Deception Toolkit


[nn].response format

The [nn].response file tells listen.pl and Generic.pl (and some day - maybe - deception.pl) how to respond to inputs. The following example fakes a trivial sendmail responder. It works almost as well as a real sendmail responder, with none of the nasty side effects of getting spammed or anything like that.

File format:
tab-separated fields, as follows:
	State	Input	NexStat	Exit	lf/file	output/filename

State:			name of the state (I use 0, 1, etc. but strings are allowed). Always start at 0.

Input:			all lower case EXCEPT for START, ERROR, NIL, NOTICE, and !, which are special cases

Next State:		name of the state to go to after doing this output

Exit:			0 to exit after this output - 1 to remain operating

lf/file:		0 for no [crlf],
			1 for [crlf],
			2 for output from the file specified

output/filename:	the output text (or, when lf/file is 2, the file whose contents are sent)

Exceptions:		State NOTICE program-name arguments
				runs program-name with arguments to notify administrators of events
				unlike everything else, this is done upon entry into the state - before input

			State ! NexStat Exit lf/file match-for action
				if match-for appears anywhere in the input line, do the rest

			State /reg-exp/ NexStat Exit lf/file action
				if the reg-exp regular expression matches anything in this input, take the action

A mild example comes from a fake port 25 program:

# State	Input	NexStat	Exit	lf/file	output/filename
# comment lines start with the pound sign (#)
# we are faking sendmail version 8.1.2/8.1.3
0	START	0	1	1	220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0	ERROR	0	1	1	500 Command unrecognized - please say "Helo"
0	help	0	1	1	214-No help available
# if they say helo, we acknowledge and go to state 1
0	helo	1	1	1	250 all.net, pleased to meet you
0	quit	0	0	1	221 all.net closing connection
# if you don't get anything - just ignore it and wait
0	nil	0	1	0
# we got a Helo request
# it contained something with /etc/passwd in it - let's simulate a big hole
1	!	4	1	2	/etc/passwd	@fake.passwd
# this regular expression matched something in the input line - let's simulate a big hole
1	/cat\spasswd/	4	1	2	@fake.passwd
1	mail	2	1	1	250 proceed
1	rcpt	1	1	1	500 Must say "HELO" first
1	help	1	1	1	214-No help available
1	quit	1	0	1	221 all.net closing connection
1	nil	1	1	0	
1	ERROR	1	0	1	500 Server Configuration Error - all.net closing connection
# even a rcpt - this guy's good!!!
2	rcpt	3	1	1	250 proceed end with a '.'
2	help	2	1	1	214-No help available.
2	quit	2	0	1	221 all.net closing connection
2	nil	2	1	0	
2	ERROR	2	0	1	500 Server Configuration Error - all.net closing connection
# getting mail - what do I do?!?!?
3	nil	1	1	1	500 Mailbox full - please start again
3	ERROR	3	0	0	500 Server Configuration Error - all.net closing connection
# I sent them a password file - better notify the authorities
4	NOTICE	notify.pl	Email	fc at all.net Just sent a password file to an attacker - sendmail exploit
4	NIL	0	1	1	214-Unknown configuration error
4	ERROR	0	0	0	500 Server Configuration Error - all.net closing connection
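As an added example (not part of the toolkit itself, which is written in Perl), the Python below parses this tab-separated format and dry-runs a session against it, so a response file can be checked before the decoy is put on the wire: which output each input line produces, which NOTICE commands would run, and where an Exit of 0 stops the responder. It assumes things the page leaves open: rules are tried in file order with ERROR as the catch-all, a literal Input matches the first word of the line lowercased, NOTICE fires only when the state actually changes, and '@file' entries are read from an in-memory dict rather than from disk. The sample file (decoy.example, the notify arguments, the fake passwd contents) is constructed for the example and is not the page's.

```python
import re

# Constructed sample in the page's [nn].response layout (decoy.example etc. are made-up).
SAMPLE_RESPONSE = """\
# State\tInput\tNexStat\tExit\tlf/file\toutput/filename
0\tSTART\t0\t1\t1\t220 decoy.example ESMTP
0\tERROR\t0\t1\t1\t500 Command unrecognized
0\thelo\t1\t1\t1\t250 decoy.example, pleased to meet you
0\tquit\t0\t0\t1\t221 decoy.example closing connection
0\tnil\t0\t1\t0
1\t!\t4\t1\t2\t/etc/passwd\t@fake.passwd
1\t/cat\\spasswd/\t4\t1\t2\t@fake.passwd
1\tERROR\t1\t0\t1\t500 Server Configuration Error
4\tNOTICE\tnotify.pl\tEmail\tadmin@decoy.example sent a fake passwd file
4\tNIL\t0\t1\t1\t214-Unknown configuration error
"""
# Stands in for reading '@file' entries from disk so the dry run works offline.
FAKE_FILES = {"fake.passwd": "root:x:0:0:root:/root:/bin/sh\n"}


def parse_response(text):
    """Turn the tab-separated rules into dicts, preserving file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and '#' comments
        f = line.split("\t")
        if len(f) >= 3 and f[1] == "NOTICE":  # State NOTICE program-name arguments
            rules.append({"state": f[0], "input": "NOTICE", "program": f[2], "args": f[3:]})
            continue
        if len(f) < 5 or f[3] not in ("0", "1") or f[4] not in ("0", "1", "2"):
            raise ValueError(f"line {lineno}: bad or missing fields: {line!r}")
        rule = {"state": f[0], "input": f[1], "next": f[2],
                "close": f[3] == "0", "lf": f[4]}  # Exit 0 = stop after this output
        rest = f[5:]
        if f[1] == "!":  # State ! NexStat Exit lf/file match-for action
            rule["match"], rule["output"] = (rest + ["", ""])[:2]
        else:
            rule["output"] = rest[0] if rest else ""
        rules.append(rule)
    return rules


def render(rule, fake_files):
    """Apply lf/file: 0 = text as-is, 1 = text + CRLF, 2 = contents of the named file."""
    if rule["lf"] == "2":
        return fake_files.get(rule["output"].lstrip("@"), "")
    return rule["output"] + ("\r\n" if rule["lf"] == "1" else "")


def matches(rule, line, word):
    """Does one rule's Input field match this line (special cases per the format)?"""
    inp = rule["input"]
    if inp == "!":
        return bool(rule["match"]) and rule["match"] in line
    if len(inp) > 2 and inp[0] == inp[-1] == "/":
        return re.search(inp[1:-1], line) is not None
    if inp.lower() == "nil":
        return word == ""
    return inp == word  # assumption: literal Input matches the first word, lowercased


def select_rule(rules, state, line):
    """First matching rule for `state` in file order (an assumption); ERROR handles the rest."""
    word, fallback = (line.split() or [""])[0].lower(), None
    for r in (r for r in rules if r["state"] == state):
        if r["input"] == "ERROR":
            fallback = fallback or r
        elif r["input"] not in ("START", "NOTICE") and matches(r, line, word):
            return r
    return fallback


def run_session(rules, inputs, fake_files):
    """Dry-run one connection: what is sent, which NOTICE commands would run, final state, alive."""
    out, notices, state, alive = [], [], "0", True

    def enter(new_state):  # NOTICE fires on entry into a state, before any input is read
        for r in rules:
            if r["state"] == new_state and r["input"] == "NOTICE":
                notices.append((r["program"], r["args"]))
        return new_state

    def fire(rule):
        nonlocal state, alive
        out.append(render(rule, fake_files))
        if rule["next"] != state:  # assumption: staying in a state is not a re-entry
            state = enter(rule["next"])
        if rule["close"]:
            alive = False

    state = enter("0")
    for r in rules:
        if r["state"] == "0" and r["input"] == "START":
            fire(r)  # the START output goes out before the first input
            break
    for line in inputs:
        if not alive:
            break
        rule = select_rule(rules, state, line)
        if rule is not None:
            fire(rule)
    return {"output": out, "notices": notices, "state": state, "alive": alive}
```

Feeding `run_session` a scripted exchange such as `["helo x", "cat passwd", ""]` shows the greeting, the regex rule firing with the fake file contents, the NOTICE queued on entry to state 4, and the NIL rule returning the session to state 0; the parser rejects lines whose Exit or lf/file field is outside the values the format allows, which is the kind of typo that otherwise only shows up once a real client is talking to the decoy.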