Section 16.14 Monitoring the Scanners with Deception Tool Kit (DTK)

   


The Deception Tool Kit (DTK) was created around early 1998. It provides fake versions of popular services that crackers seek but which you do not run on a particular system or which you allow only on certain client systems. It feeds the crackers false information, wastes their time, logs their entry for you to deal with, and can chase them away. It can give them a fake /etc/passwd file that appears to have real users. They then may download it to their own systems, crack the passwords, and then be puzzled when the cracked passwords do not work. Some fake services will appear to core dump in response to attacks.

DTK's technique of optionally offering "attractive" services frequently is called a honey pot. Sometimes, a site will create a whole system whose sole purpose is to serve as a honey pot to draw a cracker away from systems running important applications. The honey pot will log an intruder's actions to see what his capabilities are, to provide evidence to take action against him, and to add his IP address to those blocked by the firewall or similar software.

Keep in mind that an attack against a honey pot might not be a crime against you under the theory of Entrapment. Thus, you need to balance a risk of reduced ability to prosecute against increased detection, and thus, protection. (Choose increased detection and protection.) The FBI did state to this author that they do want to know about attacks against honey pots because this evidence can be valuable during sentencing of a cracker found guilty of attacking another site.


One of DTK's novel features is that it can pretend to be providing services on a variety of different operating systems, such as NT, various UNIX boxen, and Linux. DTK is driven by a Perl script, Generic.pl, that operates as a state machine. A state machine really is just an interpreter with numbered states, starting with 0. The state description file for a given port number, located in /dtk/default, is the "machine." It lists a sequence of possible expected user inputs, each with a corresponding output and the number of the state to move to next. This allows it to have a believable dialogue with the cracker that has connected to the particular service (port number). It is easy to customize these scripts (machines) or to create new ones for additional services.

It optionally listens on DTK's official port (365) as a warning to crackers that they will be deceived, so they can save time and go away now. Many will go away just from this warning. It requires the use of TCP Wrappers, but TCP Wrappers is standard with most distributions now. DTK can be downloaded from the creator's site:

http://all.net/dtk/

Alternatively, it can be copied from this book's companion CD-ROM. On the CD-ROM it is compressed, so you will need to run gunzip on the dtk.tar.gz file. The following build instructions assume that you are starting with the compressed version. Select an unused UID and GID for the new user and group dtk. It is suggested that a range of these UIDs and GIDs be reserved for isolated services, such as DTK, named, ftpd, etc. This reduces the likelihood that these UIDs and GIDs will accidentally be used for other purposes too, which would compromise security.

By default, DTK runs as root. This is unnecessary risk, especially for a script. The instructions given here will run it as an ordinary user to increase the number of "Rings of Security."


    Create ordinary group dtk with groupadd
    Create ordinary user dtk with adduser
    umask 077
    mkdir /dtk
    chown dtk.dtk /dtk
    su dtk
    gunzip dtk.tar.gz
    mkdir dtk-disk
    cd dtk-disk
    tar -xf ../dtk.tar
    su
    ./Configure

The Configure shell script will ask you some questions to guide it to an appropriate installation. A RETURN is a reasonable response to most. When it prompts for "Which fully qualified domainname" it should return, specify yours. If you do not have your own domain pointing at your network, for example, you have a home system or small business where you.com "A" records point to your ISP or do not exist, you might want to specify how you appear under your ISP's domain, for example:

    you.users.earthlink.com

Pick this name carefully, because it will be added to many files. When it prompts for a password, you can enter one to use. It is best to use a different password than you use for root or other accounts because it is stored in plain text under /dtk.

Now comes the fun part. Use your favorite editor and copy some of the lines from /dtk/dtk.hosts.allow into your actual /etc/hosts.allow file. This determines which services you want to fake. You do not want to fake real services nor any that the Cracker Trap is listening on. Although it is possible to have both DTK and the Cracker Trap on the same port by having each invoked out of /etc/hosts.allow, this might not accomplish much. If you will be using the Cracker Trap to lock them out, why bother to "dance with them a while first"? (You could "dance one dance" and then lock them out.) Some of the services offered are listed next; look at the number at the beginning of file names in /dtk/default to see all default services offered. Pick any combination of those that you are not running "for real."

    in.telnetd
    httpd
    in.pop3d
    in.wrapd
    portmap

Look at the /dtk/dtk.* files and add appropriate lines from them to your actual files in /etc. The entries in /dtk/dtk.* are confusing. The following have been tested. These lines were added to /etc/services:

    # DTK
    dtk     365/tcp        # Deception toolkit port
    dtk     365/udp        # Deception toolkit port
    wrapd   421/tcp        # TCP wrappers attack deception

These lines were added to /etc/inetd.conf:

    #DTK manually-added entries
    #These run under the "dtk" user, not "root"
    pop-3  stream tcp nowait dtk /usr/sbin/tcpd /none/in.pop3d
    sunrpc stream tcp nowait dtk /usr/sbin/tcpd /none/sunrpc
    wrapd  stream tcp nowait dtk /usr/sbin/tcpd /none/in.wrapd
    dtk    stream tcp nowait dtk /usr/sbin/tcpd /none/dtk

These lines were added to /etc/hosts.allow:

    in.pop3d: all:    twist /dtk/Generic.pl %a 110 %u %d unknown
    sunrpc:   all:    twist /dtk/Generic.pl %a 111 %u %d unknown
    in.wrapd: all:    twist /dtk/Generic.pl %a 421 %u %d unknown
    dtk:      all:    twist /dtk/Generic.pl %a 365 %u %d unknown

At this point, you are ready to start DTK. This is done with the following command, as root:

    killall -HUP inetd

The TCP services easily may be tested with telnet by invoking it with a second argument, which is the numeric port number or its symbolic name in /etc/services. Any of these DTK services will time out. The timeout value is configurable but typically is 30 seconds. To see what the dtk service on port 365 does, issue this command:

    telnet yoursys.pentacorp.com dtk

If you selected ordinary logging when you ran Configure, /dtk/log will contain all the client-entered commands as well as an entry for their initial connection. Additionally, under /dtk/IP there will be a log file for each unique numeric IP of a client system that tries to access a service. The name of each of these log files is that of the numeric IP address in dotted-quad notation, for example:

    /dtk/log/192.168.43.184

The file /dtk/README explains the format and usage of the state description files under /dtk/default. It explains how to configure a state machine so that some IP addresses get the real service and the rest get the deception. Additionally, it explains how to also run another process, for example, blockip to then lock out the system using Adaptive TCP Wrappers. The latter is discussed in detail in "Adaptive Firewalls: Raising the Drawbridge with the Cracker Trap" on page 559.
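As an added illustration of the two ideas above, the numbered-state "machine" behind a faked service and the per-IP logging, here is a small fake POP3 responder. It is not DTK's own code (DTK is Perl; this is Python, and its state table is constructed for the example rather than taken from DTK's /dtk/default format). It reads the client on stdin and answers on stdout, which is how a tcpd "twist" hands a connection to a program, ends idle sessions after the 30-second timeout, and appends every client line to a log file named after the client's dotted-quad address; the log directory /tmp/dtk-demo-log and the constant names are assumptions.

```python
import os, re, signal, sys, time

# Constructed state table for a fake POP3 service (an illustration of the
# page's idea; DTK's own /dtk/default files use their own format). Entries
# are (regex on the client line, response, next state); next state -1 closes.
STATES = {
    0: [(r"^USER\s+\S+", "+OK please send PASS", 1), (r"^QUIT", "+OK bye", -1)],
    1: [(r"^PASS\s+\S+", "-ERR invalid password", 0), (r"^QUIT", "+OK bye", -1)],
}
GREETING, FALLBACK, TIMEOUT_SECONDS = "+OK POP3 server ready", "-ERR unknown command", 30

def step(state, line):  # one transition; unrecognized input keeps the state
    for pattern, response, nxt in STATES.get(state, []):
        if re.match(pattern, line, re.IGNORECASE):
            return response, nxt
    return FALLBACK, state

def run_session(client_lines, client_ip, logdir, send=lambda s: None):
    """Drive the machine from state 0, logging to one file per client IP."""
    os.makedirs(logdir, exist_ok=True)
    responses, state = [GREETING], 0
    send(GREETING)
    with open(os.path.join(logdir, client_ip), "a") as log:  # dotted-quad name
        log.write(f"{time.time():.0f} {client_ip} connect\n")
        for line in client_lines:
            line = line.rstrip("\r\n")
            log.write(f"{time.time():.0f} {client_ip} state={state} {line}\n")
            response, state = step(state, line)
            responses.append(response)
            send(response)
            if state == -1:
                break
    return responses

def read_log(client_ip, logdir):  # everything one client typed, for review
    with open(os.path.join(logdir, client_ip)) as f:
        return f.read().splitlines()

def main():  # under a tcpd "twist", stdin/stdout are the client socket
    client_ip = sys.argv[1] if len(sys.argv) > 1 else "unknown"
    signal.alarm(TIMEOUT_SECONDS)  # SIGALRM ends an idle session
    def send(s):
        sys.stdout.write(s + "\r\n")
        sys.stdout.flush()
    run_session(sys.stdin, client_ip, "/tmp/dtk-demo-log", send)

if __name__ == "__main__":
    main()
```

The hosts.allow form used on this page, `twist /path/to/script %a 110 ...`, passes the client address as the first argument, which is what main() reads.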

Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.