
Some Basic Credential and Country Analysis of Incoming Mirai (IoT Botnet) Traffic


I’ve been messing with Robert Graham’s TelnetLogger project today and captured some IPs and credentials over around two hours.

I was curious about two things:

  1. Which credentials would be most popular

  2. Which were the most common source IPs

The listener has options for capturing both via:

telnetlogger -p passwds.txt -i ips.txt

What I did was create a simple script (HoneyCredIPTracker) that processes the output. It basically summons the all-powerful combo of:

sort | uniq -c | sort -nr

Fascinating to see which countries are trying most often, and what credentials they’re trying the most.

You can get the script here.
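A minimal tally built on the pipeline above, as an added example that is not the author's HoneyCredIPTracker script. It assumes one "username password" pair per line in passwds.txt and one address per line in ips.txt; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Assumed capture format (not confirmed by the post): one "username password"
# pair per line in passwds.txt, one source address per line in ips.txt.

# top_counts FILE [N]: print the N most frequent lines as "count<TAB>value".
top_counts() {
    n=${2:-10}
    # Logged values are attacker-controlled. Delete CR, BEL, ESC and other
    # control bytes (tab and newline are kept) so a crafted login string cannot
    # split the tally or drive the terminal when the report is displayed.
    LC_ALL=C tr -d '\000-\010\013-\037\177' < "$1" |
        grep -v '^[[:space:]]*$' |
        LC_ALL=C sort | uniq -c |
        LC_ALL=C sort -k1,1nr -k2 |
        head -n "$n" |
        awk '{ c = $1; sub(/^[ \t]*[0-9]+[ \t]+/, ""); print c "\t" $0 }'
}

# write_sample DIR: constructed sample data, not real captures. Addresses are
# from the RFC 5737 documentation ranges; one credential carries a BEL byte.
write_sample() {
    printf 'root root\r\nadmin admin\r\nroot root\r\n\r\nroot 12345\r\nroot root\007\r\n' \
        > "$1/passwds.txt"
    printf '%s\n' 192.0.2.10 198.51.100.7 192.0.2.10 \
        203.0.113.5 192.0.2.10 198.51.100.7 > "$1/ips.txt"
}

dir=$(mktemp -d)
write_sample "$dir"
echo "Top credentials:"; top_counts "$dir/passwds.txt" 5
echo "Top source IPs:";  top_counts "$dir/ips.txt" 5
rm -rf "$dir"
```

Without the `tr` step, the CR-terminated and BEL-tainted variants of the same credential would be counted as separate entries.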
