Hacking Tutorials
© 2017 Avinash Kak, Purdue University
Goals:
CONTENTS
Computer and Network Security by Avi Kak Lecture 24
• In this lecture I will focus on how people try to break into port 22
that is used for the SSH service. This is a critical service since
its use goes way beyond just remote login for terminal sessions. It
is also used for secure pickup of email from a mail-drop machine
and a variety of other applications.
search space in a brute-force attack increases exponentially with the lengths of the usernames and passwords
used in the attack, it is not generally feasible to mount such attacks through the internet. ]
• If you are logged into a Ubuntu machine, you can see these attempts on an ongoing basis by running the following command line in a separate window
• I will now show just a two minute segment of this log produced not too long ago on the host moonshine.ecn.purdue.edu. To make it easier to see the usernames being tried by the attacker, I have made a manual entry in a separate line for just the username that the attacker tries in the next break-in attempt. Note that the third line shown for each break-in attempt is truncated because it is much too long. Nonetheless, you can see all of the relevant information in what is displayed. This scan was mounted from the IP address 61.163.228.117. If you enter this IP address in the query window of http://www.ip2location.com/ or http://geoiptool.com, you will see that the attacker is
webadmin
linux
admin
ftp
mysql
oracle
guest
postgres
test
sales
staff
user
• All of the log entries I showed earlier were for accounts that do not exist on moonshine.ecn.purdue.edu. What I show next is a concerted attempt to break into the machine through the root account that does exist on the machine. This attack is from the IP address 202.99.32.53. As before, if you enter this IP address in the query window of http://www.ip2location.com/ or http://www.geoiptool.com/, you will see that the attacker is logged into a network that belongs to the CNCGroup Beijing Province Network in Beijing, China. Note that this is just a three minute segment of the log file.
Apr 10 16:23:20 moonshine sshd[32301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:23:22 moonshine sshd[32301]: Failed password for root from 202.99.32.53 port 42273 ssh2
Apr 10 16:23:29 moonshine sshd[32303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:23:32 moonshine sshd[32303]: Failed password for root from 202.99.32.53 port 42499 ssh2
Apr 10 16:23:39 moonshine sshd[32305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:23:41 moonshine sshd[32305]: Failed password for root from 202.99.32.53 port 42732 ssh2
Apr 10 16:23:48 moonshine sshd[32307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:23:50 moonshine sshd[32307]: Failed password for root from 202.99.32.53 port 42976 ssh2
Apr 10 16:23:58 moonshine sshd[32309]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:23:59 moonshine sshd[32309]: Failed password for root from 202.99.32.53 port 43208 ssh2
Apr 10 16:24:06 moonshine sshd[32311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:24:08 moonshine sshd[32311]: Failed password for root from 202.99.32.53 port 43439 ssh2
Apr 10 16:24:15 moonshine sshd[32313]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:24:17 moonshine sshd[32313]: Failed password for root from 202.99.32.53 port 43659 ssh2
Apr 10 16:24:24 moonshine sshd[32315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:24:26 moonshine sshd[32315]: Failed password for root from 202.99.32.53 port 43901 ssh2
Apr 10 16:24:33 moonshine sshd[32317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:24:35 moonshine sshd[32317]: Failed password for root from 202.99.32.53 port 44128 ssh2
Apr 10 16:24:42 moonshine sshd[32319]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:24:44 moonshine sshd[32319]: Failed password for root from 202.99.32.53 port 44352 ssh2
Apr 10 16:24:51 moonshine sshd[32321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:24:53 moonshine sshd[32321]: Failed password for root from 202.99.32.53 port 44577 ssh2
Apr 10 16:25:00 moonshine sshd[32323]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:01 moonshine sshd[32323]: Failed password for root from 202.99.32.53 port 44803 ssh2
Apr 10 16:25:09 moonshine sshd[32325]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:11 moonshine sshd[32325]: Failed password for root from 202.99.32.53 port 45024 ssh2
Apr 10 16:25:18 moonshine sshd[32327]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:20 moonshine sshd[32327]: Failed password for root from 202.99.32.53 port 45269 ssh2
Apr 10 16:25:27 moonshine sshd[32329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:29 moonshine sshd[32329]: Failed password for root from 202.99.32.53 port 45496 ssh2
Apr 10 16:25:36 moonshine sshd[32331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:38 moonshine sshd[32331]: Failed password for root from 202.99.32.53 port 45725 ssh2
Apr 10 16:25:45 moonshine sshd[32333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:47 moonshine sshd[32333]: Failed password for root from 202.99.32.53 port 45951 ssh2
Apr 10 16:25:54 moonshine sshd[32335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:25:56 moonshine sshd[32335]: Failed password for root from 202.99.32.53 port 46186 ssh2
Apr 10 16:26:03 moonshine sshd[32337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:26:05 moonshine sshd[32337]: Failed password for root from 202.99.32.53 port 46402 ssh2
Apr 10 16:26:12 moonshine sshd[32339]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:26:14 moonshine sshd[32339]: Failed password for root from 202.99.32.53 port 46637 ssh2
Apr 10 16:26:21 moonshine sshd[32341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 10 16:26:23 moonshine sshd[32341]: Failed password for root from 202.99.32.53 port 46859 ssh2
....
....
....
Apr 10 21:41:58 moonshine sshd[757]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:41:58 moonshine sshd[757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:41:59 moonshine sshd[757]: Failed password for root from 78.153.210.68 port 43828 ssh2
Apr 10 21:42:01 moonshine sshd[759]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:01 moonshine sshd[759]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:02 moonshine sshd[759]: Failed password for root from 78.153.210.68 port 43948 ssh2
Apr 10 21:42:03 moonshine sshd[761]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:04 moonshine sshd[761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:06 moonshine sshd[761]: Failed password for root from 78.153.210.68 port 44058 ssh2
Apr 10 21:42:08 moonshine sshd[763]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:08 moonshine sshd[763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:09 moonshine sshd[763]: Failed password for root from 78.153.210.68 port 44210 ssh2
Apr 10 21:42:11 moonshine sshd[765]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:11 moonshine sshd[765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:12 moonshine sshd[765]: Failed password for root from 78.153.210.68 port 44330 ssh2
Apr 10 21:42:14 moonshine sshd[767]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:14 moonshine sshd[767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:16 moonshine sshd[767]: Failed password for root from 78.153.210.68 port 44440 ssh2
Apr 10 21:42:17 moonshine sshd[769]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:17 moonshine sshd[769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:19 moonshine sshd[769]: Failed password for root from 78.153.210.68 port 44568 ssh2
Apr 10 21:42:20 moonshine sshd[771]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:20 moonshine sshd[771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:22 moonshine sshd[771]: Failed password for root from 78.153.210.68 port 44698 ssh2
Apr 10 21:42:23 moonshine sshd[773]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:23 moonshine sshd[773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:25 moonshine sshd[773]: Failed password for root from 78.153.210.68 port 44818 ssh2
Apr 10 21:42:27 moonshine sshd[775]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:27 moonshine sshd[775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:29 moonshine sshd[775]: Failed password for root from 78.153.210.68 port 44928 ssh2
Apr 10 21:42:30 moonshine sshd[777]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:30 moonshine sshd[777]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:32 moonshine sshd[777]: Failed password for root from 78.153.210.68 port 45089 ssh2
Apr 10 21:42:33 moonshine sshd[779]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:33 moonshine sshd[779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:34 moonshine sshd[779]: Failed password for root from 78.153.210.68 port 45186 ssh2
Apr 10 21:42:36 moonshine sshd[781]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:36 moonshine sshd[781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:37 moonshine sshd[781]: Failed password for root from 78.153.210.68 port 45299 ssh2
Apr 10 21:42:38 moonshine sshd[783]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:38 moonshine sshd[783]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:40 moonshine sshd[783]: Failed password for root from 78.153.210.68 port 45405 ssh2
Apr 10 21:42:41 moonshine sshd[785]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:41 moonshine sshd[785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:43 moonshine sshd[785]: Failed password for root from 78.153.210.68 port 45521 ssh2
Apr 10 21:42:45 moonshine sshd[787]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:45 moonshine sshd[787]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:47 moonshine sshd[787]: Failed password for root from 78.153.210.68 port 45663 ssh2
Apr 10 21:42:48 moonshine sshd[789]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:48 moonshine sshd[789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:49 moonshine sshd[789]: Failed password for root from 78.153.210.68 port 45778 ssh2
Apr 10 21:42:51 moonshine sshd[791]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:51 moonshine sshd[791]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:53 moonshine sshd[791]: Failed password for root from 78.153.210.68 port 45882 ssh2
Apr 10 21:42:54 moonshine sshd[793]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:54 moonshine sshd[793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:55 moonshine sshd[793]: Failed password for root from 78.153.210.68 port 46011 ssh2
Apr 10 21:42:57 moonshine sshd[795]: reverse mapping checking ..... [78.153.210.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 21:42:57 moonshine sshd[795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost
Apr 10 21:42:58 moonshine sshd[795]: Failed password for root from 78.153.210.68 port 46123 ssh2
....
....
....
• Until recently, DenyHosts was the most popular tool used for
keeping an eye on the sshd server access logs (in /var/log/auth.log
on Linux machines). DenyHosts, however, was removed from
Ubuntu distributions of Linux sometime in 2014 for “unaddressed
security issues” and other reasons.
you will soon see, by using regex based filters, Fail2Ban can also try to detect malicious behaviors by the connections made by IP addresses (say, for downloading web pages) and subsequently it can take any action you wish vis-a-vis those IP addresses. ]
activity is involved, it can take different actions. If you examine the file jail.conf, you will see entries for an application that is named [apache-badbots] that monitors accesses to HTTP and HTTPS in order to catch intruders that make seemingly ordinary web accesses but for the sole purpose of mining email addresses from the web pages being doled out. Fail2Ban detects activities with the help of filters based on regular expressions. A certain number of these filters are predefined in the /etc/fail2ban/ directory. However, you can create your own filters, either to supersede those that come predefined or to cover new kinds of behaviors by malicious hosts. ]
• Fail2Ban is written in Python and all of its files are in the directory /etc/fail2ban. That directory and its subdirectories contain a number of config files that can be used to specify different criteria for trapping IP addresses that make intrusion attempts (and
It should return:
Status
|- Number of jail: 1
`- Jail list: sshd
ride the corresponding entries in the “.conf” files. This ploy allows the “.conf” files to be changed with upgrades
install of Fail2Ban):
bantime = 3600
findtime = 3600
maxretry = 5
mta = sendmail
destemail = root@localhost
action = %(action_mwl)s
tool.
your needs. For example, when I used to use DenyHosts on my Linux laptop, I changed the ADMIN_EMAIL to kak@localhost, uncommented the SMTP_FROM and SYNC_SERVER lines, set PURGE_DENY to 1w, BLOCK_SERVICE to ALL, DENY_THRESHOLD_INVALID to 3, DENY_THRESHOLD_VALID to 5, SYNC_INTERVAL to 1h, SYNC_UPLOAD to
Apr 25 16:29:03 moonshine sshd[31037]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:03 moonshine sshd[31037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:04 moonshine sshd[31037]: Failed password for root from 190.12.41.50 port 54042 ssh2
Apr 25 16:29:08 moonshine sshd[31039]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:08 moonshine sshd[31039]: Invalid user apple from 190.12.41.50
Apr 25 16:29:08 moonshine sshd[31039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:10 moonshine sshd[31039]: Failed password for invalid user apple from 190.12.41.50 port 54102 ssh2
Apr 25 16:29:13 moonshine sshd[31041]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:13 moonshine sshd[31041]: Invalid user magazine from 190.12.41.50
Apr 25 16:29:13 moonshine sshd[31041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:15 moonshine sshd[31041]: Failed password for invalid user magazine from 190.12.41.50 port 54163 ssh2
Apr 25 16:29:18 moonshine sshd[31043]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:18 moonshine sshd[31043]: Invalid user sophia from 190.12.41.50
Apr 25 16:29:18 moonshine sshd[31043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:20 moonshine sshd[31043]: Failed password for invalid user sophia from 190.12.41.50 port 54227 ssh2
Apr 25 16:29:23 moonshine sshd[31045]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:28 moonshine sshd[31047]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:28 moonshine sshd[31047]: Invalid user taylor from 190.12.41.50
Apr 25 16:29:28 moonshine sshd[31047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:30 moonshine sshd[31047]: Failed password for invalid user taylor from 190.12.41.50 port 54351 ssh2
Apr 25 16:29:33 moonshine sshd[31049]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:33 moonshine sshd[31049]: Invalid user vanessa from 190.12.41.50
Apr 25 16:29:33 moonshine sshd[31049]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:34 moonshine sshd[31049]: Failed password for invalid user vanessa from 190.12.41.50 port 54406 ssh2
Apr 25 16:29:38 moonshine sshd[31051]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:38 moonshine sshd[31051]: Invalid user alyson from 190.12.41.50
Apr 25 16:29:38 moonshine sshd[31051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:39 moonshine sshd[31051]: Failed password for invalid user alyson from 190.12.41.50 port 54467 ssh2
Apr 25 16:29:42 moonshine sshd[31053]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:42 moonshine sshd[31053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:44 moonshine sshd[31053]: Failed password for root from 190.12.41.50 port 54509 ssh2
Apr 25 16:29:48 moonshine sshd[31055]: reverse mapping .... [190.12.41.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 25 16:29:48 moonshine sshd[31055]: Invalid user research from 190.12.41.50
Apr 25 16:29:48 moonshine sshd[31055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rho
Apr 25 16:29:50 moonshine sshd[31055]: Failed password for invalid user research from 190.12.41.50 port 54581 ssh2
• From the segment of the log file shown above, you can see that the
intruder made 10 attempts before getting trapped by DenyHosts.
How many attempts an intruder is allowed to make before any
further connection requests are summarily refused depends on the
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
where the first number sets the limit on how many times an
intruder can try to gain entry with usernames that do NOT exist
in the /etc/passwd file and the second sets a similar limit on
trying to gain entry through usernames that actually do exist. I
subsequently changed the former to 3 and the latter to 5.
• Obviously, what values you choose for the two parameters shown above and other similar parameters in the config file depends on how much latitude you want to give the legitimate users of your host with regard to any accidental mis-entry of user names and passwords.
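To make the two threshold schemes concrete, here is an added example that is not the lecture's code and not the implementation of Fail2Ban or DenyHosts. It reads auth.log lines in the format of the log segments shown earlier and applies a sliding window in the spirit of the maxretry/findtime/bantime settings from jail.local, combined with DenyHosts' separate DENY_THRESHOLD_INVALID and DENY_THRESHOLD_VALID limits for usernames that do not and do exist on the host. The regex, the monitor class, the documentation-range IP addresses and the sample log lines are all constructed for this example; the year 2017 is an assumption, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" lines sshd writes to /var/log/auth.log, in the
# format shown in the lecture. Hypothetical regex written for this example,
# not one of Fail2Ban's own filter definitions.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failure(line, year=2017):
    """Return (timestamp, ip, user, user_is_invalid) for a failed-login line, else None.
    syslog lines carry no year, so the caller supplies one (assumed 2017 here)."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())          # collapse the double space in "May  5"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["invalid"] is not None


class BruteForceMonitor:
    """Sliding-window ban logic in the spirit of Fail2Ban's maxretry/findtime/bantime,
    with DenyHosts-style separate thresholds for non-existent and existing usernames."""

    def __init__(self, findtime=3600, bantime=3600,
                 deny_threshold_invalid=5, deny_threshold_valid=10):
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.threshold = {True: deny_threshold_invalid, False: deny_threshold_valid}
        self.failures = defaultdict(list)   # (ip, user_is_invalid) -> recent failure times
        self.banned_until = {}              # ip -> datetime at which the ban lapses

    def is_banned(self, ip, now):
        return ip in self.banned_until and now < self.banned_until[ip]

    def feed(self, line):
        """Consume one log line. Returns the IP if this line triggered a ban, else None."""
        parsed = parse_failure(line)
        if parsed is None:                   # not a failed-login line: ignore it
            return None
        ts, ip, _user, invalid = parsed
        if self.is_banned(ip, ts):
            return None
        key = (ip, invalid)
        # Drop failures that fell out of the findtime window, then count this one.
        recent = [t for t in self.failures[key] if ts - t <= self.findtime]
        recent.append(ts)
        self.failures[key] = recent
        if len(recent) >= self.threshold[invalid]:
            self.banned_until[ip] = ts + self.bantime
            return ip
        return None


def run_monitor(lines, **settings):
    """Feed every line through a fresh monitor; return {ip: time the ban started}."""
    mon = BruteForceMonitor(**settings)
    bans = {}
    for line in lines:
        ip = mon.feed(line)
        if ip is not None:
            bans[ip] = parse_failure(line)[0].strftime("%b %d %H:%M:%S")
    return bans


# Constructed sample of auth.log lines (documentation IP ranges, not real attackers):
# 192.0.2.5 makes 4 failures, then a 5th one 100 minutes later; 198.51.100.9 tries
# the existing root account 3 times; 203.0.113.7 rotates through 6 invalid usernames.
SAMPLE_LOG = """\
Apr 10 15:00:01 moonshine sshd[30001]: Failed password for invalid user ecn from 192.0.2.5 port 33901 ssh2
Apr 10 15:00:05 moonshine sshd[30003]: Failed password for invalid user ecn from 192.0.2.5 port 34028 ssh2
Apr 10 15:00:09 moonshine sshd[30005]: Failed password for invalid user ecn from 192.0.2.5 port 34163 ssh2
Apr 10 15:00:13 moonshine sshd[30007]: Failed password for invalid user ecn from 192.0.2.5 port 34282 ssh2
Apr 10 16:23:20 moonshine sshd[32301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr 10 16:23:22 moonshine sshd[32301]: Failed password for root from 198.51.100.9 port 42273 ssh2
Apr 10 16:23:32 moonshine sshd[32303]: Failed password for root from 198.51.100.9 port 42499 ssh2
Apr 10 16:23:41 moonshine sshd[32305]: Failed password for root from 198.51.100.9 port 42732 ssh2
Apr 10 16:30:01 moonshine sshd[32401]: Failed password for invalid user apple from 203.0.113.7 port 54102 ssh2
Apr 10 16:30:04 moonshine sshd[32403]: Failed password for invalid user magazine from 203.0.113.7 port 54163 ssh2
Apr 10 16:30:07 moonshine sshd[32405]: Failed password for invalid user sophia from 203.0.113.7 port 54227 ssh2
Apr 10 16:30:10 moonshine sshd[32407]: Failed password for invalid user taylor from 203.0.113.7 port 54351 ssh2
Apr 10 16:30:13 moonshine sshd[32409]: Failed password for invalid user vanessa from 203.0.113.7 port 54406 ssh2
Apr 10 16:30:16 moonshine sshd[32411]: Failed password for invalid user alyson from 203.0.113.7 port 54467 ssh2
Apr 10 16:40:00 moonshine sshd[32501]: Failed password for invalid user moonshine from 192.0.2.5 port 34384 ssh2
Apr 10 16:45:00 moonshine sshd[32601]: Accepted publickey for kak from 203.0.113.20 port 50001 ssh2
"""

if __name__ == "__main__":
    print("defaults:        ", run_monitor(SAMPLE_LOG.splitlines()))
    print("findtime=7200:   ", run_monitor(SAMPLE_LOG.splitlines(), findtime=7200))
    print("valid threshold 3", run_monitor(SAMPLE_LOG.splitlines(), deny_threshold_valid=3))
```

With the defaults only 203.0.113.7 is banned, at its fifth invalid-user failure; rotating usernames does not help it because the count is kept per source address. 192.0.2.5 escapes because its fifth failure arrives outside the one-hour findtime, and widening findtime to 7200 seconds is enough to catch it. The root attempts from 198.51.100.9 stay under the larger threshold for existing accounts unless that threshold is lowered, which is the trade-off the previous bullet describes.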
is making only 4 attempts for each login name, one less than it takes to get disbarred by the config settings shown previously. To see the source of the attack, enter the IP address 66.135.39.212 in the query window of http://www.ip2location.com and you will notice that this address belongs to a company called Zartana based in Brazil. In its description at LinkedIn, this company claims to be able to deliver 2,000,000 email messages per hour.
May 5 10:11:23 moonshine sshd[27483]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:23 moonshine sshd[27483]: Invalid user ecn from 66.135.39.212
May 5 10:11:23 moonshine sshd[27483]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:23 moonshine sshd[27483]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:25 moonshine sshd[27483]: Failed password for invalid user ecn from 66.135.39.212 port 33901 ssh2
May 5 10:11:25 moonshine sshd[27485]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:25 moonshine sshd[27485]: Invalid user ecn from 66.135.39.212
May 5 10:11:25 moonshine sshd[27485]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:25 moonshine sshd[27485]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:28 moonshine sshd[27485]: Failed password for invalid user ecn from 66.135.39.212 port 34028 ssh2
May 5 10:11:29 moonshine sshd[27487]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:29 moonshine sshd[27487]: Invalid user ecn from 66.135.39.212
May 5 10:11:29 moonshine sshd[27487]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:29 moonshine sshd[27487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:31 moonshine sshd[27487]: Failed password for invalid user ecn from 66.135.39.212 port 34163 ssh2
May 5 10:11:32 moonshine sshd[27489]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:32 moonshine sshd[27489]: Invalid user ecn from 66.135.39.212
May 5 10:11:32 moonshine sshd[27489]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:32 moonshine sshd[27489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:34 moonshine sshd[27489]: Failed password for invalid user ecn from 66.135.39.212 port 34282 ssh2
May 5 10:11:35 moonshine sshd[27491]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:35 moonshine sshd[27491]: Invalid user moonshine from 66.135.39.212
May 5 10:11:35 moonshine sshd[27491]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:35 moonshine sshd[27491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:37 moonshine sshd[27491]: Failed password for invalid user moonshine from 66.135.39.212 port 34384 ssh2
May 5 10:11:37 moonshine sshd[27493]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:37 moonshine sshd[27493]: Invalid user moonshine from 66.135.39.212
May 5 10:11:37 moonshine sshd[27493]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:37 moonshine sshd[27493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:40 moonshine sshd[27493]: Failed password for invalid user moonshine from 66.135.39.212 port 34514 ssh2
May 5 10:11:41 moonshine sshd[27495]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:41 moonshine sshd[27495]: Invalid user moonshine from 66.135.39.212
May 5 10:11:41 moonshine sshd[27495]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:41 moonshine sshd[27495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:43 moonshine sshd[27495]: Failed password for invalid user moonshine from 66.135.39.212 port 34637 ssh2
May 5 10:11:43 moonshine sshd[27497]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:43 moonshine sshd[27497]: Invalid user moonshine from 66.135.39.212
May 5 10:11:43 moonshine sshd[27497]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:43 moonshine sshd[27497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:46 moonshine sshd[27497]: Failed password for invalid user moonshine from 66.135.39.212 port 34759 ssh2
May 5 10:11:47 moonshine sshd[27499]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:47 moonshine sshd[27499]: Invalid user purdue from 66.135.39.212
May 5 10:11:47 moonshine sshd[27499]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:47 moonshine sshd[27499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:49 moonshine sshd[27499]: Failed password for invalid user purdue from 66.135.39.212 port 34906 ssh2
May 5 10:11:49 moonshine sshd[27501]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:49 moonshine sshd[27501]: Invalid user purdue from 66.135.39.212
May 5 10:11:49 moonshine sshd[27501]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:49 moonshine sshd[27501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:52 moonshine sshd[27501]: Failed password for invalid user purdue from 66.135.39.212 port 35030 ssh2
May 5 10:11:52 moonshine sshd[27503]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:52 moonshine sshd[27503]: Invalid user purdue from 66.135.39.212
May 5 10:11:52 moonshine sshd[27503]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:52 moonshine sshd[27503]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:54 moonshine sshd[27503]: Failed password for invalid user purdue from 66.135.39.212 port 35189 ssh2
May 5 10:11:55 moonshine sshd[27505]: reverse mapping checking getaddrinfo for server2.tusom.org [66.135.39.212] failed - POSSIBL
May 5 10:11:55 moonshine sshd[27505]: Invalid user purdue from 66.135.39.212
May 5 10:11:55 moonshine sshd[27505]: pam_unix(sshd:auth): check pass; user unknown
May 5 10:11:55 moonshine sshd[27505]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.
May 5 10:11:58 moonshine sshd[27505]: Failed password for invalid user purdue from 66.135.39.212 port 35321 ssh2
• The following two facts have given much impetus to the development of password cracking methods during the last twenty years: (1) The older versions of the Microsoft Windows platform used an extremely weak method for hashing passwords; and (2) The near universality of the Windows machines all around the world.
• Since the LM Hash has served as such a magnet for the development of password cracking algorithms, it is educational to review it. For the LM Hash algorithm, a password is limited to a maximum of 14 ASCII characters and zero-padded to 14 if shorter than that. Any lowercase characters in the password are converted to uppercase. Subsequently, this 14-character string is divided into two 7-character substrings, with the 56 bits of each substring used
the key would be the hash of a password and the value the password itself. For a disk-based hash table for LM password cracking, each key C would require 8 bytes and each P 7 bytes. Therefore, each <key,value> pair would require a total of 15 bytes. This implies the hash table would require 15 × 9 × 10^12 bytes of storage — that is 135 terabytes of disk storage. Considering that RAID array storage is now down to around $100 per terabyte, creating a full lookup table for attacking the LM Hash passwords is not that out of the question any longer. ]
• If the size of the disk space mentioned above seems large, you can reduce the space needed considerably if you assume that random juxtapositions of the characters are unlikely to exist in a password. You can construct lookup tables whose sizes are only a few gigabytes by just using concatenations of meaningful word fragments. If the passwords are short enough, such lookup tables can be deadly effective in instantly revealing a user’s password string.
• If you still believe that the disk storage needed for a lookup table
attack is much too large for the sort of password hashes you
want to attack, or if your goal is to attack (or, say, to attempt
attacking) longer passwords, you are going to need the rainbow
tables.
• Let p be the plaintext password and c be its hash. Let the hashing
function that takes us from p to c be the function H(.). So we
have c = H(p). Let’s now envision a reduction function R(.)
that when applied to c yields a string that looks like a plaintext.
Let p′ be the plaintext that results from applying the reduction
function to c. So we can write p′ = R(c).
• Given the pair of functions H() and R() as defined above, starting
from some randomly chosen plaintext p1 from the space of all
passwords, we can now construct a hash chain in the following
manner:
$$p_1 \longrightarrow c_1 = H(p_1) \longrightarrow p_2 = R(c_1) \longrightarrow c_2 = H(p_2) \longrightarrow p_3 = R(c_2) \longrightarrow c_3 = H(p_3) \longrightarrow p_4 = R(c_3) \longrightarrow \cdots$$

$$\begin{array}{cc}
\text{starting point} & \text{endpoint} \\
p_{11} & p_{1k} \\
p_{21} & p_{2k} \\
p_{31} & p_{3k} \\
\cdots & \cdots
\end{array}$$
• Let’s say that a password cracker wants to use the above table to crack a given hash C. The cracker creates a chain — let’s refer to it as the test hash chain — by first applying R() to C to get q1 = R(C), and then applying H() to q1 to get d1 = H(q1), and so on. The test chain will now look like:
$$q_1 = R(C) \longrightarrow d_1 = H(q_1) \longrightarrow q_2 = R(d_1) \longrightarrow d_2 = H(q_2) \longrightarrow q_3 = R(d_2) \longrightarrow \cdots$$
endpoint entry pik in the second column of the table, the cracker
can expect with a high probability that the password associated
with C is in the chain that corresponds to the ith row of the
table. The starting point in this row is given by pi1. The cracker
will now regenerate the chain for the ith row of the table. The
regenerated chain will look like:
pi1 −→ ci1=H(pi1 ) −→ pi2 = R(ci1 ) −→ ci2=H(pi2 ) −→ · · · · · · −→ cik−1=H(pik−1 ) −→ pik=R(cik−1 )
With a significant probability, the cracker will find that his hash
C matches one of the hashes in this chain. [Note that the hash C
that the cracker wants to crack can be anywhere in the chain.] Once a match is
found, the password that the cracker is looking for is the plaintext
that immediately precedes C in the chain.
• That leads to the question of how long to grow the test chain
starting with C as we look for plaintext matches with the end-
points in the table. The answer is that if the test hash chain was
grown through k steps, which is the same number of steps used
in the hash chain table, and if no plaintext matched with any of
the endpoints, then the password that the cracker is looking for
does NOT exist in any of the chains stored in the table.
• Additionally, let’s say that as we grow the test hash chain one
step at a time starting with the hash C to be cracked, we run
into a qm that matches one of the endpoints in our table, but we
are unable to find C in the chain for that row. In such an event,
we continue to grow the test chain and look for another qn that
• Ideally, the hash chain table should have the property that the
passwords stored implicitly in all the chains span (to the
maximum extent possible) the space of all possible passwords.
This is for the obvious reason that if a legitimate password is
neither a starting point, nor an endpoint, nor in the interior
of any of the chains, then there would be no way to get to this
password from its hash. Said another way, if a password is never
produced by a reduction step (and is not a starting point) during
the construction of the hash chain table, then that password
cannot be inferred from its hash.
much lower probability than was the case with hash-chain tables
as presented above. This also takes care of one more problem
with the old-style hash-chain tables. You see, in hash-chain ta-
bles as explained above, there is always a possibility that you will
encounter a loop as you grow a chain. Since a reduction func-
tion is intentionally many-to-one, there is always a chance that
the password that is reduced to will be the same at two different
places in a chain. [Obviously, this can also happen in a test hash chain.] As
with chain collisions, such loops reduce the efficiency of a hash
chain table. However, when you use different reduction functions
for the successive reduction steps in a chain, you are less likely to
run into loops.
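The chain construction, the test-chain lookup with its false alarms from merged chains, and the per-step reduction functions of the rainbow refinement, carried through as an added example that is not the lecture’s own code. It assumes a toy password space of four lowercase letters with SHA-256 standing in for H(); the reduction function R(), the chain length and the number of chains are my own constructed choices. Passing a constant in place of the column index to R() turns the code back into the plain hash-chain table described first.

```python
import hashlib
import random
import string

# Constructed toy parameters for this example: 4-letter lowercase passwords
# (26**4 = 456,976 candidates), chains of k = 40 plaintexts, 3000 chains.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
K = 40
NUM_CHAINS = 3000


def H(p):
    """The one-way hash H(.) of the lecture; plain SHA-256 stands in here."""
    return hashlib.sha256(p.encode()).digest()


def R(c, pos):
    """Reduction function R(.): maps a hash back into the password space.
    Mixing in the column index 'pos' gives a different reduction function at
    each step of a chain (the rainbow-table refinement, which suppresses loops
    and merges); a constant pos at every step is the plain hash-chain table."""
    n = int.from_bytes(c[:8], "big") ^ (pos * 0x9E3779B97F4A7C15)
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain(start, k):
    """Plaintexts p_1 ... p_k of the chain that begins at 'start'."""
    plains = [start]
    for pos in range(k - 1):
        plains.append(R(H(plains[-1]), pos))
    return plains


def build_table(num_chains, k, seed=1):
    """Store only endpoint -> starting points; chains that merge share an endpoint."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choices(ALPHABET, k=PW_LEN))
        table.setdefault(chain(start, k)[-1], []).append(start)
    return table


def crack(C, table, k):
    """Return the password whose hash is C, or None if no chain contains it."""
    # C may sit in any hash column j = 0 .. k-2.  For each guess of j, grow the
    # test chain from that column to the end and compare with the endpoints.
    for j in range(k - 2, -1, -1):
        q = R(C, j)
        for pos in range(j + 1, k - 1):
            q = R(H(q), pos)
        for start in table.get(q, []):
            # A merged chain can give a false alarm, so regenerate the row and
            # confirm that C really is one of its hashes before answering.
            for p in chain(start, k):
                if H(p) == C:
                    return p
    return None


def coverage(table, k):
    """Fraction of the password space the stored chains actually reach; a
    password never produced by a reduction step cannot be cracked."""
    seen = set()
    for starts in table.values():
        for start in starts:
            seen.update(chain(start, k))
    return len(seen) / len(ALPHABET) ** PW_LEN


if __name__ == "__main__":
    table = build_table(NUM_CHAINS, K)
    rows = sum(len(v) for v in table.values())
    print("chains: %d, distinct endpoints: %d, coverage: %.1f%%"
          % (rows, len(table), 100 * coverage(table, K)))
    # Pick a password the table is known to reach and crack its hash.
    target = chain(next(iter(table.values()))[0], K)[5]
    print("cracked %s... -> %s" % (H(target).hex()[:16], crack(H(target), table, K)))
```

The gap between the number of chains and the number of distinct endpoints is the count of merged chains; the coverage figure makes concrete the point above that a password the reductions never produce is simply out of reach.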
• Now that you know about password cracking, the very first thing
you need to become aware of is that the lookup-table and rainbow-
table attacks described above cannot be precomputed against pass-
words hashed with state-of-the-art password hashing schemes that
use variable “salts” and variable “rounds”: the salt means every
user’s hash would need a table of its own, and the round count
makes each entry of such a table expensive to produce. Such hashes
can still be attacked one guess at a time, but every guess costs the
attacker the same multi-round computation it costs the login pro-
gram. As to what is meant by “salt” and “round” will become clear
from the presentation in this section. An example of such a state-
of-the-art password hashing scheme is sha512_crypt. I’ll have more
to say about this scheme later in this section.
• The main reason why you cannot just directly apply an algorithm
such as SHA-512 to a user-entered password string is that the
resulting hash values would still be crackable despite the fact that
the hash function itself is cryptographically secure and possesses the
one-way property defined in Lecture 15. [To explain this issue, let’s
say there are no constraints placed on the lengths of the passwords chosen by the
users. Assume for the sake of argument that the passwords used by some folks have
only six characters in them and they all consist of lowercase letters. The total number
of such passwords that can be composed with exactly six characters is only 26^6 =
308,915,776. Given a hash of such a password, even when that hash is produced by,
say, the cryptographically secure SHA-512 algorithm, it would be trivial to construct
a lookup table for all such hashes and acquire the password in less time than it takes
to blink an eye. Now imagine an intruder who has no desire to crack all the passwords
in, say, the /etc/shadow file maintained by the network administrator. All that the
intruder wants is to break into just a couple of accounts where he/she can install
their own software. For such an intruder, just being able to crack short passwords is good
enough.]
you will realize that each line in the file /etc/shadow consists of 9 colon-separated
fields. The first field is always the username; the second field is the password hash that
is shown below; the third field is the date of the last password change (as days since
1 January 1970); the fourth field is the number of days the user must wait before he/she
is allowed to change the password; the fifth is the number of days after which the user
will be forced to change the password; and so on. Shown below is what is stored in the
second field — the password hash field — for some user.]
$6$rounds=40000$ZVzZ72hf$Tf19cHUK0g.nf.I/Bpn5jd3jokKMEAIHssRW2OEUGfneuTUzkhNmGv9iDhjfeDpJtqOyGjtSeXSq8
or, when the “number of rounds” is set to its default value 5000,
a string of the form
$<identifier>$<salt>$<password-hash>
In the hash shown above, the identifier field is 6, the salt field is
ZVzZ72hf, and the remaining field is the password hash itself.
Note again that, except for bsd_nthash, the names of all the Pass-
word Hashing Schemes mentioned above end in the substring
“crypt”. [The bcrypt password hashing scheme is used in OpenBSD and other Unix
systems, including Solaris. The underlying hashing algorithm in bcrypt is Blowfish. The
password hash output by bcrypt omits the separator character ‘$’ between the salt
and the hash.]
The table I have shown above is
reproduced from http://packages.python.org/passlib/modular_crypt_format.html. As
mentioned there, MCF is not an official standard, but a com-
monly used format today for storing password hashes.
• Let’s now examine the second field of the /etc/shadow entry for
the password hash shown earlier in this section. This entry says:
rounds=40000. As you will soon see, modern password hashing
schemes hash a password (along with its salt – whose meaning
will soon be explained) multiple times. You might ask: To what
purpose? You are even more likely to raise this question after
you realize that an intruder who has stolen the /etc/shadow or
an equivalent file can see the number of rounds applied by the
password hashing scheme. So, in order to crack a password hash,
this intruder can use the same number of rounds. Note that the
intruder already has access to the password hashing scheme used
since they are all in the public domain. For the answer to this
very reasonable question, read on.
more powerful and should massive disk storage become even more
inexpensive, the additional protection made possible by a variable
number of rounds would certainly be put to greater use. [There
is also a minimum and a maximum on the number of rounds.
The minimum is 1000 and the maximum is 999,999,999. Specifying a
value below 1000 causes 1000 to be used for the number of
rounds, and specifying a value of 1 billion or greater causes
999,999,999 to be used for the number of rounds.]
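The points made above about the MCF layout and the rounds parameter, as an added example that is not the lecture’s code: a parser for the $<identifier>$[rounds=N$]<salt>$<password-hash> layout shown earlier (bcrypt strings, which drop the ‘$’ between salt and hash, are deliberately out of scope), the clamping of rounds to the stated limits, and a hypothetical salted, iterated hash registered under the made-up identifier “toy”. That toy hash is not sha512_crypt’s actual algorithm; it only reproduces the two properties under discussion, namely that the salt enters every round and that each guess costs the full number of rounds. The $6$ entry is the one shown earlier in this section; all other inputs are constructed.

```python
import hashlib
import re

# Limits on the rounds parameter as stated in the lecture for sha512_crypt:
# below 1000 is raised to 1000, 1 billion or more is lowered to 999,999,999.
# A missing rounds= field means the default of 5000.
MIN_ROUNDS = 1000
MAX_ROUNDS = 999_999_999
DEFAULT_ROUNDS = 5000

# The /etc/shadow password field shown earlier in this section.
SHADOW_FIELD = ("$6$rounds=40000$ZVzZ72hf$"
                "Tf19cHUK0g.nf.I/Bpn5jd3jokKMEAIHssRW2OEUGfneuTUzkhNmGv9iDhjfeDpJtqOyGjtSeXSq8")

# Layout shown in the lecture: $<identifier>$[rounds=<n>$]<salt>$<password-hash>
MCF_RE = re.compile(
    r"^\$(?P<ident>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$"
)


def parse_mcf(entry):
    """Split an MCF string into (identifier, rounds, salt, hash)."""
    m = MCF_RE.match(entry)
    if m is None:
        raise ValueError("not a modular-crypt-format string: %r" % entry)
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS
    return m.group("ident"), rounds, m.group("salt"), m.group("hash")


def clamp_rounds(rounds):
    """Apply the [1000, 999999999] limits on the rounds parameter."""
    return max(MIN_ROUNDS, min(MAX_ROUNDS, rounds))


def toy_salted_hash(password, salt, rounds):
    """Hypothetical stand-in for a salted, iterated password hash (NOT the
    real sha512_crypt algorithm).  The salt goes into every round and the
    digest is fed back into SHA-512 'rounds' times, so a single guess costs
    the attacker exactly as many hash computations as it costs login."""
    digest = b""
    for _ in range(clamp_rounds(rounds)):
        digest = hashlib.sha512(digest + salt.encode() + password.encode()).digest()
    return digest.hex()


def make_entry(password, salt, rounds=DEFAULT_ROUNDS):
    """Build a shadow-style field under the made-up identifier 'toy'; like
    sha512_crypt, the rounds= field is omitted when it equals the default."""
    rounds = clamp_rounds(rounds)
    prefix = "$toy$" if rounds == DEFAULT_ROUNDS else "$toy$rounds=%d$" % rounds
    return prefix + salt + "$" + toy_salted_hash(password, salt, rounds)


def verify(entry, guess):
    """What both the login program and an intruder holding a stolen
    /etc/shadow do: read salt and rounds out of the entry, recompute, compare."""
    ident, rounds, salt, stored = parse_mcf(entry)
    if ident != "toy":
        raise ValueError("unsupported scheme $%s$" % ident)
    return toy_salted_hash(guess, salt, rounds) == stored


if __name__ == "__main__":
    import time
    print("fields of the $6$ entry:", parse_mcf(SHADOW_FIELD)[:3])
    entry = make_entry("avikak", "ZVzZ72hf", 40000)
    print("toy entry:", entry[:40] + "...")
    print("correct password verifies:", verify(entry, "avikak"))
    # Knowing salt and rounds does not help the intruder skip the work:
    for r in (1000, 5000, 40000):
        t0 = time.perf_counter()
        toy_salted_hash("guess", "ZVzZ72hf", r)
        print("rounds=%-6d one guess takes %.1f ms" % (r, 1000 * (time.perf_counter() - t0)))
```

The timing loop at the end is the answer to the question raised above: the intruder can indeed read the round count out of the stolen entry, but every candidate password then costs that many hash computations, and the defender chooses the number.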
• Note that a side benefit of using a random value for salt is that it
makes it less likely that any two usernames will have the same pass-
• Now that you know about the purpose of salts and rounds in pass-
word hashing schemes, it’s time to become familiar with the logic
of an actual password hashing scheme. Your goal should be to un-
Note that this password hash does not explicitly mention the
number of rounds because 5000 is the default value for this
parameter and is therefore omitted from the string. Here are
some additional examples of calls to the passlib library for cre-
ating password hashes:

    import passlib.hash
    # passlib 1.7 and later spell this method .hash(); .encrypt() is kept as a deprecated alias
    print(passlib.hash.sha512_crypt.encrypt("avikak", rounds=5000, salt_size=8))