Dear customer, thanks for your order and your download from the online readers area of the chapter "Identifying attackers: Pants down". We hope you enjoy reading this chapter on your computer screen before you receive the copy of our book. Please do not give this file or prints of this file to third parties. It's only for our customers! Best regards, Ingo Haese

Copyright 2004: www.hackersbook.com

Identifying attackers: Pants down


You will certainly have experienced people trying to send you Trojans or viruses or attacking you with unwanted mails. Your firewall will warn you in such cases and reveal the sender's IP address taken from the mail header. The IP address comes in handy when trying to identify the origin of the attack. We want to illustrate what steps to take in order to get as much information as possible.

PING

The IP address gives the attacker's Internet address. A numerical address like 212.214.172.81 does not reveal much. You can use PING to convert the address into a domain name in Windows: the Domain Name Service (DNS) protocol reveals the matching domain name. PING stands for Packet Internet Groper and is delivered with practically every Internet-compatible system, including all current Windows versions. Make sure you are connected to the net. Open the DOS shell and enter the following PING command:

    ping -a 123.123.12.1

Ping will look up the domain name and display it. The name will often contain information on the provider the attacker uses, e.g.:

    dialup21982.gateway123.provider.com


This means that the attacker logged on using provider.com. Unfortunately, there are many IP addresses that cannot be converted into domain names. The following passage may be of help in such cases.

Traceroute: where is the attack from?

Traceroute is also run from the MS-DOS shell and traces the connection from your PC to another computer or server in the Internet. In precise terms, Traceroute traces the route of the data packets that have reached you from a particular location in the net, and vice versa. The Internet comprises many servers and routers that function as stations relaying your data packets. Traceroute is known as tracert in Windows:

    tracert 123.123.12.1

Tracert connects to the computer whose IP address has been entered and reveals all stations, starting from your Internet connection. Both the IP address and the domain name (if available) of each station are displayed. If PING cannot reveal a name, Traceroute may still deliver the name of the last or second-last station before the attacker, which may allow conclusions about the provider used by the attacker and the region from which the attacks are coming. After identifying a provider in this manner (e.g. provider.com), you can obtain more information on this provider at http://www.netsol.com/cgi-bin/whois/whois.
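As an added illustration of the two steps above (example code written for this edition of the text, not part of the chapter or of any tool it names), the following Python script parses constructed samples of Windows ping -a and tracert output, uses the resolved name when PING succeeded and otherwise falls back to the last hop that still carried a name, and extracts the provider domain from it. The sample outputs, the host names under myisp.example and provider.com, and the short list of two-label registry suffixes are all constructed assumptions for the example.

```python
"""Added example, not code from the hackersbook chapter: parse the output of
Windows `ping -a` and `tracert` to recover the attacker's host name, the last
hop that still resolved to a name, and the provider domain implied by it.
All sample output below is constructed to mirror the chapter's illustration
(123.123.12.1, provider.com); it is not a real capture."""
import re

# Constructed: what `ping -a 123.123.12.1` prints when reverse DNS succeeds.
# The resolved name appears on the first line, the address in brackets.
PING_OUTPUT = """\
Pinging dialup21982.gateway123.provider.com [123.123.12.1] with 32 bytes of data:

Reply from 123.123.12.1: bytes=32 time=41ms TTL=118
"""

# Constructed: `tracert 123.123.12.1` where the target has no reverse-DNS name
# and one hop on the way times out, the case the chapter discusses.
TRACERT_OUTPUT = """\
Tracing route to 123.123.12.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    12 ms    11 ms    12 ms  dsl-gw1.myisp.example [10.20.30.1]
  3    25 ms    24 ms    26 ms  core1.myisp.example [10.20.31.9]
  4    38 ms    39 ms    37 ms  ge-0-0.bb1.provider.com [123.123.1.1]
  5    40 ms    41 ms    40 ms  dialup-gw12.gateway123.provider.com [123.123.12.254]
  6     *        *        *     Request timed out.
  7    44 ms    43 ms    45 ms  123.123.12.1

Trace complete.
"""

# "Pinging <name> [<ip>] ..." only appears when the reverse lookup worked;
# otherwise Windows prints "Pinging <ip> with 32 bytes of data:".
PING_NAME_RE = re.compile(r"^Pinging (?P<name>\S+) \[(?P<ip>[\d.]+)\]", re.M)

# One tracert hop: number, three RTT columns ("<1 ms", "12 ms" or "*"), then
# either "name [ip]", a bare ip, or "Request timed out."
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(?P<rest>.+?)\s*$", re.M)

# Partial, hand-picked list of registries that assign names one label deeper
# (assumption for this example; a full public-suffix list is needed in practice).
TWO_LABEL_SUFFIXES = ("co.uk", "ac.uk", "com.au", "co.jp")


def resolved_name_from_ping(output):
    """Host name that `ping -a` resolved, or None if it printed only the IP."""
    m = PING_NAME_RE.search(output)
    return m.group("name") if m else None


def parse_tracert(output):
    """List of hops as dicts {hop, ip, name}; ip/name are None when unknown."""
    hops = []
    for m in HOP_RE.finditer(output):
        rest, name, ip = m.group("rest"), None, None
        named = re.fullmatch(r"(\S+) \[([\d.]+)\]", rest)
        if named:
            name, ip = named.group(1), named.group(2)
        elif re.fullmatch(r"[\d.]+", rest):
            ip = rest
        hops.append({"hop": int(m.group("hop")), "ip": ip, "name": name})
    return hops


def last_named_hop(hops):
    """Last hop that carried a DNS name: the chapter's fallback when the
    target itself cannot be resolved."""
    named = [h for h in hops if h["name"]]
    return named[-1] if named else None


def provider_domain(hostname):
    """Registered domain implied by a host name, e.g. provider.com."""
    labels = hostname.rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:]) if len(labels) >= keep else hostname


def identify_provider(ping_output, tracert_output):
    """Combine both tools the way the chapter describes: prefer the name from
    `ping -a`, fall back to the last named traceroute hop."""
    name = resolved_name_from_ping(ping_output)
    source = "ping -a"
    if name is None:
        hop = last_named_hop(parse_tracert(tracert_output))
        name, source = (hop["name"], "tracert hop %d" % hop["hop"]) if hop else (None, None)
    return {"name": name, "source": source,
            "provider": provider_domain(name) if name else None}


if __name__ == "__main__":
    print(identify_provider(PING_OUTPUT, TRACERT_OUTPUT))
    # Same target, but pretend reverse DNS failed for ping -a:
    print(identify_provider("Pinging 123.123.12.1 with 32 bytes of data:\n", TRACERT_OUTPUT))
```

Note that the name of an intermediate hop identifies the network the attacker's traffic passed through, not the attacker, and a dial-up or gateway name only narrows the search to that provider; the WHOIS step that follows is what turns the provider name into a contact.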

Foreign domain names can be searched for under the WHOIS section of the registry of that country. You will find these at http://www.nic. followed by the national top-level domain, e.g. http://www.nic.at for Austria, http://www.nic.ch for Switzerland or http://www.nic.de for Germany.

Geographical analysis with NeoTrace

Finally, we would like to introduce another tool, NeoTrace, which even gives a graphical display of the TRACEROUTE analysis and shows the connection on a map. A free trial version is available at http://www.neotrace.com. After downloading, you should install it while still online to enable NeoTrace to display the geographical details. Enter your country and the city nearest to you. After installing, you can enter the IP address you are investigating in the field marked Target, then click Go.
