A look at a simple SSH probe and password crack

Here's an annotated look at how an attacker using a SSH password cracker compromises servers.


First the attacker probes to see if SSH is accepting connections.  Most likely the scanner also attempted to fingerprint the IP address to identify the operating system.  This is most likely an automated process on a compromised system.

2011-10-05 05:08:56-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:35868 (192.168.1.165:22) [session: 0]
2011-10-05 05:08:56-0400 [HoneyPotTransport,0,221.176.11.13] connection lost

Next the attacker begins attempting to crack the SSH password for the root user.  Once again these attempts are automated, and use a cracking tool which is based upon SSH-2.0-libssh-0.11.

2011-10-05 05:30:40-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:57366 (192.168.1.165:22) [session: 1]
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] Remote SSH version: SSH-2.0-libssh-0.11
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] outgoing: aes256-cbc hmac-sha1 none
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] incoming: aes256-cbc hmac-sha1 none
2011-10-05 05:30:41-0400 [HoneyPotTransport,1,221.176.11.13] NEW KEYS
2011-10-05 05:30:42-0400 [HoneyPotTransport,1,221.176.11.13] starting service ssh-userauth
2011-10-05 05:30:42-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] root trying auth keyboard-interactive
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/root123] failed
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] root failed auth keyboard-interactive
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] unauthorized login:
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] root trying auth password
2011-10-05 05:30:43-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/root123] failed
2011-10-05 05:30:44-0400 [-] root failed auth password
2011-10-05 05:30:44-0400 [-] unauthorized login:
2011-10-05 05:30:44-0400 [HoneyPotTransport,1,221.176.11.13] Got remote error, code 11
    reason: Bye Bye
2011-10-05 05:30:44-0400 [HoneyPotTransport,1,221.176.11.13] connection lost
2011-10-05 05:30:55-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:60753 (192.168.1.165:22) [session: 2]
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] Remote SSH version: SSH-2.0-libssh-0.11
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] outgoing: aes256-cbc hmac-sha1 none
2011-10-05 05:30:55-0400 [HoneyPotTransport,2,221.176.11.13] incoming: aes256-cbc hmac-sha1 none
2011-10-05 05:30:56-0400 [HoneyPotTransport,2,221.176.11.13] NEW KEYS
2011-10-05 05:30:56-0400 [HoneyPotTransport,2,221.176.11.13] starting service ssh-userauth
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] root trying auth keyboard-interactive
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] login attempt [root/123456] succeeded
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] root authenticated with keyboard-interactive
2011-10-05 05:30:57-0400 [SSHService ssh-userauth on HoneyPotTransport,2,221.176.11.13] starting service ssh-connection
2011-10-05 05:30:57-0400 [HoneyPotTransport,2,221.176.11.13] Got remote error, code 11
    reason: Bye Bye
2011-10-05 05:30:57-0400 [HoneyPotTransport,2,221.176.11.13] connection lost
2011-10-05 05:31:45-0400

Once the SSH password has been cracked, the attacker connects manually from another IP address, most likely his/her system.  Note that the attacker is using Putty, indicating he/she is using a Windows system.

[kippo.core.honeypot.HoneyPotSSHFactory] New connection: 2.192.102.247:50155 (192.168.1.165:22) [session: 3]
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] Remote SSH version: SSH-2.0-PuTTY_Release_0.61
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] outgoing: aes256-ctr hmac-sha1 none
2011-10-05 05:31:46-0400 [HoneyPotTransport,3,2.192.102.247] incoming: aes256-ctr hmac-sha1 none
2011-10-05 05:31:48-0400 [HoneyPotTransport,3,2.192.102.247] NEW KEYS
2011-10-05 05:31:48-0400 [HoneyPotTransport,3,2.192.102.247] starting service ssh-userauth
2011-10-05 05:31:50-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] root trying auth none
2011-10-05 05:31:50-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] root trying auth keyboard-interactive
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] login attempt [root/123456] succeeded
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] root authenticated with keyboard-interactive
2011-10-05 05:31:55-0400 [SSHService ssh-userauth on HoneyPotTransport,3,2.192.102.247] starting service ssh-connection
2011-10-05 05:31:55-0400 [SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] got channel session request

Finally the attacker performs several simple commands to identify the operating system, then disconnects, recording the compromised systems for future use. 

2011-10-05 05:31:55-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] channel open
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] pty request: xterm (24, 80, 0, 0)
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Terminal size: 24 80
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] getting shell
2011-10-05 05:31:56-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Opening TTY log: log/tty/20111005-053156-9094.log
2011-10-05 05:31:57-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] /etc/motd resolved into /etc/motd
2011-10-05 05:31:57-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] /var/run/motd resolved into /var/run/motd
2011-10-05 05:32:01-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] CMD: uptime
2011-10-05 05:32:01-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Command found: uptime
2011-10-05 05:32:05-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] CMD: uname -a
2011-10-05 05:32:05-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,2.192.102.247] Command found: uname -a
2011-10-05 05:32:37-0400 [HoneyPotTransport,3,2.192.102.247] connection lost

I'll keep an eye out for future attempts to use this honeypot from that IP address for malicious purposes.  Hopefully I'll get some interesting results.

Some interesting info on the attacker's "real" IP address:

http://network-tools.com/default.asp?prog=express&host=2.192.102.247


% Information related to '2.192.0.0 - 2.195.255.255'

inetnum: 2.192.0.0 - 2.195.255.255
netname: TIM-NET
descr: Telecom Italia Mobile
descr: Service Provider
country: IT
It appears our attacker is using a mobile phone as his internet connection.

Related Reading:
Best Practices for Enterprise Network Security
This paper discusses aligning security policies to correspond with the priorities of business assets, establishing security profiles for users and all the types of devices accessing your network, and creating online self-service centers for users.