1
00:00:01,040 --> 00:00:05,460
OK, this is the last thing that we have left to cover.

2
00:00:06,110 --> 00:00:12,920
Now, this is not necessarily a bug, but it's something that could be useful for you to know and that

3
00:00:12,920 --> 00:00:16,700
is insufficient logging and monitoring.

4
00:00:17,880 --> 00:00:25,590
Now, most of the websites and applications and all of that have their own logs and log is something

5
00:00:25,590 --> 00:00:33,480
that is tracking different traffic, perhaps on the website, different HTTP requests, different form

6
00:00:33,480 --> 00:00:35,670
submissions and all of that.

7
00:00:36,810 --> 00:00:42,930
It is a good skill to know how to read different logs, and it's rather easy.

8
00:00:42,960 --> 00:00:43,730
Most of the time.

9
00:00:44,190 --> 00:00:47,810
So let's take a look at this quick example right here.

10
00:00:48,450 --> 00:00:53,460
So if we click on insufficient logging and monitoring, which is task 30.

11
00:00:54,480 --> 00:01:01,830
I advise you to read through this to get a better grasp as to what this actually is, and now we're

12
00:01:01,830 --> 00:01:07,500
going to download the task file, so there is not a virtual machine that we must start here.

13
00:01:07,510 --> 00:01:10,260
We are downloading files in this specific case.

14
00:01:10,260 --> 00:01:12,180
It is a file, login.

15
00:01:12,210 --> 00:01:15,660
But let's click on Say.

16
00:01:17,040 --> 00:01:21,930
And while that is downloading, let's go down to check out what our challenges are.

17
00:01:23,050 --> 00:01:30,310
So the first question is, what IP address is the attacker using, and the second question is what kind

18
00:01:30,310 --> 00:01:32,260
of attack is being carried out?

19
00:01:33,210 --> 00:01:43,520
Let's go to our file, let's open it, double click login, and it will open this small log file.

20
00:01:44,370 --> 00:01:50,280
By the first look, I can already see that it is a part of a log file from different users trying to

21
00:01:50,280 --> 00:01:57,960
get access on our website at the login directory, so they're most likely trying to log in with username

22
00:01:57,960 --> 00:01:59,070
and password.

23
00:02:00,260 --> 00:02:06,680
We have the 200 code, OK, for the first six users, and that means that they successfully logged

24
00:02:06,680 --> 00:02:07,490
in to the page.

25
00:02:08,449 --> 00:02:12,080
These are most likely their usernames right here.

26
00:02:12,080 --> 00:02:16,550
And this is the time when they performed the login request here.

27
00:02:16,560 --> 00:02:18,240
We also have their IP address.

28
00:02:18,650 --> 00:02:20,810
So what is off right here?

29
00:02:21,650 --> 00:02:27,370
Well, these 401 requests that say unauthorized do look suspicious.

30
00:02:27,650 --> 00:02:33,110
Of course, it can be different users that mistyped their passwords, so they got an unauthorized error.

31
00:02:33,680 --> 00:02:38,590
But we will notice that it's all coming from the same IP address.

32
00:02:38,600 --> 00:02:41,780
So all four requests are coming from the same IP address.

33
00:02:42,810 --> 00:02:50,550
With different usernames, this could point to a brute force attack, for example. We can also see

34
00:02:50,550 --> 00:02:53,960
that the user is trying to authenticate as the admin.

35
00:02:54,450 --> 00:02:56,490
So that is also suspicious.

36
00:02:57,150 --> 00:03:02,940
So we can conclude that this user right here is trying to perform a brute force attack, for example.

37
00:03:03,890 --> 00:03:11,300
Let's answer the first question, what IP address is the attacker using, so let's copy the IP address.

38
00:03:13,360 --> 00:03:21,670
Like this, specified right here, and for some reason it won't copy, so let's just type it: four nine nine

39
00:03:21,670 --> 00:03:23,170
nine one three one six.

40
00:03:26,220 --> 00:03:29,640
Let's click on Submit, and that is the correct answer.

41
00:03:29,970 --> 00:03:32,190
What kind of attack is being carried out?

42
00:03:32,220 --> 00:03:36,000
Well, we already mentioned that it's most likely a brute force attack.

43
00:03:36,330 --> 00:03:38,100
So let's specify that right here.

44
00:03:39,750 --> 00:03:40,590
Click on Submit.

45
00:03:41,580 --> 00:03:44,010
And that's also the correct answer.

46
00:03:44,700 --> 00:03:50,520
So this was a quick example of how to read logs and how to find something that might look suspicious.

47
00:03:51,630 --> 00:03:58,100
Nonetheless, let's move on to the next lecture, where we are going to cover how we can monetize the fogbound

48
00:03:58,170 --> 00:04:00,780
skills that we learned throughout this course.