I pull the transcript and find the following:
I thought that was a very odd password to attempt. I wanted to a transcript of all the attempts the attacker tried, so I used tcpdump to carve out the session between my honeypot and the attacker with the following commands:
cd /nsm/sensor_data/jbc-eth0/dailylogs/2013-02-24/
tcpdump -r snort.log.1361664061 -w ~/ftpbruteforce-pcap-20130224.pcap ip and host 61.129.71.42 and host 192.168.1.20 and port 21 and proto 6
Securityonion will log full pcap's to /nsm/sensor_data/<sensor-name>/dailylogs/<date>. The tcpdump command is pretty much the same command that sguil issues to the sensor to generate transcripts. The -r is to read in a pcap file, -w is to write the results to a pcap file. After that is the BPF (Berkley Packet Filter) filter which defines what traffic we want to carve out.
I opened ftpbruteforce-pcap-20130224.pcap in wireshark and started looking at the sessions and found this one:
Turns out, there are multiple attempts of using %username% and some other strings. It seems our attacker forgot to configure this field. Logically, I assume it's supposed to try different variations of Administrator and a string such as:
Administrator1
Administrator12
Administrator123
Administrator1234
If anyone knows the FTP brute forcing tool that was likely used, please let us know. My Google-fu is failing as Google drops punctuations from searches.
No comments:
Post a Comment