One of the principles of crime prevention is that you are attempting to increase the perceived risk to illegitimate users and decrease the perceived risk to legitimate users. A good way to do this with domestic housing is to make the access to the house obscured from the road.
What this means is that an intruder must actually begin the intrusion before being able to discover whether they can carry it out undetected. This increases the perceived risk, and the intruder tries somewhere else.
(Case in point: our immediate next-door neighbor has been broken into many times; we have not. The difference? You can see their whole house from the street; you have to be at the front door of ours to see anything.)
The Deception Toolkit presents a system that appears to have well-known vulnerabilities (e.g. an old sendmail). The system does not actually have these vulnerabilities, but the attacker cannot discover this from an 'innocent scan': they must actually attempt to exercise the vulnerability, and in doing so they vastly increase their risk of capture (the DTK logs attempts to exercise its 'vulnerabilities').
Fri, 1 Jan 1999 18:56:08 -0800
A quick note to say that Deception Toolkit (DTK) is now running on my SCO Open Server 5.0.2 and 5.0.4 machines with Perl5.0004_4, thanks to the generous (and patient) assistance of the author, Dr. Fred Cohen, who states that future releases will include SCO support.
This DTK is remarkable. Within three hours of successful installation, I was able to interdict a vexatious (and persistent) little ankle-biter who has been troubling me for weeks.
Installation on SCO entailed generating a socket.ph.SCO file on the basis of socket.h, and editing Configure to reflect SCO as an option. After that, it was a snap.
A word of thanks is due to Dr. Cohen for making this valuable tool freely available. Check it out at http://all.net/dtk/dtk.html
Another classic case of deception is the Trojan horse. A fake su, for example, can be a useful Trojan horse. A fake chmod is another, but it can break some scripts.
To Build a Honeypot
Shawn F. Mckay, Dummy "su"
Abstract: This program is intended to help an intruder who does not know the system (many work from "cheat sheets") to trip alarms so the rightful sysadmin folks can charge to the rescue.
Venema, Eindhoven University of Technology, fake-rshd
Abstract: Echo the specified arguments to the remote system after satisfying a minimal subset of the rshd protocol. Works with the TCP Wrapper to send an arbitrary message back to someone trying to make an rsh/rlogin connection.
Lionel Cons, Rsucker
Abstract: A Perl script that acts as a fake r* daemon and logs the attempt in syslog. Byte sucker for r* commands.
When you want to lock the door after all kosher modloads and kmem writes have happened, attempt to open the device (for example, add "sh -c '
The Turing Test Is Not A Trick: Turing Indistinguishability Is A Scientific Criterion
Art of Deception Government Corruption, Covert
FakeBO fakes Back Orifice server responses and logs every attempt to a logfile or stdout. It is able to send fake pings and replies back to the client trying to access
This release adds a flexible routine for config file parsing, time and date logging, buffered logging and silent mode.
Vlatko Kosturjak, KoSt @ 12/23/98 - 13:00 EST