A Study of Passwords and Methods Used in BruteForce SSH Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

A Study of Passwords and Methods Used in BruteForce SSH Attacks

Slides: 21
Provided by: jimo57

Transcript and Presenter's Notes

1
A Study of Passwords and Methods Used in
Brute-Force SSH Attacks
  • Jim Owens
  • Advisor: Jeanna Matthews
  • April 3, 2008

2
Overview
  • Introduction and Motivation
  • Experimental Setup
  • Honeypot configuration and deployment
  • Overview of data collection system
  • Experimental Results
  • High-level overview of results
  • Analysis of passwords and methods
  • Analysis of SSH Attack Tools
  • Future Work
  • Conclusions

3
Introduction and Motivation
  • Secure Shell or SSH
  • A network protocol for exchanging data over a
    secure channel between two computers
  • Widely supported on modern operating systems,
    including Unix, Linux, Mac OS X, Solaris, and
    OpenVMS
  • Commonly provides command line access to the host
    system
  • Supports various methods for authentication
    including passwords, public key, keyboard
    interactive, and General Security Services API

4
Introduction and Motivation
  • Brute-force password attacks against SSH
  • Represent the most common form of attack on
    servers facing the Internet
  • Routinely compromise systems with weak passwords
    for user accounts
  • Successful attacks provide a beachhead for
    privilege escalation exploits and installation of
    rootkits to hide the compromise
  • Can be used as a technique to compromise even
    fully patched systems

Source: SANS Top-20 2007 Security Risks
5
Introduction and Motivation
  • Linux systems running SSH servers are a popular
    target
  • Support for raw sockets provides flexibility in
    staging a variety of network attacks
  • Package management systems provide for rapid,
    free installation of Web and other servers
  • Mismanagement by inexperienced users leaves
    systems vulnerable to attack
  • Identified as a favored platform for phishing
    sites and botnet command and control nodes

6
Experimental Setup
  • Honeypot configuration and deployment
  • Low-end PCs with minimal Linux installs
  • Two SSH servers installed on each
  • Standard SSH server running on a non-standard
    port
  • Patched SSH server, modified to capture
    passwords, running on the standard SSH port (TCP
    port 22)
  • Database server and supporting scripts installed
    for data collection and aggregation
  • Three honeypots deployed on separate networks
  • Business network (68.236)
  • Residential DSL (74.71)
  • Campus network (128.153)

7
Experimental Setup
  • Patched server logs
  • Feb 10 11:17:04 stella sshd[12137]: PW-ATTEMPT id from 64.81.132.214
  • Feb 10 11:17:04 stella sshd[12137]: Failed password for invalid user root from 64.81.132.214 port 17346 ssh2
  • Feb 10 11:17:05 stella sshd[12142]: PW-ATTEMPT 1234567 from 64.81.132.214
  • Feb 10 11:17:05 stella sshd[12142]: Failed password for invalid user root from 64.81.132.214 port 17697 ssh2
  • Feb 10 11:17:06 stella sshd[12144]: PW-ATTEMPT asdfghjkl from 64.81.132.214
  • Feb 10 11:17:06 stella sshd[12144]: Failed password for invalid user root from 64.81.132.214 port 17769 ssh2
  • Feb 10 11:17:07 stella sshd[12146]: PW-ATTEMPT 0246 from 64.81.132.214
  • Feb 10 11:17:07 stella sshd[12146]: Failed password for invalid user root from 64.81.132.214 port 17862 ssh2

8
Experimental Setup
Database entries based on patched server log
entries
9
Experimental Setup
  • Overview of automated data collection
  • Honeypots continually gather and log attack data
    through the patched SSH server
  • Local script, running daily on the honeypots
  • Parses logs, inserting attack data into local
    database
  • Extracts research data and synchronizes with a
    central (and backup) server
  • Script on central server, running daily
  • Aggregates, sorts, and compresses research data
    for download and analysis
  • Password data integrated monthly into the Open
    Source cracklib project
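
As an added example (not part of the presentation or its honeypot scripts), the following Python reproduces the parsing step described on slides 7 to 9: it pairs each PW-ATTEMPT line emitted by the password-capturing patch with the Failed/Accepted password line logged by the same sshd process, stores the records in SQLite and runs the kind of query behind the "Top 20 passwords observed" slide. The sample log is constructed from the slide 7 entries with syslog punctuation restored plus two extra lines from a second source; the PW-ATTEMPT message layout, the table schema and its column names are assumptions, since the slides show only the log text and the table contents.

```python
from __future__ import annotations

import re
import sqlite3
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample in the format of the patched sshd log on slide 7 (syslog
# punctuation restored).  PW-ATTEMPT lines come from the honeypot's password-
# capturing patch (exact layout assumed); "Failed password" lines are stock OpenSSH.
SAMPLE_LOG = """\
Feb 10 11:17:04 stella sshd[12137]: PW-ATTEMPT id from 64.81.132.214
Feb 10 11:17:04 stella sshd[12137]: Failed password for invalid user root from 64.81.132.214 port 17346 ssh2
Feb 10 11:17:05 stella sshd[12142]: PW-ATTEMPT 1234567 from 64.81.132.214
Feb 10 11:17:05 stella sshd[12142]: Failed password for invalid user root from 64.81.132.214 port 17697 ssh2
Feb 10 11:17:06 stella sshd[12144]: PW-ATTEMPT asdfghjkl from 64.81.132.214
Feb 10 11:17:06 stella sshd[12144]: Failed password for invalid user root from 64.81.132.214 port 17769 ssh2
Feb 10 11:17:07 stella sshd[12146]: PW-ATTEMPT 0246 from 64.81.132.214
Feb 10 11:17:07 stella sshd[12146]: Failed password for invalid user root from 64.81.132.214 port 17862 ssh2
Feb 10 11:20:31 stella sshd[12201]: PW-ATTEMPT admin from 198.51.100.7
Feb 10 11:20:31 stella sshd[12201]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Feb 10 11:20:33 stella sshd[12205]: PW-ATTEMPT 1234567 from 198.51.100.7
Feb 10 11:20:33 stella sshd[12205]: Failed password for admin from 198.51.100.7 port 40120 ssh2
Feb 10 11:20:34 stella sshd[12205]: Connection closed by 198.51.100.7
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Greedy ".*" so a password that itself contains " from " splits at the last one.
PW_RE = re.compile(r"^PW-ATTEMPT:? (?P<password>.*) from (?P<ip>[\d.]+)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>.+?) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)


@dataclass(frozen=True)
class Attempt:
    timestamp: str      # syslog time (no year)
    honeypot: str       # logging host
    source_ip: str
    username: str
    password: str       # "" when no PW-ATTEMPT line was captured for the pid
    source_port: int
    outcome: str        # "Failed" or "Accepted"


def parse_attempts(lines: Iterable[str]) -> list[Attempt]:
    """Join each PW-ATTEMPT line with the auth result logged by the same sshd pid."""
    pending: dict[tuple[str, str], tuple[str, Optional[str]]] = {}  # (host, pid) -> (pw, ip)
    attempts: list[Attempt] = []
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        key = (m["host"], m["pid"])
        pw = PW_RE.match(m["msg"])
        if pw:
            pending[key] = (pw["password"], pw["ip"])
            continue
        auth = AUTH_RE.match(m["msg"])
        if not auth:
            continue                      # e.g. "Connection closed by ..."
        password, pw_ip = pending.pop(key, ("", None))
        if pw_ip is not None and pw_ip != auth["ip"]:
            password = ""                 # lost/reordered line: don't mis-attribute
        attempts.append(Attempt(m["ts"], m["host"], auth["ip"], auth["user"],
                                password, int(auth["port"]), auth["outcome"]))
    return attempts


def load_into_sqlite(attempts: Iterable[Attempt],
                     conn: Optional[sqlite3.Connection] = None) -> sqlite3.Connection:
    """Insert attempts into an `attempts` table (schema assumed; slide 8 shows rows, not DDL)."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS attempts (ts TEXT, honeypot TEXT, source_ip TEXT,"
                 " username TEXT, password TEXT, source_port INTEGER, outcome TEXT)")
    conn.executemany("INSERT INTO attempts VALUES (?, ?, ?, ?, ?, ?, ?)",
                     [(a.timestamp, a.honeypot, a.source_ip, a.username, a.password,
                       a.source_port, a.outcome) for a in attempts])
    conn.commit()
    return conn


def top_passwords(conn: sqlite3.Connection, limit: int = 20) -> list[tuple[str, int]]:
    """The 'Top N passwords observed' query; ties broken alphabetically for stable output."""
    return conn.execute("SELECT password, COUNT(*) AS n FROM attempts WHERE password <> ''"
                        " GROUP BY password ORDER BY n DESC, password LIMIT ?", (limit,)).fetchall()


def attempts_per_source(attempts: Iterable[Attempt]) -> Counter:
    """Per-IP attempt counts, the basis of the per-attack statistics on slide 10."""
    return Counter(a.source_ip for a in attempts)


if __name__ == "__main__":
    records = parse_attempts(SAMPLE_LOG.splitlines())
    db = load_into_sqlite(records)
    print(attempts_per_source(records))
    for password, n in top_passwords(db):
        print(f"{n:5d}  {password}")
```

Pairing by (host, pid) rather than by source address matters on a busy honeypot: several sshd children for the same client can interleave, and a PW-ATTEMPT line matched to the wrong "Failed password" line would attribute the guess to the wrong username.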

10
Experimental Results
  • Data collection spanned approx. 13 weeks
  • mid-July through late-August 2007
  • mid-December 2007 through mid-February 2008
  • Overall attack statistics
  • 333 distinct IPs counted; 14 IPs attacked two
    honeypots; just 1 IP attacked all three

11
Experimental Results
Top 20 passwords observed
12
Experimental Results
  • Attack dictionaries
  • Common lists of username/password pairs
  • Use indicated by similarity in attacks across the
    honeypots
  • Initial search based on total login attempts per
    attack, then by inspection
  • Strict criteria used to define a dictionary: the
    same number of identical username/password pairs
    used in multiple attacks by different IPs
  • Dictionary names based on the number of included
    login pairs
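
One way to apply the dictionary criterion above, as an added example rather than the author's analysis code: group attempts into attacks by source IP, take each attack's sorted list of username/password pairs as its signature, and report a signature as a dictionary when two or more distinct IPs used exactly the same pairs. Names follow the slide's convention (Dictionary-N for N pairs); the letter suffix that separates two different lists of equal size is an assumption made here. The attack data is constructed and uses RFC 5737 documentation addresses.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class LoginAttempt(NamedTuple):
    source_ip: str
    username: str
    password: str


Pair = Tuple[str, str]


def _attack(ip: str, pairs: Iterable[Pair]) -> List[LoginAttempt]:
    return [LoginAttempt(ip, u, p) for u, p in pairs]


# Constructed sample (RFC 5737 addresses): eight attacks.  LIST_A is reused by three
# IPs (one of them in reverse order), LIST_B and LIST_C by two each, and one IP
# tries a list nobody else uses.
LIST_A = [("root", "root"), ("admin", "admin"), ("test", "test")]
LIST_B = [("root", "123456"), ("oracle", "oracle"), ("guest", "guest"), ("user", "user")]
LIST_C = [("root", "toor"), ("mysql", "mysql"), ("ftp", "ftp")]
SAMPLE = (
    _attack("192.0.2.1", LIST_A) + _attack("192.0.2.2", LIST_A)
    + _attack("192.0.2.3", reversed(LIST_A))
    + _attack("198.51.100.4", LIST_B) + _attack("198.51.100.5", LIST_B)
    + _attack("203.0.113.6", LIST_C) + _attack("203.0.113.7", LIST_C)
    + _attack("203.0.113.8", [("root", "letmein"), ("admin", "p@ssw0rd")])
)


def group_attacks(attempts: Iterable[LoginAttempt]) -> Dict[str, List[Pair]]:
    """One attack = every attempt seen from one source IP (the slides group by IP)."""
    attacks: Dict[str, List[Pair]] = defaultdict(list)
    for a in attempts:
        attacks[a.source_ip].append((a.username, a.password))
    return attacks


def signature(pairs: Iterable[Pair]) -> Tuple[Pair, ...]:
    """Order-independent but multiplicity-preserving: the criterion is the same
    *number* of identical pairs, so a retried pair is not collapsed away."""
    return tuple(sorted(pairs))


def find_dictionaries(attempts: Iterable[LoginAttempt]) -> Dict[str, dict]:
    """Return {name: {"pairs": [...], "source_ips": [...]}} for every pair list
    that two or more distinct IPs used exactly."""
    by_sig: Dict[Tuple[Pair, ...], set] = defaultdict(set)
    for ip, pairs in group_attacks(attempts).items():
        by_sig[signature(pairs)].add(ip)

    dictionaries: Dict[str, dict] = {}
    for sig, ips in by_sig.items():
        if len(ips) < 2:
            continue                          # private list, not a shared dictionary
        base = name = f"Dictionary-{len(sig)}"  # slide convention: named by pair count
        suffix = ord("b")
        while name in dictionaries:           # two different lists of equal size
            name = f"{base}{chr(suffix)}"     # (suffix scheme is an assumption here)
            suffix += 1
        dictionaries[name] = {"pairs": list(sig), "source_ips": sorted(ips)}
    return dictionaries


def dictionary_usage(attempts: Iterable[LoginAttempt]) -> float:
    """Fraction of attacks whose pair list matched a shared dictionary
    (the kind of figure reported on slide 13)."""
    attempts = list(attempts)
    attacks = group_attacks(attempts)
    covered = {ip for d in find_dictionaries(attempts).values() for ip in d["source_ips"]}
    return len(covered) / len(attacks) if attacks else 0.0


if __name__ == "__main__":
    for name, d in find_dictionaries(SAMPLE).items():
        print(name, d["source_ips"], d["pairs"])
    print(f"{dictionary_usage(SAMPLE):.0%} of attacks used a shared dictionary")
```

Because the signature is the complete pair list, an attack that was cut short (the honeypot rebooted, the attacker's connection dropped) will not match its dictionary; the slide's "then by inspection" step is where such near-misses get resolved by hand.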

13
Experimental Results
  • Dictionaries were used in 17% of attacks

14
Experimental Results
Dictionary-9
15
Experimental Results
  • Attack methods
  • Roughly 1/3 of attacks consisted of 10 or fewer
    login attempts
  • About 10% of attacks included 1,000 or more login
    attempts
  • A small number of attacks appear specially
    designed to evade intrusion prevention systems
  • Slow motion attack: a series of login attempts
    from one IP address spaced out over time
  • Distributed attack: a series of coordinated login
    attempts distributed among multiple source IPs
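
Why the two evasive patterns matter to defenders, as an added example not drawn from the presentation: a per-IP rate rule of the kind an intrusion prevention system applies (here 5 failures in 60 seconds, an assumed threshold) catches the bulk attack but stays silent on both the slow-motion and the distributed pattern; a long-window per-IP count catches the slow attacker, and an aggregate view across source addresses catches the distributed burst. Thresholds and the sample timeline are constructed.

```python
from collections import Counter, defaultdict, deque
from typing import Callable, Deque, Hashable, Iterable, List, NamedTuple, Set


class FailedLogin(NamedTuple):
    ts: float        # seconds since epoch
    source_ip: str
    username: str


# Constructed timeline (RFC 5737 addresses): a bulk attacker, a slow-motion attacker
# and a distributed group, well separated in time so each rule's verdict is clear.
FAST_IP = "203.0.113.10"                                   # 10 guesses in 10 seconds
SLOW_IP = "198.51.100.20"                                  # one guess every 10 minutes, ~3 hours
DISTRIBUTED_IPS = [f"192.0.2.{i}" for i in range(1, 7)]    # 6 hosts, 2 guesses each, ~1 minute
SAMPLE: List[FailedLogin] = (
    [FailedLogin(float(i), FAST_IP, "root") for i in range(10)]
    + [FailedLogin(1000.0 + 600 * i, SLOW_IP, "root") for i in range(18)]
    + [FailedLogin(20000.0 + 5 * j + 60 * k, ip, "admin")
       for j, ip in enumerate(DISTRIBUTED_IPS) for k in range(2)]
)


def flag_by_window(events: Iterable[FailedLogin], key: Callable[[FailedLogin], Hashable],
                   window_s: float, threshold: int) -> Set[Hashable]:
    """Keys with at least `threshold` failures inside some span of `window_s` seconds.
    One deque of timestamps per key; events are sorted so each window slides once."""
    recent: dict = defaultdict(deque)
    flagged: Set[Hashable] = set()
    for e in sorted(events, key=lambda e: e.ts):
        q: Deque[float] = recent[key(e)]
        q.append(e.ts)
        while q and e.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key(e))
    return flagged


def classic_per_ip_rule(events: Iterable[FailedLogin]) -> Set[str]:
    """A typical IPS rule (assumed numbers): block an IP after 5 failures in 60 s."""
    return flag_by_window(events, lambda e: e.source_ip, 60, 5)


def slow_motion_rule(events: Iterable[FailedLogin]) -> Set[str]:
    """Same per-IP counting over 24 h: spacing guesses out no longer hides them."""
    return flag_by_window(events, lambda e: e.source_ip, 24 * 3600, 10)


def distributed_rule(events: Iterable[FailedLogin], window_s: float = 300,
                     min_sources: int = 5) -> Set[str]:
    """Aggregate view: flag a burst in which `min_sources` distinct IPs fail within
    `window_s` seconds and return every IP that took part.  Each participant alone
    stays under the per-IP threshold, which is what makes the pattern evasive."""
    window: Deque[FailedLogin] = deque()
    per_ip: Counter = Counter()
    participants: Set[str] = set()
    for e in sorted(events, key=lambda e: e.ts):
        window.append(e)
        per_ip[e.source_ip] += 1
        while window and e.ts - window[0].ts > window_s:
            old = window.popleft()
            per_ip[old.source_ip] -= 1
            if per_ip[old.source_ip] == 0:
                del per_ip[old.source_ip]
        if len(per_ip) >= min_sources:
            participants.update(per_ip)
    return participants


if __name__ == "__main__":
    print("classic 5-in-60s rule :", sorted(classic_per_ip_rule(SAMPLE)))
    print("24h per-IP rule       :", sorted(slow_motion_rule(SAMPLE)))
    print("distributed burst rule:", sorted(distributed_rule(SAMPLE)))
```

The aggregate rule is the one that needs correlation beyond a single host's view; deploying several honeypots on one network, as the Future Work slide proposes, is precisely what gives a defender the vantage point to tune `min_sources` against real traffic.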

16
Analysis of SSH Attack Tools
  • We captured two SSH attack toolkits in a separate
    low-interaction honeypot project
  • webmin, on 1/24/08
  • TurboB, on 3/23/08
  • A typical SSH tool set includes
  • One or more driver scripts
  • Port sweep tool
  • SSH scanner
  • Username/password list(s)
  • Optionally, supporting scripts and word lists

17
Analysis of SSH Attack Tools
  • webmin
  • Parts of three SSH tool sets, one complete
  • Three attack dictionary files, including an exact
    match for Dictionary-168
  • Supporting scripts and a list of 3,342 common
    words
  • TurboB
  • One complete SSH tool set, including two driver
    scripts, two port sweep tools, and one SSH scanner
  • 107 username/password pairs hard-coded into the SSH
    scanner; observed in four separate attacks

18
Analysis of SSH Attack Tools
  • Based on our analysis, SSH attack tools are
  • Compact and simple to deploy
  • Extremely easy to use
  • Fast: an entire Class B network can be scanned in
    a matter of minutes
  • Flexible: components mix and match; scan results
    can be emailed to the attacker or just stored locally
  • Effective: Web searches return numerous posts
    regarding real system compromises

19
Future Work
  • Refine honeypot software to allow simple
    deployment by untrusted participants, to provide
    a wider view of SSH attacks
  • Expand research efforts beyond usernames and
    passwords to study of source IPs, attack
    frequencies and timing, etc.
  • Deploy multiple honeypots on one network to
    search for possible IPS evasion methods across
    network clients

20
Conclusions
  • SSH attacks are a clear and present danger for
    Linux/Unix servers that permit passwords for
    authentication
  • Accounts with vulnerable passwords present a
    dangerous Achilles heel for SSH servers
  • There's little evidence of systematic
    brute-forcing of passwords; guessing is the
    rule
  • Widely shared password lists are commonly used in
    attacks; these same lists should be used to
    strengthen users' password selection