We help IT Professionals succeed at work.
Get Started
Brute Force Attack
Good day, I am in need of some assistance to complete the following questions
1. I have to extract . From examining the audit log one brute force authentication attack carried out by users trying different combinations of usernames and passwords with a GET request to various login servers at yahoo.com. From the log file we can see that , attacker (24.168.72.174) was trying to login using
username: exodus, password: HELL
username: exodus9971, password: christ
What I need is to find out Find out similar a case and identify that the same attacker tried brute force attack with what usernames and password combinations.
I need to find at least one attacker and print list of username and password
Below is an example of an Apache audit_log and Example result
==========================
Request: 24.168.72.174 - - [Tue Mar 9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
--------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example result:
Arracker’s address 24.168.72.174
Username:Password => exodus:HELL
Username:Password => exodus9971:christ
Username:Password => exodus815:CHRIST
Username:Password => exodus179:lord
Username:Password => exodus7999:Lord
Username:Password => exodus1872:satan
2. Find encoded username and password and decode the Base64 MIME by using Perl module, MIME::base64, then list pair of usename:password. below is a sample log and sample output expected
==========================
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://members.sexy-babes.tv/] for 50000 ms
--------------------------
GET http://members.sexy-babes.tv/ HTTP/1.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
Pragma: no-cache
Referer: http://members.sexy-babes.tv/
User-Agent: Mozilla/4.73 ( compatible; [en]; Windows 98; athome020 )
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example output)
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
1. I have to extract . From examining the audit log one brute force authentication attack carried out by users trying different combinations of usernames and passwords with a GET request to various login servers at yahoo.com. From the log file we can see that , attacker (24.168.72.174) was trying to login using
username: exodus, password: HELL
username: exodus9971, password: christ
What I need is to find out Find out similar a case and identify that the same attacker tried brute force attack with what usernames and password combinations.
I need to find at least one attacker and print list of username and password
Below is an example of an Apache audit_log and Example result
==========================
Request: 24.168.72.174 - - [Tue Mar 9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
--------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example result:
Arracker’s address 24.168.72.174
Username:Password => exodus:HELL
Username:Password => exodus9971:christ
Username:Password => exodus815:CHRIST
Username:Password => exodus179:lord
Username:Password => exodus7999:Lord
Username:Password => exodus1872:satan
2. Find encoded username and password and decode the Base64 MIME by using Perl module, MIME::base64, then list pair of usename:password. below is a sample log and sample output expected
==========================
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://members.sexy-babes.tv/] for 50000 ms
--------------------------
GET http://members.sexy-babes.tv/ HTTP/1.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
Pragma: no-cache
Referer: http://members.sexy-babes.tv/
User-Agent: Mozilla/4.73 ( compatible; [en]; Windows 98; athome020 )
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example output)
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE