- Training SSH Bruteforce
- 1. Credit to sample from pcapanalysis.com
- Traffic Capture from DMZ ftp login and SSH brute force PCAP file download
- http://www.pcapanalysis.com/pcap-downloads/scanning-probing/traffic-capture-from-dmz-ftp-login-and-ssh-brute-force-pcap-file-download/
- Download ftp.pcap from: http://www.pcapanalysis.com/pcap-download/10
- Open ftp.pcap in Wireshark
- Apply display filter tcp.port == 22 (enter)
- File -> Export Specified Packets -> All packets Displayed (354 of 1011)
- Save As: ssh_bruteforce.pcap
- 2a. Upload ssh_bruteforce.pcap to NetworkTotal for analysis
- https://www.networktotal.com/search.php?q=96c9f3e86c3efdbac04b7565f00152a2&pmd5=db24f994c606f70bc26b1c1ca609dade
- Events:
- Date sid msg
- Mon, 16 May 2016 23:34:48 [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND
- Mon, 16 May 2016 23:34:07 [1:2210037:1] SURICATA STREAM FIN recv but no session
- Mon, 16 May 2016 23:34:08 [1:2001978:8] ET POLICY SSH session in progress on Expected Port
- Mon, 16 May 2016 23:34:07 [1:2210037:1] SURICATA STREAM FIN recv but no session
- Mon, 16 May 2016 23:34:26 [1:2001219:20] ET SCAN Potential SSH Scan
- Mon, 16 May 2016 23:34:07 [1:2210037:1] SURICATA STREAM FIN recv but no session
- Mon, 16 May 2016 23:34:08 [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version
- Mon, 16 May 2016 23:34:26 [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND
- 2b. Alternatively, upload ssh_bruteforce.pcap to VirusTotal for analysis
- https://www.virustotal.com/en/file/56e7f42115710ea895684f90b51cbcd73558779a9d8fc4d21c6598513b41bf4c/analysis/1501054080/
- Snort alerts Sourcefire VRT ruleset
- INDICATOR-SCAN SSH brute force login attempt (Misc activity) [19559]
- Consecutive TCP small segments exceeding threshold (Potentially Bad Traffic) [12]
- Reset outside window (Potentially Bad Traffic) [15]
- Suricata alerts Emerging Threats ETPro ruleset
- ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic) [2002752]
- ET SCAN Potential SSH Scan (Attempted Information Leak) [2001219]
- ET SCAN SSH BruteForce Tool with fake PUTTY version (Detection of a Network Scan) [2019876]
- ET POLICY SSH session in progress on Expected Port (Misc activity) [2001978]
- ET SCAN Potential SSH Scan OUTBOUND (Attempted Information Leak) [2003068]
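What the ET SCAN alerts above report is one source opening many SSH connections in a short time. The following is an added example (not from the pastebin or from NetworkTotal/VirusTotal) that reproduces that check offline over a pcap like the exported tcp.port == 22 capture: it parses the classic pcap format with only the standard library, counts TCP SYNs to port 22 per source, and flags sources exceeding a count within a time window. The count/seconds thresholds and the in-memory sample capture are assumptions constructed for the example, not the rule's own parameters or the ftp.pcap data.

```python
import struct

def build_pcap(packets):
    """Classic pcap (magic 0xA1B2C3D4, link type 1 = Ethernet) from (ts, frame) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

def tcp_syn_frame(src_ip, dst_ip, sport, dport):
    """Ethernet/IPv4/TCP frame carrying a bare SYN (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def syn_attempts(pcap_bytes, port=22):
    """Yield (timestamp, src_ip) for every TCP SYN without ACK sent to `port`."""
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) >= 14 and struct.unpack_from("!H", tcp, 2)[0] == port and tcp[13] & 0x12 == 0x02:
            yield sec + usec / 1e6, ".".join(str(b) for b in frame[26:30])

def flag_ssh_scanners(pcap_bytes, count=5, seconds=120.0):
    """{src_ip: total SYNs} for sources with >= `count` SSH SYNs in any `seconds` window (assumed thresholds)."""
    per_src = {}
    for ts, src in syn_attempts(pcap_bytes):
        per_src.setdefault(src, []).append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= seconds)
            if n >= count:
                flagged[src] = len(times)
                break
    return flagged

# Constructed sample: one host hammering port 22 (8 SYNs in 20 s), one normal SSH login, one FTP connection.
SAMPLE_PCAP = build_pcap(
    [(1000.0 + i * 2.5, tcp_syn_frame("10.0.0.5", "192.168.1.10", 40000 + i, 22)) for i in range(8)]
    + [(1100.0, tcp_syn_frame("10.0.0.9", "192.168.1.10", 51000, 22)),
       (1101.0, tcp_syn_frame("10.0.0.9", "192.168.1.10", 51001, 21))])
```

Running `flag_ssh_scanners(open("ssh_bruteforce.pcap", "rb").read())` on the exported capture applies the same check to the real file; only the brute-forcing source should come back.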