SSH honeypot, deployed in the wild, collecting and sharing data

Language Engineered Attacks

30 Nov 2013 • 3 min read

This week has been fairly quiet on the project because the end of term is fast approaching at university, so I've been working on other modules. However, there have been some developments on the project.

There has been an interesting "trickle" brute-force attack happening over the past few days. To date, the attacking IP address has made 4,128 brute-force attempts using password variations such as:

  • P@$$w0rd123456789
  • P@$$w0rd$123456789
  • P@$$W0RD0
  • p@sswOrd123456789
  • p@sswd123456

These attacks seem to be using some sort of language-engineering-based brute-force approach that generates misspellings and character substitutions of common passwords, in the example above the word "password".

As previously mentioned, these language-engineering-based brute-force attempts have been trickling in slowly over the past few days, as the daily counts below show:

date             ip address     attempts
Sat 30 Nov 2013  31.***.***.**  450
Fri 29 Nov 2013  31.***.***.**  901
Thu 28 Nov 2013  31.***.***.**  900
Wed 27 Nov 2013  31.***.***.**  563
Tue 26 Nov 2013  31.***.***.**  466
Mon 25 Nov 2013  31.***.***.**  848
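One defensive use of this observation is to stop counting brute-force attempts per literal password and instead count them per underlying base word, so that a campaign that cycles through hundreds of "password" spellings shows up as one cluster per source address. The following is an added example, not code from the honeypot project: it undoes common character substitutions, strips trailing counter digits, and matches the result against a small list of base words by edit distance. The log format, the base-word list, the substitution table and the sample lines (which reuse the password variants listed above with RFC 5737 documentation addresses in place of the masked IPs) are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample attempts in the same layout as the honeypot tables on this
# page: timestamp, source IP, username, password, honeypot name. The addresses
# are RFC 5737 documentation addresses, not the masked addresses from the post.
SAMPLE_LOG = """\
Mon 25 Nov 2013, 09:12:01 192.0.2.10 root P@$$w0rd123456789 alpha
Mon 25 Nov 2013, 09:12:03 192.0.2.10 root P@$$w0rd$123456789 alpha
Mon 25 Nov 2013, 09:12:05 192.0.2.10 root P@$$W0RD0 alpha
Mon 25 Nov 2013, 09:12:08 192.0.2.10 root p@sswOrd123456789 alpha
Mon 25 Nov 2013, 09:12:10 192.0.2.10 root p@sswd123456 alpha
Mon 25 Nov 2013, 09:12:12 192.0.2.10 admin Adm1n! alpha
Mon 25 Nov 2013, 09:13:00 198.51.100.7 root qwerty alpha
"""

# Assumed base words to cluster against; a real deployment would use a longer list.
BASE_WORDS = ("password", "admin", "root")

# Assumed substitution table (leetspeak character -> letter it usually stands for).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(password):
    """Lower-case, drop trailing counter digits/punctuation, undo substitutions."""
    s = password.lower()
    s = re.sub(r"[\d!?]+$", "", s)   # P@$$w0rd123456789 -> p@$$w0rd
    return s.translate(LEET)          # p@$$w0rd -> password


def edit_distance(a, b):
    """Plain Levenshtein distance, small enough to inline here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_word(password, max_dist=2):
    """Return the base word this password is a variant of, or None if none is close."""
    norm = normalise(password)
    best = min(BASE_WORDS, key=lambda w: edit_distance(norm, w))
    return best if edit_distance(norm, best) <= max_dist else None


def parse_line(line):
    """Split one log line; fields are taken from the right so the timestamp may contain spaces."""
    parts = line.split()
    return {"timestamp": " ".join(parts[:-4]), "ip": parts[-4],
            "username": parts[-3], "password": parts[-2], "honeypot": parts[-1]}


def cluster_by_base_word(log_text):
    """Count attempts per (source IP, base word); unmatched passwords go to 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        counts[(rec["ip"], base_word(rec["password"]) or "other")] += 1
    return counts


if __name__ == "__main__":
    for (ip, word), n in sorted(cluster_by_base_word(SAMPLE_LOG).items()):
        print(f"{ip:<14} {word:<10} {n}")
```

Counting this way turns the five "password" spellings from 192.0.2.10 into a single cluster of five, while "qwerty" from the second address stays uncounted as "other"; the edit-distance threshold is what lets "p@sswd" join the cluster even though it is a different word after normalisation.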

Duplicate Attacks

Another interesting observation arose this week when I duplicated the current honeypot (by simply taking an image of the system) and created a new virtual server. I'll be running the duplicate honeypot alongside the existing one to see how the attacks compare. The two honeypots have different IP addresses and are named alpha and charlie in the data below:

date                       ip               username          password          honeypot
Sat 30 Nov 2013, 10:42:06  140.***.***.***  verwalter         verwalter         alpha
Sat 30 Nov 2013, 10:42:06  140.***.***.***  yonetici          yonetici          alpha
Sat 30 Nov 2013, 10:42:05  140.***.***.***  spravce           spravce           alpha
Sat 30 Nov 2013, 10:42:04  140.***.***.***  pentadbir         pentadbir         alpha
Sat 30 Nov 2013, 10:42:04  140.***.***.***  skrbnik           skrbnik           alpha
Sat 30 Nov 2013, 10:42:03  140.***.***.***  beheerder         beheerder         alpha
Sat 30 Nov 2013, 10:42:03  140.***.***.***  msimamizi         msimamizi         alpha
Sat 30 Nov 2013, 10:42:02  140.***.***.***  amministratur     amministratur     alpha
Sat 30 Nov 2013, 10:42:01  140.***.***.***  adminisztrator    adminisztrator    alpha
Sat 30 Nov 2013, 10:42:01  140.***.***.***  amministratore    amministratore    alpha
Sat 30 Nov 2013, 10:42:00  140.***.***.***  administrators    administrators    alpha
Sat 30 Nov 2013, 10:41:59  140.***.***.***  administrator     administrator     alpha
Sat 30 Nov 2013, 10:41:59  140.***.***.***  administratorius  administratorius  alpha
Sat 30 Nov 2013, 10:41:58  140.***.***.***  administrateur    administrateur    alpha
Sat 30 Nov 2013, 10:41:57  140.***.***.***  administranto     administranto     alpha
Sat 30 Nov 2013, 10:41:57  140.***.***.***  administrate      administrate      alpha
Sat 30 Nov 2013, 10:41:56  140.***.***.***  administrador     administrador     alpha
Sat 30 Nov 2013, 10:41:55  140.***.***.***  yonetici          yonetici          charlie
Sat 30 Nov 2013, 10:41:55  140.***.***.***  administraator    administraator    alpha
Sat 30 Nov 2013, 10:41:54  140.***.***.***  spravce           spravce           charlie
Sat 30 Nov 2013, 10:41:54  140.***.***.***  verwalter         verwalter         charlie
Sat 30 Nov 2013, 10:41:53  140.***.***.***  skrbnik           skrbnik           charlie
Sat 30 Nov 2013, 10:41:52  140.***.***.***  msimamizi         msimamizi         charlie
Sat 30 Nov 2013, 10:41:52  140.***.***.***  pentadbir         pentadbir         charlie
Sat 30 Nov 2013, 10:41:51  140.***.***.***  amministratur     amministratur     charlie
Sat 30 Nov 2013, 10:41:51  140.***.***.***  beheerder         beheerder         charlie
Sat 30 Nov 2013, 10:41:50  140.***.***.***  amministratore    amministratore    charlie
Sat 30 Nov 2013, 10:41:49  140.***.***.***  adminisztrator    adminisztrator    charlie
Sat 30 Nov 2013, 10:41:48  140.***.***.***  administratorius  administratorius  charlie
Sat 30 Nov 2013, 10:41:48  140.***.***.***  administrators    administrators    charlie
Sat 30 Nov 2013, 10:41:47  140.***.***.***  administrator     administrator     charlie
Sat 30 Nov 2013, 10:41:46  140.***.***.***  administrate      administrate      charlie
Sat 30 Nov 2013, 10:41:46  140.***.***.***  administrateur    administrateur    charlie
Sat 30 Nov 2013, 10:41:45  140.***.***.***  administrador     administrador     charlie
Sat 30 Nov 2013, 10:41:45  140.***.***.***  administranto     administranto     charlie
Sat 30 Nov 2013, 10:41:44  140.***.***.***  administraator    administraator    charlie

The data above shows that the attacking IP address is running the exact same brute-force attack (the same usernames and passwords) against both honeypots, about ten seconds apart, and appears to be blindly sweeping ranges of IP addresses for hosts with port 22 open and accepting SSH connections.
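Running two sensors makes this kind of sweep easy to detect automatically: if the same source address replays an identical credential sequence against both honeypots within seconds, it is scanning rather than targeting either host, and that is a strong signal for sharing the address with a blocklist. The following is an added example, not code from the honeypot project. It groups attempts by source IP and honeypot, then for every IP seen on more than one honeypot reports whether the credential sequences match in order, how much the credential sets overlap, and how far apart the two runs started. The log layout, the honeypot names and the sample lines (documentation addresses in place of the masked ones, with a subset of the wordlist shown above) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the table above: timestamp, source IP,
# username, password, honeypot. 192.0.2.20 replays the same four credentials
# against charlie and then alpha; 198.51.100.9 only touches alpha.
SAMPLE_LOG = """\
Sat 30 Nov 2013, 10:41:44 192.0.2.20 administraator administraator charlie
Sat 30 Nov 2013, 10:41:45 192.0.2.20 administrador administrador charlie
Sat 30 Nov 2013, 10:41:46 192.0.2.20 administrateur administrateur charlie
Sat 30 Nov 2013, 10:41:47 192.0.2.20 administrator administrator charlie
Sat 30 Nov 2013, 10:41:55 192.0.2.20 administraator administraator alpha
Sat 30 Nov 2013, 10:41:56 192.0.2.20 administrador administrador alpha
Sat 30 Nov 2013, 10:41:58 192.0.2.20 administrateur administrateur alpha
Sat 30 Nov 2013, 10:41:59 192.0.2.20 administrator administrator alpha
Sat 30 Nov 2013, 11:02:10 198.51.100.9 root toor alpha
"""

# Assumed timestamp layout, matching the tables on this page.
TS_FORMAT = "%a %d %b %Y, %H:%M:%S"


def parse_line(line):
    """Return (timestamp, ip, username, password, honeypot) for one log line."""
    parts = line.split()
    ts = datetime.strptime(" ".join(parts[:-4]), TS_FORMAT)
    return ts, parts[-4], parts[-3], parts[-2], parts[-1]


def sessions_by_source(log_text):
    """Group attempts as {ip: {honeypot: [(ts, user, pw), ...]}} in time order."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, pw, honeypot = parse_line(line)
        sessions[ip][honeypot].append((ts, user, pw))
    for honeypots in sessions.values():
        for attempts in honeypots.values():
            attempts.sort()
    return sessions


def correlate(log_text):
    """For each source IP seen on more than one honeypot, compare its two runs.

    same_order   : the credential sequences are identical, attempt for attempt
    overlap      : Jaccard similarity of the two credential sets (0.0 .. 1.0)
    start_offset : seconds between the first attempt on each honeypot
    """
    findings = []
    for ip, honeypots in sessions_by_source(log_text).items():
        names = sorted(honeypots)
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                a, b = honeypots[names[i]], honeypots[names[j]]
                creds_a = [(u, p) for _, u, p in a]
                creds_b = [(u, p) for _, u, p in b]
                union = set(creds_a) | set(creds_b)
                findings.append({
                    "ip": ip,
                    "honeypots": (names[i], names[j]),
                    "same_order": creds_a == creds_b,
                    "overlap": len(set(creds_a) & set(creds_b)) / len(union),
                    "start_offset_s": abs((a[0][0] - b[0][0]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['ip']} hit {f['honeypots'][0]} and {f['honeypots'][1]}: "
              f"same order={f['same_order']}, overlap={f['overlap']:.2f}, "
              f"started {f['start_offset_s']:.0f}s apart")
```

On the constructed sample the only finding is 192.0.2.20 with an identical, in-order credential sequence on both honeypots and an 11-second gap between the two starts; the address that only hit alpha produces no finding, which is the point: one sensor alone cannot tell a sweep from a targeted attempt.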

Lack of Shell Attacks

In last week's post I analysed some recent attacks on the honeypot's shell CLI emulator. Unfortunately this week has seen zero attacks on the shell. I need to look into the shell emulator and check it's working on various SSH clients such as PuTTY.

New bits

Finally, I've added some new bits to this website: there's now a password tag cloud shown on every page. The data feeding this feature is live, so the tag cloud will update regularly as new passwords are attempted on the honeypot.

There's also a new section on this site called publications where I've added the project proposal and interim report for this project; both of which were handed in to university.

Image credit: generated with Wordle.net using data gathered from honeypot during initial testing phase.

About the author

Simon Bell is an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. Simon's research papers have been published internationally, and his findings have featured in Ars Technica, The Hacker News, PC World, among others. He founded Secure Honey, an open-source honeypot and threat intelligence project, in 2013. He has a PhD in Information Security and a BSc in Computer Science.

Follow Simon on Twitter: @SimonByte