Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release

Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessable without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left...creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against eachother, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc ( linkcat ), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrila Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".) In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."

That's Great

[cscx]

Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

What language?

[StillAnonymous]

Lingua Reseaux? The Paketto Keiretsu? What's this guy been smoking? I'm not sure what's worse, pretentious techno-Latin babble, or "lol, k thx bye" MSN-speak.

Reminds me a lot of work done at USANC in the '90s

This is similar to the work we did at UANC in the 1996 era. We did a lot of thing with source fragmenting of ethernet moduli, so to speak. This person's research is eerily similar, but clearly his own. I am not posting to claim copyright, blah blah. Just to point out the respect I have for someone who made it "this far!"

One of the things we did was design an ethernet hashing system that would function sort of like a dynamic roulette wheel of SYN types and packet sequence numbers. Using differing protocol sweeps, we could monitor different states without creating state ourselves! The ultimate goal was to provide inverse cascade across multiple routers and switches, allowing an attack to be sourced directly to a particular ethernet interface without the attacker's spoofing even mattering. By rotating state in real-time, using different queueing techniques, we could esentially traverse the entire network, sort of a big de-randomized traceroute, and virtually re-route all attack traffic back into the ethernet "netherworld", in a nutshell.

Very advanced stuff! I applaud your work wholeheartedly!

Re:Go Dan! =)

[unicron]

You weren't exactly his girlfriend, you were more of that thing that stood on that bridge and wouldn't let people cross until they answered riddles.

Re:Note to the editors:

[ProtonMotiveForce]

The purpose is obvious - win at Bullshit Bingo!

Looks like a lot of big words thrown about so it looks a lot more important than it is. We've revolutionized.. something or other.

Why, look at all these cool (i.e. standard, well known) things we've done with OpenSSH!

My Grandma's done most of those things with SSH, I don't see her publishing a PDF on it.

Amen

[arcadum]

WTF?

I became equally disillusioned and have been trolling since...

I wrote an article about my dirersion at About.com