From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 981031

---------------------------------------------

Announcing the DTK V0.6 upgrade:

DTK Version 0.6 adds the 'slowly' pragma to 'orders'. Slowly is used to make things happen at a slower rate. This can simulate a slow machine, or be used to intentionally make things that you don't want to happen quickly happen more slowly. It also includes Syslog support and deceptions for Back Orifice and NetBus Windows-based attacks.

V0.6 also adds logging of accesses by IP address and retrieval of roll-up information from these log files via the deception port, in a manner similar to that of InfoCon information. This is particularly helpful in rapid remote analysis of incidents across a network. For example, by asking a series of machines for this listing, you can very quickly correlate breadth-first search attacks on a network, find class C and class B networks that are using multiple addresses to attack, and drill down to gather all the details from the entire network on activities from a particular IP address or set of addresses. The ultimate objective is to determine where an attack is coming from and switch an entire network to deceptions or denial for that IP address until the attack wanes. Thus even if a machine has a legitimate service on a particular port, it can find out from the rest of the network that a remote host is attacking and switch the legitimate service over to a deception.

V0.6 also adds time-based passwords (which can also be used in a use-based mode if desired) and the utility program tbp.pl. TBP allows remote systems to authenticate themselves automatically over time without reuse of the same old passwords. TBP is based on the MD5 hashing algorithm, which is used to hash a monotonically increasing integer on an IP-address by IP-address basis. The hash is formed from the secret key appended to the time in milliseconds from the beginning of time.
When TBP is chosen as the basis for remote authentication, the TBP key is taken from the user and provided to the system components as part of the configuration process. Remote systems get a copy of tbp.pl and run the program to generate a valid key for fetching information. For example, I just typed tbp.pl and got this string:

909870941 18619820543f74cd1456b60390f8b939

If I send this as a response to a request for a TBP hash -AND- the remote system shares my secret key -AND- the time (e.g., 909870941) is further advanced than the current time specified for the IP address I am coming from, I will be authenticated -AND- the time stamp for my IP address will be set to the new value. Thus, authentication reuse is impossible, time always advances, but absolute time within some select set of bounds is not required. If desired, time could simply be incremented by 1 on each use, and thus we would have use-based passwords. The scheme also avoids denial of service because the time specified for the IP address is only advanced if the authentication is valid. It has the limitation (feature?) that only pre-specified IP addresses can authenticate themselves with TBPs.

How to do it:

If you place a line like:

! slowly 10 # ten second delay for each response - we are slow...

in a response file, it will cause a 10 second delay after each input before providing output. Choose another integer (less than the timeout value) and it takes that long.

This was motivated by the Teergrubing FAQ (http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html), which suggests that to reduce SPAM, we could all have our mail receivers send a few million bytes of comment (e.g., the following):

250-This is Sendmail version 8.8.5
250-This is Sendmail version 8.8.5
250-This is Sendmail version 8.8.5
250-This is Sendmail version 8.8.5
250-This is Sendmail version 8.8.5
250-This is Sendmail version 8.8.5
250-This is Sendmail version 8.8.5
...
250 OK to go now

You do this for all known spam hosts.
The result is that to the normal mailer, it slows things down but does not block functionality, while to the SPAM site which is connecting to millions of hosts doing the same thing, it would wreak havoc. It turns out that if you want to avoid spam from a known host it's probably better to simply tell the host that there is no such user (in your reply to the 'mail to' input), but the idea of slowing things down has virtue, so we put it in.

Syslog support is used by specifying Y (sYslog) as the audit option in the Configure program.

Back Orifice and NetBus deceptions correspond to ports now added to the dtk.rc.local file. On system reboot, this file is normally executed and the deceptions are engaged.

One-time-pad generation improvements are transparent upon use of Configure to configure DTK.

IP address logging is automatic and stored in the IP directory under the directory used for the rest of DTK's activities. This logging uses the same format as is in use for other logging activities. This is not done when Syslog logging is used. Unlike the normal log file, these files are not backed up and cleaned out when a new DTK configuration is loaded. Fetching this information remotely is demonstrated in the 365.response file delivered with DTK.

TBP services are implemented by selecting TBP as the authentication scheme and specifying a password. The DTK_PASSWORD field in response files is then used to require an authentication. To authorize an IP address to do TBP authentication, you must create a file in the installation directory (typically /dtk) with the name TBP.ipaddress, where ipaddress is the IP address of the remote host being authenticated. For example, the file TBP.1.2.3.4 would authorize TBP authentication from 1.2.3.4 if placed in the DTK installation directory. Initial file contents can be set to the character 0 (zero) to assure that the first authentication will work. From then on, time will move with the remote system's time.
To be useful, you should copy the tbp.pl script and the md5 executable to the remote system to be authenticated. From that system, authentication is generated by running tbp.pl, the results of which can be sent for authentication to systems running TBP.

FC
---------------------------------------------
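As an added illustration of the TBP check described above (not DTK's own code, and written in Python rather than the Perl of tbp.pl): a token generator and the per-IP verifier with the strict-advance and advance-only-on-success rules, the per-IP state standing in for the TBP.ipaddress files. The hash input ordering (counter followed by secret), the use of Unix seconds as the counter (as the 909870941 sample suggests) and hashlib in place of the md5 executable are assumptions; the secret and IP addresses are constructed.

```python
import hashlib
import hmac
from typing import Dict

def tbp_token(secret: str, counter: int) -> str:
    """Client side (what tbp.pl prints): '<counter> <md5 hex>'.
    Assumption: the hashed string is the counter followed by the secret,
    and the counter is Unix seconds, as the 909870941 sample suggests."""
    digest = hashlib.md5(f"{counter}{secret}".encode()).hexdigest()
    return f"{counter} {digest}"

class TbpVerifier:
    """Server side. `state` maps authorized IP -> last accepted counter, the
    role DTK's TBP.<ipaddress> files play; 0 means 'never used yet'."""
    def __init__(self, secret: str, state: Dict[str, int]):
        self.secret = secret
        self.state = state

    def verify(self, ip: str, token: str) -> bool:
        last = self.state.get(ip)
        if last is None:          # no TBP.<ip> entry: IP is not authorized
            return False
        try:
            counter_s, digest = token.strip().split(" ", 1)
            counter = int(counter_s)
        except ValueError:
            return False
        expected = hashlib.md5(f"{counter}{self.secret}".encode()).hexdigest()
        if not hmac.compare_digest(expected, digest.lower()):
            return False          # wrong secret or tampered token
        if counter <= last:       # time must strictly advance: replay rejected
            return False
        self.state[ip] = counter  # advance only on success: no lockout by bogus tokens
        return True

def demo() -> list:
    """Walks the announcement's cases with a constructed secret and IP."""
    secret, ip = "constructed-secret", "1.2.3.4"
    v = TbpVerifier(secret, {ip: 0})              # file TBP.1.2.3.4 containing '0'
    tok = tbp_token(secret, 909870941)
    return [
        v.verify(ip, tok),                        # first use, 909870941 > 0: True
        v.verify(ip, tok),                        # replay of the same token: False
        v.verify("5.6.7.8", tok),                 # IP with no TBP file: False
        v.verify(ip, "909870999 " + "0" * 32),    # bad hash, state not advanced: False
        v.verify(ip, tbp_token(secret, 909870942)),  # use-based mode: just +1: True
    ]
```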