Tracking the hack

jamesleecoleman Member Posts: 1,899
So I hear on the news that this organization or that organization has tracked the hackers back to "this place" or "that place". But I'm curious.... how do they know where the attack actually came from when there are ways to provide anonymity such as VPNs and proxy chaining? From my knowledge, not all VPN providers and proxies keep logs.
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

Comments

  • philz1982 Member Posts: 978
    Some folks will put files in a honeypot or a live directory with geolocation code embedded in the file. That's one reason why folks don't shut down hacks instantly. You put the file on the drive being hacked, and the geolocation code will tell you where the hacker is at.
    // WinJS (Windows Store app) snippet: read the device position through the WinRT Geolocator
    var loc = null;

    function getLoc() {
        if (loc == null) {
            loc = new Windows.Devices.Geolocation.Geolocator();
        }
        if (loc != null) {
            loc.getGeopositionAsync().then(getPositionHandler, errorHandler);
        }
    }

    function getPositionHandler(pos) {
        document.getElementById('latitude').innerHTML = pos.coordinate.point.position.latitude;
        document.getElementById('longitude').innerHTML = pos.coordinate.point.position.longitude;
        document.getElementById('accuracy').innerHTML = pos.coordinate.accuracy;
        document.getElementById('geolocatorStatus').innerHTML = getStatusString(loc.locationStatus);
    }

    // The two callbacks referenced above were not included in the post; minimal versions so the snippet runs
    function errorHandler(err) {
        document.getElementById('geolocatorStatus').innerHTML = 'Error: ' + err.message;
    }

    function getStatusString(status) {
        // Index order follows Windows.Devices.Geolocation.PositionStatus (ready = 0 ... notAvailable = 5)
        var names = ['Ready', 'Initializing', 'No data', 'Disabled', 'Not initialized', 'Not available'];
        return names[status] || 'Unknown';
    }
    
    

    Then once you have the location you set up a reverse connection and send the location to the listener. You could use an HTTP socket to send the information; if you wanted to, you could encrypt and send over HTTPS.
  • cyberguypr Mod Posts: 6,928
    Ah, the lovely game of attribution. A lot of the work is done with forensics, reverse engineering and log analysis. Attackers usually tend to reuse tools and methods, so that makes it easier to associate attacks with a particular group. Sometimes comments are found in the code that provide valuable pointers to the origin and identity of the attackers. The problem then becomes the 'false flag' issue, where attackers mask their footprint to have it appear as coming from a specific group or country. This is where the concept of strategic attribution comes into place, where a more in-depth analysis is performed, going above and beyond the physical evidence and taking into consideration geopolitical and other factors.
  • Dieg0M Member Posts: 861
    philz1982 wrote: »
    Some folks will put files in a honeypot or a live directory with geolocation code embedded in the file. That's one reason why folks don't shut down hacks instantly. You put the file on the drive being hacked, and the geolocation code will tell you where the hacker is at.

    Then once you have the location you set up a reverse connection and send the location to the listener. You could use an HTTP socket to send the information; if you wanted to, you could encrypt and send over HTTPS.

    So what you are saying is that you have to hack the hacker to get his identity?
    Follow my CCDE journey at www.routingnull0.com
  • the_Grinch Member Posts: 4,165
    Attributing the attack to someone is the hardest part. But it is just like any other crime: you follow the clues. The way someone writes their code, particular methods used for an attack (if you read, you'll see that certain teams like to use certain kinds of attacks), and then good old-fashioned mistakes. It really comes down to this: if you do not have evidence, you won't find them. Logs, logs, logs.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • philz1982 Member Posts: 978
    Dieg0M wrote: »
    So what you are saying is that you have to hack the hacker to get his identity?

    I'm telling you, if you haven't done this you'd be surprised how well it works. When someone is uploading GB/PB of data that little 24kb file goes unnoticed.

    It's the whole concept of active defense.

    -Phil
  • the_Grinch Member Posts: 4,165
    It's a legal grey area that I'm not totally sure I'd want to go down, but companies do try it.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • wd40 Member Posts: 1,017
    Regarding the VPN / Tor security part: sometimes they just wait for you to make a mistake, or force you to make a mistake.

    An example: a Kiddie P@&# site was seized, I think by the FBI, so they made some changes to the site and used a Flash Player exploit to expose site visitors.

    Example 2: look at how they caught the guy behind Silk Road 2.0.
  • renacido Member Posts: 387
    Another way this is done, particularly with botnets, is to identify/enumerate the domains used by the botnet, find one with a domain name that is about to expire, then register the domain before the botnet operator renews it. This is called "sinkholing a domain". Then you set up your own CnC server on that domain to accept the connection requests from the bots sending callbacks and capture their traffic. Meanwhile you put a copy of the botnet client in a malware analysis environment (sandboxed lab) and reverse engineer it. From this analysis you'll often find:

    - Countries, industries, specific systems/users being targeted
    - All of the above target demographics that are excluded from being targeted (for example, if the malware install is aborted when the victim machine's NAT IP address puts the host in Russia, then Russia is a likely geographic source or sponsor)
    - Often the analysis reveals authentication credentials or possible exploits that can be used against the actual botnet server; for instance, you may be able to log into the server and drop a payload of your own, or if the server hosts a database with no backend data validation you might be able to use a SQL injection to **** the tables, get all the info stored within, and pwn the blackhat's servers.
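    Once a domain has been sinkholed, the first job is turning the captured callbacks into an inventory of infected hosts, while keeping scanners and other researchers who hit the sinkhole out of the count. The following is an added Python example written for this thread, not code from any poster; the combined-format log lines are constructed, and the callback path /gate.php with its id/os/v query parameters is an assumption, not a real malware family.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample sinkhole access log (combined log format). The callback
# path /gate.php and the id/os/v parameters are assumptions for this example.
SINKHOLE_LOG = """\
198.51.100.7 - - [01/Mar/2015:10:00:01 +0000] "GET /gate.php?id=ab12&os=win7&v=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Mar/2015:10:05:02 +0000] "GET /gate.php?id=ab12&os=win7&v=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Mar/2015:10:06:11 +0000] "GET /gate.php?id=cd34&os=winxp&v=2 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.44 - - [01/Mar/2015:10:07:30 +0000] "GET /gate.php?id=ef56&os=win7&v=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.45 - - [01/Mar/2015:10:08:00 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (scanner)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def parse_callbacks(log_text, gate_path="/gate.php"):
    """Keep only requests that carry the bot-id parameter on the gate path;
    everything else (scanners, browsers, other researchers) is dropped."""
    callbacks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        query = parse_qs(url.query)
        if url.path != gate_path or "id" not in query:
            continue
        callbacks.append({
            "ip": m.group("ip"),
            "bot_id": query["id"][0],
            "os": query.get("os", ["unknown"])[0],
            "version": query.get("v", ["unknown"])[0],
        })
    return callbacks

def summarize(callbacks):
    """Dedupe repeated beacons by bot id, then break the victim population
    down by reported OS and client version (first sighting of each bot wins)."""
    by_bot = {}
    for cb in callbacks:
        by_bot.setdefault(cb["bot_id"], cb)
    return {
        "callbacks": len(callbacks),
        "unique_bots": len(by_bot),
        "by_os": Counter(cb["os"] for cb in by_bot.values()),
        "by_version": Counter(cb["version"] for cb in by_bot.values()),
    }
```

    On the sample above, four callbacks collapse to three distinct bots, and the scanner hit never enters the inventory.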
  • Chinook Member Posts: 206
    In some cases knowing the location of the hacker is mostly a moot point. For example, the Syrian Electronic Army regularly attacks the United States & some of its companies. We can assume they're in Syria, & the subpoena the Feds send won't have much influence.

    @WD40. I think it was in 2014 when the FBI took down Freedom Hosting & a bunch of dark net sites. They did so by writing a complex JavaScript (or so I read) that was able to extract the IP of the Tor user. It only worked on Windows & Mac (not Linux).

    The complexity of modern computer systems makes it so that a lone Blackhat has a real challenge to stay anonymous. The game changes when the intruder has their own red team & is state sponsored. Then you're dealing with a high level of skill and a budget.