Backtrace a Hacker's Keylogger or RAT
Have you been infected with a RAT or a keylogger and want to find out who your attacker is? Many of the simpler keyloggers and RATs send the stolen data back to the attacker in one of two ways. This tutorial explains how to spot that traffic, and the account it is sent to, using a program called Wireshark.
There are two common ways an attacker receives your information: email (SMTP) and FTP servers. You need to understand how each works first.
By email: while building the malware (the "server" half of the RAT or keylogger), the attacker has to type in the email address the stolen information should be sent to, along with the mail account the malware will log in with to send it.
By FTP server: much like the email method, except that instead of an email address the attacker configures an FTP server and account that receives the uploads. With either method the payload is usually a text log of your keystrokes, sent once you have been infected.
Because the malware has to carry these credentials and use them over the network, if we capture all packets and filter for either protocol we will see the attacker's FTP login or email account, as long as the malware uses the plain, unencrypted form of the protocol.
Wireshark is a popular packet analyzer used by network forensics practitioners to inspect the traffic passing through a network interface such as Ethernet or WLAN. It records every packet entering or leaving your machine on the interface you select.
Whenever you think you may be infected, follow the steps below to find out whether something is sending your data out and where it is going.
- First of all, download and install Wireshark from the official Wireshark site.
Note: on Windows the installer also offers to install the packet capture driver (Npcap in current releases, WinPcap in older ones). Accept it; without that driver Wireshark cannot capture anything.
Now open the "Capture" menu at the top of Wireshark and select the interface your machine uses to reach the internet.
Wireshark will start capturing the packets passing through that network card. Keep the capture running for at least an hour: many loggers only upload their logs periodically, so a short capture can easily miss the moment the data leaves.
Now filter the results. Type ftp into the display filter bar and apply it; if nothing shows up, try smtp instead, since the attacker could be using either. When you find a matching conversation, right-click a packet in it and choose Follow > TCP Stream to read the whole exchange in order.
In an FTP conversation, look for the USER and PASS commands: these are the username and password of the attacker's FTP account, sent in the clear, followed by STOR commands naming the log files being uploaded. In an SMTP conversation, look at the AUTH LOGIN or AUTH PLAIN exchange, which carries the username and password of the mail account the malware sends from (base64-encoded, not encrypted, and Wireshark decodes it for you), and then at MAIL FROM and RCPT TO, which show the mailbox the stolen data is delivered to.
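To show exactly what the filtered FTP and SMTP streams give you, here is an added example that is not part of the original tutorial: a small Python script that reads conversations laid out the way Wireshark's Follow TCP Stream shows them and pulls out the FTP USER/PASS and uploaded file names, the SMTP AUTH LOGIN or AUTH PLAIN credentials (decoding the base64), and the RCPT TO address. The three sample conversations, including every host, account, password and address in them, are constructed for this example; it also handles the AUTH PLAIN variant, which the tutorial does not mention separately.

```python
import base64

# Constructed sample conversations in the form Wireshark's "Follow TCP Stream"
# shows them. Key: (client IP, server IP, server port); lines: ("C" = infected
# client, "S" = server, text). Every host, account and password here is invented.
SAMPLE_STREAMS = {
    ("10.0.0.5", "203.0.113.10", 21): [
        ("S", "220 ProFTPD Server ready."),
        ("C", "USER dropzone"),
        ("S", "331 Password required for dropzone"),
        ("C", "PASS Winter2011!"),
        ("S", "230 User dropzone logged in"),
        ("C", "STOR keylog_2011-03-01.txt"),
    ],
    ("10.0.0.5", "198.51.100.25", 25): [
        ("S", "220 mail.example.net ESMTP"),
        ("C", "EHLO victim-pc"),
        ("C", "AUTH LOGIN"),
        ("S", "334 VXNlcm5hbWU6"),   # base64 of "Username:"
        ("C", base64.b64encode(b"stolenlogs@example.net").decode()),
        ("S", "334 UGFzc3dvcmQ6"),   # base64 of "Password:"
        ("C", base64.b64encode(b"Hunter2").decode()),
        ("S", "235 Authentication successful"),
        ("C", "MAIL FROM:<stolenlogs@example.net>"),
        ("C", "RCPT TO:<attacker-inbox@example.org>"),
    ],
    # AUTH PLAIN on the submission port: one base64 blob of "authzid\0user\0password".
    ("10.0.0.5", "198.51.100.26", 587): [
        ("S", "220 smtp.example.com ESMTP"),
        ("C", "EHLO victim-pc"),
        ("C", "AUTH PLAIN " + base64.b64encode(b"\0logbot@example.com\0Spring2012").decode()),
        ("S", "235 2.7.0 Authentication successful"),
        ("C", "MAIL FROM:<logbot@example.com>"),
        ("C", "RCPT TO:<drop@example.org>"),
    ],
}


def _b64_text(blob: str) -> str:
    """Decode a base64 field to text; return "" if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def parse_ftp(lines: list) -> dict:
    """Pull USER/PASS and the names of uploaded files out of an FTP control stream."""
    found = {"protocol": "FTP", "username": "", "password": "", "uploads": []}
    for who, text in lines:
        if who != "C":
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            found["username"] = arg
        elif verb == "PASS":
            found["password"] = arg
        elif verb in ("STOR", "APPE"):   # the upload commands
            found["uploads"].append(arg)
    return found


def parse_smtp(lines: list) -> dict:
    """Recover AUTH LOGIN / AUTH PLAIN credentials and RCPT TO addresses from SMTP."""
    found = {"protocol": "SMTP", "username": "", "password": "", "recipients": []}
    login_fields = []        # base64 answers the client sends during AUTH LOGIN
    in_auth_login = False
    for who, text in lines:
        if who != "C":
            continue
        if in_auth_login:    # username, then password, each as a base64 line
            login_fields.append(_b64_text(text))
            if len(login_fields) == 2:
                found["username"], found["password"] = login_fields
                in_auth_login = False
            continue
        parts = text.split(None, 2)
        upper = text.upper()
        if upper.startswith("AUTH LOGIN"):
            in_auth_login = True
            if len(parts) == 3:          # "AUTH LOGIN <b64 username>" variant
                login_fields.append(_b64_text(parts[2]))
        elif upper.startswith("AUTH PLAIN") and len(parts) == 3:
            fields = _b64_text(parts[2]).split("\0")
            if len(fields) == 3:
                found["username"], found["password"] = fields[1], fields[2]
        elif upper.startswith("RCPT TO:"):
            found["recipients"].append(text.split(":", 1)[1].strip().strip("<>"))
    return found


def extract_exfil_credentials(streams: dict) -> list:
    """Pick the parser by server port (21 = FTP, 25/587 = SMTP), as the tutorial's filters do."""
    findings = []
    for (client, server, port), lines in streams.items():
        if port == 21:
            found = parse_ftp(lines)
        elif port in (25, 587):
            found = parse_smtp(lines)
        else:
            continue                     # not FTP or SMTP: nothing to read in the clear
        found.update(client=client, server=server, port=port)
        findings.append(found)
    return findings


if __name__ == "__main__":
    for f in extract_exfil_credentials(SAMPLE_STREAMS):
        where = f.get("recipients") or f.get("uploads")
        print(f"{f['protocol']} {f['server']}:{f['port']} login {f['username']!r}/{f['password']!r} -> {where}")
```

The point of the script is the same as the Wireshark walk-through: none of these fields are hidden, they are just spread over several packets, so once you have the stream in order the credentials and the destination mailbox fall out of a handful of string operations. If the stream you follow is TLS instead (FTPS, SMTP with STARTTLS), there are no USER/PASS or AUTH lines to read and this approach stops at the server's address.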
That's it! You have the account the stolen data is going to. Note that a more careful attacker will protect the channel, for example with FTPS or SMTP over TLS, or use something other than FTP and email entirely, so the credentials will not always be readable in the capture (the server's IP address and hostname still will be). This will not always work, but it is a great first step for backtracing and catching a hacker who has infected your system.