Brute Force Attack
Good day, I am in need of some assistance to complete the following questions
1. I have to extract . From examining the audit log one brute force authentication attack carried out by users trying different combinations of usernames and passwords with a GET request to various login servers at yahoo.com. From the log file we can see that , attacker (24.168.72.174) was trying to login using
username: exodus, password: HELL
username: exodus9971, password: christ
What I need is to find out Find out similar a case and identify that the same attacker tried brute force attack with what usernames and password combinations.
I need to find at least one attacker and print list of username and password
Below is an example of an Apache audit_log and Example result
==========================
Request: 24.168.72.174 - - [Tue Mar 9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
--------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example result:
Arracker’s address 24.168.72.174
Username:Password => exodus:HELL
Username:Password => exodus9971:christ
Username:Password => exodus815:CHRIST
Username:Password => exodus179:lord
Username:Password => exodus7999:Lord
Username:Password => exodus1872:satan
2. Find encoded username and password and decode the Base64 MIME by using Perl module, MIME::base64, then list pair of usename:password. below is a sample log and sample output expected
==========================
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://members.sexy-babes.tv/] for 50000 ms
--------------------------
GET http://members.sexy-babes.tv/ HTTP/1.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
Pragma: no-cache
Referer: http://members.sexy-babes.tv/
User-Agent: Mozilla/4.73 ( compatible; [en]; Windows 98; athome020 )
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example output)
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
1. I have to extract . From examining the audit log one brute force authentication attack carried out by users trying different combinations of usernames and passwords with a GET request to various login servers at yahoo.com. From the log file we can see that , attacker (24.168.72.174) was trying to login using
username: exodus, password: HELL
username: exodus9971, password: christ
What I need is to find out Find out similar a case and identify that the same attacker tried brute force attack with what usernames and password combinations.
I need to find at least one attacker and print list of username and password
Below is an example of an Apache audit_log and Example result
==========================
Request: 24.168.72.174 - - [Tue Mar 9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
--------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example result:
Arracker’s address 24.168.72.174
Username:Password => exodus:HELL
Username:Password => exodus9971:christ
Username:Password => exodus815:CHRIST
Username:Password => exodus179:lord
Username:Password => exodus7999:Lord
Username:Password => exodus1872:satan
2. Find encoded username and password and decode the Base64 MIME by using Perl module, MIME::base64, then list pair of usename:password. below is a sample log and sample output expected
==========================
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://members.sexy-babes.tv/] for 50000 ms
--------------------------
GET http://members.sexy-babes.tv/ HTTP/1.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
Pragma: no-cache
Referer: http://members.sexy-babes.tv/
User-Agent: Mozilla/4.73 ( compatible; [en]; Windows 98; athome020 )
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example output)
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
and how do you get
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
from the sample you posed?
I would have expected
NjlhMHo5YWc6a281NmFqNg==
to decode as
69a0z9ag:ko56aj6
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
from the sample you posed?
I would have expected
NjlhMHo5YWc6a281NmFqNg==
to decode as
69a0z9ag:ko56aj6
Sorry the output for Question 1 should read similar to the one below after reading the log
==========================
Request: 24.168.72.174 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodusc&passwd=HELL HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodusc&passwd=HELL] for 50000 ms
--------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodusc&passwd=HELL HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
==========================
Request: 24.168.72.174 - - [Tue Mar 9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=ch
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
--------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example result:
Arracker’s address 24.168.72.174
login: exodusc, passwd: HELL
login: exodus9971, passwdd: christ
This is an sample outpur of Question 2 of the apache audit_log using command line code
# egrep -i 'Authorization\: Basic' audit_log | less
Authorization: Basic Og==
Authorization: Basic Og==
Authorization: Basic Og==
Authorization: Basic am9ubm83NjpqZWFubmU=
Authorization: Basic cHJpbnRlbXA6Z29uem8y
Authorization: Basic a2VvbjIwMDpwaW1wcw==
Authorization: Basic eDc1N3g6bGFtZXI=
The following command line gives the desired output:
# for f in `egrep -i 'Authorization\: Basic' audit_log | awk '{print $3}'` ; do echo $f | perl -MMIME::Base64 -ne 'print decode_base64($_)'; echo ; done |less
:
:
:
jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
I would like to accomplish the same using in a perl scripts (regex) like below:
This regex is used to capture IP addresses of remote user
if (/^(\d{1,3}\.\d{1,3}\.\d{1
{
$REMOTE_IP{$1}++
}
I tried the following code to try and capture ipaddress, username and password with "Error: mod_security:". however I wasn't able to capture the data needed. I must be doing something wrong.
my $login ;
my $password ;
my $ipaddress ;
open (LOGFILE2,"audit_log") || die " Error opening log file .\n";
for my $line (<LOGFILE2>) {
if ( $line =~ m/^Request: (\d+\.\d+.\d+\.\d+).*login=(.*)&passwd=(
+[^\s]+)/ ) {
$ipaddress = $1 ;
$login = $2 ;
$password = $3 ;
} elsif ( $line =~ m/^Error: mod_security/) {
print "Attacker : $ipaddress\n" ;
print "Login : $login, Password : $password \n\n" ;
}
}
formatted my code and its now reading the data correctly but I am getting this error message when I use strict and warnings:
use of uninitialized vale password in concatenation (.) or string. Any suggestions?
use of uninitialized vale password in concatenation (.) or string. Any suggestions?
use strict;
use warnings;
my $login ;
my $password ;
my $ipaddress ;
open (LOGFILE2,"audit_log") || die " Error opening log file .\n";
for my $line (<LOGFILE2>) {
if ( $line =~ /Request: (\d+\.\d+.\d+\.\d+).*(login=.*passwd=+[^\s]+)/ ) {
$ipaddress = $1 ;
$login = $2 ;
$password = $3 ;
} elsif ( $line =~ m/^Error: mod_security/) {
# print "Attacker : $ipaddress\n" ;
#print "$login, $pass \n\n" ;
}
print "Attacker : $ipaddress\n" ;
print "$login, $password\n\n" ;
}
You get the error because you only have a $1 and a $2 in your regular expression (the first "(" is related to the if statement and does not count towards the number of brackets in the expression).
Replace line 9 with the following:
The extra brackets will make sure a $3 is defined and you will get no errors.
JG
Replace line 9 with the following:
if ( $line =~ /Request: (\d+\.\d+.\d+\.\d+).*(login=.*)(passwd=+[^\s]+)/ ) {
The extra brackets will make sure a $3 is defined and you will get no errors.
JG
Premium Content
You need an Expert Office subscription to comment.Start Free Trial