TI – Protocol agnostic bruteforce detection across many servers

TI – Protocol agnostic bruteforce detection across many servers

Keywords: Duration: 5-10 months Context: HBO/WO thesis Context: Bruteforcing of credentials and the current trend of…

Keywords:

Duration: 5-10 months
Context: HBO/WO thesis

Context:

Bruteforcing of credentials and the current trend of credential testing using data from breaches is a problem for many organizations. Logging of successful and failed attempts will help but probably still hard to detect bruteforce attempts over multiple systems or services.

A network sensor using (Suricata and/or Bro) can extract login attempts easily from network traffic (eg: HTTP Basic Auth, Kerberos/NTLM) and can be easily extended using custom policies for other sources. The idea is that when you can detect successful and failed login attempts and you log this to a central system you could determine if a specific account is being bruteforced and maybe even determine if a one or more source addresses are bruteforcing other accounts as well.

For example, the opensource project weakforced is aimed to accomplish this.

Excerpt from the project:
The goal of ‘wforce’ is to detect brute forcing of passwords across many servers, services and instances. In order to support the real world, brute force detection policy can be tailored to deal with “bulk,  but legitimate” users of your service, as well as botnet-wide slowscans of passwords.

Activities:

Research/implement the feasibility of weakforced or maybe some other tool in combination of logs feeded from a network sensor to detect bruteforce accross multiple servers.

Neem contact op

+31 (0) 15 284 79 99

fox@fox-it.com

Delft