DOCSLIB.ORG

Violence Cracking Technology of SSH Service Based on Kali-Linux

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Violence Cracking Technology of SSH Service Based on Kali-Linux International Journal of Advanced Network, Monitoring and Controls Volume 04, No.02, 2019 Violence Cracking Technology of SSH Service Based on Kali-Linux Ma Limei Gao Yijun College of Information Technology School of Information Studies Hebei Normal University Dominican University Shijiazhuang, In China River Forest, In USA Key Laboratory of Network and Information e-mail: [email protected] Security in Hebei Province Shijiazhuang, In China School of Information Studies, Dominican University, River Forest, In USA e-mail: [email protected] Zhao Dongmei* Zhao Chen College of Information Technology College of Information Technology Hebei Normal University Hebei Normal University Shijiazhuang, In China Shijiazhuang, In China Key Laboratory of Network and Information Key Laboratory of Network and Information Security in Hebei Province Security in Hebei Province Shijiazhuang, In China Shijiazhuang , In China e-mail: [email protected] e-mail: [email protected] Abstract—In this paper, the current popular SSH password The Kali Linux Penetration Test Platform defaults brute force cracking tool is researched, analyzed and to the SSH service. SSH for remote server management, summarized. The ssh_login module in Metasploit is used to brute force the SSH service to finally obtain the password. The you only need to know the server's IP address, port, Brute Spray tool is used to automatically call Medusa to blast management account and password, you can manage the service, demonstrating SSH. The process of brute force the server, network security follows the principle of cracking has certain reference value for penetration attack wooden barrel, as long as you open a hole through SSH, testing and security defense. this will be for infiltrators It is a new world. Keywords-Component; Violence Cracking; Technology; SSH Service; Kali-Linux I. SSH PROVIDES TWO AUTHENTICATION All SSH is an acronym for Secure Shell, developed METHODS. by the IETF's Network Working Group, SSH is a The first is a key-based security verification that security protocol based on the application layer and relies on a key, which means you have to create a pair transport layer. SSH is a protocol that provides security of keys for yourself and put the public key on the for remote login sessions and other network services. server you need to access. If you are connecting to an The SSH protocol can effectively prevent information SSH server, the client software will make a request to leakage during remote management. SSH was the server for security verification with your key. After originally a program on a UNIX system and later the server receives the request, look for your public key quickly expanded to other operating platforms. SSH in your home directory on the server and compare it to can make up for vulnerabilities in the network when it the public key you sent. If the two keys match, the is used correctly. The SSH client is available on server encrypts the "challenge" with the public key and multiple platforms. SSH can be run on almost all Unix sends it to the client software. After the client software platforms—including hp-Unix, Linux, Aix, Solaris, receives the "challenge", it can decrypt it with your Digital Unix, and others. private key and send it to the server. DOI: 10.21307/ijanmc-2019-045 35 International Journal of Advanced Network, Monitoring and Controls Volume 04, No.02, 2019 The second is password-based security verification, III. THE SPECIFIC STEPS ARE AS FOLLOWS: as long as you know your account and password, you can log in to the remote host. All transmitted data will A. Purpose be encrypted, but there is no guarantee that the server Master the process of brute-breaking the SSH you are connecting to is the one you want to connect to. service through the ssh login module in Metasploit to There may be other servers that impersonate the real finally obtain the password. server, which is attacked by the "middleman". At the same time, if the server has no other security B. Software used restrictions, such as login source IP, account login error Guest operating system: Kali-linux 1.1, IP address times, there may be violent cracking. However, SSH is is 193.168.1.100. not absolutely secure. If you do not restrict the login source IP and do not set the number of attempts to log Server operating system: CentOS 6.5, address in, it will be cracked. 193.168.1.26. Tool software: Metasploit, NMAP. II. SSH PASSWORD BRUTE FORCE APPLICATION AND THOUGHTS C. Steps A. Application 1) Load the kali-linux virtual machine, open the kali system terminal, and use nmap to scan the target The root permission is obtained through remote 193.168.1.26 port. The command is as follows: nmap - command execution such as Structs. v -A -Pn 193.168.1.26, found that open 22 ports, you Get root privileges through web shell can try to brute force. The result is shown in Figure 1. authorization Through the local file contains the vulnerability, you can read all the files locally in linux. Obtain the network access authority, which can access the intranet computer. The SSH port is enabled on the external network (the default or modified port), and SSH access is available. In the previous scenarios, you can get the shadow file and brute force it to get the password of these accounts, but in other scenarios, no loopholes are Figure 1. NMAP scan results available. At this time, you need to brute the SSH account. Parameter Description: -v: enable verbose mode; B. Thoughts -A: Detect the target operating system; brute force the root account -Pn: Do not ping the target host to reduce the use admin as the username to brute force probability of being discovered or blocked by the guard use the admin dictionary for password cracking device. Using mastery information to organize social 2) Open another new command line window, type worker information and generate dictionary ssh [email protected], enter the password brute force cracking arbitrarily, and the access is blocked. Try this process multiple times (3 times or more) and find that you can Comprehensive utilization and recycling of still try to enter the password, the user will not be information locked, as shown in Figure 2, so all the conditions that satisfy the brute force vulnerability can be brute force cracked. 36 International Journal of Advanced Network, Monitoring and Controls Volume 04, No.02, 2019 Explanation of important parameters: RHOST: the target host IP address; PASS_FILE: brute force password dictionary storage path; Figure 2. Trying to log in USERNAME: Specify the username used for brute force attack; 3) Use the ssh_login module in Metasploit to crack STOP_ON_SUCESS: Set to stop brute force attack the crack, open the kali system terminal, and enter immediately after cracking the password. msfconsole, as shown in Figure 3. 7) Set the relevant parameters of the brute force target host, as shown in Figure 7. Figure 7. Set the parameters Figure 3. Start Metasploit 8) Enter the exploit to start brute force cracking, and 4) Enter search ssh_login and search for the successfully obtain the password, which is admin888, ssh_login module, as shown in Figure 4. as shown in Figure 8. Figure 4. Searching for the ssh_login module Figure 8. Execution attack 5) Enter use auxiliary/scanner/ssh/ssh_login to load the ssh_login module, as shown in Figure 5. 9) Open the terminal, enter ssh [email protected], and enter the cracked password to log in to the server, as shown in Figure 9. Figure 5. Loading the ssh_login module 6) Enter show options to display the ssh_login module parameters, as shown in Figure 6. Figure 9. Successful login to the server 10) Enter the command to view server related information, as shown in Figure 10. Figure 10. Execution system command Figure 6. Ssh_login module parameters 37 International Journal of Advanced Network, Monitoring and Controls Volume 04, No.02, 2019 IV. USE BRUTESPRAY TO VIOLENTLY CRACK SSH -T HOSTS, - - hosts HOSTS parameter followed by PASSWORD a value specifying the number of hosts tested at the Brutespray is a gnmap/XML file based on nmap same time scanning output. It calls Medusa automatically to -U USERLIST, --userlist USERLIST parameter explode the service faster than hydra. IBruteSpray calls followed by user dictionary file medusa, which claims to support violent account -P PASSLIST - -- Passlist PASSLIST parameter cracking of ssh, ftp, telnet, vnc, mssql, mysql, followed by password dictionary file postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, -u USERNAME, -- username USERNAME rlogin, smbnt, smtp, SVN and vmauthd protocols. parameter followed by user name, specify a user name for blasting -P PASSWORD, --password PASSWORD A. Installation under Kali parameter followed by password, specify a password Brutespray is not integrated into Kali Linux by for blasting default. It needs to be installed manually. Some need to - C.-- Continuous blasting after success perform updates in Kali first, and apt-get update before - i --Interactive interaction mode executing the installation command: V. VIOLENT CRACKING OF SSH PASSWORDS Apt-get install brutespray 1) Interactive mode cracking Kali Linux installs its user and password dictionary file location by default: / usr / share / brutespray / Python brutespray. py -- file nmap. XML - I wordlist. After execution, the program automatically identifies the services in the nmap scanning results, B. Manual installation chooses the services that need to be cracked according Git clone to the prompt, the number of threads, the number of https://github.com/x90skysn3k/brutespray.git hosts that are simultaneously violently cracked, CD brutes pray specifies the user and password files, and Brutespray PIP install-r requirements.txt will display the “SUCCESS” information on the screen Note that if Medusa needs to be installed in other after successful cracking.
Load more

Recommended publications
  • Password Cracking / Brute-Force Tools Password Cracking / Brute-Force Tools
    Color profile: Disabled Hacking / Anti-Hacker Tool Kit, 3rd Ed / Shema, Davis, Cowen & Philipp / 226286-9 / Chapter 8 Composite Default screen Presented by: 8 PasswordPassword CrackingCracking // Brute-ForceBrute-Force ToolsTools 195 Reproduced from the book “Anti-Hacker Tool Kit, Third Edition." Copyright © 2006, The McGraw-Hill Companies, Inc. Reproduced by permission of The McGraw-Hill Companies, Two Penn Plaza, NY, NY 10121-2298. Written permission of The McGraw-Hill Companies, Inc. is required for all other uses. P:\010Comp\Hacking\286-9\ch08.vp Monday, January 23, 2006 12:28:07 PM Color profile: Disabled Hacking / Anti-Hacker Tool Kit, 3rd Ed / Shema, Davis, Cowen & Philipp / 226286-9 / Chapter 8 Composite Default screen 196 Anti-Hacker Tool Kit smile, a house key, a password. Whether you’re trying to get into a nightclub, your house, or your computer, you will need something that only you possess. On a Acomputer network, users’ passwords have to be strong enough so that Dwayne can’t guess Norm’s password and Norm can’t steal Dwayne’s password (since Dwayne might have written it on the bottom of his keyboard). Bottom line—one weak password can circumvent secure host configurations, up-to-date patches, and stringent firewall rules. In general an attacker has two choices when trying to ascertain a password. He can ob- tain a copy of the password or hash if encrypted and then use brute-force tools to crack the encrypted hash. Or he can try to guess a password. Password cracking is an old technique that is most successful because humans are not very good random sequence generators.
    [Show full text]
  • Hydra: a Declarative Approach to Continuous Integration1
    Hydra: A Declarative Approach to Continuous Integration1 Eelco Dolstra, Eelco Visser Department of Software Technology, Faculty of Electrical Engineering, Mathematics and Computer Science (EWI), Delft University of Technology, The Netherlands Abstract There are many tools to support continuous integration: the process of automatically and con- tinuously building a project from a version management repository. However, they do not have good support for variability in the build environment: dependencies such as compilers, libraries or testing tools must typically be installed manually on all machines on which automated builds are performed. In this paper we present Hydra, a continuous build tool based on Nix, a package manager that has a purely functional language for describing package build actions and their dependencies. This allows the build environment for projects to be produced automatically and deterministically, and so significantly reduces the effort to maintain a continuous integration en- vironment. 1. Introduction Hydra is a tool for continuous integration testing and software release that uses a purely func- tional language to describe build jobs and their dependencies. Continuous integration (Fowler and Foemmel 2006) is a simple technique to improve the quality of the software development process. An automated system continuously or periodically checks out the source code of a project, builds it, runs tests, and produces reports for the developers. Thus, various errors that might accidentally be committed into the code base are automatically caught. Such a system allows more in-depth testing than what developers could feasibly do manually: • Portability testing: The software may need to be built and tested on many different plat- forms.
    [Show full text]
  • Nessus 6.8 User Guide
    Nessus 6.8 User Guide Last Updated: 8/17/2016 Table of Contents Getting Started 11 About Nessus Products 12 About Nessus Plugins 15 Hardware Requirements 17 Supported Operating Systems 18 Nessus License & Activation Code 21 Setup Nessus 22 Product Download 23 Pre-install Nessus 25 Deployment 26 Host Based Firewalls 27 IPv6 Support 28 Virtual Machines 29 Anti-virus Software 30 Security Warnings 31 Install Nessus and Nessus Agents 32 Nessus Installation 33 Install Nessus on Mac OS X 34 Install Nessus on Linux 36 Install Nessus on Windows 37 Nessus Agent Install 39 Install a Nessus Agent on Mac OS X 40 Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. Install a Nessus Agent on Linux 43 Install a Nessus Agent on Windows 47 Upgrade Nessus and Nessus Agents 51 Nessus Upgrade 52 Upgrade from Evaluation 53 Mac Upgrade 54 Linux Upgrade 55 Windows Upgrade 56 Nessus Agents: Upgrade 57 Installation - Web Browser Portion 58 Nessus (Home, Professional, or Manager) 60 Link to Nessus Manager 61 Link to Tenable Cloud 64 Managed by SecurityCenter 66 Install Nessus while Offline 67 Register Nessus Offline 71 Generate Challenge Code 73 Generate Your License 74 Download and Copy License File (nessus.license) 75 Register Your License with Nessus 76 Download and Copy Plugins 77 Install Plugins Manually 78 Remove Nessus and Nessus Agents 79 Nessus Removal 80 Copyright © 2016.
    [Show full text]
  • Cuteftp Mac Professional V3.1 User Guide
    v3 User Guide GlobalSCAPE, Inc. (GSB) Corporate Headquarters 4500 Lockhill-Selma Road, Suite 150 Address: San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical Support: (210) 366-3993 Web Support: http://www.globalscape.com/support/ © 2004 GlobalSCAPE, Inc. All Rights Reserved Table of Contents Getting Started with CuteFTP Mac 3 Professional .................................................................................. 7 Customer Service ............................................................................................................................. 7 Lost Serial Number ........................................................................................................................... 7 Comprehensive Support Programs .................................................................................................... 7 About FTP (File Transfer Protocol) .................................................................................................... 7 About CuteFTP Mac .......................................................................................................................... 7 CuteFTP Mac's Features: .................................................................................................................. 8 About FTP (File Transfer Protocol) .................................................................................................... 8 System Requirements ......................................................................................................................
    [Show full text]
  • VSC HPC Tutorial for Vrije Universiteit Brussel Mac Users
    VLAAMS SUPERCOMPUTER Innovative Computing CENTRUM for A Smarter Flanders HPC Tutorial Last updated: August 26 2021 For Mac Users Authors: Franky Backeljauw5, Stefan Becuwe5, Geert Jan Bex3, Geert Borstlap5, Jasper Devreker2, Stijn De Weirdt2, Andy Georges2, Balázs Hajgató1,2, Kenneth Hoste2, Kurt Lust5, Samuel Moors1, Ward Poelmans1, Mag Selwa4, Álvaro Simón García2, Bert Tijskens5, Jens Timmerman2, Kenneth Waegeman2, Toon Willems2 Acknowledgement: VSCentrum.be 1Free University of Brussels 2Ghent University 3Hasselt University 4KU Leuven 5University of Antwerp 1 Audience: This HPC Tutorial is designed for researchers at the Vrije Universiteit Brussel and affiliated institutes who are in need of computational power (computer resources) and wish to explore and use the High Performance Computing (HPC) core facilities of the Flemish Supercomputing Centre (VSC) to execute their computationally intensive tasks. The audience may be completely unaware of the VUB-HPC concepts but must have some basic understanding of computers and computer programming. Contents: This Beginners Part of this tutorial gives answers to the typical questions that a new VUB- HPC user has. The aim is to learn how to make use of the HPC. Beginners Part Questions chapter title What is a VUB-HPC exactly? 1 Introduction to HPC Can it solve my computational needs? How to get an account? 2 Getting an HPC Account How do I connect to the VUB-HPC and 3 Connecting to the HPC infrastructure transfer my files and programs? How to start background jobs? 4 Running batch jobs How to start jobs with user interaction? 5 Running interactive jobs Where do the input and output go? 6 Running jobs with input/output data Where to collect my results? Can I speed up my program by explor- 7 Multi core jobs/Parallel Computing ing parallel programming techniques? Troubleshooting 8 Troubleshooting What are the rules and priorities of 9 HPC Policies jobs? FAQ 10 Frequently Asked Questions The Advanced Part focuses on in-depth issues.
    [Show full text]
  • Ftp Now Crack
    Ftp now crack click here to download As demonstrated in the video, this performs a completely customizable and upgradable FTP dictionary attack in order to crack the username and password and so far has had zero false positives. This can be downloaded here (part of security tool kit. OK, I've got access, now what? Really? well the. This is a how-to –video on using hydra to crack FTP passwords. This video is It reveals the basics of hacking a FTP server using dictionary search technique. Here are the steps Now that we have a username/password pair we can login to the server access the files in the ftp server. 10) Depending. Crack FTP server using hydra For Better View Please Watch Video In p Or p Visit Our Site: http://www. This video explains the basic use of hydra to find valid FTP username/password pairs. Download Hydra: http. link: www.doorway.ru My FTP Now Review - See it now! FTP Now ftp now ftp. Monitor Password Policy Compliance #30 Before downloading the word list, I'll use the local change directory com- mand to ensure I'm downloading the file to the correct directory on my system: ftp> lcd /usr/local/crack/dict/1 Local directory now /usr/local/crack/dict/1 ftp> get www.doorway.ru local: www.doorway.ru remote: www.doorway.ru Entering. Ftp now v winall cracked palace. Had 65 of www.doorway.ru: ftp now v winall cracked www.doorway.ruad the ftp www.doorway.ru now v winall cracked www.doorway.rug.v.
    [Show full text]
  • Top 25 Best Kali Linux Tools for Beginners (Source)
    Kali Linux For Beginners Glen Maxson Center for Learning in Retirement Spring 2019 What is Kali Linux • Kali Linux, (first released on the 13th March, 2013) which was formally known as BackTrack, developed by the security firm Offensive Security, is a forensic and security-focused distribution based on Debian’s Testing branch. Kali Linux is designed with penetration testing, data recovery and threat detection in mind. • Kali Linux is free, and has 600+ penetration testing tools included. But first a caution and some advice • Kali Linux isn’t recommended for beginners. Period. This is the first thing you should learn. It is a Linux Distribution geared towards Security Professionals. • During penetration testing, it is crucial to prepare to stay anonymous. Don’t fool yourself by revealing your own identity while hacking, cover it! Kali Install Modes - Basic Differences (source) 1. Live Mode - boots using the USB drive so we run Kali from USB instead of running our main system. This allows us to inspect the system without worrying about locked/running processes. Live mode does not save changes. If you run reports, generate logs or save any data then it will be wiped when you reboot. Changes are not saved. 2. Live Mode (failsafe) - same as above but a bit more robust in case the system fails. Nicer to your devices. 3. Live Mode (forensic) - nothing loads, runs or happens unless it is initiated by you. USB devices do not auto mount and the internal hard drive is not touched. Nothing happens until you make it happen. Very good for professional forensic work.
    [Show full text]
  • Nessus 7.0 User Guide
    Nessus 7.0 User Guide Last Updated: March 20, 2018 Table of Contents Welcome to Nessus 7.0 10 Nessus Workflow 13 Navigating Nessus 14 System Requirements 15 Hardware Requirements 16 Software Requirements 17 Licensing Requirements 20 Deployment Considerations 21 Host-Based Firewalls 22 IPv6 Support 23 Virtual Machines 24 Antivirus Software 25 Security Warnings 26 Install Nessus and Nessus Agents 27 Download Nessus 28 Install Nessus 30 Install Nessus on Linux 31 Install Nessus on Windows 32 Install Nessus on Mac OS X 34 Install Nessus Agents 36 Install a Nessus Agent on Linux 37 Install a Nessus Agent on Windows 40 Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. Install a Nessus Agent on Mac OS X 44 Upgrade Nessus and Nessus Agents 47 Upgrade Nessus 48 Upgrade from Evaluation 49 Upgrade Nessus on Linux 50 Upgrade Nessus on Windows 51 Upgrade Nessus on Mac OS X 52 Upgrade a Nessus Agent 53 Configure Nessus 54 Install Nessus Home, Professional, or Manager 55 Link to Tenable.io 56 Link to Nessus Manager 57 Manage Activation Code 58 View Your Activation Code 59 Reset Activation Code 60 Update Activation Code 61 Transfer Activation Code 63 Manage Nessus Offline 65 Install Nessus Offline 67 Generate Challenge Code 70 Generate Your License 71 Download and Copy License File (nessus.license) 72 Register Your License with Nessus 73 Download and Copy Plugins 74 Copyright © 2018.
    [Show full text]
  • Technical Guide to Information Security Testing and Assessment
    Special Publication 800-115 Technical Guide to Information Security Testing and Assessment Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Deputy Director TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology (IT). ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-115 Natl. Inst. Stand. Technol. Spec. Publ. 800-115, 80 pages (Sep.
    [Show full text]
  • Introduction to Nessus by Harry Anderson Last Updated October 28, 2003
    SecurityFocus Printable INFOCUS 1741 Página 1 de 13 Infocus < http://www.securityfocus.com/infocus/1741 > Introduction to Nessus by Harry Anderson last updated October 28, 2003 1.0 Introduction Nessus is a great tool designed to automate the testing and discovery of known security problems. Typically someone, a hacker group, a security company, or a researcher discovers a specific way to violate the security of a software product. The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. Nessus is designed to help identify and solve these known problems, before a hacker takes advantage of them. Nessus is a great tool with lots of capabilities. However it is fairly complex and few articles exist to direct the new user through the intricacies of how to install and use it. Thus, this article shall endeavor to cover the basics of Nessus setup and configuration. The features of the current versions of Nessus (Nessus 2.0.8a and NessusWX 1.4.4) will be discussed. Future articles will cover Nessus in more depth. Nessus is a public domain program released under the GPL. Historically, many in the corporate world have ridiculed such public domain software as being a waste of time, instead choosing "supported" products developed by established companies. Typically these packages cost hundreds or thousands of dollars, and are often purchased using the logic that you get what you pay for. Some people are starting to realize that public domain software, such as Nessus, isn't always inferior and sometimes it is actually superior.
    [Show full text]
  • Analysis of Network Intrusion Attacks Using Honeypots
    International Journal of Computer Applications (0975 – 8887) Volume 182 – No. 32, December 2018 Analysis of Network Intrusion Attacks using Honeypots N. Ramakrishnaiah Dept. of Computer Science & Engineering, University College of Engineering, JNTUK, Kakinada-533003, A.P., India ABSTRACT deception tool by exhibiting itself as a vulnerable system and Network intrusion attacks are performed quite immensely providing a simulated domain to the attacker. It helps the these days. Malicious intruder performs attacks on the security researchers and analysts with a study over the new infrastructure of a network of organizations. The increase in techniques of compromising a system by logging the actions the number of various intruders and different attacks has made performed by an intruder[4][5]. Honeypots do not have the mitigation and security implementation a hard task to be capability to avert an attack but have the expertise in achieved. In order to accomplish felonious access over server, detection. They produce data about the attacks that can be attackers target Secure Shell service. In this paper, an used for analysis by cyber professional. To provide detail intrusion detection operation and web trap for an intruder is summary of the operation of honeypot to the cyber defense, performed on SSH service. A fake file system is created data visualization and analysis tools are used which compares which will camouflage itself as the original root. A honeypot the sessions and present results in graphical and tabular forms. system which remains an effective environment in gathering In this paper, a Virtual Private Server is set up to log the brute intelligence about the intruder is used and information which force attacks performed on the SSH honeypot and the activity is highly sufficient in the identification of the attacker is of the honeypot on the attacks.
    [Show full text]
  • Fingerprinting Tooling Used for SSH Compromisation Attempts
    Fingerprinting Tooling used for SSH Compromisation Attempts Vincent Ghiëtte, Harm Griffioen, and Christian Doerr TU Delft, Cyber Threat Intelligence Lab {v.d.h.ghiette, h.j.griffioen, c.doerr}@tudelft.nl Abstract In SSH brute forcing attacks, adversaries try a lot of different username and password combinations in order to compromise a system. As such activities are easily recognizable in log files, TTPs sophisticated adversaries distribute brute forcing attacks over Tools Difficulty for Defender to Detect Difficulty for Adversary to Change Difficulty for a large number of origins. Effectively finding such distributed Netw./Host Artifacts campaigns proves however to be a difficult problem. Domain Names In practice, when adversaries would spread out brute- IP Addresses forcing over multiple sources, they would likely reuse the same kind of software across all of these origins to simplify Hash Values their operation and reduce cost. This means if we are able to identify the tooling used in these attempts, we could cluster similar tool usage into likely collaborating hosts and thus Figure 1: While basic Indicators of Compromise (IoC) are campaigns. In this paper, we demonstrate that it is possible easy to gather and distribute, they are trivially changed by an to utilize cipher suites and SSH version strings to generate a adversary. For effective, more persistent detection it is nec- unique fingerprint for a brute-forcing tool used by the attacker. essary to assemble threat intelligence that covers behavioral Based on a study using a large honeynet with over 4,500 features of the attacker. [3] hosts, which received approximately 35 million compromi- sation attempts over the period of one month, we are able to identify 49 tools from the collected data, which correspond to off-the-shelf tools, as well as custom implementations.
    [Show full text]