From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 980316
<pre>---------------------------------------------
From POPmail Fri Mar 13 13:05:07 1998
 with Netcom Interactive Netcom POP3 (version 2.01  Mon Oct 20 16:14:44 CDT 1997) Fri Mar 13 15:02:11 1998
X-From_: taldric@nswc.navy.mil  Fri Mar 13 14:59:48 1998
Received: from relay2.nswc.navy.mil (relay2.nswc.navy.mil [128.38.48.157]) by multi33.netcomi.com (8.8.5/8.7.3) with SMTP id OAA00213 for <fred at all.net>; Fri, 13 Mar 1998 14:59:48 -0600
Received: from amesserver.nswc.navy.mil by relay2.nswc.navy.mil (4.1/SMI-4.1)
	id AA24511; Fri, 13 Mar 98 16:00:11 EST
Received: from [128.38.31.21] by amesserver.nswc.navy.mil
 with ESMTP (Eudora Internet Mail Server 1.2); Fri, 13 Mar 1998 16:04:18 -0500
X-Sender: taldric@amesserver.nswc.navy.mil
Message-Id: <v03102802b12f44e31c55@[128.38.31.21]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 13 Mar 1998 16:01:10 -0500
To: jkerby@nswc.navy.mil, snorthc@nswc.navy.mil
From: "Timothy M. Aldrich" <taldric@nswc.navy.mil>
Subject: Deception Toolkit (DTK) - First Look
Cc: fred at all.net, Dennis.Poindexter@bmdo.osd.mil, jegreen@nswc.navy.mil,
        wralph@nswc.navy.mil, virwin@nswc.navy.mil, navcirt@fiwc.navy.mil
Status: RO

Deception Toolkit (DTK) v0.1
	- First Look -

Fred Cohen's Deception Toolkit (DTK) <http://www.all.net/dtk.html> is a
promising new tool to assist in intrusion detection.  The toolkit consists
of a listening/parsing engine and a series of finite state machine scripts.
The engine, written in Perl, listens on a given port and responds to
activity on that port based on the content of the appropriate finite state
machine script.  Not only does the engine log each access with all
interesting Internet information (source IP, source port, destination port,
time/date, etc.), but it also logs all characters sent into that port
(i.e., if the attacker typed a username and a password, these are captured
to the log).  The engine can either run the I/O stream directly or through
TCP-Wrappers.

The intended use for this tool is to deceive an attacker into believing he
has located a machine which he may be able to break into.  The tool allows
the attacker to carry out the attack (based on the content of the script),
but the machine is never in danger since it is the DTK, and not a real
server-application, parsing the input.

I downloaded the toolkit and installed it today for the first time.  After
some initial problems with installation (the included text and web-based
instructions leave out a few critical steps and ideas) I got the toolkit
acting as a POP3 server.  It performed exactly as advertised, simulating
what looked like a valid POP3 server connection sequence.  All characters
were trapped and logged, and there was no obvious way to gain access to the
underlying machine.

Although this tool shows great promise, it is not yet a finished product.
The installation instructions are vague and leave out some steps in the
process.  There are also a very limited number of finite state machine
scripts provided, meaning there are only a limited number of ports on which
this tool can be used.  The tool also provides logs in a unique format that
requires special post-processing, thus giving us yet another log we need to
review regularly.

I believe, however, that this toolkit is one which could provide a great
payback, especially when deployed on a wide array of machines.  The more
machines that appear to have known vulnerabilities but are actually quite
safe, the more time attackers waste.  In addition, the system admin can
gather valuable data on the attack sequence, the usernames/passwords used,
and perhaps even data on vulnerabilities we didn't know existed.  Time and
effort do, however, need to be spent to develop more and varied scripts.



/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
 Tim Aldrich                             Naval Surface Warfare Center
 SHADOW team member                      Dahlgren Division, Code CD2S
 taldric@nswc.navy.mil                   17320 Dahlgren Road
 Phone: (540) 653-7270                   Dahlgren, Virginia  22448-5100
---------------------------------------------
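The listener/parser plus finite-state-machine design Aldrich describes above (a port listener that answers from a script table and logs source address, destination port, timestamp and every character the peer sends), reduced to a small Python illustration. This is an added example for this archive page, not DTK's own code (DTK itself is written in Perl); the POP3 script table, the banner hostname, the client transcripts and the listening port are all constructed for the example.

```python
"""Toy deception listener in the spirit of DTK: a finite-state-machine driven
fake POP3 service that logs every byte the peer sends and never lets that
input reach a real mail or authentication code path.  Added example, not
DTK's code; the script table, banner hostname and port are constructed."""
import json
import re
import socket
import time
from dataclasses import dataclass, field

MAX_LINE = 512  # RFC 1939 command-line limit; also caps what a hostile peer can make us buffer

# state -> [(regex on the client line, scripted reply, next state)].
# The "-" pattern is a catch-all, so every input gets a scripted answer and
# nothing the attacker types is ever interpreted by real server code.
POP3_SCRIPT = {
    "auth": [(r"^USER\s+\S+$", "+OK", "pass"),
             (r"^QUIT$", "+OK bye", "closed"),
             ("-", "-ERR unknown command", "auth")],
    "pass": [(r"^PASS\s+\S+$", "-ERR invalid login", "auth"),
             (r"^QUIT$", "+OK bye", "closed"),
             ("-", "-ERR need PASS", "pass")],
}
BANNER = "+OK POP3 server ready <1896.697170952@mail.example.net>"  # constructed banner


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_port: int
    state: str = "auth"
    log: list = field(default_factory=list)

    def record(self, event, data):
        # One JSON object per line: greppable and SIEM-friendly, so the log
        # needs no bespoke post-processor.
        self.log.append(json.dumps({
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "src": f"{self.src_ip}:{self.src_port}", "dst_port": self.dst_port,
            "state": self.state, "event": event, "data": data}))

    def banner(self):
        self.record("send", BANNER)
        return BANNER

    def step(self, line):
        """Feed one client line; return the scripted reply, or None once closed."""
        if self.state == "closed":
            return None
        self.record("recv", line)           # capture the raw input before any matching
        if len(line) > MAX_LINE:
            self.record("send", "-ERR line too long")
            return "-ERR line too long"     # state unchanged; oversize input is just logged
        for pattern, reply, nxt in POP3_SCRIPT[self.state]:
            if pattern == "-" or re.match(pattern, line):
                self.state = nxt
                self.record("send", reply)
                return reply
        return None  # unreachable: every state's table ends in the "-" catch-all


def run_session(lines, src_ip, src_port, dst_port=110):
    """Replay a client transcript offline; returns (replies, log_lines)."""
    s = Session(src_ip, src_port, dst_port)
    replies = [s.banner()]
    for line in lines:
        reply = s.step(line)
        if reply is None:
            break
        replies.append(reply)
    return replies, s.log


def serve(host="127.0.0.1", port=1110):
    """Drive one Session per connection on an unprivileged port (run as an unprivileged user)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, (ip, sport) = srv.accept()
            with conn, conn.makefile("rwb") as f:
                s = Session(ip, sport, port)
                f.write((s.banner() + "\r\n").encode())
                f.flush()
                while s.state != "closed":
                    raw = f.readline(MAX_LINE + 2)   # bounded read: no unbounded buffering
                    if not raw:
                        break
                    reply = s.step(raw.decode("latin-1").rstrip("\r\n"))
                    f.write((reply + "\r\n").encode())
                    f.flush()
            for entry in s.log:
                print(entry)


if __name__ == "__main__":
    serve()
```

Two design points worth noting against the review above: the script table is the only thing that decides a reply, so adding a port means adding a table, not code; and because each log entry is a self-describing JSON line, the log can be pulled into whatever the site already reviews instead of becoming one more format that needs its own post-processor. Bind to an unprivileged port under an unprivileged account and redirect the real port to it at the firewall or via TCP Wrappers, so a bug in the decoy cannot hand out anything more than the decoy's own privileges.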
