Ghost in the Wires_ My Adventures as the World's Most Wanted Hacker - Kevin Mitnick [126]
Now that I knew they would be watching closely and weren’t likely to fall for the same trick again, I changed my tactics. What if I targeted a developer who had full access and tricked him into copying everything for me? I wouldn’t even need to find a way into ATM to get what I wanted.
After exploring Novell’s internal network for several days, I found a cool tool accessible to any Novell employee. The program, called “411,” listed the name, phone number, log-in name, and department of each staffer. My luck was starting to change. I dumped out the entire employee list to a file for analysis. As I looked through the list, it became clear that all the developers worked in a group called “ENG SFT.” I figured that NetWare development was likely handled out of Provo, Utah, the company headquarters.
Looking through the directory using these two criteria, I randomly chose a listing:
Nevarez, Art:801 429-3172:anevarez:ENG SFT
Now that I had my mark, I needed to pose as a legitimate Novell employee. I wanted to choose a contractor or someone else who was unlikely to be known by my target. The phone directory also contained a department named Univel that had probably been formed when Novell and AT&T’s Unix System Laboratories started up a joint venture in 1991. I needed to find an employee who wasn’t going to be in the office. My first choice was:
Nault, Gabe:801 568-8726:gabe:UNIVEL
I called and got his voicemail greeting, which very conveniently announced that he would be out of the office for the next few days, without access to email or voicemail. From the employee directory file, I picked out a lady who worked in the Telecommunications Department and dialed her number.
“Hi, Karen,” I said. “This is Gabe Nault calling from Midvale. Last night I changed my voicemail password, but it doesn’t work. Can you please reset it?”
“Sure, Gabe. What’s your number?”
I gave her Gabe’s number.
“Okay, your new password is the last five digits of your telephone number.”
I thanked her politely, immediately dialed Gabe’s phone, keyed in the digits for the new password, and recorded the outgoing greeting in my own voice, adding, “I have several meetings today, so it’s best to leave a voicemail. Thank you.” Now I was a legitimate Novell employee with an internal phone number.
I phoned Art Nevarez, told him I was Gabe Nault in Engineering, and asked, “Do you work with NetWare? I’m in the Univel Group.”
“Yes,” he said.
“Great. Can you do me a big favor? I’m working on the NetWare for Unix project, and I need to move a copy of the NetWare 3.12 client source code to one of our boxes here in Sandy. I’ll set up an account for you on the ‘enchilada’ server so you can map a drive and transfer the code.”
“Sure. What’s your number? I’ll call you after it’s done,” he said.
After we hung up, I was elated. No need to gain access to ATM—just leverage someone who already has it.
I went to the gym to work out, checking Gabe’s voicemail during a break to find a message from Art saying that he had finished. Awesome! Now I had trust and credibility. Why not go a little further and ask for another small favor? Right from the gym, I called Nevarez back and said, “Thanks, Art. Hey, sorry, but I just realized I also need 4.0 client utilities too.”
He sounded a little annoyed. “There are a lot of files on that server, and there’s not enough space left.”
“I’ll tell you what, I’ll take them off ‘enchilada’ to make room. I’ll call you when I’m done.”
After I finished working out, I went home, logged on, and transferred the files to an account I had created for myself at Colorado Supernet, the largest Internet service provider in Denver. The next day, Nevarez transferred the rest of the files for me, an operation that took him a long time because there was so much code.
Later when I asked him to transfer the server source code, he got suspicious and balked. As soon as