Pipal gets a Kippo log parser
Fri 1st Aug 14
For a long time I've been curious what password lists attackers are using when they try to brute force my SSH servers, so I finally got round to setting up a Kippo honeypot and writing a custom Pipal Splitter to parse through the logs and pull out the info.
My honeypot has only been running a day but has already collected over 1000 hits so I thought I'd release an analysis of those as a taster but then find some way to automate creating a rolling report showing the last day, week and maybe month.
The splitter is now checked in to the Pipal GitHub Master branch with the name "kippo_file.rb" and, as the name suggests, this parses the text log files. I am thinking of moving my logging to MySQL so will write an appropriate splitter when I do.
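What a text-log splitter has to do, shown as an added example (this is not Pipal's kippo_file.rb or the author's code): pull the password out of each login line and tally it in the report's "word = count (percent%)" style. It assumes Kippo writes attempts as `login attempt [user/password] failed`; the sample lines, the constant and the function names are constructed for illustration.

```ruby
# Added example, not Pipal's kippo_file.rb. Assumes Kippo's text log records
# each attempt as "login attempt [user/password] succeeded|failed".
ATTEMPT = /login attempt \[([^\/]*)\/(.*)\] (succeeded|failed)\s*\z/

# Constructed sample lines (documentation IP range), not real honeypot data.
SAMPLE_LOG = <<~'LOG'
  2014-08-01 09:12:01+0100 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.10] login attempt [root/admin] failed
  2014-08-01 09:12:03+0100 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.10] login attempt [root/root@123] failed
  2014-08-01 09:12:05+0100 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.10] login attempt [admin/admin] failed
  2014-08-01 09:12:06+0100 [HoneyPotTransport,3,192.0.2.10] connection lost
  2014-08-01 09:13:40+0100 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.77] login attempt [root/a]b/c] failed
LOG

# Returns a hash for a login line, nil for any other log line.
# The username ends at the first "/"; the password runs up to the final
# "] failed" or "] succeeded", so passwords containing "/" or "]" stay intact.
def parse_attempt(line)
  m = ATTEMPT.match(line.chomp)
  return nil unless m
  { username: m[1], password: m[2], result: m[3] }
end

# Every attempted password, in log order, duplicates included.
def passwords_from(log)
  log.each_line.map { |l| parse_attempt(l) }.compact.map { |a| a[:password] }
end

# Top-N list, highest count first, ties broken alphabetically.
def top_passwords(passwords, n = 10)
  counts = passwords.each_with_object(Hash.new(0)) { |pw, h| h[pw] += 1 }
  total = passwords.size
  counts.sort_by { |pw, c| [-c, pw] }.first(n).map do |pw, c|
    "#{pw} = #{c} (#{(c * 100.0 / total).round(2)}%)"
  end
end

if __FILE__ == $PROGRAM_NAME
  pw = passwords_from(SAMPLE_LOG)
  puts "Total entries = #{pw.size}", "Total unique entries = #{pw.uniq.size}"
  puts top_passwords(pw)
end
```

A username that itself contains "/" cannot be told apart from the password in this log format, so the split at the first "/" is a choice made for this example.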
The passwords I'm seeing in the logs are about what I'd expect, with a few odd ones thrown in. I'm definitely planning to include these as wordlists for future testing because, if the bad guys are using them, some have to be ones that work.
I've included the first analysis run here but you can also download a copy.
I'll put up a new blog post once I get the automation working.
Basic Results
Total entries = 1020
Total unique entries = 438
Top 10 passwords
admin = 18 (1.76%)
qweasd = 10 (0.98%)
1qaz2wsx = 10 (0.98%)
root@123 = 10 (0.98%)
P@ssw0rd = 10 (0.98%)
1234 = 10 (0.98%)
qwe123 = 10 (0.98%)
password = 10 (0.98%)
root = 10 (0.98%)
123123 = 10 (0.98%)
Top 10 base words
admin = 57 (5.59%)
root = 49 (4.8%)
password = 28 (2.75%)
passw0rd = 20 (1.96%)
p@ssw0rd = 17 (1.67%)
qaz2wsx = 15 (1.47%)
qweasd = 15 (1.47%)
master = 11 (1.08%)
manager = 11 (1.08%)
qazxsw = 11 (1.08%)
Password length (length ordered)
2 = 1 (0.1%)
3 = 20 (1.96%)
4 = 68 (6.67%)
5 = 63 (6.18%)
6 = 244 (23.92%)
7 = 131 (12.84%)
8 = 251 (24.61%)
9 = 111 (10.88%)
10 = 52 (5.1%)
11 = 25 (2.45%)
12 = 28 (2.75%)
13 = 7 (0.69%)
14 = 6 (0.59%)
15 = 1 (0.1%)
17 = 1 (0.1%)
18 = 2 (0.2%)
19 = 3 (0.29%)
20 = 2 (0.2%)
21 = 2 (0.2%)
23 = 1 (0.1%)
24 = 1 (0.1%)
Password length (count ordered)
8 = 251 (24.61%)
6 = 244 (23.92%)
7 = 131 (12.84%)
9 = 111 (10.88%)
4 = 68 (6.67%)
5 = 63 (6.18%)
10 = 52 (5.1%)
12 = 28 (2.75%)
11 = 25 (2.45%)
3 = 20 (1.96%)
13 = 7 (0.69%)
14 = 6 (0.59%)
19 = 3 (0.29%)
20 = 2 (0.2%)
18 = 2 (0.2%)
21 = 2 (0.2%)
15 = 1 (0.1%)
17 = 1 (0.1%)
23 = 1 (0.1%)
2 = 1 (0.1%)
24 = 1 (0.1%)
[ASCII bar chart: number of passwords by length, x-axis 0 to 24]
One to six characters = 396 (38.82%)
One to eight characters = 778 (76.27%)
More than eight characters = 242 (23.73%)
Only lowercase alpha = 323 (31.67%)
Only uppercase alpha = 0 (0.0%)
Only alpha = 323 (31.67%)
Only numeric = 192 (18.82%)
First capital last symbol = 10 (0.98%)
First capital last number = 17 (1.67%)
Single digit on the end = 44 (4.31%)
Two digits on the end = 14 (1.37%)
Three digits on the end = 128 (12.55%)
Last number
0 = 22 (2.16%)
1 = 54 (5.29%)
2 = 23 (2.25%)
3 = 139 (13.63%)
4 = 42 (4.12%)
5 = 42 (4.12%)
6 = 44 (4.31%)
7 = 16 (1.57%)
8 = 35 (3.43%)
9 = 17 (1.67%)
[ASCII bar chart: number of passwords by last number, x-axis 0 to 9]
Last digit
3 = 139 (13.63%)
1 = 54 (5.29%)
6 = 44 (4.31%)
4 = 42 (4.12%)
5 = 42 (4.12%)
8 = 35 (3.43%)
2 = 23 (2.25%)
0 = 22 (2.16%)
9 = 17 (1.67%)
7 = 16 (1.57%)
Last 2 digits (Top 10)
23 = 130 (12.75%)
56 = 29 (2.84%)
34 = 26 (2.55%)
45 = 20 (1.96%)
21 = 18 (1.76%)
88 = 17 (1.67%)
78 = 12 (1.18%)
89 = 12 (1.18%)
90 = 11 (1.08%)
36 = 10 (0.98%)
Last 3 digits (Top 10)
123 = 130 (12.75%)
456 = 28 (2.75%)
234 = 26 (2.55%)
345 = 20 (1.96%)
321 = 17 (1.67%)
789 = 12 (1.18%)
678 = 12 (1.18%)
890 = 11 (1.08%)
536 = 10 (0.98%)
888 = 9 (0.88%)
Last 4 digits (Top 10)
1234 = 26 (2.55%)
3456 = 26 (2.55%)
2345 = 20 (1.96%)
5678 = 12 (1.18%)
7890 = 11 (1.08%)
3123 = 11 (1.08%)
2536 = 10 (0.98%)
3465 = 9 (0.88%)
6789 = 8 (0.78%)
5588 = 8 (0.78%)
Last 5 digits (Top 10)
23456 = 26 (2.55%)
12345 = 20 (1.96%)
67890 = 11 (1.08%)
23123 = 11 (1.08%)
42536 = 10 (0.98%)
45678 = 10 (0.98%)
23465 = 9 (0.88%)
56789 = 8 (0.78%)
25588 = 8 (0.78%)
88888 = 7 (0.69%)
Character sets
loweralpha: 323 (31.67%)
loweralphanum: 270 (26.47%)
numeric: 192 (18.82%)
loweralphaspecialnum: 89 (8.73%)
mixedalphaspecialnum: 29 (2.84%)
mixedalphanum: 23 (2.25%)
specialnum: 18 (1.76%)
loweralphaspecial: 15 (1.47%)
mixedalpha: 11 (1.08%)
mixedalphaspecial: 5 (0.49%)
special: 3 (0.29%)
upperalphaspecial: 3 (0.29%)
upperalphanum: 2 (0.2%)
Character set ordering
allstring: 334 (32.75%)
othermask: 229 (22.45%)
alldigit: 192 (18.82%)
stringdigit: 154 (15.1%)
stringdigitstring: 30 (2.94%)
stringspecialdigit: 27 (2.65%)
digitstring: 21 (2.06%)
stringspecialstring: 13 (1.27%)
digitstringdigit: 11 (1.08%)
stringspecial: 5 (0.49%)
allspecial: 3 (0.29%)
specialstringspecial: 1 (0.1%)
Username Checker
================
Exact Matches
-------------
Total: 2 Unique
admin
root
Levenshtein Results
-------------------
Average distance 6.95
Close Matches
-------------
Total: 17 Unique
D: 1 U: root P: roo
D: 1 U: root P: roota
D: 2 U: root P: toor
D: 2 U: root P: root00
D: 2 U: root P: root01
D: 2 U: root P: rootme
D: 2 U: root P: root12
D: 3 U: root P: root123
D: 3 U: root P: test
D: 3 U: root P: root321
D: 3 U: root P: root001
D: 3 U: root P: boss
D: 3 U: root P: blog
D: 3 U: root P: pop
D: 3 U: admin P: admin123
D: 3 U: root P: Boss
D: 3 U: root P: tset