Tracking Hackers
By Tyler Hudak
tyler@hudakville.com

What we will cover
- There are many ways to track “hackers” back to learn more about them
- Will go over some easy methods that may produce fruitful results
- Will not cover every single way
- Two real life examples of using these techniques will be covered

Tracking Hackers
- Attackers often leave various unique calling cards that you can use to track them back
- These include email addresses, names, IP addresses, tool names, images, techniques, etc.
- Various tools on the Internet can be used to find more information on them
- Can sometimes figure out how good they are with the information you find.
Note: Your mileage may vary.

Emails
- Emails provide more information than you may realize.
- Mail headers
  - Who sent the email (IP address, name)?
  - Web-based email often has creator's IP address
  - What mail software were they using?
  - Who does the email go back to?
- Mail content
  - Plain text or HTML?
  - HTML comments? Image locations, links?
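As an added example (not code from the slides), a small Python script that pulls the header facts listed above out of a constructed sample message: the Received: chain and the originating IP, the mail software, where replies and bounces go, and the HTML comments and links in the body. Every hostname and address in the sample is invented.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample message (not from the original slides). Addresses use the
# RFC 5737 documentation ranges and the hostnames are invented.
SAMPLE = """\
Return-Path: <bounce@mail.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123; Mon, 1 May 2006 10:00:02 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 1 May 2006 10:00:01 -0400
Received: from unknown (HELO webmail) ([203.0.113.45])
\tby relay.example.net with SMTP; Mon, 1 May 2006 09:59:58 -0400
X-Originating-IP: [203.0.113.45]
X-Mailer: ExampleMailer 1.0
From: "Account Services" <service@example.com>
Reply-To: someone.else@example.org
To: victim@example.org
Subject: Please confirm your account
Content-Type: text/html

<html><body><!-- built with kit v2 -->
<a href="http://signin-example.invalid/login.txt">respond here</a></body></html>
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def first_ip(text):
    """First syntactically valid IPv4 literal in a header value, or None."""
    for m in IP_RE.finditer(text):
        try:
            return str(ipaddress.ip_address(m.group(0)))
        except ValueError:
            continue
    return None


def received_hops(msg):
    """IPs from the Received: chain, earliest hop first. Each MTA prepends its own
    Received: line, so the LAST one in the message is the hop closest to the sender.
    Only the lines added by servers you control are trustworthy; everything below
    them could have been forged by the sender."""
    hops = [first_ip(h) for h in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def analyse(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    # Webmail providers often record the client's address in X-Originating-IP.
    origin = first_ip(msg.get("X-Originating-IP", "")) or (hops[0] if hops else None)
    # Where replies and bounces actually go; in a phish these rarely match From:.
    reply = {h: parseaddr(msg[h])[1] for h in ("From", "Reply-To", "Return-Path") if msg[h]}
    comments, links = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        comments += [c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.S)]
        links += re.findall(r"""(?:href|src)=["']([^"']+)["']""", html, re.I)
    return {"hops": hops, "origin": origin,
            "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
            "reply": reply, "comments": comments, "links": links}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```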
Names
- Once you've found some information (name, address, etc.) what can you do with it?
- Search for it on the Internet!
- Many different places on the Internet to get information
  - Google – search for other occurrences of names, other people seeing the same thing
  - Member directories – many large websites have directories with information on their members
    - Yahoo, ICQ, myspace, youtube, etc.

Names
- Domain Names – Who owns it? What else do they own? What is their contact information?
  - http://www.completewhois.com
- IP Addresses – Where is the IP address located? Is there anyone else seeing attacks from this address?
  - http://www.arin.net - look up IP information
  - http://www.dshield.org - Internet DB of attacks

Example 1
eBay Phish

eBay Phish
- Received an eBay phish attempt in my email

eBay Phish
- Header shows originating IP address as 216.66.20.82
- WHOIS lookup on address shows owned by Hurricane Electric
- Reverse DNS lookup: servidor8.hgmnetwork.com
  - Spanish ISP/Hosting Provider
- No more information – probably open relay
- Google search of jessman335 finds a few message board spam posts

eBay Phish
- All images in email link back to eBay
- One interesting link for “respond here”:
  http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2siteid77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt
- Notice anything unusual about the link?

eBay Phish
- The link went to an HTML file with a txt extension
  - Therefore, not rendered in browser as an HTML file
- Typical phish would try to mimic eBay login page and email results to phisher
- We now have an address – bad_boy_maf@yahoo.com
- Look it up in Yahoo Profiles
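An added example, not from the original slides: a Python triage of a link in the same shape as the one above, flagging brand and login-page words in a hostname whose registered domain belongs to someone else, and a path with a .txt extension. The brand token list, the brand's own domains and the sample URL are assumed values.

```python
from posixpath import splitext
from urllib.parse import unquote, urlsplit

# Assumed watch-list for one brand (hypothetical values, set per organisation):
# words that should only ever appear under the brand's own registered domains.
BRAND_TOKENS = ("example", "signin", "isapi")
BRAND_DOMAINS = {"example.com", "example.co.uk"}
TEXT_EXTENSIONS = {".txt"}   # served as text/plain, so the browser shows raw HTML

# Constructed look-alike, same shape as the link on the slide: brand and login-page
# words crammed into a hostname, a throwaway registered domain, a .txt path.
SAMPLE_URL = ("http://signinexamplecomwsexampleisapidll.pop3.invalid/"
              "ExampleISAPIdllSignInUsingSSLpUserIdruhttpAF2Fcontactexamplecouk.txt")


def registered_domain(host):
    """Heuristic for the part of the host that decides who owns the name: the last
    two labels, or three when the second-last is a common second-level suffix
    such as co/com/org. No public-suffix list, so unusual TLDs can be misjudged."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(url):
    """Return the indicators that make a link worth a second look, as on the slide."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rdom = registered_domain(host)
    findings = []
    tokens = [t for t in BRAND_TOKENS if t in host]
    if tokens and rdom not in BRAND_DOMAINS:
        # Brand words in the host, but the registered domain belongs to someone else.
        findings.append(f"brand tokens {tokens} in host, registered domain is {rdom}")
    ext = splitext(unquote(parts.path))[1].lower()
    if ext in TEXT_EXTENSIONS:
        findings.append(f"path ends in {ext}: page is shown as text, not rendered")
    if "http" in parts.path.lower():
        # Paths that carry the remains of a copied redirect parameter ("ru=http...").
        findings.append("path embeds another URL")
    if len(host) > 40 or len(parts.path) > 80:
        findings.append("unusually long hostname or path")
    return {"host": host, "registered_domain": rdom, "findings": findings}


if __name__ == "__main__":
    for url in (SAMPLE_URL, "https://signin.example.com/ws/login"):
        print(triage(url))
```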
Dramatic Pause Here

eBay Phish
- Now we have a picture, name, age and other websites to look at
- Two of the websites are down but one is still active
- Last website gives his birth date, real name, astrological sign, IRC nick and channels he frequents, Yahoo messenger ID, favorite links, etc.
- Download section on the webpage has links to various scanners, bots and attacker scripts

Example 2
Hacked Honeypot

Honeypot - Background
- Linux 7.1 honeypot was put up for my GCFA certification in May 2004
- Hacked, analyzed and written about*
- In early 2006 Robert Wright and I started looking into the group which hacked the honeypot to see how much info we could find.
- This is what we found…
*The paper can be found at http://www.hudakville.com/infosec

Email Address
- In the compromise, the attacker downloaded a rootkit named l1tere.tgz and sent emails to l1tere@yahoo.com
- Profiles.yahoo.com shows no information
- Google search of email address finds 2 reports of compromises
  - Another hacked honeypot
  - ID Theft trojan
  - Neither provide more information

Another search
- Changed Google search to “l1tere”
- Bingo! Found web page at http://www.l1tere.5u.com
  - Contained pornographic cartoons and photos
  - Email address link to l1tere@yahoo.com
- Looking in the /images/ directory finds an index with more images
  - Many of them of other people

What now?
- L1tere homepage has no more info
- Try Googling the images we found
  - Specifically the ones with people in them
- One of the images: d4r3ck.jpg
  - A name?
- Google: inurl: d4r3ck.jpg = no hits
- Google: inurl: d4r3ck =

d4r3ck
- Two pages from search but only one active
  - http://d4r3ck.8m.net/
- More images, pictures of family, friends
  - Some of the same pics as l1tere
- Email address: d4r3ck@personal.ro
- List of IRC nicks and channels he frequents
- What happens if we try and Google just for d4r3ck?

Carding
- Google search pulls up LOTS of IRC chat logs related to #CCcards, #cardz
  - IRC channels for trading credit card information
- D4r3ck is a channel OP

More on D4r3ck
- Further searches revealed
  - other email addresses
  - more CC trading information
  - connections to other hackers
- Also appears to be former “European e-Commerce Principal Assistant” for Hi-Tech Shells/IT e-solutions World Company
  - “Industry leader in providing web hosting services and shell accounts to businesses in all 50 states”
  - Located in Romania

What about the other pictures?
- With each new find, more information was uncovered
- All are Romanian
- Look to be around 16-19 at the time the pictures were taken
  - All pictures had time stamps of 2004
- Most of their home pages had the same images
  - Did an MD5 hash of the images
  - Most matched site to site, but one didn’t
  - Upon further examination it appeared to be steganographic
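An added example (not the slides' data or code): the hash comparison above in Python over a constructed set of files, grouping each filename's copies by MD5 across sites and, for the copy that does not match, checking for bytes appended after the JPEG end-of-image marker.

```python
import hashlib
from collections import defaultdict

JPEG_SOI = b"\xff\xd8"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"   # end-of-image marker; a viewer stops reading here


def fake_jpeg(body, trailer=b""):
    """Constructed stand-in for an image file: SOI, some bytes, EOI, and
    optionally bytes appended after the end-of-image marker."""
    return JPEG_SOI + body + JPEG_EOI + trailer


# Constructed corpus (not the slides' images): site -> filename -> file bytes.
# pic2.jpg on site_b is the same picture with data appended after the EOI marker.
SITES = {
    "site_a": {"pic1.jpg": fake_jpeg(b"A" * 64), "pic2.jpg": fake_jpeg(b"B" * 64)},
    "site_b": {"pic1.jpg": fake_jpeg(b"A" * 64), "pic2.jpg": fake_jpeg(b"B" * 64, b"hidden")},
    "site_c": {"pic1.jpg": fake_jpeg(b"A" * 64)},
}


def md5_hex(data):
    # MD5 is fine for "is this byte-for-byte the same file?", which is all this needs.
    return hashlib.md5(data).hexdigest()


def compare_sites(sites):
    """filename -> md5 -> [sites holding that exact copy]."""
    by_name = defaultdict(lambda: defaultdict(list))
    for site, files in sites.items():
        for name, data in files.items():
            by_name[name][md5_hex(data)].append(site)
    return {name: dict(hashes) for name, hashes in by_name.items()}


def mismatches(sites):
    """Filenames whose copies differ somewhere: the one that did not match."""
    return {n: h for n, h in compare_sites(sites).items() if len(h) > 1}


def trailing_bytes(data):
    """Bytes after the last EOI marker. Anything here is never displayed, so it is
    the cheapest thing to check first. A different hash can also just mean the file
    was re-saved, and stego tools that alter pixel data leave no trailer at all."""
    idx = data.rfind(JPEG_EOI)
    return b"" if idx < 0 else data[idx + len(JPEG_EOI):]


def investigate(sites):
    """(filename, site) -> md5 and trailing data, for every mismatching filename."""
    report = {}
    for name, hashes in mismatches(sites).items():
        for digest, owners in hashes.items():
            for site in owners:
                report[(name, site)] = {"md5": digest,
                                        "trailer": trailing_bytes(sites[site][name])}
    return report


if __name__ == "__main__":
    for key, info in investigate(SITES).items():
        print(key, info["md5"], info["trailer"])
```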
baietzasul22
- aka. baietzasu, Ba|3tzasu
- Email Addresses
  - phainu@k.ro
  - baietzasu@yahoo.com
- Mentioned in a lot of the same IRC logs as the other members

alinus
- Email addresses
  - sales@gsm-mania.ro
  - alinus22@yahoo.com
- http://alinus.s5.com/index.html
- Posts a lot on cell phone/GSM hacking forums
- Speaks English
- Profiles say he lives in Pitesti Arges, Romania
- ICQ # 167213752

Summary
- You can use little tidbits of information found within a phish, compromise, or email to find more information on who sent it
- The Internet is full of sources – use them
- Be creative! Look at names, images, logs, etc.
- Don’t always expect to find something.
  - Sometimes there’s nothing out there.
  - Lots of dead ends.

Questions/Comments?