Skiddie harassment

Dastt

Newbie

Posts: 5

Joined: Wed Jul 29, 2009 10:35 am

Post Wed Jul 29, 2009 10:59 am

Skiddie harassment

Well, I guess since this is my first post I will introduce myself.

Hell@ from teh internetz! I am currently an IT technician with a love for security (greyhat). I've been doing lots of reading and some practical application with BackTrack, aircrack-ng, etc. I have learned lots but still have a long way to go, and I know this.

I am a long-time lurker and this is my first post! Here it is:

Today an employee came to me describing an issue he is having at home. Apparently someone has taken control of a family member's Facebook and MSN; not much I can do for him there. But the second thing he told me was that the hacker (it's a skiddie) has actual control over the PC, including the webcam (which they demonstrated for them), and from the sounds of it at least a keylogger on top of that.

This person with access has told them he (they) has been taking pics with the webcam and is threatening to use them in malicious ways. Now what you need to understand is that this is all against some young children, and it's quite sickening to me.

I haven't actually had access to the laptop yet, so I have to be kinda vague for now. I know I can find the trojan and remove it (no problem there), but I would like to see what I can do about helping the police (they're useless); I'm going to try and log the IP of the skiddie. It's a Windows XP system, more than likely not updated properly, etc. (I will do this for them as well). Most of what I'm learning focuses on gaining access and not working from the other way around.

Right now my plan is to get the laptop for a few days, see if {they} connect to it again and see what info I can pull. Now, other than an array of netstat commands when they're connected and pulling the logs from the router, what else can I do to dig up more info?

Edit:
This still sounds like a skiddie to me; they flaunt their access to the webcam (really? what real hacker cares about a webcam). I won't be surprised to find Subse7en or some other torrent-found tool on there. I just need to log some useful info if I can.
Last edited by Dastt on Wed Jul 29, 2009 11:02 am, edited 1 time in total.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Jul 29, 2009 11:08 am

Re: Skiddie harassment

Welcome to EH.net!

What country is this taking place in?  I don't believe it's a good idea for you to go poking around the laptop if there are potential crimes against children involved.  You would be mucking around with potential evidence, and not in a forensic way.  If you suspect that there is anything criminal happening there, I suggest you get the authorities involved rather than trying to do this yourself.
~~~~~~~~~~~~~~
Ketchup

Dastt

Newbie

Posts: 5

Joined: Wed Jul 29, 2009 10:35 am

Post Wed Jul 29, 2009 11:14 am

Re: Skiddie harassment

Police have already been involved and they don't seem interested in helping in any way (I'm in Canada, BTW).

Trust me, the last thing I want to do is go around and potentially "muck" with any evidence. After reading my first post I did make it sound like there were "indecent" pics taken, but from what I'm told that's not the case; this person is supposedly going to use pics to "socially ruin" a member of the family. I am going to clean and secure their laptop for them, but first I would like more info on where it's coming from in the first place.

I just need to know if there's something else I should be looking at to find more info on the hijacker.
Ideas for logging info on an attacker are what I am after. They don't seem to be all that knowledgeable (look who's talking, right?), but if the police won't do anything then I'm going to do what I can for them.

I'm not trying to be some vigilante; I'm just trying to do what anyone else would do if they had the knowledge and opportunity. I've been focusing a lot of my learning on gaining access to systems and not on what to do on a system compromised by someone else. I think this is going to be a great learning experience for me; I just need a nudge in the right direction.
Last edited by Dastt on Wed Jul 29, 2009 11:25 am, edited 1 time in total.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Jul 29, 2009 11:35 am

Re: Skiddie harassment

Is there potential that this could become a civil matter?  Is the family considering a lawsuit?  If so, I would still consider involving a forensic expert.

If I was doing this, I would take an image (DD) of the computer and work from an image to start.  If you have access to tools like EnCase or FTK, you can search the image for log files and start looking.  The Helix forensic boot disc also is an option.  It has some decent tools for running searches on the entire drive.  The issue with working from the original PC itself is that it can be tough to get around malware's defenses, especially in the case of a rootkit.

You can compile a list of log files, including firewall, Event Log, etc.  Start looking for IP addresses.  Perhaps a grep search is your best friend here.  EnCase really makes this easy.  Look at the Internet history as well.  It is likely that if the box was rooted, additional tools were downloaded from the Internet.

I wouldn't be surprised that if you find an IP address, it will be just a proxy or a rooted SSH box in a country that will not work with you. 

Good luck, and let us know if we can help.
~~~~~~~~~~~~~~
Ketchup
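As an added example (not code from this thread or from any of the posters), here is the kind of "grep for IP addresses" pass Ketchup describes, done in Python so the noise can be filtered: it pulls every IPv4 literal out of extracted log text, drops private, loopback, link-local and multicast ranges, and ranks the remaining addresses with the line numbers where each appeared. The sample lines are constructed in the shape of a Windows XP firewall log (pfirewall.log); the noise list is an assumption for a home LAN and would be extended with any other known-local ranges.

```python
"""Triage helper: rank external IPv4 addresses found in extracted log text.

Added example, not code from the thread. The sample log below is constructed
in the style of a Windows XP firewall log (pfirewall.log), not real data.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Match dotted quads that are not embedded in longer dotted/numeric runs
# (avoids picking 4-octet pieces out of version strings such as 5.1.2600.2).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Assumed noise ranges for a home LAN: RFC1918, loopback, link-local,
# multicast, "this network" and the limited broadcast address.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8", "255.255.255.255/32",
)]

# Constructed sample: carved pfirewall.log lines (date time action proto src dst sport dport).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2009-07-28 22:14:03 OPEN TCP 192.168.1.5 203.0.113.45 1043 6667
2009-07-28 22:14:03 OPEN TCP 192.168.1.5 203.0.113.45 1044 6667
2009-07-28 22:15:10 DROP TCP 198.51.100.9 192.168.1.5 51213 445
2009-07-28 22:16:44 OPEN TCP 192.168.1.5 198.51.100.77 1047 80
2009-07-29 01:02:00 OPEN TCP 192.168.1.5 203.0.113.45 1051 6667
2009-07-29 01:02:30 DROP UDP 10.0.0.9 192.168.1.5 53 1052
"""


def is_external(ip: str) -> bool:
    """True when the literal parses as IPv4 and is outside the noise ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return not any(addr in net for net in NOISE_NETS)


def extract_ips(text: str):
    """Return (Counter of external IPs, {ip: [line numbers where seen]})."""
    counts = Counter()
    where = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ip in IPV4_RE.findall(line):
            if is_external(ip):
                counts[ip] += 1
                where[ip].append(lineno)
    return counts, dict(where)


def report(text: str):
    """Most-contacted external addresses first, each with its line numbers."""
    counts, where = extract_ips(text)
    return [(ip, n, where[ip]) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, n, lines in report(SAMPLE_LOG):
        print(f"{ip:<16} hits={n:<3} lines={lines}")
```

Run it over the concatenated output of whatever you carve from the image (firewall log, exported Event Log text, browser history dumps); the address that shows up repeatedly on the same destination port is the one to check against the router's own logs, keeping in mind Ketchup's caveat that it may only be a proxy.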

Dastt

Newbie

Posts: 5

Joined: Wed Jul 29, 2009 10:35 am

Post Wed Jul 29, 2009 12:21 pm

Re: Skiddie harassment

It doesn't sound like it's going to become a civil matter; the family contacted the police for good measure and I really doubt there will be any legal action taken by the police or family.

Thank you for the help Ketchup. My original idea was to just dump all the log files I could (router, firewall, log viewer, etc.) and see what I could dig up. Unfortunately I don't have access to EnCase (would love to have this tool), but then again I don't really expect to find a valid IP and "hunt" this person down; I'm really just using this as a practical learning environment and to satisfy a curious mind.

Is there anything you know of that could help me log an active connection to the PC? If the "hacker" has had active dialog with a user on the computer, I must be able to see how, or at least what port they're connecting to. Again, from what info I'm getting so far, this isn't anything more than someone causing mischief with basic tools.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Jul 29, 2009 1:33 pm

Re: Skiddie harassment

Dumping log files is a good idea.  Definitely cover the internet history part as well.  There are a bunch of tools out there, some free, that will parse internet history on a PC.

You can also run a port scan on the computer to see which ports are listening.  This could pinpoint if there is a known back door or something.  You could run a packet capture as well to see what's going over the wire.  Wireshark has some nice statistical features to analyze the types of conversations happening on the wire.  NetWitness is a good tool to use on the analysis part as well.
~~~~~~~~~~~~~~
Ketchup
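Added example, not from the thread or its posters: Dastt asked how to see which port the intruder is connecting to, and Ketchup suggests checking what is listening. One low-touch way, if you do end up with the live box, is to save the text of `netstat -ano` (the XP form that includes the owning PID) and triage it offline. The script below parses that output, flags listening ports outside a small baseline, flags ESTABLISHED sessions to non-local addresses, and groups the findings by PID so they can be matched to a process in Task Manager. The netstat text is constructed, the baseline is an assumption for a plain XP workstation, and the listener in the sample deliberately sits on 27374, the default port of the Sub7 tool Dastt mentions.

```python
"""Offline triage of captured `netstat -ano` output from a Windows XP box.

Added example, not code from the thread. SAMPLE_NETSTAT is constructed and
BASELINE_LISTENERS is an assumed default for an XP workstation, not an
authoritative list.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout Windows XP prints for `netstat -ano`.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       2840
  TCP    192.168.1.5:1045       203.0.113.45:6667      ESTABLISHED     2840
  TCP    192.168.1.5:1052       192.168.1.1:80         ESTABLISHED     1776
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1026         *:*                                    1080
"""

# Assumed baseline: listeners expected on a default XP workstation.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# Assumed local ranges for a home LAN; sessions to these are not flagged.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# proto, local, foreign, optional state (UDP rows have none), PID
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint: str):
    """'192.168.1.5:1045' -> ('192.168.1.5', 1045); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_local(host: str) -> bool:
    """True for LAN/loopback addresses; '*' and hostnames are treated as local."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in LOCAL_NETS)


def triage(text: str):
    """Map PID -> list of findings worth checking against the process list."""
    findings = defaultdict(list)
    for r in parse_netstat(text):
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        # Loopback-only listeners cannot be reached from the network, so skip them.
        if listening and r["lhost"] != "127.0.0.1" \
                and (r["proto"], r["lport"]) not in BASELINE_LISTENERS:
            findings[r["pid"]].append(f"unexpected listener {r['proto']}/{r['lport']}")
        if r["state"] == "ESTABLISHED" and not is_local(r["fhost"]):
            findings[r["pid"]].append(f"external session to {r['fhost']}:{r['fport']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in triage(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: " + "; ".join(notes))
```

A PID that both listens on a non-baseline port and holds a session to an outside address, as PID 2840 does in the constructed sample, is the first thing to look up in Task Manager and then in the image; the same PID-to-port mapping is what lets a later Wireshark capture be tied back to a specific binary.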

Dastt

Newbie

Posts: 5

Joined: Wed Jul 29, 2009 10:35 am

Post Wed Jul 29, 2009 2:07 pm

Re: Skiddie harassment

kk, so I will dump all the logs I can find and run some nmap scans and see what I come up with; I'll let you know what I find.

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Jul 30, 2009 12:50 am

Re: Skiddie harassment

Hi and welcome to EH-Net, Dastt.

Dastt wrote: [...] I'm really just using this as a practical learning environment and to satisfy a curious mind.

I don't want to be rude, but in my opinion this is not the right place for "playing around", as this is obviously no exercise. I appreciate that you are interested in the other side of security as well (defense), but maybe this is not the right way to start with it.

However, as Ketchup already stated, it is common to first create an image of the target machine and to continue research with it. Based on the information you provided I would not say that it is possible to determine the actual skills the attacker(s) have; however, I would at some point use Wireshark to monitor network traffic. When the attackers install software with keylogger functionality, usually this software sends the logfiles at certain days, times, intervals etc. to some sort of email address or server (IRC, FTP, ...). Often the IP address or the credentials are hardcoded/embedded in the software, which allows you to log in to those servers and, depending on the setup or mechanism used, you would be able to delete all gathered files from you (and others) on the attacker's host (consider that the attacker has some sort of automated script which downloads the latest received files every hour).

There are many more things one can do, but if not done properly you could destroy evidence. Therefore and for some other reasons I would try again to contact police and ask for help.
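Added example, not from the thread or its posters: UNIX's point that a keylogger usually ships its logs on a fixed schedule is something you can check for directly once you have a capture. Export the outbound flows from Wireshark's Conversations view (or take them from the router/firewall log), then group by destination and measure how regular the gaps between contacts are. The script below does that with constructed flow records; the interval threshold and the minimum hit count are assumptions you would tune to the capture length.

```python
"""Find scheduled uploads in a list of outbound flows.

Added example, not code from the thread. SAMPLE_FLOWS is constructed to look
like rows exported from a capture: (timestamp, dst_ip, dst_port, bytes_sent).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_FLOWS = [
    ("2009-07-28 20:00:05", "203.0.113.45", 21, 18_400),
    ("2009-07-28 20:31:12", "198.51.100.77", 80, 2_100),
    ("2009-07-28 21:00:07", "203.0.113.45", 21, 17_950),
    ("2009-07-28 21:44:51", "198.51.100.77", 80, 900),
    ("2009-07-28 22:00:04", "203.0.113.45", 21, 19_020),
    ("2009-07-28 23:00:06", "203.0.113.45", 21, 18_210),
    ("2009-07-29 00:00:05", "203.0.113.45", 21, 18_870),
    ("2009-07-29 00:12:33", "198.51.100.77", 80, 4_300),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def beacon_scores(flows, min_hits: int = 4):
    """Return {(dst_ip, dst_port): (mean_gap_s, jitter, total_bytes)}.

    Only destinations contacted at least `min_hits` times are scored.
    jitter is the coefficient of variation of the inter-arrival times:
    close to 0 means a fixed schedule, which is what an automated uploader
    looks like; interactive browsing produces irregular gaps.
    """
    by_dst = defaultdict(list)
    for ts, ip, port, nbytes in flows:
        by_dst[(ip, port)].append((parse_ts(ts), nbytes))
    scores = {}
    for dst, hits in by_dst.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = mean(gaps)
        jitter = pstdev(gaps) / mean_gap if mean_gap else float("inf")
        scores[dst] = (mean_gap, jitter, sum(n for _, n in hits))
    return scores


def likely_beacons(flows, max_jitter: float = 0.05):
    """Destinations whose contact timing is regular enough to look scheduled."""
    return sorted(dst for dst, (_, jitter, _) in beacon_scores(flows).items()
                  if jitter <= max_jitter)


if __name__ == "__main__":
    for dst, (gap, jitter, total) in beacon_scores(SAMPLE_FLOWS).items():
        print(f"{dst[0]}:{dst[1]} every ~{gap:.0f}s jitter={jitter:.4f} bytes={total}")
    print("likely scheduled uploads:", likely_beacons(SAMPLE_FLOWS))
```

In the constructed data the FTP destination is contacted once an hour within a few seconds, with a similar payload size each time, while the web destination has no pattern; that is the signature worth preserving (as a capture file, not by touching the remote host) for whoever does end up handling the case.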

Dastt

Newbie

Posts: 5

Joined: Wed Jul 29, 2009 10:35 am

Post Thu Jul 30, 2009 9:58 am

Re: Skiddie harassment

UPDATE:

Well, it seems I was too late. I was supposed to get the laptop today and at the very least get an image from it, but it turns out that someone known by the family would "help out" and has already done a complete format/re-install.

I got my hopes up; I was really looking forward to trying the Mir-ror tool discussed here: http://www.ethicalhacker.net/component/ ... ic,4181.0/
