How To Trace A Hacker
By enumerating the attacker in the same way that they have enumerated the victim, you will be able to see the
bigger picture and establish what you’re up against. But how can you do this? Read on…
The computer world, at any rate. Every single time you open up a website, send an email or upload your
webpages into cyberspace, you are connecting to another machine in order to get the job done. This, of course,
presents a major problem, because this simple act is what allows malicious users to target a machine in the first
place.
Well, first of all, they need to get hold of the victim’s IP Address. Your IP (Internet Protocol) address reveals your
point of entry to the Internet and can be used in many ways to cause your online activities many, many problems.
It may not reveal you by name, but it may be uniquely identifiable and it represents your digital ID while you are
online (especially so if you’re on a fixed IP / DSL etc).
With an IP address, a Hacker can find out all sorts of weird and wonderful things about their victim (as well as
causing all kinds of other trouble, the biggest two being Portnukes/Trojans and the dreaded DoS ((Denial of
Service)) attack). Some Hackers like to collect IP Addresses like badges, and like to go back to old targets,
messing them around every so often. An IP address is incredibly easy to obtain - until recently, many realtime
chat applications (such as MSN) were goldmines of information. Your IP Address is contained as part of the
Header Code on all emails that you send and webpages that you visit can store all kinds of information about
you. A common trick is for the Hacker to go into a Chatroom, paste his supposed website address all over the
place, and when the unsuspecting victim visits, everything about the victim's computer from the operating system to the
screen resolution can be logged…and, of course, the all-important IP address. In addition, a simple network-wide
port scan will reveal vulnerable target machines, and a war-dialler will scan thousands of phone lines for exposed
modems that the hacker can exploit.
So now that you know some of the basic dangers, you're probably wondering how these people connect to a
victim's machine.
Everything that you receive over the Internet comes as a result of other machines connecting to your computer's
ports. There are two types: physical ports are the sockets in the back of your machine, but the important ones are virtual ports.
These allow the transfer of data between your computer and the outside world, some with allocated functions, some
without. Knowing how these work is the first step to discovering who is attacking you; you simply MUST have
a basic knowledge of this, or you won't get much further.
TCP/IP stands for Transmission Control Protocol and Internet Protocol. A TCP/IP packet is a block of data which
is compressed, has a header put on it, and is then sent to another computer (UDP stands for User Datagram
Protocol). This is how ALL Internet transfers occur: by sending packets. The header in a packet contains the IP
address of the machine that originally sent it to you. Now, your computer comes with an excellent (and free) tool that
allows you to see anything that is connected (or is attempting to connect) to you, although bear in mind that it
offers no blocking protection; it simply tells you what is going on. That tool is NETSTAT.
Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your
computer. Open up DOS (Start/Programs/MS-DOS Prompt on most systems), and in the MS-DOS Prompt, type:
netstat -a
(make sure you include the space in between the "t" and the "a").
If you’re connected to the Internet when you do this, you should see something like:
Active Connections
netstat ?
netstat -an
because this lists all connections in numerical form, which makes it a lot easier to trace malicious
users. Hostnames can be a little confusing if you don't know what you're doing (although they're easily
understandable, as we shall see later). By doing this, you can also find out what your own IP address is,
which is always useful.
Also,
netstat -b
will tell you what ports are open and what programs are connecting to the internet.
## Types of Port ##
It would be impossible to find out who was attacking you if computers could just access any old port to perform
an important function; how could you tell a mail transfer from a Trojan Attack? Well, good news, because your
regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number
used, the more you should be suspicious. Here are the three main types of port:
# Well Known Ports: These run from 0 to 1023 and are bound to the common services that run on them (for
example, mail runs on port 25 tcp/udp, which is SMTP (Simple Mail Transfer Protocol)), so if you find one of
these ports open (and you usually will), it's usually because of an essential function.
# Registered Ports: These run from 1024 to 49151. Although not bound to a particular service, these are normally
used by networking utilities like FTP software, email clients and so on, which open a random
port within this range before communicating with the remote server. So don't panic (just be wary, perhaps) if you
see any of these open, because they usually close automatically when the program that's using them
terminates (for example, type a common website name into your browser with netstat open, and watch as it
opens up a port at random to talk to the remote server). Services like MSN Messenger and ICQ
usually run on these ports.
# Dynamic/Private Ports: Ranging from 49152 to 65535, these are rarely used except with certain
programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these
open, be very suspicious.
So, just to recap:
Well Known Ports (0 to 1023): Commonly used, little danger.
Registered Ports (1024 to 49151): Not as common, just be careful.
Dynamic/Private Ports (49152 to 65535): Be extremely suspicious.
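The netstat and port-range material above can be turned into a small checker. The following Python is an added example (it is not code from the original tutorial): it parses the text of `netstat -an`, splits every endpoint into address and port, classifies the port into the three ranges listed in the recap, and flags established connections whose remote end is in the dynamic/private range. The netstat output embedded in the block is constructed for the example, not a real capture.

```python
from __future__ import annotations
import re

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:25        ESTABLISHED
  TCP    192.0.2.10:1052        203.0.113.9:80         ESTABLISHED
  TCP    192.0.2.10:54321       203.0.113.77:60123     ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

# One row of `netstat -an`: protocol, local endpoint, foreign endpoint, optional state.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def port_class(port: int) -> str:
    """Map a port number onto the three ranges from the recap above."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def split_endpoint(endpoint: str) -> tuple[str, int | None]:
    """'203.0.113.9:80' -> ('203.0.113.9', 80); '*:*' -> ('*', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[dict]:
    """Turn the raw netstat text into a list of connection records."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, blank and column-header lines
        local_addr, local_port = split_endpoint(m["local"])
        foreign_addr, foreign_port = split_endpoint(m["foreign"])
        rows.append({
            "proto": m["proto"],
            "local_addr": local_addr, "local_port": local_port,
            "foreign_addr": foreign_addr, "foreign_port": foreign_port,
            "state": m["state"],
        })
    return rows


def suspicious_connections(rows: list[dict]) -> list[dict]:
    """Established connections whose *remote* port is in the dynamic/private range."""
    return [
        r for r in rows
        if r["state"] == "ESTABLISHED"
        and r["foreign_port"] is not None
        and port_class(r["foreign_port"]) == "dynamic/private"
    ]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in rows:
        fp = r["foreign_port"]
        label = port_class(fp) if fp is not None else "n/a"
        print(f"{r['proto']:4} {r['foreign_addr']:>15}:{fp!s:<6} {label:16} {r['state'] or ''}")
    for r in suspicious_connections(rows):
        print("suspicious:", r["foreign_addr"], r["foreign_port"])
```

The check deliberately looks at the foreign port, not the local one: the local side of an outgoing connection is always an ephemeral port picked by the operating system (on newer Windows versions that is the 49152 and up range), so a high local port on its own says nothing. A high remote port on an established connection is the case the recap tells you to be suspicious of, and even then it is a prompt to investigate the process behind it, not proof of anything.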
## The hunt is on ##
Now, it is essential that you know what you're looking for, and the most common way someone will attack your
machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your
ports, and when activated it can give the attacker your passwords, access to your hard drive…they can even make
your CD tray pop open and shut. At the end of this document, you will find a list of the most commonly used
Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat….
Active Connections
Netstat -a
then
Netstat -an
## Tracerouting ##
Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not
enough to have the address; you also need to know where the attacker's connections are coming from. You may
have used automated tracerouting tools before, but do you know how they work?
Go back to MS-DOS and type
tracert *type IP address/Hostname here*
Now, what happens is, the traceroute will show you all the computers in between you and the target machine,
including blockages, firewalls etc. More often than not, the hostname listed before the final one will
belong to the Hacker's ISP. It'll either say who the ISP is somewhere in there, or else you run a second
trace on the new IP/hostname to see who the ISP in question is. If the hostname that you get
back doesn't actually seem to mention an actual geographical location within its text, you may think all is lost. But
fear not! Suppose you get a hostname such as
http://www.haha.com
Well, that tells us nothing, right? Wrong….simply enter the hostname in your browser, and though many times
you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location
and in what areas they operate. This at least gives you a firm geographical location to carry out your
investigations in.
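The "read the hop before the last one" step described above can be automated. This Python is an added example, not part of the original tutorial: it parses the text of a Windows `tracert` run, tolerates hops that timed out or answered with a bare IP, picks out the last hop before the target that has a hostname, and makes a rough guess at the owning domain (the part you would look up or send an abuse report to). The trace in the block is constructed for the example, and the country-code handling in `registrable_domain` is a deliberately crude rule, not a full public-suffix lookup.

```python
import re

# Constructed Windows `tracert` output (not a real trace).
SAMPLE_TRACERT = """\
Tracing route to host-77.dialup.example-isp.net.au [203.0.113.77]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  router.home.example [192.0.2.1]
  2    12 ms    11 ms    12 ms  gw1.myisp.example.net [198.51.100.1]
  3    25 ms    26 ms    25 ms  198.51.100.254
  4     *        *        *     Request timed out.
  5   310 ms   305 ms   312 ms  core1.example-isp.net.au [203.0.113.1]
  6   320 ms   318 ms   321 ms  host-77.dialup.example-isp.net.au [203.0.113.77]

Trace complete.
"""

# A hop line: hop number, three probe results ("12 ms", "<1 ms" or "*"), then the address part.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})(?P<rest>.+?)\s*$"
)
# Address part: "name [ip]", "[ip]" or a bare "ip". "Request timed out." matches neither.
ADDR_RE = re.compile(r"^(?:(?P<host>\S+)\s+)?\[(?P<ip>[\d.]+)\]$|^(?P<bare_ip>[\d.]+)$")


def parse_tracert(text):
    """Return one record per hop: number, the three RTTs (None for '*'), hostname and IP."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank and "Trace complete." lines
        rtts = [None if tok == "*" else int(tok.lstrip("<").split()[0])
                for tok in re.findall(r"<?\d+ ms|\*", m["rtts"])]
        host = ip = None
        a = ADDR_RE.match(m["rest"])
        if a:
            ip = a["ip"] or a["bare_ip"]
            host = a["host"]
        hops.append({"hop": int(m["hop"]), "rtts": rtts, "host": host, "ip": ip})
    return hops


def registrable_domain(hostname):
    """Crude owner-domain guess: the last two labels, or three when a two-letter
    country code sits under a generic second level such as 'net.au' or 'co.uk'."""
    labels = hostname.lower().split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"co", "com", "net", "org", "ac", "gov"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def upstream_of_target(hops):
    """The last hop before the target that answered with a hostname; as the
    tutorial says, this is usually a router belonging to the target's ISP."""
    answered = [h for h in hops if h["ip"] is not None]
    for h in reversed(answered[:-1]):
        if h["host"]:
            return h
    return None


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    for h in hops:
        print(h["hop"], h["rtts"], h["host"] or "-", h["ip"] or "timed out")
    up = upstream_of_target(hops)
    if up:
        print("upstream network:", registrable_domain(up["host"]))
```

Two caveats worth keeping in mind when you read the result: the hostname of a hop is whatever its owner put in reverse DNS, so it is a hint about the network rather than a fact about the person, and a hop that answers with a bare IP (hop 3 above) or not at all (hop 4) is normal on the open Internet and does not mean anything is being hidden from you.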
If you STILL have nothing, as a last resort you COULD try connecting to your target’s ISP’s port 13 by Telnet,
which will tell you how many hours ahead or behind this ISP is of GMT, thus giving you a geographical trace
based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their
clocks set correctly, giving you a misleading trace. Similarly, a common tactic of Hackers is to deliberately have
their computer’s clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what
you’re doing, I wouldn’t advise using Telnet (which is outside the parameters of this tutorial).
This is probably the most effective way of running a trace on somebody. If ever you’re in a chatroom and you see
someone saying that they’ve “hacked into a satellite orbiting the Earth, and are taking pictures of your house right
now”, ignore them because that’s just bad movie nonsense. THIS method is the way to go, with regard to finding
out what country (even maybe what State/City etc) someone resides, although it’s actually almost impossible to
find an EXACT geographical location without actually breaking into your ISP’s Head Office and running off with
the safe.
Typing plain
netstat
and hitting return shows any active connections resolved to hostnames rather than in numerical format.
## DNS ##
DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep
track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain
Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP
address….which is why we can enter “www.Hotmail.com” and get the website to come up, instead of having to
actually remember Hotmail's IP address and enter that instead. Well, Reverse DNS, of course, translates the IP
Address into a Hostname (ie, into letters and words instead of numbers). This matters because sometimes the Hacker will
employ various methods to stop Netstat from picking up a correct Hostname.
Anyway, see the section at the end of the hostname? (au) means the target lives in Australia. Most (if not all) hostnames end in a
specific Country Code, thus narrowing down your search even further. If you know your target's Email Address
(ie they foolishly sent you a hate mail, but were silly enough to use a valid email address) but nothing else, then
you can use the Country Codes to deduce where they're from as well. You can also deduce the IP address of the
sender by looking at the email's header (a "hidden" block of lines which contains information on the sender)…on
Hotmail, for example, go to Preferences and select the "Full Headers Visible" option. Alternatively, you can run a
"Finger" trace on the email address, at:
www.samspade.org
Plus, some ISP’s include their name in your Email Address with them too (ie Wanadoo, Supanet etc), and your
Hacker may be using an email account that’s been provided by a Website hosting company, meaning this would
probably have the website host’s name in the email address (ie Webspawners). So, you could use the
information gleaned to maybe even hunt down their website (then you could run a website check as mentioned
previously) or report abuse of that Website Provider’s Email account (and thus, the Website that it goes with) to
abuse@companynamegoeshere.com
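Reading the email header for the sender's IP, pulling the country code off the hostname and working out where to send the abuse report, as described in the two paragraphs above, can be done in a few lines. The Python below is an added example and not part of the original tutorial: it walks the `Received:` headers of a message (each relay prepends one, so the bottom-most is the earliest hop), extracts the host and bracketed IP recorded there, returns the two-letter country code if the hostname ends in one, and builds the `abuse@` address for the provider's domain. The message in the block is constructed for the example.

```python
import email
import re

# Constructed message, as a mail client would show it with full headers visible.
SAMPLE_MESSAGE = """\
Received: from mx.example-mail.net (mx.example-mail.net [198.51.100.25])
\tby inbox.example.org with ESMTP id AB123; Tue, 02 Jul 2002 10:15:02 +0100
Received: from dialup-77.isp.example.net.au (dialup-77.isp.example.net.au [203.0.113.77])
\tby mx.example-mail.net with SMTP id XY987; Tue, 02 Jul 2002 19:14:40 +1000
From: angry@isp.example.net.au
To: victim@example.org
Subject: hate mail

You have been hacked!!!
"""

# "from <helo name> (<reverse-dns name> [<ip>])" as written by most mail servers.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>\d+(?:\.\d+){3})\]\)"
)


def received_hops(raw_message):
    """All Received: headers, top (most recent relay) to bottom (earliest), parsed."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold the continuation lines
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"]})
    return hops


def originating_hop(raw_message):
    """The earliest hop in the chain: the machine the message was handed in from."""
    hops = received_hops(raw_message)
    return hops[-1] if hops else None


def country_code(hostname):
    """Two-letter country code at the end of a hostname ('au'), or None."""
    tld = hostname.rsplit(".", 1)[-1].lower()
    return tld if len(tld) == 2 and tld.isalpha() else None


def abuse_address(email_address):
    """abuse@ mailbox of the provider that issued the address."""
    domain = email_address.rsplit("@", 1)[-1].lower()
    return f"abuse@{domain}"


if __name__ == "__main__":
    hop = originating_hop(SAMPLE_MESSAGE)
    print("originating IP:", hop["ip"], "host:", hop["rdns"])
    print("country code:", country_code(hop["rdns"]))
    print("report to:", abuse_address("angry@isp.example.net.au"))
```

Only trust the parts your own side recorded: the `From:` line and the name after `from` are whatever the sending machine chose to say, while the bracketed IP is written by the receiving relay from the actual connection. Since any relay below the first one you trust could have been inserted by the sender, the reliable figure is the IP that your provider's server logged for the hop that handed the message to it; everything earlier in the chain is a claim, not an observation.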
www.usps.gov/ncsc/lookups/abbr_state.txt
Please note that this isn’t a complete list by any means, but it will give you an idea of what to look out for in
Netstat. Be aware that some of the lower Ports may well be running valid services.