Intrusion Detection Systems mailing list archives

RE: cybercop sting


From: Michael_Staggs () nai com (Staggs, Michael)
Date: Fri, 8 Oct 1999 10:40:14 -0700



CyberCop Sting emulates the existence of Cisco routers running IOS 11.2, NT
IIS FTP services and Solaris 2.6 machines. It does so by residing on an NT
box and starting daemons that listen on TCP/IP address/port pairs.

For example, our NT Sting Box has a real address of 10.0.0.1 and is single-
homed. On its sole NIC, this box has a bound address of 10.0.1.1 that routes
packets destined to 10.10.10.0, our "virtual network". Your real gateway has
this info in its routing table. Virtual network 10.10.10.0 has (say) 5
Solaris boxes and 2 NT IIS virtual hosts. Each of these virtual hosts has a
very real IP address and TCP port that responds to requests via the daemons
started on original IP address 10.0.0.1, our REAL and ONLY real NIC. These
virtual hosts may have addresses 10.10.10.1-7.

Attacker pings 10.10.10.1. It's alive. Portscan comes next. Ports 7, 9, 13,
19, 79, 2000, 4000 and 6000 are all active on 10.10.10.1. One even receives
a telnet prompt on 2000, 4000 and 6000. Sounds a whole lot like a CISCO box.
A few banners don't hurt either. Someone got cute and named the box with
hostname "CISCO_PRIVATE". Let's grab some user name and info from the finger
daemon... maybe start grinding passwords on telnet.

Hmmm, PRIVATE? Let's scan some more on this subnet. Hosts 10.10.10.2-5
respond on 21, 23, 25, 61, 62 and 79. Finger again anyone? OOOH! What's
this? A pwd file? Let's grab it and start cracking!

10.10.10.6-7 are a little less interesting. Looks like an NT box with IIS on
it. Only port 21 is active. Let's try grinding some passwords from our
finger recon usernames on it.

All of the above activity is real time alarmed and logged. Good for you and
your local computer crime officer, bad for the *&%!^% trying to crack your
network.

CyberCop Sting DOES NOT emulate a hub or switch. It also DOES NOT actually
emulate a vulnerability beyond the pwd deal. It is only at rev 2 and still
needs some work to become a fully mature product. The developers at NAI are
hot on the trail of these improvements. If you must have a real
vulnerability, build a sacrificial lamb box and give it no rights, just
disinformation files. Imagine the fun of giving your corporate competition
some really wacky financial data, say a plan to do a hostile takeover of
company XYZ. XYZ just happens to be the intruder. Use your imagination.

The really good part is that the Sting comes with the CyberCop Scanner and
Monitor. Scanner simply rocks as both a tool and a tutorial and the Monitor
for IDS is pretty cool too.

Want an eval copy? 

-----Original Message-----
From: Isman [mailto:kukulkan () netsecure fsksm utm my]
Sent: Thursday, October 07, 1999 5:37 AM
To: ids () uow edu au
Subject: IDS: cybercop sting

hi,
   I am just a curious student about cybercop sting. I've read that
cybercop sting could emulate the existence of router/switch/hubs and etc
in the network. but can it also emulate the bugs/vulnerabilities like
dtk? if it does, how does it emulate those router/switch/hubs? Can any IP
aliasing and virtual services stuff be applied here? maybe the
creator of sentinel-1 (old name for cybercop sting) can give an
explanation.

regards,
Isman
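
The address/port-pair daemon scheme Michael describes above (virtual hosts that are really listeners on one box, with every connection alarmed and logged) can be modelled in a few dozen lines. The block below is an added illustration for this archive page, not CyberCop Sting's code or NAI's: it starts one decoy listener per entry of a constructed DECOYS table, hands out a constructed banner, captures the first bytes the client sends, records an alert with a timestamp, and flags a source that touches several decoy ports as a port scan. It uses 127.0.0.1 and the unprivileged ports 2000/4000/6000 from the post so it runs anywhere; binding real virtual-host addresses or ports 21 and 79 would need the addresses aliased onto the NIC and root privileges. The `probe` function stands in for the scanning client so the demonstration is self-contained.

```python
import contextlib
import datetime
import socket
import threading

# Constructed decoy table (not CyberCop Sting's configuration): one virtual
# service per (address, port, service name, banner) tuple.  In a deployment
# the address would be a virtual host's IP aliased onto the sensor's NIC.
DECOYS = [
    ("127.0.0.1", 2000, "telnet", b"\r\nPassword: "),
    ("127.0.0.1", 4000, "finger", b""),
    ("127.0.0.1", 6000, "ftp", b"220 ftp ready\r\n"),
]


class Decoy:
    """One emulated service: a listener that sends a fixed banner, captures the
    client's first bytes and reports every connection to the Honeynet."""

    def __init__(self, address, port, service, banner, net):
        self.address, self.service, self.banner, self.net = address, service, banner, net
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((address, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]  # port 0 -> kernel-chosen port
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:  # listener closed by stop()
                return
            threading.Thread(target=self._serve, args=(conn, peer), daemon=True).start()

    def _serve(self, conn, peer):
        conn.settimeout(5)
        captured = b""
        try:
            if self.banner:
                conn.sendall(self.banner)
            captured = conn.recv(256)  # e.g. a username or password guess
        except OSError:
            pass
        finally:
            conn.close()
        self.net.record({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "src": peer[0], "src_port": peer[1], "decoy": self.address,
            "port": self.port, "service": self.service, "data": captured,
        })

    def stop(self):
        with contextlib.suppress(OSError):
            self.sock.shutdown(socket.SHUT_RDWR)
        self.sock.close()


class Honeynet:
    """Starts every decoy and collects their alerts in one thread-safe list."""

    def __init__(self, decoys):
        self.alerts = []
        self._cond = threading.Condition()
        self.decoys = [Decoy(*d, self) for d in decoys]

    def record(self, alert):
        with self._cond:
            self.alerts.append(alert)
            self._cond.notify_all()

    def wait_for_alerts(self, count, timeout=5.0):
        with self._cond:
            self._cond.wait_for(lambda: len(self.alerts) >= count, timeout)
            return list(self.alerts)

    def stop(self):
        for d in self.decoys:
            d.stop()


def flag_scans(alerts, threshold=3):
    """Constructed heuristic: a source that touched at least `threshold` distinct
    decoy ports is reported as a port scan, as {source: sorted ports}."""
    touched = {}
    for a in alerts:
        touched.setdefault(a["src"], set()).add(a["port"])
    return {src: sorted(p) for src, p in touched.items() if len(p) >= threshold}


def probe(address, port, payload, timeout=3.0):
    """Stand-in for the scanning client: connect, send one line and return
    everything the decoy sent back before it closed the connection."""
    chunks = []
    with socket.create_connection((address, port), timeout=timeout) as s:
        s.sendall(payload)
        while True:
            try:
                chunk = s.recv(256)
            except OSError:  # read timeout
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    net = Honeynet(DECOYS)
    for address, port, _service, _banner in DECOYS:
        probe(address, port, b"admin\r\n")
    for alert in net.wait_for_alerts(len(DECOYS)):
        print(alert)
    print("scans:", flag_scans(net.alerts))
    net.stop()
```

Running it standalone probes all three decoys from the same source, so the final line reports 127.0.0.1 as a scanner with the three ports. Each alert keeps the captured bytes, which is where the "finger recon usernames" and password guesses from the scenario would show up for the local computer crime officer.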


