Tracebuster 3000  

richardhall
(@richardhall)
New Member

As you're probably aware, proxy servers now present a big problem for us investigators in attempting to trace-to-source criminal actions.

Consider the following scenario: each proxy represents a hijacked home computer being abused as an open proxy without the owner's consent or knowledge. The criminal is using software that's clever enough to keep varying the combination of proxies used, the number of proxies used in the chain (normally 12+) and the order the proxy servers are being used within the chain, and each chain configuration is cycled every 3-5 minutes on average.

Suspect –> Proxy1 –> Proxy2 –> .. Proxy11 –> Proxy12 –> Server

The suspect is based in the UK, but a good number of the proxies used are not based within the UK, so the solution cannot easily involve communication or integration with ISPs, who are rarely able to assist with specific enquiries on a time-critical basis in any case.

How can we trace the user to location whilst they are online (i.e. within those 3-5mins)? I'm looking for realistic solutions, don't worry about the legality of methods at this stage.

Well, sorry to disappoint, but there is no Tracebuster 3000 that solves this problem with an ounce of magic (at least as far as I know). I'll bet this one keeps you guys puzzled at least for a few consecutive minutes! Looking forward to your replies/solutions..

Posted : 23/03/2006 10:35 pm
arashiryu
(@arashiryu)
Active Member

http://forensictracer.com/

Posted : 24/03/2006 12:53 am
richardhall
(@richardhall)
New Member

Correct me if I'm wrong, but after just trying their service it seems to me they are only able to trace the first step in the route. As soon as they hit the first open proxy, that's the end of the line in their books. Because we're talking about a live trace, assume ISP proxy log files are also unavailable; they take time to acquire.

Posted : 24/03/2006 8:21 am
m7esec
(@m7esec)
Junior Member

I am not a networking expert, but… If one assumes that they have control of the receiving server, such as a honeypot, they should be able to manipulate the returning packets to the originating machine to include a traceroute program in the payload that would be able to report on every "hop" between the server and the destination.

Kinda like traceroute in reverse.

Richard, I am assuming, due to your occupation, that you have figured out a program for things such as this, and I do enjoy a good brain twister, but if this is a marketing ploy I will be very disappointed in your use of these forums.

Posted : 24/03/2006 7:42 pm
richardhall
(@richardhall)
New Member

I'm afraid I haven't figured out a solution to this (hence posting; it's not a marketing ploy), but I am already working with a ton of security experts on trying to produce a solution because the problem is real. I just thought I'd open up the field of discussion to include those involved in computer forensic analysis/investigation.

That's the kind of idea I'm looking for. I'm not convinced it's possible; however, I'll run it by some networking experts and post back. You have understood correctly what I'm trying to accomplish though: essentially a reverse traceroute.

(My participation on this forum relates to investigative responsibilities I have outside of my day job as a software developer.)

Posted : 25/03/2006 10:03 am
MindSmith
(@mindsmith)
Active Member

Interesting subject. I have experienced this problem many times - a couple of solutions that have worked in the past for me - one of which is

1. If the person is using MSN, add them to your MSN list & use a tool like MSNDetective when they're online to send them a file. Even if they don't accept it, you should be able to determine their IP address. Likewise, send a very large file via MSN & then check your netstat table for a new IP address, which is actually their address. Don't know if this works with the current version of MSN. Did it about a year ago.

Posted : 25/03/2006 4:18 pm
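Editor's added example (not code from this thread or from any poster) of the netstat check MindSmith describes: take a `netstat -n` snapshot before the file is offered and another once the transfer is running, then diff the foreign addresses. The two snapshots, the addresses (documentation ranges) and the excluded service port are constructed for the example; a live run would call the `snapshot()` helper instead of the literal text. Port 1863 is the MSN notification/switchboard server port, so a new connection there is to the service, not to the contact; the direct transfer shows up on some other port.

```python
"""Spot the peer address that appears when a direct file transfer starts.

Added example, not from the thread. Diff two `netstat -n` snapshots, one taken
before the file is offered and one after the transfer is accepted, and report
foreign addresses that are new in the second. The snapshots are constructed
sample output in Windows `netstat -n` layout, using documentation address ranges.
Port 1863 (the MSN notification/switchboard servers) is excluded because those
connections go to the service, not to the contact.
"""
import subprocess

SERVICE_PORTS = {1863}


def parse_netstat(lines):
    """Return a set of (proto, foreign_ip, foreign_port, state) from `netstat -n` rows."""
    conns = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or a line we do not understand
        ip, _, port = parts[2].rpartition(":")
        if not port.isdigit():
            continue
        state = parts[3] if len(parts) > 3 else ""
        conns.add((parts[0], ip, int(port), state))
    return conns


def new_peers(before, after, exclude_ports=SERVICE_PORTS):
    """Foreign IPs in `after` that were absent from `before`, ignoring service ports."""
    seen = {c[1] for c in parse_netstat(before)}
    return sorted({ip for _proto, ip, port, _state in parse_netstat(after)
                   if ip not in seen and port not in exclude_ports})


def snapshot():
    """Live capture on the investigator's own machine; not used by the sample below."""
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


# Constructed sample: before the file is offered ...
BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1078       203.0.113.20:1863      ESTABLISHED
  TCP    192.168.1.5:1102       203.0.113.80:1863      ESTABLISHED
  TCP    192.168.1.5:1120       192.0.2.44:80          TIME_WAIT
""".splitlines()

# ... and once the transfer is accepted: one new direct peer, one new service connection.
AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1078       203.0.113.20:1863      ESTABLISHED
  TCP    192.168.1.5:1102       203.0.113.80:1863      ESTABLISHED
  TCP    192.168.1.5:1144       198.51.100.77:6891     ESTABLISHED
  TCP    192.168.1.5:1145       203.0.113.99:1863      SYN_SENT
""".splitlines()

if __name__ == "__main__":
    print("new peer(s):", new_peers(BEFORE, AFTER))
```

The same diff works for any client that opens a direct connection for a transfer or call; only the list of service ports to ignore changes.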
richardhall
(@richardhall)
New Member

That's great, but given that we're trying to trace a connection and therefore only have an IP (essentially of Proxy12), there's no way of knowing what their MSN email address is, assuming they use MSN and that they're logged in. I tend to find these days whenever anyone's doing anything they shouldn't, especially the professional/organised ones, they don't use MSN anymore because of its insecure protocols. They're moving to using Skype instead, and whilst I'm already working with Kurt at Skype on tracing back Skype users, this is a separate issue, so let's not deviate from the challenge at hand!

Posted : 26/03/2006 12:08 am
youcefb9
(@youcefb9)
Junior Member

Knowing the IP address of proxy12, make a response packet with the same TCP/IP details but with a varying TTL value that expires at each node. You would eventually get a response from the originating PC at some stage (within the 3-5 min interval).

youcef

Posted : 27/03/2006 11:45 pm
richardhall
(@richardhall)
New Member

How would you do this? What commands/software? Please could you give me a walk through example?

Thanks.

Posted : 21/04/2006 12:02 am
nate
(@nate)
New Member

This document might be of assistance. You can find it on the web.

Nate

The Session Token Protocol for Forensics and Traceback. Brian Carrier (Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, IN 47907, [email protected]) and Clay Shields (Department of Computer Science, Georgetown University, Washington, D.C. 20057, [email protected]).

Posted : 21/04/2006 12:46 am
nate
(@nate)
New Member

Another thought I had was to bait a document with a hidden .GIF that can be coded with call home instructions. If you can get the attacker to grab the document then it would work like a reverse hack and you might be able to enumerate his system. Just brain storming and the action might be a violation of some law.

Nate

Posted : 21/04/2006 12:57 am
colsanders
(@colsanders)
New Member

> Another thought I had was to bait a document with a hidden .GIF that can be coded with call home instructions. If you can get the attacker to grab the document then it would work like a reverse hack and you might be able to enumerate his system. Just brain storming and the action might be a violation of some law.
>
> Nate

Stay away from words like "reverse hack", at least when getting legal approval for your operation :)

But this can be done - send a subject some HTML mail, include an image link to a webserver you control, and his IP address will show up in your http logs.

Unless, of course, he does all of his browsing through an anonymous proxy system (like, say, Tor) then you'd be out of luck. This method also assumes he uses HTML mail and hasn't disabled image display through his mail reader.

Posted : 21/04/2006 9:10 pm
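Editor's added example (not from nate or colsanders) putting the image-link idea into practice: build the HTML mail with a per-recipient beacon URL, then pick the hit out of the web server's access log. The beacon host, the secret, the mail addresses and the log lines are all constructed. The token is an HMAC over case id and recipient, so a request carrying a token that was never issued (someone probing the beacon host) is dropped instead of being counted as a hit. As colsanders says, if the request arrives through a proxy or Tor, the address recorded is the proxy's, and nothing is recorded at all if the mail reader does not load remote images.

```python
"""Tracking image in HTML mail: per-recipient token, and matching it in the web log.

Added example, not from the thread. The beacon host, the secret, the addresses
and the log lines are constructed. The token is an HMAC over case id and
recipient so a hit can be tied to the mail actually sent, and guessed tokens
(probes against the beacon host) are discarded.
"""
import hashlib
import hmac
import html
import re
from email.message import EmailMessage

BEACON_HOST = "https://beacon.example.net"              # assumed: web server we control
CASE_SECRET = b"replace-with-a-per-case-random-secret"  # assumed


def beacon_token(case_id: str, recipient: str) -> str:
    """Unforgeable token: seeing one URL reveals nothing about other recipients' tokens."""
    return hmac.new(CASE_SECRET, f"{case_id}|{recipient}".encode(), hashlib.sha256).hexdigest()[:32]


def build_beacon_mail(case_id, sender, recipient, subject, body_text):
    """Plain-text part for readers without HTML, HTML part carrying a 1x1 image link."""
    token = beacon_token(case_id, recipient)
    url = f"{BEACON_HOST}/i/{token}.gif"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body_text)
    msg.add_alternative(
        "<html><body>\n"
        f"<p>{html.escape(body_text)}</p>\n"
        f'<img src="{url}" width="1" height="1" alt="">\n'
        "</body></html>\n",
        subtype="html",
    )
    return msg, token


# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
BEACON_PATH_RE = re.compile(r"^/i/([0-9a-f]{32})\.gif$")


def beacon_hits(log_lines, issued):
    """issued maps token -> recipient. Returns one record per matching request with the
    connecting address; if the suspect fetches through a proxy or Tor, that address is
    the proxy's, not his."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pm = BEACON_PATH_RE.match(m["path"])
        if not pm or pm.group(1) not in issued:
            continue  # unrelated request, or a token we never issued
        hits.append({"recipient": issued[pm.group(1)], "ip": m["ip"], "time": m["ts"],
                     "ua": m["ua"], "status": int(m["status"])})
    return hits


def sample_log(token):
    """Constructed access-log lines: one real hit, one guessed token, one unrelated request."""
    return [
        f'198.51.100.23 - - [24/Mar/2006:09:12:44 +0000] "GET /i/{token}.gif HTTP/1.1" 200 43 "-" '
        '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
        '203.0.113.9 - - [24/Mar/2006:09:13:01 +0000] "GET /i/00000000000000000000000000000000.gif '
        'HTTP/1.1" 404 0 "-" "curl/7.15.1"',
        '203.0.113.77 - - [24/Mar/2006:09:13:05 +0000] "GET /robots.txt HTTP/1.0" 404 0 "-" "Mozilla/5.0"',
    ]


if __name__ == "__main__":
    msg, token = build_beacon_mail("case-0042", "investigator@example.net", "suspect@example.org",
                                   "Re: your enquiry", "Please see the notes & reply.")
    for hit in beacon_hits(sample_log(token), {token: "suspect@example.org"}):
        print(hit)
```

Serve the image with `Cache-Control: no-store` so a second opening of the mail produces a second log line rather than a cached copy, and keep the secret off the beacon host so a compromise there cannot be used to forge hits.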
nate
(@nate)
New Member

I agree with "colsanders" post about legal wording of your operation documents (hack is not a good word to use). I was wrestling with what to call the process and just went with what I felt most descriptive.

As for the post by "youcefb9", I think (hping2) will provide the functionality he mentioned and it is freeware. You just need to learn how to use it or get someone that does.

Posted : 22/04/2006 1:33 am
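Editor's added example (not from youcefb9 or nate) of what the TTL-stepped probe youcefb9 describes, and that hping2 can send, looks like on the wire: every packet copies the addresses, ports and sequence numbers of the connection as seen from Proxy12, and only the IP TTL changes, so the router at hop N drops probe N and answers with an ICMP time-exceeded from its own address. All addresses, ports and sequence numbers below are constructed sample values. Sending needs a raw socket and root, so `send_probes` is shown but the part that runs only builds and verifies the packets. One caveat a practitioner should keep in mind: an open proxy that relays at the application layer terminates the TCP connection at Proxy12, so these probes map the routers between the honeypot and Proxy12 and nothing beyond it, which matches the observation made later in the thread that each proxy only knows the address of the one before it.

```python
"""Craft TTL-stepped TCP probes for a live connection (what `hping2 -A --ttl N` sends).

Added example, not from the thread. Each probe copies the 5-tuple and sequence
numbers of the packet last received from the far end, so it looks like part of
that connection; only the IP TTL varies. The router at hop N discards the probe
whose TTL reaches zero there and answers ICMP time-exceeded from its own address.
Addresses, ports and sequence numbers used below are constructed sample values.
"""
import socket
import struct

FLAG_ACK = 0x10  # a bare ACK is least likely to disturb the connection at the far end


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length input is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src_ip, dst_ip, src_port, dst_port, seq, ack, ttl, ident=0, flags=FLAG_ACK):
    """Return a 40-byte IPv4+TCP packet (no options, no payload) with the given TTL."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: v4/IHL 5, TOS, total length, id, DF, TTL, proto, checksum, src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_probe(pkt: bytes) -> dict:
    """Decode the headers and re-verify both checksums (a valid header sums to zero)."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, _off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "ip_checksum_ok": internet_checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
    }


def build_probe_series(src_ip, dst_ip, src_port, dst_port, seq, ack, max_ttl=12):
    """One probe per TTL 1..max_ttl. The IP id is set to the TTL: an ICMP time-exceeded
    quotes the offending IP header, so the reply can be matched back to its hop."""
    return [build_probe(src_ip, dst_ip, src_port, dst_port, seq, ack, ttl, ident=ttl)
            for ttl in range(1, max_ttl + 1)]


def send_probes(packets, dst_ip):
    """Transmit with a raw socket (needs root / CAP_NET_RAW). The ICMP replies have to be
    captured separately, e.g. tcpdump 'icmp[0] == 11'. Not exercised by the test."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        for p in packets:
            s.sendto(p, (dst_ip, 0))


if __name__ == "__main__":
    # Values that would be lifted from the last packet seen from "Proxy12" (constructed).
    for p in build_probe_series("192.0.2.10", "203.0.113.5", 443, 51234, 1000, 2000):
        d = parse_probe(p)
        ok = d["ip_checksum_ok"] and d["tcp_checksum_ok"]
        print(d["ttl"], d["src"], "->", d["dst"], "ok" if ok else "BAD")
```

The same series can be produced from the command line with hping2 by passing the observed ports and sequence numbers and looping over `--ttl`; building it by hand makes it clear that nothing in the probe carries information past the host it is addressed to.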
Member
(@member)
New Member

> The Session Token Protocol for Forensics and Traceback

Makes sense! But there are drawbacks: it can be fooled, and one can get through undetected.

> I am not a networking expert, but… If one assumes that they have control of the receiving server, such as a honeypot, they should be able to manipulate the returning packets to the originating machine to include a traceroute program in the payload that would be able to report on every "hop" between the server and the destination.
>
> Kinda like traceroute in reverse.


reverse traceroute, I suspect [email protected]

For traceroute you must know your destination host, and it then tries to map the shortest path the data will travel between computers before it reaches you. In the case of a proxy, the data could travel through any host, making a long U-turn around the globe. If the attacker is using some sort of proxy, the victim will only know the IP address of the last proxy (say proxy 12); proxy 12 will only know the IP address of proxy 11, proxy 11 only knows the IP of proxy 10, and so on.

And regarding the idea of embedding a document with CALL-HOME.GIF, I doubt it would work if the attacker is using an application-level firewall. I have seen several times while downloading forensic presentations that some PPT files use such a trick (maybe to keep track of their popularity etc…), but at least it doesn't work for me! (But no harm trying.)

The biggest challenge I see these days is tackling the problem with NAT.

Small/medium cable internet service providers in my region use a single IP facing the web with a transparent proxy, while on the user side they have 172.*, 10.* or 192.* IPs. An attacker even with basic intelligence could change/copy someone else's MAC address, use their IP address too, sniff someone's user/password on the WAN… Most cable service providers provide a user/pass for a few hours to anyone for evaluation or temporary use with no authentication or any questioning (and disable or use the victim's hostname).

This would effectively leave the attacker virtually undetected. (OK, did I mention that if they use a live CD with the above instruction combinations to do nonsense, the forensic examination would be dozens of times harder, if not impossible?)

Posted : 13/10/2006 12:14 am