
Security

Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release 319

Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessible without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left...creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against each other, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc ( linkcat ), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrilla Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".) In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
  • Go Dan! =) (Score:2, Interesting)

    by dew ( 3680 ) <david@week l y .org> on Monday November 18, 2002 @07:20PM (#4702099) Homepage Journal
    I roomed with the guy and can attest to the year or so he spent cobbling this stuff together. Go Dan!!

    -david
  • That's insane! (Score:3, Interesting)

    by DJayC ( 595440 ) on Monday November 18, 2002 @07:21PM (#4702107)
    "During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."

    That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?
  • by ryochiji ( 453715 ) on Monday November 18, 2002 @07:27PM (#4702154) Homepage
    What's up with the pseudo-Japanese name?
  • Re:That's insane! (Score:4, Interesting)

    by Anonymous Coward on Monday November 18, 2002 @07:33PM (#4702201)
    Um, not that I would know anything about scanning that many addresses, but most of the portscanners out now can only handle 20 or so simultaneous connections and have a 2-3 second timeout. So it would depend how fast the hosts respond and what % have servers. I imagine it would be in the realm of 30 minutes or so for this network.
  • Re:4 Sec? (Score:2, Interesting)

    by Istealmymusic ( 573079 ) on Monday November 18, 2002 @08:16PM (#4702494) Homepage Journal
    4 seconds for 2^16 is very fast. That's only 4(2^16) = 262,140 seconds = 4,396 minutes = 72 hours = 3 days for a sweep of the entire Internet. The virus-spreading possibilities are immense; in a mere three days a single virus could discover all exploitable hosts, though of course the time would be cut drastically due to the distributed nature of viruses. This isn't as fast as the 15 minutes the Warhol Worm [berkeley.edu] offers, but it is faster than most admins will be able to patch their boxes, assuming the exploit is discovered and published beforehand. The possibilities of an underground vulnerability circulating without a patch are very real, and it could easily take 3 days for a vendor to fix the problem.

    "Black Ops of TCP/IP", Indeed.

  • Re:Clarification (Score:3, Interesting)

    by ryochiji ( 453715 ) on Monday November 18, 2002 @08:20PM (#4702519) Homepage
    >A "keiretsu" is a conglomeration of not-100%-related business units under a single roof

    I happen to be Japanese, so I just thought it was rather...odd. Maybe it's because I've never seen the word "keiretsu" used in a context other than the one you described.

  • by Effugas ( 2378 ) on Monday November 18, 2002 @08:21PM (#4702523) Homepage
    Cut and Paste. Linkcat lets you do that with packets :-)

    --Dan
  • by Electrum ( 94638 ) <david@acz.org> on Monday November 18, 2002 @08:39PM (#4702635) Homepage
    I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?

    I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.


    Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:

    http://cr.yp.to/syncookies.html [cr.yp.to]

    Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.
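The inverse SYN cookie trick described in the reply above, worked through as an added example; this is not scanrand's own code and does not come from the original page. The idea it demonstrates: put a keyed 32-bit tag over (target address, target port) into the sequence number of each SYN, forget the probe entirely, and then accept a SYN/ACK or RST/ACK only if recomputing the tag from the reply's source address and port matches ack-1. The HMAC-SHA256 construction, the per-scan key, the constructed /28 of targets and the forged reply are all this example's assumptions, not scanrand's internals; packets are plain dicts, so it runs without raw sockets.

```python
import hashlib
import hmac
import os
import struct

# Per-scan secret. scanrand derives its own; this choice is an assumption.
SCAN_KEY = os.urandom(16)


def syn_cookie(dst_ip: str, dst_port: int, key: bytes = SCAN_KEY) -> int:
    """32-bit keyed tag over the probe target, used as the TCP sequence number.

    A host that does not know `key` cannot forge a reply that validates,
    and the scanner does not need to remember which probes it sent.
    """
    msg = f"{dst_ip}:{dst_port}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!I", tag[:4])[0]


def build_syn(dst_ip: str, dst_port: int, src_port: int = 40000,
              key: bytes = SCAN_KEY) -> dict:
    """A SYN probe (only the header fields the demo needs are modelled).
    Nothing about it is stored once it has been 'sent'."""
    return {
        "dst_ip": dst_ip,
        "dst_port": dst_port,
        "src_port": src_port,
        "seq": syn_cookie(dst_ip, dst_port, key),
        "flags": {"SYN"},
    }


def classify_reply(pkt: dict, key: bytes = SCAN_KEY):
    """Validate and classify a reply using only the reply itself.

    A target answers a SYN carrying seq = cookie with SYN/ACK (open) or
    RST/ACK (closed) whose acknowledgement number is seq + 1 mod 2**32.
    Recomputing the cookie from the reply's source address and port tells
    us whether we ever sent that probe, with no table of outstanding SYNs.

    Returns ('open', ip, port), ('closed', ip, port), or None when the
    packet is unsolicited or forged.
    """
    expected = syn_cookie(pkt["src_ip"], pkt["src_port"], key)
    if (pkt["ack"] - 1) & 0xFFFFFFFF != expected:
        return None
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" in flags:
        return ("open", pkt["src_ip"], pkt["src_port"])
    if "RST" in flags:
        return ("closed", pkt["src_ip"], pkt["src_port"])
    return None


def reply_to(syn: dict, port_open: bool) -> dict:
    """Constructed target response for the demo (no real network traffic)."""
    return {
        "src_ip": syn["dst_ip"],
        "src_port": syn["dst_port"],
        "dst_port": syn["src_port"],
        "ack": (syn["seq"] + 1) & 0xFFFFFFFF,
        "flags": {"SYN", "ACK"} if port_open else {"RST", "ACK"},
    }


def demo(key: bytes = SCAN_KEY) -> dict:
    """Fire probes at a constructed /28 and classify whatever comes back."""
    targets = [f"10.0.0.{h}" for h in range(1, 15)]
    probes = [build_syn(ip, 80, key=key) for ip in targets]
    # Constructed world: hosts with an even last octet run a web server.
    wire = [reply_to(p, int(p["dst_ip"].split(".")[-1]) % 2 == 0) for p in probes]
    # An unsolicited SYN/ACK from an address we never probed; it must be dropped.
    wire.append({"src_ip": "192.0.2.9", "src_port": 80, "dst_port": 40000,
                 "ack": 0x12345678, "flags": {"SYN", "ACK"}})
    results = {}
    for pkt in wire:
        verdict = classify_reply(pkt, key)
        if verdict is not None:
            state, ip, port = verdict
            results[(ip, port)] = state
    return results


if __name__ == "__main__":
    for (ip, port), state in sorted(demo().items()):
        print(f"{ip}:{port} {state}")
```

Because the receiver needs only the key, the sending and receiving halves can run on different machines, which is the split the comment above asks about; the cost is that the cookie is only 32 bits, so a reply arriving on the wrong port or with a wrong ack is simply discarded rather than retried.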
  • Re:translation (Score:5, Interesting)

    by ryanr ( 30917 ) <ryan@thievco.com> on Monday November 18, 2002 @08:42PM (#4702652) Homepage Journal
    They're just a little bit more than slightly different. Try them out, you might be surprised.

    Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.
  • by lamour ( 49437 ) on Monday November 18, 2002 @09:35PM (#4702937) Homepage
    A friend of mine wrote an LSR scanner and an LSR tunnel tool which you probably won't understand either. Go get them, play with them, and then think about what it means. Here's his short paper on LSR [synacklabs.net].

    While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about. ;-)

    IMHO,
    Michael
  • Re:Fun with errors? (Score:2, Interesting)

    by Angry White Guy ( 521337 ) <CaptainBurly[AT]goodbadmovies.com> on Monday November 18, 2002 @10:06PM (#4703076)
    How about fun with lots of errors. If you can manipulate IP enough to do this, what's to say that you can't redirect that in a giant smurfing of the Internet? 65k packets in 4 seconds could easily clog a semi-full link, if it was sustained.

    It's a layer 2 /. effect!
  • LOOK OUT! (Score:3, Interesting)

    by mcrbids ( 148650 ) on Monday November 18, 2002 @10:25PM (#4703161) Journal
    I got to reading this, and thought how cool it was. Then a cold chill ran through me...

    Can you imagine the damage that might occur if this hyperspeed scanner were combined with a Code-Red style worm? We've already talked about infection rates of few days, and with some optimization [slashdot.org], much less.

    But couldn't scanning tools like these cut the time for 100% Internet saturation down to something like 5 minutes?

    -Ben
  • by Animats ( 122034 ) on Tuesday November 19, 2002 @01:53AM (#4703984) Homepage
    Yes, you can do this stuff, but it's not that profound.

    His "router" seems pointless, unless it's attached to someone else's LAN. Yes, you can write a single-port NAT router that allows multiple machines on the same LAN to have the same IP address. But then they can't talk to each other. (They can talk to the "router" and perhaps, via it, the outside world.) Apparently he did this to get around some restriction on his dorm LAN in college.

  • by Effugas ( 2378 ) on Tuesday November 19, 2002 @10:15AM (#4705784) Homepage
    Michael--

    Funny story, actually.

    For quite a while, I thought IP Options just didn't work in the Core...wasn't till recently that I discovered the two PIXes I live behind block them uncontrollably.

    Scanrand's traceroute mode will eventually support some remote mesh discovery using LSRR. Thanks for the link! This will help immensely.

    --Dan
  • by Effugas ( 2378 ) on Tuesday November 19, 2002 @11:16AM (#4706327) Homepage
    College was entertaining. Damn near got kicked out translating Windows print requests to the local Novell printers, so people could avoid installing Client32.

    Anyway, I used Proxy ARP to get around college LAN restrictions. I couldn't have done Minewt way back when. Minewt is an extension of Doxroute, which was written to allow routing rules based on anything I damn well felt like.

    --Dan
