Tracking Hackers by Tyler Hudak (tyler@hudakville.com)


Post on 18-Dec-2015


TRANSCRIPT

  • Slide 1
  • Tracking Hackers, by Tyler Hudak (tyler@hudakville.com)
  • Slide 2
  • What we will cover
  • There are many ways to track hackers back to learn more about them
  • Will go over some easy methods that may produce fruitful results
  • Will not cover every single way
  • Two real-life examples of using these techniques will be covered
  • Slide 3
  • Tracking Hackers
  • Attackers often leave various unique calling cards that you can use to track them back
  • These include email addresses, names, IP addresses, tool names, images, techniques, etc.
  • Various tools on the Internet can be used to find more information on them
  • Can sometimes figure out how good they are with the information you find
  • Note: your mileage may vary
  • Slide 4
  • Emails
  • Emails provide more information than you may realize
  • Mail headers: Who sent the email (IP address, name)? Web-based email often carries the creator's IP address. What mail software were they using? Who does the email go back to?
  • Mail content: Plain text or HTML? HTML comments? Image locations, links?
  • Slide 5
  • Names
  • Once you've found some information (name, address, etc.), what can you do with it?
  • Search for it on the Internet!
  • Many different places on the Internet to get information
  • Google search for other occurrences of names, other people seeing the same thing
  • Member directories: many large websites have directories with information on their members (Yahoo, ICQ, myspace, youtube, etc.)
  • Slide 6
  • Names
  • Domain Names: Who owns it? What else do they own? What is their contact information? http://www.completewhois.com
  • IP Addresses: Where is the IP address located? Is there anyone else seeing attacks from this address?
  • http://www.arin.net - look up IP information
  • http://www.dshield.org - Internet DB of attacks
  • Slide 7
  • Example 1: eBay Phish
  • Slide 8
  • eBay Phish
  • Received an eBay phish attempt in my email
  • Slide 9
  • eBay Phish
  • Header shows originating IP address as 216.66.20.82
  • WHOIS lookup on the address shows it is owned by Hurricane Electric
  • Reverse DNS lookup: servidor8.hgmnetwork.com, a Spanish ISP/hosting provider
  • No more information; probably an open relay
  • Google search of jessman335 finds a few message board spams
  • Slide 10
  • eBay Phish
  • All images in the email link back to eBay
  • One interesting link for "respond here": http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2siteid77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt
  • Notice anything unusual about the link?
  • Slide 11
  • eBay Phish
  • The link went to an HTML file with a .txt extension
  • Therefore, not rendered in the browser as an HTML file
  • A typical phish would try to mimic the eBay login page and email the results to the phisher
  • We now have an address: bad_boy_maf@yahoo.com
  • Look it up in Yahoo Profiles
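The header and content checks from the "Emails" slide, applied to a phish like the one above, can be scripted so the first pass of triage is mechanical. The following is an added example, not code from the talk: it parses a constructed sample message (the relay host and IP are the ones the slides name; the pop3.ru path is shortened and the other hosts, IDs and addresses are placeholders in reserved example ranges), walks the Received chain bottom-up to find the first publicly routable hop, and then lists links, image hosts, HTML comments and e-mail addresses from the body. The allow-list of domains the impersonated brand legitimately uses (`brand_domains`) is an assumption you would maintain yourself.

```python
"""Offline triage of a suspected phishing e-mail: originating IP from the
Received chain, then links / images / comments / addresses from the HTML body.
Added example; the sample message below is constructed, not the real phish."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample.  216.66.20.82 / servidor8.hgmnetwork.com are the values
# the slides report; everything else is a placeholder.
SAMPLE = b"""\
Received: from mx1.example-corp.invalid (mx1.example-corp.invalid [192.0.2.10])
\tby mail.example-corp.invalid with ESMTP id abc123; Mon, 3 May 2004 10:00:00 -0400
Received: from servidor8.hgmnetwork.com (servidor8.hgmnetwork.com [216.66.20.82])
\tby mx1.example-corp.invalid with SMTP id def456; Mon, 3 May 2004 09:59:58 -0400
Received: from [10.0.0.5] by servidor8.hgmnetwork.com with SMTP; Mon, 3 May 2004 09:59:50 -0400
From: "eBay" <jessman335@example.invalid>
To: victim@example-corp.invalid
Subject: Your account has been suspended
X-Mailer: PhishKit/0.1 (constructed)
Content-Type: text/html

<html><body>
<!-- results are mailed to collector@example.invalid -->
<img src="http://pics.ebaystatic.com/logo.gif">
<p>Please <a href="http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignIn.txt">respond here</a>
or visit <a href="http://www.ebay.com/help">eBay Help</a>.</p>
</body></html>
"""

IPV4 = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"
EMAIL = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def received_ips(msg):
    """IPv4 literals from the Received chain, oldest hop first.  Each MTA
    prepends its own Received line, so the bottom header is the first hop."""
    ips = []
    for hdr in reversed(msg.get_all("Received") or []):
        ips.extend(re.findall(IPV4, str(hdr)))
    return ips


def originating_ip(msg):
    """First publicly routable hop: the address to WHOIS / reverse-DNS.
    Private and reserved ranges (the sender's LAN, TEST-NETs) are skipped."""
    for ip in received_ips(msg):
        if ipaddress.ip_address(ip).is_global:
            return ip
    return None


class LinkCollector(HTMLParser):
    """Collects anchors (href + visible text), image sources and HTML comments."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.comments = [], [], []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, brand="ebay", brand_domains=("ebay.com", "ebaystatic.com")):
    """Return the indicators the slides walk through.  brand_domains is an
    assumed allow-list of hosts the impersonated brand legitimately uses."""
    msg = parse(raw)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    lc = LinkCollector()
    lc.feed(html)
    flagged = []
    for href, text in lc.links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        reasons = []
        # A brand name in the link text or hostname that does not resolve to
        # the brand's own domains is the classic lure.
        if (brand in text.lower() or brand in host) and not in_domains(host, brand_domains):
            reasons.append("brand lure resolves outside %s" % ", ".join(brand_domains))
        # The slide's oddity: an HTML login page served with a .txt extension.
        if u.path.lower().endswith(".txt"):
            reasons.append("landing page served as .txt (HTML shown as source, not rendered)")
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return {
        "originating_ip": originating_ip(msg),
        "mailer": str(msg["X-Mailer"] or ""),
        "image_hosts": sorted({(urlparse(s).hostname or "").lower() for s in lc.images}),
        "comments": lc.comments,
        "emails": sorted(set(re.findall(EMAIL, str(msg["From"] or "") + "\n" + html))),
        "flagged": flagged,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

The originating IP is only as trustworthy as the Received lines below the first hop you control; anything the sender's own MTA wrote can be forged, which is why the slides treat the relay as a pivot to WHOIS and reverse DNS rather than as the answer.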
  • Slide 12
  • Dramatic Pause Here
  • Slide 13
  • Slide 14
  • eBay Phish
  • Now we have a picture, name, age and other websites to look at
  • Two of the websites are down but one is still active
  • Last website gives his birth date, real name, astrological sign, IRC nick and channels he frequents, Yahoo messenger ID, favorite links, etc.
  • Download section on the webpage has links to various scanners, bots and attacker scripts
  • Slide 15
  • Example 2: Hacked Honeypot
  • Slide 16
  • Honeypot - Background
  • Linux 7.1 honeypot was put up for my GCFA certification in May 2004
  • Hacked, analyzed and written about*
  • In early 2006 Robert Wright and I started looking into the group which hacked the honeypot to see how much info we could find
  • This is what we found
  • *The paper can be found at http://www.hudakville.com/infosec
  • Slide 17
  • Email Address
  • In the compromise, the attacker downloaded a rootkit named l1tere.tgz and sent emails to l1tere@yahoo.com
  • Profiles.yahoo.com shows no information
  • Google search of the email address finds 2 reports of compromises: another hacked honeypot and an ID theft trojan
  • Neither provides more information
  • Slide 18
  • Another search
  • Changed Google search to l1tere
  • Bingo! Found web page at http://www.l1tere.5u.com
  • Contained pornographic cartoons and photos
  • Email address link to l1tere@yahoo.com
  • Looking in the /images/ directory finds an index with more images, many of them of other people
  • Slide 19
  • What now?
  • L1tere homepage has no more info
  • Try Googling the images we found, specifically the ones with people in them
  • One of the images: d4r3ck.jpg. A name?
  • Google: inurl: d4r3ck.jpg = no hits
  • Google: inurl: d4r3ck =
  • Slide 20
  • d4r3ck
  • Two pages from search but only one active: http://d4r3ck.8m.net/
  • More images, pictures of family, friends; some of the same pics as l1tere
  • Email address: d4r3ck@personal.ro
  • List of IRC nicks and channels he frequents
  • What happens if we try and Google just for d4r3ck?
  • Slide 21
  • Carding
  • Google search pulls up LOTS of IRC chat logs related to #CCcards, #cardz
  • IRC channels for trading credit card information
  • D4r3ck is a channel OP
  • Slide 22
  • More on D4r3ck
  • Further searches revealed other email addresses, more CC trading information, and connections to other hackers
  • Also appears to be former European e-Commerce Principal Assistant for Hi-Tech Shells/IT e-solutions World Company