Digitala Vetenskapliga Arkivet

A case study of unauthorized login attempts against honeypots via remote desktop
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering.
2023 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis
Abstract [en]

Remote service software is typically used to establish a connection to an asset on another network. There are a variety of services depending on which asset needs to be accessed and which information needs to be transferred. One of these is Remote Desktop Protocol (abbreviated RDP), a communication protocol that allows clients to connect to another computer over a network. Microsoft developed the protocol and introduced it in their operating systems in the late 90s. The most common authorization method is by using credentials. These can be created locally on the host or managed centrally via Kerberos / Active Directory.

RDP is an attack surface that is heavily exposed. There are several vulnerabilities affecting this protocol. One is the possibility of eavesdropping on credentials. However, the most common reason intrusions occur via RDP is not that malicious actors have obtained the credentials via eavesdropping; it is that they have managed to guess them with a dictionary or brute-force attack.

This observational study was performed with three honeypots that were exposed to attacks via remote desktop for 37 days. More than 120,000 login attempts were recorded and the first attempts occurred within 24 hours. One of the research questions being studied is how availability is affected for an asset to which a login rate limit is applied, as this kind of control can be abused and exploited as a denial-of-service attack.

One of the honeypots was configured with "Account Lockout Policy", a feature integrated into the Microsoft Windows operating system. The policy was configured according to Microsoft's recommendation. The results show that the brute-force attacks had a small impact on availability. However, this is mainly because the most active malicious actors did not target the administrator's account in their attempts to gain access. If they had chosen to do so, availability would have been significantly more affected.

Another honeypot was configured to use a non-standard port for the remote service, to study whether attacks can be avoided by trying to hide that the service is active and available. This turned out not to be a good security enhancement, as the remote service on this honeypot was discovered after 15 days and login attempts were conducted by several different actors.

Previous research on attacks against the remote desktop has shown that this is an attractive target and a common attack surface. The results of this study support and confirm this.

Place, publisher, year, edition, pages
2023. p. 35
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:ltu:diva-99239
OAI: oai:DiVA.org:ltu-99239
DiVA, id: diva2:1784631
Subject / course
Student thesis, at least 30 credits
Educational program
Information Security, master's level (120 credits)
Presentation
2023-06-07, Online, -, -, 11:00 (English)
Supervisors
Examiners
Available from: 2023-08-10. Created: 2023-07-28. Last updated: 2023-09-19. Bibliographically approved

Open Access in DiVA

fulltext (2023 kB), 142 downloads
File information
File name: FULLTEXT02.pdf
File size: 2023 kB
Checksum SHA-512:
24b2c96f790311e590dc74439fd687babc303b5bd5d1523b184a6624b66004259f29adae9c885f4819a362a5b2a53145c6856668841cd9fb546370506f7bd598
Type: fulltext
Mimetype: application/pdf

Search in DiVA

By author/editor
Rehnbäck, Oscar
By organisation
Department of Computer Science, Electrical and Space Engineering
Computer and Information Sciences

Total: 142 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.

Total: 495 hits