douglasmun

SSH Bruteforce

Jul 26th, 2017
Training SSH Bruteforce

1. Credit to sample from pcapanalysis.com
Traffic Capture from DMZ ftp login and SSH brute force PCAP file download
http://www.pcapanalysis.com/pcap-downloads/scanning-probing/traffic-capture-from-dmz-ftp-login-and-ssh-brute-force-pcap-file-download/

Download ftp.pcap from: http://www.pcapanalysis.com/pcap-download/10
Open ftp.pcap in Wireshark
Apply the display filter tcp.port == 22 and press Enter
File -> Export Specified Packets -> All packets: Displayed (354 of 1011)
Save As: ssh_bruteforce.pcap
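The same extraction can be scripted. The block below is an added example, not part of the original paste: it reads a little-endian libpcap file with an Ethernet link type (assumed format), keeps every TCP packet with source or destination port 22 (the tcp.port == 22 filter), writes them to a new pcap (Export Specified Packets), and counts new SSH connection attempts (SYN without ACK) per source as a simple brute-force indicator. The threshold of 5 attempts and the sample capture are my constructions, not the pcapanalysis.com file or any IDS rule value.

```python
import struct
from collections import Counter
PCAP_MAGIC, SSH_PORT = 0xA1B2C3D4, 22   # little-endian microsecond libpcap magic, SSH port

def _tcp_fields(frame):
    """(src_ip, dst_ip, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 14:      # IP protocol 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, sport, dport, frame[14 + ihl + 13]

def filter_ssh(pcap):
    """'tcp.port == 22' + Export Specified Packets: (pcap bytes, kept, total, SSH SYNs per source)."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    out, kept, total, syns, off = bytearray(pcap[:24]), 0, 0, Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        f = _tcp_fields(pcap[off + 16: off + 16 + incl])
        total += 1
        if f and SSH_PORT in (f[2], f[3]):
            kept += 1
            out += pcap[off: off + 16 + incl]
            if f[3] == SSH_PORT and (f[4] & 0x12) == 0x02:   # SYN without ACK = new attempt
                syns[f[0]] += 1
        off += 16 + incl
    return bytes(out), kept, total, syns

def suspects(syns, threshold=5):   # threshold is an assumed cut-off, not an IDS rule value
    return sorted(src for src, n in syns.items() if n >= threshold)

def _frame(src, dst, sport, dport, flags):   # minimal Ethernet/IPv4/TCP frame for test data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():   # constructed capture, not the pcapanalysis.com file
    pkts = [_frame("10.0.0.5", "10.0.0.2", 40000 + i, SSH_PORT, 0x02) for i in range(6)]
    pkts += [_frame("10.0.0.9", "10.0.0.2", 51000, 21, 0x02),       # FTP SYN, filtered out
             _frame("10.0.0.2", "10.0.0.5", SSH_PORT, 40000, 0x12)]  # server SYN/ACK, kept
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return bytes(out)
```

Run filter_ssh on the bytes of a real ftp.pcap and write the first returned value to ssh_bruteforce.pcap; the kept/total pair should match the 354 of 1011 Wireshark reports for that capture.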


2a. Upload ssh_bruteforce.pcap to NetworkTotal for analysis
https://www.networktotal.com/search.php?q=96c9f3e86c3efdbac04b7565f00152a2&pmd5=db24f994c606f70bc26b1c1ca609dade

Events:
Date                       sid             msg
Mon, 16 May 2016 23:34:48  [1:2003068:7]   ET SCAN Potential SSH Scan OUTBOUND
Mon, 16 May 2016 23:34:07  [1:2210037:1]   SURICATA STREAM FIN recv but no session
Mon, 16 May 2016 23:34:08  [1:2001978:8]   ET POLICY SSH session in progress on Expected Port
Mon, 16 May 2016 23:34:07  [1:2210037:1]   SURICATA STREAM FIN recv but no session
Mon, 16 May 2016 23:34:26  [1:2001219:20]  ET SCAN Potential SSH Scan
Mon, 16 May 2016 23:34:07  [1:2210037:1]   SURICATA STREAM FIN recv but no session
Mon, 16 May 2016 23:34:08  [1:2019876:4]   ET SCAN SSH BruteForce Tool with fake PUTTY version
Mon, 16 May 2016 23:34:26  [1:2003068:7]   ET SCAN Potential SSH Scan OUTBOUND


2b. Alternatively, upload ssh_bruteforce.pcap to VirusTotal for analysis
https://www.virustotal.com/en/file/56e7f42115710ea895684f90b51cbcd73558779a9d8fc4d21c6598513b41bf4c/analysis/1501054080/

Snort alerts (Sourcefire VRT ruleset):
INDICATOR-SCAN SSH brute force login attempt (Misc activity) [19559]
Consecutive TCP small segments exceeding threshold (Potentially Bad Traffic) [12]
Reset outside window (Potentially Bad Traffic) [15]


Suricata alerts (Emerging Threats ETPro ruleset):
ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic) [2002752]
ET SCAN Potential SSH Scan (Attempted Information Leak) [2001219]
ET SCAN SSH BruteForce Tool with fake PUTTY version (Detection of a Network Scan) [2019876]
ET POLICY SSH session in progress on Expected Port (Misc activity) [2001978]
ET SCAN Potential SSH Scan OUTBOUND (Attempted Information Leak) [2003068]