Log Parsing

It started out with me making fun of a co-worker for taking 2 hours to create a pretty cool Powershell script to parse a log file.  It ended with 10 min, a single line of Bash script, and a mic being dropped.

(In all seriousness, his powershell script was fancier than mine, and did what he wanted.  I just wanted a challenge...)

So my co-worker setup a SSH Honeypot using Kippo and put it on the Internet.  He wanted to see what types of username/password combos were being used "in the wild".  A fun little project if I must say so myself.  He needed a way to parse out the logs looking for username/password combos and wanted them written out to three files.  One file with the username/password combos, one with just the usernames (sorted and unique'd), and one with just the passwords (also sorted and unique'd).  I told him to give me 10 minutes, and I would have a one-liner that does what he needs.

(This one-liner is quick and dirty, and will probably be re-written at some point to clean it up, but does what it needs to.)

First, we have our log files.  For this, I used the file 'fulllog.txt', which you can download and follow along with.

Let's take a look at the contents:

#cat fulllog.txt

That is a lot of info.  We want to specifically look at login attempts.  If we look at one of the attempt lines, we see the word 'attempt' is in it.  Cool, then lets just grep for 'attempts'.

#grep attempt fulllog.txt

That is better, but still not what we want.  We need to get just the username/password combos at the end.  I want to cut where the "[" symbol is, as well as the "]" symbol is.  First, the "[" symbol.

#grep attempts fulllog.txt | cut -d"[" -f3

Next, the "]" symbol.

#grep attempts fulllog.txt | cut -d"[" -f3 | cut -d"]" -f1

Awesome!  Here is our list of usernames/passwords.  Now we want that in a file, so just output the results!

 #grep attempts fulllog.txt | cut -d"[" -f3 | cut -d"]" -f1 > UPCombos.txt

Now we need to split out the usernames and passwords from the UPCombos.txt file.  To keep it to one line, we throw in the "&&" to run the command if the first succeeds.  We then pull out just the usernames using cut, sort the output, and uniq it, finally outputting to a file.

#grep attempts fulllog.txt | cut -d"[" -f3 | cut -d"]" -f1 > UPCombos.txt && cat UPCombos.txt | cut -d"/" -f1 | sort | uniq > Usernames.txt

Next up, the passwords.  Basically the same thing, just with the passwords.

#grep attempts fulllog.txt | cut -d"[" -f3 | cut -d"]" -f1 > UPCombos.txt && cat UPCombos.txt | cut -d"/" -f1 | sort | uniq > Usernames.txt && cat UPCombos.txt | cut -d"/" -f2 | sort | uniq > Passwords.txt

And there we have it folks.  A one-line script to parse the SSH logs to see what username/password combos are being used and outputting to three different files.

And all within the 10 min I set out to complete in...

I leave you with this....

Popular Posts