
I guess it should be easily possible to open the SSH port with a fake SSH server and collect passwords (I guess they aren't plain any more and have become hashes) and the corresponding logins, e.g. a honeypot. The idea behind that is to build a database and test my accounts against it. Has anyone done that already?

If you wonder what benefit I would expect from testing my accounts with those passwords, I would argue that passwords might change over time and I could eventually anticipate a "successful" SSH attack.

math
  • Ish. I wrote a twitter bot that grabbed login attempts from denyhosts, and posted to twitter: https://twitter.com/#!/crackerwatch – Tom O'Connor Mar 18 '12 at 19:00
  • What'd be the point? There are many password lists available for download. Just use those. – uSlackr Mar 18 '12 at 19:51
  • The gathered database would be very recent. Can you give good links to download recent lists? E.g. http://www.skullsecurity.org/wiki/index.php/Passwords seems to provide lists only up to 2010. – math Mar 18 '12 at 20:00

2 Answers

Yes, Stephen Murdoch at the University of Cambridge has done it, earlier this year. You can read his results in the Security Research Group blog; the initial experiment is discussed in this article, and some more results appear in this article.

My personal favourite bit was

For example, there was a log-in attempt for the usernames “root” and “dark” with the password “ManualulIngineruluiMecanic”, which I think is Romanian for Handbook of Mechanical Engineering.

Why would someone use this password, especially for the uncommon username “dark”? Is this book common in Romania; is it likely to be by the desk of a sys-admin (or hacker) trying to choose a password? Has the hacker found the password in use on another compromised system; is it the default password for anything?

MadHatter

Since SSH attacks are dictionary attacks with some flair, downloading a text file of a dictionary would provide you with a lot of potential passwords. It wouldn't hurt to set up a honeypot, as that would provide you with more common passwords.

If you feel lazy, however, you could download plaintext password dumps from major websites, as there are plenty of those around, and (after filtering them for repeats) you should get a good database of commonly used passwords.

Fortunately, since human nature is a sluggish thing, you'll be good to go on that alone until people get better memory, or until someone invents a computer that doesn't need humans to input things.

qweet
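As an added example (not code from either answer or from the Cambridge experiment), this turns honeypot login attempts and a downloaded dump into the deduplicated, frequency-ranked database the answers describe, and checks whether a password you are about to set has already been tried against the honeypot. The log format, the sample lines and the dump list are all constructed assumptions for a hypothetical honeypot.

```python
import re
from collections import Counter

# Assumed log format for a hypothetical SSH honeypot (constructed sample, not real data):
#   <timestamp> login attempt user=<name> password=<pw> from <ip>
SAMPLE_LOG = """\
2012-03-18T19:00:01 login attempt user=root password=123456 from 198.51.100.7
2012-03-18T19:00:02 login attempt user=root password=password from 198.51.100.7
2012-03-18T19:00:03 login attempt user=admin password=123456 from 203.0.113.9
2012-03-18T19:00:04 login attempt user=root password=123456 from 203.0.113.9
2012-03-18T19:00:05 login attempt user=dark password=ManualulIngineruluiMecanic from 203.0.113.9
2012-03-18T19:00:06 connection closed by 203.0.113.9
"""

# Constructed stand-in for a downloaded dump; contains repeats, as real dumps do
SAMPLE_DUMP = ["qwerty", "123456", "letmein", "qwerty"]

LINE_RE = re.compile(r"login attempt user=(\S+) password=(\S*) from (\S+)$")

def parse_attempts(log_text):
    """Return (username, password) pairs from the honeypot log; non-matching lines are skipped."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def password_frequencies(pairs):
    """Count how often each password was tried, regardless of username."""
    return Counter(pw for _, pw in pairs)

def build_database(pairs, dump_words):
    """Merge honeypot passwords with a dump list; the set filters out repeats."""
    return {pw for _, pw in pairs} | set(dump_words)

def check_own_password(candidate, database):
    """True if the password you want to use is already in the attacker-observed set."""
    return candidate in database

if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    db = build_database(attempts, SAMPLE_DUMP)
    print(password_frequencies(attempts).most_common(3))
    print(check_own_password("123456", db), check_own_password("correct horse", db))
```

Feeding real honeypot logs in is a matter of replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the honeypot's actual line format.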