This attack attempt made me laugh a bit. I see the following event from my Sguil instance running on Security Onion that is monitoring my honeypot:
I pull the transcript and find the following:
I thought that was a very odd password to attempt. I wanted a transcript of all the attempts the attacker tried, so I used tcpdump to carve out the session between my honeypot and the attacker with the following commands:
cd /nsm/sensor_data/jbc-eth0/dailylogs/2013-02-24/
tcpdump -r snort.log.1361664061 -w ~/ftpbruteforce-pcap-20130224.pcap ip and host 61.129.71.42 and host 192.168.1.20 and port 21 and proto 6
Security Onion logs full pcaps to /nsm/sensor_data/<sensor-name>/dailylogs/<date>. The tcpdump command is pretty much the same command that Sguil issues to the sensor to generate transcripts. The -r is to read in a pcap file, -w is to write the results to a pcap file. After that is the BPF (Berkeley Packet Filter) expression, which defines what traffic we want to carve out (proto 6 being TCP).
I opened ftpbruteforce-pcap-20130224.pcap in Wireshark and started looking at the sessions and found this one:
It turns out there are multiple attempts using %username% and some other strings. It seems our attacker forgot to configure this field. Logically, I assume it's supposed to try different variations of Administrator and a string such as:
Administrator1
Administrator12
Administrator123
Administrator1234
If anyone knows the FTP brute forcing tool that was likely used, please let us know. My Google-fu is failing, as Google drops punctuation from searches.
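To tally the attempts out of a carved session like this one, here is an added Python example (mine, not code from this post or from Security Onion). It parses a constructed Sguil-style transcript (SRC: attacker, DST: honeypot), pairs each USER/PASS with the server's final reply, and flags passwords that still contain an unexpanded %...% template token like the %username% seen above.

```python
import re
from collections import Counter
# Constructed sample FTP control-channel transcript in the style Sguil
# shows (SRC: attacker, DST: honeypot); not real captured data.
SAMPLE_TRANSCRIPT = """\
SRC: USER Administrator
DST: 331 Please specify the password.
SRC: PASS %username%
DST: 530 Login incorrect.
SRC: USER Administrator
DST: 331 Please specify the password.
SRC: PASS %username%123
DST: 530 Login incorrect.
SRC: USER Administrator
DST: 331 Please specify the password.
SRC: PASS Administrator1
DST: 530 Login incorrect.
SRC: USER anonymous
DST: 331 Please specify the password.
SRC: PASS guest@
DST: 230 Login successful.
"""

# Unexpanded wordlist-template tokens such as %username%
PLACEHOLDER = re.compile(r"%[A-Za-z_]+%")

def parse_ftp_attempts(transcript):
    """Pair each USER with the following PASS and the server's final reply; returns (user, password, code) tuples."""
    attempts = []
    user = password = None
    for line in transcript.splitlines():
        parts = line.split(" ", 2)  # e.g. ["SRC:", "PASS", "secret"]
        if len(parts) < 2:
            continue
        side, cmd = parts[0], parts[1].upper()
        arg = parts[2] if len(parts) > 2 else ""
        if side == "SRC:" and cmd == "USER":
            user, password = arg, None
        elif side == "SRC:" and cmd == "PASS":
            password = arg
        elif side == "DST:" and password is not None and cmd in ("230", "530"):
            attempts.append((user, password, int(cmd)))
            password = None
    return attempts
def summarize(attempts):
    """Totals, successes, and passwords left with unexpanded placeholders."""
    return {"attempts": len(attempts),
            "successes": sum(1 for _, _, c in attempts if c == 230),
            "unexpanded": [p for _, p, _ in attempts if PLACEHOLDER.search(p)],
            "users": Counter(u for u, _, _ in attempts)}
```

A run of the real transcript through this would show how many guesses were wasted on the literal %username% string versus the Administrator1-style guesses the tool was presumably meant to send.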