Tracking Hackers by Tyler Hudak (tyler@hudakville.com)

Slide deck, 28 pages. Posted 18-Dec-2015.

TRANSCRIPT

Page 1: Tracking Hackers By Tyler Hudak tyler@hudakville.com

Tracking Hackers

By Tyler Hudak

tyler@hudakville.com

Page 2

What we will cover

There are many ways to track "hackers" back to learn more about them

Will go over some easy methods that may produce fruitful results

Will not cover every single way

Two real life examples of using these techniques will be covered

Page 3

Tracking Hackers

Attackers often leave various unique calling cards that you can use to track them back

These include email addresses, names, IP addresses, tool names, images, techniques, etc.

Various tools on the Internet can be used to find more information on them

Can sometimes figure out how good they are with the information you find.

Note: Your mileage may vary.

Page 4

Emails

Emails provide more information than you may realize.

Mail headers
  Who sent the email (IP address, name)?
  Web-based email often has creator's IP address
  What mail software were they using?
  Who does the email go back to?

Mail content
  Plain text or HTML?
  HTML comments? Image locations, links?

Page 5

Names

Once you've found some information (name, address, etc.) what can you do with it?

Search for it on the Internet!

Many different places on the Internet to get information
  Google – search for other occurrences of names, other people seeing the same thing
  Member directories – many large websites have directories with information on their members
    Yahoo, ICQ, myspace, youtube, etc.

Page 6

Names

Domain Names – Who owns it? What else do they own? What is their contact information?
  http://www.completewhois.com

IP Addresses – Where is the IP address located? Is there anyone else seeing attacks from this address?
  http://www.arin.net - look up IP information
  http://www.dshield.org - Internet DB of attacks

Page 7

Example 1

eBay Phish

Page 8

eBay Phish

Received an eBay phish attempt in my email

Page 9

eBay Phish

Header shows originating IP address as 216.66.20.82

WHOIS lookup on address shows owned by Hurricane Electric

Reverse DNS lookup: servidor8.hgmnetwork.com
  Spanish ISP/Hosting Provider

No more information – probably open relay

Google search of jessman335 finds a few message board spams

Page 10

eBay Phish

All images in email link back to eBay

One interesting link for "respond here":

http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2siteid77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt

Notice anything unusual about the link?

Page 11

eBay Phish

The link went to an HTML file with a txt extension
  Therefore, not rendered in browser as an HTML file

Typical phish would try to mimic eBay login page and email results to phisher

We now have an address – [email protected]
  Look it up in Yahoo Profiles
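The checks from the "Emails" slide (originating hop in the Received chain, mail software, HTML comments, image and link targets) and the look-alike link from the eBay phish, worked as an added example. This is not code from the talk; the sample message below is constructed for the example (only the originating IP 216.66.20.82 and the reverse-DNS name servidor8.hgmnetwork.com are the values the slides report; every other host, address and URL is made up), and the "registered domain" helper is a deliberately crude last-two-labels rule rather than a Public Suffix List lookup.

```python
import email
import email.policy
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not the real phish from the talk. The originating
# IP and reverse-DNS name are the ones the slides report; every other host,
# address and URL is made up for this example.
RAW_PHISH = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.net with ESMTP; Tue, 1 Jan 2008 10:00:00 +0000
Received: from servidor8.hgmnetwork.com (servidor8.hgmnetwork.com [216.66.20.82])
    by mx.example.net with SMTP; Tue, 1 Jan 2008 09:59:58 +0000
Received: from [10.0.0.5] by servidor8.hgmnetwork.com with SMTP; Tue, 1 Jan 2008 09:59:50 +0000
From: "eBay" <aw-confirm@ebay.example>
To: victim@example.net
Subject: Question about your listing
X-Mailer: Example Bulk Mailer 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<!-- built with example-phishkit -->
<img src="http://pics.ebaystatic.com/logo.gif">
<p>A buyer asked a question about item 12345.</p>
<a href="http://signinebaycom.pop3.example/eBayISAPIdll.txt">Respond here</a>
<a href="http://www.ebay.com/help">Help</a>
</body></html>
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def originating_ip(msg):
    """Walk the Received: chain from the bottom (oldest hop) upwards and return
    the first address that is not RFC 1918 or loopback. That is the earliest hop
    the headers show; whether it is the sender or an open relay is a WHOIS/rDNS
    question, as on the slides."""
    for hop in reversed(msg.get_all("Received") or []):
        for ip in IPV4_RE.findall(hop):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not any(addr in net for net in INTERNAL_NETS):
                return ip
    return None


class LinkCollector(HTMLParser):
    """Collect anchor targets, image sources and HTML comments from the body."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def registered_domain(host):
    """Last two labels; fine for a demo, real code should use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_findings(urls, brand="ebay", brand_domains=("ebay.com", "ebaystatic.com")):
    """Flag URLs whose host name-drops the brand but is registered elsewhere, and
    links that point at a .txt file (served as text, so never rendered as HTML)."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if brand in host and registered_domain(host) not in brand_domains:
            reasons.append("look-alike host, registered domain is " + registered_domain(host))
        if parsed.path.lower().endswith(".txt"):
            reasons.append("link points at a .txt file")
        if reasons:
            findings.append((url, reasons))
    return findings


def analyze(raw):
    """Parse a raw RFC 822 message and pull out the calling cards the talk lists."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    mailer = msg.get("X-Mailer") or msg.get("User-Agent")
    return {
        "origin_ip": originating_ip(msg),
        "mailer": str(mailer) if mailer else None,
        "links": collector.links,
        "images": collector.images,
        "comments": collector.comments,
        "findings": link_findings(collector.links + collector.images),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_PHISH).items():
        print(f"{key}: {value}")
```

Run it on a saved message instead of the constructed one by reading the file into `analyze()`. The originating IP is only the earliest hop the headers expose; the next step, as on the slides, is a WHOIS and reverse-DNS lookup on it, which this offline example deliberately leaves out.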

Page 12

Dramatic Pause Here

Page 13

(no text on this slide)

Page 14

eBay Phish

Now we have a picture, name, age and other websites to look at

Two of the websites are down but one is still active

Last website gives his birth date, real name, astrological sign, IRC nick and channels he frequents, Yahoo messenger ID, favorite links, etc.

Download section on the webpage has links to various scanners, bots and attacker scripts

Page 15

Example 2

Hacked Honeypot

Page 16

Honeypot - Background

Linux 7.1 honeypot was put up for my GCFA certification in May 2004

Hacked, analyzed and written about*

In early 2006 Robert Wright and I started looking into the group which hacked the honeypot to see how much info we could find.

This is what we found…

*The paper can be found at http://www.hudakville.com/infosec

Page 17

Email Address

In the compromise, the attacker downloaded a rootkit named l1tere.tgz and sent emails to [email protected]

Profiles.yahoo.com shows no information

Google search of email address finds 2 reports of compromises
  Another hacked honeypot
  ID Theft trojan

Neither provide more information

Page 18

Another search

Changed Google search to "l1tere"

Bingo! Found web page at http://www.l1tere.5u.com
  Contained pornographic cartoons and photos
  Email address link to [email protected] (a yahoo.com address)
  Looking in /images/ directory find index with more images
    Many of them other people

Page 19

What now?

L1tere homepage has no more info

Try Googling the images we found
  Specifically the ones with people in them

One of the images: d4r3ck.jpg
  A name?
  Google: inurl: d4r3ck.jpg = no hits
  Google: inurl: d4r3ck =

Page 20

d4r3ck

Two pages from search but only one active
  http://d4r3ck.8m.net/

More images, pictures of family, friends
  Some of the same pics as l1tere

Email address: [email protected]

List of IRC nicks and channels he frequents

What happens if we try and Google just for d4r3ck?

Page 21

Carding

Google search pulls up LOTS of IRC chat logs related to #CCcards, #cardz
  IRC channels for trading credit card information

D4r3ck is a channel OP

Page 22

More on D4r3ck

Further searches revealed
  other email addresses
  more CC trading information
  connections to other hackers

Also appears to be former "European e-Commerce Principal Assistant" for Hi-Tech Shells/IT e-solutions World Company
  "Industry leader in providing web hosting services and shell accounts to businesses in all 50 states"
  Located in Romania

Page 23

(no text on this slide)

Page 24

What about the other pictures?

With each new find, more information was uncovered

All are Romanian

Look to be around 16-19 at the time the pictures were taken

All pictures had time stamps of 2004

Most of their home pages had the same images
  Did an MD5 hash of the images
  Most matched site to site, but one didn't
  Upon further examination it appeared to be steganographic
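The hash comparison from the slide above, as an added example that is not part of the talk: the same file names mirrored on several sites are hashed with MD5, and any name whose copies disagree is reported. A differing hash is only a lead (re-encoding, resizing or changed EXIF metadata also change it), so the example adds one cheap structural follow-up check: counting bytes that sit after the JPEG end-of-image marker, which image viewers ignore and which is a common place for appended data. The site names, file names and "image" byte strings are constructed for the example and are not real photos.

```python
import hashlib

# Constructed sample "images": minimal JPEG-shaped byte strings, not real photos.
# A JPEG starts with the SOI marker FF D8 and ends with the EOI marker FF D9;
# anything after EOI is ignored by viewers, so appended data survives unseen.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
TAMPERED_JPEG = CLEAN_JPEG + b"hidden payload"

# Constructed mirror of the situation on the slide: the same file names hosted on
# several home pages. Site labels are placeholders, not the sites from the talk.
SITE_IMAGES = {
    "site_a": {"photo1.jpg": CLEAN_JPEG, "group.jpg": CLEAN_JPEG},
    "site_b": {"photo1.jpg": CLEAN_JPEG, "group.jpg": TAMPERED_JPEG},
    "site_c": {"group.jpg": CLEAN_JPEG},
}


def md5_hex(data):
    """MD5 as used on the slide; a matching digest means byte-identical copies."""
    return hashlib.md5(data).hexdigest()


def compare_across_sites(site_images):
    """Return {file name: {site: md5}} for every file name whose copies on
    different sites do not all share one digest."""
    digests = {}  # file name -> {site: md5}
    for site, files in site_images.items():
        for name, data in files.items():
            digests.setdefault(name, {})[site] = md5_hex(data)
    return {name: per_site for name, per_site in digests.items()
            if len(set(per_site.values())) > 1}


def trailing_bytes_after_eoi(data):
    """Bytes after the last JPEG EOI marker: 0 for a clean file, None if the
    data is not JPEG-shaped. Only a heuristic; a positive count is a reason to
    look closer, not proof of steganography."""
    if not data.startswith(b"\xff\xd8"):
        return None
    eoi = data.rfind(b"\xff\xd9")
    if eoi < 0:
        return None
    return len(data) - (eoi + 2)


def odd_copies(site_images):
    """For each mismatching file name, list the copies that carry trailing data."""
    report = []
    for name, per_site in compare_across_sites(site_images).items():
        for site in per_site:
            extra = trailing_bytes_after_eoi(site_images[site][name])
            if extra:
                report.append((name, site, extra))
    return report


if __name__ == "__main__":
    for name, per_site in compare_across_sites(SITE_IMAGES).items():
        print(name, per_site)
    print(odd_copies(SITE_IMAGES))
```

Replace the byte strings with `open(path, "rb").read()` for files fetched from each site. MD5 is fine for spotting byte-identical copies, which is all the slide used it for; it is not a tamper-evident integrity check, so do not rely on it where an adversary can craft collisions.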

Page 25

baietzasul22

aka. baietzasu, Ba|3tzasu

Email Addresses
  [email protected] (a k.ro address)
  [email protected] (a yahoo.com address)

Mentioned in a lot of the same IRC logs as the other members

Page 26

alinus

Email addresses
  [email protected] (a gsm-mania.ro address)
  [email protected] (a yahoo.com address)

http://alinus.s5.com/index.html

Posts a lot on cell phone/GSM hacking forums

Speaks English

Profiles say he lives in Pitesti Arges, Romania

ICQ # 167213752

Page 27

Summary

You can use little tidbits of information found within a phish, compromise, email to find more information on who sent it

The Internet is full of sources – use them

Be creative! Look at names, images, logs, etc.

Don't always expect to find something.
  Sometimes there's nothing out there.
  Lots of dead ends.

Page 28

Questions/Comments?