Last active
September 24, 2020 09:34
-
-
Save felmoltor/53dccadb0cb1b051a92e to your computer and use it in GitHub Desktop.
Kippo statistic extraction script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| TOPIP=15 | |
| TOPUP=30 | |
| TOPU=30 | |
| TOPP=30 | |
| TOPLU=15 | |
| TOPLP=15 | |
| GEOLITEDB="/home/<username>/maxmind/GeoIPCountryWhois.db" # Use the sqlite3 db created with http://pastebin.com/9WxCy5ks | |
| #================================ | |
| ip2dec () { | |
| local a b c d ip=$@ | |
| IFS=. read -r a b c d <<< "$ip" | |
| printf '%d\n' "$(((a * 256 ** 3) + (b * 256 ** 2) + (c * 256) + d))" | |
| } | |
| #================================ | |
| # saca el ranking de IPs con mas intentos de fuerza bruta | |
| echo "====================" | |
| echo "= Top $TOPIP source IP =" | |
| echo "====================" | |
| iplist=$(grep "login attempt" kippo.log* kippo.log | cut -f 6,9 -d' ' | cut -f3 -d',' | sed s/\\]\\s\\[/:/g | tr -d ']' | cut -f1 -d: | gawk '{for(i=1;i<=NF;i++)a[$i]++}END{ for(o in a) printf "%s:%s\n ",o,a[o]}' | sort -t: -k2 -nr | tr -d ' ' | head -n $TOPIP) | |
| for ip_and_count in $iplist | |
| do | |
| country="<UNKNOWN COUNTRY>" | |
| if [[ -f $GEOLITEDB ]]; then | |
| ip=$(echo $ip_and_count | cut -d':' -f1) | |
| ipdec=$(ip2dec $ip) | |
| query="select cty_name from GeoIPCountryWhois where $ipdec between CAST(initipdec AS INTEGER) and CAST(endipdec AS INTEGER) limit 1;" | |
| country=$(sqlite3 $GEOLITEDB "$query") | |
| else | |
| echo "Can't find GeoIP database $GEOLITEDB" | |
| fi | |
| echo "$ip_and_count ($country)" | |
| done | |
| echo "==========================" | |
| echo "= Top $TOPUP user/passwords =" | |
| echo "==========================" | |
| grep "login attempt" kippo.log* kippo.log | awk '{print $9}' | tr -d ']' | tr -d '[' | sort | uniq -c | sort -nr | head -n $TOPUP | |
| echo "===================" | |
| echo "= Top $TOPU users =" | |
| echo "===================" | |
| grep "login attempt" kippo.log* kippo.log | awk '{print $9}' | awk '{FS="/"}{print $1}' | tr -d ']' | tr -d '[' | sort | uniq -c | sort -nr | head -n $TOPU | |
| echo "=======================" | |
| echo "= Top $TOPP passwords =" | |
| echo "=======================" | |
| grep "login attempt" kippo.log* kippo.log | awk '{print $9}' | awk '{FS="/"}{print $2}' | tr -d ']' | tr -d '[' | sort | uniq -c | sort -nr | head -n $TOPP | |
| echo "=======================" | |
| echo "= Last $TOPLU users =" | |
| echo "=======================" | |
| # grep "login attempt" kippo.log* kippo.log | awk '{print $9}' | awk '{FS="/"}{print $1}' | tr -d ']' | tr -d '[' | tail -n $TOPLU | |
| grep -h "login attempt" kippo.log* kippo.log | tail -n $TOPLU | awk '{print $9" ("$1" "$2")"}' | sed -r 's/\[(.*)\/(.*)\]( \(.*\))/\1\3/g' | |
| echo "=======================" | |
| echo "= Last $TOPLP passwords =" | |
| echo "=======================" | |
| # grep "login attempt" kippo.log* kippo.log | awk '{print $9}' | awk '{FS="/"}{print $2}' | tr -d ']' | tr -d '[' | tail -n $TOPLP | |
| grep -h "login attempt" kippo.log* kippo.log | tail -n $TOPLU | awk '{print $9" ("$1" "$2")"}' | sed -r 's/\[(.*)\/(.*)\]( \(.*\))/\2\3/g' | |
| echo "===================" | |
| echo "= Fails / Success =" | |
| echo "===================" | |
| success=$(grep -E "login attempt \[.*/.*\] succeeded" kippo.log* kippo.log | wc -l) | |
| fails=$(grep -E "login attempt \[.*/.*\] failed" kippo.log* kippo.log | wc -l) | |
| echo "Nº Authentication Success: $success" | |
| echo "Nº Authentication Fails: $fails" | |
| #percentage=$((($success / $fails)*100)) | |
| #echo "Percentage of success: $percentage" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ==================== | |
| = Top 15 source IP = | |
| ==================== | |
| 103.41.124.12:6480 (Hong Kong) | |
| 103.41.124.53:6363 (Hong Kong) | |
| 103.41.124.19:5809 (Hong Kong) | |
| 117.27.249.4:1470 (China) | |
| 122.225.109.126:987 (China) | |
| 122.225.109.112:847 (China) | |
| 122.225.109.210:783 (China) | |
| 61.147.103.135:700 (China) | |
| 54.165.178.152:633 (United States) | |
| 122.225.109.207:581 (China) | |
| 218.244.130.250:567 (China) | |
| 222.186.34.244:552 (China) | |
| 61.174.51.197:537 (China) | |
| 61.174.51.232:522 (China) | |
| 122.225.97.89:512 (China) | |
| ========================== | |
| = Top 30 user/passwords = | |
| ========================== | |
| 374 root/admin | |
| 178 admin/ | |
| 111 root/123456 | |
| 105 admin/admin | |
| 86 root/root | |
| 84 root/abcd1234 | |
| 84 root/12qwaszx | |
| 82 root/1q2w3e4r5t6y | |
| 81 root/Qwer1234 | |
| 81 root/PassWord | |
| 80 root/1a2s3d4f | |
| 78 root/abcd@123 | |
| 77 root/1qazXSW@ | |
| 74 root/ans#150 | |
| 73 root/xiaozhe | |
| 72 root/password | |
| 72 root/1122334455 | |
| 71 root/qwerty123456 | |
| 71 root/password321 | |
| 71 root/Password! | |
| 71 root/danny | |
| 71 root/1q2w3e | |
| 71 admin/password | |
| 70 root/start123 | |
| 70 root/rootpass | |
| 70 root/changeme | |
| 69 root/zxm10 | |
| 69 root/poiuyt | |
| 69 root/pass123 | |
| 69 root/~!@#$%^& | |
| =================== | |
| = Top 30 users = | |
| =================== | |
| 41965 root | |
| 2392 admin | |
| 122 test | |
| 83 oracle | |
| 78 ubnt | |
| 65 guest | |
| 58 user | |
| 46 www | |
| 45 mysql | |
| 44 linux | |
| 44 apache | |
| 41 toor | |
| 41 tomcat | |
| 32 pi | |
| 32 nagios | |
| 29 testing | |
| 28 ftp | |
| 25 support | |
| 25 administrator | |
| 23 PlcmSpIp | |
| 22 default | |
| 21 alex | |
| 19 teamspeak | |
| 19 postgres | |
| 18 info | |
| 18 aaron | |
| 17 backup | |
| 17 adm | |
| 16 xbian | |
| 16 vyatta | |
| ======================= | |
| = Top 30 passwords = | |
| ======================= | |
| 501 admin | |
| 316 | |
| 213 123456 | |
| 165 password | |
| 159 root | |
| 123 12345 | |
| 108 1234 | |
| 101 abcd1234 | |
| 97 test | |
| 97 default | |
| 95 toor | |
| 92 1qaz2wsx | |
| 88 1q2w3e | |
| 88 123 | |
| 86 oracle | |
| 84 admin123 | |
| 84 12qwaszx | |
| 83 12345678 | |
| 82 1q2w3e4r5t6y | |
| 81 Qwer1234 | |
| 81 PassWord | |
| 80 1a2s3d4f | |
| 80 123123 | |
| 78 qwe123 | |
| 78 abcd@123 | |
| 78 1234567890 | |
| 77 1qazXSW@ | |
| 76 root123 | |
| 76 linux | |
| 76 cisco | |
| ======================= | |
| = Last 15 users = | |
| ======================= | |
| admin (2015-01-16 04:21:23+0100) | |
| admin (2015-01-16 04:21:25+0100) | |
| admin (2015-01-16 04:21:26+0100) | |
| admin (2015-01-16 05:16:33+0100) | |
| admin (2015-01-16 05:16:34+0100) | |
| admin (2015-01-16 05:16:36+0100) | |
| admin (2015-01-16 06:12:30+0100) | |
| admin (2015-01-16 06:12:32+0100) | |
| admin (2015-01-16 06:12:33+0100) | |
| admin (2015-01-16 06:54:17+0100) | |
| administrator (2015-01-16 07:45:56+0100) | |
| administrator (2015-01-16 07:45:57+0100) | |
| administrator (2015-01-16 07:45:59+0100) | |
| administrator (2015-01-16 08:34:33+0100) | |
| administrator (2015-01-16 08:34:34+0100) | |
| ======================= | |
| = Last 15 passwords = | |
| ======================= | |
| abc123 (2015-01-16 04:21:23+0100) | |
| abcd1234 (2015-01-16 04:21:25+0100) | |
| qwerty (2015-01-16 04:21:26+0100) | |
| 1234 (2015-01-16 05:16:33+0100) | |
| 1234qwer (2015-01-16 05:16:34+0100) | |
| 1234qwerty (2015-01-16 05:16:36+0100) | |
| 1q2w3e (2015-01-16 06:12:30+0100) | |
| admin1234 (2015-01-16 06:12:32+0100) | |
| sysadmin (2015-01-16 06:12:33+0100) | |
| sysadm (2015-01-16 06:54:17+0100) | |
| administrator (2015-01-16 07:45:56+0100) | |
| administrator123 (2015-01-16 07:45:57+0100) | |
| adm (2015-01-16 07:45:59+0100) | |
| sysadmin (2015-01-16 08:34:33+0100) | |
| sysadm (2015-01-16 08:34:34+0100) | |
| =================== | |
| = Fails / Success = | |
| =================== | |
| Nº Authentication Success: 389 | |
| Nº Authentication Fails: 45792 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment