dejavu's People

Contributors

amitk-icpl, bhdresh, hari-dos, hramadoss, nikhilj21

dejavu's Issues

vlan settings / trunk problems

Hey, I am running into some new weird issues.

I've got a single vlan interface setup working, but it's not very feasible since we've got a lot of vlans, so I am trying out the trunk option. I am trying a few different options now, which involve making the incoming interface a trunk port and tagging all the vlans, but Dejavu ain't seeing the vlans. I've tried it as an edge port and tagged all the vlans, but Dejavu still doesn't see our vlans. I tried reboots of the host and VMs, but no luck. I have been looking for documentation on this but can't find any. I've been looking at the VirtualBox documentation on this, but it doesn't help.

Am I missing something in my setup?

When is authenticated smtp to be reimplemented?

Looking for how to use authentication with smtp for alerts, I've found (it seems) that it is currently not implemented, yet it apparently was at one time.
Am I right in this assumption? If yes, is it to be introduced again, and is there a temporary solution that I can use?

Thank you for this solution that works like a charm otherwise! Waiting for your response.

Web UI Does not Show Setup Page With Initial Use

I am following the setup video, and when I browse to the web interface for the first time it presents me with the login page, rather than the setup page. I attempted to manually browse to the setup page, which does not work either.

HoneyHash Script Injects Incorrect Password into Memory When the Password Contains Characters with Special Significance in PowerShell

The script generated by the HoneyHash functionality injects the wrong password into memory when the password provided contains characters considered significant by PowerShell, such as a "$".

For example, providing the following input into DejaVu:

image

Produces the following from mimikatz:

image

The underlying cause seems to be that the password in the script is enclosed by double-quotes ("P@$$WORD!123"), when it really should be single-quotes ('P@$$WORD!123').
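
The quoting difference described in this issue, as an added example that is not part of the original report or of DejaVu's own code: a hypothetical helper, ConvertTo-SingleQuotedLiteral, emits a password as a single-quoted PowerShell literal, and a second hypothetical helper, Test-LiteralRoundTrip, checks whether a literal evaluates back to the intended value. It uses the password from the issue plus one constructed sample.

```powershell
# Added example; not DejaVu's generator. Both function names are hypothetical.
function ConvertTo-SingleQuotedLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # Inside '...' PowerShell expands nothing; only quote characters need doubling.
    # EscapeSingleQuotedStringContent also covers the typographic quotes that
    # PowerShell accepts as string delimiters.
    $escaped = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent($Value)
    "'" + $escaped + "'"
}

function Test-LiteralRoundTrip {
    param(
        [Parameter(Mandatory)][string]$Literal,
        [Parameter(Mandatory)][string]$Expected
    )
    # Evaluate the literal the way a generated .ps1 would when it runs.
    $actual = & ([scriptblock]::Create($Literal))
    [pscustomobject]@{
        Literal = $Literal
        Result  = $actual
        Intact  = ($actual -ceq $Expected)   # case-sensitive comparison
    }
}

$samples = @(
    'P@$$WORD!123',   # password from the issue
    'It''s$ecret'     # constructed sample: contains both ' and $
)

foreach ($password in $samples) {
    # Double-quoted form, as in the generated script: $-sequences are expanded,
    # so the value that reaches memory differs from what the operator typed.
    # (The samples contain no double quote, so this form still parses.)
    Test-LiteralRoundTrip -Literal ('"' + $password + '"') -Expected $password

    # Single-quoted form with embedded quotes doubled: the value survives intact.
    Test-LiteralRoundTrip -Literal (ConvertTo-SingleQuotedLiteral $password) -Expected $password
}
```

The double-quoted rows report Intact as False and the single-quoted rows report True; note that switching to single quotes alone is not enough when the password itself contains a quote character, which is why the helper escapes it.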

Update Dejavu

Hello,

I use version 11 and want to upgrade to the newest. I have downloaded the upgrade.zip (11->12) and use the function "settings -> Backup&Upgrade -> Upgrade". I select the upgrade.zip on the Dejavu Engine and click "Upgrade Dejavu Engine". I do the same on the Dejavu Console and wait about 30 min. Then I reboot the Engine and the Console, and both still show version 11.

What am I doing wrong?

Is it possible to upgrade from version 11 directly to version 14?

With friendly Regards

Mathias

Any chance for Hyper-V?

I converted the VMware disk images to VHDX and set up a test lab in Hyper-V. The images boot and work to some extent, but not completely. In essence, the engine can receive incoming packets from the virtual switch on eth1, but nothing goes out to the virtual switch from the engine.

I presume this has something to do with interface virtual1000 on the engine being in promiscuous mode. Is there any way around this, or do I need to keep looking for alternatives that work in Hyper-V?

Error in ps1 Script from Add Decoy to Domain Functionality

The Add Decoy to Domain function produces an erroneous ps1 command.

Generating an Add Decoy to Domain script for a domain called TestDomain.local and a decoy called SMBDecoy produces the following Powershell script:

Import-Module ActiveDirectory
New-ADComputer -Name SMBtest -DNSHostName SMBtest.TestDomain.local
dnscmd /recordadd TestDomain.local SMBtest A 192.168.215.43
dnscmd /recordadd 215.168.192.in-addr.arpa 43 PTR SMBtest.TestDomain.local

Running this on the Domain Controller produces an error saying that the domain doesn't exist. This is because the name of the domain is missing from the last line of the script. The last line should instead read:
dnscmd /recordadd TestDomain.local 215.168.192.in-addr.arpa 43 PTR SMBtest.TestDomain.local

smtp gmail not working?

Hi,

Firstly, I'd like to say that I am glad I got things running; the vlan tagging is working perfectly with Hyper-V. Looking forward to finally setting this up at work in production.

I remember setting this up on my test server at work using the production smtp server on port 25, and this worked. Now I am testing it in my home lab using the gmail smtp server on port 587 and smtp.gmail.com, but this doesn't seem to be working. Is this a known issue?

regards,

Lennart

Unable to download Engine VDI file

Hello,
I am trying to install your Console and Engine VDI files. I have successfully downloaded the Console VDI file, but I am unable to download the Engine VDI file. I have noticed that it gives out an error after 1.5-2GB of the download has completed. I have tried from multiple devices and multiple internet connections, but I get the same error. Please help.

vmware - 7.03 installation

Hi,
I did an installation, guided by the pdf.
When I configure a new decoy, I can ping it briefly for a few seconds, but after that I'm not able to ping it.
But inside the engine console, I can ping the decoys.
If I reboot the engine appliance, I get the same scenario: it pings 3 or four times after the reboot and dies again.
Any ideas?

image

Question: Preconfigured DejaVu images

Hello, @bhdresh, I received the email to download the preconfigured images.
I look forward to reviewing your product; it's certainly something I have been looking for and I really like what you have done.
However, I have a question:

  1. When I launch the image in VirtualBox, it's requesting creds as shown here.

Screen Shot 2021-07-10 at 7 55 49 PM

Thank you

VMware esxi question

Hi guys, I have been trying VMware since my experience with VirtualBox didn't work out. I couldn't reply to the question of whether VMware worked out for me the last time, sorry for that.

I am now having some issues with VMware though. I have followed the instructions for VMware ESX and all looks great after the installation of both the console and the engine. I am now having difficulties reaching the default IP address. From my VirtualBox experience, I could access those IP addresses from the local machine where VirtualBox was running and finish the configuration. Under VMware I'm struggling to figure out where things are failing. I am sure I am missing something in VMware to somehow enable access to the default network those VMs start in.

regards,

Lennart

Alerts not sending

Running V12, I have alerts set up and I have tested SMTP, and it will send a test message, but when an active attack is happening no alerts are sent.
image

about documentation

Hello, the Dejavu Deception framework is working nicely, but are you guys building some quick start guide or some manual for this? I am asking because I need some information on how it works, how the services work, etc.

Decoy Group can only contain alpha numeric characters

Hi,
during the creation of the new decoy with all configurations, we receive this message: "Decoy Group can only contain alphanumeric characters" as the image in the attachment.
Decoy

Can you help us about that?
Best regards

Rox

[Question] add client decoy

Hi dev team,
thanks a lot for this great tool. I have a few questions for you if you don't mind:
before, I used open canary; you install this sort of honeypot on an rpi and plug it in here and there on your network. Because I have like 150 different offices, it requires a bit of organisation.

In the dashboard, I guess what I used to have on an rpi is what is called a client decoy, right?

If my dejavu server is on 192.168.56.102, how do you proceed to "deploy" a decoy on another IP range?
I've added a decoy client in the same IP range as the PC hosting the VM; I can't reach it, it doesn't work.
Can I, from a single VM, deploy virtual decoys on all my subnets?
Thank you for your time, truly appreciated.

notifications: multiple match criteria not saving.

Hi, first off, great tool/platform, very appreciated!

I do have a weird saving issue. I am receiving a few false positives and I want to filter them out using multiple match criteria, but unfortunately it's not saving the additional match criteria. Am I doing something wrong or is this a bug?

regards and keep up the good work!

Lennart

[Notification]

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

  • Open source: All information is available and up to date. If any information is missing or deprecated, you are invited to (help us).
  • Practical: Content is categorized and table formatted, allowing you to search, browse, sort and filter.
  • Fast: Using static and client side technologies resulting in fast browsing.
  • Rich tables: search, sort, browse, filter, clear
  • Fancy informational popups
  • Badges / Shields
  • Static API
  • Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

  • Specialized websites: Some websites are referencing tools but additional information is not available or browsable. Making additional searches takes time.
  • Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
  • Search engines: Search engines sometimes find nothing; some tools or resources are too unknown or non-referenced. This is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this gives visibility to your tool. More and more people are using the Rawsec's CyberSecurity Inventory, and this helps them find what they need.

Badges

The badge shows your community that you are inventoried. This also shows you care about your project and want it to grow, and that your tool is not abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

So what?

That's all, this message is just to notify you if you care.

Error in ps1 Script from Kerberoast HoneyAccount Functionality

The Kerberoast HoneyAccount functionality produces an erroneous PowerShell script. Generating a script with a service name of "RealService" and an SPN Name of RealSPN produced the following script:

Import-Module ActiveDirectory
New-ADUser -Name "RealService" -SamAccountName "RealService" -DisplayName "RealService" -ServicePrincipalNames "RealSPN" -AccountPassword (ConvertTo-SecureString "FRPoc2oCIQ)CbOpw#1I$C%5qsnJ6Sv" -AsPlainText -Force) -Enabled $True -GivenName "RealService" -PasswordNeverExpires $True

Running this script in PowerShell resulted in errors. I was able to fix the errors and successfully create the service account by replacing -ServicePrincipalNames "RealSPN" with REAL/RealSPN.TestDomain.local. I also added -UserPrincipalName [email protected], but I don't know if that was necessary.

On new install for Console: Fatal error: require(): Failed opening required 'includes/PHPMailer/src/Exception.php'

After setting up VMs from the links in email, there is the following error when navigating to IP address hosting the Console for first time.

image

My colleague who set this up mentioned:

Couple things I did: I changed networking to get IP addresses from dhcp and modified apache2 config to listen on all IP addresses (there were hardcoded IPs from manuals before)

Not sure if either is causing the "No such file" error.

VMware issue while doing vmotion

During my testing of this tool we noticed that if the system attempts to vMotion from one host to another, it corrupted the vmdk. We were able to fix that corruption, but any time we see this system try to vMotion, it crashes the system. Any thoughts?

Register doesn't work

I've downloaded both the VDI and VMDK images, and they have the same issue: the registration page isn't working. Please check it.

I followed the instruction video, and I was wondering why every time I register my account, it doesn't show any notification such as "User registered! Please login". Turns out I can only log in with admin:admin.

License?

Thanks for your project. While reviewing it for the security tools section on our website, I couldn't find the license. Can you add one?

Alert Emails not Sent if Authentication is not Used

The user interface (updateSettingsView.php) states that SMTP credentials are optional, however alert emails are not sent if authentication is not used. Upon looking at mailAlert.php we find the following code:

if($hostname && $username && $password){
                //Create a new PHPMailer instance
                $mail = new PHPMailer;
                $mail->isSMTP();
                //Enable SMTP debugging
                $mail->SMTPDebug = 2;
                $mail->Host = $hostname;
                $mail->Port = 25;
                ...

This if statement is not followed by an else/else if statement - therefore, the process to create and send an email is only started when a username and password are provided. I confirmed that this was causing the issue by removing && $username && $password from the conditional statement, at which point I started getting email alerts as expected.

Attack raw logs for siem

Hi, I would like to integrate console to SIEM.

What is the path of the attack logs and raw logs? I can read logs via ssh.

By the way, you are awesome guys.

Love it !!1

Feature Request - External API Call

If an attack occurs, it would be great if we could send a custom API call to a third party NAC device. Simple details like attacker IP address.

This is a great product. Keep up the good work!

Attack Graph not visible

Dear Experts, I have deployed Dejavu on my LAN, which is not connected to the internet. Everything is working and I am getting logs on the console, but the attack graph is not visible. How can I view the attack graph?
