BTLO - Bruteforce

Challenge: https://blueteamlabs.online/home/challenge/bruteforce-16629bf9a2

Scenario

Can you analyze logs from an attempted RDP bruteforce attack?

One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log.

There are a number of different ways to approach the analysis of these logs! Consider the suggested tools, but there are many others out there!

Q1

How many Audit Failure events are there? (Format: Count of Events)

Recon

Filter directly on Event ID 4625 in Timeline Explorer.

Exploit

[image: Timeline Explorer filter result]

Flag: 3103

Q2

What is the username of the local account that is being targeted? (Format: Username)

Recon

Look directly at the Account Name field in ./BTLO_Bruteforce_Challenge.txt; in total there are:

  • administrator
  • BTLO
  • EC2AMAZ-UUEMPAU$
  • SYSTEM

Flag: administrator

Q3

What is the failure reason related to the Audit Failure logs? (Format: String)

Recon

Look directly at the Failure Reason field in ./BTLO_Bruteforce_Challenge.txt, which reads: Failure Reason: Unknown user name or bad password.

Flag: Unknown user name or bad password.

Q4

What is the Windows Event ID associated with these logon failures? (Format: ID)

Recon

I thought this might be a trick question, but it is still 4625.

Flag: 4625

Q5

What is the source IP conducting this attack? (Format: X.X.X.X)

Recon

Look directly at the Source Network Address field in ./BTLO_Bruteforce_Challenge.txt, which reads: Source Network Address: 113.161.192.227

Flag: 113.161.192.227

Q6

What country is this IP address associated with? (Format: Country)

Recon

Look up that IP's details with whois; the full query result can be seen here [image: whois query result]

Flag: Vietnam

Q7

What is the range of source ports that were used by the attacker to make these login requests? (LowestPort-HighestPort - Ex: 100-541)

Recon

Write a simple script:

```shell
$ grep "Source Port:" BTLO_Bruteforce_Challenge.txt > Extracted_port.txt
```

```python
# Read the extracted "Source Port:" lines and report the lowest and highest port used.
ports = []
with open('./Extracted_port.txt') as fh:
    for line in fh:
        value = line.replace('Source Port:', '').strip()
        if value == '-':  # events with no source port recorded
            continue
        ports.append(int(value))  # compare as integers, not as strings
print(f'Min: {min(ports)}, Max: {max(ports)}')
```

Flag: 49162-65534
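All of the questions above come down to pulling a few fields out of each 4625 record, so the following is a small parser plus summary written as an added example for this writeup; it is not code from the challenge or from the author. It assumes the layout of a Windows Security log saved as text (a header line per event followed by indented "Field: value" lines under section headers such as "Network Information:"), and the sample events it embeds are constructed, not the challenge's own. It counts the failures, finds the most-targeted account, the failure reason, the top source address and the numeric port range (ports are converted to integers so that min/max are not string comparisons), and flags any source with at least a threshold number of failures.

```python
import re
from collections import Counter

# Constructed event template in the text-export layout (assumption: same layout as the
# challenge export). Values are filled in below; none of these are the challenge's events.
_FAILED_LOGON = """\
Audit Failure    1/5/2022 10:00:01 AM    Microsoft-Windows-Security-Auditing    4625    Logon    An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       EC2AMAZ-UUEMPAU$
    Account Domain:     WORKGROUP

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       {account}
    Account Domain:

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D

Network Information:
    Workstation Name:   -
    Source Network Address: {ip}
    Source Port:        {port}
"""

# A successful logon (4624) to show that non-failure events are parsed but not counted.
_SUCCESS_LOGON = """\
Audit Success    1/5/2022 09:59:00 AM    Microsoft-Windows-Security-Auditing    4624    Logon    An account was successfully logged on.

New Logon:
    Security ID:        S-1-5-21-1-2-3-500
    Account Name:       BTLO
    Account Domain:     EC2AMAZ-UUEMPAU

Network Information:
    Source Network Address: 10.0.0.5
    Source Port:        3389
"""

SAMPLE_LOG = _SUCCESS_LOGON + "".join(
    _FAILED_LOGON.format(account=a, ip=ip, port=p)
    for a, ip, p in [('administrator', '113.161.192.227', '49162'),
                     ('administrator', '113.161.192.227', '51234'),
                     ('administrator', '113.161.192.227', '65534'),
                     ('BTLO', '10.0.0.5', '-')])  # '-' = no port recorded

# Event header: "<Keywords> <date> Microsoft-Windows-Security-Auditing <Event ID> ..."
HEADER_RE = re.compile(r'^(Audit \w+)\s.*?Microsoft-Windows-Security-Auditing\s+(\d+)\s')


def parse_events(text):
    """Parse a text export into a list of dicts keyed by (section, field)."""
    events, current, section = [], None, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {'Keywords': header.group(1), 'Event ID': header.group(2)}
            events.append(current)
            section = None
            continue
        stripped = line.strip()
        if current is None or not stripped:
            section = None  # a blank line ends the current section
            continue
        if stripped.endswith(':') and not line[0].isspace():
            section = stripped[:-1]  # e.g. "Network Information:"
            continue
        key, _, value = stripped.partition(':')
        current[(section, key.strip())] = value.strip()
    return events


def summarize(events):
    """Answer the Q1/Q2/Q3/Q5/Q7-style questions from the parsed 4625 events."""
    failures = [e for e in events if e['Event ID'] == '4625']
    targets = Counter(e.get(('Account For Which Logon Failed', 'Account Name')) for e in failures)
    reasons = Counter(e.get(('Failure Information', 'Failure Reason')) for e in failures)
    sources = Counter(e.get(('Network Information', 'Source Network Address')) for e in failures)
    ports = []
    for e in failures:
        port = e.get(('Network Information', 'Source Port'), '-')
        if port.isdigit():  # skip '-' entries
            ports.append(int(port))  # numeric, so min/max are not string comparisons
    return {
        'failure_count': len(failures),
        'top_target': targets.most_common(1)[0][0] if targets else None,
        'failure_reasons': dict(reasons),
        'top_source': sources.most_common(1)[0][0] if sources else None,
        'port_range': (min(ports), max(ports)) if ports else None,
    }


def brute_force_sources(events, threshold):
    """Source addresses with at least `threshold` 4625 events (a simple detection rule)."""
    counts = Counter(e.get(('Network Information', 'Source Network Address'))
                     for e in events if e['Event ID'] == '4625')
    return sorted(ip for ip, n in counts.items() if ip and n >= threshold)


if __name__ == '__main__':
    evts = parse_events(SAMPLE_LOG)
    print(summarize(evts))
    print('Likely brute-force sources:', brute_force_sources(evts, threshold=3))
```

To run it against the real export, replace SAMPLE_LOG with the contents of BTLO_Bruteforce_Challenge.txt; the parser keys fields by section so the two "Account Name" entries in a 4625 event (the Subject and the account that failed to log on) are not confused.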

Reference