Nowadays all keyloggers and RATs are sending data to the hacker in regular intervals (usually every 5 to 10 minutes) by using one of the two methods below:
1. Using the Emails: where hacker configures his email ID and password while creating the server. Key-logger records the key strokes in a temp file and sends it to the hacker in form of emails. But this has a limit as most free email servers like Gmail or Yahoo or Hotmail has limit of 500 composed and received mails. So most hackers use the second method.
2. FTP server: While creating the key-logger server, hackers configure their FTP server, where they receive the logs of key strokes in the form of text file(usually labeled on the basis of current system time stamp). Hackers key-logger server uploads the files to FTP server after every few minutes interval.
Hacking The Hacker
If we monitor all data packets we can easily scan for one of these and then we’ll have the hackers email info or FTP info. What can we do with this, you might ask? Highly skilled hackers obviously won’t allow this as they create a completely separate email or FTP site which leaves no traces of them. But novice skilled hackers (there’s plenty of those) will just use their own email or leaving behind information about them. An example could be that you find the name of the person from the email you backtracked – this ain’t his primary email, so there’s nothing valuable. From there you can look up his name on Google, you’ll probably find his real email on some site; then simply try to login to it using the password from the fake email (most novice skilled hackers will have the same password).
Wireshark is a very famous network scanning hack tool which is used by hackers or network forensic experts to monitor the packet flow of their network cards like Ethernet or WLAN. It records each and every packet coming and going out of your system’s Network card. Packets is just a bunch of data.
Whenever you feel anything suspicious in your system like your system is compromised or you are infected follow the steps below prior to removing the key-logger or RAT from your system.
Also Read: How to DDoS any website in 2 minutes?
Steps to reverse engineering
2. Now go to the “Capture”-button in the top menu of the Wireshark. Select the interface (means your network card which can be Ethernet or WLAN). Click “Start”.
3. It will now start capturing the packets through that Network card. Now just keep capturing the records for at least 30 minutes for getting the best results. After x time, stop capturing the packets.
4. Now you need to filter your results. For this go to the filter box and type FTP and SMTP one by one.
If you get records for FTP then hacker has used FTP server. If you didn’t get FTP that means the hacker has used SMTP, so give SMTP in Filter box.
5. Hacker may have used FTP or SMTP servers. You can check whether FTP is used or not. As you scroll down you will find the “FTP username” and “Password” for victims ftp account. And if hacker has used SMTP then you will find “email address” and its “password” that hacker has used to create the server.
This won’t work in all cases, but it’s certainly worth trying. Who wouldn’t want revenge if some skid infected your precious PC?