I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each logs. This graph illustrate an increase in web scanning activity for username:password over the past 3 years. Sample Log 20210422-190644: 192.168.25.9:8088-112.112.86.46:53540 data CONNECT www.voanews.com:443 HTTP/1.1 The statistic are kind of interesting, username:password combination goes from mostly random to easily recognisable. Top 5 Most Popular Hashes Og== → : Top 10 Hashes Beside a single column : being the most common empty username:password combination used in the large majority of the scans, admin:admin and root:admin which comes second and forth are still active and popular today. As for the third password, I published a diary in October 2019 about this activity noted active until May 2020, looking for NVMS9000 Digital Video Recorder which goes into more details about this activity [1]. Other often seen username:password combination that are easily guessable: 48691994@qq.com:Jxl112912 admin: Other interesting stats over the past 3 years is the HTTP requests and the activity by continents. If unsure what services are being shared to the world, check what Shodan or Censys has been able to discover from a malicious actor perspective. As a home user, you can go to this page to see what Censys has been able to discover on what the router is sharing to the world. [1] https://isc.sans.edu/forums/diary/Scanning+Activity+for+NVMS9000+Digital+Video+Recorder/25434/ ----------- |
Guy 523 Posts ISC Handler Apr 24th 2021 |
Thread locked Subscribe |
Apr 24th 2021 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!