Beyond the leak : analyzing the real-world exploitation of stolen credentials using honeypots

Rabzelj, Matej; Sedlar, Urban

Podrobno

Beyond the leak : analyzing the real-world exploitation of stolen credentials using honeypots
ID Rabzelj, Matej (Avtor), ID Sedlar, Urban (Avtor)

	PDF - Predstavitvena datoteka, prenos (4,42 MB) MD5: 21E318DB6D06EF6F93EBE29B8FF4296A
	URL - Izvorni URL, za dostop obiščite https://www.mdpi.com/1424-8220/25/12/3676

Izvleček

This study presents one of the most extensive analyses of the lifecycle of leaked authentication credentials to date, bridging the gap between database breaches and real-world cyberattacks. We analyze over 27 billion leaked credentials—nearly 4 billion unique—using a sophisticated data filtering and normalization pipeline to handle breach inconsistencies. Following this analysis, we deploy a distributed sensor network of 39 honeypots running 14 unique services across 9 networks over a one-year-long experiment, capturing one of the most comprehensive authentication datasets in the literature. We analyze leaked credentials, SSH and Telnet session data, and HTTP authentication requests for their composition, characteristics, attack patterns, and occurrence. We comparatively assess whether credentials from leaks surface in real-world attacks. We observe a significant overlap of honeypot logins with common password wordlists (e.g., Nmap, John) and defaultlists (e.g., Piata, Mirai), and limited overlaps between leaked credentials, logins, and dictionaries. We examine generative algorithms (e.g., keywalk patterns, hashcat rules), finding they are widely used by users but not attackers—unless included in wordlists. Our analyses uncover unseen passwords and methods likely designed to detect honeypots, highlighting an adversarial arms race. Our findings offer critical insights into password reuse, mutation, and attacker strategies, with implications for authentication security, attack detection, and digital forensics.

Jezik:	Angleški jezik
Ključne besede:	cyberattack analysis, data breach, honeypots, leaked credentials, service modeling, username and password analysis
Vrsta gradiva:	Članek v reviji
Tipologija:	1.01 - Izvirni znanstveni članek
Organizacija:	FE - Fakulteta za elektrotehniko
Status publikacije:	Objavljeno
Različica publikacije:	Objavljena publikacija
Leto izida:	2025
Št. strani:	44 str.
Številčenje:	Vol. 25, issue 12, art. 3676
PID:	20.500.12556/RUL-169933
UDK:	007:004.056
ISSN pri članku:	1424-8220
DOI:	10.3390/s25123676
COBISS.SI-ID:	239917315
Datum objave v RUL:	19.06.2025
Število ogledov:	569
Število prenosov:	92
Metapodatki:
:	Kopiraj citat
Objavi na:

Gradivo je del revije

Naslov:	Sensors
Skrajšan naslov:	Sensors
Založnik:	MDPI
ISSN:	1424-8220
COBISS.SI-ID:	10176278

Licence

Licenca:	CC BY 4.0, Creative Commons Priznanje avtorstva 4.0 Mednarodna

Povezava:	http://creativecommons.org/licenses/by/4.0/deed.sl
Opis:	To je standardna licenca Creative Commons, ki daje uporabnikom največ možnosti za nadaljnjo uporabo dela, pri čemer morajo navesti avtorja.

Sekundarni jezik

Jezik:	Slovenski jezik
Ključne besede:	analiza kibernetskih napadov, odtekanje podatkov, kibernetske vabe, modeliranje storitev, analiza uporabniških imen in gesel

Projekti

Financer:	ARIS - Javna agencija za znanstvenoraziskovalno in inovacijsko dejavnost Republike Slovenije
Številka projekta:	V2-2378
Naslov:	Kibernetska varnost obrambnih sistemov in kritičnih infrastruktur

Financer:	ARIS - Javna agencija za znanstvenoraziskovalno in inovacijsko dejavnost Republike Slovenije
Številka projekta:	V2-24009
Naslov:	Modeliranje groženj in kibernetskih napadov na kibernetskem vadbišču MO

Financer:	ARIS - Javna agencija za znanstvenoraziskovalno in inovacijsko dejavnost Republike Slovenije
Številka projekta:	P2-0425
Naslov:	Decentralizirane rešitve za digitalizacijo industrije ter pametnih mest in skupnosti

Podobna dela

Podobna dela v RUL:
Podobna dela v drugih slovenskih zbirkah:

Nazaj