@1aN0rmus
1aN0rmus / DFIR_IT_Contest_Submission.md
Created October 5, 2016 15:10
DFIR_IT Contest Submission

The below report attempts to provide answers to the objectives set in the "NETWORK CHALLENGE - 001 - LINUX":

  1. Determine what likely occurred based on the evidence from the PCAP.
  2. Identify any network and/or host artifacts that could be used to scope this incident further.
  3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity.

The report comprises multiple sections:

@1aN0rmus
1aN0rmus / kippo-stats.txt
Created July 22, 2014 01:22
Kippo Stats
Unique values (135526 connections):
- usernames 8600
- passwords 75780
- sources 1985
# SSH client versions Count
--------------------------------------------------------------
1 SSH-2.0-libssh-0.1 109840
2 SSH-2.0-libssh-0.2 13500
@1aN0rmus
1aN0rmus / KippoUsers.txt
Created July 21, 2014 14:31
List of unique usernames attempted against my Kippo instance
root
a
b
user1
oracle
postgres
test
kippo
nagios
zabbix
@1aN0rmus
1aN0rmus / KippoIPList.txt
Created July 21, 2014 02:03
IPs connecting to my Kippo instance
@1aN0rmus
1aN0rmus / lastlog.txt
Created July 21, 2014 02:01
Kippo Logins
root pts/0 173.72.189.207 Thu Jan 24 20:59 - 21:00 (00:10)
root pts/0 54.235.161.133 Thu Jan 24 20:58 - 21:08 (10:01)
root pts/0 54.235.161.133 Thu Jan 24 21:54 - 21:55 (01:14)
root pts/0 173.72.189.207 Thu Jan 24 21:58 - 21:59 (00:18)
root pts/0 218.26.89.179 Fri Jan 25 03:51 - 03:51 (00:05)
root pts/0 218.26.89.179 Fri Jan 25 03:51 - 03:51 (00:08)
root pts/0 218.26.89.179 Fri Jan 25 03:51 - 03:51 (00:04)
root pts/0 218.26.89.179 Fri Jan 25 03:51 - 03:51 (00:08)
root pts/0 218.26.89.179 Fri Jan 25 03:51 - 03:51 (00:06)
@1aN0rmus
1aN0rmus / Password Statistics from Kippo Honeypot using Pipal
Last active February 22, 2020 05:33
Password Statistics from Kippo Honeypot using Pipal
remnux@remnux:~/custom_tools/pipal$ ./pipal.rb ../TekDefense/wordlist.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Basic Results
Total entries = 203400
Total unique entries = 75627
Top 10 passwords
123456 = 3561 (1.75%)