Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello, everyone, and welcome back to the course Identifying Web Attacks Through Logs. I'm Igor Vieira, and in the last video we talked about vulnerability scans
00:09
and its logs
00:11
In this one, we'll talk about brute force attacks and its logs.
00:16
The objectives of this video are
00:19
review the brute force attacks,
00:21
and identify brute force attacks using the web server logs.
00:25
Let's start
00:27
with brute force attacks.
00:30
A brute force attack occurs when someone is trying to get access to a system or, in our case, to a web page.
00:37
This is usually done with multiple login and password tries,
00:41
so the attacker is forcing the authentication
00:45
To perform the brute force attacks,
00:47
it's common to use dictionaries or leaked information.
00:52
A dictionary is just a common password list.
00:55
Leaked information about user IDs and passwords can make the attack much easier.
01:00
While the brute force attack
01:02
with dictionaries, the attacker uses a lot of guesses and a lot of automation. The leaked information can have the username and password that the attacker needs.
01:12
So the attacker will need to try fewer options.
01:18
That's why it's really important to change your password after some period of time or after you heard about leaked information from the website that you have an account.
01:27
For the web applications, the most common targets are HTTP forms. Depending on the web application,
01:36
the form can use GET or POST methods.
01:38
You will see there is a difference between both requests.
01:44
And if you remember the OWASP, the brute force attack is related to A2, the broken authentication.
01:52
To see an example of the most common passwords, check this web page.
01:56
In this attack, we use our lab.
02:00
There is a vulnerable HTTP form.
02:01
Some tools will help us to perform the attack.
02:05
We will use the Hydra
02:07
and Burp Community Edition.
02:10
Here we have the logs of the attack.
02:15
Notice the username and password information on the log.
02:19
Many different usernames and passwords.
02:23
Checking the date and time, it's possible to see many requests in a short time.
02:28
Well, didn't use ST seven requests in less than 10 seconds.
02:32
Here you have more than one username as target.
02:36
So if you're thinking that a user forgot his password,
02:40
many usernames doesn't make sense.
02:43
Also, you have administrator logins.
02:47
As information, the detail of one log line.
02:52
Here we can see a typical behavior of the brute force attack.
02:55
The first is
02:58
many requests to the login web page in a small period of time,
03:01
and different user name and password ST
03:06
Here is another example.
03:07
In this case, only one username is a target.
03:12
The username Pablo is the target.
03:14
Notice that the behavior is similar:
03:16
many requests
03:17
in a small period of time from the same IP.
03:22
As I said before, we can use GET or POST methods. In the last examples, it was easy to identify the username and the password
03:31
because of the GET method.
03:35
Here we have an example of the requests using the POST method.
03:39
Notice that we do not have the username and password in the request. This happens because the request is in the payload.
03:49
letting this course we want allies. They teach people a look. See, sits a log. Let's analyze.
03:55
Check this user agent.
03:58
Hydra is a well-known tool to perform brute force attacks. It is also possible to see that we have many requests in a short period of time from the same IP,
04:09
and all these requests are to the login web page.
04:13
One more example.
04:15
Check this log.
04:16
Here we have a POST,
04:17
but the user agent looks normal.
04:20
In the real world,
04:23
things will not be easy. You always need to ask: is this unexpected behavior?
04:29
Same IP, with more space between requests.
04:32
Login web page.
04:33
Looks suspicious. You can see that the referer and the requested page are the same.
04:41
This could be someone trying to log in:
04:44
the user types the wrong username or password
04:47
and the login page is reloaded. But could someone type username and password in three or four seconds?
04:56
So our conclusion is this is an attack, a brute force attack.
05:01
In this video, we used two tools:
05:04
THC Hydra and Burp Community Edition.
05:10
The difference between both is the number of requests. With Hydra, we did many requests in a smaller period of time. There are many other tools to perform the brute force attacks.
05:23
Now some directions to identify the brute force attacks.
05:27
The first is look for many requests in a small period of time to the login pages.
05:33
The same IP doing many requests
05:36
is a good indicator of the brute force attack. If our web application uses GET,
05:43
look for different users and passwords. For POST requests, look at the number of requests in the time.
05:50
Don't forget to check the user agents.
05:55
Post assessment question.
05:57
You can always identify a brute force attack analyzing just the user agent.
06:02
Is this information true or false?
06:06
This information is false. The user agent would help,
06:11
but an attacker can change it, as we saw in some examples.
06:16
For the next question, analyze the log below and identify the source,
06:21
type of attack,
06:24
and what the attacker is trying to do.
06:28
We can easily identify the source IP address.
06:30
The requested page is a login page,
06:34
many username and password combinations in a small period of time.
06:40
Usually, administrator is an important user. Why would someone be trying to get at least a little access to this web page?
06:49
So we have the source IP.
06:53
It's trying to perform a brute force attack,
06:56
and the attacker is trying to obtain the administrator password.
07:00
Video summary.
07:02
In today's video, we discussed
07:04
the brute force attack,
07:06
analyzed the two types of brute force attack using GET and POST methods,
07:12
and identified the attack analyzing the logs.
07:15
And during the analysis, look for user agents,
07:19
many requests in a small period of time,
07:23
requests to the login web pages,
07:26
and suspicious usernames like administrator.
07:30
In the next video,
07:31
we will have a brief review of SQL injections and analyze the logs to identify the SQL injection attacks.

Up Next

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor