DejaVU – Open Source Deception Framework
- Host OS: The primary OS hosting the DejaVU virtual machine. The host can be Windows or Linux and can be hardened according to corporate guidelines.
- DejaVU VM (VirtualBox image): Debian-based image containing the open source deception framework, used to deploy multiple interactive decoys (HTTP servers, SQL, SMB, FTP, SSH, and a client-side NBNS decoy).
- Management Interface – Interface used to reach the web-based management console. (Recommended to be isolated from the internal network.)
- Decoy Interface – Trunk/access interface for inbound connections from the different networks towards the interactive decoys. (Recommended to block outbound connections from this interface, so that a decoy that gets compromised cannot be used as a pivot into the rest of the network.)
- Virtual Interfaces – Interfaces bridged with the decoy interface to channel traffic towards the decoys.
- Server Dockers – Docker-based service containers: HTTP (Tomcat/Apache), SQL, SMB, FTP, SSH
- Client Dockers – Docker-based client container: NBNS client
- Management Console (Web + DB) – A centralized console to deploy, administer and configure all the decoys, along with a logging and alerting dashboard that displays detailed information about the generated alerts.
- Configure the username/password for the admin panel:
- php config.php --username=<provide username> --password=<provide password> --email=<provide email>
- Default URL to access the admin panel – http://192.168.56.102
- The VirtualBox network adapter type should be "PCNet" (the full name is something like PCnet-FAST III)
- Set the SMTP configuration in "mailalert.php" to receive email alerts
Now when you go to the default URL, you are greeted by the logon prompt:
Add Server Decoy
- To add a decoy, we first need to add the VLAN on which we want to deploy decoys.
- Select Decoy Management -> Add VLAN
- Enter the VLAN ID. Use the "List Available VLANs" option to list the VLANs tagged on the decoy interface.
- To add a server decoy:
- Select Decoy Management -> Add Server Decoy
- Provide the details for the new decoy as shown below. Select the services (SMB/FTP/MySQL/Web Server/SSH) to be deployed, and either use a dynamic IP or provide a static IP address.
- Let's run some port scans and authentication attempts from an attacker machine on the server VLAN and analyze the alerts.
- View the alerts triggered when the attacker scanned our decoy and tried to authenticate.
- Select Log Management -> List Events
Add Client Decoy
- To add a client decoy:
- Select Decoy Management -> Add Client Decoy
- Provide the details for the new decoy as shown below. It is recommended to place the client decoy on user VLANs to detect Responder-style NBNS/LLMNR poisoning attacks.
- Let's run Responder from an attacker machine on the end-user VLAN and analyze the alerts.
- View the alerts triggered when Responder answered the decoy's NBNS queries.
- Select Log Management -> List Events
- Alerts can be filtered on various parameters, for example suppressing alerts from a given source IP (10.1.10.101). This is useful when certain hosts, such as an in-house vulnerability scanner or SCCM, need to be whitelisted.
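The client decoy above works because it asks for a NetBIOS name that is registered nowhere on the segment, so any positive answer can only come from a poisoner such as Responder. The following is an added example, not DejaVU's own client-decoy code, showing that check end to end: it builds an RFC 1002 NBNS name query for a canary name, parses the answer, and raises an alert naming the answering host. The canary name (FILESRV-DECOY), the transaction ID, the 10.1.10.55 address and the forged reply are all constructed for the offline run; `probe()` is the same check against a live segment.

```python
"""NBNS canary probe: the check an NBNS client decoy performs to catch Responder-style poisoning.
Added example, not DejaVU's client-decoy code. Names and addresses below are constructed."""
from __future__ import annotations
import os
import socket
import struct
from typing import Optional

NBNS_PORT = 137
TYPE_NB, CLASS_IN = 0x0020, 0x0001
FLAGS_QUERY = 0x0110        # standard name query, recursion desired, broadcast
FLAG_RESPONSE = 0x8000


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: 15-char space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"     # length byte (32), label, terminator


def decode_netbios_name(label: bytes) -> str:
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_query(name: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", TYPE_NB, CLASS_IN)


def _read_name(data: bytes, off: int) -> tuple[str, int]:
    if data[off] & 0xC0 == 0xC0:                      # compression pointer into an earlier name
        ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        return _read_name(data, ptr)[0], off + 2
    length = data[off]
    return decode_netbios_name(data[off + 1:off + 1 + length]), off + 1 + length + 1


def parse_response(data: bytes, txid: int) -> list[tuple[str, str]]:
    """Return (name, ip) pairs from the NB answers of a response matching our transaction ID."""
    if len(data) < 12:
        return []
    rtxid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rtxid != txid or not flags & FLAG_RESPONSE:
        return []
    off = 12
    for _ in range(qd):                 # skip any echoed question entries
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_NB and rclass == CLASS_IN:
            for i in range(0, rdlen - 5, 6):          # NB_FLAGS (2 bytes) + IPv4 (4 bytes) per entry
                answers.append((name, socket.inet_ntoa(rdata[i + 2:i + 6])))
    return answers


def classify(canary: str, data: bytes, txid: int, src_ip: str) -> Optional[dict]:
    """The canary is registered nowhere, so any positive answer for it means someone is poisoning."""
    want = canary.upper()[:15].rstrip()
    hits = [ip for name, ip in parse_response(data, txid) if name == want]
    if not hits:
        return None
    return {"alert": "NBNS spoofing", "attacker": src_ip, "name": want, "claimed_ips": sorted(set(hits))}


def forge_response(query: bytes, answer_ip: str) -> bytes:
    """Constructed poisoner reply (same layout as Responder's NBT answer) for offline testing."""
    txid = struct.unpack("!H", query[:2])[0]
    name = query[12:12 + 34]                               # echo the queried name
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(answer_ip)
    return (struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0) + name
            + struct.pack("!HHIH", TYPE_NB, CLASS_IN, 165, len(rdata)) + rdata)


def probe(canary: str, broadcast: str = "255.255.255.255", timeout: float = 2.0) -> Optional[dict]:
    """Live check: broadcast a query for the canary and classify whatever answers (needs a network)."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(canary, txid), (broadcast, NBNS_PORT))
        data, (src, _) = s.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        s.close()
    return classify(canary, data, txid, src)


if __name__ == "__main__":
    q = build_query("FILESRV-DECOY", 0x1234)                 # constructed canary name and txid
    print(classify("FILESRV-DECOY", forge_response(q, "10.1.10.55"), 0x1234, "10.1.10.55"))
```

The transaction ID check matters: a stale or replayed answer with a different ID is ignored rather than reported, and the source address of the UDP datagram, not the IP inside the answer, is what identifies the attacker's host.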
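Whitelisting a scanner's IP outright hides the one thing a scanner should never do, which is authenticate to a decoy. The following is an added example, not DejaVU's alert code, of a suppression rule set that scopes the whitelist to a source (IP or CIDR) and to the event types that host is expected to generate, and that logs suppressed events instead of dropping them. The JSON-lines event format, the 10.1.10.101 scanner, the 10.1.5.0/24 SCCM range and the sample events are all constructed.

```python
"""Scoped alert suppression for known-noisy sources.
Added example, not DejaVU's alert code; the event format and addresses are constructed."""
from __future__ import annotations
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SuppressRule:
    source: str                                   # single IP or CIDR
    event_types: Optional[frozenset] = None       # None = suppress every event type from this source
    reason: str = ""

    def matches(self, src_ip: str, event_type: str) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source, strict=False):
            return False
        return self.event_types is None or event_type in self.event_types


# Whitelist hosts that are expected to touch the decoys, but only for the behaviour they are
# expected to show: a vulnerability scanner scans, it never has a reason to log in to a decoy.
RULES = [
    SuppressRule("10.1.10.101", frozenset({"port_scan"}), "in-house vulnerability scanner"),
    SuppressRule("10.1.5.0/24", frozenset({"port_scan", "smb_connect"}), "SCCM distribution points"),
]

# Constructed events in the shape of a JSON-lines export (not DejaVU's real schema)
SAMPLE_EVENTS = """
{"id": 1, "src_ip": "10.1.10.101", "type": "port_scan", "decoy": "10.1.20.50", "service": "ssh"}
{"id": 2, "src_ip": "10.1.10.101", "type": "auth_attempt", "decoy": "10.1.20.50", "service": "smb", "user": "administrator"}
{"id": 3, "src_ip": "10.1.5.7", "type": "smb_connect", "decoy": "10.1.20.50", "service": "smb"}
{"id": 4, "src_ip": "10.1.30.23", "type": "auth_attempt", "decoy": "10.1.20.50", "service": "ssh", "user": "root"}
"""


def parse_events(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def suppression_reason(event: dict, rules) -> Optional[str]:
    """First matching rule wins; None means the event must be notified on."""
    for rule in rules:
        if rule.matches(event["src_ip"], event["type"]):
            return rule.reason
    return None


def triage(events, rules) -> tuple[list[dict], list[dict]]:
    """Split events into notify vs. log-only. Suppressed events keep their record and the reason."""
    notify, log_only = [], []
    for ev in events:
        why = suppression_reason(ev, rules)
        if why is None:
            notify.append(ev)
        else:
            log_only.append({**ev, "suppressed_by": why})
    return notify, log_only


if __name__ == "__main__":
    notify, log_only = triage(parse_events(SAMPLE_EVENTS), RULES)
    for ev in notify:
        print("ALERT", ev["id"], ev["src_ip"], ev["type"], ev.get("user", ""))
    for ev in log_only:
        print("log-only", ev["id"], ev["src_ip"], ev["type"], "(" + ev["suppressed_by"] + ")")
```

With these rules the scanner's port scan (event 1) and the SCCM host's SMB connection (event 3) are logged quietly, while the scanner's SMB login attempt (event 2) still pages someone, since a whitelisted address behaving out of character is exactly the case a decoy exists to catch.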
To Do
- Code cleanup and sanitization
- Persistence on reboot
- Add client-side decoys generating HTTP and FTP traffic
- ISO image
Bhadresh Patel (@bhdresh)
Harish Ramadoss (@hramados)