Brute Force Analysis

Brute force attacks involve repeated authentication attempts with different credentials to gain unauthorized access. Analysis focuses on identifying the attack pattern, its timing, whether any attempt succeeded, and its scope.

Detection Indicators
  • Multiple failed authentication attempts in short timeframe

  • Sequential username/password variations

  • Repeated connection attempts from same source

  • Consistent timing patterns between attempts

  • Multiple response codes indicating authentication failure

Analysis Workflow

1. Identify Suspicious Traffic

  • Filter by protocol and source IP

In Wireshark:
ip.src == [ATTACKER_IP] and ftp
Adapt for other protocols; group the alternatives in parentheses, because and binds tighter than or in display filters and the unparenthesised form would match all HTTP traffic from any host:
ip.src == [ATTACKER_IP] and (ssh or http)
  • Look for repeated authentication commands


2. Pattern Recognition

  • Examine authentication attempts for patterns:

    • Username enumeration (same password, different users)

    • Password spraying (same user, different passwords)

    • Credential stuffing (both changing)

  • Note the frequency and timing between attempts

  • Count total number of attempts


3. Timeline Analysis

  • Set proper time display format (UTC recommended for correlation)

In Wireshark:
View > Time Display Format > UTC Date and Time
  • Identify attack start time (first authentication attempt)

  • Identify attack end time

  • Calculate attack duration and attempt rate


4. Success/Failure Analysis

  • Monitor response codes to determine outcomes:

FTP: 530 (login failed) vs 230 (login successful)
HTTP: 401/403 (unauthorized) vs 200/302 (success)
SSH: "Failed password" vs "Accepted password" in logs
  • Identify if any attempt succeeded

  • Document successful credentials if found


5. Scope Assessment

  • Identify all targeted accounts

  • Determine if attack targeted single or multiple services

  • Check for lateral movement after successful authentication

  • Correlate with other logs (system logs, application logs)

Key Wireshark Techniques
  • Display filters: Isolate relevant traffic by IP, protocol, and commands

  • Follow TCP/TLS Stream: View complete conversation context

  • Statistics > Conversations: Identify connection patterns

  • Export Objects: Extract any files transferred after successful login

  • String Search in Packet Data: Find specific keywords across filtered traffic

    • Enter a search term (e.g. Login successful, Login incorrect, Authentication failed)

    • Works across protocols: search for 200 OK, 401, denied, accepted, etc.

Documentation
  • Attack timeline (start/end)

  • Source IP address(es)

  • Targeted service(s) and port(s)

  • Number of attempts

  • Successful credentials (if any)

  • Actions taken post-compromise

  • Attack pattern type (enumeration, spraying, stuffing)

Log Detection
# Count failed attempts by source IP (field offsets assume the standard sshd line:
# "Failed password for [invalid user] USER from IP port N ssh2")
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
# Failed attempts in a specific timeframe (match the timestamp format your syslog
# actually writes: traditional "Dec 29 05:" or RFC 3339 "2025-12-29T05:")
grep "Failed password" /var/log/auth.log | grep "2025-12-29 05:"
# Accounts targeted in the brute force
grep "Failed password" /var/log/auth.log | awk '{print $(NF-5)}' | sort | uniq -c | sort -rn
# Successful login after multiple failures (potential compromise): review the most
# recent failures, then count earlier failures for every source IP that got accepted
grep "Failed password" /var/log/auth.log | tail -20
grep "Accepted password" /var/log/auth.log | tail -20
grep "Accepted password" /var/log/auth.log | awk '{print $(NF-3)}' | sort -u |
  while read -r ip; do
    echo "$ip: $(grep -c "Failed password.* from $ip port" /var/log/auth.log) failed attempts before/after acceptance"
    grep "Accepted password.* from $ip port" /var/log/auth.log
  done
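The timeline, success/failure and log-detection steps above can be done in one pass over the log. The following Python script is an added example, not part of this page: it parses sshd auth lines (the constructed sample below), groups them by source IP, and reports attempt count, users tried, start/end, rate, and any successful login that followed a rapid run of failures. The year, the min_failures and max_gap thresholds, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt; syslog timestamps carry no year, so one is assumed
SAMPLE_LOG = """\
Dec 29 05:10:01 srv sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Dec 29 05:10:03 srv sshd[4012]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Dec 29 05:10:05 srv sshd[4013]: Failed password for root from 203.0.113.7 port 51003 ssh2
Dec 29 05:10:07 srv sshd[4014]: Failed password for root from 203.0.113.7 port 51004 ssh2
Dec 29 05:10:09 srv sshd[4015]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Dec 29 05:30:00 srv sshd[4100]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Dec 29 06:00:00 srv sshd[4200]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
"""
# Same line shape the awk field offsets in the grep commands rely on
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def analyze(log_text, year=2025, min_failures=3, max_gap=60):
    """Per source IP: attempts, failures, users tried, start/end, attempts per minute,
    and users whose success came after >= min_failures failures spaced <= max_gap s
    (both thresholds are assumed for this example, not taken from the page)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["outcome"], m["user"]))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        compromised = []
        for i, (ts, outcome, user) in enumerate(evs):
            prior_failures = sum(1 for e in evs[:i] if e[1] == "Failed")
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs[:i], evs[1:i + 1])]
            if outcome == "Accepted" and prior_failures >= min_failures and max(gaps, default=0) <= max_gap:
                compromised.append(user)
        duration = (evs[-1][0] - evs[0][0]).total_seconds()
        report[ip] = {
            "attempts": len(evs), "failures": sum(1 for e in evs if e[1] == "Failed"),
            "users": sorted({e[2] for e in evs}),
            "start": evs[0][0].isoformat(), "end": evs[-1][0].isoformat(),
            "rate_per_min": round(len(evs) * 60 / duration, 1) if duration else None,
            "compromised_users": compromised,
        }
    return report
```

Run analyze() over the real file contents (open("/var/log/auth.log").read()) to get one summary per source IP; the compromised_users list is what to check first during scope assessment.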
