Brute Force attack in progress!!!!



adri_ht_
11-17-2008, 11:34 PM
Unbelievable, I just got home from school and when I look up to my router the internet led and my FTP Server led are constantly flashing. I can't believe someone is trying to brute force my FTP Server that I have on the open... Thanks to all of you I know many tricks now.

Anyways, I couldn't get any logs out of my router which is using dd-wrt (if any of you know how, please let me know). My FTP Server is simply a NAS which doesn't log a thing. Nevertheless, I did a MITM attack on the internal IP of my FTP server and now I'm able to catch every single FTP brute force attempt with Wireshark. Which means I have proof, and even more, the public IP address of my dear offender.

Since my router has NAT set up, the guy obviously wasn't able to fingerprint my NAS; therefore he is using the wrong default username. Although I don't like people sneaking on my network, I think it is fun seeing an attack in progress.

Please help on how to proceed: are the Wireshark captures enough to bring down the guy? He is currently down to the letter C of his dictionary; I think I will let him run a little bit more. I would stay up all night, but unfortunately I have a Calculus test tomorrow! Thanks

streaker69
11-17-2008, 11:43 PM
Honestly, chances are, it's not worth pursuing via Law Enforcement. If they never really got in, then no one is going to be interested in pressing charges.

But you can pursue it through the originating ISP. Gather as much information as you can and email the logs to the ISP's Abuse@ email address. Be sure to include all appropriate timestamps as well as what time zone you're in.

Don't threaten them (unless you actually have the power to pull the threat off*) but tell them that a user on their network has violated the ToS/AUP of their service and you expect them to take whatever measures necessary to prevent it from happening again.

Chances are, you'll never hear anything back, but you'll probably never see an attack from that IP again.

*If you work for a public utility, you can threaten ISPs. As interference with a Public Utility is frowned upon by the Feds, and ISPs hate having the Feds show up and want to see their logs. It's amazing the number of IPs that have never shown back up in my logs. :)

adri_ht_
11-18-2008, 12:01 AM
Honestly, chances are, it's not worth pursuing via Law Enforcement. If they never really got in, then no one is going to be interested in pressing charges.

But you can pursue it through the originating ISP. Gather as much information as you can and email the logs to the ISP's Abuse@ email address. Be sure to include all appropriate timestamps as well as what time zone you're in.

Don't threaten them (unless you actually have the power to pull the threat off*) but tell them that a user on their network has violated the ToS/AUP of their service and you expect them to take whatever measures necessary to prevent it from happening again.

Chances are, you'll never hear anything back, but you'll probably never see an attack from that IP again.

*If you work for a public utility, you can threaten ISPs. As interference with a Public Utility is frowned upon by the Feds, and ISPs hate having the Feds show up and want to see their logs. It's amazing the number of IPs that have never shown back up in my logs. :)

Thanks for the quick reply. Anyways, I just did a geographic IP lookup on two sites and it is coming from China.... Here is the information:


CHINA BEIJING CNCGROUP HENAN PROVINCE NETWORK

I bet my ISP has no power nor jurisdiction over there, so I will just settle by closing my FTP port and sending the logs to my ISP as well as the ISP of the offender. I would love to send a message back saying at least back off or something, but I guess that will take scanning him for possible holes and will make it illegal on my part, right? Any other way, or should I just settle by walking away from the issue... Thanks

Note: I really have to go, I will get back tomorrow.

Virchanza
11-18-2008, 01:04 AM
I would love to send a message back saying at least back off or something, but I guess that will take scanning him for possible holes and will make it illegal on my part, right? Any other way, or should I just settle by walking away from the issue...

No no no, don't close your FTP port! :eek:

What you want to do is change your username and password so that he will crack it pretty soon. But of course, before you do that, you download some images of some Chinese girls doing some very questionable things with horses, and you save these images to your FTP folder.

That's EXACTLY what I'd do, and I'm not even joking (note the lack of smiley).

fastboi
11-18-2008, 01:36 AM
No no no, don't close your FTP port! :eek:

What you want to do is change your username and password so that he will crack it pretty soon. But of course, before you do that, you download some images of some Chinese girls doing some very questionable things with horses, and you save these images to your FTP folder.

That's EXACTLY what I'd do, and I'm not even joking (note the lack of smiley).

wow what a mental image you just gave me. I was about to hit the bed, but now I am scared of getting nightmares about horses and Chinese girls lol. But yeah... that's a pretty nice idea haha. Also image editing of the Chinese flag would be great lol

Virchanza
11-18-2008, 01:42 AM
wow what a mental image you just gave me. I was about to hit the bed, but now I am scared of getting nightmares about horses and Chinese girls lol. But yeah... that's a pretty nice idea haha. Also image editing of the Chinese flag would be great lol

Don't forget to write a program that deletes all your files and save it as "college_project.exe". Oh wups sorry, don't do that, it would be terrible if the intruder were to open it, oh God that would be just terrible. Forget the idea.

streaker69
11-18-2008, 08:02 AM
Thanks for the quick reply. Anyways, I just did a geographic IP lookup on two sites and it is coming from China.... Here is the information:


CHINA BEIJING CNCGROUP HENAN PROVINCE NETWORK

I bet my ISP has no power nor jurisdiction over there, so I will just settle by closing my FTP port and sending the logs to my ISP as well as the ISP of the offender. I would love to send a message back saying at least back off or something, but I guess that will take scanning him for possible holes and will make it illegal on my part, right? Any other way, or should I just settle by walking away from the issue... Thanks

Note: I really have to go, I will get back tomorrow.

Nope, not much you can do, other than make the entire Pacific Rim disappear. For example, I have my mail server configured that any traffic that comes from certain subnets gets dropped before they connect. Seeing how we generally do no business with any company on the PacRim, I can safely drop the entire region.

Thorn
11-18-2008, 09:02 AM
Don't forget to write a program that deletes all your files and save it as "college_project.exe". Oh wups sorry, don't do that, it would be terrible if the intruder were to open it, oh God that would be just terrible. Forget the idea.

That's horrid, mean, and low down.

I knew that there was something I liked about you.


Nope, not much you can do, other than make the entire Pacific Rim disappear. For example, I have my mail server configured that any traffic that comes from certain subnets gets dropped before they connect. Seeing how we generally do no business with any company on the PacRim, I can safely drop the entire region.

Agreed. I've blocked out huge chunks of the Pac Rim on both my email server and firewall, as well as those for clients.

Virchanza
11-18-2008, 09:31 AM
That's horrid, mean, and low down.

I knew that there was something I liked about you.

I'd be giddy as a school girl if I was the original poster, I'd be thinking "Hmm do I wanna put in a backdoor, or will I just screw up his master boot record?". It's brilliant, the hunter becomes the hunted, there's nothing better than watching someone who's watching you, you can paint your face and make a fort out of blankets and boxes. Don't forget to turn out the lights and turn on the black light :D

I'm not into doing anything malicious to people who haven't asked for it (peace and unity among all and all that). I like hacking but I've no desire to delete people's college work or to screw up their business. However... if I found someone trying to brute force my FTP server, well then my moral compass would spin right the way around and point South. To be honest I think I'd go for the backdoor, which still leaves the option open of destroying data later on. Actually a thought just came to me now, I'd probably try to overclock his CPU, proper crank it through the roof 'til it melts.

...but only if I had his permission, of course. It might be illegal in some jurisdictions to retaliate against an attacker, but thankfully right now I'm living in a country where they'd probably give you a medal if you murdered someone burglarizing your home. Back in my home country of Ireland the judicial system favours the criminal over the victim -- you'd have to dispose of the body and never mention it ever again or else run the risk of being convicted of "manslaughter" or some other bullshit offence. I'm with Randy Marsh on this one, "I'm sorry I thought this was America".

purehate
11-18-2008, 09:36 AM
Agreed. I've blocked out huge chunks of the Pac Rim on both my email server and firewall, as well as those for clients.
You guys are missing out on all the best pr0n, bootleg copies of windows and you'll never know if you're the heir to a Chinese emperor who left you a small fortune.:D:D:D:D:D

Barry
11-18-2008, 09:53 AM
You guys are missing out on all the best pr0n, bootleg copies of windows and you'll never know if you're the heir to a Chinese emperor who left you a small fortune.:D:D:D:D:D

Dear Mr. Pureh@te, On behalf of the late Emperor........

streaker69
11-18-2008, 10:13 AM
Dear Mr. Pureh@te, On behalf of the late Emperor........

Dear Mr. PureH@te

My name is Mr. Long Duck Dong, and I am writing you on behalf of our Late Emperor Sum Yung Guy who passed away without leaving an heir to the throne of our glorious nation...

Barry
11-18-2008, 10:28 AM
Dear Mr. PureH@te

My name is Mr. Long Duck Dong, and I am writing you on behalf of our Late Emperor Sum Yung Guy who passed away without leaving an heir to the throne of our glorious nation...

Just shows you get more spam than I do. :D

streaker69
11-18-2008, 10:42 AM
Just shows you get more spam than I do. :D

Uh, yeah. Here's a message I got from one of my least favorite people today.



I just wanted you to be aware that since yesterday, I received 5 “spam” emails to my internal email address. I cannot add the sender to my “junk mail” list since my address is internal to our organization. Not sure where these are coming from, but I thought you may want to know. Thanks.


GASP! 5 Spam messages? OMFG, whatever will they do. Nevermind the filter has blocked 3240 messages since Monday. I just went to my boss and said that the Spam filter must not be doing its job, so from now on, I will read all inbound mail and determine if it's spam or not and then forward the messages to the appropriate people. He told me to not bother. :)

Virchanza
11-18-2008, 10:54 AM
Nope, not much you can do, other than make the entire Pacific Rim disappear.

Did anyone else hold on to their chair when they read that? :confused:

streaker69
11-18-2008, 11:01 AM
Did anyone else hold on to their chair when they read that? :confused:

I guess if you're living in the PacRim that sounds scary, doesn't it?

Barry
11-18-2008, 11:03 AM
Uh, yeah. Here's a message I got from one of my least favorite people today.



GASP! 5 Spam messages? OMFG, whatever will they do. Nevermind the filter has blocked 3240 messages since Monday. I just went to my boss and said that the Spam filter must not be doing its job, so from now on, I will read all inbound mail and determine if it's spam or not and then forward the messages to the appropriate people. He told me to not bother. :)

Just forward all spam mail to that user for a day.

adri_ht_
11-18-2008, 09:38 PM
No no no, don't close your FTP port! :eek:

What you want to do is change your username and password so that he will crack it pretty soon. But of course, before you do that, you download some images of some Chinese girls doing some very questionable things with horses, and you save these images to your FTP folder.

That's EXACTLY what I'd do, and I'm not even joking (note the lack of smiley).

I wish I could have done that... Such a dirty and easy way of coming back at him. From all of the ones mentioned below, this is definitely the only one I think I can accomplish on my own!!

Unfortunately I had no time at all yesterday to do anything fancy.


Originally Posted by streaker69
Nope, not much you can do, other than make the entire Pacific Rim disappear.

I would do it if I had the list of networks to drop from the Pacific Rim.

Thorn
11-18-2008, 10:07 PM
I would do it if I had the list of networks to drop from the Pacific Rim.

Start with the attacking network and work backwards to the /1. Then look at your server logs, and you'll start seeing a lot. Again, work backwards on those. Finally, look at APNIC.

adri_ht_
11-18-2008, 11:25 PM
Start with the attacking network and work backwards to the /1. Then look at your server logs, and you'll start seeing a lot. Again, work backwards on those. Finally, look at APNIC.

Thanks I will work on that! BTW I found some good rules for iptables for those of you running a Linux Router. It will limit the number of attempts on an open port. I did some minor modifications from the original source in dd-wrt:


# forward port 21 on the WAN address to the NAS
iptables -t nat -I PREROUTING -p tcp -d $wan_ip --dport 21 -j DNAT --to 192.168.1.10:21
# packets belonging to an already-established FTP session always pass
iptables -I FORWARD -p tcp -d 192.168.1.10 --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
# at most one NEW connection per minute is accepted (burst of 1)
iptables -I FORWARD 2 -p tcp -d 192.168.1.10 --dport 21 -m state --state NEW -m limit --limit 1/min --limit-burst 1 -j ACCEPT
# anything above the limit goes to dd-wrt's logreject chain (logged and rejected)
iptables -I FORWARD 3 -p tcp -d 192.168.1.10 --dport 21 -j logreject

Basically it will only allow an attempt per minute on port 21. I did some testing with Hydra and it worked perfectly.
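The rate limit above keeps the attempts down, but you still want the evidence in a form you can send to an abuse@ address with timestamps and a time zone, as suggested earlier in the thread. The script below is an added example (not code from the thread or from dd-wrt): it reads a constructed one-line-per-packet rendering of an FTP control channel, as a Wireshark capture would show it, counts failed logins (530) and successes (230) per client address, and prints a summary in UTC. The addresses (203.0.113.7 from the documentation range stands in for the attacker), usernames and times are made up.

```python
"""Tally FTP login failures per source address from a captured control channel.

Added example, not code from the thread. The log format is a constructed
one-line-per-packet rendering of an FTP control channel (client commands and
server reply codes); addresses, usernames and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample capture: 203.0.113.7 walks a dictionary against the NAS at
# 192.168.1.10 using default usernames; one genuine LAN login is mixed in.
SAMPLE_LOG = """\
2008-11-17T23:30:01Z 203.0.113.7 -> 192.168.1.10 USER admin
2008-11-17T23:30:01Z 192.168.1.10 -> 203.0.113.7 331 Password required for admin
2008-11-17T23:30:02Z 203.0.113.7 -> 192.168.1.10 PASS aardvark
2008-11-17T23:30:02Z 192.168.1.10 -> 203.0.113.7 530 Login incorrect.
2008-11-17T23:30:03Z 203.0.113.7 -> 192.168.1.10 USER admin
2008-11-17T23:30:03Z 192.168.1.10 -> 203.0.113.7 331 Password required for admin
2008-11-17T23:30:04Z 203.0.113.7 -> 192.168.1.10 PASS abacus
2008-11-17T23:30:04Z 192.168.1.10 -> 203.0.113.7 530 Login incorrect.
2008-11-17T23:30:05Z 203.0.113.7 -> 192.168.1.10 USER root
2008-11-17T23:30:05Z 192.168.1.10 -> 203.0.113.7 331 Password required for root
2008-11-17T23:30:06Z 203.0.113.7 -> 192.168.1.10 PASS abbey
2008-11-17T23:30:06Z 192.168.1.10 -> 203.0.113.7 530 Login incorrect.
2008-11-17T23:31:10Z 192.168.1.20 -> 192.168.1.10 USER adri
2008-11-17T23:31:10Z 192.168.1.10 -> 192.168.1.20 331 Password required for adri
2008-11-17T23:31:12Z 192.168.1.20 -> 192.168.1.10 PASS correct-horse
2008-11-17T23:31:12Z 192.168.1.10 -> 192.168.1.20 230 Login successful.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (.*)$")
SERVER = "192.168.1.10"  # the NAS's internal address, as in the thread


def parse_line(line):
    """Return (timestamp, src, dst, payload) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def summarize(log_text, server=SERVER):
    """Per client address: failed/successful logins, usernames tried, time span."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0,
                                 "usernames": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, payload = rec
        client = dst if src == server else src   # replies come from the server
        s = stats[client]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if src != server and payload.upper().startswith("USER "):
            s["usernames"].add(payload.split(None, 1)[1])
        elif src == server and payload.startswith("530"):
            s["failures"] += 1        # server rejected the PASS
        elif src == server and payload.startswith("230"):
            s["successes"] += 1       # login accepted
    return dict(stats)


def abuse_report(stats, threshold=3):
    """Lines ready to paste into an abuse@ email: who, how many, and when (UTC)."""
    lines = []
    for client, s in sorted(stats.items()):
        if s["failures"] < threshold:
            continue
        lines.append(
            f"{client}: {s['failures']} failed FTP logins "
            f"(usernames tried: {', '.join(sorted(s['usernames']))}) "
            f"between {s['first'].isoformat()} and {s['last'].isoformat()} (UTC)"
        )
    return lines


if __name__ == "__main__":
    for line in abuse_report(summarize(SAMPLE_LOG)):
        print(line)
```

The report lists only clients at or above the failure threshold, so the LAN user who logged in once does not show up; the timestamps are carried as UTC so the recipient's time zone does not matter.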

Virchanza
11-19-2008, 12:59 AM
I've always thought brute-force attacks on servers could be easily prevented by enforcing a 30-second delay between accesses. For instance, instead of:


Start of Loop
Wait for Request
Process Request
End of Loop

You have:


Start of Loop
Wait for Request
Process Request
Sleep for 30 Seconds
End of Loop

I'd like to see you get through a dictionary at 2 words per second! I realise this could lead to people launching DoS attacks (DoS = Denial of Service), so as soon as someone tries to use a dodgy password, block the IP address for 30 minutes (or infinity, whichever you like).
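The sketch above pauses the whole server, which is exactly what hands an attacker the DoS it mentions. The following is an added example (not the poster's code) of the same idea applied per client address: one processed attempt per 30 seconds for each address, and a 30-minute lockout of that address after three consecutive bad passwords, so a dictionary run from one host never stalls logins from another. The credential store (PBKDF2 with a constant-time compare), the clock and the addresses are constructed stand-ins for whatever the real service uses.

```python
"""Per-client login throttle and lockout for a small FTP-style service.

Added example, not code from the thread. The pause applies per client address
rather than to the whole server, and repeated bad passwords lock only that
address out. The credential store and the clock are constructed stand-ins.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # PBKDF2 work factor for the constructed store


def make_store(credentials):
    """Constructed credential store: username -> (salt, PBKDF2-SHA256 hash)."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))
    return store


def make_verifier(store):
    """Return verify(user, password) -> bool using a constant-time digest compare."""
    def verify(user, password):
        entry = store.get(user)
        if entry is None:
            # hash anyway so an unknown user costs the same time as a known one
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)
    return verify


class LoginGuard:
    """One processed attempt per `min_interval` seconds per client address;
    `max_failures` consecutive bad passwords lock that address for `lockout` seconds."""

    def __init__(self, verify, min_interval=30.0, lockout=1800.0, max_failures=3,
                 clock=time.monotonic):
        self.verify = verify
        self.min_interval = min_interval
        self.lockout = lockout
        self.max_failures = max_failures
        self.clock = clock          # injectable so tests don't have to sleep
        self.last_attempt = {}      # client -> time of last processed attempt
        self.failures = {}          # client -> consecutive bad passwords
        self.locked_until = {}      # client -> lock expiry time

    def attempt(self, client, user, password):
        """Return 'ok', 'bad-password', 'throttled' or 'locked'."""
        now = self.clock()
        if now < self.locked_until.get(client, 0.0):
            return "locked"
        last = self.last_attempt.get(client)
        if last is not None and now - last < self.min_interval:
            return "throttled"      # refused before the password is even checked
        self.last_attempt[client] = now
        if self.verify(user, password):
            self.failures.pop(client, None)
            return "ok"
        count = self.failures.get(client, 0) + 1
        if count >= self.max_failures:
            self.failures.pop(client, None)
            self.locked_until[client] = now + self.lockout
            return "locked"
        self.failures[client] = count
        return "bad-password"


class FakeClock:
    """Manual clock for deterministic demos and tests."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Constructed walk-through: a dictionary run from one address, a normal user from another."""
    clock = FakeClock()
    guard = LoginGuard(make_verifier(make_store({"adri": "correct-horse"})), clock=clock)
    events = [  # (time, client, user, password); 203.0.113.7 is the made-up attacker
        (0, "203.0.113.7", "admin", "aardvark"),
        (5, "203.0.113.7", "admin", "abacus"),          # inside the 30 s window
        (31, "203.0.113.7", "admin", "abbey"),
        (62, "203.0.113.7", "root", "abbot"),           # third failure -> locked
        (62, "192.168.1.20", "adri", "correct-horse"),  # LAN user, unaffected
        (100, "203.0.113.7", "adri", "correct-horse"),  # right password, still locked
        (1862, "203.0.113.7", "adri", "correct-horse"), # lock has expired
    ]
    results = []
    for t, client, user, password in events:
        clock.t = float(t)
        results.append(guard.attempt(client, user, password))
    return results


if __name__ == "__main__":
    print(demo())
```

A throttled request is answered without touching the credential store and is not counted as a failure, so an attacker who hammers the port only ever gets one real guess per interval, and the lock expiry is checked before anything else so a correct password from a locked address is still refused until the 30 minutes are up.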