Secure Honey

SSH honeypot written in C

Language Engineered Attacks

Saturday 30th November 2013 11:13

This week has been fairly quiet on the project because the end of term is fast approaching at university, so I've been working on other modules. However, there have been some developments on the project.

There has been an interesting "trickle" brute-force attack happening over the past few days. To date, the attacking IP address has made 4,128 brute-force attempts using password variations such as:

These attacks seem to be using some sort of language-engineered brute force: instead of a fixed word list, the attacker appears to generate misspellings and variations of common passwords such as, in the example above, the word "password".

As mentioned above, these language-engineered brute-force attempts have been trickling in slowly over the past few days. The daily counts (which add up to the 4,128 total) are:

date             ip              # attempts
Sat 30 Nov 2013  31.***.***.**          450
Fri 29 Nov 2013  31.***.***.**          901
Thu 28 Nov 2013  31.***.***.**          900
Wed 27 Nov 2013  31.***.***.**          563
Tue 26 Nov 2013  31.***.***.**          466
Mon 25 Nov 2013  31.***.***.**          848
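To make the "language engineering" idea concrete, here is an added example (my own code, not part of the Secure Honey project) that does the reverse of what the attacker does: it takes the login attempts from one source address, maps each attempted password back to the nearest common base word by Levenshtein edit distance, and counts attempts per calendar day so that a slow trickle from a single address stands out. The log records, the addresses (taken from documentation ranges, not the masked address above) and the short base-word list are all constructed for the example.

```python
"""Detect a "language engineered" trickle brute force from honeypot log records.

Added example (not Secure Honey's own code). Records, addresses and the
base-word list below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records: (timestamp, source ip, username, password).
SAMPLE_ATTEMPTS = [
    ("2013-11-25 03:12:44", "198.51.100.7", "root", "password"),
    ("2013-11-25 09:40:02", "198.51.100.7", "root", "pasword"),
    ("2013-11-26 14:05:19", "198.51.100.7", "root", "passwrod"),
    ("2013-11-26 22:51:33", "198.51.100.7", "root", "passw0rd"),
    ("2013-11-27 01:00:09", "198.51.100.7", "root", "paswsord"),
    ("2013-11-27 18:12:56", "198.51.100.7", "root", "passowrd"),
    ("2013-11-28 05:33:12", "198.51.100.7", "root", "123456"),
    ("2013-11-28 07:10:00", "203.0.113.5", "admin", "admin"),
]

# Base words the variants are measured against (a small stand-in for a real top-N list).
BASE_WORDS = ["password", "admin", "123456", "root"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1).

    A swapped-letter typo such as "passwrod" counts as two substitutions,
    so a threshold of 2 still catches it.
    """
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def nearest_base(password, base_words=BASE_WORDS, max_distance=2):
    """Closest base word as (word, distance), or None if nothing is within max_distance."""
    dist, word = min((edit_distance(password.lower(), w), w) for w in base_words)
    return (word, dist) if dist <= max_distance else None


def cluster_by_base(attempts, ip):
    """Group one IP's attempted passwords by the base word they are a variant of."""
    clusters = defaultdict(list)
    for _ts, src, _user, pwd in attempts:
        if src == ip:
            hit = nearest_base(pwd)
            clusters[hit[0] if hit else "<unmatched>"].append(pwd)
    return dict(clusters)


def daily_counts(attempts, ip):
    """Attempts per calendar day from one IP; a low, steady number each day is the trickle signature."""
    counts = Counter()
    for ts, src, _user, _pwd in attempts:
        if src == ip:
            day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date().isoformat()
            counts[day] += 1
    return counts


if __name__ == "__main__":
    ip = "198.51.100.7"
    for base, variants in cluster_by_base(SAMPLE_ATTEMPTS, ip).items():
        print(f"{base}: {variants}")
    for day, n in sorted(daily_counts(SAMPLE_ATTEMPTS, ip).items()):
        print(day, n)
```

A distance threshold of 2 works for an eight-letter base word like "password" but over-matches short ones ("root" is within 2 of many four-letter strings), so in practice the threshold should scale with the length of the base word. A per-day count that stays in the hundreds, as in the table above, is exactly what a fixed per-minute rate limit or fail2ban-style ban window fails to notice.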

Duplicate Attacks

Another interesting observation arose this week when I duplicated the current honeypot (by simply taking an image of the system) and created a new virtual server. I'll be running the duplicate honeypot alongside the existing one to see how the attacks compare. The two honeypots have different IP addresses and are named alpha and charlie in the data below:

date                       ip               username          password          honeypot
Sat 30 Nov 2013, 10:42:06  140.***.***.***  verwalter         verwalter         alpha
Sat 30 Nov 2013, 10:42:06  140.***.***.***  yonetici          yonetici          alpha
Sat 30 Nov 2013, 10:42:05  140.***.***.***  spravce           spravce           alpha
Sat 30 Nov 2013, 10:42:04  140.***.***.***  pentadbir         pentadbir         alpha
Sat 30 Nov 2013, 10:42:04  140.***.***.***  skrbnik           skrbnik           alpha
Sat 30 Nov 2013, 10:42:03  140.***.***.***  beheerder         beheerder         alpha
Sat 30 Nov 2013, 10:42:03  140.***.***.***  msimamizi         msimamizi         alpha
Sat 30 Nov 2013, 10:42:02  140.***.***.***  amministratur     amministratur     alpha
Sat 30 Nov 2013, 10:42:01  140.***.***.***  adminisztrator    adminisztrator    alpha
Sat 30 Nov 2013, 10:42:01  140.***.***.***  amministratore    amministratore    alpha
Sat 30 Nov 2013, 10:42:00  140.***.***.***  administrators    administrators    alpha
Sat 30 Nov 2013, 10:41:59  140.***.***.***  administrator     administrator     alpha
Sat 30 Nov 2013, 10:41:59  140.***.***.***  administratorius  administratorius  alpha
Sat 30 Nov 2013, 10:41:58  140.***.***.***  administrateur    administrateur    alpha
Sat 30 Nov 2013, 10:41:57  140.***.***.***  administranto     administranto     alpha
Sat 30 Nov 2013, 10:41:57  140.***.***.***  administrate      administrate      alpha
Sat 30 Nov 2013, 10:41:56  140.***.***.***  administrador     administrador     alpha
Sat 30 Nov 2013, 10:41:55  140.***.***.***  yonetici          yonetici          charlie
Sat 30 Nov 2013, 10:41:55  140.***.***.***  administraator    administraator    alpha
Sat 30 Nov 2013, 10:41:54  140.***.***.***  spravce           spravce           charlie
Sat 30 Nov 2013, 10:41:54  140.***.***.***  verwalter         verwalter         charlie
Sat 30 Nov 2013, 10:41:53  140.***.***.***  skrbnik           skrbnik           charlie
Sat 30 Nov 2013, 10:41:52  140.***.***.***  msimamizi         msimamizi         charlie
Sat 30 Nov 2013, 10:41:52  140.***.***.***  pentadbir         pentadbir         charlie
Sat 30 Nov 2013, 10:41:51  140.***.***.***  amministratur     amministratur     charlie
Sat 30 Nov 2013, 10:41:51  140.***.***.***  beheerder         beheerder         charlie
Sat 30 Nov 2013, 10:41:50  140.***.***.***  amministratore    amministratore    charlie
Sat 30 Nov 2013, 10:41:49  140.***.***.***  adminisztrator    adminisztrator    charlie
Sat 30 Nov 2013, 10:41:48  140.***.***.***  administratorius  administratorius  charlie
Sat 30 Nov 2013, 10:41:48  140.***.***.***  administrators    administrators    charlie
Sat 30 Nov 2013, 10:41:47  140.***.***.***  administrator     administrator     charlie
Sat 30 Nov 2013, 10:41:46  140.***.***.***  administrate      administrate      charlie
Sat 30 Nov 2013, 10:41:46  140.***.***.***  administrateur    administrateur    charlie
Sat 30 Nov 2013, 10:41:45  140.***.***.***  administrador     administrador     charlie
Sat 30 Nov 2013, 10:41:45  140.***.***.***  administranto     administranto     charlie
Sat 30 Nov 2013, 10:41:44  140.***.***.***  administraator    administraator    charlie

What the data above shows is that the attacking IP address ran exactly the same brute-force list against both honeypots: the same 18 username/password pairs, each with the password equal to the username and each a translation or variant of the word "administrator", tried against charlie first and then against alpha about ten seconds later. The attacker appears to be blindly working through ranges of IP addresses that have port 22 open and accepting SSH connections.
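The comparison above can be automated once more than one sensor is logging. The following is an added example (my own code, not part of the Secure Honey project) that groups attempts by source address and honeypot, measures how much the credential lists overlap, and reports the lag between the first hit on one honeypot and the first hit on the other. The records are constructed in the shape of the alpha/charlie table (one source, password equal to username, the second honeypot reached a few seconds after the first); the addresses come from documentation ranges and the timestamps are made up.

```python
"""Correlate one attacker's brute-force run across two honeypots.

Added example (not Secure Honey's own code). Records, addresses and
timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records: (timestamp, source ip, username, password, honeypot).
SAMPLE = [
    ("2013-11-30 10:41:44", "192.0.2.40", "administraator", "administraator", "charlie"),
    ("2013-11-30 10:41:45", "192.0.2.40", "administrador", "administrador", "charlie"),
    ("2013-11-30 10:41:46", "192.0.2.40", "administrator", "administrator", "charlie"),
    ("2013-11-30 10:41:47", "192.0.2.40", "beheerder", "beheerder", "charlie"),
    ("2013-11-30 10:41:55", "192.0.2.40", "administraator", "administraator", "alpha"),
    ("2013-11-30 10:41:56", "192.0.2.40", "administrador", "administrador", "alpha"),
    ("2013-11-30 10:41:57", "192.0.2.40", "administrator", "administrator", "alpha"),
    ("2013-11-30 10:41:58", "192.0.2.40", "beheerder", "beheerder", "alpha"),
    # A different source trying an unrelated pair on alpha only; must not correlate.
    ("2013-11-30 11:02:10", "203.0.113.5", "root", "123456", "alpha"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def credential_sets(records):
    """Per (ip, honeypot): the set of (username, password) pairs tried and the first-seen time."""
    creds = defaultdict(set)
    first_seen = {}
    for ts, ip, user, pwd, hp in records:
        key = (ip, hp)
        creds[key].add((user, pwd))
        t = datetime.strptime(ts, FMT)
        first_seen[key] = min(first_seen.get(key, t), t)
    return creds, first_seen


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means both honeypots saw exactly the same list."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def correlate(records, first_hp, second_hp, min_overlap=0.8):
    """IPs that ran (nearly) the same credential list against both honeypots.

    Returns {ip: (overlap, lag_seconds)}, where lag is how long after the first
    attempt on first_hp the attacker reached second_hp (negative if reversed).
    """
    creds, first_seen = credential_sets(records)
    hits = {}
    for ip in {ip for ip, _hp in creds}:
        a, b = creds.get((ip, first_hp)), creds.get((ip, second_hp))
        if not a or not b:
            continue  # seen on one sensor only: nothing to correlate
        overlap = jaccard(a, b)
        if overlap >= min_overlap:
            lag = (first_seen[(ip, second_hp)] - first_seen[(ip, first_hp)]).total_seconds()
            hits[ip] = (overlap, lag)
    return hits


def same_as_username_ratio(records, ip):
    """Fraction of an IP's attempts where password == username (a default-credential sweep)."""
    mine = [(u, p) for _ts, src, u, p, _hp in records if src == ip]
    return sum(u == p for u, p in mine) / len(mine) if mine else 0.0


if __name__ == "__main__":
    for ip, (overlap, lag) in correlate(SAMPLE, "charlie", "alpha").items():
        print(f"{ip}: overlap={overlap:.2f}, reached alpha {lag:+.0f}s after charlie, "
              f"password==username {same_as_username_ratio(SAMPLE, ip):.0%}")
```

The overlap threshold is deliberately below 1.0 so that a session cut off part-way through the list still correlates; the sign and size of the lag tell you whether the scanner walks addresses sequentially (a few seconds apart, as in the table) or fires at many hosts in parallel. Correlation needs the unmasked source address on both sensors, so mask only when publishing, not in the stored logs.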

Lack of Shell Attacks

In last week's post I analysed some recent attacks on the honeypot's shell CLI emulator. Unfortunately this week has seen zero attacks on the shell. I need to look into the shell emulator and check it's working on various SSH clients such as PuTTY.

New bits

Finally, I've added some new bits to this website: there's now a password tag cloud shown on every page. The data feeding this feature is live, so the tag cloud will update regularly as new passwords are attempted on the honeypot.

There's also a new section on this site called publications, where I've added the project proposal and interim report for this project, both of which were handed in at university.

Image credit: generated with Wordle.net using data gathered from honeypot during initial testing phase.


Live Stats

Attempted logins

date range     # attempts
today                 393
yesterday             194
past 7 days         4,426
past 30 days       17,357
all time        4,114,040

Top 5 passwords

password   # attempts
123456         18,562
admin           8,503
password        6,536
-               6,393
root            4,833

Top 5 usernames

username   # attempts
root        3,927,129
admin          78,772
test            4,046
oracle          3,356
nagios          2,648

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Tue, 07 Jun 2016 16:33:48 +0100

Live Password Cloud

12qwaszx 963852741 1234%^ POIUYT 12344321 zxcvbn 111 zaqxsw 888888 111111 asdfghjkl a123456 windows qwer1234 q1w2e3 Passw0rd zxcv support 1111 server iloveyou welcome123 user !@ abcdef a cisco 123abc qwer qwerty123 q123456 manager 54321 alpine qq123456 huawei 11223344 password zaqxswcde qazwsx default 1 qwe123 test okokok 88888888 ubnt dragon 159753 147852369 12345678 passwd qwertyuiop 23456 power qwaszx huawei123 changeme123 123123123 5201314 Aa123456 qwe 1qazxsw2 nagios redhat zaqxswcdevfr q1w2e3r4 1234qwer 1qaz2wsx3edc monitor 12345 pass root1234 password123 123qweasd 000000 z1x2c3v4 qaz qazwsx123 f**kyou admin123!@# Pass123 121212 p@ssword 1a2s3d4f 1qaz2wsx Admin123456 woaini zaq1xsw2 linux adminadmin _ system 1qaz@WSX P@ssw0rd1 sapp a1b2c3d4 654321 qazwsxedc 1234 sqlpp qazxsw asdf sysadmin qqpp abc123 idc2008 123123 666666 123456 123qwe 987654321 admin123 admin@123 zhang 789789 11111111 idcidc qwerty123456 secret Huawei@123 !@#$%^ changeme 1q2w3e 147258369 superman 147258 admin1 mnbvcxz admin welcome 225588 !qaz1QAZ 123 p0o9i8u7 apple aaa !QAZ2wsx administrator zzzzzz oracle qwerty china 0000 rootpass 7890pp letmein abcd1234 1122334455 raspberry abc1234 a1s2d3f4 rootroot P@ssw0rd qwert public adminpp 1q2w3e4r5t root 1234567890 qweasd guest asdfgh test123 zxcvbnm caonima - !QAZ@WSX 112233 147147 123654 q1w2e3r4t5 1234567 1q2w3e4r password1 root123 123456789 12345qwert qweasdzxc 110110 159357