Tracking Hackers (PowerPoint presentation transcript)
Tracking Hackers
By Tyler Hudak, [email protected]

What we will cover
- There are many ways to track "hackers" back to learn more about them
- Will go over some easy methods that may produce fruitful results
- Will not cover every single way
- Two real life examples of using these techniques will be covered

Tracking Hackers
- Attackers often leave various unique calling cards that you can use to track them back
- These include email addresses, names, IP addresses, tool names, images, techniques, etc.
- Various tools on the Internet can be used to find more information on them
- Can sometimes figure out how good they are with the information you find.
- Note: Your mileage may vary.

Emails
- Emails provide more information than you may realize.
- Mail headers
  - Who sent the email (IP address, name)?
  - Web-based email often has creator's IP address
  - What mail software were they using?
  - Who does the email go back to?
- Mail content
  - Plain text or HTML?
  - HTML comments? Image locations, links?
Names
- Once you've found some information (name, address, etc.) what can you do with it?
- Search for it on the Internet!
- Many different places on the Internet to get information
  - Google – search for other occurrences of names, other people seeing the same thing
  - Member directories – many large websites have directories with information on their members
    - Yahoo, ICQ, myspace, youtube, etc.

Names
- Domain Names – Who owns it? What else do they own? What is their contact information?
  - http://www.completewhois.com
- IP Addresses – Where is the IP address located? Is there anyone else seeing attacks from this address?
  - http://www.arin.net - look up IP information
  - http://www.dshield.org - Internet DB of attacks

Example 1: eBay Phish

eBay Phish
- Received an eBay phish attempt in my email

eBay Phish
- Header shows originating IP address as 216.66.20.82
- WHOIS lookup on address shows owned by Hurricane Electric
- Reverse DNS lookup: servidor8.hgmnetwork.com
  - Spanish ISP/Hosting Provider
- No more information – probably open relay
- Google search of jessman335 finds a few message board spam

eBay Phish
- All images in email link back to eBay
- One interesting link for "respond here":
  http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2siteid77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt
- Notice anything unusual about the link?

eBay Phish
- The link went to an HTML file with a txt extension
- Therefore, not rendered in browser as an HTML file
- Typical phish would try to mimic eBay login page and email results to phisher
- We now have an address – [email protected]
- Look it up in Yahoo Profiles
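What is unusual about the link is that the brand words all sit in the host's subdomain and in the path, while the registered domain is pop3.ru and the target is a .txt file. The script below is an added example for this transcript, not the author's code: it pulls links, image sources and HTML comments out of a constructed HTML mail body with the standard-library HTMLParser, then reports each link's real registered domain, its file extension and whether brand words appear outside that domain. The phishing URL is the one printed on the slide; the HTML around it, the brand-word list, and the "last two labels" approximation of a registered domain (a real tool would use the public suffix list) are assumptions.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

# The "respond here" link exactly as printed on the slide.
PHISH_LINK = (
    "http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2site"
    "id77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt"
)

# Constructed HTML body: images pointing at the brand, the phishing link, and a leftover comment.
SAMPLE_HTML = f"""<html><body>
<!-- template v3 by jessman335 -->
<img src="http://www.ebay.com/logo.gif">
<p>Your account has been suspended. <a href="{PHISH_LINK}">Respond here</a></p>
<a href="http://www.ebay.com/help">Help</a>
</body></html>"""

# Brand strings to watch for; assumed list, extend for whatever brand the phish imitates.
BRAND_WORDS = ("ebay", "signin")


class MailHtmlExtractor(HTMLParser):
    """Collect link targets, image locations and HTML comments from a mail body."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract(html):
    p = MailHtmlExtractor()
    p.feed(html)
    return {"links": p.links, "images": p.images, "comments": p.comments}


def registered_domain(host):
    """Last two labels of the host. Approximation: co.uk-style suffixes need the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_link(url, brand_words=BRAND_WORDS):
    """Where a link really goes, and whether it only looks like the brand."""
    parts = urlparse(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    ext = posixpath.splitext(parts.path)[1].lower()
    hits = [w for w in brand_words if w in host or w in parts.path.lower()]
    # brand words present, but the registered domain itself is not the brand
    lookalike = bool(hits) and not any(reg.startswith(w + ".") for w in brand_words)
    return {
        "host": host,
        "registered_domain": reg,
        "path_extension": ext,
        "brand_words": hits,
        "lookalike": lookalike,
        # a .txt extension is usually served as text/plain, i.e. shown as source, not rendered
        "likely_served_as_text": ext == ".txt",
    }


def suspicious_links(html):
    """Links in the body whose brand appearance does not match their registered domain."""
    return [u for u in extract(html)["links"] if analyze_link(u)["lookalike"]]


if __name__ == "__main__":
    found = extract(SAMPLE_HTML)
    print("comments:", found["comments"])
    for url in found["links"] + found["images"]:
        print(analyze_link(url))
```

Running it on the constructed body flags only the pop3.ru link; the two ebay.com references come out clean, which matches the slide's observation that the images all pointed back at eBay and only the "respond here" link did not.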
Dramatic Pause Here

eBay Phish
- Now we have a picture, name, age and other websites to look at
- Two of the websites are down but one is still active
- Last website gives his birth date, real name, astrological sign, IRC nick and channels he frequents, Yahoo messenger ID, favorite links, etc.
- Download section on the webpage has links to various scanners, bots and attacker scripts

Example 2: Hacked Honeypot

Honeypot - Background
- Linux 7.1 honeypot was put up for my GCFA certification in May 2004
- Hacked, analyzed and written about*
- In early 2006 Robert Wright and I started looking into the group which hacked the honeypot to see how much info we could find.
- This is what we found…

*The paper can be found at http://www.hudakville.com/infosec

Email Address
- In the compromise, the attacker downloaded a rootkit named l1tere.tgz and sent emails to [email protected]
- Profiles.yahoo.com shows no information
- Google search of email address finds 2 reports of compromises
  - Another hacked honeypot
  - ID Theft trojan
- Neither provide more information

Another search
- Changed Google search to "l1tere"
- Bingo! Found web page at http://www.l1tere.5u.com
  - Contained pornographic cartoons and photos
  - Email address link to [email protected]
- Looking in /images/ directory find index with more images
  - Many of them other people

What now?
- L1tere homepage has no more info
- Try Googling the images we found
  - Specifically the ones with people in them
- One of the images: d4r3ck.jpg
  - A name?
- Google: inurl: d4r3ck.jpg = no hits
- Google: inurl: d4r3ck = d4r3ck

d4r3ck
- Two pages from search but only one active
  - http://d4r3ck.8m.net/
- More images, pictures of family, friends
  - Some of the same pics as l1tere
- Email address: [email protected]
- List of IRC nicks and channels he frequents
- What happens if we try and Google just for d4r3ck?

Carding
- Google search pulls up LOTS of IRC chat logs related to #CCcards, #cardz
  - IRC channels for trading credit card information
- D4r3ck is a channel OP

More on D4r3ck
- Further searches revealed
  - other email addresses
  - more CC trading information
  - connections to other hackers
- Also appears to be former "European e-Commerce Principal Assistant" for Hi-Tech Shells/IT e-solutions World Company
  - "Industry leader in providing web hosting services and shell accounts to businesses in all 50 states"
- Located in Romania

What about the other pictures?
- With each new find, more information was uncovered
- All are Romanian
- Look to be around 16-19 at the time the pictures were taken
- All pictures had time stamps of 2004
- Most of their home pages had the same images
  - Did an MD5 hash of the images
  - Most matched site to site, but one didn't
  - Upon further examination it appeared to be steganographic
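The hash comparison on this slide is the kind of check that is easy to do by hand for a handful of files and easy to get wrong for hundreds. The script below is an added example for this transcript, not the authors' tooling: it hashes every image collected from each site, reports which same-named files are byte-identical across sites, which are not (the cue to look closer, as the talk did), and which files are the same bytes under a different name. The site names are the ones on the slides; the file names and image bytes are constructed stand-ins.

```python
import hashlib
from collections import defaultdict

# Constructed image data standing in for files pulled from the sites named in the talk.
# The site names are from the slides; the file names and bytes are invented.
JPEG_SOI = b"\xff\xd8\xff\xe0"
SITES = {
    "www.l1tere.5u.com": {
        "friends.jpg": JPEG_SOI + b"friends-photo-bytes" * 4,
        "party.jpg": JPEG_SOI + b"party-photo-bytes" * 4,
        "crew.jpg": JPEG_SOI + b"crew-photo-bytes" * 4,
    },
    "d4r3ck.8m.net": {
        "friends.jpg": JPEG_SOI + b"friends-photo-bytes" * 4,
        # same name as on the first site, but different (and longer) bytes
        "party.jpg": JPEG_SOI + b"party-photo-bytes" * 4 + b"\x00\x13\x37" * 8,
        # same bytes as crew.jpg on the first site, under a different name
        "gang.jpg": JPEG_SOI + b"crew-photo-bytes" * 4,
    },
}


def digest(data, algo="md5"):
    """Hex digest of a file's bytes; algo is any name hashlib knows (md5, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


def compare_sites(sites, algo="md5"):
    """Cross-site comparison of collected files.

    sites: {site_name: {file_name: bytes}}
    Returns (matches, mismatches, aliases):
      matches    {file_name: digest}                 same name, identical bytes on every site
      mismatches {file_name: {site: (digest, size)}} same name, but the bytes differ somewhere
      aliases    {digest: [(site, file_name), ...]}  identical bytes stored under several names
    """
    by_name = defaultdict(dict)   # file_name -> {site: (digest, size)}
    by_hash = defaultdict(set)    # digest    -> {(site, file_name)}
    for site, files in sites.items():
        for name, data in files.items():
            h = digest(data, algo)
            by_name[name][site] = (h, len(data))
            by_hash[h].add((site, name))

    matches, mismatches = {}, {}
    for name, per_site in by_name.items():
        if len(per_site) < 2:
            continue  # only on one site, nothing to compare against
        digests = {h for h, _ in per_site.values()}
        if len(digests) == 1:
            matches[name] = digests.pop()
        else:
            mismatches[name] = per_site

    aliases = {h: sorted(locs) for h, locs in by_hash.items()
               if len({name for _, name in locs}) > 1}
    return matches, mismatches, aliases


if __name__ == "__main__":
    matches, mismatches, aliases = compare_sites(SITES)
    print("identical across sites:", sorted(matches))
    for name, per_site in mismatches.items():
        print(f"DIFFERS: {name}")
        for site, (h, size) in sorted(per_site.items()):
            print(f"    {site:20} {h}  {size} bytes")
    for h, locs in aliases.items():
        print("same bytes, different names:", h, locs)
```

MD5 is adequate for spotting that two copies you collected differ, but because collisions can be manufactured, record a SHA-256 alongside it (pass `algo="sha256"`) if the hashes will be shared or relied on later. A same-named image whose bytes differ and whose size has grown is exactly the case the talk describes; size and metadata are the next things to examine before suspecting an embedded payload.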
baietzasul22
- aka. baietzasu, Ba|3tzasu
- Email Addresses
  - [email protected] (k.ro)
  - [email protected] (yahoo.com)
- Mentioned in a lot of the same IRC logs as the other members

alinus
- Email addresses
  - [email protected] (gsm-mania.ro)
  - [email protected] (yahoo.com)
- http://alinus.s5.com/index.html
- Posts a lot on cell phone/GSM hacking forums
- Speaks English
- Profiles say he lives in Pitesti Arges, Romania
- ICQ # 167213752

Summary
- You can use little tidbits of information found within a phish, compromise, or email to find more information on who sent it
- The Internet is full of sources – use them
- Be creative! Look at names, images, logs, etc.
- Don't always expect to find something. Sometimes there's nothing out there.
- Lots of dead ends.

Questions/Comments?