Slashdot Mirror

← Back to Stories (view on slashdot.org)

Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release

Posted by timothy on from the read-among-the-lines dept.

Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessable without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left...creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against eachother, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc ( linkcat ), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrila Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".) In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."

5 of 303 comments (clear)

  1. Re:That's insane! by Anonymous Coward · · Score: 4, Interesting

    Um, not that I would know anything about scanning that many addresses, but most of the portscanners out now can only handle 20 or so simultaneous connections and have a 2-3 second timeout. So it would depend how fast the hosts respond and what % have servers. I imagine it would be in the realm of 30 minutes or so for this network.

  2. Re:Oh, so what up with the scissors and paste link by Effugas · · Score: 5, Interesting

    Cut and Paste. Linkcat lets you do that with packets :-)

    --Dan

  3. Re:scanrand and paratrace by Electrum · · Score: 5, Interesting

    I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?

    I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.

    Because it allows much faster scanning than can be done with a traditional scanner. You need to understand SYN cookies:

    http://cr.yp.to/syncookies.html

    Instead of sending a SYN and waiting for the response, as a normal scanner has to do, scanrand sends thousands of SYN packets at once, without tracking them. It determines the port based on the ``inverse SYN cookie'' that the response contains.

  4. Re:translation by ryanr · · Score: 5, Interesting

    They're just a little bit more than slightly different. Try them out, you might be surprised.

    Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.

  5. Loose Source Route scanner and tunnels by lamour · · Score: 4, Interesting

    A friend of mine wrote an LSR scanner and an LSR tunnel tool which you probably won't understand either. Go get them, play with them, and then think about what it means. Here's his short paper on LSR.

    While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about. ;-)

    IMHO,
    Michael