Bruteforce BTLO

RDP Brute Force Attack Log Analysis

1- The first question asks for the number of login failures. I simply used find and counted the events containing the word 'Administrator', because the attacker was brute forcing that account to obtain its password.

2- This one simply asks for the username, which is easy: it is the same word we used for the search.

3- Here the question asks for the failure reason. After checking the event file it is "wrong password or Administrator not defined". I think this is a good trick by the Active Directory editor: an Administrator account must have been found, but if the reason had been only "bad password" the attacker would now be sure they are halfway there and would switch to password spraying instead of brute force.

4- This question asks for the event ID, which is also in the event file.

5- The source IP can easily be detected from the file.

6- I used AbuseIPDB to determine the attacker's country.

7- To find the smallest and largest source port I wrote a small script that extracts the relevant source port numbers from the document and returns the smallest and largest values.
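The counting in question 1, the source IP in question 5 and the port range in question 7 can all be answered by one parser. This is an added example, not the write-up's own script, and it runs over a constructed sample modelled on a Windows Security event text export rather than the challenge file; the field names and layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not the challenge file), styled like a Windows Security event text export.
SAMPLE_LOG = """\
Event ID: 4625  An account failed to log on.
    Account Name: Administrator
    Status: 0xC000006D   Sub Status: 0xC000006A
    Source Network Address: 203.0.113.5   Source Port: 50321
Event ID: 4625  An account failed to log on.
    Account Name: Administrator
    Status: 0xC000006D   Sub Status: 0xC000006A
    Source Network Address: 203.0.113.5   Source Port: 1138
Event ID: 4624  An account was successfully logged on.
    Account Name: Administrator
    Source Network Address: 203.0.113.5   Source Port: 50999
"""

def parse_events(text):
    """Split the export at each 'Event ID:' line and pull out the fields the questions need."""
    parts = re.split(r"^Event ID: (\d+)", text, flags=re.M)  # [preamble, id, body, id, body, ...]
    events = []
    for event_id, body in zip(parts[1::2], parts[2::2]):
        def field(name):
            m = re.search(rf"{name}: (\S+)", body)
            return m.group(1) if m else None
        port = field("Source Port")
        events.append({
            "event_id": int(event_id),
            "account": field("Account Name"),
            # Sub Status carries the real reason: 0xC000006A = bad password,
            # 0xC0000064 = user name does not exist.
            "sub_status": field("Sub Status"),
            "src_ip": field("Source Network Address"),
            "src_port": int(port) if port else None,
        })
    return events

def summarise(events, account="Administrator", failure_id=4625):
    """Count failures against one account, list source IPs and reasons, and find the port range."""
    fails = [e for e in events if e["account"] == account and e["event_id"] == failure_id]
    ports = [e["src_port"] for e in fails if e["src_port"] is not None]
    return {
        "failed_logons": len(fails),
        "source_ips": sorted({e["src_ip"] for e in fails}),
        "reasons": dict(Counter(e["sub_status"] for e in fails)),
        "smallest_port": min(ports, default=None),
        "largest_port": max(ports, default=None),
    }
```

Run `summarise(parse_events(open("events.txt").read()))` against a real export in this layout; a single source IP with a wide port range and one repeated sub status is the brute-force pattern the write-up describes.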

Thanks for Reading
