Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release 319
Effugas writes "After pushing OpenSSH
to perform feats of secure tunneling far beyond what I ever expected it could
do, it became clear that some genuinely useful modes of network operation were
simply inaccessable without either replacing or manipulating core network protocols.
Since the basic infrastructure of the Internet isn't likely to change any time
soon, that left...creative manipulation and reconstruction of the Lingua Reseaux:
TCP/IP. Taking advantage of expectations,
pitting layers against eachother, finding new uses for old options and data fields -- instead of simply
unleashing the latest incarnation of some "Ping of Death", could such work
unveil hidden functionality within existing networks? As I discussed at
Black Hat 2002 and the inimitable
Defcon X, the answer is yes. And now,
proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP),
The Paketto Keiretsu, Version 1.0,
is a collection of five interwoven
"proof of concepts" that explore, extract, and expose previously
untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.
The five --
scanrand,
minewt,
lc
(
linkcat
),
paratrace,
and the OpenQVIS
cross-disciplinary-a-go-go phentropy --
demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrila Multicast, Parasitic Tracerouting, Ethernet Trailer
Cryptography, and quite a bit more. (For details, stop by DoxPara Research
or check out the latest slides. The academic paper is coming "soon".)
In terms of actual usefulness, scanrand is no
nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B,
scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
Go Dan! =) (Score:2, Interesting)
-david
That's insane! (Score:3, Interesting)
That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?
maybe you can calrify (Score:3, Interesting)
Re:That's insane! (Score:4, Interesting)
Re:4 Sec? (Score:2, Interesting)
"Black Ops of TCP/IP", Indeed.
Re:Clarification (Score:3, Interesting)
I happen to be Japanese, so I just thought it was rather...odd. Maybe it's because I've never seen the word "keiretsu" used in a context other than the one you described.
Re:Oh, so what up with the scissors and paste link (Score:5, Interesting)
--Dan
Re:scanrand and paratrace (Score:5, Interesting)
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:
http://cr.yp.to/syncookies.html [cr.yp.to]
Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.
Re:translation (Score:5, Interesting)
Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.
Loose Source Route scanner and tunnels (Score:4, Interesting)
While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about.
IMHO,
Michael
Re:Fun with errors? (Score:2, Interesting)
It's a layer 2
LOOK OUT! (Score:3, Interesting)
Can you imagine the damage that might occur if this hyperspeed scanner were combined with a Code-Red style worm? We've already talked about infection rates of few days, and with some optimization [slashdot.org], much less.
But couldn't scanning tools like these cut the time for 100% Internet saturation down to something like 5 minutes?
-Ben
Neat hacks, but not profound discoveries (Score:3, Interesting)
His "router" seems pointless, unless it's attached to someone else's LAN. Yes, you can write a single-port NAT router that allows multiple machines on the same LAN to have the same IP address. But then they can't talk to each other. (They can talk to the "router" and perhaps, via it, the outside world.) Apparently he did this to get around some restriction on his dorm LAN in college.
Re:Loose Source Route scanner and tunnels (Score:3, Interesting)
Funny story, actually.
For quite a while, I thought IP Options just didn't work in the Core...wasn't till recently that I discovered the two PIXes I live behind block them uncontrollably.
Scanrand's traceroute mode will eventually support some remote mesh discovery using LSRR. Thanks for the link! This will help immensely.
--Dan
Re:Neat hacks, but not profound discoveries (Score:3, Interesting)
Anyway, I used Proxy ARP to get around college LAN restrictions. I couldn't have done Minewt way back when. Minewt is an extension of Doxroute, which was written to allow routing rules based on anything I damn well felt like.
--Dan