Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release 319
Effugas writes "After pushing OpenSSH
to perform feats of secure tunneling far beyond what I ever expected it could
do, it became clear that some genuinely useful modes of network operation were
simply inaccessable without either replacing or manipulating core network protocols.
Since the basic infrastructure of the Internet isn't likely to change any time
soon, that left...creative manipulation and reconstruction of the Lingua Reseaux:
TCP/IP. Taking advantage of expectations,
pitting layers against eachother, finding new uses for old options and data fields -- instead of simply
unleashing the latest incarnation of some "Ping of Death", could such work
unveil hidden functionality within existing networks? As I discussed at
Black Hat 2002 and the inimitable
Defcon X, the answer is yes. And now,
proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP),
The Paketto Keiretsu, Version 1.0,
is a collection of five interwoven
"proof of concepts" that explore, extract, and expose previously
untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.
The five --
scanrand,
minewt,
lc
(
linkcat
),
paratrace,
and the OpenQVIS
cross-disciplinary-a-go-go phentropy --
demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrila Multicast, Parasitic Tracerouting, Ethernet Trailer
Cryptography, and quite a bit more. (For details, stop by DoxPara Research
or check out the latest slides. The academic paper is coming "soon".)
In terms of actual usefulness, scanrand is no
nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B,
scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
...wha? (Score:3, Funny)
Anyone here want to sum it up IN PLAIN ENGLISH, without involving beowulf clusters or "Profit!"?
Re:...wha? (Score:4, Funny)
2. Detect thousands of networks in seconds.
3. ?????
4. Profit!
Re:...wha? (Score:4, Funny)
Re:...wha? (Score:4, Informative)
The networking model is divided into seven layers. These guys are looking at mainly levels 2-4. These layers are: 2) Data Link, 3) Network, 4) Transport. It looks like most of this focuses on the Network and Transport Layer, where TCP/IP live (reverse respectively). There are basic things you can do with tcp/ip values and protocols, such as trace route, ping, etc. They are finding new things. An example of the typical tcp/ip function is the traceroute. You send a packet with TTL(Time to Live) set to 1. Whoever it hits tells you it died. Then you do 2. Slowly you find your way to the destination, tracing each hop along the way. They are finding new, similar uses for tcp/ip.
Go Dan! =) (Score:2, Interesting)
-david
maybe you can calrify (Score:3, Interesting)
Clarification (Score:5, Informative)
The Paketto Keirestu is a conglomeration of program units that do really bastardized and interesting things with packet manipulation and flow. It's a catchy little title, I thought, but that's MHO.
-david
Re:Clarification (Score:3, Interesting)
I happen to be Japanese, so I just thought it was rather...odd. Maybe it's because I've never seen the word "keiretsu" used in a context other than the one you described.
Re:maybe you can calrify (Score:2)
A node [everything2.com] I wrote on E2 should explain.
Re:Go Dan! =) (Score:5, Funny)
Re:Go Dan! =) (Score:3, Funny)
A Monty Python nerd?
That's insane! (Score:3, Interesting)
That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?
Re:That's insane! (Score:4, Interesting)
Please be nice (Score:5, Informative)
Ping of Death! (Score:2, Funny)
I'm soo dumb (Score:5, Funny)
*sigh*... I'm important! I swear...
Re:I'm soo dumb (Score:2)
Greek (Score:2, Insightful)
Still Reading... (Score:2)
Reminds me a lot of work done at USANC in the '90s (Score:2, Troll)
One of the things we did was design an ethernet hashing system that would function sort of like a dynamic roulette wheel of SYN types and packet sequence numbers. Using differing protocol sweeps, we could monitor different states without creating state ourselves! The ultimate goal was to provide inverse cascade across multiple routers and switches, allowing an attack to be sourced directly to a particular ethernet interface without the attacker's spoofing even mattering. By rotating state in real-time, using different queueing techniques, we could esentially traverse the entire network, sort of a big de-randomized traceroute, and virtually re-route all attack traffic back into the ethernet "netherworld", in a nutshell.
Very advanced stuff! I applaud your work wholeheartedly!
huh? (Score:2, Insightful)
Makes me happy I just got laid off (Score:3, Funny)
2. I don't have to worry about someone doing it to me.
Is anyone working on SNORT signatures for this stuff?
So what is it? (Score:5, Funny)
Hmm let me guess you have to compile this as root, after that it will give "proof of concept" to the black hat 2002 people that indeed there are previously untapped capacities deep within my server, somewhere remotely hidden on the outer reaches of my port range?
Re:So what is it? (Score:3, Informative)
If you don't know what the OSI Networking Model is yet I suggest you go look it up... [google.com]
Re:So what is it? (Score:2)
Now since he's released the tools as source, I doubt that there's anything particularly nasty in there. Paranoia is still a virtue in the sysadmin business, however.
Paranoia is still a virtue (Score:2)
Alex, I can scan that net in 30ms. (Score:4, Funny)
ping 160.1.255.255
Duck and cover, here comes the smurf...
scanrand and paratrace (Score:5, Informative)
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
The "paratrace" program is quite interesting-- from the README:
Nutshell summary: this uses an existing open TCP connection to run a traceroute through a firewall that would otherwise tell you to take off. I could certainly see this being useful.
Some good background reading on O'Reilly's Safari online books site if your TCP/IP internals are a bit rusty:
Internet Core Protocols: The Definitive Guide [oreilly.com]
TCP/IP Illustrated, Volume 1: The Protocols [oreilly.com]
Re:scanrand and paratrace (Score:5, Informative)
With a traditional scanner, the scanner either has to maintain state (i.e. don't accept a reply to my scan request if I haven't sent it yet, nor if it doesn't match my sequence number, etc..) or it will be subject to the scanee spoofing replies. For example, if you figure out that I'm scanning you, then you can just start generating SYN-ACK packets and lie to me.
By using inverse SYN cookies, the scanee can't reply until/unless it gets the actual SYN packet, and the scanner doesn't have to maintain any state, and can just blast full-speed.
Re:scanrand and paratrace (Score:2)
Re:scanrand and paratrace (Score:5, Interesting)
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:
http://cr.yp.to/syncookies.html [cr.yp.to]
Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.
Re:scanrand and paratrace (Score:2)
Oh, so what up with the scissors and paste links? (Score:2)
( [wholesaled...supply.com]linkcat) [allartsupplies.com]
Would someone please call me dumb and tell me the answer?
Re:Oh, so what up with the scissors and paste link (Score:5, Interesting)
--Dan
Re:Oh, so what up with the scissors and paste link (Score:2)
A tip of my tin-foil hat to you, sir.
Soko
Re:Oh, so what up with the scissors and paste link (Score:2)
This, sir, was genius. After reading your presentation at 5AM and not having my head explode, seeing this made me laugh out loud. I'd love to see the look on some webmaster's face trying to figure out why their obscure online store got so much traffic in a 4 hour window their server crashed.
"Linkcat? Whats that? Is Radio Shack giving away useless toys again? Who are all these geeks and why did they crash my store? Hey Lloyd, we better quadruple our stock of scissors - don't ask!"
So with this utility program (Score:3, Funny)
I want to be a troll now (Score:5, Insightful)
The compost bin story got a more meaningful discussion that this.
90% of people here think that case mods are cool
99% of people here look at a program which allows you to traceroute without icmp or udp (just to name one thing) and say "yeah, but what's the use"?
WTF?
I shall go and troll in the story about case with 6 neon lights attached to it now. See ya.
I think this sums it up nicely... (Score:2)
http://apple.slashdot.org/comments.pl?sid=44091&c
Re:I want to be a troll now (Score:2)
Re:I want to be a troll now (Score:3)
I think a lot of people have noticed a stark decline in slashdot quality the last three or four weeks. This is about the time the editors changed the code to post notice about your mod points on the top of the front page when you log in. According to CmdrTaco, the number of mod points in use jumped from 4 per 10 comments to ~8 per 10 comments. To me this means two things:
This is dangerous. We're talking about a Byzantine failure model with half of our population being bent on our destruction. We can tolerate 20-25%, but once half the moderators are aligned against intelligent conversation, the system breaks down.
Might want to read Taco's journal [slashdot.org]. He talks about the moderation system, and they're trying to figure out what to do about the sudden inflation of mod-points. They're not working very fast, granted, but they're working.
It's also time for everyone to start thinking about what's broken, specifically, as opposed to the general "slashdot is totally populated by trolls" theory. The population of slashdot has not changed significantly in the last month! But the way we listen to them has. And so we're hearing more useless chatter. Slashdot isn't dead, it's just broken. I've come up with some ideas that I'll post to my journal - or a story about the slashdot malaise that may or may not get posted on the front page - to solicit public comments on what should be changed/fixed. Wish I had already, but been busy.
Don't worry though. I'm sure that if slashdot does die, whatever succeeds it will first be posted about on slashdot. =)
no, no, this IS revolutionary! (Score:3, Funny)
basically, this guy found a way to say "i will die alone" in over five hundred words, including the words "link layer" and "phentropy".
What Paketto Is (In Simpler Terms) (Score:5, Informative)
========
Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down "yes" or "no" depending on the response. Normally, there's lots of overhead as you keep track of who you sent requests to and thus who you're expected responses from. Overhead, or "state", makes things slow. So scanrand is stateless -- right when you start up, it splits in two. One half asks everyone, "Heh! What are you hosting!" The other half picks up responses, "Hmmm, some guy just said he has a web server."
Now, there's a problem: If someone knows I'm not keeping track of who I'm scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request -- the "Sequence Number". This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that's talking to me, and immediately know whether I ever scanned this guy in the first place.
So, that's why I get to scan really fast. Mind you, it's the least impressive part of Paketto in raw technical terms -- but it's definitely useful as hell.
MINEWT
======
What if you could just run a program, and a router showed up on your network? I don't mean physically, but I also don't mean "having anything visibly related to the computer hosting it". It'd be virtual, with its own separate IP addresses and it's own MAC addresses too. It'd be portable to any machine on the LAN, maybe it'd be fast, but it'd definitely be amazingly flexible -- no chips to make, no wires to crimp. Run this software, and there's something new on your net.
That's what minewt is -- a new router that just shows up and works. Now, it happens to do some funky things -- Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaches it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it's flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool -- NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*'s an 192.168.*'s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.
It ain't your gateway that downloaded all those MP3's, even if that's the IP address on that flow of music.
Well, there's also this tech called ARP -- the Address Resolution Protocol. Your local network doesn't have a clue about IP addresses -- it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP -- 10.* or whatever -- to the MAC address the factory assigned.
NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).
MAT -- MAC Address Translation -- just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).
End result? Multiple hosts can share the same IP address. Cool.
LC [LINKCAT]
============
I've got a wire. I want to talk on it -- but I can't, I've got all these sockets and programs and limitations in the way. Or at least, I had them.
1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.
3) Profit.
Or,
1) Execute lc -l00 and start watching everything on the network go by in hex. ANything I like, I can copy, then run lc -m00 and paste back onto the wire once again.
3) Profit.
lc has a really interesting mode that's based on the fact that you can actually put data in a frame *after* IP is done with it -- it's called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, lets put crypto in it -- lets sign our frame! Basic support for SHA-1 HMAC's is provided.
PARATRACE
=========
Alright, this is kinda neat. You've got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you're gonna start up a whole new connection. Paratrace gets around that -- you see, TCP lets you repeat packets; actually, by repeat, it's more like "The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine." So instead of spawning a whole new connection for our traces, we run our traceroute -- which is entirely a Layer 3 IP hack -- using a legitimate Layer 4 TCP packet. When the data eventually gets there, it's mostly ignored -- oh, the network screwed up again.
If there's a stateful firewall in the way, well, it's looking at Layer 4 data, which is 100% valid.
PHENTROPY
=========
See a cloud? Might be random. See a bunch of triangles? That ain't random. See the Borg Cube? Yeah, that's the FreeBSD kernel. This is an extension of Michel Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.
Terribly sorry I didn't do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.
Re:What Paketto Is (In Simpler Terms) (Score:3, Informative)
--Dan
Re:What Paketto Is (In Simpler Terms) (Score:2)
Are there statically compiled bins (modulo OpenGL) available for several operating systems?
Re:What Paketto Is (In Simpler Terms) (Score:2)
Re:What Paketto Is (In Simpler Terms) (Score:5, Informative)
b) Docs were added at last minute; I've yet to write a true manual.
c) The code's tiny and mostly self contained, but I understand your worries. Contact me privately and I'll give you a bit of my history.
--Dan
Re:What Paketto Is (In Simpler Terms) (Score:2)
Re:What Paketto Is (In Simpler Terms) (Score:3, Informative)
Odd links (Score:2, Insightful)
Re:Odd links (Score:3, Informative)
Elmer's glue - Paste
Fun with errors? (Score:5, Informative)
Re:Fun with errors? (Score:2, Interesting)
It's a layer 2
Re:Fun with errors? (Score:2, Informative)
Ditto... You're not the only one worried about it!
Re:Fun with errors? (Score:2)
This, however, puts a whole new angle on espionage, insider corruption, coordinated intruder-assisted theft and cracking, and possibly underground peer-to-peer networks. Just to get the tip of the iceberg.
One would argue that some of this stuff may not be new, but it's certainly the first I'm hearing of any such tools or concepts being used.
I like the LC program a lot. Someone could build a whole new network on that concept. It probably doesn't make much sense outright, but I can see all kinds of nasty tricks being played with that. That traceroute-like tool is also impressive... it could be downright dangerous for certain people with a level of network knowledge and intent of evil far beyond mine.
Re:Fun with errors? (Score:5, Insightful)
The guy that came up with this released it so that we can all see it, use it, understand it, and adapt to the problems that come with it. That's not "getting blindsided". Getting blindsided is the guy that came up with it realizing that incredible destructive power may be in his hands and that he could just use it right then and there when no one even understands what he's doing on a very basic level.
Since this is just a rearranging of what was already in TCP/IP, it was already there, sitting in some deep corner of the internet and the logic of how it works. Rather than being afraid of what it could do, I'm just thankful that the guy that found it decided to let everyone know about it so that we can take advantage of its good parts and protect ourselves against its bad parts.
TCP traceroute (Score:3, Informative)
TCP Traceroute is useful enough that it's already been implemented by somebody else. [toren.net] GPL, and for Linux, with an RPM available, even.
Warning Geek at Work (Score:3, Insightful)
Firstly as a poster has noted before, by going under the radar by directly using the IP layer, this is going to open up a whole new rash of attack methods which we would be much better investigating and defending against.
Secondly, I think its cool, it renews my faith in the basic tenet of geekdom - play with it until you break it, then learn to fix it again.
Between this and the Lego Escher... (Score:2)
Anyone try under RedHat 8? (Score:2)
Scanrand works excellent under RH8... I can't believe how fast it is... WOW! Going to have to play with this one a little more. Definately blows the doors of nmap. The good news is that none of these scans seems to crash anything. The "ping of death" comparison in the article description made me a bit tense, since it's my job to defend the empire.
Re:Anyone try under RedHat 8? (Score:2)
I wouldn't toss nmap out the window just yet if I were you.
LOOK OUT! (Score:3, Interesting)
Can you imagine the damage that might occur if this hyperspeed scanner were combined with a Code-Red style worm? We've already talked about infection rates of few days, and with some optimization [slashdot.org], much less.
But couldn't scanning tools like these cut the time for 100% Internet saturation down to something like 5 minutes?
-Ben
Keep yer shirt on (Re:LOOK OUT!) (Score:5, Informative)
As for your worries about hyperspeed scanning, well, it's quite bandwith intensive. I guess network operators would notice if someone was scanning the entire internet this way. 2^16 hosts scanned in 4 seconds at full throttle means that 2^32 hosts takes 2^16 times longer. If the network was being satrurated for that amount of time, network operators _WILL_ notice.
Re:Keep yer shirt on (Re:LOOK OUT!) (Score:2)
Re:Keep yer shirt on (Re:LOOK OUT!) (Score:3, Informative)
Err... it's the reverse SYN that makes the Keiretsu port scanner interesting. Still it's not one bit stealthier than an nmap doing the ordinary SYN scanning.
For example banks record every incoming TCP SYN packet that leaver a socket half-open (i.e. for which the responded SYN ACK is never acked in return) and their alarms sound when they start receiving TCP SYN packets for "suspicious" port numbers, for a bank webserver that is pretty much anything outside 80. Well, not alarms, but they do usually take action if there are more of such packets (indicating a pattern, e.g. a scan).
Then again, port scanning in an environment where it may get logged indicates that some basic things have been forgotten. Attacking a bank on an IP level and looking for open ports is like trying to score J.Lopez, theoretically possible but pointless in practice.
Re:Keep yer shirt on (Re:LOOK OUT!) (Score:2)
Yeah, and worms will certainly rate-limit themselves and be nice to your network, won't they? ;-)
No. That would mean that scanning a single host would only take 4/2^16 seconds, or 0.06 msec. This seems too short to me, actually it probably is below your network's latency, even in a local network, so you cannot scan a single host that fast. The scanner works that fast by not scanning the hosts sequentially, but by sending requests out in parallel, and then collecting the responses as they come in. So I suppose the time it takes to scan a network doesn't linearly depend on the number of hosts.
Well, when we're talking about worms, we're also talking about admins who leave their servers unpatched for months, so I'm not sure if they would notice. But the worm doesn't have to scan the whole internet anyway, because every infected machine will infect any other vulnerable host that it finds.
The real question is whether what slows worms down is the time it takes to portscan, or the time it takes to actually try to infect other hosts that you've found. I have no data to back up my claim, but I suppose that the actual infection takes much longer in comparison, so speeding up the port scanning will not significantly improve the speed of the whole "infection process."
Re:Keep yer shirt on (Re:LOOK OUT!) (Score:2)
Re:LOOK OUT! (Score:2)
This isn't improved with faster port scanning. Port scanning might help you while you're making your seed file, but once you've found all those webservers, you still have to check each one to see if it's vulnerable.
Iduno. I think.
Yeah. (Score:2)
Neat hacks, but not profound discoveries (Score:3, Interesting)
His "router" seems pointless, unless it's attached to someone else's LAN. Yes, you can write a single-port NAT router that allows multiple machines on the same LAN to have the same IP address. But then they can't talk to each other. (They can talk to the "router" and perhaps, via it, the outside world.) Apparently he did this to get around some restriction on his dorm LAN in college.
Re:Neat hacks, but not profound discoveries (Score:3, Interesting)
Anyway, I used Proxy ARP to get around college LAN restrictions. I couldn't have done Minewt way back when. Minewt is an extension of Doxroute, which was written to allow routing rules based on anything I damn well felt like.
--Dan
Nitpicking (Score:2)
Errr...uhm...what was that in the middle part? (Score:2)
Of limits for ye olde slashdotters.
Let me fist get the Crab-Book (http://www.oreilly.com/catalog/tcp3/) and read it. And then post this thing again a half a year later, so I can add my smartass remark.
Here's for the ones who like pictures (Hehehe...):
http://www.aw.com/catalog/academic/
Geez, I really have to get my TCP/IP sorted out. This stuff sounds to cool to miss out.
Re:What language? (Score:4, Informative)
packetto = loan worn (usually in katakana) meaning packet.
ie.. Packet Company in Japanese
Re:That's Great (Score:2, Insightful)
Re:That's Great (Score:4, Insightful)
Most of it has little direct cracking application that I can see. We have a fancy traceroute, a system allowing multiple hosts to share an IP address and still get the correct data through MAC address translation.
I can see where scanrand could be abused, but it won't be until someone writes a script for the script kiddies to use.
As for the idea of security through not telling anyone, read The Cuckoo's Egg and study up on the Internet Worm to figure out why that idea is completely idiotic.
It sure is great. (Score:4, Insightful)
Because insurance companies don't require an authorized audit of computer security (yet), most places are wide-open. Think of this as the example of how to start fires, and why the government should have laws about the fire protection that public theatres (ecommerce sites) should have. Most companies are happy to let a room full of patrons burn to death -- that's why we need examples and government intervention. Besides, I'd rather that fellows like this release what they've been working on, so I know what to look out for, and can apply their methods against my systems at leisure in order to find problems and address them.
Re:Attention Slashdorks (Score:2)
I imagine this guy [slashdot.org] would have said something along those lines.
Re:hey (Score:2)
http://www.doxpara.com/404.php?f=/home/effugas/
Re:hey (Score:2)
Moron. This guy's got skills, and you don't even see it. These tools are very impressive. Paketto Kieretsu is to nmap what a Ferrari is to a Pinto.
Re:Note to the editors: (Score:5, Insightful)
This is News for Nerds - if it was something joe-shmoe Wallstreet journal reader could understand, then it would be in the Wallstreet Journal. If you don't understand it, LOOK IT UP.
Re:Note to the editors: (Score:5, Insightful)
I'm going to burn some karma.
Somebody needs to moderate the parent comment up. This article is not merely masturbation for some geek - these are fundamentally cooler tools than what we've had before. Why? Because they do what they do - port scanning, routing, etc. - in new and more flexible ways.
One of the problems with releasing a powerful tool is that you need to *train* people to use it. Even moreso than in meatspace, virtual tools like these require you to grok both the code and the environment in which the code runs. In this case, you need to understand how TCP/IP works, what the OSI layers are and how they interrelate, how existing implementations have been done, and how these tools are different.
It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"
*sigh*
Re:Note to the editors: (Score:2)
Now I just wish I could go to Hivercon and see him speak......
Re:Note to the editors: (Score:5, Insightful)
The latter is understandable - a whole lot of /. folks just realized they need to brush up on TCP/IP theory - and that's a good thing. I know I pulled out my cheat sheets while reading his presentation.
But the former is just plain annoying. Dan has done some really impressive work, using a very mature system in innovative ways. What did you expect? That he wrote some killer app that would make you rich during the IPO? This is great stuff - some of which doesn't have real world applicability (right now anyway), but so what? He's doing research into what CAN be done. I work in IT at a large research university and it really brings home the importance of research for research's sake. Others will come up with commercial applications where appropriate. But research is pushing the boundaries of existing knowledge or delving into completely new areas. For the sake of knowledge and learning.
That said, for all of you saying 'this isn't new' or 'it's no big deal till they write scripts for the script kiddies' what crack are you on? In addition to making my head spin this early in the morning, Dan's presentation and ideas sent a shiver down my spine. I administer an academic network which means no firewall. Dan's ideas, which I could use for good, can also be used for evil. Easily. This kind of stuff is scary.
Think about how much time, bandwidth and effort CodeRed wasted trying to spread itself probing systems that were not web servers. Imagine using this scanning technology as an opening salvo to a new exploit attack via port 80. BANG! Your network security folks sit up with a start as your Class B just got hammered hard. But it was over in 10 seconds. You look into it, but aren't really sure what it was. But now the attacker knows EVERY SINGLE HOST on your network running something on port 80. You (and the rest of the network) just got infected that much faster. Yes, previous papers already theorized this was possible (Warhol Worm, etc) But this makes it even scarier. A two stage worm could really blow things away. The first stage uses ultra fast scanning to build hosts responding to a given port. These first stage hosts develop into a network gathering available hosts to hit based on these ultra quick scans and then fire off stage two infections with pre-seeded network lists most likely to be vulnerable or offer the most targets.
Hell, the second stage would be WELL underway by the time most network security admin's pagers went off.
I tip my hat to Dan - this is great stuff with many useful applications, even if some are less than savory.
Loose Source Route scanner and tunnels (Score:4, Interesting)
While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about.
IMHO,
Michael
nice... check the parent link... (Score:2)
Re:Loose Source Route scanner and tunnels (Score:3, Interesting)
Funny story, actually.
For quite a while, I thought IP Options just didn't work in the Core...wasn't till recently that I discovered the two PIXes I live behind block them uncontrollably.
Scanrand's traceroute mode will eventually support some remote mesh discovery using LSRR. Thanks for the link! This will help immensely.
--Dan
Re:Note to the editors: (Score:3, Informative)
I haven't tried them so I'm probably missing things.The tools are;
1) a _very_ fast portscanner. It lets you find computers and services on a given network.
2) a virtual router. Lets multiple hosts share the same IP address.
3) a pipe to ethernet thingy, lets you type directly out onto the network. You'ld be quite the 31337 hacker if you used this one regulary.
4) a silent traceroute that'll let you probe behind a NAT firewall. wow. That's kinda nasty.
5) and the coolest one of the bunch, a program that renders the randomness of a remote-machines packets into 3D space. Cool.
Re:translation (Score:5, Funny)
Slightly different?
Yeah, and a cellphone is just like two cans and some string, only slightly more useful.
There are some seriously funky tools in there - check them out.
Re:translation (Score:2)
Can someone translate this for us?
Belloc
Re:translation (Score:5, Insightful)
Hey pal, anyone can break an internet protocol, but it takes skill to bend the hell out of it. This guy dumps more braincells everytime his girlfriend spits after oral sex then you could ever hope to have. This guy speaks in TCP/IP, you just speak in condescending technocratic bullshit. You're the reason information is not free-as-in-beer free.
Hey Slashdot, we're going to get a big group of us together and go beat the fuck outta Stephen Hawking! Who the fuck does he think he is looking at the universe in a slightly diiferent way, except those views were heralded by an obtuse 500 page self-aggrandizing technobabbling hardcover!
I'll post at +1, I've got karma to burn....
AWG
Re:translation (Score:5, Interesting)
Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.
Re:4 Sec? (Score:2, Interesting)
"Black Ops of TCP/IP", Indeed.
Re:All I want to know is. ... (Score:5, Insightful)
Breaking into networks, crashing people's systems...unnecessary and boring, in that order.
You don't need to be a Black Hat to play with protocols. Not in the slightest.
--Dan
Re:not possible (Score:4, Informative)
Kernel has no idea what's going on, it RSTs anything it gets (which is fine by me).
--Dan
Re:kieretsu (Score:2)
Re:kieretsu (Score:3, Informative)
--Dan
Re:Holy bejesus... (Score:2)
This is also where someone corrects me for not knowing what I'm talking about. Kudos to Dan for putting these tools online though. As a Linux user, I'm thrilled to have new and cool stuff to play with.
Mmmmmminewt.
Re:Holy bejesus... (Score:2)
Isn't that the assumption anyone who has to secure a server or network is supposed to work under?
Re:Nano Prob Technology? (Score:4, Funny)
If it didn't support stateless tracerouting w/ passive hopcount detection and split mode operation, I'd almost be too embarassed to release it.
--Dan