ssh sort-honeypot (vps)


anode

Hi guys, have a VPS I'm not utilizing much.

But after looking through the logs, I see a LOT of ssh login attempts. (of course I've moved my actual ssh port off 22)

So here's my idea: Set up a fake login prompt to harvest the names & PWs they try. (could be very useful in oclHashcat!!)

Anything already out there for it? Or can a simple bash or Python script do it? (I'm happy to try *if* it's possible. I hate chasing the unobtainable)

Would like it to bail on the IP after x failed attempts. (logging the IPs would be nice but not a must)

TIA


You could use netcat as a basic gathering tool, but if they check for the banner header, or the key exchange sequence of a real SSH handshake, then they may not attempt to log in.

Example: "nc -l 22 > /your/path/log.txt" would write any connecting data they send, to log.txt so long as nothing else uses port 22.

I do something similar for my honeypots with PHP, but they just grab any form data sent to the pages and log all of it at the web server end, including file upload attempts (all your shell.php files are belong to me.. thank you)

You could probably script up something with netcat in some manner though and automate a fake banner response and key exchange, then log whatever is sent to the port. Be careful in how you set up nc, because if it is open and accepting raw commands on your system, you just gave them root; hence, writing to a log file with the output > redirect.


Thanks for the reply!

I did a cursory look at kippo (listened to info about it on a podcast), but it goes further than I want. From what I have gathered (from a quick look at it, could be wrong), it provides a sandboxed shell on the 'hacked' remote system for the attacker to play in.

I'd like to stop it before they are (falsely) authenticated and have them try *more* login attempts for me to log names/pws.

I'm trying to build word lists for usernames and pw's


Forgot to mention, you need to keep the connection alive for each user who disconnects, and also, it's useful to add CRLFs.. lol.

"nc -Clkv 22 > log.txt"

Mind you, this will probably fail on true SSH clients, since there won't be any true protocol established (handshake, etc.), but for people with raw scripted telnet, perl, python or netcat bruteforcers, etc., that just send raw data, it will capture it all to a file.

edit:

Someone on Twitter also just mentioned to me, use fail2ban and log analysis.

https://twitter.com/xxDigiPxx/status/553713910281699329

Edited by digip
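A small Python listener that does what digip's "nc -Clkv 22 > log.txt" line does, plus the per-IP cutoff anode asked for. This is an added example, not code from anyone in this thread: it sends an SSH-looking banner, logs every line a client sends with source IP and timestamp, and drops a peer once it has sent MAX_ATTEMPTS lines. As digip points out, a real SSH client expects a key exchange after the banner and will disconnect, so this only records scripted brute-forcers that send raw text. The port, banner string, log path and attempt limit are assumptions.

```python
import socket
import threading
import time
from collections import defaultdict

MAX_ATTEMPTS = 3                      # assumption: anode's "bail after x failed attempts"
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # constructed banner, not copied from any real host

class PeerTracker:
    """Per-source-IP attempt counter shared by all connection threads."""
    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit, self.counts, self.lock = limit, defaultdict(int), threading.Lock()

    def record(self, ip):
        """Count one attempt; True means this peer has reached the limit."""
        with self.lock:
            self.counts[ip] += 1
            return self.counts[ip] >= self.limit

    def blocked(self, ip):
        with self.lock:
            return self.counts[ip] >= self.limit

def handle_client(conn, ip, tracker, sink):
    """Serve one connection; returns how many lines were logged from it."""
    logged = 0
    try:
        if tracker.blocked(ip):              # peer already used up its attempts
            return 0
        conn.sendall(BANNER)                 # raw-text brute-forcers carry on after this
        for raw in conn.makefile("rb"):      # real SSH clients expect KEXINIT and give up
            text = raw.rstrip(b"\r\n").decode("utf-8", "replace")
            sink.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {ip} {text!r}\n")  # repr keeps control bytes out
            logged += 1
            if tracker.record(ip):
                break                        # limit reached: drop the connection
    except OSError:
        pass
    finally:
        conn.close()
    return logged

def serve(port=2222, log_path="honeypot.log"):   # assumption: unprivileged port, redirect 22 to it
    tracker = PeerTracker()
    with socket.socket() as srv, open(log_path, "a", buffering=1) as sink:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port)); srv.listen()
        while True:
            conn, (ip, _) = srv.accept()
            threading.Thread(target=handle_client, args=(conn, ip, tracker, sink), daemon=True).start()
```

Run serve() to listen; the counter lives in memory, so restarting the script resets every peer's attempt count.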
