For full text search please use the '?' prefix. e.g. ? Onboarding

Secure Shell

Challenge

Hey! We had a SSH service on a system and noticed unusual change in size of the log file. Don’t panic, it was the new IT guys’ daughter who said she was able to break into the system. I had given her permission to test some of these services. I am giving you the log file, can you solve the following queries?

Solution

  1. Is it an internal or external attack, what is the attacker IP? (5 points)

    Line 64:

    8932 2021-04-29 23:52:25.989 Connection from 192.168.1.17 port 49338 on 192.168.1.20 port 22

    Answer: internal:192.168.1.17

  2. How many valid accounts did the attacker find, and what are the usernames? (5 points)

    First we have to look for all the usernames that were attempted to get logged into:

    cat sshlog.log | sed -n -e 's/^.*userauth-request for user //p' | sed "s/\s.*//" | sort | uniq

    Then we need to look for the usernames that were valid accounts:

    cat sshlog.log | sed -n -e 's/^.*Accepted password for //p' | sed "s/\s.*//" | sort | uniq

    Answer: 1:sophia

  3. How many times did the attacker login to these accounts? (5 points)

    We simply need to remove the uniq from the previous command:

    cat sshlog.log | sed -n -e 's/^.*Accepted password for //p' | sed "s/\s.*//" | sort

    Answer: 2

  4. When was the first request from the attacker recorded? (5 points)

    We need to find the first line that contains the attacker IP:

    cat sshlog.log | grep 192.168.1.17 | head -n 1

    Answer: 2021-04-29 23:52:25.989

  5. What is the log level for the log file? (5 points)txt

    Answer: Debug

  6. Where is the log file located in Windows? (5 points)

    Source: https://mjcb.io/blog/2019/01/15/openssh-client-and-openssh-server-on-windows/

    Answer: C:\ProgramData\ssh\logs\sshd.log

Tags

  1. ssh (Private)
  2. 30 points (Private)
  3. hard (Private)