🔓 DejaVU - Open Source Deception Framework
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
ll0_0ll 05cb0f40f2
Updated syslog parameters
3 weeks ago
Console/Decoify Fixed bugs 3 weeks ago
Engine/Decoify Updated syslog parameters 3 weeks ago
images Delete test 3 months ago
Console_ESXI.pdf Installation Guide - VMware ESXi 3 months ago
Engine_ESXI.pdf Installation Guide - VMware ESXi 3 months ago
LICENSE Create LICENSE 3 weeks ago
README.md Update README.md 3 months ago
architecture.png images 3 months ago

README.md

Download

We started DejaVu in 2018 and initially presented our work at Blackhat, Defcon, and HITB. Over the last two years we have added various new decoys, breadcrumbs and changed our architecture based on the feedback from organisations using it. Latest DejaVu platform can be downloaded by using the below link:

Download Preconfigured DejaVu images from here: Camolabs.io (Default credentials : administrator:changepassword)

Quick Setup Guide

Virtual Box: Link

VMware ESXi : Console and Engine

DejaVU - Open Source Deception Framework

DejaVu is an open source deception framework which can be used to deploy decoys across the infrastructure. This could be used by the defender to deploy multiple interactive (Server and Client) decoys strategically across their network on different VLAN’s. To ease the management of decoys, we have built a web based platform which can be used to deploy, administer and configure all the decoys effectively from a centralized console. Logging and alerting dashboard displays detailed information about the alerts generated and can be further configured on how these alerts should be handled. If certain IP’s like in-house vulnerability scanner, SCCM etc. needs to be discarded, this can be configured which effectively would mean very few false positives.

Alerts only occur when an adversary is engaged with the decoy, so now when the attacker touches the decoy during reconnaissance or performs authentication attempts this raises a high accuracy alert which should be investigated by the defense. Decoys can also be placed on the client VLAN’s to detect client side attacks such as responder/LLMNR attacks using client side decoys. Additionally, common attacks which the adversary uses to compromise such as abusing Tomcat/SQL server for initial foothold can be deployed as decoys, luring the attacker and enabling detection.

One of the major advantages of DejaVu is - Using a single platform you can deploys decoys across different VLANS and manage, monitor them.

Use Cases

Below are few examples attack vectors using DejaVu platform you can detect:

  • (Attack) : Port Scan/Enumeration

    (Defense) : Fake Services spread out throughout the network

  • (Attack) : Password Spray/ Brute Force Attack

    (Defense) : Deploy multiple common services, attempts on two/more decoys potentially a password spray attempt

  • (Attack) : Attacker targeting low hanging fruits - Tomcat/MSSQL/Jenkins

    (Defense) : Deploy common platforms attackers look for initial foothold

  • (Attack) : Responsder/ LLMNR Poisoning

    (Defense) : NBNS client side decoys to detect MITM attacks

  • (Attack) : Bloodhound/Similar tools to identify attack path

    (Defense) : DNS Records Manipulation and fake servers

  • (Attack) : Lateral Movement - Pass the Hash

    (Defense) : Fake Sessions and Injecting Memory Credentials Tokens

  • (Attack) : Kerberoast attack

    (Defense) : Kerberoasting Service Accounts Honey Tokens

  • (Attack) : Data Ex-filtration

    (Defense) : Honeyfiles to detect ex-filtration occurrences

Architecture

Architecture

  • DejaVu Engine: This is used deploy decoys across your infrastrucure. So let's you have multiple offices, you would depoloy an engine in each.
  • DejaVu Console: A centralized console to view and manager all the alerts from your various engines. Think of this as your dashboard. Engines connect to Console.

Decoy Types

  • Server Decoys

    • MYSQL
    • SNMP
    • Custom HTTP Decoy - You can configure this with a custom HTML template
    • TELNET
    • SMB Server with custom files
    • FTP
    • TFTP
    • Web Server - Tomcat, Apache, Basic Auth
    • SSH Interactive and Non-Interactive
    • SMTP
    • RDP Interactive and Non-Interactive
    • VNC
    • HONEYCOMB (To capture events from Honey Docs)
    • ICS/SCADA Decoys - Modbus and S7COMM
  • Client Decoys

    • NBNS Decoy
    • MITM Decoy
    • SSDP Client
    • Email Client
  • BreadCrumbs

    • Honey Docs
    • HoneyHash - Injects creds into memory
    • Kerberoast Honey Account

Sneak Peek

Authors

Credits

  • Big shout to open source community for previous work on Honeypots