From: thomas r stromberg (tstrombergrtci.com)
Date: Mon Mar 19 2001 - 15:32:40 CST

    On 19-Mar-2001, shawn . moyer popped this into my mailspool:
    > James Hoagland wrote:
    >
    > > If you like that idea, you might want to check out the Deception
    > > Toolkit, originally developed a few years ago:
    > >
    > > http://www.all.net/dtk/
    > >
    > > Haven't played with it myself, but I heard Fred Cohen talk about it
    > > last week at UC Davis.
    >
    > DTK is still cool, but it hasn't been very actively maintained for
    > a while. I do some similar stuff with netcat and fake banners (i.e. nc -l
    > < banner.txt) to create dummy services and other fun stuff. So far,
    > though, redirecting stuff to chargen has been the most fun, just to
    > watch someone hit that port and be completely baffled.

       I have even more fun now.. I set up virtual IPs on my snort box that
       appear to have a 'loaded' inetd setup, to which any packet gets
       logged into snort. Each service is actually an inetd entry pointing
       to a tiny C program I wrote this weekend:

       http://home.chaotical.ly/anglerfish2.c

       That basically sends some format attacks, flash2.c (you remember
       that IRC attack), and a bunch of beeps.. just to annoy the attacker.
       To be nice, it will only run for 10 minutes, and sets its 'nice'
       priority to 20. It will just pump out data from inetd, and like
       chargen: a lot of it. If you're wondering about the line after the
       flash/beeps, it's the keyboard layout in dvorak :)

       For humor, try LeechFTP or PuTTY against it.

       For extra humor, I also set this on our entire network:

       rdr fxp0 0.0.0.0/0 port 111 -> <angelfish ip> port 111 tcp/udp
       rdr fxp0 0.0.0.0/0 port 135 -> <angelfish ip> port 135 tcp/udp
       rdr fxp0 0.0.0.0/0 port 139 -> <angelfish ip> port 139 tcp/udp

       (disclaimer: I'm not a C programmer. Only tested in FreeBSD)

    -- 
    thomas r. stromberg                       work: tstrombergrtci.com
    research triangle commerce (icc.net)      home: thomasstromberg.org
              "I believe because it is absurd" -- Tertullian.
       
    

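Added example, not part of the original post and not the author's anglerfish2.c: a minimal inetd-launched TCP decoy of the kind described in the message above, which logs the connecting peer, drops to the lowest scheduling priority, and streams RFC 864 chargen-style lines until a 10-minute alarm ends the process. The 64 MiB byte cap, the syslog tag `decoy`, and all function names are assumptions of this example.

```c
/* Added example: inetd "stream tcp nowait" decoy; inetd passes the socket as fd 0/1. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

#define LINE_LEN 74                 /* 72 printable characters + CRLF (RFC 864) */

/* Fill buf with the chargen line for rotation `row`; returns LINE_LEN. */
size_t chargen_line(char *buf, unsigned row) {
    for (unsigned i = 0; i < 72; i++)
        buf[i] = (char)(' ' + (row + i) % 95);    /* printable ASCII 0x20..0x7e */
    buf[72] = '\r'; buf[73] = '\n';
    return LINE_LEN;
}

/* Record who touched the decoy. Returns -1 if fd is not an IPv4 socket. */
int log_peer(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa; char ip[INET_ADDRSTRLEN];
    if (getpeername(fd, (struct sockaddr *)&sa, &len) != 0 || sa.sin_family != AF_INET)
        return -1;
    inet_ntop(AF_INET, &sa.sin_addr, ip, sizeof ip);
    syslog(LOG_WARNING, "decoy hit from %s:%u", ip, (unsigned)ntohs(sa.sin_port));
    return 0;
}

/* Stream lines to fd until max_bytes are sent or the peer goes away. */
size_t run_decoy(int fd, unsigned max_secs, size_t max_bytes) {
    char line[LINE_LEN]; size_t sent = 0; unsigned row = 0;
    signal(SIGPIPE, SIG_IGN);           /* closed peer makes write() fail instead */
    setpriority(PRIO_PROCESS, 0, 20);   /* lowest priority, as the post describes */
    alarm(max_secs);                    /* default SIGALRM action ends the process */
    while (sent + LINE_LEN <= max_bytes) {
        chargen_line(line, row++);
        if (write(fd, line, LINE_LEN) != LINE_LEN) break;
        sent += LINE_LEN;
    }
    alarm(0);                           /* finished early: cancel the hard stop */
    return sent;
}

int main(void) {
    openlog("decoy", LOG_PID, LOG_DAEMON);        /* tag is an assumption */
    log_peer(0);
    run_decoy(1, 600, (size_t)64 << 20);          /* 10 minutes or 64 MiB (assumed cap) */
    return 0;
}
```

Because the alarm keeps its default action, the time limit holds even when a slow peer leaves `write()` blocked.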