15 - ftp.log

FTP log
...

less -S ftp.log 


In Zeek, any field that holds a password is not shown in the log; the value is masked.

Editing /usr/local/zeek/share/zeek/base/protocols/ftp/main.zeek:

Deleted the password line that had the <hidden> term written in the script, then ran again:

zeek -C -r Capture.pcap local


Now we can see the passwords.

root@53ef41d5da39:/mnt# cat ftp.log | zeek-cut user password | sort | uniq -c | sort -n
      6 tony.shephard   Summer2023!
     41 abdullah.yasin  XhlhGame_90HJLDASxfd&hoooad

Another edit in ftp/main.zeek, to see the wrong passwords tried by the attacker:

Password spray
...

cat ftp.log | zeek-cut user password | sort | uniq -c | sort -n

Now we can see the password spray.

Attackers' IP
...

cat ftp.log | zeek-cut id.orig_h | sort | uniq -c | sort -n   


3.109.209.43
120.78.199.189
root@53ef41d5da39:/mnt# grep 120.78.199.189 *.log | awk -F: '{print $1}' | sort -n | uniq -c
    932 conn.log
    930 ftp.log

root@53ef41d5da39:/mnt# grep 3.109.209.43 *.log | awk -F: '{print $1}' | sort -n | uniq -c
  65641 conn.log
      3 dns.log
     34 files.log
    191 ftp.log
      2 ssh.log
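As an added example (not part of the original notes), the two zeek-cut pipelines above, user/password counts and per-source-IP counts, reproduced in Python over a Zeek TSV ftp.log, plus a check that flags a source trying one password against many users. The log lines, IPs (TEST-NET ranges) and usernames are constructed for the example; it assumes password capture was enabled so the password column is real.

```python
"""Parse a Zeek TSV ftp.log and reproduce: zeek-cut user password | sort | uniq -c
and zeek-cut id.orig_h | sort | uniq -c, then flag password-spray sources."""
from collections import Counter

# Constructed sample ftp.log (not from the original capture). 198.51.100.9 sprays
# one password across several accounts; 192.0.2.7 is a legitimate user.
SAMPLE_FTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tftp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tpassword\tcommand\targ
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring
1702490000.1\tCa1\t192.0.2.7\t51000\t10.0.0.5\t21\ttony.shephard\tSummer2023!\tRETR\treport.pdf
1702490001.2\tCb2\t198.51.100.9\t40001\t10.0.0.5\t21\talice\tWinter2023!\tPASS\t-
1702490001.3\tCb3\t198.51.100.9\t40002\t10.0.0.5\t21\tbob\tWinter2023!\tPASS\t-
1702490001.4\tCb4\t198.51.100.9\t40003\t10.0.0.5\t21\tcarol\tWinter2023!\tPASS\t-
1702490001.5\tCb5\t198.51.100.9\t40004\t10.0.0.5\t21\tadmin\t<hidden>\tPASS\t-
#close\t2023-12-13-18-26-39
"""


def parse_zeek_tsv(text):
    """Yield one dict per record; column names come from the #fields header.
    Zeek writes '-' for unset fields, which are mapped to None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, #close, blank lines
        else:
            yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}


def count_pairs(records):
    """Equivalent of: zeek-cut user password | sort | uniq -c."""
    return Counter((r["user"], r["password"]) for r in records if r["user"])


def count_origins(records):
    """Equivalent of: zeek-cut id.orig_h | sort | uniq -c."""
    return Counter(r["id.orig_h"] for r in records)


def spray_sources(records, min_users=3):
    """Return {(src_ip, password): [users]} where one source tried the same password
    against at least min_users distinct accounts; masked passwords are ignored."""
    users = {}
    for r in records:
        if r["user"] and r["password"] and r["password"] != "<hidden>":
            users.setdefault((r["id.orig_h"], r["password"]), set()).add(r["user"])
    return {k: sorted(v) for k, v in users.items() if len(v) >= min_users}


if __name__ == "__main__":
    recs = list(parse_zeek_tsv(SAMPLE_FTP_LOG))
    for (user, pw), n in count_pairs(recs).most_common():
        print(f"{n:7d} {user}\t{pw}")
    for (ip, pw), names in spray_sources(recs).items():
        print(f"spray from {ip}: {pw!r} tried against {len(names)} users: {', '.join(names)}")
```

In the shipped scripts this masking is controlled by the `FTP::default_capture_password` option (default F), so `redef FTP::default_capture_password = T;` in local.zeek gives the same result without patching main.zeek.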