search

Man or Machine?

circle-info

This one is simple. There's a pcap which contains 100 SSH connections.

Only 1 of the connections was human driven. The rest weren't. All we want to know is the source port number for that 1 connection. You ONLY have 2 attempts, so don't bruteforce guess!

All the connections used the same client, server, and configurations. If everything is the same and the payload contents are encrypted, what else could you compare?

Lets run the pcap through the ssh protocols 

@load base/protocols/ssh
@load base/frameworks/notice

redef exit_only_after_terminate = F;

event zeek_init(){

}
.
β”œβ”€β”€ 100-ssh.pcap
β”œβ”€β”€ conn.log
β”œβ”€β”€ main.zeek
β”œβ”€β”€ packet_filter.log
└── ssh.log

Looking for interesting metrics in the log output. ssh.log doesn't show much. However in the conn.log we find the following line.

1580833725.124151   CgvmB23cju7ppajiwf  127.0.0.1       54712   127.0.0.1          22   tcp      ssh       53.446830   7173      3274189        SF               -           -   0           ShAdDaFf    20466   1071413 34606   5073721 -   1:vp2K1lvIUDDpljQ8WIBn+8DF/Xs=

We find this entry had substantially more orig_ip_bytes

circle-check

The solution

PreviousRDP AuthenticationNextHash Yourself

Last updated