
Brute Force Attack

SheldonC asked:
Good day, I am in need of some assistance to complete the following questions.

1. I have to extract the following. From examining the audit log, there is one brute force authentication attack carried out by a user trying different combinations of usernames and passwords with GET requests to various login servers at yahoo.com. From the log file we can see that the attacker (24.168.72.174) was trying to log in using
username: exodus, password: HELL
username: exodus9971, password: christ

What I need is to find a similar case and identify which username and password combinations the same attacker tried in the brute force attack.
I need to find at least one attacker and print the list of usernames and passwords.
Below is an example of an Apache audit_log and an example result:

========================================
Request: 24.168.72.174 - - [Tue Mar  9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
----------------------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1


Example result:
Attacker's address 24.168.72.174
Username:Password => exodus:HELL
Username:Password => exodus9971:christ
Username:Password => exodus815:CHRIST
Username:Password => exodus179:lord
Username:Password => exodus7999:Lord
Username:Password => exodus1872:satan


2. Find the encoded username and password and decode the Base64 MIME using the Perl module MIME::Base64, then list the username:password pairs. Below is a sample log and the expected sample output.

========================================
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://members.sexy-babes.tv/] for 50000 ms
----------------------------------------
GET http://members.sexy-babes.tv/ HTTP/1.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
Pragma: no-cache
Referer: http://members.sexy-babes.tv/
User-Agent: Mozilla/4.73 ( compatible; [en]; Windows 98; athome020 )
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1

Example output:

jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet
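The following is an added example for question 1, not the poster's code: it parses the audit_log record format shown above, pulls the client address and the login/passwd query parameters from each "Request:" line, groups distinct pairs per address and reports every address that tried at least two pairs. The sample records under __DATA__ are constructed in the shape of the records above using the exodus pairs from the example result; the 10.0.0.5 record, the login.example.test host and the s3cret%21 password are made up to show the threshold and URL-decoding. Run it against a real file with ./bruteforce.pl audit_log.

```perl
#!/usr/bin/perl
# Added example, not the poster's code: extract login attempts from a
# mod_security audit_log and group them by client address.  Only the
# "Request:" header of each record is parsed, so the copy of the request
# line that follows the "----" separator is not counted a second time.
use strict;
use warnings;

# Minimal URL decoder (avoids the non-core URI::Escape module):
# '+' becomes a space and %XX becomes the byte it encodes.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Parse one "Request:" line.  Returns (ip, login, passwd), or an empty list
# when the line is not a request carrying both parameters.
sub parse_request_line {
    my ($line) = @_;
    my ($ip, $url) = $line =~ m{^Request: (\d{1,3}(?:\.\d{1,3}){3}) .* "(?:GET|POST) (\S+) HTTP/\d\.\d"}
        or return;
    my ($query) = $url =~ /\?(.*)/ or return;   # everything after the first '?'
    my %param;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;      # split on the first '=' only
        next unless defined $k && length $k;
        $param{$k} = url_decode(defined $v ? $v : '');
    }
    return unless defined $param{login} && defined $param{passwd};
    return ($ip, $param{login}, $param{passwd});
}

# Read a log handle and return { ip => [ "user:pass", ... ] } with each
# distinct pair kept once, in first-seen order.
sub collect_attempts {
    my ($fh) = @_;
    my (%attempts, %seen);
    while (my $line = <$fh>) {
        my ($ip, $login, $passwd) = parse_request_line($line) or next;
        my $pair = "$login:$passwd";
        push @{ $attempts{$ip} }, $pair unless $seen{$ip}{$pair}++;
    }
    return \%attempts;
}

# Format every address that tried at least $min_pairs distinct pairs in the
# "Username:Password =>" layout used in the question.
sub report {
    my ($attempts, $min_pairs) = @_;
    my @out;
    for my $ip (sort keys %$attempts) {
        my @pairs = @{ $attempts->{$ip} };
        next if @pairs < $min_pairs;
        push @out, "Attacker's address $ip", map { "Username:Password => $_" } @pairs;
    }
    return join("\n", @out) . "\n";
}

# Usage: ./bruteforce.pl audit_log   (without an argument the constructed
# sample below is used; lower the threshold to 1 to list single attempts too)
my $fh = \*DATA;
if (@ARGV) { open my $in, '<', $ARGV[0] or die "open $ARGV[0]: $!\n"; $fh = $in }
print report(collect_attempts($fh), 2);

__DATA__
========================================
Request: 24.168.72.174 - - [Tue Mar  9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&login=exodusc&passwd=HELL HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&login=exodusc&passwd=HELL HTTP/1.0
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
========================================
Request: 24.168.72.174 - - [Tue Mar  9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
========================================
Request: 24.168.72.174 - - [Tue Mar  9 22:44:10 2004] "GET http://login.korea.yahoo.com/config/login?.tries=1&login=exodus815&passwd=CHRIST HTTP/1.0" 200 566
Handler: proxy-server
========================================
Request: 10.0.0.5 - - [Tue Mar  9 23:01:00 2004] "GET http://login.example.test/config/login?login=alice&passwd=s3cret%21 HTTP/1.0" 200 566
Handler: proxy-server
```

With the sample data the script prints the three exodus pairs under "Attacker's address 24.168.72.174" and suppresses 10.0.0.5, which made only one attempt. The query string is parsed parameter by parameter rather than with a single `login=(.*)&passwd=` regex, so the order of the parameters and percent-encoded characters in the password do not matter; a second '?' inside a parameter value (as in `.redir_from=PROFILES?`) is handled because only the first '?' starts the query.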

ozo commented:
How do you get the result
Username:Password =>  exodus:HELL
from the example?
ozo commented:
and how do you get

jonno76:jeanne
printemp:gonzo2
keon200:pimps
x757x:lamer
dqts05d3:aiclzpuq
pats111:ashley
paulheit:pau1heit
paulejg1:tempest
pkwhonet:pkwhonet

from the sample you posted?

I would have expected
NjlhMHo5YWc6a281NmFqNg==
to decode as
69a0z9ag:ko56aj6

Author commented:


Sorry, the output for Question 1 should read similar to the one below after reading the log:

=======================================
Request: 24.168.72.174 - - [Tue Mar  9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodusc&passwd=HELL HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodusc&passwd=HELL] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodusc&passwd=HELL HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close
=======================================
Request: 24.168.72.174 - - [Tue Mar  9 22:43:47 2004] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ] for 50000 ms
----------------------------------------
GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=exodus9971&passwd=christ HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1


Example result:
Attacker's address 24.168.72.174
login: exodusc, passwd: HELL
login: exodus9971, passwd: christ



This is a sample output for Question 2 from the Apache audit_log using command line code:
# egrep -i 'Authorization\: Basic' audit_log | less

Authorization: Basic Og==

Authorization: Basic Og==

Authorization: Basic Og==

Authorization: Basic am9ubm83NjpqZWFubmU=

Authorization: Basic cHJpbnRlbXA6Z29uem8y

Authorization: Basic a2VvbjIwMDpwaW1wcw==

Authorization: Basic eDc1N3g6bGFtZXI=

The following command line gives the desired output:
# for f in `egrep -i 'Authorization\: Basic' audit_log | awk '{print $3}'` ; do echo $f | perl -MMIME::Base64 -ne 'print decode_base64($_)'; echo ; done |less

:

:

:

jonno76:jeanne

printemp:gonzo2

keon200:pimps

x757x:lamer

I would like to accomplish the same in a Perl script (regex) like the one below.
This regex is used to capture the IP addresses of remote users:

if (/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
    $REMOTE_IP{$1}++;
}
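An added example for question 2, not the poster's code, doing in a single Perl script what the egrep | awk | for loop above does: it walks the audit_log, remembers the client address and target host from each "Request:" line, decodes every "Authorization: Basic" header with MIME::Base64 and splits the result into user and password. Empty credentials such as Og== (which decodes to a bare ":") are skipped, and each address/host/credential combination is printed once. The records under __DATA__ are constructed; the tokens NjlhMHo5YWc6a281NmFqNg==, Og== and am9ubm83NjpqZWFubmU= are from this thread, while the 10.0.0.7 address, the intranet.example.test host and the Ym9iOnBhOnNz token (a password containing a colon) are made up.

```perl
#!/usr/bin/perl
# Added example, not the poster's code: recover HTTP Basic credentials from a
# mod_security audit_log in pure Perl.  Basic auth is only Base64-encoded, so
# anyone who can read this log can read the passwords; the log file deserves
# the same protection as a password file.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);   # core module

# Decode one "Authorization: Basic <token>" value into (user, password).
# Returns an empty list for malformed tokens and for empty credentials such
# as "Og==", which decodes to a bare ":" (no username).
sub decode_basic {
    my ($token) = @_;
    return unless defined $token && $token =~ m{^[A-Za-z0-9+/]+={0,2}$};
    my ($user, $pass) = split /:/, decode_base64($token), 2;  # password may contain ':'
    return unless defined $pass && length $user;
    return ($user, $pass);
}

# Walk the log.  The client address and target host come from the "Request:"
# header that opens each record; the Authorization header follows inside it.
sub collect_basic_creds {
    my ($fh) = @_;
    my ($ip, $host) = ('-', '-');
    my (%seen, @creds);
    while (my $line = <$fh>) {
        if ($line =~ m{^Request: (\d{1,3}(?:\.\d{1,3}){3}) .* "\w+ (?:https?://([^/\s]+))?}) {
            ($ip, $host) = ($1, defined $2 ? $2 : '-');
            next;
        }
        next unless $line =~ /^Authorization: Basic (\S+)/i;
        my ($user, $pass) = decode_basic($1) or next;
        my $key = join "\0", $ip, $host, $user, $pass;
        push @creds, { ip => $ip, host => $host, user => $user, pass => $pass }
            unless $seen{$key}++;
    }
    return \@creds;
}

# Usage: ./basic_creds.pl audit_log   (constructed sample records are used
# when no file is given)
my $fh = \*DATA;
if (@ARGV) { open my $in, '<', $ARGV[0] or die "open $ARGV[0]: $!\n"; $fh = $in }
for my $c (@{ collect_basic_creds($fh) }) {
    printf "%-15s %-24s %s:%s\n", $c->{ip}, $c->{host}, $c->{user}, $c->{pass};
}

__DATA__
========================================
Request: 81.215.8.250 - - [Wed Mar 10 01:51:06 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
Handler: proxy-server
----------------------------------------
GET http://members.sexy-babes.tv/ HTTP/1.0
Authorization: Basic NjlhMHo5YWc6a281NmFqNg==
Host: members.sexy-babes.tv
mod_security-message: Access denied with code 200. Pattern match "Basic" at HEADER.
========================================
Request: 81.215.8.250 - - [Wed Mar 10 01:52:30 2004] "GET http://members.sexy-babes.tv/ HTTP/1.0" 200 566
----------------------------------------
Authorization: Basic Og==
========================================
Request: 10.0.0.7 - - [Wed Mar 10 02:00:00 2004] "GET http://intranet.example.test/ HTTP/1.0" 200 566
----------------------------------------
Authorization: Basic am9ubm83NjpqZWFubmU=
========================================
Request: 10.0.0.7 - - [Wed Mar 10 02:00:05 2004] "GET http://intranet.example.test/ HTTP/1.0" 200 566
----------------------------------------
Authorization: Basic Ym9iOnBhOnNz
```

On the sample data this prints 69a0z9ag:ko56aj6 for 81.215.8.250 (the decoding ozo pointed out), then jonno76:jeanne and bob:pa:ss for 10.0.0.7; the Og== record produces no line. The split is limited to two fields so that a colon inside the password is preserved, and the token is checked against the Base64 alphabet before decoding so that a truncated or garbled header cannot produce a misleading pair.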




Author commented:
I tried the following code to try and capture the IP address, username and password with "Error: mod_security:". However, I wasn't able to capture the data needed. I must be doing something wrong.



my $login;
my $password;
my $ipaddress;
open(my $logfile2, '<', 'audit_log') || die "Error opening log file: $!\n";
while (my $line = <$logfile2>) {
    # "Request:" line: capture the client address and the login/passwd parameters
    if ( $line =~ m/^Request: (\d+\.\d+\.\d+\.\d+).*login=(.*)&passwd=([^\s]+)/ ) {
        $ipaddress = $1;
        $login     = $2;
        $password  = $3;
    } elsif ( $line =~ m/^Error: mod_security/ ) {
        print "Attacker : $ipaddress\n";
        print "Login : $login, Password : $password \n\n";
    }
}
close $logfile2;
    


Author commented:
I formatted my code and it is now reading the data correctly, but I am getting this error message when I use strict and warnings:
Use of uninitialized value $password in concatenation (.) or string. Any suggestions?



use strict;
use warnings;

my $login;
my $password;
my $ipaddress;
open(my $logfile2, '<', 'audit_log') || die "Error opening log file: $!\n";
while (my $line = <$logfile2>) {
    if ( $line =~ /Request: (\d+\.\d+\.\d+\.\d+).*(login=.*passwd=+[^\s]+)/ ) {
        # the pattern above has only two capture groups, so $3 stays undefined
        $ipaddress = $1;
        $login     = $2;
        $password  = $3;
    } elsif ( $line =~ m/^Error: mod_security/ ) {
        # print "Attacker : $ipaddress\n";
        # print "$login, $pass \n\n";
    }
    print "Attacker : $ipaddress\n";
    print "$login, $password\n\n";
}
close $logfile2;
    



You get the error because you only have a $1 and a $2 in your regular expression (the first "(" is related to the if statement and does not count towards the number of brackets in the expression).

Replace line 9 with the following:
if ( $line =~ /Request: (\d+\.\d+.\d+\.\d+).*(login=.*)(passwd=+[^\s]+)/ ) {



The extra brackets will make sure a $3 is defined and you will get no errors.

JG

Suhas commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
