Blue Teams Labs Online | Bruteforce

Aditya Sharma
Sep 4, 2022


This is the seventeenth write-up in the Blue Team Labs Online challenge series. This time we complete the Bruteforce challenge.

Brief on Bruteforce
A brute-force attack is a trial-and-error method of recovering a secret by submitting candidate values until one is accepted. Its most common use is password guessing: the attacker tries many passwords (or many usernames against one password) against a login interface such as RDP, SSH or a web form.

How to protect against Bruteforce
- Use strong, unique passwords (long passphrases or randomly generated ones)
- Restrict access to authentication endpoints (for RDP, do not expose TCP/3389 directly to the internet; put it behind a VPN or gateway and allow-list source addresses)
- Limit login attempts with account lockout or rate limiting
- Use Two-Factor Authentication (2FA)

Given Scenario,
Can you analyze logs from an attempted RDP bruteforce attack?
One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log.
There are a number of different ways to approach the analysis of these logs! Consider the suggested tools, but there are many others out there!

To solve this challenge, a zip file named “Bruteforce.zip” is provided for download. The password to open it is given in the picture below. Inside you will find three files to work with.

Tools/Utilities Used,
1. Excel
2. Notepad
3. Online lookups (IPVoid / VirusTotal)

Q. How many Audit Failure events are there? (Format: Count of Events)

A. 3103

Filter the Keywords column on “Audit Failure” and count the remaining rows.

Q. What is the username of the local account that is being targeted? (Format: Username)

A. administrator

Read the TargetUserName field of the failed-logon events. Note that each 4625 event carries two account names: the Subject (the account that requested the logon, usually “-” or the machine account for network logons) and the Account For Which Logon Failed; the targeted account is the second one.

Q. What is the failure reason related to the Audit Failure logs?

A. Unknown user name or bad password.

Read the Failure Reason field of the events. The same information is encoded in the Status and Sub Status codes of the event, which are useful when the message text is truncated in an export.

Q. What is the Windows Event ID associated with these logon failures?

A. 4625, the well-known “An account failed to log on” event ;)

Also check the Logon Type on these events: RDP with Network Level Authentication records failed attempts as Logon Type 3 (network), while RDP without NLA records them as Logon Type 10 (RemoteInteractive).

Q. What is the source IP conducting this attack? (Format: X.X.X.X)

A. 113.161.192.227

Read the Source Network Address (IpAddress) field. A single address generating thousands of failures against one account is the signature of a brute-force attempt, as opposed to scattered failures from many internal hosts.

Q. What country is this IP address associated with? (Format: Country)

A. Vietnam

Look the address up on IPVoid or VirusTotal; both report the country and any reputation hits for the IP.

Q. What is the range of source ports that were used by the attacker to make these login requests? (LowestPort-HighestPort — Ex: 100–541)

A. 49162–65534

Sort the Source Port (IpPort) column and take the lowest and highest values. These are the attacker's ephemeral client ports, so the range itself says little beyond how many connections were opened; the port that matters for the attack is the destination, RDP on 3389.
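The same analysis done in code rather than in Excel, as an added example that is not part of the original write-up or the challenge files. The records below are constructed in the shape of Event ID 4625 message text, with the username, source IP and ports chosen to mirror the answers above, plus one unrelated failure and one successful logon so the filters have something to exclude. The functions answer the questions in order (count, targeted account, failure reason, source IP and port range) and then add the detection a SOC would actually run: a sliding-window count of failures per source IP. The threshold of 5 failures in 5 minutes is an assumed tuning value, not something the challenge specifies.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Body of Event ID 4625 ("An account failed to log on") as exported from the Security log;
# layout follows the real event, the substituted values are constructed for this example.
MESSAGE_4625 = """An account failed to log on.

Subject:
\tAccount Name:\t\t-

Logon Type:\t\t\t{logon_type}

Account For Which Logon Failed:
\tAccount Name:\t\t{user}

Failure Information:
\tFailure Reason:\t\t{reason}
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC000006A

Network Information:
\tSource Network Address:\t{ip}
\tSource Port:\t\t{port}
"""
BAD_PASSWORD = "Unknown user name or bad password."

def make_event(ts, event_id, keywords, user="-", ip="-", port=0, logon_type=3):
    """One exported record as a dict. Logon Type 3 is what RDP with NLA logs on failure (10 without NLA)."""
    if event_id == 4625:
        message = MESSAGE_4625.format(user=user, ip=ip, port=port, logon_type=logon_type, reason=BAD_PASSWORD)
    else:
        message = "An account was successfully logged on."
    return {"TimeCreated": ts, "Id": event_id, "Keywords": keywords, "Message": message}

T0 = datetime(2022, 9, 4, 10, 0, 0)  # constructed timestamps
SAMPLE_EVENTS = [
    # Rapid failures from one external address against the local administrator account
    make_event(T0 + timedelta(seconds=2 * i), 4625, "Audit Failure",
               user="administrator", ip="113.161.192.227", port=port)
    for i, port in enumerate([49162, 49170, 51200, 60000, 65001, 65534])
] + [
    # Noise the filters must exclude: one mistyped password from an internal host, one success
    make_event(T0 + timedelta(minutes=5), 4625, "Audit Failure", user="jsmith", ip="10.0.0.5", port=50000),
    make_event(T0 + timedelta(minutes=6), 4624, "Audit Success"),
]

# "Account Name" appears twice (Subject and target): anchor on the target section. "Status" must not match "Sub Status".
FIELD_PATTERNS = {
    "target_user": re.compile(r"Account For Which Logon Failed:.*?Account Name:\s+(\S+)", re.S),
    "failure_reason": re.compile(r"Failure Reason:\s+(.+?)\n"),
    "status": re.compile(r"(?<!Sub )Status:\s+(0x[0-9A-Fa-f]+)"),
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "source_ip": re.compile(r"Source Network Address:\s+(\S+)"),
    "source_port": re.compile(r"Source Port:\s+(\d+)"),
}

def audit_failures(events):
    """The Excel filter: Keywords = Audit Failure and Id = 4625."""
    return [e for e in events if e["Id"] == 4625 and e["Keywords"] == "Audit Failure"]

def parse_4625(event):
    """Extract the fields the challenge questions ask about from the message text."""
    fields = {"time": event["TimeCreated"]}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(event["Message"])
        fields[name] = match.group(1) if match else None
    fields["source_port"] = int(fields["source_port"] or 0)  # 0 when the event has no port (local logons show "-")
    return fields

def summarize(events):
    """Count, targeted users, failure reasons and per-source port range."""
    parsed = [parse_4625(e) for e in audit_failures(events)]
    by_source = defaultdict(list)
    for f in parsed:
        by_source[f["source_ip"]].append(f["source_port"])
    return {
        "audit_failures": len(parsed),
        "target_users": Counter(f["target_user"] for f in parsed),
        "failure_reasons": Counter(f["failure_reason"] for f in parsed),
        "per_source": {ip: {"count": len(ports), "port_range": (min(ports), max(ports))}
                       for ip, ports in by_source.items()},
    }

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failures in any sliding window (assumed tuning values)."""
    by_source = defaultdict(list)
    for f in (parse_4625(e) for e in audit_failures(events)):
        by_source[f["source_ip"]].append(f["time"])
    hits = {}
    for ip, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("brute-force sources:", detect_bruteforce(SAMPLE_EVENTS))
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` in PowerShell, and the message text of each event has exactly the field labels the regexes above anchor on. The point of the sliding window is that 3103 failures in total only tell you the volume; a rate (failures per source per minute) is what separates an attack from a user who mistyped a password a few times, and it is what you would turn into an alert.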
