Brute Force Attacks

Time
2 hours 5 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:00
Hello, everyone, and welcome back to the course, Identifying Web Attacks Through Logs.
00:05
In the last video, we talked about vulnerability scans and their logs.
00:09
In this video, we'll talk about brute force attacks and their logs.
00:13
The objectives of this video are to review brute force attacks and to identify the brute force attacks using Web server logs.
00:21
Let's begin.
00:23
So what are brute force attacks?
00:26
A brute force attack occurs when someone is trying to get access to your system or, in our case, to our web page.
00:32
It's usually done with multiple login and password attempts, so the attacker is forcing the authentication.
00:39
To perform brute force attacks, it's common to use dictionaries or leaked information.
00:43
A dictionary is just a common password list, and leaked information about users and passwords can obviously make the attack much easier.
00:52
If the brute force attacker uses the dictionary, the attacker will take a lot of guesses and may use a lot of automation.
00:59
The leaked information could have the user name and password that the attacker needs, so the attacker may need to try fewer options.
01:07
That's why it's really important to change your password after some period of time or when you hear about leaked information from a website that you have an account with.
01:15
For web applications, the most common targets are HTTP forms.
01:19
Depending on the web application, the form can use GET or POST methods.
01:23
You'll see there is a difference between both requests.
01:26
If you remember from OWASP, the brute force attack is related to the broken authentication.
01:34
To see an example of the most common password,
01:37
check this web page.
01:40
In this attack, we'll use our lab.
01:42
There is a vulnerable HTTP form.
01:46
Some tools will help us to perform the attack.
01:49
We'll use Hydra and Burp Community Edition.
01:53
Here we have the logs of the attack.
01:57
Notice the user name and password information in the log.
02:00
There are many different user names and passwords.
02:04
Checking the date and time, it's also possible to see many requests in a short period of time.
02:08
One user sent seven requests in less than 10 seconds.
02:13
Here you have more than one user name as a target,
02:15
so if you're thinking that a user forgot his password,
02:19
many user names don't make sense.
02:22
Also, you have administrator logins.
02:24
For more information, here's the detail of one log line.
02:29
Here we can see the typical behavior of a brute force attack.
02:31
First, it has many requests to the login web page in a small period of time and different user names and passwords sent.
02:40
Here's another example.
02:43
In this case, only one user name is the target.
02:46
The user name Pablo is the target.
02:50
Notice that the behavior is similar.
02:52
Many requests in a small period of time from the same IP.
02:55
As I said before, we can use GET or POST methods.
03:00
In the last example, it was easy to identify the user name and the password because of the GET method.
03:06
Here we have an example of a request using the POST method.
03:08
Notice that we don't have the user name and the password in the request.
03:14
This happens because the request is in the payload. Later in this course, we'll analyze the HTTP payload.
03:21
Since it's a log, let's analyze it.
03:23
Check this user agent.
03:24
Hydra is a well-known tool used to perform brute force attacks.
03:29
It's also possible to see we have many requests in a short period of time from the same IP. All these requests are to the login web page.
03:38
One more example.
03:38
Check this log.
03:40
Here we have a POST, but the user agent looks normal.
03:44
In the real world,
03:45
things will not be so easy.
03:49
You always need to ask.
03:51
Is this an expected behavior?
03:53
Same IP,
03:53
small time between requests
03:57
in the login web page looks suspicious.
04:00
You can see that the referer and the requested page are the same. This could be someone trying to log in:
04:06
the user types the wrong user name or password and the login page is reloaded.
04:11
But could someone type the user name or password in three or four seconds?
04:15
Our conclusion is that this is an attack, specifically a brute force attack.
04:21
In this video, we used two tools:
04:24
THC Hydra and Burp Community Edition.
04:28
The difference between both is the number of the requests. With Hydra, we did many requests in a small period of time.
04:34
There are many other tools we can use to perform the brute force attacks, though.
04:39
Now,
04:40
let me give you some directions to identify these brute force attacks.
04:45
The first is to look for many requests in a small period of time to the login pages.
04:49
The same IP doing many requests is a good indicator of a brute force attack as well.
04:56
If your web application uses GET, look for different users or passwords.
05:01
For POST requests, look for the number of the requests and the time.
05:05
Don't forget to check the user agents.
05:11
Post assessment question.
05:13
You could always identify a brute force attack analyzing just the user agent.
05:19
Is this information true or false?
05:24
This information is false.
05:26
The user name would help, but an attacker can change it, as we saw in some examples.
05:31
For the next question, analyze the log below and identify the IP source, type of attack,
05:38
and what the attacker is trying to do.
05:44
We can easily identify the source IP address.
05:46
The requested page is a login page, many user name and password combinations, and a small period of time.
05:54
Usually, Administrator is an important user name.
05:58
Why would someone be trying to get administrator access to this web page?
06:01
In summary, we have:
06:03
the source IP is trying to perform a brute force attack, and the attack is trying to obtain the administrator password.
06:13
Video summary.
06:14
In today's video, we discussed the brute force attack,
06:16
analyzed the two types of brute force attacks using both GET and POST methods, and identified the attack analyzing the logs.
06:26
During the analysis, look for user agents, many requests in a small period of time,
06:30
requests to the login web pages,
06:33
and suspicious user names like administrator.
06:39
In the next video, we'll have a brief review of SQL injections and we'll analyze the logs to identify the SQL injections.