Language Engineered Attacks
This week has been fairly quiet on the project because the end of term is fast approaching at university, so I've been working on other modules. There have, however, been some developments on the project.
There has been an interesting "trickle" brute-force attack happening over the past few days. To date, the attacking IP address has made 4,128 brute-force attempts using password variations such as:
- P@$$w0rd123456789
- P@$$w0rd$123456789
- P@$$W0RD0
- p@sswOrd123456789
- p@sswd123456
These attacks seem to be using some sort of language-engineering-based brute-force attack that generates misspellings and character substitutions (symbol and digit swaps, case changes, appended numbers) of common passwords; in the example above, every attempt is a variation of the word "password".
As mentioned above, these language-engineered brute-force attacks have been trickling in slowly over the past few days, as the table below shows:

| date | ip address | # attempts |
|---|---|---|
| Sat 30 Nov 2013 | 31.***.***.** | 450 |
| Fri 29 Nov 2013 | 31.***.***.** | 901 |
| Thu 28 Nov 2013 | 31.***.***.** | 900 |
| Wed 27 Nov 2013 | 31.***.***.** | 563 |
| Tue 26 Nov 2013 | 31.***.***.** | 466 |
| Mon 25 Nov 2013 | 31.***.***.** | 848 |
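The two properties of this campaign worth detecting are that the attempts collapse into a handful of base words once the substitutions are undone, and that the daily volume stays modest while the multi-day total is large. The script below is an added example (not code from the Secure Honey project): it normalises each attempted password back to a candidate base word using a small substitution table and an edit-distance match, then aggregates attempts per source IP per day and flags a source that is active on several days but never spikes. The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Group honeypot password attempts into base-word families and flag
low-and-slow (trickle) sources.  Added example; the log records, source
addresses and thresholds below are constructed, not project data."""
from collections import defaultdict
import re

# Constructed sample, one record per attempt:
# "<date>\t<source ip>\t<username>\t<password>"
SAMPLE_LOG = """\
2013-11-25\t31.0.0.1\troot\tP@$$w0rd123456789
2013-11-25\t31.0.0.1\troot\tP@$$w0rd$123456789
2013-11-26\t31.0.0.1\troot\tP@$$W0RD0
2013-11-27\t31.0.0.1\troot\tp@sswOrd123456789
2013-11-28\t31.0.0.1\troot\tp@sswd123456
2013-11-29\t31.0.0.1\troot\tPa55word!
2013-11-30\t31.0.0.1\troot\tadm1n
2013-11-30\t203.0.113.7\tadmin\tadmin
2013-11-30\t203.0.113.7\tadmin\t123456
"""

# Character substitutions commonly used to "mangle" a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "5": "s", "7": "t"})

# Base words we want to recognise variants of (assumed list).
BASE_WORDS = ("password", "admin", "root", "letmein", "qwerty")
MAX_DISTANCE = 2   # how far a normalised attempt may be from a base word


def normalise(password: str) -> str:
    """Lower-case, drop appended digits/punctuation, undo substitutions."""
    s = password.lower()
    s = re.sub(r"[\d\W_]+$", "", s)     # strip trailing "123456", "!" etc.
    s = s.translate(LEET)
    return re.sub(r"[^a-z]+$", "", s)   # anything left over after mapping


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_word(password: str) -> str:
    """Return the base word an attempt is derived from, or the attempt
    itself (lower-cased) when nothing is close enough."""
    s = normalise(password)
    if not s:                            # purely numeric, e.g. "123456"
        return password.lower()
    best = min(BASE_WORDS, key=lambda w: edit_distance(s, w))
    return best if edit_distance(s, best) <= MAX_DISTANCE else s


def parse(log: str):
    """Yield (day, ip, username, password) tuples from the tab format."""
    for line in log.splitlines():
        if line.strip():
            day, ip, user, pw = line.split("\t", 3)
            yield day, ip, user, pw


def trickle_report(log: str, min_days: int = 3, max_per_day: int = 1000,
                   min_total: int = 5) -> dict:
    """Per source IP: active days, total attempts, daily peak, base-word
    families, and a 'trickle' flag for sources that stay under
    max_per_day every day yet accumulate min_total attempts over at
    least min_days distinct days."""
    per_day = defaultdict(lambda: defaultdict(int))
    families = defaultdict(lambda: defaultdict(int))
    for day, ip, _user, pw in parse(log):
        per_day[ip][day] += 1
        families[ip][base_word(pw)] += 1
    report = {}
    for ip, days in per_day.items():
        total = sum(days.values())
        peak = max(days.values())
        report[ip] = {
            "days": len(days), "total": total, "peak_per_day": peak,
            "families": dict(families[ip]),
            "trickle": len(days) >= min_days and total >= min_total
                       and peak <= max_per_day,
        }
    return report


if __name__ == "__main__":
    for ip, info in trickle_report(SAMPLE_LOG).items():
        print(ip, info)
```

Tuning note: `max_per_day` should sit below whatever per-source rate your normal fail2ban-style rule triggers on, because the point of the second check is to catch the sources that deliberately stay under that rate; `MAX_DISTANCE` of 2 accepts `passwd` as a `password` variant while still keeping short, unrelated strings in their own family.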
Duplicate Attacks
Another interesting observation arose this week when I duplicated the current honeypot (by simply taking an image of the system) and created a new virtual server. I'll be running the duplicate honeypot alongside the existing one to see how the attacks compare. The two honeypots have different IP addresses and are named alpha and charlie in the data below:
| date | ip | username | password | honeypot |
|---|---|---|---|---|
| Sat 30 Nov 2013, 10:42:06 | 140.***.***.*** | verwalter | verwalter | alpha |
| Sat 30 Nov 2013, 10:42:06 | 140.***.***.*** | yonetici | yonetici | alpha |
| Sat 30 Nov 2013, 10:42:05 | 140.***.***.*** | spravce | spravce | alpha |
| Sat 30 Nov 2013, 10:42:04 | 140.***.***.*** | pentadbir | pentadbir | alpha |
| Sat 30 Nov 2013, 10:42:04 | 140.***.***.*** | skrbnik | skrbnik | alpha |
| Sat 30 Nov 2013, 10:42:03 | 140.***.***.*** | beheerder | beheerder | alpha |
| Sat 30 Nov 2013, 10:42:03 | 140.***.***.*** | msimamizi | msimamizi | alpha |
| Sat 30 Nov 2013, 10:42:02 | 140.***.***.*** | amministratur | amministratur | alpha |
| Sat 30 Nov 2013, 10:42:01 | 140.***.***.*** | adminisztrator | adminisztrator | alpha |
| Sat 30 Nov 2013, 10:42:01 | 140.***.***.*** | amministratore | amministratore | alpha |
| Sat 30 Nov 2013, 10:42:00 | 140.***.***.*** | administrators | administrators | alpha |
| Sat 30 Nov 2013, 10:41:59 | 140.***.***.*** | administrator | administrator | alpha |
| Sat 30 Nov 2013, 10:41:59 | 140.***.***.*** | administratorius | administratorius | alpha |
| Sat 30 Nov 2013, 10:41:58 | 140.***.***.*** | administrateur | administrateur | alpha |
| Sat 30 Nov 2013, 10:41:57 | 140.***.***.*** | administranto | administranto | alpha |
| Sat 30 Nov 2013, 10:41:57 | 140.***.***.*** | administrate | administrate | alpha |
| Sat 30 Nov 2013, 10:41:56 | 140.***.***.*** | administrador | administrador | alpha |
| Sat 30 Nov 2013, 10:41:55 | 140.***.***.*** | yonetici | yonetici | charlie |
| Sat 30 Nov 2013, 10:41:55 | 140.***.***.*** | administraator | administraator | alpha |
| Sat 30 Nov 2013, 10:41:54 | 140.***.***.*** | spravce | spravce | charlie |
| Sat 30 Nov 2013, 10:41:54 | 140.***.***.*** | verwalter | verwalter | charlie |
| Sat 30 Nov 2013, 10:41:53 | 140.***.***.*** | skrbnik | skrbnik | charlie |
| Sat 30 Nov 2013, 10:41:52 | 140.***.***.*** | msimamizi | msimamizi | charlie |
| Sat 30 Nov 2013, 10:41:52 | 140.***.***.*** | pentadbir | pentadbir | charlie |
| Sat 30 Nov 2013, 10:41:51 | 140.***.***.*** | amministratur | amministratur | charlie |
| Sat 30 Nov 2013, 10:41:51 | 140.***.***.*** | beheerder | beheerder | charlie |
| Sat 30 Nov 2013, 10:41:50 | 140.***.***.*** | amministratore | amministratore | charlie |
| Sat 30 Nov 2013, 10:41:49 | 140.***.***.*** | adminisztrator | adminisztrator | charlie |
| Sat 30 Nov 2013, 10:41:48 | 140.***.***.*** | administratorius | administratorius | charlie |
| Sat 30 Nov 2013, 10:41:48 | 140.***.***.*** | administrators | administrators | charlie |
| Sat 30 Nov 2013, 10:41:47 | 140.***.***.*** | administrator | administrator | charlie |
| Sat 30 Nov 2013, 10:41:46 | 140.***.***.*** | administrate | administrate | charlie |
| Sat 30 Nov 2013, 10:41:46 | 140.***.***.*** | administrateur | administrateur | charlie |
| Sat 30 Nov 2013, 10:41:45 | 140.***.***.*** | administrador | administrador | charlie |
| Sat 30 Nov 2013, 10:41:45 | 140.***.***.*** | administranto | administranto | charlie |
| Sat 30 Nov 2013, 10:41:44 | 140.***.***.*** | administraator | administraator | charlie |

What the data above shows is that the attacking IP address ran the exact same brute-force attack against both honeypots (the same username/password list, here localised spellings of "administrator", finishing on charlie seconds before starting on alpha) and appears to be blindly attacking ranges of IP addresses that have port 22 open and accepting SSH connections.
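Running two sensors makes this kind of indiscriminate sweep easy to confirm automatically: if one source replays the same credential list against both within a short window, it is scanning a range rather than targeting either host. The script below is an added example (not code from the Secure Honey project) that groups attempts by source address, computes the overlap of the credential sets seen by each pair of sensors, and reports sources whose lists match within a time window. The records use constructed timestamps and documentation-range IP addresses in place of the masked ones above.

```python
"""Correlate SSH login attempts across honeypot sensors to find a source
replaying one credential list against several hosts.  Added example; the
records, addresses and thresholds are constructed, not project data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source ip, username, password, sensor)
RECORDS = [
    ("2013-11-30 10:41:44", "203.0.113.40", "administraator", "administraator", "charlie"),
    ("2013-11-30 10:41:45", "203.0.113.40", "administranto", "administranto", "charlie"),
    ("2013-11-30 10:41:45", "203.0.113.40", "administrador", "administrador", "charlie"),
    ("2013-11-30 10:41:55", "203.0.113.40", "administraator", "administraator", "alpha"),
    ("2013-11-30 10:41:56", "203.0.113.40", "administrador", "administrador", "alpha"),
    ("2013-11-30 10:41:57", "203.0.113.40", "administranto", "administranto", "alpha"),
    ("2013-11-30 11:02:10", "198.51.100.9", "root", "toor", "alpha"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(records, window: timedelta = timedelta(minutes=5),
              min_overlap: float = 0.8) -> list:
    """For every source seen by two or more sensors, compare the
    (username, password) sets each sensor observed.  A pair is reported
    when the Jaccard overlap reaches min_overlap and the two sensors'
    first attempts fall within `window` of each other."""
    by_src = defaultdict(lambda: defaultdict(list))
    for ts, ip, user, pw, sensor in records:
        by_src[ip][sensor].append((parse_ts(ts), user, pw))

    findings = []
    for ip, sensors in by_src.items():
        names = sorted(sensors)
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                a, b = sensors[names[i]], sensors[names[j]]
                creds_a = {(u, p) for _, u, p in a}
                creds_b = {(u, p) for _, u, p in b}
                shared = creds_a & creds_b
                jaccard = len(shared) / len(creds_a | creds_b)
                gap = abs(min(t for t, _, _ in a) - min(t for t, _, _ in b))
                if jaccard >= min_overlap and gap <= window:
                    findings.append({
                        "source": ip,
                        "sensors": (names[i], names[j]),
                        "overlap": round(jaccard, 2),
                        "shared_credentials": len(shared),
                        "gap_seconds": int(gap.total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for f in correlate(RECORDS):
        print(f)
```

The sources that never reach a second sensor (198.51.100.9 in the sample) produce no finding, which is the useful negative: a correlated hit across sensors in unrelated address ranges is the evidence for "blind range scan", whereas a source that only ever touches one host deserves a closer look as a possibly targeted attempt.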
Lack of Shell Attacks
In last week's post I analysed some recent attacks on the honeypot's shell CLI emulator. Unfortunately this week has seen zero attacks on the shell. I need to look into the shell emulator and check that it works with various SSH clients such as PuTTY.
New bits
Finally, I've added some new bits to this website: there's now a password tag cloud shown on every page of the website. The data feeding this feature is live, so the tag cloud will update regularly as new passwords are attempted on the honeypot.
There's also a new section on this site called Publications, where I've added the project proposal and interim report for this project; both were handed in to university.
Image credit: generated with Wordle.net using data gathered from honeypot during initial testing phase.
About the author
Simon Bell is an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. Simon's research papers have been published internationally, and his findings have featured in Ars Technica, The Hacker News, PC World, among others. He founded Secure Honey, an open-source honeypot and threat intelligence project, in 2013. He has a PhD in Information Security and a BSc in Computer Science.
Follow Simon on Twitter: @SimonByte