Pipal gets a Kippo log parser

Fri 1st Aug 14

For a long time I've been curious what password lists attackers are using when they try to brute force my SSH servers, so I finally got round to setting up a Kippo honeypot and writing a custom Pipal Splitter to parse through the logs and pull out the info.

My honeypot has only been running a day but has already collected over 1000 hits so I thought I'd release an analysis of those as a taster but then find some way to automate creating a rolling report showing the last day, week and maybe month.

The splitter is now checked in to the Pipal GitHub Master branch with the name "kippo_file.rb" and, as the name suggests, this parses the text log files. I am thinking of moving my logging to MySQL so will write an appropriate splitter when I do.

The passwords I'm seeing in the logs are about what I'd expect with a few odd ones thrown in. I'm definitely planning to include these as wordlists for future testing because if the bad guys are using them some have to be ones that work.

I've included the first analysis run here but you can also download a copy.

I'll put up a new blog post once I get the automation working.
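
The following Ruby is an added example, not the kippo_file.rb splitter from the Pipal repository and not the author's code. It shows the kind of extraction a Kippo text-log splitter has to do, followed by two of the report's calculations (top passwords and the Username Checker's edit distance). It assumes Kippo's text log records attempts as "login attempt [user/password] failed" or "succeeded"; the function names and the log lines are constructed for illustration.

```ruby
# Added example: constructed Kippo-style log lines, hypothetical helper names.
SAMPLE_LOG = <<~LOG
  2014-08-01 09:14:02+0100 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/toor] failed
  2014-08-01 09:14:03+0100 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/root123] failed
  2014-08-01 09:14:05+0100 [SSHService ssh-userauth on HoneyPotTransport,13,203.0.113.9] login attempt [admin/admin] failed
  2014-08-01 09:14:06+0100 [HoneyPotTransport,13,203.0.113.9] connection lost
  2014-08-01 09:15:10+0100 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.9] login attempt [root/p/w]d] failed
  2014-08-01 09:15:11+0100 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.9] login attempt [admin/admin] failed
LOG

# Username stops at the first "/"; the password runs to the last "]" before the
# result word, so passwords containing "/" or "]" are kept intact.
ATTEMPT = %r{login attempt \[([^/]*)/(.*)\] (failed|succeeded)\s*\z}

def parse_attempts(text)
  text.each_line.map do |line|
    m = ATTEMPT.match(line.chomp)
    { user: m[1], pass: m[2], ok: m[3] == 'succeeded' } if m
  end.compact
end

# Dynamic-programming Levenshtein distance (case-sensitive), row by row.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

def top_passwords(attempts, n = 10)
  counts = attempts.each_with_object(Hash.new(0)) { |a, h| h[a[:pass]] += 1 }
  counts.sort_by { |pw, c| [-c, pw] }.first(n)
end

# Unique user/password pairs whose distance is small but not an exact match.
def close_matches(attempts, max = 3)
  attempts.uniq { |a| [a[:user], a[:pass]] }
          .map { |a| a.merge(dist: levenshtein(a[:user], a[:pass])) }
          .select { |a| a[:dist].between?(1, max) }
end

attempts = parse_attempts(SAMPLE_LOG)
top_passwords(attempts).each { |pw, c| puts "#{pw} = #{c}" }
close_matches(attempts).each { |a| puts "D: #{a[:dist]} U: #{a[:user]} P: #{a[:pass]}" }
```
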

Basic Results

Total entries = 1020
Total unique entries = 438

Top 10 passwords
admin = 18 (1.76%)
qweasd = 10 (0.98%)
1qaz2wsx = 10 (0.98%)
root@123 = 10 (0.98%)
P@ssw0rd = 10 (0.98%)
1234 = 10 (0.98%)
qwe123 = 10 (0.98%)
password = 10 (0.98%)
root = 10 (0.98%)
123123 = 10 (0.98%)

Top 10 base words
admin = 57 (5.59%)
root = 49 (4.8%)
password = 28 (2.75%)
passw0rd = 20 (1.96%)
p@ssw0rd = 17 (1.67%)
qaz2wsx = 15 (1.47%)
qweasd = 15 (1.47%)
master = 11 (1.08%)
manager = 11 (1.08%)
qazxsw = 11 (1.08%)

Password length (length ordered)
2 = 1 (0.1%)
3 = 20 (1.96%)
4 = 68 (6.67%)
5 = 63 (6.18%)
6 = 244 (23.92%)
7 = 131 (12.84%)
8 = 251 (24.61%)
9 = 111 (10.88%)
10 = 52 (5.1%)
11 = 25 (2.45%)
12 = 28 (2.75%)
13 = 7 (0.69%)
14 = 6 (0.59%)
15 = 1 (0.1%)
17 = 1 (0.1%)
18 = 2 (0.2%)
19 = 3 (0.29%)
20 = 2 (0.2%)
21 = 2 (0.2%)
23 = 1 (0.1%)
24 = 1 (0.1%)

Password length (count ordered)
8 = 251 (24.61%)
6 = 244 (23.92%)
7 = 131 (12.84%)
9 = 111 (10.88%)
4 = 68 (6.67%)
5 = 63 (6.18%)
10 = 52 (5.1%)
12 = 28 (2.75%)
11 = 25 (2.45%)
3 = 20 (1.96%)
13 = 7 (0.69%)
14 = 6 (0.59%)
19 = 3 (0.29%)
20 = 2 (0.2%)
18 = 2 (0.2%)
21 = 2 (0.2%)
15 = 1 (0.1%)
17 = 1 (0.1%)
23 = 1 (0.1%)
2 = 1 (0.1%)
24 = 1 (0.1%)

      | |                                                               
      | |                                                               
      | |                                                               
      | |                                                               
      | |                                                               
      | |                                                               
      | |                                                               
      |||                                                               
      ||||                                                              
      ||||                                                              
      ||||                                                              
    ||||||                                                              
    |||||||                                                             
    |||||||                                                             
   ||||||||||                                                           
|||||||||||||||||||||||||                                               
0000000000111111111122222
0123456789012345678901234

One to six characters = 396 (38.82%)
One to eight characters = 778 (76.27%)
More than eight characters = 242 (23.73%)

Only lowercase alpha = 323 (31.67%)
Only uppercase alpha = 0 (0.0%)
Only alpha = 323 (31.67%)
Only numeric = 192 (18.82%)

First capital last symbol = 10 (0.98%)
First capital last number = 17 (1.67%)

Single digit on the end = 44 (4.31%)
Two digits on the end = 14 (1.37%)
Three digits on the end = 128 (12.55%)

Last number
0 = 22 (2.16%)
1 = 54 (5.29%)
2 = 23 (2.25%)
3 = 139 (13.63%)
4 = 42 (4.12%)
5 = 42 (4.12%)
6 = 44 (4.31%)
7 = 16 (1.57%)
8 = 35 (3.43%)
9 = 17 (1.67%)

   |                                                                    
   |                                                                    
   |                                                                    
   |                                                                    
   |                                                                    
   |                                                                    
   |                                                                    
   |                                                                    
   |                                                                    
 | |                                                                    
 | |  |                                                                 
 | |||| |                                                               
 | |||| |                                                               
||||||| |                                                               
||||||||||                                                              
||||||||||                                                              
0123456789

Last digit
3 = 139 (13.63%)
1 = 54 (5.29%)
6 = 44 (4.31%)
4 = 42 (4.12%)
5 = 42 (4.12%)
8 = 35 (3.43%)
2 = 23 (2.25%)
0 = 22 (2.16%)
9 = 17 (1.67%)
7 = 16 (1.57%)

Last 2 digits (Top 10)
23 = 130 (12.75%)
56 = 29 (2.84%)
34 = 26 (2.55%)
45 = 20 (1.96%)
21 = 18 (1.76%)
88 = 17 (1.67%)
78 = 12 (1.18%)
89 = 12 (1.18%)
90 = 11 (1.08%)
36 = 10 (0.98%)

Last 3 digits (Top 10)
123 = 130 (12.75%)
456 = 28 (2.75%)
234 = 26 (2.55%)
345 = 20 (1.96%)
321 = 17 (1.67%)
789 = 12 (1.18%)
678 = 12 (1.18%)
890 = 11 (1.08%)
536 = 10 (0.98%)
888 = 9 (0.88%)

Last 4 digits (Top 10)
1234 = 26 (2.55%)
3456 = 26 (2.55%)
2345 = 20 (1.96%)
5678 = 12 (1.18%)
7890 = 11 (1.08%)
3123 = 11 (1.08%)
2536 = 10 (0.98%)
3465 = 9 (0.88%)
6789 = 8 (0.78%)
5588 = 8 (0.78%)

Last 5 digits (Top 10)
23456 = 26 (2.55%)
12345 = 20 (1.96%)
67890 = 11 (1.08%)
23123 = 11 (1.08%)
42536 = 10 (0.98%)
45678 = 10 (0.98%)
23465 = 9 (0.88%)
56789 = 8 (0.78%)
25588 = 8 (0.78%)
88888 = 7 (0.69%)

Character sets
loweralpha: 323 (31.67%)
loweralphanum: 270 (26.47%)
numeric: 192 (18.82%)
loweralphaspecialnum: 89 (8.73%)
mixedalphaspecialnum: 29 (2.84%)
mixedalphanum: 23 (2.25%)
specialnum: 18 (1.76%)
loweralphaspecial: 15 (1.47%)
mixedalpha: 11 (1.08%)
mixedalphaspecial: 5 (0.49%)
special: 3 (0.29%)
upperalphaspecial: 3 (0.29%)
upperalphanum: 2 (0.2%)

Character set ordering
allstring: 334 (32.75%)
othermask: 229 (22.45%)
alldigit: 192 (18.82%)
stringdigit: 154 (15.1%)
stringdigitstring: 30 (2.94%)
stringspecialdigit: 27 (2.65%)
digitstring: 21 (2.06%)
stringspecialstring: 13 (1.27%)
digitstringdigit: 11 (1.08%)
stringspecial: 5 (0.49%)
allspecial: 3 (0.29%)
specialstringspecial: 1 (0.1%)

Username Checker
================

Exact Matches
-------------
Total: 2 Unique

admin
root

Levenshtein Results
-------------------
Average distance 6.95

Close Matches
-------------
Total: 17 Unique

D: 1 U: root P: roo
D: 1 U: root P: roota
D: 2 U: root P: toor
D: 2 U: root P: root00
D: 2 U: root P: root01
D: 2 U: root P: rootme
D: 2 U: root P: root12
D: 3 U: root P: root123
D: 3 U: root P: test
D: 3 U: root P: root321
D: 3 U: root P: root001
D: 3 U: root P: boss
D: 3 U: root P: blog
D: 3 U: root P: pop
D: 3 U: admin P: admin123
D: 3 U: root P: Boss
D: 3 U: root P: tset