
Tracebuster 3000

14 Posts
8 Users
1,189 Views
 nate
(@nate)
Eminent Member
Joined: 19 years ago
Posts: 20
 

Another thought I had was to bait a document with a hidden .GIF that can be coded with call-home instructions. If you can get the attacker to grab the document, then it would work like a reverse hack and you might be able to enumerate his system. Just brainstorming, and the action might be a violation of some law.

Nate


(@colsanders)
Active Member
Joined: 19 years ago
Posts: 8
 

Another thought I had was to bait a document with a hidden .GIF that can be coded with call-home instructions. If you can get the attacker to grab the document, then it would work like a reverse hack and you might be able to enumerate his system. Just brainstorming, and the action might be a violation of some law.

Nate

Stay away from words like "reverse hack", at least when getting legal approval for your operation )

But this can be done - send a subject some HTML mail, include an image link to a web server you control, and his IP address will show up in your HTTP logs.

Unless, of course, he does all of his browsing through an anonymous proxy system (like, say, Tor) then you'd be out of luck. This method also assumes he uses HTML mail and hasn't disabled image display through his mail reader.


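The beacon described in the post above, as an added example that is not code from the original thread or from either poster: a tiny HTTP server that serves a 1x1 GIF and records who fetched it, plus the HTML mail body that carries the hidden image link. The path `/pixel.gif`, the query parameter `t` (a per-recipient token so a hit can be tied back to a specific mail) and the loopback demo are assumptions for illustration. Note that the recorded address is only the immediate TCP peer: if the recipient reads mail through a proxy or Tor, that is what you get, exactly the caveat colsanders raises.

```python
"""Call-home beacon demo: HTML mail with a hidden image, server logs the fetch."""
import threading
import urllib.request
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Smallest valid 1x1 transparent GIF (43 bytes), constructed inline.
PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
    b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)

HITS = []  # one dict per beacon fetch; in practice this is your HTTP log


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        token = parse_qs(url.query).get("t", [""])[0]  # "t" is an assumed parameter name
        HITS.append({
            # Immediate TCP peer only: a proxy or Tor exit node, not necessarily the real host.
            "ip": self.client_address[0],
            # Some proxies add this; it is client-controllable, so log it but never trust it.
            "forwarded_for": self.headers.get("X-Forwarded-For"),
            "user_agent": self.headers.get("User-Agent"),
            "token": token,
        })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # otherwise re-opens may never hit the server
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):  # keep stderr quiet; HITS is our record
        pass


def beacon_html(base_url, token):
    """HTML mail body with a hidden 1x1 image pointing at the server we control."""
    return (
        "<html><body><p>Please review the attached document.</p>"
        f'<img src="{base_url}/pixel.gif?t={token}" width="1" height="1" alt="">'
        "</body></html>"
    )


class _ImgCollector(HTMLParser):
    """Stand-in for an HTML mail client that loads remote images."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def image_sources(html):
    parser = _ImgCollector()
    parser.feed(html)
    return parser.sources


def run_demo(token="recipient-42"):
    """Start the beacon server on loopback, 'open' the mail, return the recorded hit."""
    server = HTTPServer(("127.0.0.1", 0), BeaconHandler)  # port 0 = any free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        html = beacon_html(f"http://127.0.0.1:{port}", token)
        for src in image_sources(html):  # a mail reader with images enabled does this
            with urllib.request.urlopen(src, timeout=5) as resp:
                assert resp.read() == PIXEL_GIF
        return HITS[-1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

A mail reader that blocks remote images, or a reader behind a proxy, defeats this exactly as the post says: in the first case no hit is recorded at all, in the second the `ip` field is the proxy's address.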
 nate
(@nate)
Eminent Member
Joined: 19 years ago
Posts: 20
 

I agree with "colsanders"' post about the legal wording of your operation documents ("hack" is not a good word to use). I was wrestling with what to call the process and just went with what I felt was most descriptive.

As for the post by "youcef9", I think hping2 will provide the functionality he mentioned, and it is freeware. You just need to learn how to use it or get someone who does.


(@member)
Eminent Member
Joined: 19 years ago
Posts: 22
 

The Session Token Protocol for Forensics and Traceback

Makes sense! But there are ways to fool it and stay undetected.

I am not a networking expert, but... If one assumes that they have control of the receiving server, such as a honeypot, they should be able to manipulate the returning packets to the originating machine to include a traceroute program in the payload that would be able to report on every "hop" between the server and the destination.

Kinda like traceroute in reverse.


Reverse traceroute? I suspect never!

For traceroute you must know your destination host, and it then tries to map the shortest path the data will travel between computers before it reaches you. In the case of a proxy, the data could travel through any host, making a long U-turn around the globe. If the attacker is using some sort of proxy, the victim will only know the IP address of the last proxy (say proxy 12); proxy 12 will only know the IP address of proxy 11, proxy 11 will only know the IP of proxy 10, and so on.

And regarding the idea of embedding a document with CALL-HOME.GIF, I doubt it would work if the attacker is using an application-level firewall. I have seen several times while downloading forensic presentations that some .ppt files use such a trick (maybe to keep track of their popularity etc.), but at least it doesn't work for me! (But no harm trying.)

The biggest challenge I see these days is tackling the problem of NAT.

Small/medium cable internet service providers in my region use a single IP facing the web with a transparent proxy, while on the user side they have 172.*, 10.* or 192.* IPs. An attacker even with basic intelligence could change/copy someone else's MAC address, use their IP address too, sniff someone's user/password on the WAN... most cable service providers provide a user/pass for a few hours to anyone for evaluation or temporary use with no authentication or any questioning (and disable or use the victim's hostname).

This would effectively leave the attacker virtually undetected. (OK, did I mention that if they use a live CD with the above combination of tricks to do nonsense, the forensic examination would be dozens of times harder, if not impossible?)


Page 2 / 2