Automated VPS for Attack and Defense
This article was written by ThinkCyber students after finishing basic cyber training, being able to create cyber automation for both attack and defense.
Glenn Bravy, Eli Ergun, Gen Kawaguchi
When launching a VPS (Virtual Private Server), there are a few important ideas to consider in gaining oversight of the network traffic as well as for planning how to attack and defend the server appropriately. To simulate such a scenario, we launched a VPS as a classwork assignment and developed automated scripts that sit on a local machine and are sent to the remote server. The scripts download/install all necessary tools, harden the system, and identify intruders.
A few benefits for running the attack and defense scenario through a VPS rather than our local machines are:
The VPS runs 24/7 with a small computing cost.
Connecting anonymously to the VPS makes it more challenging for others to determine our true identities.
If a VPS is burned, we can launch a new server.
Not only are our personal machines unaffected but we can be up and running at the previous state in a few minutes.
How We Automate Tools
● Nipe - Similar to Tor in that it anonymizes your identity between the local and remote machines. To ensure we don’t connect directly to the VPS, a script runs to test if Nipe is installed and running. If it’s installed, it starts. If it’s not installed, then it is downloaded and installed. All of this runs without needing to turn it on, as per the script. The downside to using Nipe is that, in our case, it causes issues with nmap. To use nmap, we use Tor instead.
● Tor - Tor is much slower than Nipe because packets travel through three machines in either direction instead of just the one. To make up for that, we minimize the number of connections required and use Tor to connect and transfer automated scripts to the VPS. Because Tor and nmap are both slow, we opt out of using nmap and instead use Shodan.
● Shodan - A fantastic passive network scanner and substitute for nmap for our purposes. It runs much faster because it’s passive rather than active (nmap). Our service and vulnerability scans run in seconds rather than minutes. The scanning function from our script brings a vulnerability scan from Shodan against the IPs that have been brute forcing our account.
● Metasploit - Metasploit is a well-known program to run exploits against target machines. Jumping off what we said with Shodan, you can use Metasploit to exploit target machines. Following the scan, it’s possible to run the list of CVEs on the attackers’ machines against a list of chosen highly critical CVEs in our CVEbank. Rather than manually entering in the IP, port, exploit and more, put those into a file
to run with Metasploit to attack the target with selecting ‘Attack’ from your script and then selecting which CVE to use for the attack. Everything else runs in the background.
● Port Knocking - This is a method of externally opening ports to connect to the VPS following a sequence of correct connection attempts. Let’s say that a user must send a TCP packet to ports 1000, 3000 and 5000, in that order, and only then is the SSH port opened. That will deter nearly all attacks we encountered as they are attacking by simple methods on a large scale and are looking for the low-hanging fruit. If an attacker simply port scans us first or attempts to connect to port 22 as a default, the connection will be dropped.
72 Hours After Launching the VPS
We took a baseline of 72 hours after the VPS was live to test what action we had on the VPS. That gave attackers enough time to find the server and attempt to gain access to it. The authentication logs showed that attackers attempted to enumerate potential usernames a grand total of 12,529 times! Below, you can see the usernames used and which IPs they came from -- for example, “Failed password for invalid user joe from 220.127.116.11.”
Enumerating usernames is valuable in that many people will set up the VPS with a generic username and an easy-to-remember password such as ‘123456’. Attackers know this and so they will brute force the username with some generic password. Fortunately for us, after submitting either a valid or invalid username with an incorrect password, the attacker is denied access. The VPS authentication process does not provide any helpful error messages, and the attacks continue.
After 72 hours, a total of 12,529 attempts were made across all usernames, not including ‘root’. So far, no login attempt has been successful. Since most names use a single
password attempt, having a slightly complex password easily evades those attacks. Be sure not to use a password on a “most common passwords of the year” list to reduce the chances of non-authorized users logging in. 123456 is a bad password.
Some usernames received more attention than others. As one could imagine, VPS owners would be expected to use ‘Admin’ more often than ‘mc’ so that is why attackers try those usernames with multiple passwords in a single attack. Below are the 15 most common usernames:
For the top 15 usernames attempted, excluding ‘root’, ‘Admin’ is the most common with 2% of all the attempts. That’s good, but it pales in comparison to ‘root’ with 33% of all attempts. That should not be surprising as ‘root’ is the default username.
If an attacker is not enumerating passwords, they may be attempting to brute force the password itself with the assumption that ‘root’ may be the username. Of the 6167 attempts at brute forcing the password for ‘root’, they all came from 9 IPs (ignoring my IP with wrong attempts), as seen in the screenshot below:
Attackers and Country of Origin
The top 5 IPs who hit us are from China. While I cannot be certain where the other attackers are from, regardless of the IP’s locations, I can be fairly certain that the four IPs with 218.92.0.x are from the organization physically located within China. In general, attackers will mask their identities as they don’t want to be identified or attacked back. However, there are attackers from China and some other countries who do not care to mask themselves and will scan the world’s available IPs to see if they can get access. By the law of large numbers, they are likely to gain access to some machines and can attack them right away and/or create backdoors to save them for later.
Simple Defense and Hardening Practices
A weak password is only good if no one tries to guess it. If you use a password with ten characters and a complex character set, it should take 289,217 years to brute force it or about three years with a supercomputer or botnet. Having an easy-to-remember and hard-to-guess password is key here. A complex password with sufficient length and complexity will ward off attackers who will only try for several days before moving on.
Now that we can be assured of authentication security through credential access, we can harden our system to protect against many further attacks. Having a password that will stop the thousands of attacks from being successful is good but blacklisting those IPs are five failed attempts is even better. Fail2Ban is an intrusion protection framework which blocks the IPs of users who fail to authenticate correctly after a given number of tries. Lastly, because a third of all attempts at brute forcing the account is on the user ‘root’, change config settings to not allow root login. Now the only attackers left hit us a handful of times where even weak passwords should prevail.
Update: Ten Days Live
We continued monitoring the VPS to see if the attacks tapered off or intensified after the VPS was live for ten days. The figures below tell the story. The top nine IPs all come from China with a machine in Latvia making a show in tenth place.
We were surprised to see that China dominated the top 10. As stated previously, we cannot be sure of the actual location of most of the IPs. Most servers for rent in the world are in China and the United States. Checking the logs, we see that regardless of the large increase in the number of password brute force attacks, there continues to be no successful unauthorized logins.