Deception-based Security Tools

One of the principles of Crime Prevention is that you are attempting to increase the perceived risk to illegitimate users and decrease the perceived risk to legitimate users. A great way to do this with domestic housing is to make the access to the house obscured from the road.

What this means is that the intruder must actually begin the intrusion before being able to discover if they can do the intrusion undetected -- thus we increase the perceived risk and the intruder tries somewhere else
(case in point our immediate next-door neighbor has been broken into many times, we have not - the difference? you can see their whole house from the street - you have to be at the front door of ours to see anything...).

The deception toolkit presents a system that appears to have well known vulnerabilities (i.e. old sendmail etc). The system does not actually have these vulnerabilities, but the attecker cannot discover this from an
'innocent scan' they must actually attempt to exercise the vulnerability - thus they vastly increase their risk of capture (the DTK logs attempt to exercise its 'vulnerabilities').

root6 ([email protected])
Fri, 1 Jan 1999 18:56:08 -0800

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Tomas Halgas: "nmap can crash microsoft telnetd"
Previous message: Troy Davis: "Re: netscan.org - broadcast ICMP list"

A quick note to say that Deception Toolkit (DTK) is now running on my SCO Open Server 5.0.2 and 5.0.4 machines with Perl5.0004_4, thanks to  the generous (and patient) assistance of the author, Dr. Fred Cohen, who states that future releases will include SCO support.

This DTK is remarkable. Within three hours of successful installation, I was able to interdict a vexious (and peristent) little ankle-biter who has been troubling me for weeks.

Installation on SCO entailed generating a socket.ph.SCO file on the basis of socket.h, and editing Configure to reflect SCO as an option. After that, it was a snap.

A word of thanks is due Dr. Cohen for making this valuable tool freely available. Check it out, at http://all.net/dtk/dtk.html

Another classical case of deception are Trojan horses.  fake su, for example, can be a useful Trojan horse.  Fake chmod is another, but it can break some scripts.

Articles

To Build a Honeypot

Deception Toolkit

Tools

Shawn F. Mckay, Dummy "su" program
Abstract: This program is intended to help an intruder who does not know the system (many work from "cheat sheets") to trip alarms so the rightful sysadmin folks can charge to the rescue.

Wietse Venema, Eindhoven University of Technology, fake-rshd
Abstract: Echo the specified arguments to the remote system after satisfying a minimal subset of the rshd protocol. Works with the TCP Wrapper to send an arbitrary message back to someone trying to make an rsh/rlogin connection.

Lionel Cons, Rsucker
Abstract: A perl script that acts as a fake r* daemon and log the attempt is syslog. Byte sucker for r* commands.

Real-time Attack Response

When you want to lock the door after all kosher modloads and kmem writes have happened, attempt to open the device (for example, add "sh -c ' ToC

This program is intended to help an intruder who does not know the system to trip alarms so the rightful system administration will notice and respond.ToC

fake_rshd echoes the specified arguments to the remote system after satisfying a minimal subset of the rshd protocol. It works with the TCP Wrapper to send an arbitrary message back to someone trying to make an rsh/rlogin connection.ToC

Rsucker is a perl script that acts as a fake r* daemon and log the attempt is syslog. Byte sucker for r* commands.ToC

Under fire!

The Turing Test Is Not A Trick Turing Indistinguishability Is A Scientific Criterion

Anecdotes

• Illusionworks

Art of Deception Government Corruption, Covert