Brutus HTB Sherlock — SSH Brute Force Investigation
Analyzing a successful SSH brute force attack against a Confluence server using Linux auth logs and wtmp data. A practical walkthrough of incident response techniques.
Executive Summary
Scenario: A Confluence server has been compromised via SSH brute force attack. Our investigation centers on analyzing authentication logs to identify the attack timeline, successful compromises, and threat actor tactics.
Key Findings:
- Brute force attack originating from IP 203.101.190.9
- Successful compromise of legitimate user account
- Attack timeframe: [specific UTC timestamps]
- MITRE ATT&CK techniques: T1110 (Brute Force), T1078 (Valid Accounts)
Investigation Overview
Artifacts Provided:
- auth.log - Plaintext authentication events
- wtmp - Binary login session history
Investigation Goals:
- Identify brute force attack indicators
- Determine successful authentication events
- Correlate auth.log entries with actual login sessions
- Establish attack timeline in UTC
- Map findings to MITRE ATT&CK framework
Technical Analysis
Initial Reconnaissance
First, I established the timeframe of SSH-related activity to scope the investigation:
# Identify SSH activity window
grep -i 'sshd' auth.log | head -5
grep -i 'sshd' auth.log | tail -5
This revealed authentication attempts spanning approximately [timeframe], indicating sustained malicious activity.
Brute Force Attack Analysis
Failed Authentication Attempts
To identify the primary attack source, I analyzed failed password attempts:
# Extract source IPs from failed attempts. The address is the field after "from";
# the last field ($NF) of these sshd lines is "ssh2", not the IP.
grep -i 'failed password' auth.log | awk '{for(i=1;i<=NF;i++) if($i=="from") print $(i+1)}' | sort | uniq -c | sort -nr | head -10
Results: IP 203.101.190.9 generated the highest volume of failed authentication attempts, consistent with automated brute force behavior.
Targeted Usernames
Next, I analyzed which accounts were being targeted:
# Extract attempted usernames. sshd logs non-existent accounts as
# "Failed password for invalid user NAME from ...", so when the word after
# "for" is "invalid" the name is two fields further on.
grep -i 'failed password' auth.log | awk '{for(i=1;i<=NF;i++) if($i=="for"){u=$(i+1); if(u=="invalid") u=$(i+3); print u}}' | sort | uniq -c | sort -nr | head -10
Key Observation: The "invalid user" marker separates the two halves of the attack: dictionary-based guessing of names that do not exist on the host, and targeted attempts against accounts that do exist, including likely service accounts.
Successful Compromise Detection
Identifying Successful Authentications
# Locate successful SSH authentications
grep -i 'accepted' auth.log
User-to-IP Correlation
# Map successful logins to source IPs. The user follows "for" and the IP follows
# "from"; $NF is "ssh2" here as well. The second field after "Accepted" is the
# method (password or publickey), which distinguishes a guessed password from a key login.
grep -i 'accepted' auth.log | awk '{for(i=1;i<=NF;i++){if($i=="for") u=$(i+1); if($i=="from") ip=$(i+1)}; printf "%-20s %s\n", u, ip}' | sort | uniq
Critical Finding: User [username_masked] successfully authenticated with a password from the same IP that conducted the brute force attack.
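The three analyses above (failed attempts per IP, targeted usernames, and Accepted events correlated with the brute force source) as one script, added here as an example rather than code from the original writeup. It assumes Debian/Ubuntu syslog-style OpenSSH messages; the sample log lines, the hostname and the username jdoe are constructed for illustration (only the attacker IP is the one named in the writeup), and `min_failures` is a threshold chosen for this example.

```python
"""Added example, not part of the original writeup: parse sshd auth.log
lines and flag successful logins whose source also brute-forced the host.
Assumption: Debian/Ubuntu syslog-style OpenSSH messages."""
import re
from collections import Counter

# One pattern for "Failed ... for invalid user X from IP" (account does not
# exist) and "Failed/Accepted ... for X from IP" (account exists). The last
# field of these lines is "ssh2", so awk's $NF is not the address.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample log; "jdoe" stands in for the masked account.
SAMPLE_AUTH_LOG = """\
Mar  6 06:19:54 ip-10-0-0-28 sshd[1465]: Accepted publickey for ubuntu from 10.0.0.5 port 51234 ssh2: RSA SHA256:placeholder
Mar  6 06:19:55 ip-10-0-0-28 sshd[1466]: Failed password for ubuntu from 10.0.0.5 port 51236 ssh2
Mar  6 06:31:31 ip-10-0-0-28 sshd[2325]: Failed password for invalid user admin from 203.101.190.9 port 46380 ssh2
Mar  6 06:31:31 ip-10-0-0-28 sshd[2327]: Failed password for invalid user test from 203.101.190.9 port 46382 ssh2
Mar  6 06:31:33 ip-10-0-0-28 sshd[2331]: Failed password for root from 203.101.190.9 port 46390 ssh2
Mar  6 06:31:33 ip-10-0-0-28 sshd[2333]: Failed password for jdoe from 203.101.190.9 port 46392 ssh2
Mar  6 06:31:34 ip-10-0-0-28 sshd[2335]: Failed password for root from 203.101.190.9 port 46394 ssh2
Mar  6 06:31:40 ip-10-0-0-28 sshd[2411]: Accepted password for jdoe from 203.101.190.9 port 34782 ssh2
Mar  6 06:31:40 ip-10-0-0-28 sshd[2411]: pam_unix(sshd:session): session opened for user jdoe(uid=1001) by (uid=0)
"""


def parse_sshd_events(text):
    """Return one dict per Accepted/Failed line; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = ev.pop("invalid") is not None
            events.append(ev)
    return events


def failed_by_ip(events):
    """Failed attempts per source IP (the 'sort | uniq -c | sort -nr' step)."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def targeted_users(events):
    """Usernames tried, counting 'invalid user' names by their real name."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def suspicious_logins(events, min_failures=3):
    """Accepted logins whose source IP also produced >= min_failures failures.
    A password acceptance from a heavy-failure source is the brute force success."""
    fails = failed_by_ip(events)
    return [dict(e, prior_failures=fails[e["ip"]]) for e in events
            if e["result"] == "Accepted" and fails[e["ip"]] >= min_failures]


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    print("failed attempts by IP:", failed_by_ip(evs).most_common())
    print("targeted users:", targeted_users(evs).most_common())
    for hit in suspicious_logins(evs):
        print(f"{hit['ts']} {hit['user']} via {hit['method']} from {hit['ip']} "
              f"after {hit['prior_failures']} failures")
```

Run it against a real file with `parse_sshd_events(open("auth.log").read())`; the key-based login from 10.0.0.5 in the sample is not flagged because that source never reached the failure threshold, which is the check the awk pipeline alone does not make.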
Session Validation
To confirm actual login sessions (not just authentication events), I cross-referenced with wtmp data:
# Verify actual login sessions (last prints wtmp times in the local timezone)
last -f wtmp | head -20
# Render the same records in UTC so they line up with the auth.log timeline
TZ=UTC last -f wtmp | head -10
Validation: A login entry for the same account and source IP appears in wtmp shortly after the Accepted event, confirming an interactive session rather than a bare authentication. Two caveats apply when matching the two sources: wtmp is written once the session is set up, so its timestamp can trail the Accepted line by some seconds, and auth.log carries no year and uses the host's local clock, so confirm the host's timezone before treating either source as UTC.
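Decoding wtmp directly and pairing the Accepted event with the session it produced, as an added example that is not part of the original writeup. It assumes the glibc x86_64 `struct utmp` layout (384-byte records) that `last -f` reads on Linux; the records, the Accepted timestamp, the username jdoe and the year 2024 (syslog lines carry no year) are all constructed for illustration, and the two-minute `max_lag` is a tolerance chosen for this example.

```python
"""Added example, not part of the original writeup: decode wtmp records and
match the sshd Accepted event to the interactive session that followed it.
Assumption: glibc x86_64 struct utmp layout, 384 bytes per record."""
import struct
from datetime import datetime, timedelta, timezone

# struct utmp on x86_64 glibc: type, 2 pad bytes, pid, line[32], id[4],
# user[32], host[256], exit status (2 shorts), session, tv_sec, tv_usec,
# addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
UTC = timezone.utc


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Decode every record; times come back as aware UTC datetimes, the same
    values TZ=UTC last -f wtmp prints."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, _a0, _a1, _a2, _a3) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host),
                        "time": datetime.fromtimestamp(tv_sec, tz=UTC)})
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty,
    which is how last derives the login-logout ranges it prints."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append({**login, "logout": r["time"]})
    out.extend({**login, "logout": None} for login in open_by_line.values())  # still logged in
    return out


def find_session(sess, user, ip, accepted_at, max_lag=timedelta(minutes=2)):
    """The session an Accepted line produced: same user and source, with the
    wtmp login at or shortly after the auth event (sshd writes wtmp once the
    session is set up, so it can trail the Accepted timestamp)."""
    for s in sess:
        if s["user"] == user and s["host"] == ip and timedelta(0) <= s["time"] - accepted_at <= max_lag:
            return s
    return None


# Constructed sample data: a reboot marker, an unrelated key-based login,
# and the attacker's session on pts/1 with its logout record.
def _rec(ut_type, pid, line, user, host, when):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


SAMPLE_WTMP = b"".join([
    _rec(BOOT_TIME, 0, "~", "reboot", "6.2.0", datetime(2024, 3, 6, 6, 17, 15, tzinfo=UTC)),
    _rec(USER_PROCESS, 1480, "pts/0", "ubuntu", "10.0.0.5", datetime(2024, 3, 6, 6, 19, 55, tzinfo=UTC)),
    _rec(USER_PROCESS, 2491, "pts/1", "jdoe", "203.101.190.9", datetime(2024, 3, 6, 6, 32, 44, tzinfo=UTC)),
    _rec(DEAD_PROCESS, 2491, "pts/1", "", "", datetime(2024, 3, 6, 6, 37, 24, tzinfo=UTC)),
])
ACCEPTED_AT = datetime(2024, 3, 6, 6, 31, 40, tzinfo=UTC)  # taken from the Accepted line

if __name__ == "__main__":
    sess = sessions(parse_wtmp(SAMPLE_WTMP))
    for s in sess:
        print(f"{s['user']:<8} {s['line']:<6} {s['host']:<16} {s['time']:%Y-%m-%d %H:%M:%S} "
              f"-> {s['logout'] or 'still logged in'}")
    hit = find_session(sess, "jdoe", "203.101.190.9", ACCEPTED_AT)
    print("session confirmed:", hit is not None, "lag:", hit["time"] - ACCEPTED_AT if hit else None)
```

On a real artifact, replace the constructed blob with `open("wtmp", "rb").read()`; if the record count comes out fractional, the file was written by a different libc layout (32-bit or non-glibc), and `last -f` on a matching system is the safer reader.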
Timeline of Events (UTC)
- [Timestamp] - Initial brute force attempts begin from 203.101.190.9
- [Timestamp] - Peak attack activity with multiple username attempts
- [Timestamp] - Successful authentication for [username_masked]
- [Timestamp] - Interactive session established
MITRE ATT&CK Mapping
| Technique | ID | Evidence |
|---|---|---|
| Brute Force: Password Guessing | T1110.001 | Multiple failed password attempts from single IP |
| Valid Accounts: Local Accounts | T1078.003 | Successful compromise of legitimate user account |
| Remote Services: SSH | T1021.004 | SSH service used as attack vector |
Key Commands Reference
# Essential analysis commands used (the IP follows "from" on sshd lines; $NF is "ssh2")
grep -i 'failed password' auth.log | awk '{for(i=1;i<=NF;i++) if($i=="from") print $(i+1)}' | sort | uniq -c | sort -nr
grep -i 'accepted' auth.log | awk '{for(i=1;i<=NF;i++){if($i=="for") u=$(i+1); if($i=="from") ip=$(i+1)}; printf "%-20s %s\n", u, ip}'
last -f wtmp
TZ=UTC last -f wtmp
Detection & Prevention Recommendations
Immediate Actions:
- Reset compromised account credentials
- Review all activities performed during the session
- Check for persistence mechanisms
Long-term Controls:
- Implement fail2ban or similar brute force protection
- Enable SSH key-based authentication only
- Deploy network segmentation for critical services
- Implement comprehensive logging and monitoring
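The first two long-term controls as concrete settings, added here as an example and not taken from the writeup or the affected environment. The paths assume an Ubuntu host running OpenSSH 8.2 or later (which includes `/etc/ssh/sshd_config.d/*.conf`) and fail2ban 0.10 or later (which accepts `10m`/`1h` time suffixes); the thresholds are illustrative.

```text
# /etc/ssh/sshd_config.d/hardening.conf  (added example; validate with: sshd -t)
PasswordAuthentication no            # the default "yes" is what the brute force relied on
KbdInteractiveAuthentication no      # closes the PAM keyboard-interactive password path
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
LogLevel VERBOSE                     # logs key fingerprints on Accepted lines

# /etc/fail2ban/jail.local  (added example; check with: fail2ban-client status sshd)
[sshd]
enabled  = true
maxretry = 3
findtime = 10m
bantime  = 1h
```

Keep an existing session open while applying the sshd change and confirm a key-based login from a second session before closing it; with `PasswordAuthentication no` a lost key means a lost host.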
Lessons Learned
- Tool Selection: Basic Unix utilities (grep, awk, sort) provide powerful analysis capabilities for log investigation
- Data Correlation: Always cross-reference auth.log entries with wtmp sessions to confirm actual access
- Timezone Consistency: Use TZ=UTC for accurate timeline establishment across systems
- Pattern Recognition: High-volume failed attempts from single IPs are strong brute force indicators
Conclusion
This investigation demonstrated a classic SSH brute force attack that successfully compromised a legitimate user account. The attack followed predictable patterns that could have been detected and prevented with appropriate security controls. The correlation between authentication logs and session data proved critical in confirming the actual compromise beyond just authentication events.
This analysis was conducted in a controlled lab environment. All sensitive values have been masked to protect privacy.