Discover Deception
DiscoverDeception probes a remote host to see whether it is running any decoy services. This action has a few other actions as prerequisites that must run first. This tutorial goes over them briefly; for more information on each, check its individual tutorial page.
Here we first find the known subnet, discover the hosts present on that subnet, choose two hosts and discover the services on each, and finally run DiscoverDeception on both hosts.
Red Agent Preamble
First, we check Red's initial observations to find the subnet Red starts the scenario knowing.
Code Output
{'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'interface_name': 'eth0',
'ip_address': IPv4Address('10.0.96.73')}],
'Processes': [{'PID': 5753,
'username': 'ubuntu'}],
'Sessions': [{'PID': 5753,
'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
'agent': 'red_agent_0',
'session_id': 0,
'timeout': 0,
'username': 'ubuntu'}],
'System info': {'Architecture': <Architecture.x64: 2>,
'Hostname': 'contractor_network_subnet_user_host_4',
'OSDistribution': <OperatingSystemDistribution.KALI: 9>,
'OSType': <OperatingSystemType.LINUX: 3>,
'OSVersion': <OperatingSystemVersion.K2019_4: 11>,
'position': array([0., 0.])},
'User Info': [{'Groups': [{'GID': 0}],
'username': 'root'},
{'Groups': [{'GID': 1}],
'username': 'user'}]},
'success': <TernaryEnum.UNKNOWN: 2>}
Here, the subnet is 10.0.96.0/24.
We then execute DiscoverRemoteSystems to discover the other hosts present on the subnet.
Code: red_discover_deception.py
Code Output
{'10.0.96.108': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.108')}]},
'10.0.96.119': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.119')}]},
'10.0.96.172': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.172')}]},
'10.0.96.177': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.177')}]},
'10.0.96.211': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.211')}]},
'10.0.96.252': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.252')}]},
'10.0.96.253': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.253')}]},
'10.0.96.254': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.254')}]},
'10.0.96.73': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.73')}]},
'action': DiscoverRemoteSystems 10.0.96.0/24,
'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.73')}],
'Sessions': [{'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
'agent': 'red_agent_0',
'session_id': 0,
'username': 'ubuntu'}],
'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
'success': <TernaryEnum.TRUE: 1>}
These are: 10.0.96.108, 10.0.96.119, 10.0.96.172, 10.0.96.177, 10.0.96.211, 10.0.96.252, 10.0.96.253, 10.0.96.254, and 10.0.96.73.
Running ServiceDiscovery on a host is necessary for DiscoverDeception to work, as Red needs to know which services the host is running in order to determine whether any of them are decoys.
Here we use AggressiveServiceDiscovery, as stealth is not important for this demonstration. We also investigate both hosts, 10.0.96.177 and 10.0.96.108, to demonstrate the different results DiscoverDeception can produce.
Code: red_discover_deception.py
Code: red_discover_deception.py
We are omitting the observation output here, as it is not necessary in this tutorial.
Discover Deception - Decoy Found
This first execution of DiscoverDeception is on host 10.0.96.177, which does have a decoy service. This action takes two ticks, so we must wait for it to complete.
Code: red_discover_deception.py
Code Output
{'action': DiscoverDeception contractor_network_subnet_user_host_0,
'contractor_network_subnet_user_host_0': {'Interface': [{'ip_address': IPv4Address('10.0.96.177')}],
'Processes': [{'PID': 9877,
'Properties': ['decoy'],
'service_name': <ProcessName.MYSQLD: 9>,
'username': 'user'}]},
'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.73')}],
'Sessions': [{'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
'agent': 'red_agent_0',
'session_id': 0,
'username': 'ubuntu'}],
'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
'success': <TernaryEnum.TRUE: 1>}
The observation result includes a key contractor_network_subnet_user_host_0, whose value contains information about the host we just investigated, 10.0.96.177. Under Processes within that entry is the decoy process:
'Processes': [{'PID': 9877,
'Properties': ['decoy'],
'service_name': <ProcessName.MYSQLD: 9>,
'username': 'user'}]
Now Red knows not to attempt to exploit this service.
Discover Deception - Decoy Not Found
This next execution of DiscoverDeception is on host 10.0.96.108, which does NOT have a decoy service.
Code: red_discover_deception.py
Code Output
{'action': DiscoverDeception contractor_network_subnet_user_host_5,
'contractor_network_subnet_user_host_4': {'Interface': [{'Subnet': IPv4Network('10.0.96.0/24'),
'ip_address': IPv4Address('10.0.96.73')}],
'Sessions': [{'Type': <SessionType.RED_ABSTRACT_SESSION: 10>,
'agent': 'red_agent_0',
'session_id': 0,
'username': 'ubuntu'}],
'System info': {'Hostname': 'contractor_network_subnet_user_host_4'}},
'success': <TernaryEnum.TRUE: 1>}
Unlike the first execution on 10.0.96.177, the observation result for 10.0.96.108 does not include an entry for this host. This is the result when no decoy services have been detected.
It should be noted that the action's success key in the observation result has the value TRUE for DiscoverDeception regardless of whether a decoy has been found, so the presence or absence of an entry for the probed host, not the success flag, is what indicates the outcome.
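The following is an added example, not code from the tutorial or from CybORG, showing how to interpret the two DiscoverDeception observations above: it locates the probed host's entry by interface IP (entries are keyed by hostname), collects processes carrying the decoy property, and treats a missing host entry as the "no decoy found" outcome while ignoring the always-TRUE success key. The sample observations are constructed to mirror the tutorial's output, with CybORG enum values written as plain strings.

```python
from ipaddress import IPv4Address, IPv4Network

def decoys_for_host(obs, target_ip):
    """Interpret a DiscoverDeception observation for target_ip.

    Returns None when the observation carries no entry for the host (the
    'no decoy found' outcome) and otherwise the list of processes tagged with
    the 'decoy' property. The 'success' key is ignored on purpose: it is TRUE
    whether or not a decoy was found, so it carries no signal here.
    """
    target = IPv4Address(target_ip)
    for key, value in obs.items():
        # 'action' and 'success' are not host entries; host entries are keyed
        # by hostname, so the target has to be matched on its interface IP.
        if key in ("action", "success") or not isinstance(value, dict):
            continue
        if any(iface.get("ip_address") == target
               for iface in value.get("Interface", [])):
            return [p for p in value.get("Processes", [])
                    if "decoy" in p.get("Properties", [])]
    return None

# Constructed samples mirroring the two tutorial observations; CybORG enum
# values are written as plain strings so this runs without CybORG installed.
RED_HOST = {
    "Interface": [{"Subnet": IPv4Network("10.0.96.0/24"),
                   "ip_address": IPv4Address("10.0.96.73")}],
    "Sessions": [{"Type": "RED_ABSTRACT_SESSION", "agent": "red_agent_0",
                  "session_id": 0, "username": "ubuntu"}],
    "System info": {"Hostname": "contractor_network_subnet_user_host_4"},
}
OBS_DECOY = {  # DiscoverDeception on 10.0.96.177: decoy mysqld reported
    "action": "DiscoverDeception contractor_network_subnet_user_host_0",
    "contractor_network_subnet_user_host_0": {
        "Interface": [{"ip_address": IPv4Address("10.0.96.177")}],
        "Processes": [{"PID": 9877, "Properties": ["decoy"],
                       "service_name": "MYSQLD", "username": "user"}],
    },
    "contractor_network_subnet_user_host_4": RED_HOST,
    "success": "TRUE",
}
OBS_NO_DECOY = {  # DiscoverDeception on 10.0.96.108: success TRUE, no entry
    "action": "DiscoverDeception contractor_network_subnet_user_host_5",
    "contractor_network_subnet_user_host_4": RED_HOST,
    "success": "TRUE",
}
```

Calling decoys_for_host(OBS_DECOY, "10.0.96.177") returns the single decoy mysqld process, while decoys_for_host(OBS_NO_DECOY, "10.0.96.108") returns None even though success is TRUE in both observations.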