Great Circle Associates Firewalls
(January 1995)
 


Subject: Re: dummy server
From: long-morrow @ CS . YALE . EDU (H Morrow Long)
Date: Wed, 18 Jan 1995 10:41:10 -0500
To: firewalls @ greatcircle . com, marc @ tky . icdc . fr

>Date: 18 Jan 95 13:51:12 GMT
>From: Marc Samama <marc @ tky . icdc . fr>
>Message-Id: <9501180451 . AA08669 @ tky>
>To: firewalls @ greatcircle . com
>Subject: dummy server
>
>With this current discussion on firewall logs going on, I was wondering if
>some people were willing to release examples of dummy servers, or packet
>suckers they'd be using on their firewall (anonymous posting is welcome
>for those who are paranoid about revealing their sources. :)

Here is a "tar baby" telnet session emulator that I've used when we've
suspected or seen from logs that someone has been trying to telnet into
a particular machine.  It is useful for picking up accounts and passwords
that the intruder knows or thinks they know.

It doesn't actually replace in.telnetd, though it uses a modified one.
Instead it replaces the /bin/login program which would normally be invoked.

It appears just like a normal telnet server session, with a banner, prompting
for usernames and passwords (only it never lets you in, and always gives the
'Login incorrect' message).

This is fairly SunOS specific (note that it disables normal telnet sessions!) :

1.	Copy /usr/etc/in.telnetd to another location (i.e. 
	/local/etc/in.telnetd is fine).

	Use Emacs to find the occurrences of the string "/bin/login"
	and replace them with the string "/local/foo" (you need to
	use Emacs overwrite mode; you'll notice that the two strings
	are of the same length).

2.	Edit /etc/inetd.conf and change the entry for telnet to 
	point to the new executable ( ie. /local/etc/in.telnetd ).

	Send the pid for inetd a hangup signal ( kill -HUP InetdPID).

3.	Put the following C shell script in as the file /local/foo 
	(make sure to make it executable) :


#!/bin/csh -f
#
#	Dummy replacement for /bin/login called by telnetd.
#
#	N.B. C shell scripts are considered harmful.
#
#	H. Morrow Long ( Morrow . Long @ Yale . EDU )
#

# If the caller interrupts (e.g. ^C), jump to the "death" label below.
onintr death

# Session tag: controlling tty, this script's pid and the local hostname.
set session="`tty`.$$@`/bin/hostname`"

# Record when the session started and the arguments telnetd passed to
# "login" (-h <remote host> -p); >>& appends both stdout and stderr.
echo "$session" " : DATE : " `/bin/date` >>& /local/log
echo "$session" " : ARGS : " $* >>& /local/log

# Finger the remote host ($argv[2] is the host name that followed -h) in
# the background; whatever comes back goes to a separate log.
( finger @$argv[2] >>&  /local/log.finger & ) >& /dev/null

# Allow five attempts, as the real login program does.
foreach attempt ( 1 2 3 4 5 )
   username:
        echo -n 'login: '
        set loginname=$<
        # An empty login name just re-prompts, as real login does.
        if ( "$loginname" == "" ) then
                goto username
        endif
        echo -n Password:
        # Turn off echo while the password is typed, then restore it.
        stty -echo
        set password=$<
        stty echo
        echo ' '
        echo 'Login incorrect'
        echo "$session" " : ATTEMPT #" $attempt " USER = " $loginname " PASS = " $password >>& /local/log
end

death:
	# Stall for a minute before dropping the connection, then exit non-zero.
	sleep 60
	exit 1


4.	Test by telnetting to the host with the modified telnet daemon :

bigbadwolf% telnet tarbaby
Trying 10.0.0.1 ...
Connected to tarbaby.
Escape character is '^]'.
 
 
SunOS UNIX (tarbaby)
 
login: blah
Password: 
Login incorrect
login: remus
Password: 
Login incorrect
login: yuck
Password: 
Login incorrect
login: me
Password: 
Login incorrect
login: root
Password: 
Login incorrect

5.	You should be collecting account names and passwords
	in the file /local/log (it should probably be made readable
	only by root) :

/dev/ttyp3.17146@tarbaby  : DATE :  Wed Jan 18 10:20:41 EST 1995
/dev/ttyp3.17146@tarbaby  : ARGS :  -h bigbadwolf -p
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 1  USER =  blah  PASS =  halB
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 2  USER =  remus  PASS =  uncle
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 3  USER =  yuck  PASS = kcuY
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 4  USER =  me  PASS = iMiM
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 5  USER =  root  PASS = TooR


If your machine is able to finger the intruder's machine you may also
find useful information in /local/log.finger (then again you may not).

-----------------------------------

- Morrow
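Added example, not part of Morrow's post: a small Python reader for the
/local/log records that the /local/foo script writes (the "session : DATE :",
"session : ARGS :" and "session : ATTEMPT #" lines). It groups records by
session tag, pulls the remote host out of the -h argument telnetd passes to
login, and builds a per-session report that deliberately omits the captured
passwords, so the report can be shared while the raw log stays readable only
by root. The sample log is constructed here from the values in the post plus a
second, invented session (tty ttyp4, remote host 10.0.0.9); the "trivial guess"
heuristic (password equal to the login name or its reverse) is an addition of
this example, not something the script records.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format /local/foo writes. The first session mirrors
# the post; the second session (ttyp4 / 10.0.0.9) is invented for the example.
SAMPLE_LOG = """\
/dev/ttyp3.17146@tarbaby  : DATE :  Wed Jan 18 10:20:41 EST 1995
/dev/ttyp3.17146@tarbaby  : ARGS :  -h bigbadwolf -p
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 1  USER =  blah  PASS =  halB
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 2  USER =  remus  PASS =  uncle
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 3  USER =  yuck  PASS = kcuY
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 4  USER =  me  PASS = iMiM
/dev/ttyp3.17146@tarbaby  : ATTEMPT # 5  USER =  root  PASS = TooR
/dev/ttyp4.17201@tarbaby  : DATE :  Wed Jan 18 11:02:07 EST 1995
/dev/ttyp4.17201@tarbaby  : ARGS :  -h 10.0.0.9 -p
/dev/ttyp4.17201@tarbaby  : ATTEMPT # 1  USER =  guest  PASS =  guest
"""

# "<tty>.<pid>@<host>  : <body>" -- the session tag never contains whitespace.
SESSION_RE = re.compile(r"^(?P<session>\S+)\s+:\s+(?P<body>.*)$")
DATE_RE = re.compile(r"^DATE\s*:\s*(?P<date>.+?)\s*$")
ARGS_RE = re.compile(r"^ARGS\s*:\s*(?P<args>.*?)\s*$")
ATTEMPT_RE = re.compile(
    r"^ATTEMPT\s*#\s*(?P<n>\d+)\s*USER\s*=\s*(?P<user>\S*)\s*PASS\s*=\s*(?P<password>.*?)\s*$"
)

# Accounts an operator would want flagged when probed (list chosen for the example).
PRIVILEGED = {"root", "sys", "bin", "daemon", "adm"}


@dataclass
class Session:
    session_id: str
    tty: str
    pid: int
    host: str                      # tar-baby host, from `hostname` in the script
    date: Optional[str] = None
    remote_host: Optional[str] = None
    attempts: List[Tuple[int, str, str]] = field(default_factory=list)


def remote_host_from_args(args: str) -> Optional[str]:
    """telnetd invokes login as '-h <remote host> -p'; return the -h value."""
    tokens = args.split()
    for i, tok in enumerate(tokens):
        if tok == "-h" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_log(text: str) -> "OrderedDict[str, Session]":
    """Group DATE / ARGS / ATTEMPT records by session tag, in first-seen order."""
    sessions: "OrderedDict[str, Session]" = OrderedDict()
    for raw in text.splitlines():
        m = SESSION_RE.match(raw.strip())
        if not m:
            continue                       # not in the script's format; ignore
        sid, body = m.group("session"), m.group("body")
        sess = sessions.get(sid)
        if sess is None:
            try:
                tty_pid, host = sid.rsplit("@", 1)
                tty, pid = tty_pid.rsplit(".", 1)
                sess = sessions[sid] = Session(sid, tty, int(pid), host)
            except ValueError:
                continue                   # malformed session tag
        if (d := DATE_RE.match(body)):
            sess.date = d.group("date")
        elif (a := ARGS_RE.match(body)):
            sess.remote_host = remote_host_from_args(a.group("args"))
        elif (t := ATTEMPT_RE.match(body)):
            sess.attempts.append((int(t.group("n")), t.group("user"), t.group("password")))
    return sessions


def is_trivial_guess(user: str, password: str) -> bool:
    """Heuristic added here: password is the login name or its reverse, ignoring case."""
    u, p = user.lower(), password.lower()
    return p in (u, u[::-1])


def summarize(sessions: Dict[str, Session]) -> List[dict]:
    """One record per session; captured passwords are never copied into the report."""
    report = []
    for sess in sessions.values():
        users = [u for _, u, _ in sess.attempts]
        report.append({
            "session": sess.session_id,
            "remote_host": sess.remote_host,
            "date": sess.date,
            "attempts": len(sess.attempts),
            "users": users,
            "privileged_targeted": sorted(set(users) & PRIVILEGED),
            "trivial_guesses": sum(1 for _, u, p in sess.attempts if is_trivial_guess(u, p)),
        })
    return report


def format_report(report: List[dict]) -> List[str]:
    """Render one human-readable line per session."""
    return [
        f"{r['date'] or '?'}  from {r['remote_host'] or '?'}: {r['attempts']} attempt(s), "
        f"users {','.join(r['users'])}; privileged {r['privileged_targeted'] or 'none'}; "
        f"{r['trivial_guesses']} trivial guess(es)"
        for r in report
    ]


if __name__ == "__main__":
    print("\n".join(format_report(summarize(parse_log(SAMPLE_LOG)))))
```

Run it against a real /local/log by reading the file into parse_log instead of
SAMPLE_LOG; because the regexes anchor on the session tag, stray finger output
or other lines that do not match the script's three record types are skipped.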
 
