Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release
Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessible without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left...creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against each other, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc (linkcat), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrilla Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".)

In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
Re:That's Great (Score:4, Insightful)
Most of it has little direct cracking application that I can see. We have a fancy traceroute, a system allowing multiple hosts to share an IP address and still get the correct data through MAC address translation.
I can see where scanrand could be abused, but it won't be until someone writes a script for the script kiddies to use.
As for the idea of security through not telling anyone, read The Cuckoo's Egg and study up on the Internet Worm to figure out why that idea is completely idiotic.
It sure is great. (Score:4, Insightful)
Because insurance companies don't require an authorized audit of computer security (yet), most places are wide-open. Think of this as the example of how to start fires, and why the government should have laws about the fire protection that public theatres (ecommerce sites) should have. Most companies are happy to let a room full of patrons burn to death -- that's why we need examples and government intervention. Besides, I'd rather that fellows like this release what they've been working on, so I know what to look out for, and can apply their methods against my systems at leisure in order to find problems and address them.
Re:Note to the editors: (Score:5, Insightful)
This is News for Nerds - if it was something joe-shmoe Wall Street Journal reader could understand, then it would be in the Wall Street Journal. If you don't understand it, LOOK IT UP.
I want to be a troll now (Score:5, Insightful)
The compost bin story got a more meaningful discussion than this.
90% of people here think that case mods are cool.
99% of people here look at a program which allows you to traceroute without ICMP or UDP (just to name one thing) and say "yeah, but what's the use?"
WTF?
I shall go and troll in the story about case with 6 neon lights attached to it now. See ya.
Re:Note to the editors: (Score:5, Insightful)
I'm going to burn some karma.
Somebody needs to moderate the parent comment up. This article is not merely masturbation for some geek - these are fundamentally cooler tools than what we've had before. Why? Because they do what they do - port scanning, routing, etc. - in new and more flexible ways.
One of the problems with releasing a powerful tool is that you need to *train* people to use it. Even more so than in meatspace, virtual tools like these require you to grok both the code and the environment in which the code runs. In this case, you need to understand how TCP/IP works, what the OSI layers are and how they interrelate, how existing implementations have been done, and how these tools are different.
It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"
*sigh*
Re:translation (Score:5, Insightful)
Hey pal, anyone can break an internet protocol, but it takes skill to bend the hell out of it. This guy dumps more braincells every time his girlfriend spits after oral sex than you could ever hope to have. This guy speaks in TCP/IP, you just speak in condescending technocratic bullshit. You're the reason information is not free-as-in-beer free.
Hey Slashdot, we're going to get a big group of us together and go beat the fuck outta Stephen Hawking! Who the fuck does he think he is looking at the universe in a slightly different way, except those views were heralded by an obtuse 500 page self-aggrandizing technobabbling hardcover!
I'll post at +1, I've got karma to burn....
AWG
Warning Geek at Work (Score:3, Insightful)
Firstly, as a poster has noted before, by going under the radar by directly using the IP layer, this is going to open up a whole new rash of attack methods which we would be much better off investigating and defending against.
Secondly, I think it's cool; it renews my faith in the basic tenet of geekdom - play with it until you break it, then learn to fix it again.
Re:All I want to know is. ... (Score:5, Insightful)
Breaking into networks, crashing people's systems...unnecessary and boring, in that order.
You don't need to be a Black Hat to play with protocols. Not in the slightest.
--Dan
Re:translation (Score:1, Insightful)
These people have a point there. There was a LOT of useless vocabulary in there. The guy needs to take a technical writing course to clean up his rhetoric and just get the damn point across. "Guerrilla multicast"? "Parasitic tracerouting"? "Black Ops of TCP/IP"? What's with the sensationalistic adjectives? This comes off like a wrestling commentary, not a technical description.
Re:Fun with errors? (Score:5, Insightful)
The guy that came up with this released it so that we can all see it, use it, understand it, and adapt to the problems that come with it. That's not "getting blindsided". Getting blindsided is the guy that came up with it realizing that incredible destructive power may be in his hands and that he could just use it right then and there when no one even understands what he's doing on a very basic level.
Since this is just a rearranging of what was already in TCP/IP, it was already there, sitting in some deep corner of the internet and the logic of how it works. Rather than being afraid of what it could do, I'm just thankful that the guy that found it decided to let everyone know about it so that we can take advantage of its good parts and protect ourselves against its bad parts.
Re:Note to the editors: (Score:5, Insightful)
The latter is understandable - a whole lot of /. folks just realized they need to brush up on TCP/IP theory - and that's a good thing. I know I pulled out my cheat sheets while reading his presentation.
But the former is just plain annoying. Dan has done some really impressive work, using a very mature system in innovative ways. What did you expect? That he wrote some killer app that would make you rich during the IPO? This is great stuff - some of which doesn't have real world applicability (right now anyway), but so what? He's doing research into what CAN be done. I work in IT at a large research university and it really brings home the importance of research for research's sake. Others will come up with commercial applications where appropriate. But research is pushing the boundaries of existing knowledge or delving into completely new areas. For the sake of knowledge and learning.
That said, for all of you saying 'this isn't new' or 'it's no big deal till they write scripts for the script kiddies' what crack are you on? In addition to making my head spin this early in the morning, Dan's presentation and ideas sent a shiver down my spine. I administer an academic network which means no firewall. Dan's ideas, which I could use for good, can also be used for evil. Easily. This kind of stuff is scary.
Think about how much time, bandwidth and effort CodeRed wasted trying to spread itself probing systems that were not web servers. Imagine using this scanning technology as an opening salvo to a new exploit attack via port 80. BANG! Your network security folks sit up with a start as your Class B just got hammered hard. But it was over in 10 seconds. You look into it, but aren't really sure what it was. But now the attacker knows EVERY SINGLE HOST on your network running something on port 80. You (and the rest of the network) just got infected that much faster. Yes, previous papers already theorized this was possible (Warhol Worm, etc.), but this makes it even scarier. A two-stage worm could really blow things away. The first stage uses ultra fast scanning to build hosts responding to a given port. These first stage hosts develop into a network gathering available hosts to hit based on these ultra quick scans and then fire off stage two infections with pre-seeded network lists most likely to be vulnerable or offer the most targets.
Hell, the second stage would be WELL underway by the time most network security admins' pagers went off.
I tip my hat to Dan - this is great stuff with many useful applications, even if some are less than savory.
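The comment above worries about a port-80 sweep of a whole Class B that is "over in 10 seconds" and leaves the admins unsure what hit them. The sliding-window detector below is an added example (not code from the Slashdot post or from Paketto Keiretsu) that flags exactly that pattern in inbound SYN records: one source touching many distinct hosts on one port within a short window. The `Syn` record layout, thresholds and sample data are assumptions constructed for the example.

```python
"""Single-port sweep detector over inbound TCP SYN records.

Added example, not part of the Slashdot post or of Paketto Keiretsu.
An alert fires when one source sends SYNs to at least `min_hosts` distinct
destination hosts on one port within `window` seconds, the signature of a
sweep like the 65,536-address, ~4-second scanrand run quoted in the story.
"""
from collections import defaultdict, deque
from typing import Iterable, NamedTuple


class Syn(NamedTuple):          # assumed record layout (e.g. from flow logs)
    ts: float                   # seconds
    src: str
    dst: str
    dport: int


def detect_sweeps(records: Iterable[Syn], window: float = 10.0, min_hosts: int = 100):
    """Return [(src, dport, window_start_ts, distinct_hosts)], one per (src, dport),
    recorded the first time that pair crosses the threshold."""
    recent = defaultdict(deque)                    # (src, dport) -> [(ts, dst), ...]
    counts = defaultdict(lambda: defaultdict(int)) # (src, dport) -> dst -> SYNs in window
    alerts = {}
    for r in sorted(records, key=lambda r: r.ts):
        key = (r.src, r.dport)
        q, c = recent[key], counts[key]
        while q and r.ts - q[0][0] > window:       # expire SYNs older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        q.append((r.ts, r.dst))
        c[r.dst] += 1
        if key not in alerts and len(c) >= min_hosts:
            alerts[key] = (r.src, r.dport, q[0][0], len(c))
    return sorted(alerts.values())


def sample_records():
    """Constructed data: a 200-host sweep of port 80 in 0.5 s from one source,
    plus a host that contacts 5 web servers over a minute (ordinary browsing)."""
    sweep = [Syn(100.0 + i * 0.0025, "198.51.100.7", f"10.1.{i // 256}.{i % 256}", 80)
             for i in range(200)]
    benign = [Syn(100.0 + i * 12.0, "203.0.113.9", f"10.1.0.{i}", 80) for i in range(5)]
    return sweep + benign


if __name__ == "__main__":
    for src, dport, start, hosts in detect_sweeps(sample_records()):
        print(f"sweep: {src} -> {hosts} hosts on tcp/{dport} starting t={start}")
```

The window and host threshold trade sensitivity for noise: a window short enough to miss the sweep (try `window=0.1`) yields no alert, while the browsing host never reaches the threshold at any setting.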