Review of Ethernet: The Definitive Guide

If you’ve read an introductory book, and hunger for the REAL details, this is the Ethernet book for you! I loved this book, because it covers everything the introductory and certification books can’t. You get a thorough discussion of the MAC protocol – learning such details as slot-time and why the standards are set the way they are.
The author speaks from experience and has in-depth knowledge of past, present, and ongoing technology. Anyone aiming to be a professional Network Engineer, do yourself a favor and snatch this book.

How Mark Zuckerberg, Google, and the government made it easy for you to find any US Citizen… and destroy them. (Part 1 – Vulnerable Humans)

This is a cross post from here: http://www.reddit.com/r/HowToHack/comments/1o4nto/how_mark_zuckerburg_google_and_the_government/

Posted for archival purposes.

A different kind of hacker.

I’m probably one of the most unconventional hackers you’ll ever meet, if you ever do, and you probably wouldn’t even consider me a hacker. I don’t code, even though I can understand most of the source code I read. I don’t develop new exploits, though I’ve discovered a couple by accident. I’ll occasionally run a few that I’ve borrowed, but I don’t really have any of my own. Hell, I don’t even know enough HTML to design a web page that meets all of the W3C standards. I’m a power user at best when it comes to personal computing, miles above the average user, but would you believe that *nix is still a mystery to me?

And yet, I can do horrible, ruinous things that most hackers could never do. I’ve stolen thousands of credit cards from people, not web sites. I’ve bled bank accounts dry. I’ve stolen homes, and taken out loans on them. Sent SWAT teams to houses in the middle of the night. Raided emails and phones. I’ve even made myself a part of the lives of some of my victims in a very real, physical way.

See, I chose not to hack computers. I chose to learn how to do something else. I learned how to hack people.

People

Let’s talk about people for a minute. People are generally simple creatures that tend to fall into a routine quite easily. They are, by nature:

  • Trusting (Gullible)
  • Predictable (Prone to routine behavioural patterns)
  • Followers (Not leaders)
  • Social (They talk. A lot.)
  • Timid (More likely to run than fight.)

They have many of the same needs:

  • Socialization
  • Entertainment
  • Personal Wealth and Possessions
  • Education (Whether for personal enrichment or employment)
  • Housing

Needs and Nature Expanded

We can make broad generalizations about people called demographics (or stereotypes), but that’s of very limited use. It’s useful if you want to separate a large body of people from an even greater whole, and it’s good to know if you want to verify data you’ve collected on a victim, but this isn’t why I brought up the earlier points.

We need to examine these points of the human condition not as they are laid out, but as vulnerabilities within society as a whole. Much like a vulnerable computer or network, humans have vulnerabilities built into them, and they don’t even know it.

Trust

Most people don’t operate under the assumption that someone is out to get them. This allows them to interact with each other with relative ease, and without feeling that they must deceive or will be deceived. It’s a good thing, but tends to leave them vulnerable to anyone that would lie to them.

Predictable Behaviour

Most people tend to fall into a routine. Wake up, drink coffee, eat breakfast, go to work, eat lunch, go home, play with the kids, shower, brush teeth, make love to significant other, pass out in bed. Repeat.

These routines are very comfortable, and create an illusion of safety and security that simply isn’t real. Something I neglected to mention is that people are generally very lazy, at least in the first world. We don’t call it that though, instead we call it efficient. So much of our lives, mine included, is automated and completely out of our hands- or even the need to be in them.

Newspapers are delivered, checks are deposited into the bank directly, banking statements are electronic (so no mail), packages are delivered to our house- I could go on ad nauseam. I won’t. All of this allows the comfort of falling into and relying on a basic, day to day routine. This is highly dangerous, as it allows a predator to easily stalk a victim remotely and with a high degree of accuracy.

Unambitious

People are more likely to follow a crowd than to lead their own. We are natural followers, and following the crowd assures us that we’ll reap the same benefits of the crowd. It’s easier that way, and the reasons have a strong basis in the points I made in the earlier section. People tend to succumb to peer pressure, and if you’re keen on the demographics of a victim’s friends and family you can predict their behaviour based on what their peers are doing. This allows for a less reliable form of reconnaissance, but it’s accurate enough for a best guess if that’s all you have to go on.

An explanatory note: Something that people tend to overlook is the unspoken significance of stereotypes and demographics. You are not unique. You’ve been told that you are your entire life, and it’s a bold-faced lie. You might be biologically distinct from your peers, but the reality is that a truly unique person is quite rare- you know one when you see it, and you rarely forget.

Sociable

All people socialize with others, even the anti-social, though they go about it in an unconventional way. Out of everything I’ve outlined here, this and the first are the two biggest vulnerabilities in the human condition. The first, trust, allows them to be lied to. This one, the social nature of humans, allows you to interact with them with relative ease.

Timid

This is largely conditional, as not all people are timid. It’s not a good word, but a far more fair description would be that people tend to not rock the boat, to upset the status quo, and to run from a fight before standing their ground. Passive when cornered. Some people will fight back if they think they have a good chance of winning, but when they don’t they often don’t resist. This often allows them to be coerced or pressured into something they wouldn’t otherwise do.

An explanatory note: It’s not the willingness to fight that needs to be focused on here, but the Achilles heel that removes the will to fight. The crazy drunk hick in the bar might just kick your ass because he feels like it, but threaten to blow up his 4×4 or shoot his favorite dog and he might do anything you ask him to. It’s a rarity to find someone that would fight when they know they can’t win. In that sense, the majority of people are timid and unwilling to fight once you’ve cornered them.

In a nutshell (Vulnerability: Exploit/intel):

  • Trust: Deception
  • Routine: Reconnaissance
  • Unambitious: Surveillance
  • Social: Insertion
  • Timid: Coercion

Socialization

Not only are people social, but they have a compulsion to socialize. It’s a basic human need. It’s been covered earlier, so I’ll leave the bulk of that alone to avoid redundancies.

Relevant to their need to socialize are the places people meet up to do so. Physical places where people meet up will be outside the scope of this paper for now, and instead our focus will remain restricted to the online world.

People meet with friends and family on a variety of social networking sites, as well as chatrooms, bulletin boards, and web forums. I’ll cover this in another section, and while doing so explain the title of this paper in more detail. Facebook, Myspace, Twitter, Reddit, Flickr, Google+, and others are a great place to start looking. You can create an entire outline of the connections a potential victim has with friends and family, and their relationships to each other from any one of these sites.

Entertainment

People have a need to be entertained, otherwise they grow restless and anxious. While this ties in with socialization, knowing the entertainment your victim prefers can give you a great deal of insight into the mind of your victim, and it can grant a foothold into their life by allowing you a common ground- whether real or imagined.

Personal Wealth and Possessions

This is a big one. Personal wealth is acquired through a career of some sort, which is highly traceable if this person is self-employed. Also, you can often learn the real name or location of a person from the sites they buy from.

Education (Whether for personal enrichment or employment)

People are curious by nature, and have a need to learn about the world around them- though they might not express it as a desire to go to school. This gives you a lot, and a little. You can gauge the overall knowledgeability of the victim, the career or desired career, interests, friends, level of income, and even general location if the victim is still a student.

Housing

Everyone needs somewhere to sleep. If they own the home they live in, rest assured that you can find them. They don’t even need to own it, they just need a mortgage and you can find their address. You can also find marriage details in the same place you find information pertaining to the home they own.

In a nutshell (Vulnerability: Intel):

  • Social Networks: Contacts
  • Entertainment: Interests
  • Wealth: Employment
  • Education: Various
  • Housing: Location

Tools

In the upcoming sections I’ll address the following tools and how to use them to gain a foothold in any social network, as well as what you can do while you’re there.

Social Networking:

  • Facebook
  • Myspace
  • Twitter
  • Reddit
  • Flickr
  • Forums
  • And more.

E-Commerce:

  • Ebay
  • Amazon

Public Records:

  • Clerk of Courts (Court Records, Legal Documents such as Land, Mortgage, Divorce, Marriage)
  • Department of Commerce or Department of Corporations (Business Ownership)
  • County Appraiser (GIS)

Useful Tools:

  • Wolfram Alpha (Great for guessing an age if all you have is a first name)
  • Phone Books (More useful than you think)
  • Pay Public Records (We do not pay, we use them for broad searches)
  • Maltego (Less useful, especially if you use the free version)
  • Creepy (So much awesome, but still in development)

Geolocation

  • Google Maps
  • County Appraiser (GIS)

The Information You Need

There are three (or four) pieces of information that can give you almost complete control over the life of another person. These are:

  • First and Last Name
  • Date of Birth
  • Social Security Number (Last 4)
  • Mother’s Maiden Name (Optional)

With this information you can find anything else you could possibly need, as well as give you a great deal of control over the victim’s finances and daily life. If you have the person’s real name, you can easily find out where they live in most cases, and you can’t really do much without it.

The date of birth is essential if you want to mess around with their finances, and there are several places you can look to find this. Marriage records are a great place to look.

This information is useful as well:

  • Property Records (Titles, Deeds, Mortgages)
  • Photographs
  • Relatives
  • Workplace
  • Businesses Owned or Operated
  • Signature
  • Phone Numbers
  • Criminal Record
  • Facebook
  • Twitter
  • Instagram

And I’m going to teach you how to get all of it.

An explanatory note: One thing to remember is that there is no such thing as useless information when it comes to your victim. It is all useful, it is all relevant; unless it is redundant. In that case, make a note of it as a source in your dossier and move on. Yes, Myspace, Twitter, and Facebook are as important as property records and phone numbers. Social Networks let you monitor their activity, and the others let you know where they are. Don’t discount any of it!

Collecting and Filtering Data

Start Broad and Narrow Results by Mining Data

There are a few starting points, usually either a username or a birth name. Locating data based on this can be of varying difficulty, depending upon how open a person is about themselves if only a username, or how much you know about the person if it’s a birth name.

People seem to think that while usernames are unique, birth names aren’t. This couldn’t be further from the truth. Usernames are often a unique arrangement of characters, where birth names tend to be linked to a very unique set of locational, age, and marital data. Usernames are less likely to hold this much information.

Consider the very generic sounding name John Wilson. It’s not of any real significance, as I just pulled the name out of the aether. Substitute with John Smith, Paul Johnson, Doug Jones… You get the idea.

John Wilson Intellius Search

With a name that sounds that generic, there are only 99 entries in Public records, several of which are duplicates. How many lived in Florida? How many are in their 30s? How many, given the age group and locations, probably voted Republican? How many are or were married? Had children? Even if you know next to nothing about the person, you could easily know everything.

Let’s go back to the username for a minute. Usernames are unique strings of data, and can generally tell you something about the person behind them, as they were chosen; not given. This is going to be very difficult to explain without a username to go on, but doing so might just violate the rules here at Reddit. Believe me, I’d love nothing more than to give you a detailed example, but I can’t. Sorry.

Unique strings are great for searches. I prefer Google, but you should never rely on only one search engine. Search for that particular string, open up Notepad++ or a similar text editor, and paste anything remotely relevant in there. Also, paste the exact query you used, so you can go back and filter it down later.

Take that information and look for:

  • Forum posts
  • E-Commerce
  • Social Networks
  • Hotmail, Yahoo Mail, Gmail/Google, and Chat programs
  • University or related .edu sites
  • Random comments on blogs or other sites
  • Anything else

If you found the username in an IRC chat, try to see the IP when it logs on or off. If you found it in a forum, join up and read every single post the user ever made. All of them. Copy and paste them into another .txt. Keep doing this until you’ve copied everything and its respective URL.

If you find something useful along the way, pull that out and keep it in a final text; a dossier. This is where all the information you’ve narrowed down will go, but not yet verified.

Store all of your texts except the dossier in one directory. Use the search function to find States and Cities. Any time you get a hit, read it. This should narrow down a great deal for you. After you’ve exhausted that, it’s time to start reading everything. This might take a while, but you should really be getting to know your victim by now. You’ll have a great deal of insight into the victim’s mind, and you’ll probably start finding its friends among fellow internet denizens.

Look for any data concerning a career, education, location, friends, family, pets- anything that you can to paint a picture of the person. Even people that go to great lengths to obfuscate their identity let on much more than they think about their personal life. Use it.

If you haven’t found anything yet, search them. Eventually you will find something that links them to a birth name. Immediately go to Social Networks and find that person. Start looking at all of his or her friends until you find someone that most matches your target.

Once you have this, start working backward until you find a link between the two. If you find nothing, start over and try again until you do.

Here are a few good tools for this:

Once you have a name and an approximate age or some locational data it’s time to move on to the next section.

Identifying Your Victim

Nationwide Public Record Pay Sites

Let’s start with another Public Records Search. Oh, and just a reminder, we never pay for this. Ever. That’s how you get arrested, by using your own credit card to assist you. If you haven’t stolen one, you can’t use one.

Paul Johnson US Search

Notice how there are only 50 matches for such a generic sounding name? In a country with over 300 million citizens, you’d think there’d be thousands. There aren’t.

Depending on the information you have, you can attack this in a variety of ways. Say you only know a general age group for your victim, for example; 35-45. That would be numbers 2, 6, 11, 14, 16, 31, 34, 37, 40, 42, 45, 46, 47, 48, and an unknown- 49. 15 names you’ve pulled from an earlier 50.

Look at the other data here as well. Many of these men are related. Brothers, sons, fathers, uncles, nephews. They probably even live or have lived in the same household. Try to find a link between the information you have about the person and the data on the screen. Don’t discount the names you’ve wiped either, as they might be relevant. Look at relatives and (former) addresses. Take special care to note duplicate cities between separate entities- this is a sign that they are likely relatives, especially if the difference in age is 20+ years.

Search for the other relatives. Does he have a 19 year old daughter or son that just went to college? All of this serves to narrow your information to a specific person. Once you have that it’s time to verify your data and get the good stuff, but I’m going to cover a few more things first.

Telephone Directory

This is going to save you a great deal of time and effort before we start looking into government records; and by that I mean committing a crime. Take the list(s) you’ve created from the previous sections and go to the phone book. No, not the paperbacks silly, these:

I personally go with the three at the top of the list, but you can use whatever you like. Search for what you have, and don’t forget to search every state you have. You might not find the person you’re looking for, but chances are you’ll see an address and possibly a phone number. Keep what you find.

Now, and here’s the fun part. Once you have Phone numbers, do a reverse search and don’t limit yourself to one Telephone Directory. Search them all, as many as you can. Run the number through Google as well, or the search engine of your choice. You’re trying to do two things here: First, to see if the address listed in the phone book has changed or to get one if you don’t already have it, and second; to verify that the number still belongs to that person.

Yes, this is a lot of work.

Google Maps and Street View

Take the address(es) you have and run them through Google Maps or any other Map service you like. Get satellite and Street View images for extra credit. Capture the images and store them with the dossier. Be sure to save the links to both Satellite and Street Views with your Screen Captures, and place the links with each address. We’ll be revisiting this later.

Take note of the make and model of the vehicle, security/alarm company signage, animals, and anything else. Be sure to zoom in and verify the address on the house- often Google is off by a few numbers.

Property Shark

This is one of the few paysites I’d bother signing up with. You get one free report, but you can always sign up with as many throwaway emails as you like and milk them for free. Still, I’d go with the Property Appraiser in the next section before I’d trust them. Still, some jurisdictions make you pay to see records, or require you to visit them in person. When all else fails, you can get a decent detailed report here for free or cheap.

Property Shark Website

Facebook

Facebook is a personal favorite of mine, and actually deserves its own section. I’m going to go into greater detail in a later paper, but for now it serves to mention that you can gather a great deal of information about a person’s interests, family and friends through Facebook. I hate it for personal use, but love it for gathering data.

Limited Datasets and Inaccurate Information

An interesting situation can arise when you have limited data. In one scenario, I was trying to locate a person named Marybeth, but didn’t have a lot to go on. I had a picture of her and knew her general interests, but didn’t have much else; I was flooded with an array of Marybeths as I searched through phone books and Public Record Pay Sites. I’d guessed her age as being mid-20’s, but I was coming up with nothing.

Enter Wolfram Alpha. Wolfram Alpha is a complex online database created and maintained by the Wolfram Research Company, the makers of Wolfram Mathematica.

Marybeth Wolfram Alpha Search

It is exceedingly useful at pulling up data on a number of things, especially names. If you scroll down to the section that says “History for US Births”, you’ll see a graph that illustrates the birth (used to estimate age group) statistics for every Marybeth born between 1880 and 2012. It also cites sources, and is very accurate. Birth names are a trend like any other, and they rise and wane in popularity just the same. Take a look at the year on the graph where the line drops off. What was my mistake? I was looking for a twenty-something year old that was actually thirty-something. With that hammered out, I found everything else very quickly.

Gathering and Confirming Sensitive Information

An explanatory note: Everything in this section is illegal. Do we give a fuck? Hell no. Why should we? I only mention it because it is unlawful to access government records with the intention of committing a crime- or at least it says so on every disclaimer page I ignore and click through.

Clerk of Courts

This is, bar none, the most important place for gathering information on the internet. You can get all sorts of goodies here- but you’ll need to do some research. First, let me give you a little insight as to how this all works.

The United States is divided into 50 states, and within each state are separate jurisdictions- either counties, parishes, or boroughs. Within each county (etc), incorporated municipalities comprise their own separate jurisdictions. Incorporated municipalities and townships have their own police force, but property, criminal, civil, and family court is all handled by the county.

Some states allow you to search for records statewide, some don’t. Some states have counties with limited to no online access, while other counties have state of the art records you can download as PDFs or TIFFS and others. If you have an address, you’ll know the city and state- you’ll need to look up the county. Wikipedia is your friend.

Once you have your county you can search by name, docket if you know it, or a few other methods. You’ll find a bunch of listings for Judgements, Agreements, Annulments, and documents of varying use. Grab them all, particularly Mortgages, Deeds, Marriage Licenses.

This is what they look like, but some jurisdictions differ slightly:

Marriage licenses always contain (for both parties):

  • Date of Birth
  • Full Names
  • State of Birth
  • Mother’s Maiden Name

Mortgage Agreements and Deeds/Titles generally have this speech:

Grantor [Previous Owner] Grantee [Current Owner]

[Party 1’s Name], a (un)married man, and (if married) [Party 2’s Name], a married woman, are Granted the property at [Address] on this date of [Date] by [Party 3’s name]

You’ll want to confirm this with the information you have. You might find that they’ve sold the property and moved. Another thing to keep in mind is the fact that SSN’s are redacted on these documents, and often family court documents are censored or unavailable. Don’t be discouraged. These are not scanned into the server by hand, but are done in bulk by overworked bookkeepers.

They use pattern recognition software to find SSN’s, or redact them in places where they commonly appear. Sometimes the paper goes in at an angle, leaving a SSN only partially or entirely unredacted. If you know some of it, you can figure out the rest. Plenty of Public Records Pay Sites allow you to search by SSN for free, and try to get you to pay to see the whole record- but you always get the name. Only know 5 of the nine numbers? Brute force that shit. Why not?

Finally, you’d be surprised to see how many times I’ve found a SSN in places where it shouldn’t appear. I found one in the middle of a paragraph on a court document detailing a court case where a woman was charged with petty theft. It had no reason to be there, but it was. Just don’t give up.

Property Appraiser

I love the Property Appraiser. Few things say as much about a person’s net worth like the value of their home. Some of the older systems can be a bit wonky, but most allow you to search by name, address, and a few other listings. You can see floor plans, additions and the dates they were added, previous owners, and tons more. Some jurisdictions allow you to download the entire database, which I always do whenever I’m given the opportunity.

Remember when I said we’d revisit Google Maps? This is when we do it. The resolution at most CIS (or GIS, I forget) and related systems is crap. Make sure the house they own is the one you took a capture of. If it is, kudos; otherwise find the right one and grab some more pictures. I’d get as many angles of the house as possible- you’ll need them if you ever plan an entry…

Department of Corporations/Commerce

Every state has one. This is the state registry of businesses, be it a Corporation, LLC, Sole Proprietorship, Doing Business As (DBA) or Fictitious Name, or others. Look them up by Registered Agent Name to see if your guy runs it. The only problem is that not too many states allow you to access this without paying a fee or showing up in person.

Still, you can really get a good idea about your victim’s net worth if you know the value of his or her business and home. Also, you can use this information for Purchase Order fraud, provided you have or can make a letterhead for their business.

In the next part I’ll detail some of the hacks you can use to make money and/or completely fuck someone’s shit up for life with the information you’ve gleaned here.

What is the purpose of this blog?

This blog is being written by me (caboose10392) to help users understand good security practices. I hope to inform the general public on good password policies, smart browsing habits, and other cool things.

The target audience for this blog is ideally everyone, from the security professional to Joe Blow at home. I will be writing articles relating to networking (subnetting, troubleshooting, TCP/IP, Cisco), security (good practices, tools, software), and Linux (how to use it, mastering the command line interface, distro reviews).