Monday, March 7, 2016

Fingerprinting DCEPT

I recently read about the release of DCEPT and thought it was an interesting new implementation of an old concept: trapping the dumping of passwords. Strictly speaking, it doesn't trap someone dumping credentials; it alerts sysadmins when someone or something attempts to authenticate over Kerberos using the previously planted fake credentials.

There are several ways you can tell whether the creds are fake, but I decided to look on the network for another portion of the DCEPT install. When you set up and install the Docker image you'll find a Python HTTP server listening on port 80. When I made a request to this machine I got a set of fake creds. The format is the same every time a new one is generated:

$ curl 'http://192.168.50.192/?machine=asdf'
{'d':'ALLSAFE.LAN','u':'Administrator',p:'bKpNYszxy2'}

$ curl 'http://192.168.50.192/?machine=asdf'
{'d':'ALLSAFE.LAN','u':'Administrator',p:'l2qF5JvlXk'}

$ curl 'http://192.168.50.192/?machine=asdf'
{'d':'ALLSAFE.LAN','u':'Administrator',p:'Eb7uy6VWb8'}

$ curl 'http://192.168.50.192/?machine=asdf'
{'d':'ALLSAFE.LAN','u':'Administrator',p:'l0Qms52qbu'}

Which results in server log output of:

So all I did was write up a quick scanner that checks for the expected response.
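The fingerprint check, written out as an added example (this is not the scanner from the original post or any DCEPT code): it matches the response shape seen in the four curl calls above (a braced record with 'd', 'u' and an unquoted p key, the password being 10 alphanumeric characters) and then requests the endpoint twice, expecting the domain and user to stay fixed while the password rotates. The host, the `machine=` value and the 10-character password length are taken from the responses shown; treating them as stable properties of every DCEPT build is an assumption.

```python
import re
import sys
import urllib.parse
import urllib.request
from typing import List, Optional

# Shape derived from the responses observed above. The p key appeared
# unquoted in the observed output; the optional quotes around it tolerate a
# quoted variant. The 10-character alphanumeric password is an assumption
# generalised from four samples.
DCEPT_RESPONSE = re.compile(
    r"^\{'d':'(?P<domain>[^']+)','u':'(?P<user>[^']+)',"
    r"'?p'?:'(?P<password>[A-Za-z0-9]{10})'\}$"
)

# The four bodies returned by the curl calls above, embedded here so the
# check can be exercised offline.
SAMPLE_RESPONSES = [
    "{'d':'ALLSAFE.LAN','u':'Administrator',p:'bKpNYszxy2'}",
    "{'d':'ALLSAFE.LAN','u':'Administrator',p:'l2qF5JvlXk'}",
    "{'d':'ALLSAFE.LAN','u':'Administrator',p:'Eb7uy6VWb8'}",
    "{'d':'ALLSAFE.LAN','u':'Administrator',p:'l0Qms52qbu'}",
]


def looks_like_dcept(body: str) -> Optional[dict]:
    """Return the parsed domain/user/password if the body has the DCEPT shape, else None."""
    m = DCEPT_RESPONSE.match(body.strip())
    return m.groupdict() if m else None


def judge(bodies: List[str]) -> bool:
    """Decide from two or more response bodies whether the server behaves like DCEPT.

    Every body must parse, the (domain, user) pair must be identical across
    requests, and the password must be different on every request. A static
    page that merely resembles one response is rejected by the rotation check.
    """
    if len(bodies) < 2:
        return False
    parsed = [looks_like_dcept(b) for b in bodies]
    if not all(parsed):
        return False
    same_identity = len({(p["domain"], p["user"]) for p in parsed}) == 1
    fresh_password = len({p["password"] for p in parsed}) == len(parsed)
    return same_identity and fresh_password


def fingerprint(host: str, machine: str = "asdf", requests: int = 2, timeout: float = 5.0) -> bool:
    """Probe http://<host>/?machine=<machine> several times and judge the answers.

    The query string mirrors the curl calls above; the machine name is arbitrary.
    """
    url = "http://%s/?%s" % (host, urllib.parse.urlencode({"machine": machine}))
    bodies = []
    for _ in range(requests):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", "replace"))
    return judge(bodies)


if __name__ == "__main__":
    # Usage: python dcept_fp.py 192.168.50.192
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.50.192"
    try:
        verdict = fingerprint(target)
    except Exception as exc:  # connection refused, timeout, non-HTTP service, ...
        print("%s: probe failed (%s)" % (target, exc))
        sys.exit(2)
    print("%s: %s" % (target, "DCEPT credential server" if verdict else "no match"))
    sys.exit(0 if verdict else 1)
```

Two requests are the minimum needed to see the password rotate; raising `requests` makes a false positive from a static lookalike page even less likely, at the cost of leaving more entries in the server's log.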
