Deception Toolkit

[nn].response format

The [nn].response file describes to listen.pl and Generic.pl (and some day - maybe - deception.pl) how to respond to inputs. The following example fakes out a trivial sendmail responder. It works almost as well as a real sendmail responder with none of the nasty side effects of getting spammed or anything like that.

file formats: tab separated fields as follows:

    State    Input    NexStat    Exit    lf/file    output/filename

    State: name of state (I use 0, 1, etc. but strings are allowed. Always start at 0)
    Input: all lower case EXCEPT for START, ERROR, NIL, NOTICE, and ! which are special cases
    Next State: name of the state to go to after doing this output
    Exit: 0 for exit - 1 for remain operating
    lf/file: 0 for no [crlf], 1 for [crlf], 2 for output from the file specified
    output/filename: the output

Exceptions:

    State    NOTICE    program-name    arguments
        runs program-name with arguments to notify administrators of events
        unlike everything else, this is done upon entry into state - before input

    State    !    NexStat    Exit    lf/file    match-for    action
        if match-for appears anywhere in the input line, do the rest

    State    /reg-exp/    NexStat    Exit    lf/file    action
        if the reg-exp regular expression matches anything in this input, trigger

A mild example comes from a fake port 25 program:

# State	Input	NexStat	Exit	lf/file	output/filename
# comment lines start with the pound sign (#)
# we are faking sendmail version 8.1.2/8.1.3
0	START	0	1	1	220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0	ERROR	0	1	1	500 Command unrecognized - please say "Helo"
0	help	0	1	1	214-No help available
# if they say helo, we acknowledge and go to state 1
0	helo	1	1	1	250 all.net, pleased to meet you
0	quit	0	0	1	221 all.net closing connection
# if you don't get anything - just ignore it and wait
0	nil	0	1	0
# we got a Helo request
# it contained something with /etc/passwd in it - let's simulate a big hole
1	!	4	1	2	/etc/passwd	@fake.passwd
# this regular expression matched something in the input line - let's simulate a big hole
1	/cat\spasswd/	4	1	2	@fake.passwd
1	mail	2	1	1	250 proceed
1	rcpt	1	1	1	500 Must say "HELO" first
1	help	1	1	1	214-No help available
1	quit	1	0	1	221 all.net closing connection
1	nil	1	1	0
1	ERROR	1	0	1	500 Server Configuration Error - all.net closing connection
# even a rcpt - this guy's good!!!
2	rcpt	3	1	1	250 proceed end with a '.'
2	help	2	1	1	214-No help available.
2	quit	2	0	1	221 all.net closing connection
2	nil	2	1	0
2	ERROR	2	0	1	500 Server Configuration Error - all.net closing connection
# getting mail - what do I do?!?!?
3	nil	1	1	1	500 Mailbox full - please start again
3	ERROR	3	0	0	500 Server Configuration Error - all.net closing connection
# I sent them a password file - better notify the authorities
4	NOTICE	notify.pl	Email fc@all.net Just sent a password file to an attacker - sendmail exploit
4	NIL	0	1	1	214-Unknown configuration error
4	ERROR	0	0	0	500 Server Configuration Error - all.net closing connection
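The table format above can be read as a small state machine. The following Python interpreter is an added example, not DTK's own Perl code and not part of the original page. It assumes that rules are tried in file order, that the command keyword is the lowercased first word of the input, that a leading @ marks the file name, and that NOTICE programs are handed back to the caller instead of being run; parse, step, RESERVED and the files mapping are names made up for this example.

```python
import re

RESERVED = {"start", "error", "nil", "notice"}   # special inputs a client must not be able to type
# Constructed sample: a few rules from the page's sendmail table, tab-separated.
SAMPLE = "\n".join([
    "0\tSTART\t0\t1\t1\t220 all.net ESMTP Sendmail 8.1.2/8.1.3;",
    '0\tERROR\t0\t1\t1\t500 Command unrecognized - please say "Helo"',
    "0\thelo\t1\t1\t1\t250 all.net, pleased to meet you",
    "1\t!\t4\t1\t2\t/etc/passwd\t@fake.passwd",
    "4\tNOTICE\tnotify.pl\tEmail fc@all.net Just sent a password file to an attacker - sendmail exploit",
])

def parse(text):
    """Return (rules, notices): per-state rule lists in file order, and per-state NOTICE commands."""
    rules, notices = {}, {}
    for line in text.splitlines():
        f = line.split("\t")
        if line.startswith("#") or len(f) < 3:
            continue
        if f[1] == "NOTICE":                      # State NOTICE program-name arguments
            notices.setdefault(f[0], []).append(f[2:])
            continue
        kind, pat, rest = "word", f[1].lower(), f[5:]
        if f[1] == "!":                           # State ! NexStat Exit lf/file match-for action
            kind, pat, rest = "substr", f[5], f[6:]
        elif len(f[1]) > 1 and f[1][0] == f[1][-1] == "/":
            kind, pat = "regex", re.compile(f[1][1:-1])
        rules.setdefault(f[0], []).append((kind, pat, f[2], f[3] != "0", int(f[4]), "".join(rest[:1])))
    return rules, notices

def step(rules, notices, state, line=None, files=None):
    """One transition; line=None is connection start. Returns (next_state, keep_open, reply, notices)."""
    text = (line or "").strip()
    first = "start" if line is None else (text.lower().split() or ["nil"])[0]
    if text and first in RESERVED:
        first = "error"    # a client typing "start" or "nil" is just an unknown command
    def hit(r):
        return (r[0] == "word" and r[1] == first) or (line is not None and (
            (r[0] == "substr" and r[1] in text) or (r[0] == "regex" and bool(r[1].search(text)))))
    cand = rules.get(state, [])
    chosen = next((r for r in cand if hit(r)), None) or next(
        (r for r in cand if r[:2] == ("word", "error")), None)
    if chosen is None:
        return state, False, "", []    # no match and no ERROR rule: close the connection
    _, _, nxt, keep, mode, out = chosen
    if mode == 2:    # lf/file 2: reply is the content of the named decoy file
        out = (files or {}).get(out.lstrip("@"), "")
    return nxt, keep, out + ("\r\n" if mode == 1 else ""), notices.get(nxt, [])
```

The decoy file content is passed in through the files mapping, so a rule can never make the responder read an arbitrary path from disk.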