Deception Toolkit
The Deception Toolkit Home Page
[nn].response format
The [nn].response file tells listen.pl and Generic.pl (and some day -
maybe - deception.pl) how to respond to inputs. The following example fakes
out a trivial sendmail responder. It works almost as well as a real sendmail
responder, with none of the nasty side effects such as getting spammed.
file formats:
tab separated fields as follows:
State Input NexStat Exit lf/file output/filename
State: name of state (I use 0, 1, etc. but strings are allowed. Always start at 0)
Input: all lower case EXCEPT for START, ERROR, NIL, NOTICE, and ! which are special cases
Next State: name of the state to go to after doing this output
Exit: 0 for exit - 1 for remain operating
lf/file: 0 for no [crlf],
1 for [crlf],
2 for output from the file specified
output/filename: the output
Exceptions: State NOTICE program-name arguments
runs program-name with arguments to notify administrators of events
unlike everything else, this is done upon entry into the state - before any input
State ! NexStat Exit lf/file match-for action
if match-for appears anywhere in the input line, do the rest
State /reg-exp/ NexStat Exit lf/file action
if the reg-exp regular expression matches anything in this input, trigger the action
A mild example comes from a fake port 25 program:
# State Input NexStat Exit lf/file output/filename
# comment lines start with the pound sign (#)
# we are faking sendmail version 8.1.2/8.1.3
0 START 0 1 1 220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0 ERROR 0 1 1 500 Command unrecognized - please say "Helo"
0 help 0 1 1 214-No help available
# if they say helo, we acknowledge and go to state 1
0 helo 1 1 1 250 all.net, pleased to meet you
0 quit 0 0 1 221 all.net closing connection
# if you don't get anything - just ignore it and wait
0 nil 0 1 0
# we got a Helo request
# it contained something with /etc/passwd in it - let's simulate a big hole
1 ! 4 1 2 /etc/passwd @fake.passwd
# this regular expression matched something in the input line - let's simulate a big hole
1 /cat\spasswd/ 4 1 2 @fake.passwd
1 mail 2 1 1 250 proceed
1 rcpt 1 1 1 500 Must say "HELO" first
1 help 1 1 1 214-No help available
1 quit 1 0 1 221 all.net closing connection
1 nil 1 1 0
1 ERROR 1 0 1 500 Server Configuration Error - all.net closing connection
# even a rcpt - this guy's good!!!
2 rcpt 3 1 1 250 proceed end with a '.'
2 help 2 1 1 214-No help available.
2 quit 2 0 1 221 all.net closing connection
2 nil 2 1 0
2 ERROR 2 0 1 500 Server Configuration Error - all.net closing connection
# getting mail - what do I do?!?!?
3 nil 1 1 1 500 Mailbox full - please start again
3 ERROR 3 0 0 500 Server Configuration Error - all.net closing connection
# I sent them a password file - better notify the authorities
4 NOTICE notify.pl Email fc at all.net Just sent a password file to an attacker - sendmail exploit
4 NIL 0 1 1 214-Unknown configuration error
4 ERROR 0 0 0 500 Server Configuration Error - all.net closing connection
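To make the state table concrete, here is an added Python interpreter for the format described above (example code, not the toolkit's own Perl). It parses a constructed excerpt of the port 25 table, replays a client session, and records the NOTICE command instead of running notify.pl; the precedence used when several rows could match, and the lookup of an lf/file value 2 output in a constructed file dict, are this example's assumptions.

```python
import re

# Constructed excerpt of the port 25 [nn].response table above; fields are tab separated.
TABLE = """0\tSTART\t0\t1\t1\t220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0\tERROR\t0\t1\t1\t500 Command unrecognized - please say "Helo"
0\thelo\t1\t1\t1\t250 all.net, pleased to meet you
1\t!\t4\t1\t2\t/etc/passwd\t@fake.passwd
1\t/cat\\spasswd/\t4\t1\t2\t@fake.passwd
1\tmail\t2\t1\t1\t250 proceed
1\tERROR\t1\t0\t1\t500 Server Configuration Error - all.net closing connection
4\tNOTICE\tnotify.pl\tEmail fc at all.net Just sent a password file to an attacker
4\tERROR\t0\t0\t0\t500 Server Configuration Error - all.net closing connection"""
FILES = {"@fake.passwd": "root:*:0:0:decoy:/:/bin/sh\n"}  # constructed bait file contents

def parse(text):
    """Map state -> list of rule tuples (fields after State); '#' lines are comments."""
    rules = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split("\t")
            rules.setdefault(f[0], []).append(tuple(f[1:]))
    return rules

def render(rule):
    """lf/file 0: output as-is, 1: output + CRLF, 2: output names a file to send."""
    lf, out = int(rule[3]), rule[-1]
    return FILES[out] if lf == 2 else out + ("\r\n" if lf == 1 else "")

def select(rules, state, line):
    """Rule for one input line. Precedence is this example's assumption: exact
    lower-cased keyword, then '!' substring, then /regex/, then the state's ERROR row."""
    cands = rules.get(state, [])
    word = line.split()[0].lower() if line.split() else "nil"
    hits = ([r for r in cands if r[0] == word]
            + [r for r in cands if r[0] == "!" and r[4] in line]
            + [r for r in cands if r[0][:1] == "/" and re.search(r[0][1:-1], line)]
            + [r for r in cands if r[0] == "ERROR"])
    return hits[0]

def run_session(text, inputs):
    """Replay a client session against the table; return (replies, notices, closed)."""
    rules, state, replies, notices = parse(text), "0", [], []
    replies.append(render(next(r for r in rules["0"] if r[0] == "START")))
    for line in inputs:
        rule = select(rules, state, line)
        replies.append(render(rule))
        state = rule[1]
        # NOTICE fires on entry into a state, before it sees input; recorded, not executed
        notices += [list(r[1:]) for r in rules.get(state, []) if r[0] == "NOTICE"]
        if rule[2] == "0":  # Exit field: 0 means close the connection
            return replies, notices, True
    return replies, notices, False
```

Calling run_session(TABLE, ["HELO evil", "cat /etc/passwd", "QUIT"]) yields the banner, the greeting, the bait file (the "!" row fired on the /etc/passwd substring) and the state 4 closing error, with one notify.pl record queued on entry to state 4.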