danielsauder

IT security is a matter of trust.

The first 15 days of a password honeypot

Two weeks ago I started running a password honeypot based on heralding. Here are a first analysis and the resulting wordlists.
Time frame of this analysis
From:
$ head -n 2 heralding_activity.log | cut -d "," -f1
timestamp
2016-10-07 19:33:32.291966
To:
$ tail -n 1 heralding_activity.log | cut -d "," -f1
2016-10-22 16:51:06.616767
Password attacks
Total (the CSV header line "password" is counted as well, so the real number of attempts is 406580):
$ cat heralding_activity.log | cut -d "," -f9 | sort | wc -l
406581
Total unique:
$ cat heralding_activity.log | cut -d "," -f9 | sort -u | wc -l
41309
Most hits from one IP
$ cat heralding_activity.log | cut -d "," -f4 | awk '{print $1}' | sort | uniq -c | sort -n | tail
    365 118.68.52.154
    404 185.56.82.83
    467 98.167.86.131
    496 125.212.225.107
    523 125.212.248.85
    581 222.124.18.147
    698 46.172.91.20
    771 116.228.12.138
  90983 221.229.172.117
 154845 180.97.244.253
Top users
$ cat heralding_activity.log | cut -d "," -f8 | awk '{print $1}' | sort | uniq -c | sort -n | tail
    438 supervisor
    452 service
    457 ubnt
   1284 user
   1353 guest
   2098 support
  12731 admin
  40297 shell
  53335 enable
 286812 root
The same list with shell and enable removed, since both come from Mirai (see below):
    438 supervisor
    452 service
    457 ubnt
   1284 user
   1353 guest
   2098 support
  12731 admin
 286812 root
Top passwords
$ cat heralding_activity.log | cut -d "," -f9 | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 15
   1963 xmhdipc
   2030 support
   2033 1111
   2034 default
   2394 54321
   2753 888888
   2767 (empty password)
   2769 123456
   2989 password
   3019 12345
   3507 vizxv
   3877 xc3511
   6117 admin
  40201 sh
  53764 system
The same list with system and sh removed, since both come from Mirai:
   1963 xmhdipc
   2030 support
   2033 1111
   2034 default
   2394 54321
   2753 888888
   2767 (empty password)
   2769 123456
   2989 password
   3019 12345
   3507 vizxv
   3877 xc3511
   6117 admin
As can be seen, the top accounts and passwords are the default credentials used by Mirai (the telnet pairs enable/system and shell/sh included).
Because of that, here are the top passwords for SSH only:
$ cat heralding_activity.log | grep ssh | cut -d "," -f9 | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 15
     81 123456789
     82 support
     91 "8ik
     98 test
    109 12345
    111 1234
    112 raspberry
    123 123qwe
    126 qwe123
    128 ubnt
    132 "
    136 password
    138 root
    147 admin
    421 123456
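The pipelines above do what they should, but with four rough edges a practitioner will want to smooth: they count the CSV header line, `grep ssh` matches any line that contains "ssh" anywhere (a password like ssh123 included, not just the protocol column), `awk '{print $1}'` truncates passwords that contain spaces, and the Mirai pairs are removed from the ranking by hand. The script below is an added example, not code from the post or from heralding. It assumes the column layout implied by the post's cut commands (timestamp in column 1, source IP in 4, protocol in 7, username in 8, password in 9) and runs on a constructed sample log, not real honeypot data. The pairs enable/system and shell/sh are not passwords anyone "tries": Mirai's telnet scanner sends enable, system, shell and sh as commands right after a password to find a shell prompt, and a honeypot that answers every line with a fresh login prompt records them as user/password pairs, which is exactly the root/12345, enable/system, shell/sh rhythm in the log.

```bash
#!/usr/bin/env bash
# Added example (not from the post or heralding): ranking credentials from
# heralding_activity.log with the header skipped, the protocol matched on its
# own column, the whole password field counted, and Mirai's telnet command
# pairs removed before ranking.
# Assumed column layout (from the post's cut commands):
# 1 timestamp, 4 source_ip, 7 protocol, 8 username, 9 password.
export LC_ALL=C   # byte-wise sort/uniq, independent of the user's locale

sample_log() {    # constructed sample rows, not real honeypot data
  cat <<'EOF'
timestamp,auth_id,session_id,source_ip,source_port,destination_port,protocol,username,password
2016-10-07 19:33:32.291966,1,1,198.51.100.10,40001,23,telnet,root,12345
2016-10-07 19:33:33.636283,2,1,198.51.100.10,40001,23,telnet,enable,system
2016-10-07 19:33:34.988987,3,1,198.51.100.10,40001,23,telnet,shell,sh
2016-10-07 19:33:36.876664,4,2,198.51.100.10,40002,23,telnet,root,xc3511
2016-10-07 19:33:38.301110,5,2,198.51.100.10,40002,23,telnet,enable,system
2016-10-07 19:33:39.719285,6,2,198.51.100.10,40002,23,telnet,shell,sh
2016-10-08 01:00:00.000000,7,3,203.0.113.5,51000,22,ssh,root,123456
2016-10-08 01:00:01.000000,8,3,203.0.113.5,51000,22,ssh,root,
2016-10-08 01:00:02.000000,9,3,203.0.113.5,51000,22,ssh,admin,a d m i n
2016-10-08 01:00:03.000000,10,4,203.0.113.5,51001,22,ssh,root,123456
EOF
}

# Drop the rows Mirai's scanner produces after a password attempt: it sends
# enable, system, shell and sh as commands, which a re-prompting honeypot logs
# as the pairs enable/system and shell/sh. The header line is never dropped.
drop_mirai_defaults() {
  awk -F, '!(($8=="enable" && $9=="system") || ($8=="shell" && $9=="sh"))'
}

# Count how often VALUE occurs in column COL, header skipped, whole field compared.
# Usage: field_count COL VALUE < log
field_count() {
  awk -F, -v c="$1" -v v="$2" 'NR>1 && $c==v { n++ } END { print n+0 }'
}

# Top-N values of column COL, optionally restricted to one protocol (column 7).
# Usage: top_values COL PROTO|all N < log   -> lines of "count value"
top_values() {
  awk -F, -v c="$1" -v p="$2" '
    NR>1 && (p=="all" || $7==p) { n[$c]++ }
    END { for (v in n) printf "%d %s\n", n[v], (v=="" ? "<empty>" : v) }' \
  | sort -k1,1nr -k2 | head -n "$3"
}

# Stand-alone run: the post's top-password list, Mirai pairs already removed.
sample_log | drop_mirai_defaults | top_values 9 all 5
```

The empty password shows up as `<empty>` instead of a bare count, and "a d m i n" is counted as one password rather than as "a". Pointing `top_values 8 telnet N` at the same data before and after `drop_mirai_defaults` reproduces the post's two telnet user rankings.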
Time to the first Mirai login attempt
Start of the honeypot (first line of heralding.log):
$ head -n 1 heralding.log | cut -d " " -f1,2
2016-10-07 19:27:35,447
$ head -n 10 heralding_activity.log | grep telnet | cut -d "," -f1,8,9
2016-10-07 19:33:32.291966,root,12345
2016-10-07 19:33:33.636283,enable,system
2016-10-07 19:33:34.988987,shell,sh
2016-10-07 19:33:36.876664,root,admin
2016-10-07 19:33:38.301110,enable,system
2016-10-07 19:33:39.719285,shell,sh
2016-10-07 19:33:41.544074,root,xmhdipc
2016-10-07 19:33:42.898664,enable,system
2016-10-07 19:33:44.245631,shell,sh
Conclusion:
The first Mirai login attempt (root/12345 followed by the enable/system and shell/sh pairs) came six minutes after the honeypot started (19:27:35 to 19:33:32).
A closer look at two brute-forcing attempts
771 116.228.12.138
771 attempts against SMTP:
$ cat heralding_activity.log | grep 116.228.12.138 | cut -d "," -f 1,7,8,9 | head -n 5
2016-10-19 01:21:50.393370,smtp,account,account
2016-10-19 01:21:50.504453,smtp,account,accountaccount
2016-10-19 01:21:51.943364,smtp,account,account1
2016-10-19 01:21:52.099676,smtp,account,account12
2016-10-19 01:21:52.641753,smtp,account,account123
$ cat heralding_activity.log | grep 116.228.12.138 | cut -d "," -f 1,7,8,9 | tail -n 5
2016-10-19 01:33:20.499069,smtp,webmaster,Passw0rd
2016-10-19 01:33:20.701765,smtp,webmaster,Password1
2016-10-19 01:33:20.889161,smtp,webmaster,Password123
2016-10-19 01:33:21.471823,smtp,webmaster,password
2016-10-19 01:33:21.637730,smtp,webmaster,password1
Nothing special, apart from the attacker cycling through several user accounts, each tried with mutations of the user name and a few common passwords.
90983 221.229.172.117
$ cat heralding_activity.log | grep 221.229.172.117 | cut -d "," -f 1,7,8,9 | head -n 5
2016-10-10 11:27:05.514881,ssh,root,!@
2016-10-10 11:27:05.836226,ssh,root,!@
2016-10-10 11:27:06.157371,ssh,root,password
2016-10-10 11:27:22.077912,ssh,root,cisco
2016-10-10 11:27:22.364435,ssh,root,stm
$ cat heralding_activity.log | grep 221.229.172.117 | cut -d "," -f 1,7,8,9 | tail -n 5
2016-10-19 05:07:10.324697,ssh,root,a0.418.0a
2016-10-19 05:07:10.566465,ssh,root,a d m i n
2016-10-19 05:07:11.256323,ssh,root,@WSXCVFR$
2016-10-19 05:07:20.925478,ssh,root,@root1234
The whole attack took nearly nine days (2016-10-10 to 2016-10-19) and targeted SSH logins as root.
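Both timing questions above, the seconds from honeypot start to the first attempt on a protocol and the span and volume of one source address's attack, can be answered from the log without GNU date or gawk's mktime. The script below is an added example, not code from the post or from heralding. It assumes the same column layout as the post's cut commands (timestamp in column 1, source IP in 4, protocol in 7) and runs on a constructed sample log, not real honeypot data. It matches the source IP exactly on its own column rather than grepping the line, because a grep for an address also hits every longer address that starts with the same digits (the sample contains 203.0.113.7 and 203.0.113.70 to show this), and it accepts both timestamp flavours seen on the page, the activity log's "19:33:32.291966" and heralding.log's "19:27:35,447".

```bash
#!/usr/bin/env bash
# Added example (not from the post or heralding): timing analysis over
# heralding_activity.log with a portable awk epoch conversion.
# Assumed column layout (from the post's cut commands):
# 1 timestamp, 4 source_ip, 7 protocol, 8 username, 9 password.
export LC_ALL=C

sample_log() {    # constructed rows, not real honeypot data; one IP is a prefix of another on purpose
  cat <<'EOF'
timestamp,auth_id,session_id,source_ip,source_port,destination_port,protocol,username,password
2016-10-07 19:33:32.291966,1,1,198.51.100.10,40001,23,telnet,root,12345
2016-10-07 19:33:33.636283,2,1,198.51.100.10,40001,23,telnet,enable,system
2016-10-07 19:33:34.988987,3,1,198.51.100.10,40001,23,telnet,shell,sh
2016-10-10 11:27:05.514881,4,2,203.0.113.7,51000,22,ssh,root,!@
2016-10-10 11:27:06.157371,5,2,203.0.113.7,51000,22,ssh,root,password
2016-10-19 05:07:10.566465,6,3,203.0.113.7,51001,22,ssh,root,a d m i n
2016-10-19 05:07:20.925478,7,3,203.0.113.7,51001,22,ssh,root,@root1234
2016-10-19 01:21:50.393370,8,4,203.0.113.70,52000,25,smtp,account,account
EOF
}

# awk: "YYYY-MM-DD HH:MM:SS..." -> Unix seconds, fraction ignored. Works with "."
# or "," after the seconds. Days-from-civil formula, so no gawk mktime needed.
EPOCH_AWK='
function epoch(ts,   y, m, d, H, M, S, a, yy, mm, days) {
  y = substr(ts, 1, 4) + 0;  m = substr(ts, 6, 2) + 0;  d = substr(ts, 9, 2) + 0
  H = substr(ts, 12, 2) + 0; M = substr(ts, 15, 2) + 0; S = substr(ts, 18, 2) + 0
  a = (m <= 2) ? 1 : 0; yy = y - a; mm = m + 12 * a - 3      # March-based year
  days = 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) + int((153 * mm + 2) / 5) + d - 1
  return (days - 719468) * 86400 + H * 3600 + M * 60 + S    # 719468 = days from 0000-03-01 to 1970-01-01
}
'

# Usage: seconds_between START END
seconds_between() {
  awk -v a="$1" -v b="$2" "$EPOCH_AWK"'BEGIN { print epoch(b) - epoch(a) }'
}

# Seconds from honeypot start to the earliest attempt on PROTO (-1 if none).
# Usage: time_to_first START PROTO < log
time_to_first() {
  awk -F, -v start="$1" -v p="$2" "$EPOCH_AWK"'
    NR > 1 && $7 == p && (first == "" || $1 < first) { first = $1 }
    END { if (first == "") print -1; else print epoch(first) - epoch(start) }'
}

# Attempts and span in seconds for one source IP, matched exactly on column 4.
# Usage: ip_span IP < log   -> "attempts seconds"
ip_span() {
  awk -F, -v ip="$1" "$EPOCH_AWK"'
    NR > 1 && $4 == ip { n++; if (first == "" || $1 < first) first = $1; if ($1 > last) last = $1 }
    END { if (n) print n, epoch(last) - epoch(first); else print 0, 0 }'
}

# Stand-alone run on the sample: first telnet attempt after 357 s, one IP's
# four SSH attempts spread over 754815 s (8.7 days).
sample_log | time_to_first "2016-10-07 19:27:35,447" telnet
sample_log | ip_span 203.0.113.7
```

Against the post's own numbers, `seconds_between "2016-10-07 19:27:35,447" "2016-10-07 19:33:32.291966"` gives 357 seconds, the "six minutes" above, and the 2016-10-10 11:27:05 to 2016-10-19 05:07:20 span works out to 754815 seconds, the "nearly nine days". The min/max in `ip_span` also holds when the log is not strictly ordered by time.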
Download the password lists
From this data I made two lists:
allpasswords.txt -> all passwords, sorted and unique
smtpcredentials.txt -> all SMTP credentials in user:password format, sorted and unique
https://github.com/govolution/honeypotwordlist
For a list with default credentials check out:
https://github.com/govolution/betterdefaultpasslist
