The Channel logo


By | Darren Pauli 7th March 2016 08:30

Dell offers sweet, sweet, free honeypot tool to trap hungry hackers

Canary squeals when domain admin credentials are pinched

RSA 2016 Dell SecureWorks duo Joe Stewart and James Bettke have created a free honeypot loaded with fake domain credentials in a bid to help admins trap and block attackers.

The researchers built the Domain Controller Enticing Password Tripwire (DCEPT) tool designed to help organisations unmask hackers and shore up defences ahead of attacks.

Windows Active Directory credentials are among the most common and handy tools in an attacker's arsenal and the pair hope to foil those who access them with the tool.

Network administrators often use domain administrator accounts to access network computers. If any of those machines are compromised, attackers can swipe the credentials stored in cache using tools like Mimikatz.

"With this information, the attacker gains total control of the network," the pair say.

"These types of attacks can potentially terminate a company’s ability to do business.

"Espionage or advanced-persistent-threat-style attacks have used this technique for years to compromise networks and steal protected data."

The pair say the method is as common as it is effective, and has led to fleets of computers being permanently destroyed.

"Even with reliable and recent data backups, the manpower it would take to restore an entire enterprise network is daunting."

Stewart and Bettke, both seasoned forensic investigators, say solutions that identify anomalies are expensive and must be trained to capture normal behaviour.

The DCEPT tool launched at the RSA San Francisco conference last week will identify what credential or honeytoken was stolen and from which machine.

It sports an agent that drops honeytoken passwords into memory on endpoints, a network service that generates unique honeytokens at the request of an agent, and a sniffer service that looks at network traffic for signs that credentials are being stolen.

The tool can be downloaded from GitHub and is available as a Docker container. ®

comment icon Read 6 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe