TC7 Day 1 – How Hackers Get Caught

simple nomad
UPDATE: Slides

Simple Nomad’s keynote was titled “How hackers get caught” which could have been subtitled “laughing at skiddies” as he gave several examples throughout. SN, founder of NMRC, has been hacking for years and proved this with his Bell Special Services hat.

The first area covered was logs. Not knowing how the event, application, and system logs work can easily give you away. The shell history will expose the actions you were taking, even the incredibly inept (attempting to install a rootkit four times). Another giveaway is leaving a “:wq” in /var/log/messages or even worse binarys.

Laziness is a fast track to jail time. Never hack from home; take the time to drive to suburbia and get a free WiFi connection. Take pride in your paranoia. The logs will take you down, but you have to consider what makes sense: Do you wipe them completely or just edit? SN described monitoring several logs that normally generated patterned output. The logs are colored and opened in terminals with a really small font. You can’t actually read the text, but you can recognize the text block coloring and shape and it is easy to spot entries that aren’t normal. Other things to look for in logs are portscan footprints (ssh disconnect without a connect). Default settings are also an easy giveaway (not changing the default Metasploit port).

The code you run on the system can give you away. Is it really system or bandwidth intensive? A regular user will notice that and start complaining. If the target is slower than your testing system this is definitely possible. If you compile the code on the target the libraries accessed will give you away.

He also covered blackhat vs. blackhat. This was mostly silly tricks for annoying other blackhats. Gaining access to 0wned systems and modifying the rootkit so it was plainly exposed (hiding something important like system32). A lot of trojan code is written quickly and features buffer overflows that can be taken advantage of. Also, scanning .mil addresses from the 0wned box is a great way to get it noticed.

Finally, there is the problem of people bragging. If you deface some site at 3AM then jump on IRC and send all of your buddies to go look at the low traffic site you are an idiot for seeding the server logs with your group’s IPs. He also noted that the fed could own any of the free proxy servers you are connecting to. In 1996 the CIA admitted to running the two largest freemail services. So, if you use Hotmail, you’re agreeing to give all of your info away.

It was a pretty interesting talk and really educational if you were interested in doing forensics on your own system.

19 thoughts on “TC7 Day 1 – How Hackers Get Caught

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.