                      The Deception Toolkit Home Page

[nn].response format

The [nn].response file describes to listen.pl and Generic.pl (and some day
- maybe - deception.pl) how to respond to inputs. The following example
fakes out a trivial sendmail responder. It works almost as well as a real
sendmail responder with none of the nasty side effects of getting spammed
or anything like that.

file formats:
tab separated fields as follows:
        State   Input   NexStat Exit    lf/file output/filename

State:                  name of state (I use 0, 1, etc. but strings are allowed). Always start at 0.

Input:                  all lower case EXCEPT for START, ERROR, NIL, NOTICE, and ! which are special cases

Next State:             name of the state to go to after doing this output

Exit:                   0 for exit - 1 for remain operating

lf/file:                0 for no [crlf],
                        1 for [crlf],
                        2 for output from the file specified

output/filename:        the output

Exceptions:             State NOTICE program-name arguments
                                runs program-name with arguments to notify administrators of events
                                unlike everything else, this is done upon entry into state - before input

                        State ! NexStat Exit lf/file match-for action
                                if match-for appears anywhere in the input line, do the rest

                        State /reg-exp/ NexStat Exit lf/file action
                                if the reg-exp regular expression matches anything in this input, trigger

A mild example comes from a fake port 25 program:

# State Input   NexStat Exit    lf/file output/filename
# comment lines start with the pound sign (#)
# we are faking sendmail version 8.1.2/8.1.3
0       START   0       1       1       220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0       ERROR   0       1       1       500 Command unrecognized - please say "Helo"
0       help    0       1       1       214-No help available
# if they say helo, we acknowledge and go to state 2
0       helo    1       1       1       250 all.net, pleased to meet you
0       quit    0       0       1       221 all.net closing connection
# if you don't get anything - just ignore it and wait
0       nil     0       1       0
# we got a Helo request
# it contained something with /etc/passwd in it - let's simulate a big hole
1       !       4       1       2       /etc/passwd     @fake.passwd
# this regular expression matched something in the input line - let's simulate a big hole
1       /cat\spasswd/   4       1       2       @fake.passwd
1       mail    2       1       1       250 proceed
1       rcpt    1       1       1       500 Must say "HELO" first
1       help    1       1       1       214-No help available
1       quit    1       0       1       221 all.net closing connection
1       nil     1       1       0
1       ERROR   1       0       1       500 Server Configuration Error - all.net closing connection
# even a rcpt - this guy's good!!!
2       rcpt    3       1       1       250 proceed end with a '.'
2       help    2       1       1       214-No help available.
2       quit    2       0       1       221 all.net closing connection
2       nil     2       1       0
2       ERROR   2       0       1       500 Server Configuration Error - all.net closing connection
# getting mail - what do I do?!?!?
3       nil     1       1       1       500 Mailbox full - please start again
3       ERROR   3       0       0       500 Server Configuration Error - all.net closing connection
# I sent them a password file - better notify the authorities
4       NOTICE  notify.pl       Email   fc@all.net Just sent a password file to an attacker - sendmail exploit
4       NIL     0       1       1       214-Unknown configuration error
4       ERROR   0       0       0       500 Server Configuration Error - all.net closing connection
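As an added example (not part of the toolkit), the parser and state-machine driver below read a cut-down copy of the port 25 table in the format described above and run it over a constructed client session, exercising plain rows, the ! substring row, the /reg-exp/ row, NIL on empty input, Exit 0, and NOTICE on state entry. The matching order (first row in file order, ERROR as fallback), comparing the client's first word in lower case, and looking the lf/file=2 name up in an in-memory dict instead of on disk are assumptions made here.

```python
import re
# Constructed cut-down copy of the port 25 example, in the page's tab-separated
# format (not the toolkit's own file); FILES stands in for the lf/file=2 file.
SAMPLE = "\n".join([
    "0\tSTART\t0\t1\t1\t220 all.net ESMTP Sendmail 8.1.2/8.1.3;",
    "0\thelo\t1\t1\t1\t250 all.net, pleased to meet you",
    "1\t!\t4\t1\t2\t/etc/passwd\t@fake.passwd",
    "1\t/cat\\spasswd/\t4\t1\t2\t@fake.passwd",
    "1\tERROR\t1\t0\t1\t500 Server Configuration Error - all.net closing connection",
    "4\tNOTICE\tnotify.pl\tEmail fc@all.net Just sent a password file to an attacker",
    "4\tNIL\t0\t1\t1\t214-Unknown configuration error",
])
FILES = {"@fake.passwd": "root:x:0:0:root:/root:/bin/sh\n"}  # constructed stand-in

def parse_rules(text):  # -> {state: [(input, next, exit, lf, match/program, action/args)]}
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if f[1] == "NOTICE":                   # State NOTICE program-name arguments
            row = ("NOTICE", None, None, None, f[2], "\t".join(f[3:]))
        else:                                  # State Input NexStat Exit lf/file [match-for] action
            m, rest = (f[5], f[6:]) if f[1] == "!" else (None, f[5:])
            row = (f[1], f[2], f[3], f[4], m, "\t".join(rest))
        table.setdefault(f[0], []).append(row)
    return table

def run_session(table, client_lines, files=FILES):  # -> (replies, notices, closed)
    replies, notices, state = [], [], "0"      # always start in state 0
    def fire(r):                               # lf/file 0: raw, 1: add CRLF, 2: send a file
        nonlocal state
        _, state, ex, lf, _, act = r
        replies.append(files[act] if lf == "2" else act + ("\r\n" if lf == "1" else ""))
        notices.extend((n[4], n[5]) for n in table.get(state, []) if n[0] == "NOTICE")  # on entry
        return ex == "0"                       # Exit 0 closes the connection
    def select(line):                          # first matching row in file order, else ERROR
        rules, word = table.get(state, []), (line.split() or [""])[0].lower()
        for r in rules:                        # exact word, nil on empty, '!' substring, /regex/
            i = r[0]
            if (i == word or (not word and i.lower() == "nil") or (i == "!" and r[4] in line)
                    or (len(i) > 1 and i[0] == i[-1] == "/" and re.search(i[1:-1], line))):
                return r
        return next((r for r in rules if r[0] == "ERROR"), None)
    closed = fire(next(r for r in table["0"] if r[0] == "START"))
    pending = list(client_lines)
    while pending and not closed:
        r = select(pending.pop(0))
        closed = r is None or fire(r)          # no matching row and no ERROR row: close
    return replies, notices, closed
```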
