Idenifying the real ip address of a hidden Hacker

metasploitI want in this post to discuss some issues concerning proxy uses by hackers and how to address these issues, Many hackers used to hide themselves behind proxies in order to not give IDS’s WAF’s and firewalls the opportunity to find there ip addresses, there are some proxies like Freegate ,tor and others changes IP addresses of user constantly so the attacker can’t be traced at the web server side.

To solve this problem I advise you to take a look at Metasploit-Declocking project. Metasploit Decloaking Engine tool purpose is to identify the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services and without exploiting vulnerabilities in the client system.

The decloaking engine uses eight techniques to identify the ip address:

1. When a web client tries to resolve a host name, it will send a lookup request to its configured DNS server. The client’s DNS server will then send a query to the name server for the particular domain. If the host name contains a unique identifier, it is possible to correlate the IP address of the client with that of its DNS server. This can leak the ISP or company from which a given client is accessing the web, even if a proxy is in use. This leak does not occur when the proxy server is responsible for performing DNS resolution (socks4a, but not socks4).
2. When a Java applet tries to resolve a host name using the socket API, and the host name is not the same as the web site that served the applet, a security exception is raised. However, even though a security exception is triggered, the DNS request itself is still sent to the client’s DNS server. This can leak the ISP or company from which a given client is accessing the web, even in cases when a DNS enabled proxy server is in use.
3. When a Java applet sends UDP packets back to the originating host, the packets are usually sent without passing through the proxy service. This will leak the real external IP address of the web client. This method may not work with newer versions of Java and the packet destination is limited to the IP address that served up the applet.
4. When Java is enabled, the host name and IP address of the web client are available by accessing the socket API. This method will leak the name of the user’s workstation and the IP address, as the system sees itself. In other words, this will leak the internal IP address of the system, even if the system is behind a NAT gateway or a proxy server.
5. When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user’s workstation.
6. When Microsoft Office is installed and configured to automatically open documents, a file can be returned which automatically downloads an image from the internet. This can bypass proxy settings and expose the real DNS servers of the user.
7. When the Quicktime plugin is installed, it can be loaded with a parameter which explicitly tells it to use a direct connection for the movie and to ignore the browser’s settings.
8. When the iTunes is installed, it registers the itms:// protocol handler. This protocol handler will open iTunes and do a direct connection to the specified URL. There are some restrictions on the URL you can pass, but we found a nice way around them 🙂

So for the security of your business make sure that you have the router and firewall logs, intrusion detection logs, network monitoring data, Web server logs, and server event and performance-monitoring logs. To document everything that happens on the network. And of course to monitor your web client log to detect any intrusion that harms your web application early and avoids it.

make sure you subscribe to my RSS feed!