
Tracking Hackers


Presentation Transcript


  1. Tracking Hackers • Tyler Hudak (tyler@hudakville.com)

  2. What we will cover • There are many ways to track “hackers” back to learn more about them • Will go over some easy methods that may produce fruitful results • Will not cover every single way • Two real life examples of using these techniques will be covered

  3. Tracking Hackers • Attackers often leave various unique calling cards that you can use to track them back • These include email addresses, names, IP addresses, tool names, images, techniques, etc. • Various tools on the Internet can be used to find more information on them • Can sometimes figure out how good they are with the information you find. Note: Your mileage may vary.

  4. Emails • Emails provide more information than you may realize. • Mail headers • Who sent the email (IP address, name)? The Received: lines, read from the bottom up, record the peer address of each relay, but only the lines added by servers you trust are reliable; the sender can forge anything below them. • Web-based email often includes the sender's IP address (e.g. in an X-Originating-IP header) • What mail software were they using? (X-Mailer, User-Agent) • Who does the email go back to? (Reply-To, Return-Path) • Mail content • Plain text or HTML? • HTML comments? Image locations, links?
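Pulling those header and content artifacts out of a message automatically, as an added example that is not part of the original slides. The message below is constructed (RFC 5737 documentation addresses and example domains, laid out like the phish in Example 1), and the function names are mine; the header-walking rule it encodes is the one above, earliest hop first, skipping internal address space.

```python
import re
import ipaddress
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the slides): documentation addresses and
# example domains, laid out like the phish in Example 1.
SAMPLE_MSG = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc123; Mon, 1 May 2006 10:00:00 -0400
Received: from relay.example.net (unknown [198.51.100.7])
    by mx.example.net with SMTP id def456; Mon, 1 May 2006 09:59:58 -0400
Received: from [10.0.0.5] (localhost [127.0.0.1])
    by relay.example.net with SMTP id ghi789; Mon, 1 May 2006 09:59:50 -0400
X-Originating-IP: [203.0.113.42]
From: "eBay Security" <security@example.com>
Reply-To: collector@example.net
Content-Type: text/html; charset="us-ascii"

<html><body>
<!-- template v3 by phishkit -->
<img src="http://pics.ebay.example/logo.gif">
<p>Please <a href="http://signin-ebay.example.net/SignIn.txt">respond here</a>
or visit <a href="http://203.0.113.42/login.txt">https://signin.ebay.com/</a>.</p>
</body></html>
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918/loopback/link-local hops say nothing about the sender. (Python's
# is_private would also flag the RFC 5737 ranges in the sample, hence a list.)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)

def received_hops(msg):
    """Source IP of each Received hop, earliest first (MTAs prepend, so the
    header list is newest-first). Only lines added by servers you trust are
    reliable; the sender controls everything below them, X-Originating-IP included."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(.*?)\s+by\s", str(value), re.S)
        ips = IPV4_RE.findall(m.group(1)) if m else []
        hops.append(ips[-1] if ips else None)  # last bracketed IP is the TCP peer
    return hops

def first_external_hop(msg):
    return next((ip for ip in received_hops(msg)
                 if ip and not any(ipaddress.ip_address(ip) in n for n in INTERNAL)), None)

def originating_ip(msg):
    """Web-mail providers often stamp the submitter's IP; else fall back to the hops."""
    m = IPV4_RE.search(msg.get("X-Originating-IP", ""))
    return m.group(1) if m else first_external_hop(msg)

def reply_targets(msg):
    """Where replies/bounces go back to: often the real collector address."""
    return {h: str(msg[h]) for h in ("Reply-To", "Return-Path", "From") if msg[h]}

class _Artifacts(HTMLParser):
    """Collects (text, href) links, image sources and HTML comments."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.comments = [], [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
    def handle_comment(self, data):
        self.comments.append(data.strip())

def html_artifacts(msg):
    body = msg.get_body(preferencelist=("html",))
    p = _Artifacts()
    if body is not None:
        p.feed(body.get_content())
    return {"links": p.links, "images": p.images, "comments": p.comments}

def suspicious_links(msg):
    """Links whose visible text names a different host than the href, or that
    fetch a .txt file (a phish page that never renders, as in Example 1)."""
    out = []
    for text, href in html_artifacts(msg)["links"]:
        target = urlsplit(href)
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if ("." in shown and shown != target.hostname) or target.path.lower().endswith(".txt"):
            out.append((text, href))
    return out
```

Run it against a saved raw message (`parse_message(open(path, "rb").read())`) and feed `originating_ip()` and the link hosts into the WHOIS and reverse DNS lookups described on the next slides. The first Received hop is only worth anything if it was written by your own or your provider's server; everything the sender controls is a claim, not evidence.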

  5. Names • Once you've found some information (name, address, etc.) what can you do with it? • Search for it on the Internet! • Many different places on the Internet to get information • Google – search for other occurrences of names, other people seeing the same thing • Member directories – many large websites have directories with information on their members • Yahoo, ICQ, MySpace, YouTube, etc.

  6. Names • Domain Names – Who owns it? What else do they own? What is their contact information? • http://www.completewhois.com • IP Addresses – Where is the IP address located? Is there anyone else seeing attacks from this address? • http://www.arin.net - look up IP information (ARIN covers North America; addresses elsewhere are registered with RIPE, APNIC, LACNIC or AFRINIC, and each registry's WHOIS refers you to the right one) • http://www.dshield.org - Internet DB of attacks

  7. Example 1: eBay Phish

  8. eBay Phish • Received an eBay phish attempt in my email

  9. eBay Phish • Header shows originating IP address as 216.66.20.82 • WHOIS lookup on address shows owned by Hurricane Electric • Reverse DNS lookup: servidor8.hgmnetwork.com • Spanish ISP/Hosting Provider • No more information – probably open relay • Google search of jessman335 finds a few message board spam

  10. eBay Phish • All images in email link back to eBay • One interesting link for “respond here”: http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2siteid77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt • Notice anything unusual about the link?

  11. eBay Phish • The link went to an HTML file with a txt extension • Therefore, not rendered in browser as an HTML file • Typical phish would try to mimic eBay login page and email results to phisher • We now have an address – bad_boy_maf@yahoo.com • Look it up in Yahoo Profiles

  12. Dramatic Pause Here

  13. eBay Phish • Now we have a picture, name, age and other websites to look at • Two of the websites are down but one is still active • Last website gives his birth date, real name, astrological sign, IRC nick and channels he frequents, Yahoo messenger ID, favorite links, etc. • Download section on the webpage has links to various scanners, bots and attacker scripts

  14. Example 2: Hacked Honeypot

  15. Honeypot - Background • Linux 7.1 honeypot was put up for my GCFA certification in May 2004 • Hacked, analyzed and written about* • In early 2006 Robert Wright and I started looking into the group which hacked the honeypot to see how much info we could find. • This is what we found… *The paper can be found at http://www.hudakville.com/infosec

  16. Email Address • In the compromise, the attacker downloaded a rootkit named l1tere.tgz and sent emails to l1tere@yahoo.com • Profiles.yahoo.com shows no information • Google search of email address finds 2 reports of compromises • Another hacked honeypot • ID Theft trojan • Neither provide more information

  17. Another search • Changed Google search to “l1tere” • Bingo! Found web page at http://www.l1tere.5u.com • Contained pornographic cartoons and photos • Email address link to l1tere@yahoo.com • Looking in the /images/ directory finds a directory index with more images • Many of them of other people

  18. What now? • L1tere homepage has no more info • Try Googling the images we found • Specifically the ones with people in them • One of the images: d4r3ck.jpg • A name? • Google: inurl: d4r3ck.jpg = no hits • Google: inurl: d4r3ck = 

  19. d4r3ck • Two pages from search but only one active • http://d4r3ck.8m.net/ • More images, pictures of family, friends • Some of the same pics as l1tere • Email address: d4r3ck@personal.ro • List of IRC nicks and channels he frequents • What happens if we try and Google just for d4r3ck?

  20. Carding • Google search pulls up LOTS of IRC chat logs related to #CCcards, #cardz • IRC channels for trading credit card information • D4r3ck is a channel OP

  21. More on D4r3ck • Further searches revealed • other email addresses • more CC trading information • connections to other hackers • Also appears to be former “European e-Commerce Principal Assistant” for Hi-Tech Shells/IT e-solutions World Company • “Industry leader in providing web hosting services and shell accounts to businesses in all 50 states” • Located in Romania

  22. What about the other pictures? • With each new find, more information was uncovered • All are Romanian • Look to be around 16-19 at the time the pictures were taken • All pictures had time stamps of 2004 • Most of their home pages had the same images • Did an MD5 hash of the images • Most matched site to site, but one didn’t • Upon further examination it appeared to be steganographic
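Doing that image comparison systematically, as an added example that is not from the original slides: hash every copy of every filename across the sites, report which files are byte-identical on more than one site (the link between the people), and single out the copy that disagrees with the rest. The three "sites" and their JPEG-like byte strings are constructed, the function names are mine, and the trailing-data check is offered as one first thing to look at when a copy's hash differs (data appended after the JPEG end-of-image marker), not as what the author found in his case.

```python
import hashlib

JPEG_EOI = b"\xff\xd9"

# Constructed sample (not from the slides): the same minimal JPEG-like byte
# string served from three sites, with "site_c" serving one file that has
# extra bytes appended after the end-of-image marker.
BASE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
SITES = {
    "site_a": {"d4r3ck.jpg": BASE_JPG, "group.jpg": BASE_JPG},
    "site_b": {"d4r3ck.jpg": BASE_JPG, "group.jpg": BASE_JPG},
    "site_c": {"d4r3ck.jpg": BASE_JPG, "group.jpg": BASE_JPG + b"hidden payload"},
}

def md5_hex(data):
    # MD5 is used here only to match copies, not for anything security-relevant.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def hash_index(sites):
    """Map (filename, md5) -> sorted list of sites serving exactly those bytes."""
    index = {}
    for site, files in sites.items():
        for name, data in files.items():
            index.setdefault((name, md5_hex(data)), []).append(site)
    return {k: sorted(v) for k, v in index.items()}

def cross_site_matches(sites):
    """Files that are byte-identical on more than one site: the same picture
    has been copied around, which ties the sites (and their owners) together."""
    return {name: hosts for (name, _h), hosts in hash_index(sites).items() if len(hosts) > 1}

def odd_copies(sites):
    """Same filename but a different hash: the copies that disagree with the
    majority, which deserve a closer look."""
    by_name = {}
    for (name, _h), hosts in hash_index(sites).items():
        by_name.setdefault(name, []).append(hosts)
    odd = {}
    for name, variants in by_name.items():
        if len(variants) > 1:
            variants.sort(key=len, reverse=True)  # majority copy first
            odd[name] = sorted(host for hosts in variants[1:] for host in hosts)
    return odd

def trailing_data(jpeg):
    """Bytes after the last JPEG end-of-image marker. A viewer ignores them,
    so appended data is one common reason two copies of one picture differ."""
    end = jpeg.rfind(JPEG_EOI)
    return b"" if end < 0 else jpeg[end + len(JPEG_EOI):]
```

Feed it a mapping of site name to the files mirrored from each homepage; `cross_site_matches()` gives the links between people, `odd_copies()` the file to examine, and a non-empty `trailing_data()` is a quick explanation for a mismatch before reaching for a proper steganalysis tool. An empty trailer does not rule out steganography, which can live entirely inside the image data.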

  23. baietzasul22 • aka. baietzasu, Ba|3tzasu • Email Addresses • phainu@k.ro • baietzasu@yahoo.com • Mentioned in a lot of the same IRC logs as the other members

  24. alinus • Email addresses • sales@gsm-mania.ro • alinus22@yahoo.com • http://alinus.s5.com/index.html • Posts a lot on cell phone/GSM hacking forums • Speaks English • Profiles say he lives in Pitesti Arges, Romania • ICQ # 167213752

  25. Summary • You can use little tidbits of information found within a phish, compromise, email to find more information on who sent it • The Internet is full of sources – use them • Be creative! Look at names, images, logs, etc. • Don’t always expect to find something. • Sometimes there’s nothing out there. • Lots of dead ends.

  26. Questions/Comments?
