Chapter 10: Advanced Techniques – Cyber Spying Tracking Your Family's (Sometimes) Secret Online Lives

Chapter 10

Advanced Techniques

Now we are going to knock it up a notch. Bam!

Emeril Lagasse

I love it when a plan comes together.

George Peppard as Col. Hannibal Smith of the “A-Team”

Introduction

Congratulations, you have made it through the first part of cyber-spy school. By now you should have a basic understanding of the spy process and quite a few tricks to help you pry into people’s online lives. You may be feeling computer savvy, and even a little dangerous. Be warned, this is just the beginning. We have given you a few basic tricks and scenarios, which will work most of the time, especially in ideal situations. Of course, one of the most important rules of cyber-spying (all spying, in fact) is that there are no ideal situations.

To be as prepared as possible for these non-ideal conditions, you need to develop skills that will expand your knowledge base and make you as versatile as possible. One major thrust of this chapter is to improve and build upon some of the techniques discussed earlier in this book. We want you to take what you have learned and convert it from basic to guru, so that when you encounter those odd cases, you still have a few more tricks up your sleeve.

Although this book focuses mostly on personal computers (PCs), they are only a small part of the entire cyber-realm. While they are generally most people’s gateway to cyberspace, they are not the only area a good cyber-spy should focus on. As cell phones, personal digital assistants (PDAs), and even video game consoles become more advanced, there are more ways to get online and to store and use information. All of these devices can hold clues about how their owner lives. A cyber-spy should not overlook this potential gold mine of information. Harnessing the Internet and its many powerful search engines and online databases should also be a tool in every spy’s arsenal. Many people still do things the old-fashioned way–by paper. Detailed credit card statements, phone bills, and other periodic paper documents are a great place for collecting even more information. Viewing the entire picture and collecting and correlating data from different sources is a very important part of spying, and an advanced technique that even professional spies have a hard time mastering.

Tips and Tricks

Take Two

Throughout this book, we have discussed using hardware-based keystroke loggers. In many cases, they are the easiest and only way to get the information you need. If you decide to purchase a keystroke logger for your spying endeavors, we strongly recommend that you buy two identical ones. Having two keystroke loggers is extremely helpful when you have to deploy and analyze data from them.

A good spy tries to expose himself as little as possible; for you that means minimizing your time on target. While installing a keystroke logger is a quick and easy task, if you want to take it to any other computer and analyze it, there is a time issue involved. If you only have one, you are forced to install it again after you have dumped the data; hence, there is a window of time when the machine is not being monitored at all.

The situation is improved with two keystroke loggers. When you remove the full one from the back of the target PC, you replace it with the empty one. You now have immediate coverage on the computer. Meanwhile, you can analyze the other keystroke logger on a different machine.

Improving Your Skills

This section is about “taking it up a notch.” Many of the basic skills and scenarios presented earlier, while valid, do have problems. Here, we address some advanced techniques to make you a more powerful cyber-spy when encountering realistic complicated scenarios.

Collecting on Switched Networks

As mentioned in Chapter 4, switched networks are becoming very common. For PCs, there is no longer much of a price gap between switches and hubs. In fact, hubs are disappearing from most consumer electronics stores, while switches are being built into cable and Digital Subscriber Line (DSL) routers, making them ubiquitous. Since many of the techniques from the earlier chapters involved sniffing the network, a task made difficult by switched networks, we need to develop a solution to make sniffing a useful endeavor again. We will do this by using a concept known as Address Resolution Protocol (ARP) spoofing. As we will demonstrate, ARP spoofing enables you to use a “Man-in-the-Middle (MITM)” attack against your target.

Notes from the Underground

What Is Spoofing?

Spoofing is the computer term for altering information in a packet in an attempt to hide its true contents. This term is used most often in the context of “spoofing an Internet Protocol (IP) address.” In this case, a packet is labeled with an incorrect sender IP address. The receiving computer is deceived into thinking that it is communicating with a computer other than the real sender. Oftentimes, IP addresses are spoofed so that the destination computer cannot respond to the packet.

ARP Spoofing

From Chapter 4, you are familiar with the concepts of an IP address and how it is used to route packets across a network. We will now go a step lower to learn about addresses that the hardware itself uses, which are called Media Access Control (MAC) addresses. A MAC address is a 12-digit, 48-bit number that uniquely identifies a hardware adapter (i.e., an Ethernet or wireless card).

Each network adapter in a computer has a unique MAC address. This is how the hardware knows which packets it should retrieve, and which belong to a different adapter (potentially at the same IP address). The first section of each packet is dedicated to the MAC addresses of the sender and receiver. If the MAC address of the packet matches the hardware address of the network adapter, the computer examines it.

To send to a packet with an IP address, the adapter queries the local area network (LAN) for someone who has a matching MAC address. (This is called an ARP request, because you are asking the entire network which MAC address corresponds to the desired IP address.) An adapter that matches responds with an ARP response essentially saying, “Yes, that is my IP address, and my MAC address is 00:0B:DB:1C:00:6C.” Because this transaction requires that two packets be sent (a query and a response), the sending computer tries to reduce future network congestion and stores the response in memory. This table of past responses is called an ARP cache. In addition, any other computer that saw the response will store the information. If no one responds, or the IP address is out of the range of the local area subnet, the router or switch that serves the requestor will send a response, which tells the sender that they should send the packet directly to the router to be forwarded to its final destination.

Now, for the danger: there was no mention of authentication. It is possible to send spoofed ARP responses to machines on a network to confuse the computers. ARP spoofing can result in a perfect MITM scenario. There is nothing that stops you from shouting out “Yes, that is my IP address, and my MAC address is …” before the legitimate adapter has a chance to respond. That works easily on local area subnets, but what about switched networks? The attacker’s computer can proactively send spoofed ARP responses to the gateway router or switch indicating that the attack computer’s MAC address corresponds to the target computer’s IP address. More spoofed ARP responses are sent to the target computer, telling it that the MAC address of the attack computer corresponds to the IP of the gateway. Having done this, all traffic sent to the gateway from the target computer will be sent to the attack computer, which then examines and forwards the packets to the actual gateway and finally to the target computer. All responses will be sent from the gateway to the attack computer, which can examine them before forwarding them to the target computer (see Figure 10.1).

Figure 10.1 Results of ARP Spoofing/Poisoning

A successful ARP spoofing attack will result in an MITM scenario that is not easily detected by an unsuspecting user. One advantage of being in the middle of a target computer and its gateway is that you can examine and collect all traffic to and from the target computer. In addition, being in this location relative to the target computer and the outside world enables you to attack certain types of encryption, most notably Secure Sockets Layer (SSL). Since their traffic will actually be passed to the Internet through the attacker, the victim will not notice the attack without sniffing the network. Since the ARP caches eventually time out, by stopping to send the spoofed ARP responses, the network will eventually work back into its natural state. It should be noted that this type of MITM attack is sometimes called ARP poisoning.

Cain & Abel

Some people create tools to do one thing very well, while others create tools that do many things. Cain & Abel (C&A) v2.5 Beta (released by the owner of www.oxid.it) is advertised as a password-recovery tool for Microsoft Windows. C&A is capable of sniffing networks, collecting passwords, and using a variety of cryptographic attacks to crack encrypted passwords. Newer versions of C&A have incorporated methods such as ARP poisoning, to allow for the discovery of more passwords. Although C&A has many exotic and powerful features, we concentrate on some of its more standard features to help expand your current capabilities. We encourage you to download and experiment with this as a tool in your cyber-spy arsenal.

The newest version of C&A can be found at www.oxid.it/cain.html, as well as from our site, www.cyberspybook.com. In our examples, we use C&A for Windows NT, Windows 2000, and Windows XP.

Installation is a two-step process because a special version of WinPcap must be installed. The first step is to double-click on the C&A executable file and install it as you would any other application. Once installation is complete, it is time to install WinPcap, which has been integrated directly into the installation process (you will be prompted to install it). Since installation of WinPcap was shown earlier, we will not cover it again.

With everything installed, you are ready to use C&A. As with most applications, the first procedure is to configure the tool to your needs. To do this, launch the application and select the Configuration Dialog tab (see Figure 10.2). This allows you to select the interface on which to sniff. It is easiest to select the interface by using the IP address as a guide. You can also set the sniffer and ARP to begin on startup, although we do not recommend this. We suggest that you only use C&A when you explicitly want to.

Figure 10.2 Sniffer and General Configuration Options of the C&A Tool

Selecting the ARP Poison Routing (APR) tab (see Figure 10.2) brings up the next set of available options. The default options (see Figure 10.3) should be sufficient, but if you are having problems getting the attack to work, you can set the “Poisoning remote ARP caches every 5 seconds” field to poison at a quicker rate.

Figure 10.3 ARP Poison Configuration Options of the C&A Tool

With configuration complete, you are read to begin performing an MITM attack. Double-click on the executable to bring up the C&A window (see Figure 10.4).

Figure 10.4 Main Interface of the C&A

Next, you need to start the sniffer, which can be done by clicking the sniffer button (the far-left icon shown in Figure 10.4). Once the sniffer has started, you can select the Sniffer tab in the window to bring up the sniffing suboptions. Right clicking in the window allows us to be aggressive and scan for other machines (see Figure 10.5).

Figure 10.5 MAC Address Scanning Dialogue in C&A

As demonstrated next, C&A can explicitly discover any machine on your network (Figure 10.6 shows the various options that are available). We invite you to explore these options after you download the tool. Since we are going to perform our MITM attack on a small home network, scanning all the hosts in the subnet is enough to bring up all of the computers in our network. If you are on a large network, use a small range to limit the amount of traffic (and potentially alerting noise) that you generate.

Figure 10.6 C&A MAC Address Scanner Options

Once C&A has finished its scan of the network, all of the computers it discovers are displayed (see Figure 10.7). In this case, it has successfully discovered all of the machines in our local network. As you can see, the IP address and MAC addresses are both displayed. If C&A determine more information, it will be displayed as well. For example, 192.168.1.1 is most likely a router because the Organizationally Unique Identifier (OUI) fingerprint field says that it is “The Linksys Group, Inc.”

Figure 10.7 Results of a C&A MAC Address Scan

Now it is time to start the ARP poisoning. First, select the APR tab at the bottom left of the window. This will bring up the APR interface (see Figure 10.8).

Figure 10.8 C&A APR Interface

Selecting the “+” button in the upper left corner of the C&A window presents a list of possible machines to ARP spoof. On our network, Figure 10.9 shows the machines that we can poison to mount our MITM attack.

Figure 10.9 C&A Interface to Select New APR

In this instance, we want to poison 192.168.1.107 (the target) and 192.168.1.1 (the gateway). By selecting 192.168.1.107 in the left window, the choices of other machines are displayed in the right window. Selecting 192.168.1.1 and then the OK button sets up the parameters. Because 192.168.1.1 is the gateway for our network, spoofing this connection will redirect all Internet activity from 192.168.1.107 to our machine (see Figure 10.10). At the moment it is idle, so the network is functioning normally.

Figure 10.10 C&A Configured to ARP Poison

To begin ARP poisoning, select the round yellow and black APR symbol in the upper left corner of the window. This will start the poisoning of all of the caches. C&A will constantly send out ARP responses in order to set up the MITM attack. As the user on the unsuspecting machine uses the Internet, the status of the ARP poisoning is displayed in the windows (see Figure 10.11). We can see where the user on the targeted computer has been browsing. The number of packets passed by the MITM attack is also displayed.

Figure 10.11 Successful C&A ARP Poisoning Attack Example

Next, we see the results of our sniffing by selecting the Passwords tab in the bottom of the window. Figure 10.12 shows the passwords that we have found. On the top row, we can see Sarah’s hotmail password. As seen in the next two rows, not every password can be broken out by this application. Some schemes such as Yahoo transmit unbreakable hashes of their passwords. You can task C&A with attempting to break the hash, but unless the software is extremely lucky, it will not happen.

Figure 10.12 Passwords Collected from C&A on a Switched Network

Unfortunately, MITM attacks are not an unknown method of gaining access. As a result, Web pages have security certificates and other mechanisms to help secure the Web site (see Figure 10.13). Our unsuspecting victim will get this warning when they browse to a site that uses these certificates. Most people click their way though the security warning, giving free access to their encrypted Web traffic.

Figure 10.13 Certificate Security Warning to Discourage MITM Attacks

If we are lucky, they will select yes to proceed and therefore continue our MITM attack. An MITM attack performed by C&A can be a very useful tool in your arsenal. C&A also has many more functions that can be used to spy on your mark.

Sneaky Web Tricks

This section involves using the information obtained from other methods to help expand access to your online targets. In Chapter 6, you learned to collect e-mail accounts, passwords, and browser histories. In Chapter 7, we discussed how to collect e-mail. The trick here involves combining all of these lessons in order to access other online sites that your target may be using.

For example, many online personal advertisements and dating sites allow users to create accounts where they receive personal messages and other information specific to that site. Depending on why you are spying, this could be information you are interested in.

The first step is to ensure that you have the ability to view your mark’s e-mail. Once you have control of the e-mail, the next step is to acquire a browser history and after that, search for sites of interest. Most can be browsed to and viewed; those that cannot may require accounts and passwords. When you encounter one of these sites, the next step is to look (either in protected storage or cookies) for an ID associated with that Web site.

Once you have the target site and account, browse to the site. To log in, you will probably need the password. (If you transfer all of your target’s cookies to your computer, you may be able to browse using their session information and not need the password.) While there are many ways to obtain the password, such as logging keystrokes or guessing, most Web sites offer another option: attempt to log in, use anything you want as the password and when you fail, look for a “I forgot my password” button. This usually e-mails the original password, or a new password, to the user’s registered e-mail address. Now that you have the password, you can enter the Web site at your discretion.

Another thing to consider is how you are going to handle the e-mail. If you receive a password reminder or a change in password, it is best to delete the message if you can. Although changing the password may be alerting, your mark will most likely follow the same procedure as you and have a new password e-mailed to him. Since you can monitor e-mail, you will also have access to the new password.

A Secret Web Server

Now that you know about the structure and sweet spots (i.e., e-mail boxes and temporary Internet files) of the Windows operating system, you may want to consider installing a tiny Web server on your target’s computer. Even when files were hidden, we were able to access them remotely from several Web servers. One such server is freeware application Abyss Web server. You can retrieve this executable from www.download.com (search Abyss).

If you want this to remain secret, you must be stealthy in your installation options. We recommend checking only the Abyss Web Server (required) box and the Auto Start box so that the server is always running (see Figure 10.14).

Figure 10.14 Recommended Abyss Web Server Installation Options

After the Web server has been installed, it is time to configure it for use. The first thing to do is specify an Administrator Login name and password (see Figure 10.15). From a tradecraft perspective, you may want to consider selecting a name like “l33thax0r,” which might be the popular choice of a young hacker. Likewise, you could use the name “Mom” if you were trying to overtly convey to your children that you are monitoring them.

Figure 10.15 Configuration of Abyss Web Server Administrator Login Name and Password

The next section must be followed closely; by default, the Web server is tightly configured to be a conventional application serving up .HTML pages. To make things easier, we demonstrate how to do this in a short series of steps.

1. Serving directory. Change the default-serving directory to be the folder you are most interested in viewing, by clicking on the Server Configuration icon on the left side of the console interface. From there, set the Server Root to be C:\ and the Documentation Path to be Documents and Settings (or Program Files, depending on your intentions) and change Port 80 to something you will remember (see Figure 10.16).

Figure 10.16 Configuration of Abyss Web Server Root Directory and Port

2. Disable access log file. Before you can successfully restart the server, you must remove the logging files. This can be done by clicking on the Advanced … button on the left side of the page. This will bring up a new set of icons. Select Server Parameters, blank out the value for the “Log File” field (see Figure 10.17), and click OK.

Figure 10.17 Removal of Abyss Web Server Log File Storage

3. Disable common gateway interface (CGI) capability. Next, the server will notify you if the CGI Error File does not exist. Since you are not using this in the traditional Web server sense, you do not need this capability enabled. Click on the CGI Parameters icon, change “CGI Processing Enabled” to No, blank out the “CGI Error File” location, and click OK. Your settings should resemble those in Figure 10.18.

Figure 10.18 Disabling Abyss Web Server CGI Capability

4. Restart and access. Lastly, you can press the Restart button and access the Web server remotely using a browser pointed at the IP address and port number specified. This gives you full remote browsing access to the root server directory (see Figure 10.19).

Figure 10.19 Browsing to the Abyss Server Remotely

WARNING

Do not install a remote Web server with a root-server directory if you have non-encrypted wireless access on your network, or you do not have a firewall or Network Address Translation (NAT) appliance such as a Linksys router between you and the Internet. If the IP address of the server is routable over the Internet, this is a BAD idea unless you want everyone to be able to access the directory. If you do not have encryption enabled on your wireless access point, a War Driver could secretly gain access to your network and access this server as well. If you do not adequately secure your target, you will not be the only one spying on that machine.

You may think that choosing a port other than 80 ensures you are secure, but many “scanning” applications are in circulation that search for the existence of servers just like this.

From a stealth perspective, one problem with this server is that it has an icon visible in the system tray (the far right of the Start menu). As mentioned, applications exist to remove these icons; however, you can also take intermediate measures by hiding options within the menu itself. To access these options, right click on the system tray and select Properties. Click on the Customize button, which will bring up a list of items. Highlight the Abyss Web Server and change the behavior to be Always Hide (see Figure 10.20). This trick also works for Google Search and other tools that you may have running on a target computer.

Figure 10.20 Hiding the Abyss Web Server System Tray Icon

While you cannot change or add files onto the remote server, you can browse to it whenever you wish. This is an ideal way to periodically copy e-mail, buddy list information, and temporary Internet files. Unfortunately, this method of access does not lend itself well to retrieving key logging or screenshot takes, because you do not have the means of resetting their file size to be zero. Depending on your technical ability, you can experiment with turning the CGI capability back on and creating CGI executables that are capable of executing small tasks such as this. Likewise, if you enable a CGI command and control interface such as this you can theoretically use it to start and stop other monitoring applications such as the desktop monitoring tool discussed next.

Making Desktop Movies

Desktop movies are recordings of all movements on a desktop and are generally used for tutorials; however, they may also be of assistance in your spying endeavors. There are few free stealthy desktop-recording applications available. Most operate by displaying visible “record,” “pause,” and “stop” buttons. However, it should be noted that commercial versions of this software has been purposefully created to be hidden and stealthy such as “Desktop spy” available at www.spyarsenal.com. We do not endorse any commercial products and therefore have not evaluated any of the options, but most (including Desktop spy) give you the opportunity to download them for a free 21-day trial. If you are lucky, you may learn all you need to know in those 21 days. Commercial applications such as this one generally enable you to set certain start and stop times for the captures, which can enables you to know if your spouse wakes up an hour or so before you to access the computer in “privacy.”

Another option is to combine the power of virtual network computing (VNC), which was demonstrated in previous chapters, with desktop movie-making software to record movements on your target’s computer. Because the desktop monitoring software is located on your computer (instead of your target’s), you do not have to worry about a noisy dialogue box. Instead, you merely launch a VNC session and begin capturing data. Figure 10.21 demonstrates how the CamStudio recording box is positioned around a VNC session to make an .AVI movie of the movements on the remote computer. CamStudio, which is freeware, can be downloaded from www.brothersoft.com/Multimedia_Graphics_Screen_Capture_CamStudio_3944.html.

Figure 10.21 Combining VNC and Desktop Recording Software Such as CamStudio Can Enable You to Secretly Store Movies of the Activity on a Remote Computer

There are several freeware desktop movie applications that you may find useful (or more in tune with your needs). Also, it should be mentioned that as of the writing of this book, there are Linux and MacOS versions of VNC recording and playback plug-in applications; however, we were not able to identify any straightforward Windows ports. We encourage you to experiment searching for Windows VNC viewer-recording capabilities that are built directly into VNC, as they may be more effective. Recording is an option that can be used for proof or confrontation material following an event.

Web Cams

Web cams are difficult to detect and collect data from, not because of technological enhancements that keep them protected, but because of the large (and ever-expanding) number of different clients that are available. Most clients use their own protocol and operate on their own port. Table 10.1 shows a sampling of the various ports used by the different services.

Table 10.1

A Sampling of Ports Used for Video

Clients that accompany AIM, Yahoo, and MSN chat clients are some of the most popular for home use. While Snort, Ethereal, and most sniffers collect traffic, there are no good tools for reassembling the video streams from the traffic. Currently, the best we can do is to determine that one is running on our network.

Expanding Your Horizons

For the final part of this lesson, we are going to expand your collection circle from the computers on your home network outward. We start with your home router and end the search on the Internet exploring Google, white pages, and several databases full of information useful for spying.

Small Home Routers

Home networks today often utilize low-end routers such as those produced by Linksys, to share a single Internet connection among several computers. In these circumstances, the router is a choke point in the network that uses NAT to map packets among hosts. Given this responsibility, these devices have access to all of the traffic on the network, and many maintain logs of that traffic.

The first step is to discover where the router is located on the network. This step can be done by identifying which IP address your computer uses as its default router. One method of doing this is to execute ipconfig /all <ENTER> from a command prompt (see Figure 10.22).

Figure 10.22 The Default Router IP Address Can Be Obtained by Executing ipconfig from a Command Prompt

From these results, we see that our IP address is 10.1.1.106 and the address of the default router is 10.1.1.1. Nearly every home router provides a convenient Web interface for administration and maintenance. The next step is to open a browser and “surf” to this IP address. You will most likely be greeted with a page querying you for a user name and password (see Figure 10.23).

Figure 10.23 Password Prompt from a Linksys Router

If you are lucky, this password may not have ever been set by anyone in your home. Several Web sites such as www.cirt.net/cgi-bin/passwd.pl list default passwords and account names on products such as this. Alternatively, you can wait for someone to log in to administer this, and capture the keystrokes. However, note that doing so may take a lot of time because few people need to frequently view or change this information. Given all of the previous password recovery tools discussed in earlier chapters, another option is to try e-mail and Web account passwords that are commonly used by your target. It is very likely they are using one of them on the router.

As a last resort, many of these devices provide a means of “resetting” the system to factory defaults. Doing so completely eliminates the password and enables you to have full access of the system. We recommend only doing this if: (1) no one else in your house is currently accessing the Internet (as it will disrupt the connection, (2) if you have reviewed set-up and configuration information on the manufacture’s Web site, and (3) if you have a good cover story/back-up plan in the event that you are not able to re-configure the Internet connection. For example, if you claim that the power went out, flip the switch on the circuit breaker so that other devices appear to also have lost power. This is also a good time to quickly install a keystroke logger on your target’s computer so that you can identify what the new password is. Otherwise, if the Internet connection works after you reset it, you should be able to directly access the Web site (after potentially using a default login such as username: admin password: admin). Note, however, that resetting the router will also delete any wireless encryption keys, so be sure that you have considered all of the potential side effects before you take this extreme approach.

From this point on, we will assume that you have gained access to the router through one of the means mentioned. For our purposes, the most interesting aspect of the routers is its logging capability. In the Linksys model (see Figure 10.24), you can access the log page by clicking on Administration | Log. Your version may differ somewhat; therefore, you should look at the documentation for your particular model for specific directions. In our example, ensure that the “Log” button is checked Yes to capture traffic information.

Figure 10.24 Internet Traffic Log Location on a Linksys Router

When some time has passed and a log has been collected, you have two options. You can either view the log directly on the router itself through the Web interface, or you can have it sent remotely to a computer where it is stored and updated on the fly. When your computer is shared with your target, you should access the log only from the Web interface; otherwise, your target may stumble across the software and become suspicious. To view the log locally, you must click either Incoming Log or Outgoing Log. The incoming log maintains a list of traffic that is destined for your home network and the Outgoing Log lists where users in your network are going out. The Outgoing Log will probably be the most useful (see Figure 10.25).

Figure 10.25 Outgoing Internet Traffic Log on a Linksys Router

In this figure you can see outgoing traffic information for four different computers:

 10.1.1.100 is using the AOL Instant Messaging (IM) client (port 5190)

 10.1.1.101 is surfing to the www.sony.com Web site

 10.1.1.104 is accessing the www.usatoday.com site and its associated advertisements

 10.1.1.106 is also using AOL IM.

The drawback to accessing information directly on the router is that it has a limited amount of storage space. This means that depending on the amount of traffic, this log may only date back 5 or 10 minutes. If your target was conducting illicit activities while you were at work, you may be out of luck.

To solve this problem, save the log files remotely on a computer that your target does not use. This will enable you to maintain larger amounts of data about the traffic. Most home routers have remote clients such as this for accessing and saving log files. In our example, Linksys provides an application named LogViewer, which can be downloaded at ftp://ftp.linksys.com/pub/befsr41/logviewer.exe. Once you install this application you must verify that the address entered into the “LogViewer IP address” field is correct (i.e., in our case it is set to 10.1.1.106). As Figure 10.26 demonstrates, the log from the LogViewer application is very similar to what you will view on the Web site. The two biggest differences are (1) larger amounts of access data can be stored and (2) logs are updated in real time so you can literally “watch” this application for an up-to-date view of all Internet activity on the network.

Figure 10.26 Outgoing Internet Traffic Viewed Remotely Using LogViewer

Cell Phones

Cell phones have become a ubiquitous communication device. Modern ones much more closely resemble computers than the traditional phones of 10 years ago. Today, cellular phones have Web cams, still cameras, Internet surfing, e-mail, and IM capability built directly into them. Each new model takes a step closer toward realizing the same communication functionality as desktop computers. With this enhancement also comes a security consciousness, with exploits and viruses aimed at cell phones already in circulation.

Given the wide assortment of carriers (i.e., Cingular, Verizon, NexTel, Sprint, T-Mobile, and so on) in the U.S., there is also a wide selection of phone manufacturers and each manufacturer has a hefty selection of cell phone models. Because it is impossible to cover all of them (and the most current models will likely be updated by the time you read this), we stick to a series of collection recommendations:

1. Determine the model. When your target is in the shower or has stepped out for a moment without the phone, physically investigate it to determine what manufacturer and model it is. Most phones have markings that identify them. Given the general interest that many people have with “gadgets,” including phones, you can even admire it while they are around and simply ask, “What model is your phone? It is cool.” If this does not work, determine which wireless provider they are using by asking them or looking for a bill in the mail. Next, go on the Web and find the provider and then search through all of their available telephone models for one that looks the same.

2. Read the manual. In general, people are not keen on reading instruction manuals, but think of this as your opportunity to tune your skills before you even touch the phone. If you cannot find the manual, search the Internet; the manufacturer’s site is sure to have an electronic one available (see Figure 10.27).

Figure 10.27 Using a Provider’s Web Site to Research a Particular Phone

3. Visit the store. If this model phone is available for purchase, you may find it useful to visit the store for a demonstration. Request to see all of the “ins and outs” of the phone’s functionality. This will help you become familiar with it and give you a chance to experiment.

4. Scour the Web for features, tips, and tricks. Before jumping into collection, search online for information about the model. You should be aware of every feature that is available for your exploitation, as well as any exploitation methods for bypassing passwords, and so forth, that have already been posted by others.

5. Look for histories. Now that you have done your homework, you are ready to get started. One of the most useful characteristics about cell phones is that, much like computers, they maintain usage histories. At a minimum, this should tell you who has called your mark, who your mark has called, and how long they talked. You can usually access this information without a password.

6. Look in the address book. Stored address books can be useful because (1) the phone numbers can be entered into the reverse telephone directories and (2) labels entered into the phone may be extremely descriptive (and sometimes alerting).

7. Exploit the features. Many phones today have calendars and camera, video, and Internet access. Search for residual information from any of these. For example, many of the people that use their cell phone for instant messaging stay logged on non-stop. This is an excellent chance for you to retrieve the buddy list (and maybe even password) of your target. Likewise, some forward communication through text messaging using services such as AOL’s MyMobile (see Figure 10.28).

Figure 10.28 Using AOL’s MyMobile Service to Forward Instant Message Text

NOTE

Consider using mobile forwarding as a means of sending e-mail and text message pager alerts to yourself to notify you that your target is online, signed on to IM, or sending/receiving e-mail.

8. Billing. If your target literally has their cell phone on their hip at all times, you may find that your spying efforts have not yielded much success. Never fear, you have one more option. The beauty of phone calls is that they are logged with details on the transaction times, locations, and participants. These bills come in the form of paper listings, or even more popular today, are accessible using electronic accounts. Analyze these carefully, because the information they contain could be your big break in the case (see Figure 10.29).

Figure 10.29 Analyzing the Cell Phone Bill for Activities

Imagine that 703-111-1111 is your home number and 703-222-2222 is your cell number. You may be curious as to why your spouse is always calling 703-555-5555 for long periods of time. Furthermore, the calls to this unknown number tend to occur first thing in the morning, during lunch, and late in the evening, all times that you are not around. The call on October 23 at 11:04 PM is an especially interesting one. You know that your spouse is always in bed by 10:00 PM. This would mean that your spouse secretly got up to use the phone after you fell asleep.

Likewise, some bills have information about where calls originate from. This can also yield interesting clues (see Figure 10.30).

Figure 10.30 Cell Phone Bill Origination Information

In this statement, the origin of the call is displayed in the sixth column. Beyond learning whom your target is calling and when, you can learn where they are. If they are highly active on the phone, you can use this as a type of tracking system. For example, say you are monitoring your child who was supposedly spending evenings at “football practice” in Springfield, VA. You may find it highly interesting that on the nights of October 25 and 26 your child was making phone calls from Washington, D.C., shortly after 5:30 P.M.

Again, few things beyond a confession by someone bring a concern to closure. Each tip and trick that we have given you can be used to collect a wide assortment of clues that can be pieced together. This combination serves two purposes: first, it helps you gather more evidence against someone, and second, it helps you make sure that you are correct in your concern before you jump to conclusions and make emotional accusations.

Google

The Google search engine is a wondrous tool for cyber-spying. Despite the fact that there are an enormous amount of Web pages online, Google manages to discover, catalog, and cache the vast majority of them for your searching pleasure. As you will see, many of these pages were never meant for public viewing. Furthermore, once a page has been included in a caching engine such as Google, it will be there for a long time (see Figure 10.31).

Figure 10.31 Outgoing Internet Traffic Viewed Remotely Using LogViewer

Imagine that “Larry Dirtius, a.k.a. Dirty Larry” changed his mind about posting to the www.trueconfessions.book. Web site one day after first posting there. Even if he successfully persuades the site administrator to remove his posting, it will still show up in the Google search. Since the page has been removed from the Web site itself, clicking on the “Dirty Larry: The Real Story” link will give a “404 File Not Found” error. However, thanks to Google, we can click on the Cached link, and it will retrieve a copy of the original posting.

Notes from the Underground

Cheat Notes on Google Hacking

The definitive Google hacker is Johnny Long of Johnny.ihackstuff.com. Besides being a highly useful forum on the subject, his site contains a database full of useful search terms in Google for uncovering information that no one expected to be made public. For example, Figure 10.32 demonstrates how the tip in his database to search for “# -FrontPage-” inurl:service.pwd provides username and password hashes for 121 different Web sites.

Figure 10.32 Google Hacking to Discover Information

Even funnier in our context is a Google search for “buddylist.blt index –hack,” which gives you the screen name and complete buddy list for several accounts. It is probably worth putting the name of the person you are searching for in the query just in case their buddy list is being exported. If you are lucky, you will come across one or two others that have that person added as a buddy. We also recommend the book Google Hacking for Penetration Testers by Johnny for additional examples and explanations on the subject.

Online Databases

There are several tpes of online databases.

Blogs

Blogs are basically chronological online journals. They are replacing the vanity personal Web pages of the mid to late ‘90s as the way most people attempt to leave their mark on the Internet. It was estimated by Technorati, Inc. that as of October 2004, there were 4.2 million blog sites online. Also, a 2003 Pew/Internet survey reported that approximately 53 percent of adults in the U.S. had written in a blog. Even Google has a blog at www.google.com/googleblog that records the musing of different employee’s at Google.

Different people and groups create blogs for varying reasons. Some are parts of projects, others are people’s personal thoughts and ramblings. When looking for information on a mark, finding their personal blog, if there is one, is a great discovery. This can yield all sorts of personal information that you can use to support or discredit other information you may have collected on them.

Public Records

Without a doubt, the finest option for public records searches is the renowned LexusNexis service. We encourage you to research the www.lexisnexis.com site and determine if this level of service is necessary for what you are trying to accomplish. You should note, however, that there are many free services that are extremely useful as well. One such site is www.searchsystems.net. Because available records vary by city, it starts by asking you to select the city and state that you are interested in. In our case, we are curious about “Larry Dirtius,” whom we have been reading about, so we search “Richmond, Virginia.” Figure 10.33 shows a small collection of the many sites that are returned from our search.

Figure 10.33 Public Record Sites Available from www.searchsystems.net

One of the records databases of particular interest was the “Richmond County Combined Court Records.” Selecting this brought up a site that we used to search for “Dirty Larry.” Figure 10.34 shows an example of this site; most cities have similar sites for their court systems.

Figure 10.34 Court Records for Richmond, Virginia

Use public-record databases for your area (e.g., marriage records, court records, and driving records) to better investigate your target. Investigations that used to take intensive effort are becoming easily available. As public records become easier to find and access, what once was semi-private information such as housing assessments is available to the intrusive neighbor.

Credit Reports

Thanks to the Fair Credit Reporting Act (FCRA), U.S. consumer reporting companies must provide a free copy of their credit report to individuals once a year. Because the debits of individuals that are married can often be grouped together, this may be a good way to search for hidden credit cards and bank accounts if you suspect financial misconduct on the part of your spouse. You can access this information at www.annualcreditreport.com.

Address and Phone Listings

Online phone listings can help in many ways. Remembering that everything is a trail of breadcrumbs they many not gleam a solid “proof”, but they can certainly provide useful clues.

White Pages

If you discover the name of an individual that your mark seems to be corresponding with a great deal, you can use search sites such as www.addresses.com or http://phone.people.yahoo.com to discover both that person’s phone number and address (see Figure 10.35).

Figure 10.35 White Page Search for Larry Dirtius Yields His Address and Home Phone Number

Searching for Larry Dirtius reveals his 804 area code, phone number, and address in Richmond, VA. If you followed our story about 16-year-old Sarah from Alexandria, VA (in Chapter 6), who we learned is really 13-year-old Katie, you know that her parents should keep her away from any unescorted visits to Richmond. Dirty Larry lives there.

Similarly, you may not have solid proof that your spouse is cheating on you, but you discover a large number of e-mails from a person that has made you suspicious. While we do not condone any type of affair (regardless of online-only or not), there may be a difference between the exchange of lusty e-mails and an actual meeting. Suppose you search for the address and phone of this person and discover that they just happen to live in the town that your spouse has been recently traveling to “for work.” This also gives you a phone number to watch for on cell phone caller ID log, which may indicate that there is a potential problem.

Reverse Directories

What can you do if you discover that the same unfamiliar phone number has been listed repeatedly on your child or spouse’s cell phone? Make use of the many reverse phone directories available. For example, Figure 10.36 shows how www.reversephonedirectory.com can be used to look up phone number 804-555-5555.

Figure 10.36 Reverse Directories Enable You to Identify the Owner of a Telephone Number

If the number that you are searching belongs to a cell phone, you may receive information stating that it is registered to a provider, but will most likely not receive the actual owner’s name.

Social Engineering

We cannot write enough about the power of social engineering. Unlike computers that have rules and strict protocols set in code, people adjust their decisions based on reason. This reasoning can be internal contemplation, or a choice that can be swayed or altered by outside forces. Like it or not, nearly everything that surrounds us is social engineering to some extent. This book is an example: in approximately 400 pages we have expressed our opinions about many subtleties of computer science that may or may not change the way you think. Every advertisement that you see is a company’s attempt to socially engineer you to think that you need their product. Never discount social engineering as a method to gain access to your target’s computer or accounts. What might not be available through technical means may be available by talking to the right person. Why spend effort snooping on a person, when you can get them to give you access?

Many times when tracking our mark we are looking for information that they would not willingly give us. Sometimes it is necessary to use social engineering to approach them and “pump” them for information. Since we have talked a lot about online identities, it would not be a bad idea to create an online identity that you feel appeals to your mark, approach them, and build up a relationship with them. By creating online characters to interact with your mark, you can ask questions they might/would not give to most normal people. In addition, with whatever knowledge you have of your mark, you can tailor your online identity to best match any personal preferences they might have. For example, your teenage son may not want to open up to you, but he might feel comfortable talking to a girl his age. Keep this path in mind in your search for information from your target. While technical collection is powerful, never underestimate the power of social engineering.

Summary

New and advanced techniques help cyber-spies with more difficult “real world” situations. In addition, potential spies should look beyond PCs for other areas where useful information can be collected to help them build a picture of their adversary’s activity. Several key topics in this chapter were:

 C&A allows us to automatically sniff a switched network, perform MITM attacks, and collect passwords from targeted machines.

 Techniques from the previous chapters can be combined to obtain difficult-to-find information, or to help deepen access into our mark’s online life.

 A Web server is a great means of remote access to a computer. While based on simple and stable principles, they have most of the capability needed to become full-fledged spy tools.

 Personal routers are critical chokepoints in most home networks, and can offer a great deal of information on what goes on inside them.

 The pervasiveness and communication abilities of cell phones makes them an important technology to watch when tracking someone’s activity.

 There are a wealth of online resources ranging from Google to public information databases that can be used to collect information about your mark.

 Social engineering is one of the oldest methods of spying, and it is still very important even with all of the technical means available today.

Becoming a good cyber-spy requires plenty of knowledge and lots of practice. Everything we have taught up until now is just a launching pad. We encourage everyone to keep learning about new technology and how it plays a role in your everyday interactions. As more technologies become part of our lives, we open up doors to both newfound utility from the technology, and privacy implications as these new technologies are subverted to become useful spy tools.