Slashdot Mirror


Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release

Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessible without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left...creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against each other, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc ( linkcat ), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrilla Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".) In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."

303 comments

  1. That's Great by cscx · · Score: 0, Troll

    Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

    1. Re:That's Great by fliplap · · Score: 2, Insightful

      Yeah, because if it takes em all night to scan the network they're less likely to get in right?

    2. Re:That's Great by Bastian · · Score: 4, Insightful

      Do you even know what this stuff does?

      Most of it has little direct cracking application that I can see. We have a fancy traceroute, a system allowing multiple hosts to share an IP address and still get the correct data through MAC address translation.
      I can see where scanrand could be abused, but it won't be until someone writes a script for the script kiddies to use.

      As for the idea of security through not telling anyone, read The Cuckoo's Egg and study up on the Internet Worm to figure out why that idea is completely idiotic.

    3. Re:That's Great by Sarin · · Score: 1

      Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

great idea, finally someone gets it :)

    4. Re:That's Great by Anonymous Coward · · Score: 0
      Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

      No need. They can just download it.
    5. Re:That's Great by rindeee · · Score: 1

Wow...the Cuckoo's Egg. What a great book (if you haven't read it, you should). I read that just before heading off to college, just after (like the day it hit the store) it was published (man, has it been that long). I contacted Cliff (the author) via e-mail and had ongoing "conversations" with him. He introduced me to lots of others who introduced...you get the idea. I later worked with the Fed on early (1990-91'ish) commercial Internet security projects. Man, that was a fun time on the Internet...things have changed soooo much. Sheesh, here I am in the "way-back" machine and I'm only 30. I'm in BIG trouble. Oh well, it's fun to have "been there".

    6. Re:That's Great by nmg · · Score: 0

      Indeed, the Cuckoo's Egg was a great book. Not only technically interesting, it's an exciting read.

    7. Re:That's Great by Anonymous Coward · · Score: 0

      "I later worked with the Fed"

You are from now on a government robotron. There is no cure for that.

  2. ...wha? by Anonymous Coward · · Score: 3, Funny

    ...how I wish Babel Fish would have a Geek->English translation option...

    Anyone here want to sum it up IN PLAIN ENGLISH, without involving beowulf clusters or "Profit!"?

    1. Re:...wha? by Anonymous Coward · · Score: 4, Funny

      1. Set up a Beowulf cluster of secure tunnelers.
      2. Detect thousands of networks in seconds.
      3. ?????
      4. Profit!

    2. Re:...wha? by unicron · · Score: 4, Funny

      Roughly translated it means they have all 3 CCIE's and get money thrown at them.

      --
      Finally, math books without any of that base 6 crap in them.
    3. Re:...wha? by Anonymous Coward · · Score: 0

      Connect to babelfish.altavista.com and select the GREEK to english translation. Use some white-out to mask off the 'R' and then hit translate. Works like a champ. ;)

    4. Re:...wha? by m1a1 · · Score: 4, Informative

      I'll try and hook you up here. Seeing as most of the replies to this I have checked were ridiculous. Basically what these guys are looking at is new ways to use the lower parts of the OSI model.

The networking model is divided into seven layers. These guys are looking at mainly levels 2-4. These layers are: 2) Data Link, 3) Network, 4) Transport. It looks like most of this focuses on the Network and Transport Layer, where TCP/IP live (reverse respectively). There are basic things you can do with tcp/ip values and protocols, such as traceroute, ping, etc. They are finding new things. An example of the typical tcp/ip function is the traceroute. You send a packet with TTL (Time to Live) set to 1. Whoever it hits tells you it died. Then you do 2. Slowly you find your way to the destination, tracing each hop along the way. They are finding new, similar uses for tcp/ip.

    5. Re:...wha? by offpath3 · · Score: 1

I thought babel fish only made things harder to read...

    6. Re:...wha? by Lord+Flipper · · Score: 1

      Well it's obvious what it all means to me: If i switch my web server to port 81, and they start at the other end of the earth, it'll be just a little over 9 1/2 hours before earthlink shuts me down.... assuming i'm the very last IP that gets crunched. Nice.

    7. Re:...wha? by scalis · · Score: 1

People, please. If all efforts to understand the concepts of this package fail, read the README. OK, I know it's cheating but still...
      Quoted from the README:

      "Vastly more coming soon; hopefully this helps a bit.
      Yes, this is pretty pitiful."


      Get it??

      --

      True ravers don't need drugs
  3. 4 Sec? by ProtoStar · · Score: 0, Redundant

    4 seconds for 65k address is damn fast.

    1. Re:4 Sec? by Anonymous Coward · · Score: 0

      Whoever modded up ProtoStar's post as insightful is my hero!

    2. Re:4 Sec? by Istealmymusic · · Score: 2, Interesting
4 seconds for 2^16 is very fast. That's only 4(2^16) = 262,140 seconds = 4,396 minutes = 72 hours = 3 days for a sweep of the entire Internet. The virus-spreading possibilities are immense; in a mere three days a single virus could discover all exploitable hosts, though of course the time would be cut drastically due to the distributed nature of viruses. This isn't as fast as the 15 minutes the Warhol Worm offers, but is faster than most admins will be able to patch their boxes, assuming the exploit is discovered and published beforehand. The possibilities of an underground vulnerability circulating without a patch are very real, and it could easily take 3 days for a vendor to fix the problem.

      "Black Ops of TCP/IP", Indeed.

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    3. Re:4 Sec? by Jucius+Maximus · · Score: 1
      "4 seconds for 65k address is damn fast."

      Hasn't Steve Gibson been promising some sort of freeware hyper speed port scanner for months, possibly years now? If you go take his shieldsup test, there he mentions something about it on one of the pages.

    4. Re:4 Sec? by Arctic+Fox · · Score: 1

      No. Less than three days. Imagine if you found the first exploitable host, infected it, then started the search from that one. Now you have two searching. You would exploit and scan, scan and exploit... Could be very fast.

    5. Re:4 Sec? by barake · · Score: 1

i was just trying to start on the math for it... it'd be a day with just two other machines involved, assuming you didn't have them doing redundant scans. coded right, after the first few machines, it might be a matter of an hour or two to scan and infiltrate all vulnerable hosts. anyone feel like doing the math thing? i'm a lazy bastard.

    6. Re:4 Sec? by Deflatamouse! · · Score: 1

      If it takes 4 seconds to spread to 2^16 computers, then it takes another 4 seconds for each of those 2^16 to spread to another 2^16 for the entire 2^32 internet. That's only 8 seconds total. Of course it really depends on where the origin is and the network topology. But it would not take days or even hours to spread to the entire internet, just minutes.

    7. Re:4 Sec? by mindstrm · · Score: 1

      Keep in mind it probably used some feature of that network that worked via multicast/broadcast. I'm sure it didn't simply scan 2^16 hosts individually.

    8. Re:4 Sec? by OneEyedApe · · Score: 1
      This could be used to create or even improve upon Curious Yellow

      A frightening proposition

      --
      Life sucks, but death doesn't put out at all....
      --Thomas J. Kopp
    9. Re:4 Sec? by Arctic+Fox · · Score: 1

      Well, maybe not that fast.
      It may take 4 seconds to scan 2^16 hosts, but to check for exploits and install itself? Maybe a minute or two.
      I do agree, that it would probably be minutes. Maybe even faster than the Morris worm.

    10. Re:4 Sec? by Anonymous Coward · · Score: 0

      It's been 3 years since I initially heard about this scanner that he was planning to release "any day now". Gibson says a lot of things.

    11. Re:4 Sec? by Aaron+Denney · · Score: 1

      Read the fucking article. It used standard unicast, but in a very clever way. (the part that sends out checks is not the part that listens for responses back.)
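The split this comment describes (the sender forgets every probe it fires; the listener recognises real answers without a table of outstanding probes) is what the submission calls Stateless TCP Scanning with Inverse SYN Cookies. The following is an added illustration of that idea, written for this page; it is not scanrand's code and does not claim to reproduce scanrand's exact cookie construction. The sequence number of each SYN is an HMAC over the probe's own addressing; a genuine SYN/ACK or RST must carry ack == seq + 1, so the listener recomputes the HMAC from the reply and compares. The key, source port, target list and the in-process "network" are all constructed for the example, so it runs without raw sockets or privileges.

```python
"""Stateless SYN scanning with an inverse-SYN-cookie check, run against a
constructed in-process 'network' (no raw sockets, no real hosts).

Sender: the 32-bit sequence number of each SYN is an HMAC over the probe's own
addressing, so no per-probe state is kept.
Listener: a genuine SYN/ACK or RST carries ack == seq + 1, so the listener
recomputes the HMAC from the reply's addressing and compares. Anything else is
dropped as unsolicited (spoofed, stale, or belonging to another scan)."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Hypothetical per-scan secret; a real tool would draw it from os.urandom at start-up.
SCAN_KEY = b"example-scan-key-not-from-the-page"
SRC_PORT = 33333  # assumed fixed source port for every probe

# Constructed target list (RFC 5737 documentation addresses), not a real network.
DEMO_TARGETS: List[Tuple[str, int]] = [
    ("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.10", 22),
    ("192.0.2.11", 22), ("192.0.2.12", 80),
]


def cookie_seq(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> int:
    """Initial sequence number for one probe: HMAC-SHA256 over (dst_ip, dst_port,
    src_port), truncated to 32 bits. The probe's identity lives in the number itself."""
    msg = ipaddress.IPv4Address(dst_ip).packed + struct.pack("!HH", dst_port, src_port)
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def make_probe(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> Dict:
    """Fields a packet builder would need for the outgoing SYN. Nothing is stored."""
    return {"dst_ip": dst_ip, "dst_port": dst_port, "src_port": src_port,
            "flags": "S", "seq": cookie_seq(key, dst_ip, dst_port, src_port)}


def classify_reply(key: bytes, reply: Dict) -> str:
    """Listener side. The reply's (src_ip, src_port, dst_port) is the mirror image of
    the probe's (dst_ip, dst_port, src_port); recompute the cookie from those and
    require ack == cookie + 1 before trusting the flags."""
    expected = (cookie_seq(key, reply["src_ip"], reply["src_port"], reply["dst_port"]) + 1) & 0xFFFFFFFF
    if reply["ack"] != expected:
        return "unsolicited"
    if "R" in reply["flags"]:
        return "closed"
    if "S" in reply["flags"] and "A" in reply["flags"]:
        return "open"
    return "other"


def fake_network(probe: Dict) -> Optional[Dict]:
    """Constructed stand-in for the targets: open ports answer SYN/ACK, closed ports
    answer RST/ACK, a filtered port stays silent. Not real host behaviour data."""
    open_ports = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.11", 22)}
    filtered = {("192.0.2.12", 80)}
    target = (probe["dst_ip"], probe["dst_port"])
    if target in filtered:
        return None
    reply = {"src_ip": probe["dst_ip"], "src_port": probe["dst_port"],
             "dst_port": probe["src_port"], "ack": (probe["seq"] + 1) & 0xFFFFFFFF}
    reply["flags"] = "SA" if target in open_ports else "RA"
    return reply


def stateless_scan(key: bytes, targets: List[Tuple[str, int]],
                   src_port: int = SRC_PORT) -> Dict[Tuple[str, int], str]:
    """Send every probe and forget it; then classify whatever comes back.
    A spoofed SYN/ACK with a made-up ack is mixed in to show the cookie check rejecting it."""
    replies: List[Dict] = []
    for dst_ip, dst_port in targets:
        reply = fake_network(make_probe(key, dst_ip, dst_port, src_port))
        if reply is not None:
            replies.append(reply)
    replies.append({"src_ip": "192.0.2.10", "src_port": 80, "dst_port": src_port,
                    "flags": "SA", "ack": 0x12345678})  # forged: ack not derived from our cookie
    results: Dict[Tuple[str, int], str] = {}
    for reply in replies:
        verdict = classify_reply(key, reply)
        if verdict != "unsolicited":
            results[(reply["src_ip"], reply["src_port"])] = verdict
    return results


if __name__ == "__main__":
    for (ip, port), state in sorted(stateless_scan(SCAN_KEY, DEMO_TARGETS).items()):
        print(f"{ip}:{port} {state}")
```

Two practitioner caveats follow directly from the design. First, statelessness means there is no retransmit: a probe or reply lost on the wire looks exactly like a filtered port, so a silent target proves nothing. Second, the key must be secret and fresh per scan; anyone who knows it can forge replies that pass the check, and anyone who can replay an old scan's SYN/ACKs gets through if the same key is reused. On a real host the kernel, which knows nothing about the connection, answers each incoming SYN/ACK with a RST on its own, which conveniently tears down the half-open connection on the target.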

  4. Go Dan! =) by dew · · Score: 2, Interesting

    I roomed with the guy and can attest to the year or so he spent cobbling this stuff together. Go Dan!!

    -david

    --

    David E. Weekly
    Code / Think / Teach / Learn
    h4x0r for

    1. Re:Go Dan! =) by Karamchand · · Score: 5, Funny

I was the girlfriend of this guy for three years and can attest he spent them neglecting me and only fooling around with his computer thingies.

    2. Re:Go Dan! =) by unicron · · Score: 1, Troll

      You weren't exactly his girlfriend, you were more of that thing that stood on that bridge and wouldn't let people cross until they answered riddles.

      --
      Finally, math books without any of that base 6 crap in them.
    3. Re:Go Dan! =) by susano_otter · · Score: 3, Funny
      that thing that stood on that bridge and wouldn't let people cross until they answered riddles

      A Monty Python nerd?

      --

      Any sufficiently well-organized community is indistinguishable from Government.

    4. Re:Go Dan! =) by Anonymous Coward · · Score: 0, Funny

      I'm this guy's cock. Still am (duh).

      I can attest that he didn't touch me ONCE that entire year.

      He's touching me now, though. Thanks slashdot!

    5. Re:Go Dan! =) by Reservoir+Penguin · · Score: 1

Now he has a real GD instead of a geeky transvestite who surfs slashdot under a female handle.

      --
      US-UK-Israel: The real Axis of Evil
    6. Re:Go Dan! =) by Anonymous Coward · · Score: 0

      i bumped into this guy in line at Taco Bell and recall him staring at the ceiling then looking at the floor and mumbling to himself about sequential numbering and stateless bob and alice relationships...

      he ordered a big beef burrito supreme. (AFAICR)

    7. Re:Go Dan! =) by Karamchand · · Score: 1

      Karamchand is not a "female handle" - Karamchand is a male name from India. (Remember Mohandas Karamchand Gandhi?)

    8. Re:Go Dan! =) by Anonymous Coward · · Score: 0

      stateless bob and alice relationships

      what about ted and carol?

    9. Re:Go Dan! =) by Reservoir+Penguin · · Score: 1

      So you are admitting that you're really a MAN?

      --
      US-UK-Israel: The real Axis of Evil
    10. Re:Go Dan! =) by Effugas · · Score: 2

      Once while giving a talk to a bunch of students, I accidentally said something along the lines of Bob going into the hole Alice opened up, and Alice going into the hole Bob opened up...

      The room was silent for a few very long seconds.

      --Dan

  5. scissors & glue by brondsem · · Score: 1

    linkcat, scissors and glue. is there a hidden meaning?

    --
    "a quote" -me
  6. That's insane! by DJayC · · Score: 3, Interesting

    "During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."

    That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?

    1. Re:That's insane! by Anonymous Coward · · Score: 4, Interesting

      Um, not that I would know anything about scanning that many addresses, but most of the portscanners out now can only handle 20 or so simultaneous connections and have a 2-3 second timeout. So it would depend how fast the hosts respond and what % have servers. I imagine it would be in the realm of 30 minutes or so for this network.

    2. Re:That's insane! by Anonymous Coward · · Score: 0

Use Necrosoft Nscan (http://nscan.org); it handles 'many' connections (100 easily on a win98, much more on a winxp), you can specify the timeouts and whatnot.

      Beware, it phones home, but nothing that your firewall wouldn't detect, unless you grant it full permissions. But otherwise, a great little portscanner.

    3. Re:That's insane! by trezor · · Score: 1
• Use Necrosoft Nscan; it handles 'many' connections (100 easily on a win98, much more on a winxp), you can specify the timeouts and whatnot.

Why is this not modded up as Informative? Just because it's a Win32-only tool?

      --
      Not Buzzword 2.0 compliant. Please speak english.
  7. Please be nice by thalakan · · Score: 5, Informative

    Hi - www.doxpara.com is temporarily pointed at shaitan.lightconsulting.com, a quad Xeon hosted at Via.net in Palo Alto. Please be nice to my server so I don't have to drive over there and fix it...

    --
    -- thalakan
    1. Re:Please be nice by Anonymous Coward · · Score: 0

      A fan of Dune are we "shaitan"...

      I shouldn't jest because I love it as well but I thought it was interesting.

    2. Re:Please be nice by jilliano · · Score: 1

      A fan of Dune are we "shaitan" Or the Brian Lumley vampire books, or many other things.

    3. Re:Please be nice by sbwoodside · · Score: 1

      Your server is fine. It's my brain that's been slashdotted.

  8. Ok, I'll bite by myowntrueself · · Score: 0, Offtopic

    Was that ROT13 or Dutch?

    --
    In the free world the media isn't government run; the government is media run.
    1. Re:Ok, I'll bite by Anonymous Coward · · Score: 0

      Hey! Dutch looks _nothing_ like ROT-13!

      Dit is gewoon Nederlands, niets aan de hand, hoor. (Or, as the Babelfish would say: 'This is plain Dutch, nothing fancy going on').

      Doeg!
      (Bye!)

  9. What language? by StillAnonymous · · Score: 0, Troll

    Lingua Reseaux? The Paketto Keiretsu? What's this guy been smoking? I'm not sure what's worse, pretentious techno-Latin babble, or "lol, k thx bye" MSN-speak.

    1. Re:What language? by jlittle · · Score: 4, Informative

keiretsu = corporation/firm in japanese
      packetto = loan worn (usually in katakana) meaning packet.

      ie.. Packet Company in Japanese

    2. Re:What language? by Anonymous Coward · · Score: 0

      Paketto Keiretsu is Japanese. I'm no Japanese speaker, but I believe that it roughly would translate as something like "the principle of interlocking operating relationships of packets." I could be way off, though.

    3. Re:What language? by jlittle · · Score: 1

      loan word.. loan word..

      sheesh!

    4. Re:What language? by amaterasu · · Score: 1
      Keiretsu means series or groups. Kaisha is the Japanese word for corporations, and keiretsu gaisha (often shortened to just "keiretsu") refers to subsidiaries and affiliated companies.

      That said, packet series may be one translation, but who knows.

    5. Re:What language? by Anonymous Coward · · Score: 0
      and keiretsu gaisha (often shortened to just "keiretsu") refers to subsidiaries and affiliated companies.

      Presumably then keiretsu geisha refers to a group of business "ladies"...?

    6. Re:What language? by Reservoir+Penguin · · Score: 1

a beowulf cluster of "business ladies" perhaps?

      --
      US-UK-Israel: The real Axis of Evil
  10. I am dumb by cygnus · · Score: 1, Offtopic

    What'd he say?

    What'd he say?

    time to go back to TCP/IP Network Administration to learn how to decode this Slashdot article...

    --
    Just raise the taxes on crack.
    1. Re:I am dumb by bloo9298 · · Score: 1

      Don't be a pussy. If you're going to learn it, learn it properly. Ditch your network administration book and read the good stuff:

    2. Re:I am dumb by stu72 · · Score: 1, Offtopic

      > --
      > *** information wants to be two dollah! ***

      *** Information wants to be ... about treefiddy! ***

  11. Joy... by Anonymous Coward · · Score: 0

    Let loose the hounds.

  12. Re:hey by Second_Derivative · · Score: 0, Informative

Buzzwords mainly, but basically some bloke picked over the specs for TCP/IP, put together some tools that do really pathological things with packets and take advantage of what various TCP/IP implementations expect, and use that to aggressively map networks.

    Uh... in other words, nothing new whatsoever. NMAP's been doing this for ages, this is just more of the same. At least that's what it looks like, the submitter did an absolutely lousy job of actually getting to the point (what the fuck does "Paketto Keiretsu" actually DO!?)

  13. whoa, imagine how many IIS boxen by Anonymous Coward · · Score: 0

    we could exploit now... muahahahah
    KRS

  14. I'm soo dumb by hemingwaynet · · Score: 5, Funny

How come I go through my day feeling my little code is soo smart until I log in to Slashdot and read about C-level hacking of the core infrastructure of the internet by gods on human thrones and feel like a little 1st grader who has to deliver a note to a sixth grade teacher and marvels at the complex stuff on the chalk board....

    *sigh*... I'm important! I swear...

    --
    Bruce Werner http://www.kidventus.com
    1. Re:I'm soo dumb by IlluminatedOne · · Score: 1

      I think that summed up my thoughts after reading this post about as precisely as possible. Kudos!

    2. Re:I'm soo dumb by pumpkinescobarsof2 · · Score: 0

      well put

    3. Re:I'm soo dumb by Istealmymusic · · Score: 2

      Idiots.

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    4. Re:I'm soo dumb by Anonymous Coward · · Score: 0

      /me turns on Funniest Animal Outtakes

    5. Re:I'm soo dumb by Q+Who · · Score: 0

      Exactly.

    6. Re:I'm soo dumb by monk · · Score: 1

      You're not alone.
I've been pulling off the usual miracles for 12 years or so and working with everything from a control system for hundreds of giant mills to control software for sensors and dams across the Colorado river to big, multimillion user per day websites. I wrote a utility that would boot from a floppy and duplicate an HD over a serial port to another machine booted from floppy with no OS, long before anybody had heard of "Ghost", and left it happily churning at the company I built it for with no idea it might be worth something.

      But I am just another stupid poser with nothing special to brag about. I never think of the really cool stuff.

      --
      [-- Trust the Monkey --]
    7. Re:I'm soo dumb by Anonymous Coward · · Score: 0

      Too bad. But if anyone has cool ideas, they should email you at monk@pathfinderconsultancy.com

      No SPAM, please!

    8. Re:I'm soo dumb by Anonymous Coward · · Score: 0

      They're not gods, they're committees.

      *sigh*... I'm important! I swear...

      Did you vote?

    9. Re:I'm soo dumb by Anonymous Coward · · Score: 0

      That's the most mature thing I've ever seen, even moreso than the gay porno flick you did with that 75 year old shriveled black man.

    10. Re:I'm soo dumb by Anonymous Coward · · Score: 0

      Yes, for the local gubernatorial candidate representing the Nazi party. HEIL BUCKNER!

      He's quite the geek, too. One need only look at his website.

    11. Re:I'm soo dumb by IlluminatedOne · · Score: 1

No, not an idiot. Also, not so pretentious as to assume that one is an idiot based upon my reply. My tag word for you is Hastily Judgemental or Imbecile.

15. too much to read by Anonymous Coward · · Score: 0

This is waaaaay too much to read while written in italics

1. Re:too much to read by Wolfrider · · Score: 0, Offtopic

      --It's "whilst" to YOU, you insensitive clod!!

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  16. scary as hell by w1r3sp33d · · Score: 1

    Long ago, when I was first thinking of network security as a career field, I thought "in a few years there might not be enough work to go around..." It looks like it could be another record year.

17. maybe you can clarify by ryochiji · · Score: 3, Interesting

    What's up with the pseudo-Japanese name?

1. Re:maybe you can clarify by sql*kitten · · Score: 2

      What's up with the pseudo-Japanese name?

      A node I wrote on E2 should explain.

2. Re:maybe you can clarify by Effugas · · Score: 2

      It's...a bit of a tribute. Some of the best code I've ever seen -- brilliant, mind-bogglingly cool stuff -- comes out of Japan.

      OK, so maybe it's a bit of an ego trip to lump myself in with these guys...but it's Open Source, BSD stuff; if I was getting paid to write it I'd probably have to name it something like "NetXPress Pro Enterprise Edition". Since it's free, I get to call it whatever I like :-)

      What code impresses me? Off the top of my head:


      Gogo, world's fastest MP3 encoder.

      PVNation. You really want to hear the output of Shapee.

      So, that's the story.

      --Dan

  18. Greek by andyring · · Score: 2, Insightful

    Granted, most of that post was Greek to me, it's still interesting in that I think in any technology or practically any invention, people will find ways to make them do things never even conceived of by the originator. Coming up with new uses for obscure parts of the TCP/IP stack isn't really any different than other inventive uses for common, everyday items. In all actuality, I think it's all about the oft-used phrase, "thinking outside the box."

    1. Re:Greek by Angry+White+Guy · · Score: 1

      We could sue him under the DMCA and make the world safe again.

      Yes, that was sarcasm...

      --
      You think that I'm crazy, you should see this guy!
  19. Still Reading... by airrage · · Score: 2

    I will post a comment here when I'm done reading the main abstract and supplementaries. I'm also hoping to earn a PhD by proxy. Anyone got a text to speech adapter, it might be nice to hear this in my sleep. Seriously, this d00d got skillz.

    --
    "This isn't a study in computer science, its a study in human behavior"
    1. Re:Still Reading... by basschica · · Score: 1

      genius doesn't even sell his talents. i've been friends with dan a couple years now and generally at like 10am my time (in michigan 7, his in CA) he'll message me with something that i can usually begin to understand or try but would never have come up with on my own. if you want some good reading also check out chapters 12 and 13 (i think those are the ones) in hackproofing your network 2nd ed and read doxpara.com frequently.

      oh, and by the way, way to go Dan!!! =)

      marianne

  20. Reminds me a lot of work done at USANC in the '90s by Anonymous Coward · · Score: 2, Troll

This is similar to the work we did at UANC in the 1996 era. We did a lot of things with source fragmenting of ethernet moduli, so to speak. This person's research is eerily similar, but clearly his own. I am not posting to claim copyright, blah blah. Just to point out the respect I have for someone who made it "this far!"

One of the things we did was design an ethernet hashing system that would function sort of like a dynamic roulette wheel of SYN types and packet sequence numbers. Using differing protocol sweeps, we could monitor different states without creating state ourselves! The ultimate goal was to provide inverse cascade across multiple routers and switches, allowing an attack to be sourced directly to a particular ethernet interface without the attacker's spoofing even mattering. By rotating state in real-time, using different queueing techniques, we could essentially traverse the entire network, sort of a big de-randomized traceroute, and virtually re-route all attack traffic back into the ethernet "netherworld", in a nutshell.

    Very advanced stuff! I applaud your work wholeheartedly!

  21. huh? by circletimessquare · · Score: 2, Insightful

    i don't know a damn thing about what this story is talking about, but i've never been more scared in my life

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:huh? by Anonymous Coward · · Score: 0

      :>
      My sentiments, exactly. After reading your response and laughing out loud, tho, I think the original post starts to sound like Charlie Brown's teacher.

    2. Re:huh? by Anonymous Coward · · Score: 0

      Those two statements are very closely related...

  22. Re:Attention Slashdorks by Drunken+Coward · · Score: 2

    Nobody on their death bed ever said "I wish I had spent more time alone in front of my computer".

    I imagine this guy would have said something along those lines.

    --
    Have you been stalked by Seth today?
  23. Makes me happy I just got laid off by jakedata · · Score: 3, Funny

    1. I have plenty of time to play with it.

    2. I don't have to worry about someone doing it to me.

    Is anyone working on SNORT signatures for this stuff?

    1. Re:Makes me happy I just got laid off by hobuddy · · Score: 1, Funny

      Makes me happy I just got laid off

      1. I have plenty of time to play with it.

      2. I don't have to worry about someone doing it to me.

      Shit, even the gay porn industry is laying people off these days?

      --
      Erlang.org: wow
  24. Re:Reminds me a lot of work done at USANC in the ' by Anonymous Coward · · Score: 0

ah yea, now that you say it I can remember working at USANC! Woa, it was a cool time with you guys :-) Designing an ethernet hashing system at 2 in the morning and ordering a new pizza.. very cute. Actually I really miss these times.
    I'd be glad to see you again guys!

  25. So what is it? by Sarin · · Score: 5, Funny

    The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.

    Hmm let me guess you have to compile this as root, after that it will give "proof of concept" to the black hat 2002 people that indeed there are previously untapped capacities deep within my server, somewhere remotely hidden on the outer reaches of my port range? ;)

    1. Re:So what is it? by LostCluster · · Score: 3, Informative

      No, this doesn't work on the horizontal edges of your port range. This works below your TCP and UDP ports. It sends messages that don't quite make it that far up there in order to just see what happens.

      If you don't know what the OSI Networking Model is yet I suggest you go look it up...

    2. Re:So what is it? by crawling_chaos · · Score: 2
      I think your humor detector may need a little fine tuning. I think he was referring to the fact that this is an incredibly complex piece of software, written by people We Really Should Not Trust. Who knows what else might be lurking in there, particularly if it has to be compiled as root?

      Now since he's released the tools as source, I doubt that there's anything particularly nasty in there. Paranoia is still a virtue in the sysadmin business, however.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
    3. Re:So what is it? by Effugas · · Score: 2

      I'm quite trustable, but like you said, I released source very much because I have no problems proving that.

      Email me privately if you'd like a bit of history about where I'm coming from.

      --Dan

  26. Re:hey by ChazeFroy · · Score: 2

    He should have spent more time writing decent error pages for his website, ones that don't reveal the absolute path directory structure to his stuff. Try clicking on the "paratrace" link from the slashdot story and you'll see this URL in your browser's bar:

http://www.doxpara.com/404.php?f=/home/effugas/doxpara/writings/docs/paratrace.xml

  27. Re:Hi-yo Captain Obvious! by Anonymous Coward · · Score: 0

    Yeah, but that's still two seconds slower than he finishes with his girlfriend.

  28. Note to the editors: by perrin5 · · Score: 0, Flamebait

    When choosing to post articles, some quick things to bear in mind:
    1) What the hell is he talking about?
    2) No Really, I got layer 2-4 networking, I even got "TCP/IP", but what, precisely has he done that is worthy of note here?
    3) Besides which, to whom is this software suite useful? Does it have exploit probing, does it simply tell you what stuff lives where? Is it something faster than normal scanning procedures?
    4) Background?

    All of these things could be (if you were so inclined) attached to the end of our user's posts so that those of us who are interested, but completely lost by the pure amount of jargon flying about to understand, can figure out what is going on...

    On a side note,

What the hell is the general purpose of these tools, individually or as a group?

    --
    hmmmm?
    1. Re:Note to the editors: by ProtonMotiveForce · · Score: 0, Troll

      The purpose is obvious - win at Bullshit Bingo!

      Looks like a lot of big words thrown about so it looks a lot more important than it is. We've revolutionized.. something or other.

      Why, look at all these cool (i.e. standard, well known) things we've done with OpenSSH!

      My Grandma's done most of those things with SSH, I don't see her publishing a PDF on it.

    2. Re:Note to the editors: by CounterZer0 · · Score: 5, Insightful

      Welcome to the dumbing down of /.
      This is News for Nerds - if it was something joe-shmoe Wallstreet journal reader could understand, then it would be in the Wallstreet Journal. If you don't understand it, LOOK IT UP.

    3. Re:Note to the editors: by ealar+dlanvuli · · Score: 1, Flamebait

      I know it's a really strange concept, but if you will note some of the words are underlined in his post.

      READ THE FUCKING ARTICLES.

      --
      I live in a giant bucket.
    4. Re:Note to the editors: by EllF · · Score: 5, Insightful

      I'm going to burn some karma.

      Somebody needs to moderate the parent comment up. This article is not merely masturbation for some geek - these are fundamentally cooler tools than what we've had before. Why? Because they do what they do - port scanning, routing, etc. - in new and more flexible ways.

      One of the problems with releasing a powerful tool is that you need to *train* people to use it. Even more so than in meatspace, virtual tools like these require you to grok both the code and the environment in which the code runs. In this case, you need to understand how TCP/IP works, what the OSI layers are and how they interrelate, how existing implementations have been done, and how these tools are different.

      It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"

      *sigh*

      --
      We who were living are now dying
      With a little patience
    5. Re:Note to the editors: by perrin5 · · Score: 0, Flamebait

      OK, asshole alert.

      I can, and do try to RTFA, if at all understandable, but when the POST ITSELF is merely a bunch of rambling, useless links to logs, explanations of RFCs of the protocol he's worked off of, a link to stuff he's done in the past, and one POWER POINT FUCKING link, what do you propose I read?

      --
      hmmmm?
    6. Re:Note to the editors: by Luke-Jr · · Score: 1

      Last time I checked, portscanning 64K IPs would take a whole lot longer than 4 seconds...

      --
      Luke-Jr
    7. Re:Note to the editors: by Anonymous Coward · · Score: 0

      er yeah sorry I guess you do have a point, I followed the links in the articles themselves and found some interesting explanation. The post was exceptionally crappy.

    8. Re:Note to the editors: by CounterZer0 · · Score: 2

      Thanks for the help - that was really unexpected, given the volume of 'WTF does this thing mean? What's 'Keiretsu'? Why do we need another port scanner?'. Glad to see I'm not the only one who was really engrossed by AMAZING network theory work....The first 'innovative' stuff I've seen in this arena in a few years. WAY TO GO DAN!

      Now I just wish I could go to Hivercon and see him speak......

    9. Re:Note to the editors: by Anonymous Coward · · Score: 0

      You've been fooled by big words and other people hyping this thing because they've been fooled as well. There's nothing innovative here and certainly nothing "black op" about it. Sheesh, this is as bad as Gibson's articles.

    10. Re:Note to the editors: by Anonymous Coward · · Score: 0

      Except, it WASN'T just a bunch of jargon. It made sense if you understood the concepts, if you didn't, move on to the next article.

      Just because you don't understand it doesn't mean that it's crap. In this case it means that it's just above you.

    11. Re:Note to the editors: by Anonymous Coward · · Score: 1, Informative

      64K IP range in 4 seconds...
      so a 1Gbps Ethernet has ~1.5Mpps @ minimum size (64-byte).

      It will take ~0.044 seconds to transmit your 64K 'SYN' packets. (Hope your routers don't drop any due to congestion :)
      Now wait some reasonable time for the last of the responses to trickle in: ~200ms.
      8300 responses: ~0.006s.

      So the time would be:
      0.044+0.200+0.006 = ~250ms.

      Now, assume you have 100T. This is x10 for the send/receive time, the same for the latency, so ~700ms.

      So the network in question had ~30Mbps of bandwidth available.

      seems possible.

    12. Re:Note to the editors: by jericho4.0 · · Score: 3, Informative
      He has come up with some very novel and bright ways to do several old things. The tools aren't blackhat or whitehat by themselves, but have one big blackhat advantage in that they're not going to be detected by anyone yet. They all have interesting uses in network admin or debugging.

      I haven't tried them so I'm probably missing things. The tools are:

      1) a _very_ fast portscanner. It lets you find computers and services on a given network.

      2) a virtual router. Lets multiple hosts share the same IP address.

      3) a pipe to ethernet thingy, lets you type directly out onto the network. You'd be quite the 31337 hacker if you used this one regularly.

      4) a silent traceroute that'll let you probe behind a NAT firewall. wow. That's kinda nasty.

      5) and the coolest one of the bunch, a program that renders the randomness of a remote machine's packets into 3D space. Cool.

      --
      "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
    13. Re:Note to the editors: by baptiste · · Score: 5, Insightful
      It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"

      The latter is understandable - a whole lot of /. folks just realized they need to brush up on TCP/IP theory - and that's a good thing. I know I pulled out my cheat sheets while reading his presentation.

      But the former is just plain annoying. Dan has done some really impressive work, using a very mature system in innovative ways. What did you expect? That he wrote some killer app that would make you rich during the IPO? This is great stuff - some of which doesn't have real world applicability (right now anyway), but so what? He's doing research into what CAN be done. I work in IT at a large research university and it really brings home the importance of research for research's sake. Others will come up with commercial applications where appropriate. But research is pushing the boundaries of existing knowledge or delving into completely new areas. For the sake of knowledge and learning.

      That said, for all of you saying 'this isn't new' or 'it's no big deal till they write scripts for the script kiddies' what crack are you on? In addition to making my head spin this early in the morning, Dan's presentation and ideas sent a shiver down my spine. I administer an academic network which means no firewall. Dan's ideas, which I could use for good, can also be used for evil. Easily. This kind of stuff is scary.

      Think about how much time, bandwidth and effort CodeRed wasted trying to spread itself probing systems that were not web servers. Imagine using this scanning technology as an opening salvo to a new exploit attack via port 80. BANG! Your network security folks sit up with a start as your Class B just got hammered hard. But it was over in 10 seconds. You look into it, but aren't really sure what it was. But now the attacker knows EVERY SINGLE HOST on your network running something on port 80. You (and the rest of the network) just got infected that much faster. Yes, previous papers already theorized this was possible (Warhol Worm, etc) But this makes it even scarier. A two stage worm could really blow things away. The first stage uses ultra fast scanning to build hosts responding to a given port. These first stage hosts develop into a network gathering available hosts to hit based on these ultra quick scans and then fire off stage two infections with pre-seeded network lists most likely to be vulnerable or offer the most targets.

      Hell, the second stage would be WELL underway by the time most network security admin's pagers went off.

      I tip my hat to Dan - this is great stuff with many useful applications, even if some are less than savory.

  29. I think this is huge... by TerryAtWork · · Score: 1

    I just wish I understood half of it.

    --
    It's Christmas everyday with BitTorrent.
    1. Re:I think this is huge... by Anonymous Coward · · Score: 0

      Yeah, I wish you understood half of it too.

  30. Re:Hi-yo Captain Obvious! by Anonymous Coward · · Score: 0

    Word.

  31. translation by frenetic3 · · Score: 0, Flamebait

    "the protocols the internet uses today are not conducive to certain types of networking tasks. however, tcp/ip, one of the internet's framework protocols, has a bunch of obscure parameters and fields that can be exploited to do new things [this isn't a very new concept.] i wrote a network scanner, fake NAT client, packet sniffer, traceroute utility, and some odd visualization tool. i like big words."

    basically he wrote some new tools that are like the tools we already have but implemented in a slightly different way, except these tools were heralded by an obtuse 500-word self-aggrandizing technobabbling post on slashdot.

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
    1. Re:translation by frenetic3 · · Score: 1

      admittedly, he uses some cool techniques and goes pretty low level to achieve many of these things (and the tracing, sniffing, and broadcasting techniques are probably not logged by most firewalls/routers and/or can slip detection).

      and that's a pretty fast scan utility. however, esoteric tools like this exist all over the place, and though interesting, this is nothing revolutionary. well, compared to the intel pentium iii processor which lets me not just get onto the internet, but get into it.

      -fren

      --
      "Where are we going, and why am I in this handbasket?"
    2. Re:translation by schon · · Score: 5, Funny

      he wrote some new tools that are like the tools we already have but implemented in a slightly different way

      Slightly different?

      Yeah, and a cellphone is just like two cans and some string, only slightly more useful.

      There are some seriously funky tools in there - check them out.

    3. Re:translation by belloc · · Score: 2

      translation...basically he wrote some new tools that are like the tools we already have but implemented in a slightly different way, except these tools were heralded by an obtuse 500-word self-aggrandizing technobabbling post on slashdot.

      Can someone translate this for us?

      Belloc

      --
      I got more rhymes than Jamaica got Mangoes.
    4. Re:translation by Anonymous Coward · · Score: 0

      Now that we have a good explanation, would some moderator please care to mod the parent (-1, Overrated)? Thank you for helping Slashdot becoming a better place.

    5. Re:translation by ryanr · · Score: 5, Interesting

      They're just a little bit more than slightly different. Try them out, you might be surprised.

      Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.

    6. Re:translation by Angry+White+Guy · · Score: 5, Insightful

      Yeah, here goes: I never really understood the article, but I'm going to try to make everyone feel dumb by grossly overgeneralizing and hoping nobody calls my bluff!

      Hey pal, anyone can break an internet protocol, but it takes skill to bend the hell out of it. This guy dumps more braincells every time his girlfriend spits after oral sex than you could ever hope to have. This guy speaks in TCP/IP, you just speak in condescending technocratic bullshit. You're the reason information is not free-as-in-beer free.
      Hey Slashdot, we're going to get a big group of us together and go beat the fuck outta Stephen Hawking! Who the fuck does he think he is looking at the universe in a slightly different way, except those views were heralded by an obtuse 500 page self-aggrandizing technobabbling hardcover!

      I'll post at +1, I've got karma to burn....

      AWG

      --
      You think that I'm crazy, you should see this guy!
    7. Re:translation by Anonymous Coward · · Score: 0

      someone please mod this idiot (parent) down...

    8. Re:translation by Anonymous Coward · · Score: 0

      Translation:
      I didn't/couldn't invent it, so I'll criticize it.

    9. Re:translation by Anonymous Coward · · Score: 0

      Not nearly as eloquent as mine, but mad props to you.

      AWG

    10. Re:translation by Anonymous Coward · · Score: 0

      I went to school with this guy. Yes, he likes big words and is quite a boring person.

    11. Re:translation by Anonymous Coward · · Score: 0

      Karma: Excellent (mostly affected by moderation done to your comments)

      Still there....

    12. Re:translation by Anonymous Coward · · Score: 0

      "This guy dumps more braincells everytime his girlfriend spits after oral sex then you could ever hope to have."

      So how did you determine this? Is there a difference in taste? Don't worry young gaylord, I won't reveal your angry white secret.

    13. Re:translation by Anonymous Coward · · Score: 0

      Aww, did I hit a nerve? You are really showing your intelligence here.

    14. Re:translation by frenetic3 · · Score: 1

      chill dude, (well, angry white guy, ha :P)

      i looked at more of it after posting that (especially some of the more esoteric features like crypto and mapping network traffic to 3d coordinates/strange attractors) and before the stream of bitter replies i got and some of it is pretty cool in a fucked up way.

      my *point* was more along the lines of this isn't as revolutionary as it was advertised, and it was advertised in an amusingly dense way. but, agreed, it is still pretty cool, especially since so much of it is done in user space.

      and if his girlfriend is spitting out brain cells after oral sex, i think they're doing it wrong ;)

      -fren

      --
      "Where are we going, and why am I in this handbasket?"
    15. Re:translation by matman · · Score: 1

      I agree, the description looked like it was written by a marketing department. It sounded like these tools were too good to be true, which they're not. I was totally reminded of Gibson Research Corporation ;) The tools are indeed clever, and not to play down the interesting accomplishment, but there are a lot of other neat tools out there too. The tools aren't really revolutionary; they're solutions to specific problems that were identified with some current solutions. Performance, firewall restrictions, etc. Nice work, but hardly the work of 'gods' as some would suggest (and I'm sure that the authors would agree).

    16. Re:translation by Anonymous Coward · · Score: 1, Insightful

      Sheesh, calm down! You should really stop idolizing people as much as you do. It's really pathetic when people suck up as much as you did in that post. Are you hoping to get a referral from this guy or something??

      These people have a point there. There was a LOT of useless vocabulary in there. The guy needs to take a technical writing course to clean up his rhetoric and just get the damn point across. "Guerilla multicast"? "Parasitic tracerouting"? "Black Ops of TCP/IP"? What's with the sensationalistic adjectives? This comes off like a wrestling commentary, not a technical description.

    17. Re:translation by Sri+Lumpa · · Score: 2

      "Yeah, and a cellphone is just like two cans and some string, only slightly more useful."

      And without the string, of course.

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
    18. Re:translation by Effugas · · Score: 2

      I officially agree -- both with the fact that I wrote it marketroid style (I was petrified of "l33t new hax0r tools, he's gonna destroy the web!"; the concept that people would think I didn't do anything at all never occurred to me) and that I'm no god...just someone who plays with TCP/IP :-)

      --Dan

    19. Re:translation by matman · · Score: 2

      Cool. I hope that you didn't take my comment to mean that the tools weren't neat, or useful, because they are. Have you ever read Gibson Research's 'nanoprobe' papers? Goto grc.com and see why some people are sensitive to that kind of vague, buzzword laden, hype generating writing :)

  32. Alex, I can scan that net in 30ms. by Anonymous Coward · · Score: 4, Funny

    Let's see...

    ping 160.1.255.255

    Duck and cover, here comes the smurf...

    1. Re:Alex, I can scan that net in 30ms. by Anonymous Coward · · Score: 0

      And who configures their machines to respond to broadcast pings anymore? Even worse would be:

      ping -f 160.1.255.255

  33. scanrand and paratrace by Wanker · · Score: 5, Informative
    I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?

    I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.

    The "paratrace" program is quite interesting-- from the README:

    paratrace

    Paratrace traces the path between a client and a server, much like "traceroute", but with a major twist: Rather than iterate the TTLs of UDP, ICMP, or even TCP SYN packets, paratrace attaches itself to an existing, stateful-firewall-approved TCP flow, statelessly releasing as many TCP Keepalive messages as the software estimates the remote host is hop-distant. The resultant ICMP Time Exceeded replies are analyzed, with their original hop count "tattooed" in the IPID field copied into the returned packets by so many helpful routers. Through this process, paratrace can trace a route without modulating a single byte of TCP/Layer 4, and thus delivers fully valid (if occasionally redundant) segments at Layer 4 -- segments generated by another process entirely.

    Nutshell summary: this uses an existing open TCP connection to run a traceroute through a firewall that would otherwise tell you to take off. I could certainly see this being useful.

    Some good background reading on O'Reilly's Safari online books site if your TCP/IP internals are a bit rusty:

    Internet Core Protocols: The Definitive Guide

    TCP/IP Illustrated, Volume 1: The Protocols
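
From the defender's side, the README quoted above also describes what a paratrace run looks like on the wire: a burst of keepalive-style segments (bare ACKs with at most one byte of payload) on an already-established flow, each carrying a different, small TTL. Ordinary OS keepalives on the same flow all share one TTL. The following is an added detection example, not code from Paketto or from the poster; the segment records, field names and thresholds are constructed for illustration, and a real sensor would feed it from a packet capture instead.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sensor might record it (constructed fields)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as letters, e.g. "A" (ACK only), "PA" (PSH+ACK)
    ttl: int          # IP TTL observed at the sensor
    payload_len: int


def is_keepalive_like(seg: Segment) -> bool:
    # A TCP keepalive is a bare ACK carrying zero or one byte of payload.
    return seg.flags == "A" and seg.payload_len <= 1


def find_ttl_walks(segments, min_distinct_ttls=4, window=5.0):
    """Return {flow: sorted TTLs} for every flow whose keepalive-like segments
    show at least `min_distinct_ttls` different TTL values within `window`
    seconds. Normal keepalives keep a constant TTL, so a walk stands out."""
    by_flow = defaultdict(list)
    for seg in segments:
        if is_keepalive_like(seg):
            by_flow[(seg.src, seg.sport, seg.dst, seg.dport)].append(seg)

    flagged = {}
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s.ts)
        start = 0
        for end, seg in enumerate(segs):
            while seg.ts - segs[start].ts > window:      # slide the window
                start += 1
            if len({s.ttl for s in segs[start:end + 1]}) >= min_distinct_ttls:
                flagged[flow] = sorted({s.ttl for s in segs})
                break
    return flagged


# Constructed sample: one healthy flow with periodic keepalives, one flow where
# the keepalives step through TTL 1..6 inside half a second.
SAMPLE = [
    Segment(0.0 + 60 * i, "10.0.0.5", 51000, "203.0.113.7", 443, "A", 64, 0)
    for i in range(5)
] + [
    Segment(30.0, "10.0.0.5", 51000, "203.0.113.7", 443, "PA", 64, 120),  # data, ignored
    Segment(299.0, "10.0.0.9", 52000, "203.0.113.7", 443, "PA", 64, 80),  # data, ignored
] + [
    Segment(300.0 + 0.1 * i, "10.0.0.9", 52000, "203.0.113.7", 443, "A", i + 1, 0)
    for i in range(6)
]


if __name__ == "__main__":
    for flow, ttls in find_ttl_walks(SAMPLE).items():
        print("TTL walk on flow %s:%d -> %s:%d, TTLs %s" % (*flow, ttls))
```

The threshold of four distinct TTLs in five seconds is a starting point, not a tuned value; hosts behind a load balancer or multipath route can legitimately show two or three TTLs on one flow, so count distinct values rather than alerting on the first change.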
    1. Re:scanrand and paratrace by ryanr · · Score: 5, Informative

      I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.

      With a traditional scanner, the scanner either has to maintain state (i.e. don't accept a reply to my scan request if I haven't sent it yet, nor if it doesn't match my sequence number, etc..) or it will be subject to the scanee spoofing replies. For example, if you figure out that I'm scanning you, then you can just start generating SYN-ACK packets and lie to me.

      By using inverse SYN cookies, the scanee can't reply until/unless it gets the actual SYN packet, and the scanner doesn't have to maintain any state, and can just blast full-speed.

    2. Re:scanrand and paratrace by Electrum · · Score: 5, Interesting

      I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?

      I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.

      Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:

      http://cr.yp.to/syncookies.html

      Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.
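
The two replies above describe the same mechanism from two angles: the scanner derives each SYN's initial sequence number from the probe's own addressing, so the reply's acknowledgement number (ISN + 1) proves the reply answers a SYN that was really sent, with no per-probe table and no way for a scanned host to plant bogus results by emitting unsolicited SYN/ACKs. This is an added illustration of that check, not scanrand's code; the key, the `Reply` record and the addresses are constructed, and HMAC-SHA256 truncated to 32 bits stands in for whatever cookie function the tool actually uses.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed secret; a real run would pick a fresh random key per scan.
SCAN_KEY = b"constructed-example-key-not-real"


def inverse_syn_cookie(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> int:
    """Initial sequence number for an outgoing SYN, derived only from the
    probe's addressing. Nothing is stored per probe: the value can be
    recomputed from the fields any reply must echo back."""
    msg = (ipaddress.ip_address(dst_ip).packed
           + dst_port.to_bytes(2, "big")
           + src_port.to_bytes(2, "big"))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass(frozen=True)
class Reply:
    """The parts of an incoming segment the receiver needs (constructed)."""
    src_ip: str      # the scanned host
    src_port: int    # the scanned port
    dst_port: int    # our source port, echoed by the peer
    flags: str       # "SA" = SYN/ACK, "RA" = RST/ACK
    ack: int         # acknowledgement number


def expected_ack(key: bytes, reply: Reply) -> int:
    cookie = inverse_syn_cookie(key, reply.src_ip, reply.src_port, reply.dst_port)
    return (cookie + 1) & 0xFFFFFFFF


def classify(key: bytes, reply: Reply) -> str:
    """Accept a reply only if its ACK proves it answers a SYN we sent.
    Anything else (spoofed, stale, or simply not ours) is dropped."""
    if reply.ack != expected_ack(key, reply):
        return "unsolicited"
    if reply.flags == "SA":
        return "open"
    if reply.flags == "RA":
        return "closed"
    return "unsolicited"


if __name__ == "__main__":
    # Constructed exchange: we probed 192.0.2.10:80 from port 40000.
    isn = inverse_syn_cookie(SCAN_KEY, "192.0.2.10", 80, 40000)
    genuine = Reply("192.0.2.10", 80, 40000, "SA", (isn + 1) & 0xFFFFFFFF)
    forged = Reply("192.0.2.10", 80, 40000, "SA", (isn + 2) & 0xFFFFFFFF)
    print(classify(SCAN_KEY, genuine), classify(SCAN_KEY, forged))  # open unsolicited
```

Because the check depends only on the key and the reply's own fields, the sending and receiving halves can run on different hosts that share the key, which is the split the parent post asked about. The same construction in the other direction is what the SYN cookies page linked above describes for servers under SYN flood.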

    3. Re:scanrand and paratrace by Anonymous Coward · · Score: 0

      If you detect a scan, why would you want to send back MORE syn/acks? If anything, I'd want to start playing dead by sending RSTs at you. The last thing I'd want to do is look "interesting" when there are so many other targets for you to pursue instead of me.

      The way I see it, if I piss off some kiddie that's scanning my network, I'll be eating billions of bits for several hours. If I look boring, then they'll go pick on some twit who has no protection at all.

    4. Re:scanrand and paratrace by ryanr · · Score: 2

      Plenty of reasons.. to direct one to a honeynet, to lie to the OS fingerprinter, to make the attacker spin more cycles, to give inconsistent results each time...

    5. Re:scanrand and paratrace by LinuxGeek8 · · Score: 2

      This sounds like the same thing that tcptraceroute does. It sends a tcp/ip packet to an open port and receives an icmp packet as reply. From that it builds the traceroute, even with the hosts behind a firewall.

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    6. Re:scanrand and paratrace by John+Sullivan · · Score: 1
      If you detect a scan, why would you want to send back MORE syn/acks? If anything, I'd want to start playing dead by sending RSTs at you.

      There are several things you can do to discourage an attempted scan. One, as you say, you can send an RST to force the other side to abandon the connection. Another is to just drop incoming packets on the floor - the other end won't know whether you're doing this or the network between is flaky, so they have potentially long time-out delay before they can move on to the next port/machine. (You can scan multiple targets in parallel of course, but if they all black-hole you you're still going to get wedged at some point.)

      A more involved one is to tar-pit (or teergrube) them. In SMTP this is used against spammers, but the principle is quite general. The mechanism you would use in this case is to ack their syn, then drop completely any further packets from them. If you drop or reset immediately then they can wait for a fairly short timeout period and/or close their end of the connection immediately with no penalty to them. If they are using anything remotely like a normal TCP implementation then by acking them you are forcing them to make a more long-lasting entry in their socket table, and wait for a much longer timeout period (longer than SYN-SENT retransmission timeouts) causing their socket table to fill up, therefore slowing them down as they try to scan yours or other peoples' networks.

      Since you're only ever sending valid protocol responses or ignoring them, rather than actively attacking them, it is hoped that they will decide to give up rather than DOS you.

      --
      This is my World Wide Web of Whatever
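
The post above lays out the tarpit idea: complete the handshake so the other side commits a socket, then give it nothing to act on. As an added example (not from the poster and not part of Paketto), here is a user-space approximation: the listener accepts every connection and never reads, writes or closes, so a connect()-style probe sees a successful handshake and then hangs on its own timeout. The host, port and probe banner are constructed. This variant still lets the kernel ACK the probe's data; the stricter "ack the SYN, then drop everything" behaviour the post describes needs packet-level tooling such as a firewall TARPIT target rather than a listening socket.

```python
import socket
import threading
import time


def start_tarpit(host="127.0.0.1", port=0, rcvbuf=256):
    """Accept every connection and hold it open without ever responding.
    Returns (bound_port, stop_event, held_connections)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # A tiny receive buffer means the peer's window closes quickly if it keeps
    # talking; accepted sockets inherit this from the listener.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    srv.bind((host, port))
    srv.listen(128)
    srv.settimeout(0.2)          # lets the accept loop notice stop_event
    held = []                    # keep references so nothing is closed or GC'd
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            held.append(conn)    # never read, never write, never close
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop, held


def probe(port, wait=0.5, host="127.0.0.1"):
    """Act like a simple connect()-based scanner: did the handshake complete,
    and did the peer ever answer or close? Returns (outcome, seconds_waited)."""
    s = socket.create_connection((host, port), timeout=2)
    s.settimeout(wait)
    s.sendall(b"HELO probe\r\n")          # constructed banner
    t0 = time.monotonic()
    try:
        data = s.recv(1)
        outcome = "closed" if data == b"" else "replied"
    except socket.timeout:
        outcome = "hung"                  # connected, but stuck waiting
    elapsed = time.monotonic() - t0
    s.close()
    return outcome, elapsed


if __name__ == "__main__":
    port, stop, held = start_tarpit()
    print(probe(port, wait=1.0))          # ('hung', ~1.0)
    print("connections held:", len(held))
    stop.set()
```

Run it as a whole-network measure only with care: every held connection also costs the defender a socket, so a real tarpit pairs this with per-source limits, and the kernel-level variant is cheaper precisely because it keeps no socket at all.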
  34. okay, this guy is smarter than me by Anonymous Coward · · Score: 0

    but i'm better looking and get laid more.

  35. Slashdot Comment Plot by Anonymous Coward · · Score: 0
    Proof that replies to your comment should be taken with a grain of salt:

    http://www.doxpara.com/pics/index.php?album=phentropy%2F&pic=slashdot_comments1.jpg

  36. 8300 web servers...? by Anonymous Coward · · Score: 0

    > scanrand detected 8300 web servers across 65,536
    > addresses. Time elapsed: approximately 4 seconds.

    I was a little curious how many detections I would get, so I started scanrand on this 256*256*256*256 addresses network. Time it will take: approximately 3 days. Stay tuned for the results...

  37. Re:Hi-yo Captain Obvious! by Anonymous Coward · · Score: 0

    You are so mean, making fun of a man who lost his right hand in a terrible accident.

  38. Why is God's name by Anonymous Coward · · Score: 0

    Are the parentheses around LinkCat hyperlinks to glue and scissors??

    1. Re:Why is God's name by Anonymous Coward · · Score: 0

      Yeah, good question!

      and what's this all about:

      Ideal for all paper crafts. Does not sour or spoil. In plastic jars.

      Who cares if GLUE goes sour or spoils??

      Or do kids really eat the paste? I thought that was a joke.

    2. Re:Why is God's name by Anonymous Coward · · Score: 0

      Ya know, looking at the subject it looks like you got cut off right before you could reveal to us God's true name. That's funny.

  39. It sure is great. by Inoshiro · · Score: 4, Insightful

    Because most people won't lift a finger when someone says "theoretical" or "possible" or "probable" -- but watch those deadlines jump up when you have an actual break in!

    Because insurance companies don't require an authorized audit of computer security (yet), most places are wide-open. Think of this as the example of how to start fires, and why the government should have laws about the fire protection that public theatres (ecommerce sites) should have. Most companies are happy to let a room full of patrons burn to death -- that's why we need examples and government intervention. Besides, I'd rather that fellows like this release what they've been working on, so I know what to look out for, and can apply their methods against my systems at leisure in order to find problems and address them.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
    1. Re:It sure is great. by LordofEntropy · · Score: 1

      Oh yay, just what we need, more laws.

      --
      Entropy just isn't what it used to be.
    2. Re:It sure is great. by Effugas · · Score: 2

      Inoshiro--

      There's a fire, you no longer have a building, but you do have corpses.

      There's a hack, you still have your building, you still have your servers, you have no corpses.

      This, at the end of the day, is why computer security isn't big on insurance company lists.

      Credit card numbers are not lives! And the moment the theft of them becomes a real problem -- and believe me, despite the numbers I've seen, they apparently pale vs. legitimate use -- we'll see digital credit cards secure against replay attacks (i.e. they'll output a signature value tied to the merchant, the date of the transaction, the price of the transaction, and a nonce).

      Bruce Schneier was giving this talk where he said two things: A) Infosec needs a risk management approach, and B) Business needs to take computer security seriously. I had to point out to him -- the two are contradictory, if risk management deems the benefit of insecurity greater than the amortized risk of insecurity.

      --Dan
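
Dan's aside about a replay-resistant card describes a concrete design: a per-transaction value bound to the merchant, the date, the amount and a nonce, so that a captured value is useless anywhere else, on another day, for another price, or twice. The block below is an added sketch of that check from the issuer's side, not anything from the thread or from a real payment network. It uses an HMAC under a secret shared between card and issuer as a stand-in for the signature (a real scheme would use a public-key signature so the merchant holds nothing forgeable); card ids, secrets, merchant ids, dates and amounts are all constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed per-card secrets known to the card and the issuer only.
CARD_SECRETS = {"card-0001": b"constructed-card-secret-not-real"}


@dataclass(frozen=True)
class Transaction:
    card_id: str
    merchant_id: str
    date: str            # ISO date the card saw when it produced the value
    amount_cents: int
    nonce: str           # fresh per transaction; constructed here
    tag: str = ""        # authenticator over every field above


def _message(tx: Transaction) -> bytes:
    """Canonical encoding of the bound fields (everything except the tag)."""
    fields = asdict(tx)
    fields.pop("tag")
    return json.dumps(fields, sort_keys=True).encode()


def sign(tx: Transaction, secret: bytes) -> Transaction:
    """What the card does: bind merchant, date, amount and nonce together."""
    tag = hmac.new(secret, _message(tx), hashlib.sha256).hexdigest()
    return Transaction(tx.card_id, tx.merchant_id, tx.date, tx.amount_cents, tx.nonce, tag)


class Issuer:
    """What the issuer does: verify the binding, then refuse repeats."""

    def __init__(self, secrets, today: str):
        self.secrets = secrets
        self.today = today
        self.seen = set()    # (card_id, nonce) pairs already honoured

    def authorize(self, tx: Transaction, presenting_merchant: str) -> str:
        secret = self.secrets.get(tx.card_id)
        if secret is None:
            return "unknown card"
        expected = hmac.new(secret, _message(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.tag):
            return "bad signature"       # any altered field breaks the tag
        if tx.merchant_id != presenting_merchant:
            return "wrong merchant"      # captured value presented elsewhere
        if tx.date != self.today:
            return "stale"               # old value presented later
        if (tx.card_id, tx.nonce) in self.seen:
            return "replay"              # same value presented twice
        self.seen.add((tx.card_id, tx.nonce))
        return "approved"


if __name__ == "__main__":
    issuer = Issuer(CARD_SECRETS, today="2002-11-18")
    tx = sign(Transaction("card-0001", "shop-42", "2002-11-18", 1999, "nonce-1"),
              CARD_SECRETS["card-0001"])
    print(issuer.authorize(tx, "shop-42"))   # approved
    print(issuer.authorize(tx, "shop-42"))   # replay
```

The nonce set is the one piece of state the issuer must keep; bounding it by date (the `stale` check) is what keeps that set from growing without limit.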

  40. Oh, so what up with the scissors and paste links? by JungleBoy · · Score: 2

    Um, I'm so confused about the scissors and paste that I need to sit down. Note the links attributed to the open and close parens around 'linkcat'

    (linkcat)

    Would someone please call me dumb and tell me the answer?

    --
    "You never know when some crazed rodent with cold feet might be running loose in your pants."
    -Calvin
  41. I applaud him by Anonymous Coward · · Score: 0

    Even if all he did was manage to do the same thing nmap does but in a different manner, I still think being able to scan a class B in 4 seconds is nothing to laugh about. I think we should not forget this is simply a repackaging of some proof of point software.

    This winter will truly be the season of the lanjacker.

  42. So with this utility program by kensai · · Score: 3, Funny

    I can haxor the Gibson and become 3l33t

  43. I want to be a troll now by meshko · · Score: 5, Insightful

    OK, this pretty much pushes me over. I've been considering becoming a slashdot troll for some time and I think this article finishes it. First interesting story in a week or two. It gets more moronic posts than anything I've ever seen on slashdot. The best posts here are of the type "this is way over my head". If this is over your head, but you think it's interesting stfu and don't post anything. I don't even want to talk about others.
    The compost bin story got a more meaningful discussion than this.
    90% of people here think that case mods are cool
    99% of people here look at a program which allows you to traceroute without icmp or udp (just to name one thing) and say "yeah, but what's the use"?
    WTF?

    I shall go and troll in the story about case with 6 neon lights attached to it now. See ya.

    --
    I passed the Turing test.
    1. Re:I want to be a troll now by feronti · · Score: 0, Redundant

      Damn I wish I had some mod points... I'd mod him up! I read the article at DoxPara (which I have looked at in the past and said "whoa... that's really cool... I wish I could really grok it...") and was hoping some of the better educated network folks would comment and help me understand this. I have to agree completely with the sentiment.

    2. Re:I want to be a troll now by Anonymous Coward · · Score: 0

      You must be a very special person.

    3. Re:I want to be a troll now by Victors+Monster · · Score: 1

      The article is highly technical. But if Dan had explained his work succinctly instead of bragging, there would have been more interesting conversation. I think people were put off by Dan's purple style as much as the difficulty of the material.

      The tech stuff doesn't come until more than halfway through the article, starting with the link to paketto. Come on, Lingua Reseux? This kind of over-done, flowery arrogance is what is and was always lame about Wired and their make-believe digerati horseshit. The lack of that pretension here is part of what is cool about /. - You may think Slashdotters are dummy case-modders but at least they're down to earth.

    4. Re:I want to be a troll now by Anonymous Coward · · Score: 0

      65% of the posts here come from Windows machines. What do you expect? Maybe had the story been written along the lines of ....right click, left click, ask Clippy.

    5. Re:I want to be a troll now by maelstrom · · Score: 2

      don't worry dude, slashdot hasn't been really technical for a _long_ _long_ time. it's more fun watching the downward spiral, there is no need to help it along. :)

      --
      The more you know, the less you understand.
    6. Re:I want to be a troll now by Effugas · · Score: 2

      You are, of course, right.

      I was actually fearing getting labelled the creator of some new toolkit for destroying networks. Instead, I got myself labelled as someone all talk, no code.

      Oops.

      --Dan

    7. Re:I want to be a troll now by Victors+Monster · · Score: 1

      I can't tell if you're being sarcastic or not. I, for one, said no such thing. In fact, it's obvious that you are making great achievements in coding.

      Further, I can't really fault you for bragging because you are bringing the innovation. Unfortunately, that doesn't make your style less annoying or distracting to your readers.

    8. Re:I want to be a troll now by schlach · · Score: 3
      No, he's got a real good point. Of course, by the time I read the article, two intelligent posts had managed to float their way up to the surface. The problem isn't with idiots on slashdot. They've always been there. The problem is moderation.

      I think a lot of people have noticed a stark decline in slashdot quality the last three or four weeks. This is about the time the editors changed the code to post notice about your mod points on the top of the front page when you log in. According to CmdrTaco, the number of mod points in use jumped from 4 per 10 comments to ~8 per 10 comments. To me this means two things:
      • there is twice as much uselessly moderated crap at +4 and +5.
      • half the moderators running loose on slashdot are people who until recently never bothered to read the discussions, as they would have figured out they had mod-points at that point, under the old system.

      This is dangerous. We're talking about a Byzantine failure model with half of our population being bent on our destruction. We can tolerate 20-25%, but once half the moderators are aligned against intelligent conversation, the system breaks down.

      Might want to read Taco's journal. He talks about the moderation system, and they're trying to figure out what to do about the sudden inflation of mod-points. They're not working very fast, granted, but they're working.

      It's also time for everyone to start thinking about what's broken, specifically, as opposed to the general "slashdot is totally populated by trolls" theory. The population of slashdot has not changed significantly in the last month! But the way we listen to them has. And so we're hearing more useless chatter. Slashdot isn't dead, it's just broken. I've come up with some ideas that I'll post to my journal - or a story about the slashdot malaise that may or may not get posted on the front page - to solicit public comments on what should be changed/fixed. Wish I had already, but been busy.

      Don't worry though. I'm sure that if slashdot does die, whatever succeeds it will first be posted about on slashdot. =)
    9. Re:I want to be a troll now by sco08y · · Score: 1

      This is why I hate the fucking karma whores.

      All I ask is that I be able to filter out posts from anyone with capped karma.

      The karma whores post for each other. They rule moderation. Because they're a very particular mentality, there are some subjects they know nothing about. Because they're karma whores, they still comment. Because they're karma whores, their posts get modded up.

      As a result, the top posts reflect an incredibly narrow mindset, the Slashdot karma whore mindset. Every other POV is suppressed, automatically.

      You know what's interesting about this? It's nothing new! It's the same effect that gives you talking heads on television, just on a larger scale. And what's also amazing is that the outlook is the same as the talking heads: vaguely lefty, wannabe trendy, parochial outside their little world and most of all shallow, shallow, shallow.

      You can leave Slashdot, but you're going to have to put up with these people wherever you go because they always seem to dominate the discussion unless it's explicitly ideological, e.g. on conservative boards.

    10. Re:I want to be a troll now by Effugas · · Score: 2

      No sarcasm. I truly sounded all talk, no code. My original post was hardcore tech and I was afraid of all these responses AIIIIIGH HE'S GOING TO DESTROY THE EENTERNET.

      I honestly never expected "I can't see him say he did anything except a port scanner, so I assume he did nothing but nmap".

      You happen to be right -- the writeup sucked. Life in here got *much* better once I did the English writeup, though.

      --Dan

    11. Re:I want to be a troll now by Effugas · · Score: 2

      Heh, I have capped Karma :-)

      But then, I don't post unless I've got something to say, and I've been capped since they had a cap.

      --Dan

  44. All I want to know is. ... by frodo+from+middle+ea · · Score: 1

    which *@#$ing multinational would allow their Class B network to be used for "proof of Concept" work by some BlackHats ?
    Authorise my a$$.

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    1. Re:All I want to know is. ... by fshalor · · Score: 1

      It must have been M$...

      Oh, sorry, just kidding. I meant IBM. I could see them letting this thing run. They're smart enough to figure out if it's really gonna hurt them.

      --
      -=fshalor ::this post not spellchecked. move along::
    2. Re:All I want to know is. ... by Effugas · · Score: 5, Insightful

      Who said anything about Black Hats?

      Breaking into networks, crashing people's systems...unnecessary and boring, in that order.

      You don't need to be a Black Hat to play with protocols. Not in the slightest.

      --Dan

    3. Re:All I want to know is. ... by packeteer · · Score: 2

      IBM has a class A. They own 9.0.0.0 - 9.255.255.255

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
  45. no, no, this IS revolutionary! by Anonymous Coward · · Score: 3, Funny


    basically, this guy found a way to say "i will die alone" in over five hundred words, including the words "link layer" and "phentropy".

  46. What Paketto Is (In Simpler Terms) by Effugas · · Score: 5, Informative

    SCANRAND
    ========
    Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down "yes" or "no" depending on the response. Normally, there's lots of overhead as you keep track of who you sent requests to and thus whom you're expecting responses from. Overhead, or "state", makes things slow. So scanrand is stateless -- right when you start up, it splits in two. One half asks everyone, "Heh! What are you hosting!" The other half picks up responses, "Hmmm, some guy just said he has a web server."

    Now, there's a problem: If someone knows I'm not keeping track of who I'm scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request -- the "Sequence Number". This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that's talking to me, and immediately know whether I ever scanned this guy in the first place.

    So, that's why I get to scan really fast. Mind you, it's the least impressive part of Paketto in raw technical terms -- but it's definitely useful as hell.

    MINEWT
    ======
    What if you could just run a program, and a router showed up on your network? I don't mean physically, but I also don't mean "having anything visibly related to the computer hosting it". It'd be virtual, with its own separate IP addresses and its own MAC addresses too. It'd be portable to any machine on the LAN, maybe it'd be fast, but it'd definitely be amazingly flexible -- no chips to make, no wires to crimp. Run this software, and there's something new on your net.

    That's what minewt is -- a new router that just shows up and works. Now, it happens to do some funky things -- Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaches it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it's flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool -- NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*'s and 192.168.*'s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.

    It ain't your gateway that downloaded all those MP3's, even if that's the IP address on that flow of music.

    Well, there's also this tech called ARP -- the Address Resolution Protocol. Your local network doesn't have a clue about IP addresses -- it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP -- 10.* or whatever -- to the MAC address the factory assigned.

    NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).

    MAT -- MAC Address Translation -- just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).

    End result? Multiple hosts can share the same IP address. Cool.

    LC [LINKCAT]
    ============
    I've got a wire. I want to talk on it -- but I can't, I've got all these sockets and programs and limitations in the way. Or at least, I had them.

    1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.
    3) Profit.

    Or,

    1) Execute lc -l00 and start watching everything on the network go by in hex. Anything I like, I can copy, then run lc -m00 and paste back onto the wire once again.
    3) Profit.

    lc has a really interesting mode that's based on the fact that you can actually put data in a frame *after* IP is done with it -- it's called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, let's put crypto in it -- let's sign our frame! Basic support for SHA-1 HMACs is provided.

    PARATRACE
    =========
    Alright, this is kinda neat. You've got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you're gonna start up a whole new connection. Paratrace gets around that -- you see, TCP lets you repeat packets; actually, by repeat, it's more like "The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine." So instead of spawning a whole new connection for our traces, we run our traceroute -- which is entirely a Layer 3 IP hack -- using a legitimate Layer 4 TCP packet. When the data eventually gets there, it's mostly ignored -- oh, the network screwed up again.

    If there's a stateful firewall in the way, well, it's looking at Layer 4 data, which is 100% valid.

    PHENTROPY
    =========
    See a cloud? Might be random. See a bunch of triangles? That ain't random. See the Borg Cube? Yeah, that's the FreeBSD kernel. This is an extension of Michal Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.

    Terribly sorry I didn't do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.
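The scanrand trick described above (a tag in the SYN's sequence number that comes back in the reply's ACK, so no per-probe table is needed) can be shown in a few lines. The following is an added example and not scanrand's own code: the post says the IP and port are "encrypted into the sequence"; here a keyed HMAC-SHA1 truncated to 32 bits stands in for whatever scanrand actually uses, and the `Reply` records are constructed, not captured. It demonstrates the defensive point of the design: a response whose ACK does not match the tag derived from its own source address is rejected as forged, so an observer cannot feed fake "open port" answers to a stateless listener without the key.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF  # TCP sequence/ack numbers are 32-bit


@dataclass(frozen=True)
class Reply:
    """A TCP response as the listening half would see it (constructed, not captured)."""
    src_ip: str      # host that answered
    src_port: int    # port that answered
    ack: int         # acknowledgement number carried by the reply
    syn: bool        # SYN set -> SYN/ACK, i.e. the port is open
    rst: bool        # RST set -> port closed


class InverseSynCookie:
    """Keyed tag placed in the outgoing SYN's sequence number.

    Assumption (not from the post): the tag is HMAC-SHA1(key, ip||port)
    truncated to 32 bits. The reply's ACK must equal that tag + 1, which
    holds both for a SYN/ACK from an open port and for the RST a closed
    port sends back, so one check covers both outcomes.
    """

    def __init__(self, key: Optional[bytes] = None):
        # Per-scan secret; without it nobody can manufacture a valid ACK.
        self.key = key or secrets.token_bytes(16)

    def seq_for(self, ip: str, port: int) -> int:
        """Sequence number to use in the probe sent to (ip, port)."""
        msg = ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")
        tag = hmac.new(self.key, msg, hashlib.sha1).digest()
        return int.from_bytes(tag[:4], "big")

    def classify(self, r: Reply) -> str:
        """Validate a reply using only the reply itself plus the key."""
        expected = (self.seq_for(r.src_ip, r.src_port) + 1) & MASK32
        if r.ack != expected:
            return "forged"        # we never probed this (ip, port), or the ACK was guessed
        if r.syn:
            return "open"
        if r.rst:
            return "closed"
        return "unexpected"


def demo() -> dict:
    """Three constructed replies: genuine open, genuine closed, and a replayed ACK."""
    c = InverseSynCookie(b"constructed-demo-key")
    seq80 = c.seq_for("192.0.2.10", 80)
    seq81 = c.seq_for("192.0.2.10", 81)
    genuine = Reply("192.0.2.10", 80, (seq80 + 1) & MASK32, syn=True, rst=False)
    closed = Reply("192.0.2.10", 81, (seq81 + 1) & MASK32, syn=False, rst=True)
    # A different host replaying the valid ACK fails: the tag is bound to the source.
    replay = Reply("192.0.2.99", 80, (seq80 + 1) & MASK32, syn=True, rst=False)
    return {"genuine": c.classify(genuine),
            "closed": c.classify(closed),
            "replay": c.classify(replay)}


if __name__ == "__main__":
    print(demo())
```

The kernel side the post mentions later (the local stack RSTs the SYN/ACKs it never asked for) is untouched here; this only covers the listening half's decision. Note that a sequence number of 0xFFFFFFFF wraps to an ACK of 0, which is why the comparison masks to 32 bits.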

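The ethernet-trailer signing that lc's HMAC mode is built on works because the IP layer stops reading at the header's Total Length field, so bytes placed after the datagram ride along unexamined. The block below is an added illustration, not lc's code: it assumes the tag is HMAC-SHA1 over the Ethernet header plus the IP datagram and is written immediately after the last IP byte (lc's exact coverage is not stated in the post), and the 42-byte frame is constructed inline. It shows the integrity check a receiver can apply, including the cases a practitioner cares about: a tampered header, a wrong key, hardware padding after the tag, and an unsigned frame that merely carries zero padding.

```python
import hashlib
import hmac
import struct

ETH_HDR_LEN = 14                          # dst MAC, src MAC, EtherType
MIN_ETH_PAYLOAD = 46                      # Ethernet pads shorter payloads; hence trailers
TAG_LEN = hashlib.sha1().digest_size      # 20 bytes


def ip_total_length(ip_packet: bytes) -> int:
    """IP header Total Length: anything after that many bytes is trailer, not data."""
    return struct.unpack("!H", ip_packet[2:4])[0]


def sign_frame(frame: bytes, key: bytes) -> bytes:
    """Append HMAC-SHA1(key, eth_header || ip_datagram) right after the datagram.

    The receiver's IP stack never looks past Total Length, so the frame
    remains a perfectly ordinary packet to everything but a verifier.
    """
    eth, ip = frame[:ETH_HDR_LEN], frame[ETH_HDR_LEN:]
    ip_len = ip_total_length(ip)
    if ip_len > len(ip):
        raise ValueError("truncated IP datagram")
    signed_part = eth + ip[:ip_len]
    tag = hmac.new(key, signed_part, hashlib.sha1).digest()
    out = signed_part + tag
    # Bring the payload up to the legal minimum, as the NIC would do anyway.
    short = ETH_HDR_LEN + MIN_ETH_PAYLOAD - len(out)
    return out + b"\x00" * max(short, 0)


def verify_frame(frame: bytes, key: bytes) -> bool:
    """Recompute the tag over the same bytes and compare in constant time."""
    eth, ip = frame[:ETH_HDR_LEN], frame[ETH_HDR_LEN:]
    if len(ip) < 4:
        return False
    ip_len = ip_total_length(ip)
    if len(ip) < ip_len + TAG_LEN:
        return False                       # no room for a tag: unsigned or cut short
    expected = hmac.new(key, eth + ip[:ip_len], hashlib.sha1).digest()
    return hmac.compare_digest(ip[ip_len:ip_len + TAG_LEN], expected)


def sample_frame() -> bytes:
    """Constructed 42-byte frame: Ethernet header plus a 28-byte IPv4/UDP datagram
    with no UDP data. Checksums are left zero; only the framing matters here."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 28,          # version/IHL, TOS, total length
                         0, 0,                 # id, flags/fragment offset
                         64, 17, 0,            # TTL, protocol=UDP, checksum
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8, 0)   # src port, dst port, length, checksum
    return eth + ip_hdr + udp_hdr


if __name__ == "__main__":
    key = b"constructed-trailer-key"
    signed = sign_frame(sample_frame(), key)
    print(len(signed), verify_frame(signed, key))
```

Because the tag sits outside the IP datagram, an intermediate router that rewrites or strips the trailer (or a stack that truncates the frame to Total Length before handing it up) silently turns a signed frame into an unverifiable one; a verifier should treat "no tag present" and "bad tag" the same way, as this one does.
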
    1. Re:What Paketto Is (In Simpler Terms) by ruckc · · Score: 1

      OpenQVIS?

      www.google.com/search?q=OpenQVIS returns 4 results, 5 if you allow omissions.

      http://freshmeat.net/search/?q=OpenQVIS&section=projects returns No Matches.

      What is it? Where can I find it?

    2. Re:What Paketto Is (In Simpler Terms) by Effugas · · Score: 3, Informative

      Yeah, that'll be fixed when Google picks the link up off my home page. Anyway, it's the next story after Paketto.

      --Dan

    3. Re:What Paketto Is (In Simpler Terms) by meshko · · Score: 1

      a) You never mention what OSes are supported. Is my understanding that it should compile on FreeBSD, OpenBSD and Linux correct?

      b) 'bug report': you have docs directory stored inside itself along with the CVS subdir (paketto-1.0.tar.gz)

      c) Ain't no way I'm building this on my machine before someone smarter than me looks at it. Sorry ;)

      --
      I passed the Turing test.
    4. Re:What Paketto Is (In Simpler Terms) by Effugas · · Score: 5, Informative

      a) Testing was completed on FreeBSD and Linux. We're trying to get Solaris up; I just got a patch for OpenBSD. Win32 is...hmmm. Theoretically possible.

      b) Docs were added at last minute; I've yet to write a true manual.

      c) The code's tiny and mostly self contained, but I understand your worries. Contact me privately and I'll give you a bit of my history.

      --Dan

    5. Re:What Paketto Is (In Simpler Terms) by psychosis · · Score: 1

      Very nice links to 'cut' and 'paste'... classic!
      I enjoyed your talks out in Vegas - keep up the excellent research and work!

    6. Re:What Paketto Is (In Simpler Terms) by Anonymous Coward · · Score: 0

      Just out of curiosity, would you consider these manglings of the protocol deficiencies or merely just innovative applications of the protocol?

    7. Re:What Paketto Is (In Simpler Terms) by CoolVibe · · Score: 2
      Hmm, the thing doesn't want to compile with the Coin library and SoQt inventor-qt bindings. Is OpenQvis qt2/openinventor/SoQT only?

      Are there statically compiled bins (modulo OpenGL) available for several operating systems?

    8. Re:What Paketto Is (In Simpler Terms) by CoolVibe · · Score: 2

      Duh, I of course mean all of that stuff _and_ Qt 3.1. So KDE3 users can't compile OpenQvis. Hmm... I was looking forward to looking at 3d graphs of my network :(.

    9. Re:What Paketto Is (In Simpler Terms) by feepcreature · · Score: 1

      Interesting ideas, but I'm still kind of hazy....

      scanrand: is encrypting and decrypting or digesting packets any more efficient than maintaining a state table? Is this just a RAM vs CPU tradeoff?

      minewt - NIC listening in promiscuous mode... and you'd have to alternate the sending MAC address too... and not clash with anything else on the switch, to avoid ARP cache problems... Never tried that.

      lc (read): kind of like tcpdump? low level debugging.

      lc (write): I've used protocol testers - it's hard to keep links up, typing packet responses by hand... Not sure how you can interfere with normal communications more efficiently than a special purpose tool. To do general stuff, wouldn't you need the brain of a router, and the typing speed of some of those infinite monkeys (if you can distract them from working on Shakespeare's complete works)?

      paratrace: I kind of see at the handwaving level how the "twisted packets" get out through the firewall. How does this make the intermediate systems in the stream emit responses (that actually make it back)?

      phentropy: Cooler visualisation than nmapfe? I suppose you can use human image processing abilities to make sense of complex patterns? Failing that, it should look cool...

      Must think about this later when I have more time...

      --
      P.

      --
      Paul "Say no to feeping creaturism"
    10. Re:What Paketto Is (In Simpler Terms) by Rolo+Tomasi · · Score: 2

      Would you mind posting the patch for OpenBSD, here or somewhere else? I can't get it to compile ...

      --
      Did you know you can fertilize your lawn with used motor oil?
    11. Re:What Paketto Is (In Simpler Terms) by Rolo+Tomasi · · Score: 3, Informative
      Alright, after a bit of fiddling, I got it to work. If anyone's interested, here's how I did it:
      1. ./configure
      2. dos2unix libtomcrypt/makefile (this makefile is totally fscked ... and it's in CR+LF format, so you have to convert it first)
      3. vi libtomcrypt/makefile
        1. :13s/rs/rc/
        2. :5s/O6/O2/
        3. :41,46s/zlib\///g
      4. make clean && make
      5. ranlib libtomcrypt/libtomcrypt.a
      6. make clean && make
      --
      Did you know you can fertilize your lawn with used motor oil?
    12. Re:What Paketto Is (In Simpler Terms) by fshalor · · Score: 1

      How hard would it be to adapt Scanrand to do state-less packet inspection. Like on a router? This could be the "profit" point to the argument.

      --
      -=fshalor ::this post not spellchecked. move along::
    13. Re:What Paketto Is (In Simpler Terms) by Bandman · · Score: 2

      Wouldn't it require XP, due to lack of raw socket support previous?

    14. Re:What Paketto Is (In Simpler Terms) by Anonymous Coward · · Score: 0

      Any chance of getting help in compiling the OpenQVis beast... at least version numbers which you have of the libraries would be nice. The latest versions seem to make it cry :-(

    15. Re:What Paketto Is (In Simpler Terms) by Anonymous Coward · · Score: 0

      To do general stuff, wouldn't you need the brain of a router, and the typing speed of some of those infinite monkeys

      I don't think he's actually suggesting that you type out the packets. The tool takes input on STDIN. Pipe something to it. Welcome to UNIX.

    16. Re:What Paketto Is (In Simpler Terms) by Anonymous Coward · · Score: 0

      "He", yeah right.

    17. Re:What Paketto Is (In Simpler Terms) by ethereal · · Score: 1

      This commentary helps the slides make a lot more sense; maybe you could include this in the "Notes" section of the applicable slides? In particular, the fuzzy triangles didn't make much sense at all on the slides until I read this.

      Thanks a lot for some pretty cool ideas!

      --

      Your right to not believe: Americans United for Separation of Church and

  47. Interesting by motox · · Score: 1

    But too much techno babbling, such as in statements like "Userspace manipulation of packets can lead to less overhead" because "Kernels are optimized to talk to other hosts, not to scan them". Ok so you invented raw sockets, not to mention the fact that it's possible to send arbitrary packets from the kernel too, although from userspace it's for sure a more portable way. And MAC based networking, i can mention at least 3 commercial products that do that (and in a much more flexible way). (i maintain one of them :) Anyway, some stuff is really interesting, a few new toys to play with i guess ;)

    1. Re:Interesting by OneEyedApe · · Score: 1

      "...turning toys/into tools..." -Skinny Puppy, Killing Game, off of Last Rights, if I recall correctly. Sums it up nicely, I think.

      --
      Life sucks, but death doesn't put out at all....
      --Thomas J. Kopp
  48. Re:Oh, so what up with the scissors and paste link by handsomepete · · Score: 1

    It's quite simple. Either the submitter or /. have resorted to not-so-well disguised subliminal advertising within submissions. Look how many people have questioned why those links exist - hell, the links are nearly slashdotted. Someone is making traffic revenue off that, I reckon... or maybe I need a bigger tinfoil hat. Whatever.

  49. My new business by enos · · Score: 1

    1. Make a Geek/English translator 2. ... 3. Profit!

    --
    boldly going forward, 'cause we can't find reverse
  50. Clarification by dew · · Score: 5, Informative

    Dan enjoys being witty with words. A "keiretsu" is a conglomeration of not-100%-related business units under a single roof. Mitsubishi makes cars and huge boats, Yamaha makes motorcycles and electronic synthesizers, etc.

    The Paketto Keiretsu is a conglomeration of program units that do really bastardized and interesting things with packet manipulation and flow. It's a catchy little title, I thought, but that's MHO. ;) Dan, for those curious, is (AFAIK) not proficient in Japanese. =)

    -david

    --

    David E. Weekly
    Code / Think / Teach / Learn
    h4x0r for

    1. Re:Clarification by ryochiji · · Score: 3, Interesting
      >A "keiretsu" is a conglomeration of not-100%-related business units under a single roof

      I happen to be Japanese, so I just thought it was rather...odd. Maybe it's because I've never seen the word "keiretsu" used in a context other than the one you described.

    2. Re:Clarification by Anonymous Coward · · Score: 0

      The word you are looking for is Zaibatsu. DAIWOO, Yamaha, Fuji, Mitsubishi... those are all Zaibatsu corporations.

      Note: I don't know Japanese, just played GTA2. ;)

    3. Re:Clarification by Anonymous Coward · · Score: 0

      noted.

    4. Re:Clarification by Anonymous Coward · · Score: 0

      Allow me to explain. You see, there are people in america who are as we say "hot shit". By using foreign words they barely understand to imply superiority, much like a bear stretching its arms outward to project size and strength.

    5. Re:Clarification by Anonymous Coward · · Score: 0

      Or perhaps they are just geeked out anime nerds.

    6. Re:Clarification by Anonymous Coward · · Score: 0

      Wow.
      First you try to correct a guy who is (apparently) natively Japanese

      Then you call a Korean company (Daewoo, not to mention spelled wrong) Japanese

      Then your correction is wrong in the first place; Zaibatsu is a more specific term

    7. Re:Clarification by Anonymous Coward · · Score: 0

      Thats my vote.
      pocket keiretsu
      In english packet
      In japanese Pokketto

    8. Re:Clarification by Anonymous Coward · · Score: 0

      A.) The guy who is "natively Japanese" said he had never heard the term.

      B.) I never said Daewoo was a Japanese company, but it defines the word Zaibatsu.

      C.) I didn't mean it as a correction, but I do know it is the more common term for "mega-corporation." It is correct I assure you.

    9. Re:Clarification by Anonymous Coward · · Score: 0

      Actually I think he just stole my name.

      Robin Keir

    10. Re:Clarification by Anonymous Coward · · Score: 0

      A) Wrong, I didn't see that anywhere. If he is Japanese, he does know this word (I do, and I'm not japanese)

      B) Right, Daewoo is a zaibatsu. More correctly (in Korean), it is a chaebol. In Chinese, chaebol and zaibatsu are written the same way.

      C) Zaibatsu is an older term with a different meaning, referring to pre-war family-run corporations like current Korean chaebol. But zaibatsu and keiretsu are used interchangeably all the time by people in the West, so you aren't too wrong.

    11. Re:Clarification by 4of12 · · Score: 2

      Thanks for the clarification.

      I've seen "keiretsu" previously.

      I've sometimes confused keiretsu with another Japanese word, "karoshi", which might just as well apply:)

      --
      "Provided by the management for your protection."
  51. Re:SHORTEST AND LONGEST BOOKS by rocketfairy · · Score: 0, Offtopic

    French gov't not nice to foreigners? Bollocks! The Vichy state was perfectly friendly to the Nazis.

  52. DOG Re:Go Dan! =) by Anonymous Coward · · Score: 0

    I was the Dog of the guy and can attest to nothing 'cause I don't understand this. But I had to pee on the floor way too much

  53. Re:Oh, so what up with the scissors and paste link by Effugas · · Score: 5, Interesting

    Cut and Paste. Linkcat lets you do that with packets :-)

    --Dan

  54. not possible by Anonymous Coward · · Score: 0

    Bandwidth MATH:
    1) assume that each scan probe is a byte and a reply is a byte.
    2) 65000 scans mean that 65000x2=130000 bytes were exchanged in 4 seconds, or in bps, we multiply by 8 to arrive at 1040000 bps or 1040kbps all across the organizations......

    Socket MATH:
    the scan requires at least 65535 sockets initiated, if sequential and each socket takes 4/60000 of a second to do, then this will happen in 4 seconds, not counting processing the replies.

    1. Re:not possible by Effugas · · Score: 4, Informative

      Scan requires one socket.

      Kernel has no idea what's going on, it RSTs anything it gets (which is fine by me).

      --Dan

  55. Re:hey by Anonymous Coward · · Score: 0
    I think that in light of this, the parent comment should be modded:
    • (-1, Trigger Happy) Because he didn't wait for an explanation of what the tool does before bashing it;
    • (-1, Troll) Because he explains what the tool does, and then admits in the end he has no clue;
    • (-1, Flamebait) Because the tone of the first sentence is quite inflammatory;
    • (-1, Overrated) Because it is overrated.
    (-1, Overrated) is perhaps the best one to choose, or else you'll be negatively metamoderated by people who didn't read the context (and I can quite understand them).

    Moderators, do your job!
  56. Odd links by Omniscient+Ferret · · Score: 2, Insightful

    Am I missing the importance of safety scissors & Elmer's glue? Or are the links on the parentheses around linkcat just for kicks?

    1. Re:Odd links by CoolVibe · · Score: 3, Informative

      safety scissors - Cut
      Elmer's glue - Paste

    2. Re:Odd links by Omniscient+Ferret · · Score: 1
  57. Don't be so anal by itwerx · · Score: 1

    If you read a little earlier in the comments you'll see that in order to prevent his site getting slashdotted he very kindly moved it to a temporary higher-capacity server.
    So yeah, maybe he didn't transition the site perfectly - just be glad you even got to see that URL!!

  58. Where? by Luke-Jr · · Score: 1

    Where can I get the mentioned programs?

    --
    Luke-Jr
  59. Re:SHORTEST AND LONGEST BOOKS by Anonymous Coward · · Score: 0

    yeah, that was pretty lame. you obviously don't have too much time infront of your computer hey?

  60. Re:hey by Anonymous Coward · · Score: 0

    My guess...

    "Paketto Keiretsu"

    Engrish: Paketto - Packet
    Japanese: Keiretsu - To crack..

  61. Re:not possible - bad math by Anonymous Coward · · Score: 0

    Correct Bandwidth Math:

    1) A scan is probably about 40 bytes (ip+tcp headers) + 40 bytes in reply, say 80 bytes. (Much more than the 2 you posit...)

    2) 65000 scans is 5200000 bytes, just under 5Mb.

    Pretty trivial to send 2.5 Mbytes in 4 seconds, and get 2.5Mbytes back again - that's about 600kbytes/second in each direction - well within the capacity of a standard 10M ethernet.

    Socket Math:

    What Dan Said. The whole point of these tools is they don't do stuff the 'conventional' way. I tried them, they work and are very fast...

  62. Re:Oh, so what up with the scissors and paste link by Soko · · Score: 2

    I saw that too. Sublime, yet obvious. Just beautiful. As is the rest of your work, BTW.

    A tip of my tin-foil hat to you, sir.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  63. Fun with errors? by LostCluster · · Score: 5, Informative

    Maybe it's too early for anybody to make sense of this thing... but here's what I've got so far: It seems that the great advance here is based on using the IP protocol all by itself in situations where conventionally we use TCP wrapping IP. (Remember class, we had a discussion on leaky abstractions recently where we remembered that TCP is what we use when we want to forget that IP exists.) By taking advantage of obscure parts of the IP protocol that we don't usually concern ourselves with, he's been able to use intentionally wayward packets to learn about the network. For example, sending an IP packet with a hopelessly short time to live to take advantage of the fact that whoever has the packet when it times out is supposed to send back a packet indicating that error. Turns out most routers do, so he collects that information and gets a traceroute that can go into places where a traditional traceroute meets with a firewall. And that brings up the potentially dangerous side of things. This flies below our radars, it stays below our firewalls. His packets never go higher than the IP layer of our OSI model stack. (Remember that 7-layer thing that we all had to memorize in networking classes...) I'm not quite sure yet what poking around there gets them other than network topology info, but I kinda get the feeling that if there is something destructive that can be done, we're gonna get blindsided with it.

    1. Re:Fun with errors? by Angry+White+Guy · · Score: 2, Interesting

      How about fun with lots of errors. If you can manipulate ip enough to do this, what's to say that you can't redirect that in a giant smurfing of the internet. 65k packets in 4 seconds could easily clog a semi-full link, if it was sustained.

      It's a layer 2 /. effect!

      --
      You think that I'm crazy, you should see this guy!
    2. Re:Fun with errors? by Penguin+Follower · · Score: 2, Informative

      "I'm not quite sure yet what poking around there gets them other than network topology info, but I kinda get the feeling that if there is something destructive that can be done, we're gonna get blindsided with it."

      Ditto... You're not the only one worried about it!

    3. Re:Fun with errors? by brianvan · · Score: 2

      Can someone hack a highly "secure" network with this? Well, they can certainly see and do things that normally cannot be seen or done, but I'm frankly not overly worried about intruder access with this. I think there's more of a threat from crackers thoroughly violating an unsecured SQL server setup, and there doesn't have to be a terrible lot of skill in that.

      This, however, puts a whole new angle on espionage, insider corruption, coordinated intruder-assisted theft and cracking, and possibly underground peer-to-peer networks. Just to get the tip of the iceberg.

      One would argue that some of this stuff may not be new, but it's certainly the first I'm hearing of any such tools or concepts being used.

      I like the LC program a lot. Someone could build a whole new network on that concept. It probably doesn't make much sense outright, but I can see all kinds of nasty tricks being played with that. That traceroute-like tool is also impressive... it could be downright dangerous for certain people with a level of network knowledge and intent of evil far beyond mine.

    4. Re:Fun with errors? by DarkZero · · Score: 5, Insightful

      I'm not quite sure yet what poking around there gets them other than network topology info, but I kinda get the feeling that if there is something destructive that can be done, we're gonna get blindsided with it.

      The guy that came up with this released it so that we can all see it, use it, understand it, and adapt to the problems that come with it. That's not "getting blindsided". Getting blindsided is the guy that came up with it realizing that incredible destructive power may be in his hands and that he could just use it right then and there when no one even understands what he's doing on a very basic level.

      Since this is just a rearranging of what was already in TCP/IP, it was already there, sitting in some deep corner of the internet and the logic of how it works. Rather than being afraid of what it could do, I'm just thankful that the guy that found it decided to let everyone know about it so that we can take advantage of its good parts and protect ourselves against its bad parts.

  64. Loose Source Route scanner and tunnels by lamour · · Score: 4, Interesting

    A friend of mine wrote an LSR scanner and an LSR tunnel tool which you probably won't understand either. Go get them, play with them, and then think about what it means. Here's his short paper on LSR.

    While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about. ;-)

    IMHO,
    Michael

    1. Re:Loose Source Route scanner and tunnels by Effugas · · Score: 3, Interesting

      Michael--

      Funny story, actually.

      For quite a while, I thought IP Options just didn't work in the Core...wasn't till recently that I discovered the two PIXes I live behind block them uncontrollably.

      Scanrand's traceroute mode will eventually support some remote mesh discovery using LSRR. Thanks for the link! This will help immensely.

      --Dan

  65. Warning Geek at Work by cranos · · Score: 3, Insightful

    Okay first off let me say I am not a TCP/IP expert by any means however this does present some interesting points.

    Firstly as a poster has noted before, by going under the radar by directly using the IP layer, this is going to open up a whole new rash of attack methods which we would be much better investigating and defending against.

    Secondly, I think it's cool, it renews my faith in the basic tenet of geekdom - play with it until you break it, then learn to fix it again.

    1. Re:Warning Geek at Work by Anonymous Coward · · Score: 0

      Everyone's focusing on the possibility for attacks and getting scared and so on; That's a weak attitude to take.

      How about looking at research that allows 4 second network scans, and going WOW! Network video streaming just got a shitload more efficient. Or, I can now security scan my network in a fraction of the time it used to take.

      There are a LOT of good things that will come out of this guy's work.

    2. Re:Warning Geek at Work by Effugas · · Score: 2

      PK 2.0 will do some really, really cool things with video streaming. The idea is to take multicast -- which doesn't work over the internet -- and confine it to a single subnet. So there's a unicast IP that shows up and handles traffic everyone wants, with replies coming back to that IP. But guess what the MAC address of that IP is...

      FF:FF:FF:FF:FF:FF

      --Dan
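
The mapping Dan describes above, a unicast IP that resolves to the Ethernet broadcast address, is easy to spot in a host's ARP table. The following is an added example, not code from the Paketto Keiretsu project or from anyone in this thread: it parses `arp -an`-style lines (the sample table is constructed) and flags any unicast IP whose hardware address has the group (I/G) bit set, which covers both the all-ones broadcast address and 01:00:5e-style multicast addresses.

```python
"""Audit an ARP table for unicast IPs mapped to a broadcast/multicast MAC.

Added example, not the Paketto Keiretsu project's code. A unicast IP whose ARP
entry is FF:FF:FF:FF:FF:FF means every frame for that IP is flooded to every
host on the segment. The table below is constructed, in Linux `arp -an` style.
"""
import ipaddress
import re

# Constructed sample: two ordinary entries, one broadcast mapping, one multicast mapping.
SAMPLE_ARP_TABLE = """\
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.7) at ff:ff:ff:ff:ff:ff [ether] on eth0
? (10.0.0.9) at 00:11:22:33:44:66 [ether] on eth0
? (10.0.0.12) at 01:00:5e:01:02:03 [ether] on eth0
? (10.0.0.20) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp_table(text):
    """Return (ip, mac) pairs from arp -an output; incomplete entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def is_group_mac(mac):
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 1


def find_group_mapped_unicast(text):
    """Unicast IPs whose resolved MAC is a group (broadcast or multicast) address.

    IP multicast addresses legitimately map to 01:00:5e MACs, so they are excluded.
    """
    findings = []
    for ip, mac in parse_arp_table(text):
        addr = ipaddress.ip_address(ip)
        if not addr.is_multicast and is_group_mac(mac):
            findings.append((ip, mac))
    return findings


if __name__ == "__main__":
    for ip, mac in find_group_mapped_unicast(SAMPLE_ARP_TABLE):
        print(f"unicast {ip} resolves to group MAC {mac}: its frames reach every host on the segment")
```

On a real host, feed the output of `arp -an` (or `ip neigh`, after adjusting the regex) into `find_group_mapped_unicast`; a hit is worth a look at who answered the ARP request for that address.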

  66. From the author's description. (on DoxPara) by tolan-b · · Score: 0

    funnily enough Dan Kaminsky himself begins describing LinkCat:

    "
    I've got a wire. I want to talk on it -- but I can't, I've got all these sockets and programs and limitations in the way. Or at least, I had them.

    1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.

    3) Profit.
    "

    absolutely priceless :)

  67. oops.. by tolan-b · · Score: 0

    forgot the main reason of my post which is that he wrote a nice description for those with a clue, but without hardcore knowledge of the lower levels of tcp/ip. 'tis here

  68. MOD ALL PARENTS DOWN!! by Anonymous Coward · · Score: 0, Offtopic

    Since this is thick and requires people to actually read the links to actually understand what's being discussed, of course every post within the first minutes of this thread is of the inane nature of somebody who doesn't understand what this is about. Yet, instead of filtering these clueless posters out... they get mod points for "Funny". Huh? I don't think there's anything funny in people proclaiming they know nothing in an attempt to do slightly better than just try to blurt out "First Post!" Moderators, there's a lot of Overrated (-1)'s that need to be applied up here...

  69. Re:hey by photon317 · · Score: 2

    Moron. This guy's got skills, and you don't even see it. These tools are very impressive. Paketto Keiretsu is to nmap what a Ferrari is to a Pinto.

    --
    11*43+456^2
  70. Amen by arcadum · · Score: 0, Troll
    WTF?

    I became equally disillusioned and have been trolling since...

    I wrote an article about my diversion at About.com

  71. keiretsu by Anonymous Coward · · Score: 1, Informative

    a keiretsu is actually a little more than just the word for corporation. it's a structure whereby multiple companies own stock in each other in a ring formation. so A owns stock in B which owns stock in C which owns stock in A. good and bad theories on the purpose. some think it's a useful way of monitoring performance because companies are watching other companies (but are in turn being watched etc...) which is more efficient than individual shareholders watching companies. others think it's a way for managers to remain entrenched (i won't vote to fire you if you don't vote to fire me). not sure what any of that has to do with packet scanning/mangling tools.

    1. Re:keiretsu by DarkZero · · Score: 2

      A Japanese culture geek put together a set of tools that have nothing to do with one another in one package and figured that it's sort of like a keiretsu, since those companies usually produce varied products that have nothing to do with one another, like jet skis and keyboards.

    2. Re:keiretsu by Effugas · · Score: 3, Informative

      Well, it's a bit more complex than that. Scanrand was branched to form Paratrace. Linkcat's -f/-F flags output integers suitable for graphing by Phentropy. Minewt gets its ass kicked by scanrand, and will eventually support the ethernet crypto of linkcat.

      --Dan

  72. So.. by mindstrm · · Score: 1

    why not mention those 3 commercial products? Provide some enlightenment here instead of just saying "no big deal"

    The point isn't that he can send raw packets, it's that he can send them in a useful, simple way.

  73. XBox article in disguise?! by Viewsonic · · Score: 0, Offtopic

    If you put all the words backwards and rearrange them just a little the article says "Buy an XBox" over and over. Damnit, I thought Slashdot would at least go a DAY without another XBox promo..

    And in other news, METROID PRIME IS OUT !!! GameCube Platinum with Metroid bundle = $169!!

  74. I think this sums it up nicely... by sfgoth · · Score: 2

    It's by far the best meta-slashdot comment I've ever read:

    http://apple.slashdot.org/comments.pl?sid=44091&cid=4592270

  75. Caffeine by Anonymous Coward · · Score: 0

    drink less of it :)

    Chris Knight: ... I am only saying that because I care - there's a lot of decaffeinated brands on the market that are just as tasty as the real thing.

  76. Holy bejesus... by xchino · · Score: 1

    "8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds.."

    God damnit. It doesn't take an ISS consultant to figure out that the above stats + a slapper/scalper worm = Oh shit some monday morning when one arrives at work. Above stats + asiapacific spammers = Useless mailboxes

    Seriously, if these stats hold true it could streamline the whole process of scanning for exploitable hosts to a degree that if your service is exploitable it will be exploited. Kinda scary to me..

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.

    1. Re:Holy bejesus... by cyberon22 · · Score: 2

      It would discover which hosts are running webservers... but presumably not which webservers are exploitable. Mind you, that this speeds up the task of identifying webservers at all makes it really bad news for anyone (like me) who runs a relatively-secure webserver at home, but doesn't take the care to upgrade it more than once a month.

      This is also where someone corrects me for not knowing what I'm talking about. Kudos to Dan for putting these tools online though. As a Linux user, I'm thrilled to have new and cool stuff to play with.

      Mmmmmminewt. :)

    2. Re:Holy bejesus... by alizard · · Score: 2

      Seriously, if these stats hold true it could streamline the whole process of scanning for exploitable hosts to a degree that if your service is exploitable it will be exploited. Kinda scary to me..

      Isn't that the assumption anyone who has to secure a server or network is supposed to work under?

    3. Re:Holy bejesus... by xchino · · Score: 1

      True it wouldn't be able to test servers for exploitability, but at scan rates that fast, who needs to? Just run your exploit against all servers in the list you've found.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.

  77. Yeah. by blair1q · · Score: 2

    I remember my first checksum.

  78. Neat hacks, but not profound discoveries by Animats · · Score: 3, Interesting

    Yes, you can do this stuff, but it's not that profound.

    His "router" seems pointless, unless it's attached to someone else's LAN. Yes, you can write a single-port NAT router that allows multiple machines on the same LAN to have the same IP address. But then they can't talk to each other. (They can talk to the "router" and perhaps, via it, the outside world.) Apparently he did this to get around some restriction on his dorm LAN in college.

    1. Re:Neat hacks, but not profound discoveries by Effugas · · Score: 3, Interesting

      College was entertaining. Damn near got kicked out translating Windows print requests to the local Novell printers, so people could avoid installing Client32.

      Anyway, I used Proxy ARP to get around college LAN restrictions. I couldn't have done Minewt way back when. Minewt is an extension of Doxroute, which was written to allow routing rules based on anything I damn well felt like.

      --Dan

  79. TCP traceroute by Animats · · Score: 3, Informative

    Yes, with this you can do traceroutes through firewalls that block ICMP, but pass TCP. That could actually be useful.

    TCP Traceroute is useful enough that it's already been implemented by somebody else. GPL, and for Linux, with an RPM available, even.

  80. Re:+1 Funny by multisync · · Score: 1

    +1 Insightful

    --
    I don't care why you're posting AC

  81. nice... check the parent link... by netsrek · · Score: 2

    Hey thanks for that. most informative... alas no mod points...

    --

    i don't read slashdot anymore.

  82. Ping of Death! by SaxMaster · · Score: 2, Funny

    He who sendith the Ping of Death must answer thee these packets three. Ere the other router he see...

    --
    "Dancing is the vertical expression of a horizontal desire" --Robert Frost

  83. Another unintended use of protocols by Anonymous Coward · · Score: 1, Informative

    People interested in this might also be interested in, "Covert Channels in the TCP/IP Protocol Suite".

  84. Re:Oh, so what up with the scissors and paste link by Anonymous Coward · · Score: 0

    some day you will find yourself senile, requiring medical attention, speaking in a language that you once taught yourself and ONLY yourself to speak. then you'll die, thinking that the doctor "should have just understood you"

  85. Nitpicking by Bartmoss · · Score: 2

    There is no Class B. It's called a /16.

  86. Errr...uhm...what was that in the middle part? by Qbertino · · Score: 2

    Warning: Serious TCP/IP territory here!
    Off limits for ye olde slashdotters.

    Let me first get the Crab-Book (http://www.oreilly.com/catalog/tcp3/) and read it. And then post this thing again a half a year later, so I can add my smartass remark.

    Here's for the ones who like pictures (Hehehe...):
    http://www.aw.com/catalog/academic/product/1,4096,0201776316,00.html

    Geez, I really have to get my TCP/IP sorted out. This stuff sounds too cool to miss out.

    --
    We suffer more in our imagination than in reality. - Seneca

  87. Re:Oh, so what up with the scissors and paste link by baptiste · · Score: 2

    Cut and Paste. Linkcat lets you do that with packets :-)

    This, sir, was genius. After reading your presentation at 5AM and not having my head explode, seeing this made me laugh out loud. I'd love to see the look on some webmaster's face trying to figure out why their obscure online store got so much traffic in a 4 hour window their server crashed.

    "Linkcat? Whats that? Is Radio Shack giving away useless toys again? Who are all these geeks and why did they crash my store? Hey Lloyd, we better quadruple our stock of scissors - don't ask!"

  88. Paranoia is still a virtue by wiredog · · Score: 2

    Personally, I regard paranoia as a necessity.

    1. Re:Paranoia is still a virtue by Anonymous Coward · · Score: 0

      just because you're paranoid
      don't mean they're not after you
      </cobain>

    2. Re:Paranoia is still a virtue by Anonymous Coward · · Score: 0

      Relax... You're not paranoid.

      We're really out to get you...

  89. Nano Prob Technology? by Anonymous Coward · · Score: 0

    I bet you this new scanner is EXACTLY what Steve Gibson over at grc.com is claiming to have done with his "nano probe technology" http://grc.com/np/np.htm which can instantly scan a huge network. He's been promising this for at least a year with no sign of release date. The reason I believe this to be true is because he supposedly created syn-cookies on his own without the knowledge that it even existed and this fast scanner uses syn-cookie technology to work.

    1. Re:Nano Prob Technology? by Effugas · · Score: 4, Funny

      I don't get it :-) It's the least impressive work I've done, but it's what everyone talks about, and then everyone says it's not so technically impressive... well duh :-)

      If it didn't support stateless tracerouting w/ passive hopcount detection and split mode operation, I'd almost be too embarrassed to release it.

      --Dan
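
The parent post ties the scanner's speed to SYN-cookie-style logic. What follows is an added example, not scanrand's code and not anything posted in this thread, showing the idea in isolation: each probe's TCP initial sequence number is a keyed hash of the probed address and port, so a SYN/ACK can be validated purely from its acknowledgement number, with no table of outstanding probes, and a host cannot manufacture "valid" replies for probes that were never sent. The key, addresses and reply tuples are all constructed; the hash construction (HMAC-SHA256 truncated to 32 bits) is this example's choice, not a statement of what scanrand does.

```python
"""Inverse SYN cookies: validating SYN/ACK replies without per-probe state.

Added example, not scanrand's own code. The sender derives each TCP initial
sequence number (ISN) from HMAC(key, ip || port). A genuine SYN/ACK
acknowledges ISN + 1, so the reply itself proves that the probe was sent.
The key, addresses and replies below are constructed.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def cookie_isn(key: bytes, ip: str, port: int) -> int:
    """32-bit ISN: first four bytes of HMAC-SHA256(key, ip || port)."""
    msg = ip.encode() + struct.pack("!H", port)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def validate_syn_ack(key: bytes, src_ip: str, src_port: int, ack_number: int) -> bool:
    """True if a SYN/ACK from src_ip:src_port acknowledges the cookie ISN + 1 (mod 2**32)."""
    expected = (cookie_isn(key, src_ip, src_port) + 1) & MASK32
    return hmac.compare_digest(struct.pack("!I", expected),
                               struct.pack("!I", ack_number & MASK32))


def classify_replies(key: bytes, replies):
    """Split (src_ip, src_port, ack) tuples into accepted and rejected (ip, port) lists."""
    accepted, rejected = [], []
    for src_ip, src_port, ack in replies:
        bucket = accepted if validate_syn_ack(key, src_ip, src_port, ack) else rejected
        bucket.append((src_ip, src_port))
    return accepted, rejected


# Constructed scenario: two genuine replies plus one for a port that was never probed,
# which reuses an acknowledgement number observed on another reply.
KEY = b"constructed-demo-key"
GENUINE_80 = (cookie_isn(KEY, "192.0.2.10", 80) + 1) & MASK32
GENUINE_443 = (cookie_isn(KEY, "192.0.2.11", 443) + 1) & MASK32
SAMPLE_REPLIES = [
    ("192.0.2.10", 80, GENUINE_80),
    ("192.0.2.11", 443, GENUINE_443),
    ("192.0.2.10", 8080, GENUINE_80),   # forged: no cookie was ever issued for port 8080
]

if __name__ == "__main__":
    ok, bad = classify_replies(KEY, SAMPLE_REPLIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The same keyed-hash trick with the roles reversed is what a server does with ordinary SYN cookies under a SYN flood: it encodes the connection parameters in its own ISN instead of allocating state, and only an ACK that echoes ISN + 1 gets a socket.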

  90. Interesting stuff. by turambar386 · · Score: 1

    I'll have to play with this some. Then I'll have to figure out how the hell to write Firewall-1 rules to mess with anyone using it to scan my network..

  91. Re:Reminds me a lot of work done at USANC in the ' by Anonymous Coward · · Score: 0

    This is complete nonsense...

  92. Re:hey by Anonymous Coward · · Score: 0

    fuckin' penis popper... find something better to do

  93. Reminds Me of Total BS by Anonymous Coward · · Score: 0

    This is total bullshit. Why do people moderate stuff they do not actually understand?

  94. paratrace - not through all firewalls by feepcreature · · Score: 1

    Paratrace may not be that all-pervasive.
    ...The resultant ICMP Time Exceeded replies are analyzed...

    Nutshell summary: this uses an existing open TCP connection to run a traceroute through a firewall that would otherwise tell you to take off. I could certainly see this being useful.

    If this works by causing ICMP time exceeded packets to be generated, a suitably paranoid firewall will drop the time exceeded responses just as readily as it would drop ICMP Echo responses from a normal traceroute.

    You can be as secure as you want to be.

    P.

    --
    Paul "Say no to feeping creaturism"
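
Paul's point above is that the ICMP Time Exceeded replies are the visible side effect, and a firewall can drop them. The other side effect is visible in the TCP flow itself: a connection whose segments normally arrive with a stable TTL suddenly carries a run of small, ascending TTLs. The following is an added example, not part of paratrace or of this thread, that looks for that pattern in per-segment records a sensor might log; the record format `(src, sport, dst, dport, ttl)`, the thresholds and the sample data are all constructed for the example.

```python
"""Spot traceroute-style TTL walking inside an established TCP connection.

Added example, not paratrace's code. Walking the TTL upward on a live TCP
connection makes each router on the path emit ICMP Time Exceeded; on the
sender's side of a sensor the tell-tale is a flow whose TTL, otherwise
stable, shows a run of small ascending values. Records below are constructed.
"""
from collections import defaultdict

# Constructed sample flow records: (src, sport, dst, dport, ttl) as seen at a sensor.
SAMPLE_SEGMENTS = [
    # an ordinary flow: TTL stays at 64
    ("10.0.0.5", 40000, "198.51.100.8", 80, 64),
    ("10.0.0.5", 40000, "198.51.100.8", 80, 64),
    ("10.0.0.5", 40000, "198.51.100.8", 80, 64),
    # a flow that starts normally, then walks TTL 1..5, then resumes
    ("10.0.0.6", 40001, "198.51.100.8", 80, 64),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 64),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 1),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 2),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 3),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 4),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 5),
    ("10.0.0.6", 40001, "198.51.100.8", 80, 64),
]


def group_by_flow(segments):
    """Map each 4-tuple to the list of TTLs seen on it, in arrival order."""
    flows = defaultdict(list)
    for src, sport, dst, dport, ttl in segments:
        flows[(src, sport, dst, dport)].append(ttl)
    return flows


def longest_ascending_low_run(ttls, low_ttl=16):
    """Length of the longest run of strictly increasing TTLs all below low_ttl."""
    best = run = 0
    prev = None
    for ttl in ttls:
        if ttl >= low_ttl:
            run, prev = 0, None
            continue
        run = run + 1 if prev is not None and ttl > prev else 1
        prev = ttl
        best = max(best, run)
    return best


def find_ttl_walking(segments, min_run=3, low_ttl=16):
    """Flows that mix normal-TTL segments with a run of ascending low TTLs.

    Requiring a normal-TTL segment in the same flow (max TTL >= low_ttl) avoids
    flagging a host that simply uses a tiny default TTL for everything. Returns
    {flow: run_length}.
    """
    suspicious = {}
    for flow, ttls in group_by_flow(segments).items():
        run = longest_ascending_low_run(ttls, low_ttl)
        if run >= min_run and max(ttls) >= low_ttl:
            suspicious[flow] = run
    return suspicious


if __name__ == "__main__":
    for flow, run in find_ttl_walking(SAMPLE_SEGMENTS).items():
        print(f"{flow}: {run} ascending low-TTL segments inside an established flow")
```

Dropping outbound ICMP Time Exceeded at the perimeter, as the post suggests, blinds the trace; this check is the complementary log-side view, and it works from the sender's own segments rather than from the replies.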

  95. "I'm quite trustable" by Anonymous Coward · · Score: 0

    .......said the shifty fellow.

  96. Re:Reminds me a lot of work done at USANC in the ' by Anonymous Coward · · Score: 0

    UANC! I wank! We all wank for... ice cream?

    Must be cold out.

  97. Re:Reminds me a lot of work done at USANC in the ' by Anonymous Coward · · Score: 0

    Why would someone wank for ice cream if it's cold out?

  98. It's "Protecting against the bad parts" by complexmath · · Score: 1

    that will be the challenge. Remember, these are completely legitimate uses of the IP protocol. It's not like we could (probably) detect any of these techniques.

    The traceroute bit offers some interesting MITM possibilities. Yes, it requires a connection to be established, which assumes that the client is legitimate, but what about someone upstream that's messing with the IP packet before passing it on?

    All in all these are incredibly clever hacks. My compliments to the chef.

  99. Hi - have you submitted this to the USPTA? by martintt · · Score: 1

    From the quality of the work here you should get some recognition. There really should be an award for stuff like this. It's first class and thoroughly deserves the score 5, it's a great pity you at the UANC don't believe in karma.

    Very effective stuff! I applaud your work wholeheartedly!

    --
    And bigger trolls have lesser trolls and so ad-infinitum.

  100. Re:hey by Effugas · · Score: 2

    nmap's much more mature and reliable -- but perhaps its reliability starts too early...

  101. Notice.. by mindstrm · · Score: 2

    I said "probably", implying to everyone but you that I don't KNOW what it used, because I haven't read the article yet.

    Next time, be more fucking polite.

  102. yup. by Anonymous Coward · · Score: 0

    windoze blows.

  103. Last Post! by alpg · · Score: 1

    Okay, Okay -- I admit it. You didn't change that program that worked
    just a little while ago; I inserted some random characters into the
    executable. Please forgive me. You can recover the file by typing in
    the code over again, since I also removed the source.

    - this post brought to you by the Automated Last Post Generator...