Deception Toolkit

The Deception Toolkit Home Page

Getting and setting up DTK

To get DTK press here. NOTICE: By taking this copy, you agree that all updates and modifications will be reported back to us, that you will only use it to defend systems and not to figure out how to attack them, that we retain all rights to the software provided to you and any revisions, enhancements, or derivitive works that may result from it, that you will retain all copyright notices on all copies you distribute elsewhere, and that anyone you give it to will also agree to these terms.

DTK currently uses Perl and C programs and, if the "" program is used, requires that TCP wrappers be in place. If you don't have a C compiler and Perl interpreter, you will have to load them to run DTK.

Copy the distribution file to a convenient directory (an empty one) and unpack, unzip, untar, or whatever else you have to do to get to the files into that directory. For example, if you get it as a tar file, you might type "mkdir dtk-dist;cd dtk-dist;tar -xvof ../dtk.tar". This will create a dtk-dist directory and place the untar'ed content in that directory for you. Please DO NOT use the same directory for this as you use to install DTK in the next step - it will screw up

Configure dtk by typing "Configure". You may have to make certain that the the working directory ('.'), Perl libraries and the Perl interpreter are in your path. Normally, you want to place the distribution in some convenient directory that you use and the results of the Configure in the /dtk directory. You can take defaults for most of the entries most of the time. We will assume you have chosen /dtk as the location of the running programs for the rest of this instruction. Configure helps implement the deception by renaming all of the system-dependent entries in the deceptions and the programs so that everything appears to be coming from your system and so that email and other things done by DTK go to the right places.

If you are running the "" script, Install TCP wrappers with all the options for extended languages, and so on turned on. Test TCP wrappers to make sure it works right before you add DTK. Copy the relevant lines from the /dtk/dtk.hosts.allow file into your /etc/hosts.allow file to implement the desired deceptions from addresses not otherwise authorized to perform the applicable services.

Add the appropriate lines from the /dtk/dtk.inetd.conf file into your /etc/inetd.conf file to enable the services you want to provide deception for. DO NOT do the 'kill -HUP' on inetd yet!!!

Add the appropriate lines from the /dtk/ file into your /etc/services file to reflect the services you are providing deception for and to add the now official DTK "deception active" port - 365 to your services file.

NOW - find the process of the inet daemon - "ps -a | grep inetd" works on a lot of Unix systems - and send a hangup signal to it to get it to reload the /etc/inetd.conf file into it's memory - "kill -HUP " where is the process Id discovered by the precious ps command does this on many Unix systems.

Test deception out by trying something like: "telnet localhost 365". The result should be a slight delay followed by a message indicating that DTK is operating. Test out each service you provide.

Update your rc.local file to include services that do not need to go through TCP wrappers. This will enable them at startup. A typical example is given in /dtk/dtk.rc.local which is to be added (on some Unix systems) to /etc/rc.d/rc.local to be run at startup. You might want to start these services up right away for testing purposes. Just take the commands as they appear in the /dtk/dtk.rc.local file and run them as root.

VERY IMPORTANT!!! In order for DTK to be as effective as possible to as wide a set of people as possible, it is important to have a large number of different response scripts for each service. Customize response files to suit your desires and needs and send the customizations and improvements in for others to use. This will make it very hard for the attackers to keep up with all the versions and figure out quickly whether they are trying to break into a deception port or a real port. This creates more uncertainty for the bad guys, makes it harder and harder for them to go undetected, and forces them to take more and more time and effort to get into fewer and fewer systems.