WEBVTT

00:00.000 --> 00:03.195
>> Hello everyone and
welcome back to the course,

00:03.195 --> 00:05.565
Identifying Web
Attacks Through Logs.

00:05.565 --> 00:07.380
In the last video,
we talked about

00:07.380 --> 00:09.555
vulnerability scans
and their logs.

00:09.555 --> 00:10.980
In this video, we'll talk about

00:10.980 --> 00:13.230
brute force attacks
and their logs.

00:13.230 --> 00:15.510
The objectives of this
video are to review

00:15.510 --> 00:17.610
brute force attacks
and to identify

00:17.610 --> 00:19.560
the brute force attacks using

00:19.560 --> 00:22.800
web server logs. Let's begin.

00:22.800 --> 00:25.635
What are brute force attacks?

00:25.635 --> 00:27.825
A brute force attack occurs when

00:27.825 --> 00:29.775
someone is trying to get
access to your system,

00:29.775 --> 00:32.260
or in our case, to our web page.

00:32.260 --> 00:34.370
It's usually done
with multiple login

00:34.370 --> 00:35.720
and password attempts.

00:35.720 --> 00:38.800
The attacker is forcing
the authentication.

00:38.800 --> 00:41.300
To perform brute force
attacks it's common

00:41.300 --> 00:43.685
to use dictionaries or
leaked information.

00:43.685 --> 00:46.290
A dictionary is just a
common password list,

00:46.290 --> 00:48.020
and leaked information
about users and

00:48.020 --> 00:51.420
passwords can obviously make
the attack much easier.

00:51.920 --> 00:55.130
If the brute force attacker
uses the dictionary,

00:55.130 --> 00:56.870
the attacker will take a lot of

00:56.870 --> 00:59.330
guesses and may use
a lot of automation.

00:59.330 --> 01:01.250
The leaked information
could have

01:01.250 --> 01:03.500
the username and password
that the attacker needs.

01:03.500 --> 01:06.800
The attacker may need
to try fewer options.

01:06.800 --> 01:08.750
That's why it's really
important to change

01:08.750 --> 01:10.670
your password after
some period of time

01:10.670 --> 01:11.930
or when you hear about

01:11.930 --> 01:13.310
leaked information
from a website

01:13.310 --> 01:15.165
that you have an account with.

01:15.165 --> 01:18.115
For web applications,
the most common targets

01:18.115 --> 01:19.930
are HTTP forms.

01:19.930 --> 01:21.850
Depending on the web
application the form

01:21.850 --> 01:24.030
can use GET or POST methods.

01:24.030 --> 01:27.715
You'll see there is a difference
between both requests.

01:27.715 --> 01:29.620
If you remember from OWASP,

01:29.620 --> 01:31.105
the brute force
attack is related to

01:31.105 --> 01:33.920
A2, Broken Authentication.

01:33.920 --> 01:37.335
To see an example of the
most common password,

01:37.335 --> 01:39.540
check this web page.

01:39.540 --> 01:42.755
In this attack
we'll use our lab.

01:42.755 --> 01:45.895
There is a vulnerable HTTP form.

01:45.895 --> 01:48.985
Some tools will help us
to perform the attack.

01:48.985 --> 01:52.810
We'll use the Hydra and
Burp Community Edition.

01:52.810 --> 01:56.360
Here we have the
logs of the attack.

01:57.630 --> 01:59.620
Notice the username and

01:59.620 --> 02:01.419
password information
in the log.

02:01.419 --> 02:04.314
There are many different
usernames and passwords.

02:04.314 --> 02:06.640
Checking the date and time,
it's also possible to

02:06.640 --> 02:09.265
see many requests in a
short period of time.

02:09.265 --> 02:13.434
One user sent seven requests
in less than 10 seconds.

02:13.434 --> 02:16.075
Here you have more than
one username as a target.

02:16.075 --> 02:19.630
If you are thinking that a
user forgot his password,

02:19.630 --> 02:21.890
many usernames
don't make sense.

02:21.890 --> 02:24.845
Also, you have
administrator logins.

02:24.845 --> 02:28.940
For more information, here's
the detail of one log line.

02:28.940 --> 02:31.090
Here we can see the
typical behavior

02:31.090 --> 02:32.665
of a brute force attack.

02:32.665 --> 02:35.500
The first has many requests
to the login web page in

02:35.500 --> 02:37.000
a small period of time and

02:37.000 --> 02:40.070
different usernames
and passwords sent.

02:40.670 --> 02:43.180
Here's another example.

02:43.180 --> 02:46.895
In this case, only one
username is the target.

02:46.895 --> 02:50.140
The username Pablo
is the target.

02:50.140 --> 02:52.900
Notice that the
behavior is similar:

02:52.900 --> 02:54.110
many requests in a small

02:54.110 --> 02:56.434
period of time
from the same IP.

02:56.434 --> 02:59.975
As I said before, we can
use GET or POST methods.

02:59.975 --> 03:02.780
In the last example, it
was easy to identify

03:02.780 --> 03:03.950
the username and the password

03:03.950 --> 03:05.674
because of the GET method.

03:05.674 --> 03:07.070
Here we have an example of

03:07.070 --> 03:09.140
a request using the POST method.

03:09.140 --> 03:10.730
Notice that we don't have

03:10.730 --> 03:13.795
the username and the
password in the request.

03:13.795 --> 03:17.045
This happens because they are
in the request payload.

03:17.045 --> 03:20.705
Later in this course, we'll
analyze the HTTP payload.

03:20.705 --> 03:23.390
Since it's a log,
let's analyze it.

03:23.390 --> 03:24.755
Check this user agent.

03:24.755 --> 03:26.705
Hydra is a well-known tool

03:26.705 --> 03:29.135
used to perform
brute force attacks.

03:29.135 --> 03:31.340
It's also possible
to see we have

03:31.340 --> 03:32.960
many requests in a short period

03:32.960 --> 03:35.224
of time from the same IP.

03:35.224 --> 03:38.270
All these requests are
to the login web page.

03:38.270 --> 03:41.180
One more example,
check this log.

03:41.180 --> 03:42.380
Here we have a POST,

03:42.380 --> 03:44.195
but the user agent looks normal.

03:44.195 --> 03:47.820
In the real world, things
will not be so easy.

03:48.670 --> 03:51.290
You always need to ask,

03:51.290 --> 03:53.615
is this unexpected behavior?

03:53.615 --> 03:55.940
Same IP, short time between

03:55.940 --> 04:00.560
requests, and the login web
page. It looks suspicious.

04:00.560 --> 04:02.420
You can see the referer and

04:02.420 --> 04:04.490
the requested page are the same.

04:04.490 --> 04:06.640
This could be someone
trying to log in.

04:06.640 --> 04:09.350
The user types the wrong
username or password,

04:09.350 --> 04:11.225
and the login page is reloaded.

04:11.225 --> 04:13.010
But could someone
type the username or

04:13.010 --> 04:15.470
password in three
or four seconds?

04:15.470 --> 04:18.515
Our conclusion is that
this is an attack,

04:18.515 --> 04:21.635
specifically a
brute force attack.

04:21.635 --> 04:24.635
In this video, we use two tools,

04:24.635 --> 04:27.830
THC-Hydra and Burp
Community Edition.

04:27.830 --> 04:29.690
The difference between both is

04:29.690 --> 04:31.480
the number of requests.

04:31.480 --> 04:33.485
With Hydra, we did many requests

04:33.485 --> 04:35.085
in a small period of time.

04:35.085 --> 04:37.130
There are many other
tools we can use to

04:37.130 --> 04:39.380
perform the brute
force attacks though.

04:39.380 --> 04:41.350
Now, let me give you

04:41.350 --> 04:44.859
some directions to identify
these brute force attacks.

04:44.859 --> 04:46.930
The first is to look for

04:46.930 --> 04:48.790
many requests in a small period

04:48.790 --> 04:50.695
of time to the login pages.

04:50.695 --> 04:53.080
The same IP doing
many requests is

04:53.080 --> 04:55.990
a good indicator of a brute
force attack as well.

04:55.990 --> 04:58.540
If your web
application uses GET,

04:58.540 --> 05:01.345
look for different
users or passwords.

05:01.345 --> 05:04.000
For POST requests look for

05:04.000 --> 05:06.310
the number of
requests and the time.

05:06.310 --> 05:09.890
Don't forget to check
the user agents.

05:10.730 --> 05:13.500
Post assessment question,

05:13.500 --> 05:15.325
you can always identify

05:15.325 --> 05:19.390
a brute force attack by analyzing
just the user agent.

05:19.390 --> 05:23.135
Is this information
true or false?

05:23.135 --> 05:26.550
This information is false.

05:26.550 --> 05:28.970
The username would help,
but an attacker can

05:28.970 --> 05:32.030
change it as we saw
in some examples.

05:32.030 --> 05:34.055
For the next question,

05:34.055 --> 05:37.250
analyze the log below and
identify the source IP,

05:37.250 --> 05:41.190
the type of attack, and what the
attacker is trying to do.

05:43.810 --> 05:47.540
We can easily identify
the source IP address.

05:47.540 --> 05:49.940
The requested page
is a login page,

05:49.940 --> 05:51.530
with many username and password

05:51.530 --> 05:54.455
combinations in a
small period of time.

05:54.455 --> 05:57.755
Usually administrator is
an important username.

05:57.755 --> 05:59.540
Why would someone try to get

05:59.540 --> 06:02.195
administrator access
to this web page?

06:02.195 --> 06:04.715
In summary, we have

06:04.715 --> 06:06.230
the source IP trying to

06:06.230 --> 06:07.819
perform a brute force attack,

06:07.819 --> 06:09.410
and the attacker is trying to

06:09.410 --> 06:11.940
obtain the
administrator password.

06:12.230 --> 06:15.650
Video summary. In today's video,

06:15.650 --> 06:17.375
we discussed the
brute force attack.

06:17.375 --> 06:18.830
We analyzed the two types of

06:18.830 --> 06:21.860
brute force attacks using
both GET and POST methods,

06:21.860 --> 06:25.649
and identified the attack
by analyzing the logs.

06:25.720 --> 06:29.360
During the analysis,
look for user agents,

06:29.360 --> 06:32.420
many requests in a small
period of time to

06:32.420 --> 06:33.980
the login web pages,

06:33.980 --> 06:37.500
and suspicious usernames
like administrator.

06:38.170 --> 06:40.640
In the next video, we'll have

06:40.640 --> 06:42.710
a brief review of SQL injections

06:42.710 --> 06:44.180
and we'll analyze the logs to

06:44.180 --> 06:47.580
identify the SQL injections.

