirm its validity to the reader.
  • One of the show's presenters is recently back from traveling.  This was announced on the show before he left.  At such a time it would be easier to impersonate him by email, for example, with the explanation that he can't access his current account from abroad or something along those lines.
  • Off The Hook has been experimenting with Skype lately.  More fact finding could be done by finding out their Skype account and talking to them, or impersonating one of them.
  • The inside cover of every 2600 magazine lists staff members' names and what they do.

I've skimmed over a few social engineering possibilities here.  You really ought to read through Kevin Mitnick's The Art of Deception for a better idea of this.

The possibilities are fairly limitless, and even if you don't hack the Gibson it's all very interesting and certainly a learning experience.
