Getting Information on People the 1337 H4xx0r Way

There are a lot of ways to get information on people through computers, ranging from amateurish methods like stalking someone’s Facebook profile to methods that require a little more technical know-how. In this tutorial I’m going to focus on reconnaissance methods that harness clever tech tricks and hacks that not everyone knows about. I wouldn’t say they’re more effective than stalking someone on social media, but they certainly do bring more hacker cred and they’re also a hell of a lot more fun.


Method #1: EXIF leaks

This is a method you can sometimes use to track a person down based on metadata in a photo they’ve posted. This metadata, called EXIF data, can be viewed in the Properties dialog in Windows or its equivalent on Linux or macOS. Cameras and smartphones come equipped with GPS receivers, which provide geolocation information, and some models store that geolocation in the EXIF data of the photos they take, allowing random people on the Internet to find out the exact latitude and longitude where the photo was taken. EXIF geolocation data has been used in the past on 4chan to dox and track down animal abusers who uploaded photos of the abuse.

Unfortunately for nosy people like me, camera manufacturers seem to have caught on to the privacy risks of geolocation data in recent years, and this feature appears to be turned off in a lot of newer models. So don’t think that this is a surefire method of getting info on someone. It should be regarded as one trick out of many that might or might not work, and you have to keep trying stuff until you can gradually piece together a profile of your target.
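The flip side of this method is checking what your own photos leak before you post them. The following Python script is an added example, not code from the original post: it walks the JPEG segment structure, finds the Exif APP1 segment, parses the TIFF container inside it for the GPSInfo IFD (tag 0x8825, with the standard GPS tags 1-4 for latitude/longitude and their N/S/E/W references), converts the degree/minute/second rationals to decimal coordinates, and can strip the whole Exif segment so the image can be shared without it. The sample JPEG and its coordinates are constructed inline (it carries no pixel data, only the metadata), so the script runs offline with the standard library alone.

```python
"""Detect GPS coordinates in a JPEG's Exif (APP1/TIFF) metadata and strip the segment.
Added example; standard library only. The sample image below is constructed."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # GPSInfo pointer entry in IFD0
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field type widths


def split_jpeg(jpeg):
    """Return (metadata segments, remaining bytes). Segments are (marker, raw) up to SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or start of scan: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def _is_exif(marker, raw):
    return marker == 0xE1 and raw[4:10] == EXIF_HEADER


def extract_tiff(jpeg):
    """The TIFF blob inside the Exif APP1 segment, or None if the image carries no Exif."""
    for marker, raw in split_jpeg(jpeg)[0]:
        if _is_exif(marker, raw):
            return raw[10:]
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with the whole Exif APP1 segment removed; image data is untouched."""
    segments, tail = split_jpeg(jpeg)
    kept = [raw for marker, raw in segments if not _is_exif(marker, raw)]
    return b"\xff\xd8" + b"".join(kept) + tail


def _read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: value bytes}, following offsets for values wider than 4 bytes."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            entries[tag] = tiff[e + 8:e + 8 + size]
        else:
            (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            entries[tag] = tiff[off:off + size]
    return entries


def gps_coordinates(tiff):
    """Decimal (lat, lon) from the GPS IFD, or None if no complete fix is recorded."""
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD])
    gps = _read_ifd(tiff, gps_off, endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def degrees(ref_tag, value_tag):
        nums = struct.unpack(endian + "IIIIII", gps[value_tag])  # three RATIONALs: deg, min, sec
        d, m, s = (nums[i] / nums[i + 1] for i in (0, 2, 4))
        value = d + m / 60 + s / 3600
        return -value if gps[ref_tag][:1] in (b"S", b"W") else value

    return degrees(GPS_LAT_REF, GPS_LAT), degrees(GPS_LON_REF, GPS_LON)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a minimal JPEG whose only content is an Exif GPS IFD (no pixels)."""
    le = "<"

    def entry(tag, typ, n, value):      # 12-byte IFD entry; `value` is 4 bytes (inline or offset)
        return struct.pack(le + "HHI", tag, typ, n) + value

    # Layout relative to the TIFF header: IFD0 at 8, GPS IFD at 26, six RATIONALs from 80.
    ifd0 = (struct.pack(le + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(le + "I", 26))
            + struct.pack(le + "I", 0))
    gps = struct.pack(le + "H", 4)
    gps += entry(GPS_LAT_REF, 2, 2, lat_ref + b"\x00\x00\x00")
    gps += entry(GPS_LAT, 5, 3, struct.pack(le + "I", 80))
    gps += entry(GPS_LON_REF, 2, 2, lon_ref + b"\x00\x00\x00")
    gps += entry(GPS_LON, 5, 3, struct.pack(le + "I", 104))
    gps += struct.pack(le + "I", 0)
    rationals = b"".join(struct.pack(le + "II", v, 1) for v in lat_dms + lon_dms)
    tiff = b"II" + struct.pack(le + "HI", 42, 8) + ifd0 + gps + rationals
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed sample: 37°46'30"N 122°25'12"W (not a real photo)
SAMPLE = build_sample_jpeg((37, 46, 30), b"N", (122, 25, 12), b"W")

if __name__ == "__main__":
    print("GPS in sample:", gps_coordinates(extract_tiff(SAMPLE)))
    print("GPS after strip:", extract_tiff(strip_exif(SAMPLE)))
```

Run it against a real file by replacing SAMPLE with the bytes of a photo; if gps_coordinates returns a pair, the image is telling the world where it was taken, and writing out strip_exif(data) drops that segment along with the rest of the Exif block (camera model, timestamps and so on). Note that many photo-sharing sites strip this for you, but messaging apps and file transfers generally do not.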


Method #2: UDP packet sniffing

Packet sniffing in promiscuous mode can be a great boon when it comes to spying on other people on the same LAN. Unfortunately it’s not available in many operating systems, as packets destined for other hosts are filtered out at the kernel level. However, you can still get some limited info on other people’s devices (just basic things like hostnames) by watching for broadcast packets sent by those devices. For example, I was sniffing packets in an Internet café back when I was still using macOS and I managed to get the real name of a girl sitting at the next table over by looking at the ARP cache flush packets that her iPhone was sending out. I could have used it as an opportunity to break the ice and be extremely creepy at the same time (e.g. by addressing her by name and pretending to be her son from the future), but I thought it best to just keep my snooping behaviors to myself.

There are a few filters you can use to only catch broadcast packets. One way to do it is to filter out all non-UDP traffic (this won’t work if you’re on a VPN though, as VPNs typically operate over UDP). Another, probably better way is to filter out all traffic destined for your own IP address. Then you can just sit and watch as the broadcast packets come in. Some devices may send broadcast packets once to get their own IP addresses when connecting to the network and then do very little broadcasting henceforth, so this method is probably most effective in places where people are coming and going rather quickly, like Internet cafés, as my earlier example illustrates.


Method #3: Tracking spyware to its source

If you have a Trojan on your system that is phoning home to an enemy hacker’s computer, you can trace the connection and see who’s on the other end. You can gather information about network connections in two ways: one is a packet sniffer and the other is a command-line program called netstat. netstat will show you all the connections established on your system and the IP address or domain name of whoever is on the other end. A packet sniffer will also show you who’s on the other end, except that you get a separate entry for each individual packet. More skilled hackers will have ways to obscure their IP addresses so that you’ll get a zombie’s IP address instead of the real culprit, but you might be able to catch a few amateurs this way. It’s also very informative to watch the packets going in and out of your computer while you’re connected to a website, to see whether the website is performing covert telemetry.
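The tedious part of the netstat approach is picking the interesting lines out of a screenful of local and listening sockets. The Python below is an added example, not the post’s own code: it parses the common netstat -an layout (Linux and macOS), drops wildcard and listening entries, and reports only connections whose remote side is outside loopback, link-local and RFC 1918 private space. The local ranges are listed explicitly rather than taken from ipaddress.is_private so that the constructed sample lines, which use documentation addresses like 203.0.113.45 and 198.51.100.7, are classified as external the way a real Internet address would be.

```python
"""Flag established connections to addresses outside the local network in netstat output.
Added example; the netstat lines below are constructed, not captured from a real host."""
import ipaddress

# Ranges treated as "local": loopback, RFC 1918 private, link-local and their IPv6 equivalents.
# Listed explicitly so documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) count as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
WILDCARDS = {"0.0.0.0", "::", "*"}   # "foreign address" of listening/unbound sockets

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:52344      203.0.113.45:443        ESTABLISHED
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:49152      198.51.100.7:8080       ESTABLISHED
tcp        0      0 192.168.1.20:36000      192.168.1.5:445         ESTABLISHED
tcp6       0      0 ::1:6379                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port); splits on the last colon so IPv6 literals survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_local(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # a resolved hostname (netstat run without -n) is treated as external
    return any(addr in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Rows of {proto, local, foreign, state} from netstat -an style output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue   # headers, unix-domain sockets and anything else we don't parse
        state = fields[5] if len(fields) > 5 else ""   # UDP rows carry no state column
        rows.append({"proto": fields[0], "local": fields[3], "foreign": fields[4], "state": state})
    return rows


def external_connections(text):
    """(proto, remote host, remote port, state) for every non-wildcard remote outside LOCAL_NETS."""
    found = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["foreign"])
        if host in WILDCARDS or is_local(host):
            continue
        found.append((row["proto"], host, port, row["state"]))
    return found


if __name__ == "__main__":
    for proto, host, port, state in external_connections(SAMPLE_NETSTAT):
        print(f"{proto:5} -> {host}:{port:<6} {state}")
```

Feed it the real thing with something like `netstat -an | python3 this_script.py` after swapping SAMPLE_NETSTAT for sys.stdin.read(). The -n flag matters: without it netstat reverse-resolves remote addresses, which is slow and gives the classifier hostnames instead of IPs. Once a suspicious remote shows up, netstat -p on Linux (or -o and -b on Windows) ties the socket to the owning process, which is the next thing you want to know about a phone-home connection.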


Method #4: Whois lookup

Once you have someone’s IP address, you can get additional information about their activities through the Whois protocol. Whois is a simple TCP-based query protocol (port 43) for looking up the registration records kept for domain names and IP address blocks, with detailed contact and allocation information for each. This method is not particularly useful for getting information about individual people, but you can find a wealth of information about who’s hosting them, and then you can go from there. I’ve used Whois to help a friend of mine track down a Chinese scammer who ripped her off and get them banned from the cloud service they were using. So it can be fairly useful in the right circumstances. To use Whois in Unix/Linux, type whois address-or-domain-name at the command line. For Windows or mobile devices, there are websites available that serve as frontends to the Whois protocol, and you can find them with a simple web search.
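Because the protocol is so simple (RFC 3912: open TCP port 43, send the query line terminated by CRLF, read until the server closes the connection), the whois command is only a few lines of code. The Python below is an added example, not the post’s own code, and exists mainly to show the exchange and the kind of record that comes back, which for the abuse-report use case above means pulling out the provider’s abuse contact. The transport is pluggable so the parser can be exercised on a constructed response without touching the network; the default server whois.iana.org is the real IANA referral server, and the sample record, organisation and addresses are invented.

```python
"""Minimal Whois client (RFC 3912) with a pluggable transport so it can run offline.
Added example; the sample response is constructed in the style of an RIR record."""
import socket

WHOIS_PORT = 43


def build_query(target):
    """RFC 3912: the query is a single line terminated by CRLF."""
    if "\r" in target or "\n" in target:
        raise ValueError("query must be a single line")
    return target.encode("ascii") + b"\r\n"


def tcp_exchange(server, payload, timeout=10):
    """Real transport: connect to port 43, send the query, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_record(raw):
    """'Key: value' lines -> {lowercased key: [values]}; comment lines (% or #) are skipped."""
    record = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def whois(target, server="whois.iana.org", transport=tcp_exchange):
    """Query `server` for `target` (IP or domain) and return the parsed record."""
    return parse_record(transport(server, build_query(target)))


def abuse_contacts(record):
    """Every value stored under a key that mentions 'abuse' (OrgAbuseEmail, abuse-mailbox, ...)."""
    return sorted({v for key, values in record.items() if "abuse" in key for v in values})


# Constructed sample response (fictional organisation, documentation address range).
SAMPLE_RESPONSE = b"""\
% Constructed sample in the style of an RIR response; not real data.
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        Example Hosting Ltd
Country:        ZZ
OrgAbuseEmail:  abuse@example.net
abuse-mailbox:  abuse@example.net
"""


def fake_transport(server, payload):
    """Offline stand-in for tcp_exchange; ignores the server and returns the constructed record."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    rec = whois("198.51.100.7", transport=fake_transport)
    print("Hosted by:", rec.get("orgname"), "range:", rec.get("netrange"))
    print("Report abuse to:", abuse_contacts(rec))
```

Real servers usually answer with a referral rather than the final record (IANA points you at the regional registry responsible for the block, and the registry's answer may point at the provider), so in practice you follow the "refer:" or "ReferralServer:" field and query again. The parser above keeps those as ordinary keys, so the loop is a few extra lines around whois().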


Method #5: IP address geolocation

Another thing you can do once you have someone’s IP address is look up where that address is physically located. There are several online utilities that provide geolocation data for IP addresses; I’ve used them sporadically and found them fairly effective. These utilities are backed by databases that keep track of which IP addresses are allocated to whom and in what regions. And I haven’t tried this myself, but I’m pretty sure it’s possible to match geolocation data to an actual street address using something like Google Earth. Might be worth a shot.


Well, I hope you enjoyed my list. With great knowledge comes great power. Use it wisely.
