Slashdot Mirror
Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release
Effugas writes "After pushing OpenSSH
to perform feats of secure tunneling far beyond what I ever expected it could
do, it became clear that some genuinely useful modes of network operation were
simply inaccessable without either replacing or manipulating core network protocols.
Since the basic infrastructure of the Internet isn't likely to change any time
soon, that left...creative manipulation and reconstruction of the Lingua Reseaux:
TCP/IP. Taking advantage of expectations,
pitting layers against eachother, finding new uses for old options and data fields -- instead of simply
unleashing the latest incarnation of some "Ping of Death", could such work
unveil hidden functionality within existing networks? As I discussed at
Black Hat 2002 and the inimitable
Defcon X, the answer is yes. And now,
proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP),
The Paketto Keiretsu, Version 1.0,
is a collection of five interwoven
"proof of concepts" that explore, extract, and expose previously
untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.
The five --
scanrand,
minewt,
lc
(
linkcat
),
paratrace,
and the OpenQVIS
cross-disciplinary-a-go-go phentropy --
demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrila Multicast, Parasitic Tracerouting, Ethernet Trailer
Cryptography, and quite a bit more. (For details, stop by DoxPara Research
or check out the latest slides. The academic paper is coming "soon".)
In terms of actual usefulness, scanrand is no
nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B,
scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
...how I wish Babel Fish would have a Geek->English translation option...
Anyone here want to sum it up IN PLAIN ENGLISH, without involving beowulf clusters or "Profit!"?
I roomed with the guy and can attest to the year or so he spent cobbling this stuff together. Go Dan!!
-david
David E. Weekly
Code / Think / Teach / Learn
h4x0r for
linkcat, scissors and glue. is there a hidden meaning?
"a quote" -me
"During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?
Hi - www.doxpara.com is temporarily pointed at shaitan.lightconsulting.com, a quad Xeon hosted at Via.net in Palo Alto. Please be nice to my server so I don't have to drive over there and fix it...
-- thalakan
What'd he say?
What'd he say?
time to go back to TCP/IP Network Administration to learn how to decode this Slashdot article...
Just raise the taxes on crack.
How come I go through my day feeling my little code is soo smart until I log in to Slasdot and read about C-level hacking of the core infrastructure of the internet by gods on human thrones and feel like a little 1st grader who has to deliver a note to a sixth grade teacher and marvels at the complex stuff on the chalk board....
*sigh*... I'm important! I swear...
Bruce Werner http://www.kidventus.com
keiretsu = corportation/firm in japanese
packetto = loan worn (usually in katakana) meaning packet.
ie.. Packet Company in Japanese
Yeah, because if it takes em all night to scan the network they're less likely to get in right?
Long ago, when I was first thinking of network security as a career field, I thought "in a few years there might not be enough work to go around..." It looks like it could be another record year.
What's up with the pseudo-Japanese name?
---
Open Source Shirts
Granted, most of that post was Greek to me, it's still interesting in that I think in any technology or practically any invention, people will find ways to make them do things never even conceived of by the originator. Coming up with new uses for obscure parts of the TCP/IP stack isn't really any different than other inventive uses for common, everyday items. In all actuality, I think it's all about the oft-used phrase, "thinking outside the box."
I will post a comment here when I'm done reading the main abstract and supplementaries. I'm also hoping to earn a PhD by proxy. Anyone got a text to speech adapter, it might be nice to hear this in my sleep. Seriously, this d00d got skillz.
"This isn't a study in computer science, its a study in human behavior"
This is similar to the work we did at UANC in the 1996 era. We did a lot of thing with source fragmenting of ethernet moduli, so to speak. This person's research is eerily similar, but clearly his own. I am not posting to claim copyright, blah blah. Just to point out the respect I have for someone who made it "this far!"
One of the things we did was design an ethernet hashing system that would function sort of like a dynamic roulette wheel of SYN types and packet sequence numbers. Using differing protocol sweeps, we could monitor different states without creating state ourselves! The ultimate goal was to provide inverse cascade across multiple routers and switches, allowing an attack to be sourced directly to a particular ethernet interface without the attacker's spoofing even mattering. By rotating state in real-time, using different queueing techniques, we could esentially traverse the entire network, sort of a big de-randomized traceroute, and virtually re-route all attack traffic back into the ethernet "netherworld", in a nutshell.
Very advanced stuff! I applaud your work wholeheartedly!
i don't know a damn thing about what this story is talking about, but i've never been more scared in my life
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Nobody on their death bed ever said "I wish I had spent more time alone in front of my computer".
I imagine this guy would have said something along those lines.
Have you been stalked by Seth today?
1. I have plenty of time to play with it.
2. I don't have to worry about someone doing it to me.
Is anyone working on SNORT signatures for this stuff?
Do you even know what this stuff does?
Most of it has little direct cracking application that I can see. We have a fancy traceroute, a system allowing multiple hosts to share an IP address and still get the correct data through MAC address translation.
I can see where scanrand could be abused, but it won't be until someone writes a script for the script kiddies to use.
As for the idea of security through not telling anyone, read The Cuckoo's Egg and study up on the Internet Worm to figure out why that idea is completely idiotic.
loan word.. loan word..
sheesh!
The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.
;)
Hmm let me guess you have to compile this as root, after that it will give "proof of concept" to the black hat 2002 people that indeed there are previously untapped capacities deep within my server, somewhere remotely hidden on the outer reaches of my port range?
He should have spent more time writing decent error pages for his website, ones that don't reveal the absolute path directory structure to his stuff. Try clicking on the "paratrace" link from the slashdot story and you'll see this URL in your browser's bar:
d ox para/writings/docs/paratrace.xml
http://www.doxpara.com/404.php?f=/home/effugas/
Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.
:)
great idea, finally someone get's it
I just wish I understood half of it.
It's Christmas everyday with BitTorrent.
Let's see...
ping 160.1.255.255
Duck and cover, here comes the smurf...
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
The "paratrace" program is quite interesting-- from the README:
Nutshell summary: this uses an existing open TCP connection to run a traceroute through a firewall that would otherwise tell you to take off. I could certainly see this being useful.
Some good background reading on O'Reilly's Safari online books site if your TCP/IP internals are a bit rusty:
Internet Core Protocols: The Definitive Guide
TCP/IP Illustrated, Volume 1: The Protocols
Because most people won't lift a finger when someone says "theoretical" or "possible" or "probable" -- but watch those deadlines jump up when you have an actual break in!
Because insurance companies don't require an authorized audit of computer security (yet), most places are wide-open. Think of this as the example of how to start fires, and why the government should have laws about the fire protection that public theatres (ecommerce sites) should have. Most companies are happy to let a room full of patrons burn to death -- that's why we need examples and government intervention. Besides, I'd rather that fellows like this release what they've been working on, so I know what to look out for, and can apply their methods against my systems at leisure in order to find problems and address them.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
admittedly, he uses some cool techniques and goes pretty low level to achieve many of these things (and the tracing, sniffing, and broadcasting techniques are probably not logged by most firewalls/routers and/or can slip detection).
and that's a pretty fast scan utility. however, esoteric tools like this exist all over the place, and though interesting, this is nothing revolutionary. well, compared to the intel pentium iii processor which lets me not just get onto the internet, but get into it.
-fren
"Where are we going, and why am I in this handbasket?"
Welcome to the dumbing down of /.
This is News for Nerds - if it was something joe-shmoe Wallstreet journal reader could understand, then it would be in the Wallstreet Journal. If you don't understand it, LOOK IT UP.
Um, I'm so confused about the scissors and paste that I need to sit down. Note the links attributed to the open and close parens around 'linkcat'
(linkcat)
Would someone please call me dumb and tell me the answer?
"You never know when some crazed rodent with cold feet might be running loose in your pants."
-Calvin
I can haxor the Gibson and become 3l33t
OK, this pretty much pushes me over. I've been considering becoming a slashdot troll for some time and I think this article finishes it. First interesting story in a week or two. It gets more moronic posts than anything I've ever seen on slashdot. The best posts here are of the type "this is way over my head". If this is over your head, but you think it's interesting stfu and don't post anything. I don't even want to talk about others.
The compost bin story got a more meaningful discussion that this.
90% of people here think that case mods are cool
99% of people here look at a program which allows you to traceroute without icmp or udp (just to name one thing) and say "yeah, but what's the use"?
WTF?
I shall go and troll in the story about case with 6 neon lights attached to it now. See ya.
I passed the Turing test.
he wrote some new tools that are like the tools we already have but implemented in a slightly different way
Slightly different?
Yeah, and a cellphone is just like two cans and some string, only slightly more useful.
There are some seriously funky tools in there - check them out.
which *@#$ing multinational would allow their Class B network to be used for "proof of Concept" work by some BlackHats ?
Authorise my a$$.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
basically, this guy found a way to say "i will die alone" in over five hundred words, including the words "link layer" and "phentropy".
SCANRAND
========
Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down "yes" or "no" depending on the response. Normally, there's lots of overhead as you keep track of who you sent requests to and thus who you're expected responses from. Overhead, or "state", makes things slow. So scanrand is stateless -- right when you start up, it splits in two. One half asks everyone, "Heh! What are you hosting!" The other half picks up responses, "Hmmm, some guy just said he has a web server."
Now, there's a problem: If someone knows I'm not keeping track of who I'm scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request -- the "Sequence Number". This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that's talking to me, and immediately know whether I ever scanned this guy in the first place.
So, that's why I get to scan really fast. Mind you, it's the least impressive part of Paketto in raw technical terms -- but it's definitely useful as hell.
MINEWT
======
What if you could just run a program, and a router showed up on your network? I don't mean physically, but I also don't mean "having anything visibly related to the computer hosting it". It'd be virtual, with its own separate IP addresses and it's own MAC addresses too. It'd be portable to any machine on the LAN, maybe it'd be fast, but it'd definitely be amazingly flexible -- no chips to make, no wires to crimp. Run this software, and there's something new on your net.
That's what minewt is -- a new router that just shows up and works. Now, it happens to do some funky things -- Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaches it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it's flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool -- NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*'s an 192.168.*'s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.
It ain't your gateway that downloaded all those MP3's, even if that's the IP address on that flow of music.
Well, there's also this tech called ARP -- the Address Resolution Protocol. Your local network doesn't have a clue about IP addresses -- it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP -- 10.* or whatever -- to the MAC address the factory assigned.
NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).
MAT -- MAC Address Translation -- just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).
End result? Multiple hosts can share the same IP address. Cool.
LC [LINKCAT]
============
I've got a wire. I want to talk on it -- but I can't, I've got all these sockets and programs and limitations in the way. Or at least, I had them.
1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.
3) Profit.
Or,
1) Execute lc -l00 and start watching everything on the network go by in hex. ANything I like, I can copy, then run lc -m00 and paste back onto the wire once again.
3) Profit.
lc has a really interesting mode that's based on the fact that you can actually put data in a frame *after* IP is done with it -- it's called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, lets put crypto in it -- lets sign our frame! Basic support for SHA-1 HMAC's is provided.
PARATRACE
=========
Alright, this is kinda neat. You've got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you're gonna start up a whole new connection. Paratrace gets around that -- you see, TCP lets you repeat packets; actually, by repeat, it's more like "The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine." So instead of spawning a whole new connection for our traces, we run our traceroute -- which is entirely a Layer 3 IP hack -- using a legitimate Layer 4 TCP packet. When the data eventually gets there, it's mostly ignored -- oh, the network screwed up again.
If there's a stateful firewall in the way, well, it's looking at Layer 4 data, which is 100% valid.
PHENTROPY
=========
See a cloud? Might be random. See a bunch of triangles? That ain't random. See the Borg Cube? Yeah, that's the FreeBSD kernel. This is an extension of Michel Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.
Terribly sorry I didn't do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.
But too much techno babbling, such as in statements like "Userspace manipulation of packets can lead to less overhead" because "Kernels are optimized to talk to other hosts, not to scan them". Ok so you invented raw sockets, not to mention the fact that it's possible to send arbitrary packets from the kernel too, although from userspace it's for sure a more portable way. And MAC based networking , i can mention at least 3 commercial products that do that ( and in a much more flexible way). ( i maintain one of them :) Anyway, some stuff is really interesting, a few new toys to play with i guess ;)
It's quite simple. Either the submitter or /. have resorted to not-so-well disguised subliminal advertising within submissions. Look how many people have questioned why those links exist - hell, the links are nearly slashdotted. Someone is making traffic revenue off that, I reckon... or maybe I need a bigger tinfoil hat. Whatever.
1. Make a Geek/English translator 2. ...
3. Profit!
boldly going forward, 'cause we can't find reverse
Dan enjoys being witty with words. A "keiretsu" is a conglomeration of not-100%-related business units under a single roof. Mitsubishi makes cars and huge boats, Yamaha makes motorcycles and electronic synthesizers, etc.
;) Dan, for those curious, is (AFAIK) not proficient in Japanese. =)
The Paketto Keirestu is a conglomeration of program units that do really bastardized and interesting things with packet manipulation and flow. It's a catchy little title, I thought, but that's MHO.
-david
David E. Weekly
Code / Think / Teach / Learn
h4x0r for
That said, packet series may be one translation, but who knows.
"Black Ops of TCP/IP", Indeed.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
I know it's a really strange concept, but if you will note some of the words are underlined in his post.
READ THE FUCKING ARTICLES.
I live in a giant bucket.
Cut and Paste. Linkcat lets you do that with packets :-)
--Dan
I'm going to burn some karma.
Somebody needs to moderate the parent comment up. This article is not merely masturbation for some geek - these are fundamentally cooler tools than what we've had before. Why? Because they do what they do - port scanning, routing, etc. - in new and more flexible ways.
One of the problems with releasing a powerful tool is that you need to *train* people to use it. Even moreso than in meatspace, virtual tools like these require you to grok both the code and the environment in which the code runs. In this case, you need to understand how TCP/IP works, what the OSI layers are and how they interrelate, how existing implementations have been done, and how these tools are different.
It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"
*sigh*
We who were living are now dying
With a little patience
translation...basically he wrote some new tools that are like the tools we already have but implemented in a slightly different way, except these tools were heralded by an obtuse 500-word self-aggrandizing technobabbling post on slashdot.
Can someone translate this for us?
Belloc
I got more rhymes than Jamaica got Mangoes.
Am I missing the importance of safety scissors & Elmer's glue? Or are the links on the parentheses around linkcat just for kicks?
Wow...the Cukoo's Egg. What a great book (if you haven't read it, you should). I read that just before heading off to college just after (like the day it hit to store) it was published (man, has it been that long). I contacted Cliff (the author) via e-mail and had ongoing "conversations" with him. He introduced me to lots of others who introduced...you get the idea. I later worked with the Fed on early (1990-91'ish) commercial Internet security projects. Man, that was a fun time on the Internet...things have changed soooo much. Sheesh, here I am in the "way-back" machine and I'm only 30. I'm in BIG trouble. Oh well, it's fun to have "been there".
If you read a little earlier in the comments you'll see that in order to prevent his site getting slashdotted he very kindly moved it to a temporary higher-capacity server.
So yeah, maybe he didn't transition the site perfectly - just be glad you even got to see that URL!!
They're just a little bit more than slightly different. Try them out, you might be surprised.
Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.
Scan requires one socket.
Kernel has no idea what's going on, it RSTs anything it gets (which is fine by me).
--Dan
Where can I get the mentioned programs?
Luke-Jr
Hasn't Steve Gibson been promising some sort of freeware hyper speed port scanner for months, possibly years now? If you go take his shieldsup test, there he mentions something about it on one of the pages.
Last time I checked, portscanning 64K IPs would take a whole lot longer than 4 seconds...
Luke-Jr
Yeah, here goes: I never really understood the article, but I'm going to try to make everyone feel dumb by grossly overgeneralizing and hoping nobody calls my bluff!
Hey pal, anyone can break an internet protocol, but it takes skill to bend the hell out of it. This guy dumps more braincells everytime his girlfriend spits after oral sex then you could ever hope to have. This guy speaks in TCP/IP, you just speak in condescending technocratic bullshit. You're the reason information is not free-as-in-beer free.
Hey Slashdot, we're going to get a big group of us together and go beat the fuck outta Stephen Hawking! Who the fuck does he think he is looking at the universe in a slightly diiferent way, except those views were heralded by an obtuse 500 page self-aggrandizing technobabbling hardcover!
I'll post at +1, I've got karma to burn....
AWG
You think that I'm crazy, you should see this guy!
I saw that too. Sublime, yet obvious. Just beautiful. As is the rest of your work, BTW.
A tip of my tin-foil hat to you, sir.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Maybe it's too early for anybody to make sense of this thing... but here's what I've got so far: It seems that the great advance here is based on using the IP protocol all by itself in situations where conventionally we use TCP wrapping IP. (Remember class, we had a discussion on leaky abstractions recently where we remembered that TCP is what we use when we want to forget that IP exists.) By taking advantage of obscure parts of the IP protocol that we don't usually concern ourselves with, he's been able to use intentionally wayward packets to learn about the network. For example, sending an IP packet with a hopelessly short time to live to take advantage of the fact that whomever has the packet when it when it times out is supposed to send back a packet indicating that error. Turns out most routers do, so he collects that information and gets a traceroute that can go into places where a traditonal traceroute meets with a firewall. And that brings up the potentially dangerous side of things. This flies below our radars, it stays below our firewalls. His packets never go higher than the IP layer of our OSI model stack. (Remember that 7-layer thing that we all had to memorize in networking classes...) I'm not quite sure yet what poking around there gets them other than network topology info, but I kinda get the feeling that if there is something destructive that can be done, we're gonna get blindsided with it.
A friend of mine wrote an LSR scanner and an LSR tunnel tool which you probably won't understand either. Go get them, play with them, and then think about what it means. Here's his short paper on LSR.
;-)
While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about.
IMHO,
Michael
Okay first off let me say I am not a TCP/IP expert by any means however this does present some interesting points.
Firstly as a poster has noted before, by going under the radar by directly using the IP layer, this is going to open up a whole new rash of attack methods which we would be much better investigating and defending against.
Secondly, I think its cool, it renews my faith in the basic tenet of geekdom - play with it until you break it, then learn to fix it again.
No. Less than three days. Imagine if you found the first exploitable host, infected it, then started the search from that one. Now you have two searching. You would exploit and scan, scan and exploit... Could be very fast.
a beowulf cluster of "business ladies" purhaps?
US-UK-Israel: The real Axis of Evil
i was just trying to start on the math for it... it'd be a day with just two other machines involved, assuming you didn't have them doing redundant scans. coded right, after the first few machines, it might be a matter of an hour or two to scan and and infiltrate all vulnerable hosts. anyone feel like doing the math thing? i'm a lazy bastard.
Moron. This guy's got skills, and you don't even see it. These tools are very impressive. Paketto Kieretsu is to nmap what a Ferrari is to a Pinto.
11*43+456^2
Thanks for the help - that was really unexpected, given the volume of 'WTF does this thing mean? What's 'Keiretsu'? Why do we need another port scanner?'. Glad to see I'm not the only one who was really engrossed by AMAZING network theory work....The first 'innovative' stuff I've seen in this arena in a few years. WAY TO GO DAN!
Now I just wish I could go to Hivercon and see him speak......
If it takes 4 seconds to spread to 2^16 computers, then it takes another 4 seconds for each of those 2^16 to spread to another 2^16 for the entire 2^32 internet. That's only 8 seconds total. Of course it really depends on where the origin is and the network topology. But it would not take days or even hours to spread to the entire internet, just minutes.
chill dude, (well, angry white guy, ha :P)
;)
i looked at more of it after posting that (especially some of the more esoteric features like crypto and mapping network traffic to 3d coordinates/strange attractors) and before the stream of bitter replies i got and some of it is pretty cool in a fucked up way.
my *point* was more along the lines of this isn't as revolutionary as it was advertised, and it was advertised in an amusingly dense way. but, agreed, it is still pretty cool, especially since so much of it is done in user space.
and if his girlfriend is spitting out brain cells after oral sex, i think they're doing it wrong
-fren
"Where are we going, and why am I in this handbasket?"
I agree, the description looked like it was written by a marketing deptartment. It sounded like these tools were too good to be true, which they're not. I was totally reminded of Gibson Research Corporation ;) The tools are indeed clever, and not to play down the interesting accomplishment, but there are a lot of other neat tools out there too. The tools aren't really revolutionary; they're solutions to specific problems that were identified with some current solutions. Performance, firewall restrictions, etc. Nice work, but hardly the work of 'gods' as some would suggest (and I'm sure that the authors would agree).
Sheesh, calm down! You should really stop idolizing people as much as you do. It's really pathetic when people suck up as much as you did in that post. Are you hoping to get a referral from this guy or something??
These people have a point there. There was a LOT of useless vocabulary in there. The guy needs to take a technical writing course to clean up his rhetoric and just get the damn point across. "Guerilla multicast"? "Parasitic tracerouting"? "Black Ops of TCP/IP"? What's with the sensationalistic adjectives? This comes off like a wrestling commentary, not a technical description.
a kieretsu is actually a little more than just the word for corporation. it's a structure whereby multiple companies own stock in each other in a ring formation. so A owns stock in B which owns stock in C which owns stock in A. good and bad theories on the purpose. some think it's a useful way of monitoring performance because companys are watching other companies (but are in turn being watched etc...) which is more efficient than individual shareholders watching companies. others thinks its a way for managers to remain entrenched (i won't vote to fire you if you don't vote to fire me). not sure what any of tha that has to do with packet scanning/mangling tools.
Keep in mind it probably used some feature of that network that worked via multicast/broadcast. I'm sure it didn't simply scan 2^16 hosts individually.
why not mention those 3 commercial products? Provide some enlightenment here instead of just saying "no big deal"
The point isn't that he can send raw packets, it's that he can send them in a useful, simple way.
It's by far the best meta-slashdot comment I've ever read:
i d=4592270
http://apple.slashdot.org/comments.pl?sid=44091&c
64K IP range in 4 seconds...
:)
so a 1Gbps Ethernet has ~1.5Mpps @ minimum size (64-byte).
It will take ~0.044 seconds to transmit your 64K 'SYN' packets. (Hope your routers don't drop any due to congestion
Now wait some reasonable time for the last of the responses to trickle in: ~200ms.
8300 responses: ~0.006s.
So the time would be:
0.044+0.200+0.006 = ~250ms.
Now, assume you have 100T. This is x10 for the send/receive time, the same for the latency, so ~700ms.
So the network in question had ~30Mbps of bandwidth available.
seems possible.
"8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds.."
God damnit. It doesn't take an ISS consultant to figure out that the above stats + a slapper/scalper worm = Oh shit some monday morning when one arrives at work. Above stats + asiapacific spammers = Useless mailboxi
Seriously, if these stats hold true it could streamline the whole process of scanning for exploitable hosts to a degree that if you're service is exploitable it will be exploited. Kinda scary to me..
Everyone is entitled to their own opinion. It's just that yours is stupid.
A frightening proposition
Life sucks, but death doesn't put out at all....
--Thomas J. Kopp
I remember my first checksum.
His "router" seems pointless, unless it's attached to someone else's LAN. Yes, you can write a single-port NAT router that allows multiple machines on the same LAN to have the same IP address. But then they can't talk to each other. (They can talk to the "router" and perhaps, via it, the outside world.) Apparently he did this to get around some restriction on his dorm LAN in college.
TCP Traceroute is useful enough that it's already been implemented by somebody else. GPL, and for Linux, with an RPM available, even.
+1 Insightful
I don't care why you're posting AC
Well, maybe not that fast.
It may take 4 seconds to scan 2^16 hosts, but to check for exploits and install itself? Maybe a minute or two.
I do agree, that it would probably be minutes. Maybe even faster than the Morris worm.
Hey thanks for that. most informative... alas no mod points...
i don't read slashdot anymore.
He who sendith the Ping of Death must answer thee these packets three. Ere the other router he see...
"Dancing is the vertical expression of a horizontal desire" --Robert Frost
People interested in this might also be interested in, "Covert Channels in the TCP/IP Protocol Suite".
I haven't tried them so I'm probably missing things.The tools are;
1) a _very_ fast portscanner. It lets you find computers and services on a given network.
2) a virtual router. Lets multiple hosts share the same IP address.
3) a pipe to ethernet thingy, lets you type directly out onto the network. You'ld be quite the 31337 hacker if you used this one regulary.
4) a silent traceroute that'll let you probe behind a NAT firewall. wow. That's kinda nasty.
5) and the coolest one of the bunch, a program that renders the randomness of a remote-machines packets into 3D space. Cool.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
There is no Class B. It's called a /16.
Warning: Serious TCP/IP territory here!
p roduct/1,4096, 0201776316,00.html
Of limits for ye olde slashdotters.
Let me fist get the Crab-Book (http://www.oreilly.com/catalog/tcp3/) and read it. And then post this thing again a half a year later, so I can add my smartass remark.
Here's for the ones who like pictures (Hehehe...):
http://www.aw.com/catalog/academic/
Geez, I really have to get my TCP/IP sorted out. This stuff sounds to cool to miss out.
We suffer more in our imagination than in reality. - Seneca
This, sir, was genius. After reading your presentation at 5AM and not having my head explode, seeing this made me laugh out loud. I'd love to see the look on some webmaster's face trying to figure out why their obscure online store got so much traffic in a 4 hour window their server crashed.
"Linkcat? Whats that? Is Radio Shack giving away useless toys again? Who are all these geeks and why did they crash my store? Hey Lloyd, we better quadruple our stock of scissors - don't ask!"
Top Most Bizarre/Disturbing Error Messages
The latter is understandable - a whole lot of /. folks just realized they need to brush up on TCP/IP theory - and that's a good thing. I know I pulled out my cheat sheets while reading his presentation.
But the former is just plain annoying. Dan has done some really impressive work, using a very mature system in innovative ways. What did you expect? That he wrote some killer app that would make you rich during the IPO? This is great stuff - some of which doesn't have real world applicability (right now anyway), but so what? He's doing research into what CAN be done. I work in IT at a large research university and it really brings home the importance of research for research's sake. Others will come up with commercial applications where appropriate. But research is pushing the boundaries of existing knowledge or delving into completely new areas. For the sake of knowledge and learning.
That said, for all of you saying 'this isn't new' or 'it's no big deal till they write scripts for the script kiddies' what crack are you on? In addition to making my head spin this early in the morning, Dan's presentation and ideas sent a shiver down my spine. I administer an academic network which means no firewall. Dan's ideas, which I could use for good, can also be used for evil. Easily. This kind of stuff is scary.
Think about how much time, bandwidth and effort CodeRed wasted trying to spread itself probing systems that were not web servers. Imagine using this scanning technology as an opening salvo to a new exploit attack via port 80. BANG! Your network security folks sit up with a start as your Class B just got hammered hard. But it was over in 10 seconds. You look into it, but aren't really sure what it was. But now the attacker knows EVERY SINGLE HOST on your network running something on port 80. You (and the rest of the network) just got infected that much faster. Yes, previous papers already theorized this was possible (Warhol Worm, etc) But this makes it even scarier. A two stage worm could really blow things away. The first stage uses ultra fast scanning to build hosts responding to a given port. These first stage hosts develop into a network gathering available hosts to hit based on these ultra quick scans and then fire off stage two infections with pre-seeded network lists most likely to be vulnerable or offer the most targets.
Hell, the second stage would be WELL underway by the time most network security admin's pagers went off.
I tip my hat to Dan - this is great stuff with many useful applications, even if some are less than savory.
Top Most Bizarre/Disturbing Error Messages
Personally, I regard paranoia as a necessity.
Best Slashdot Co
I don't get it :-) It's the least impressive work I've done, but it's what everyone talks about, and then everyone says it's not so technically impressive... well duh :-)
If it didn't support stateless tracerouting w/ passive hopcount detection and split mode operation, I'd almost be too embarassed to release it.
--Dan
I'll have to play with this some. Then I'll have to figure out how the hell to write Firewall-1 rules to mess with anyone using it to scan my network..
You can be as secure as you want to be.
P.
Paul "Say no to feeping creaturism"
"Yeah, and a cellphone is just like two cans and some string, only slightly more useful."
And without the string, of course.
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
that will be the challenge. Remember, these are completely legitimate uses of the IP protocol. It's not like we could (probably) detect any of these techniques.
The traceroute bit offers some interesting MITM possibilities. Yes, it requires a connection to be established, which assumes that the client is legitimate, but what about someone upstream that's messing with the IP packet before passing it on?
All in all these are incredibly clever hacks. My compliments to the chef.
From the quality of the work here you should get some recognition. There really should be an award for stuff like this. It's first class and thourougly deserves the score 5, it's a great pitty you at the UANC don't believe in karma.
Very effective stuff!I applaud your work wholeheartedly!
--
And bigger trolls have lesser trolls and so ad-infinitum.
I officially agree -- both with the fact that I wrote it marketroid style (I was petrified of "l33t new hax0r tools, he's gonna destroy the web!"; the concept that people would think I didn't do anything at all never occurred to me) and that I'm no god...just someone who plays with TCP/IP :-)
--Dan
nmap's much more mature and reliable -- but perhaps it's reliability starts too early...
Read the fucking article. It used standard unicast, but in a very clever way. (the part that sends out checks is not the part that listens for responses back.)
Cool. I hope that you didn't take my comment to mean that the tools weren't neat, or useful, because they are. Have you ever read Gibson Research's 'nanoprobe' papers? Goto grc.com and see why some people are sensitive to that kind of vague, buzzword laden, hype generating writing :)
I said "probably", implying to everyone but you that I don't KNOW what it used, because I haven't read the article yet.
Next time, be more fucking polite.
Okay, Okay -- I admit it. You didn't change that program that worked
just a little while ago; I inserted some random characters into the
executable. Please forgive me. You can recover the file by typing in
the code over again, since I also removed the source.
- this post brought to you by the Automated Last Post Generator...