Good day, I am in need of some assistance to complete the following questions.
1. I have to extract, from examining the audit log, one brute-force authentication attack carried out by users trying different combinations of usernames and passwords with a GET request to various login servers at yahoo.com. From the log file we can see that the attacker (24.168.72.174) was trying to log in using
username: exodus, password: HELL
username: exodus9971, password: christ
What I need is to find a similar case and identify which username and password combinations the same attacker tried in the brute-force attack.
I need to find at least one attacker and print a list of usernames and passwords.
Below is an example of an Apache audit_log and an example result.
==========================
==========
====
Request: 24.168.72.174 - - [Tue Mar 9 22:43:47 2004] "GET
http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [
http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
--------------------------
----------
----
GET
http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example result:
Attacker's address 24.168.72.174
Username:Password => exodus:HELL
Username:Password => exodus9971:christ
Username:Password => exodus815:CHRIST
Username:Password => exodus179:lord
Username:Password => exodus7999:Lord
Username:Password => exodus1872:satan
2. Find the encoded username and password and decode the Base64 MIME using the Perl module MIME::Base64, then list the username:password pairs. Below is a sample log and the sample output expected.
==========================
==========
====
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET
http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [
http://members.sexy-babes.tv/] for 50000 ms
--------------------------
----------
----
GET
http://members.sexy-babes.tv/ HTTP/1.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
Pragma: no-cache
Referer:
http://members.sexy-babes.tv/
User-Agent: Mozilla/4.73 ( compatible; [en]; Windows 98; athome020 )
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example output:
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
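As an added worked example (not part of the post, and not the assignment's required Perl solution), the script below parses mod_security 1.x audit_log entries of the layout shown above, groups the login/passwd pairs of the Yahoo login requests by client address (question 1), and decodes the Authorization: Basic header into a username:password pair (question 2). It uses Python's base64 module where the assignment names Perl's MIME::Base64; the decoding step is the same. The sample entries are constructed in the post's layout with documentation IP addresses and example.net hostnames, and the Basic token is the one shown in the post; a malformed token is included to show that invalid base64 is skipped rather than crashing the parser.

```python
"""Extract credential guesses from a mod_security 1.x audit_log (added example).

Assumption: each entry keeps the "Request:" line and the request line in the body
on a single line (the post shows them wrapped), and request headers follow the
"----" separator until the first blank line or mod_security-* line.
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENTRY_SEP = "==========================\n==========\n====\n"
REQUEST_RE = re.compile(r'^Request: (\S+) - - \[([^\]]+)\] "(\S+) (\S+) (HTTP/\d\.\d)"', re.M)
HEADER_RE = re.compile(r"^([A-Za-z][\w-]*): ?(.*)$")


def split_entries(text):
    """Yield the text of each audit_log entry with the '====' separator removed."""
    for chunk in text.split(ENTRY_SEP):
        if chunk.strip():
            yield chunk


def parse_entry(entry):
    """Return client ip, timestamp, method, url and request headers for one entry."""
    m = REQUEST_RE.search(entry)
    if not m:
        return None
    ip, ts, method, url, _version = m.groups()
    headers, in_request = {}, False
    for line in entry.splitlines():
        if line.startswith(method + " "):      # "GET <url> HTTP/1.0" opens the raw request
            in_request = True
            continue
        if not in_request:
            continue
        if not line.strip() or line.startswith("mod_security-"):
            break                               # end of the request headers
        h = HEADER_RE.match(line)
        if h:
            headers[h.group(1).lower()] = h.group(2)
    return {"ip": ip, "time": ts, "method": method, "url": url, "headers": headers}


def form_credentials(rec):
    """login/passwd pair from the query string of a Yahoo-style login URL, or None."""
    qs = parse_qs(urlsplit(rec["url"]).query)
    if "login" in qs and "passwd" in qs:
        return qs["login"][0], qs["passwd"][0]
    return None


def basic_credentials(rec):
    """(user, password) from an 'Authorization: Basic <base64>' header, or None."""
    scheme, _, token = rec["headers"].get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):        # malformed token: skip, do not crash
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def collect(text):
    """Group distinct form-login pairs by client ip; list (host, user, password) for Basic auth."""
    by_ip, basic = defaultdict(list), []
    for entry in split_entries(text):
        rec = parse_entry(entry)
        if rec is None:
            continue
        cred = form_credentials(rec)
        if cred and cred not in by_ip[rec["ip"]]:
            by_ip[rec["ip"]].append(cred)
        pair = basic_credentials(rec)
        if pair:
            host = rec["headers"].get("host", urlsplit(rec["url"]).hostname)
            basic.append((host, *pair))
    return dict(by_ip), basic


def brute_force_sources(by_ip, min_attempts=3):
    """Client ips that tried at least min_attempts distinct username:password pairs."""
    return sorted(ip for ip, creds in by_ip.items() if len(creds) >= min_attempts)


def _entry(ip, ts, url, extra_headers=()):
    """Build one constructed audit_log entry in the layout shown in the post."""
    lines = [f'Request: {ip} - - [{ts}] "GET {url} HTTP/1.0" 200 566',
             "Handler: proxy-server", f"Error: mod_security: pausing [{url}] for 50000 ms",
             "--------------------------", "----------", "----",
             f"GET {url} HTTP/1.0", "Accept: */*", *extra_headers,
             "mod_security-message: Access denied with code 200.", "mod_security-action: 200",
             "", "HTTP/1.0 200 OK", "Connection: close"]
    return ENTRY_SEP + "\n".join(lines) + "\n"


YAHOO = ("http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg"
         "&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login={u}&passwd={p}")
SAMPLE_AUDIT_LOG = (  # constructed sample data, not a real log
    _entry("24.168.72.174", "Tue Mar 9 22:43:47 2004", YAHOO.format(u="exodus", p="HELL"))
    + _entry("24.168.72.174", "Tue Mar 9 22:43:52 2004", YAHOO.format(u="exodus9971", p="christ"))
    + _entry("24.168.72.174", "Tue Mar 9 22:43:58 2004", YAHOO.format(u="exodus815", p="CHRIST"))
    + _entry("192.0.2.10", "Tue Mar 9 23:01:00 2004", YAHOO.format(u="someone", p="once"))
    + _entry("81.215.8.250", "Wed Mar 10 01:51:06 2004", "http://members.example.net/",
             ("Authorization: Basic NjlhMHo5YWc6a281NmFqNg==", "Host: members.example.net"))
    + _entry("198.51.100.7", "Wed Mar 10 02:00:00 2004", "http://members.example.org/",
             ("Authorization: Basic not-base64!!", "Host: members.example.org")))

if __name__ == "__main__":
    by_ip, basic = collect(SAMPLE_AUDIT_LOG)
    for ip in brute_force_sources(by_ip):
        print(f"Attacker's address {ip}")
        for user, password in by_ip[ip]:
            print(f"Username:Password => {user}:{password}")
    for host, user, password in basic:
        print(f"{host} {user}:{password}")
```

Running it on a real audit_log only needs `collect(open("audit_log").read())` in place of the constructed sample; the `min_attempts` threshold in `brute_force_sources` is what separates one stray login from the repeated guessing the question asks you to identify, so tune it to the log you are given.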