2 hours 5 minutes
Hello, everyone, and welcome back to the course, identifying my attacks through logs.
In the last video, we talked about vulnerability scans and their logs.
In this video, we'll talk about brute force attacks and their locks.
The objectives of this video are to review brute force attacks and to identify the brute force attacks using Web server logs.
So what are brute force attacks?
A brute force attack occurs when someone is trying to get access to your system or, in our case, tow our Web page.
It's usually done with multiple log in and password attempts, so the attacker is forcing the authentication
to perform brute force tax. It's common to use dictionaries or leaked information.
A dictionary is just a common password list, and leaked information about users and passwords can obviously make the attack much easier.
If the brute force attacker uses the dictionary, the attacker will take ah lot of guesses and may use a lot of automation.
The leaked information could have the user name and password that the attacker needs, so the attacker may need to try fewer options.
That's why it's really important to change your password after some period of time or when you hear about leaked information from a website that you have an account with
for Web applications, the most common targets are http forms.
Depending on the Web application, the form can use, get or post methods.
You'll see there is a difference between both requests.
If you remember from a WASP, the brute force attack is related to a to the broken authentication.
To see an example of the most common password
check This Web page
in this attack will use our lab.
There is a vulnerable http form.
Some tools will help us to perform the attack.
We'll use the Hydra and Burp community edition.
Here we have the logs of the attack.
Notice the user name and password information on the lock.
There are many different user names and passwords
checking the date and time. It's also possible to see many requests in a short period of time.
One user sent seven requests in less than 10 seconds.
Here you have more than one user name is a target,
So if you're thinking that a user forgot his password,
many user names doesn't make sense.
Also, you have administrator Loggins
for more information Here's the detail of one logline.
Here we can see the typical behavior of a brute force attack.
The first has many requests to log in Web page and a small period of time and different user names and passwords sent.
Here's another example.
In this case on Lee, one user name is the target.
The user name Pablo is the target.
Notice that the behavior is similar.
Many requests in a small period of time from the same I p.
I said before we can use get or post methods.
In the last example, it was easy to identify the user name in the password because of the get method.
Here we have an example of a request using the post method.
Notice that we don't have the user name and the password in the request.
This happens because of the request is in the payload. Later, in, this horse will analyze the http payload.
Since it's a log, let's analyze it.
Check this user Agent
Hydra is a well known tool used to perform brute force attacks.
It's also possible to see we have many requests in a short period of time from the same I p all these requests are to the Log and Web page.
One more example.
Check this lock
Here we have a post, but the user agent looks normal.
In the real world,
things will not be so easy.
You always need to ask.
Is this an expected behavior?
Small time between requests
in the Long and Whip eight Web page looks suspicious.
You can see that the refer and the requested page are the same. This could be someone trying to log in
the user types, the wrong user name or password in the log in pages reloaded.
But could someone type the user name or password in three or four seconds?
Our conclusion is that this is an attack, specifically a brute force attack.
In this video, we used to tools
THC, hydra and Burp Community Edition.
The difference between both is the number of the requests. With hydro. We did many requests in a small period of time.
There are many other tools we can use to perform the brute force attacks, though
let me give you some directions to identify these brute force attacks.
The first is to look for many requests in a small period of time to the log in pages.
The same IP doing many requests is a good indicator of a brute force attack as well.
If your Web application uses get, look for different users or passwords
for post requests, look for the number of the requests and the time.
Don't forget to check the user agents.
Post assessment question.
You could always identify a brute force attack analyzing just the user agent.
Is this information true or false?
This information is false.
The user name would help, but an attacker can change it. As we saw in some examples
for the next question, analyze the log below and identified the I p. Source type of attack
and what the attacker is trying to do.
We can easily identify the source i p address.
The requested page has a log in page, many user name and password combinations and a small period of time.
Usually, Administrator is an important user name.
Why would someone trying to get administrator access to this Web page?
In summary, we have
the source I p is trying to perform a brute force attack, and the attack is trying to obtain the administrator password
In today's video, we discussed the brute force attack,
analyze the two types of brute force attacks using both get and post methods and identified the attack analyzing the logs
during the analysis. Look for user agents many requests in a small period of time,
request to the log in Web pages
and suspicious user names like administrator.
In the next video, we'll have a brief review of SQL Injections and will analyze the logs to identify the SQL injections.