Slashdot Mirror
Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release
Effugas writes "After pushing OpenSSH
to perform feats of secure tunneling far beyond what I ever expected it could
do, it became clear that some genuinely useful modes of network operation were
simply inaccessable without either replacing or manipulating core network protocols.
Since the basic infrastructure of the Internet isn't likely to change any time
soon, that left...creative manipulation and reconstruction of the Lingua Reseaux:
TCP/IP. Taking advantage of expectations,
pitting layers against eachother, finding new uses for old options and data fields -- instead of simply
unleashing the latest incarnation of some "Ping of Death", could such work
unveil hidden functionality within existing networks? As I discussed at
Black Hat 2002 and the inimitable
Defcon X, the answer is yes. And now,
proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP),
The Paketto Keiretsu, Version 1.0,
is a collection of five interwoven
"proof of concepts" that explore, extract, and expose previously
untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.
The five --
scanrand,
minewt,
lc
(
linkcat
),
paratrace,
and the OpenQVIS
cross-disciplinary-a-go-go phentropy --
demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrila Multicast, Parasitic Tracerouting, Ethernet Trailer
Cryptography, and quite a bit more. (For details, stop by DoxPara Research
or check out the latest slides. The academic paper is coming "soon".)
In terms of actual usefulness, scanrand is no
nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B,
scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
...how I wish Babel Fish would have a Geek->English translation option...
Anyone here want to sum it up IN PLAIN ENGLISH, without involving beowulf clusters or "Profit!"?
"During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?
Hi - www.doxpara.com is temporarily pointed at shaitan.lightconsulting.com, a quad Xeon hosted at Via.net in Palo Alto. Please be nice to my server so I don't have to drive over there and fix it...
-- thalakan
How come I go through my day feeling my little code is soo smart until I log in to Slasdot and read about C-level hacking of the core infrastructure of the internet by gods on human thrones and feel like a little 1st grader who has to deliver a note to a sixth grade teacher and marvels at the complex stuff on the chalk board....
*sigh*... I'm important! I swear...
Bruce Werner http://www.kidventus.com
keiretsu = corportation/firm in japanese
packetto = loan worn (usually in katakana) meaning packet.
ie.. Packet Company in Japanese
What's up with the pseudo-Japanese name?
---
Open Source Shirts
I was the girlfriend oft this guy for three years and can attest he spent neglecting me and only fooling around with his computer thingies.
1. I have plenty of time to play with it.
2. I don't have to worry about someone doing it to me.
Is anyone working on SNORT signatures for this stuff?
Do you even know what this stuff does?
Most of it has little direct cracking application that I can see. We have a fancy traceroute, a system allowing multiple hosts to share an IP address and still get the correct data through MAC address translation.
I can see where scanrand could be abused, but it won't be until someone writes a script for the script kiddies to use.
As for the idea of security through not telling anyone, read The Cuckoo's Egg and study up on the Internet Worm to figure out why that idea is completely idiotic.
The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.
;)
Hmm let me guess you have to compile this as root, after that it will give "proof of concept" to the black hat 2002 people that indeed there are previously untapped capacities deep within my server, somewhere remotely hidden on the outer reaches of my port range?
Let's see...
ping 160.1.255.255
Duck and cover, here comes the smurf...
I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.
The "paratrace" program is quite interesting-- from the README:
Nutshell summary: this uses an existing open TCP connection to run a traceroute through a firewall that would otherwise tell you to take off. I could certainly see this being useful.
Some good background reading on O'Reilly's Safari online books site if your TCP/IP internals are a bit rusty:
Internet Core Protocols: The Definitive Guide
TCP/IP Illustrated, Volume 1: The Protocols
Because most people won't lift a finger when someone says "theoretical" or "possible" or "probable" -- but watch those deadlines jump up when you have an actual break in!
Because insurance companies don't require an authorized audit of computer security (yet), most places are wide-open. Think of this as the example of how to start fires, and why the government should have laws about the fire protection that public theatres (ecommerce sites) should have. Most companies are happy to let a room full of patrons burn to death -- that's why we need examples and government intervention. Besides, I'd rather that fellows like this release what they've been working on, so I know what to look out for, and can apply their methods against my systems at leisure in order to find problems and address them.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
A Monty Python nerd?
Any sufficiently well-organized community is indistinguishable from Government.
Welcome to the dumbing down of /.
This is News for Nerds - if it was something joe-shmoe Wallstreet journal reader could understand, then it would be in the Wallstreet Journal. If you don't understand it, LOOK IT UP.
I can haxor the Gibson and become 3l33t
OK, this pretty much pushes me over. I've been considering becoming a slashdot troll for some time and I think this article finishes it. First interesting story in a week or two. It gets more moronic posts than anything I've ever seen on slashdot. The best posts here are of the type "this is way over my head". If this is over your head, but you think it's interesting stfu and don't post anything. I don't even want to talk about others.
The compost bin story got a more meaningful discussion that this.
90% of people here think that case mods are cool
99% of people here look at a program which allows you to traceroute without icmp or udp (just to name one thing) and say "yeah, but what's the use"?
WTF?
I shall go and troll in the story about case with 6 neon lights attached to it now. See ya.
I passed the Turing test.
he wrote some new tools that are like the tools we already have but implemented in a slightly different way
Slightly different?
Yeah, and a cellphone is just like two cans and some string, only slightly more useful.
There are some seriously funky tools in there - check them out.
basically, this guy found a way to say "i will die alone" in over five hundred words, including the words "link layer" and "phentropy".
SCANRAND
========
Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down "yes" or "no" depending on the response. Normally, there's lots of overhead as you keep track of who you sent requests to and thus who you're expected responses from. Overhead, or "state", makes things slow. So scanrand is stateless -- right when you start up, it splits in two. One half asks everyone, "Heh! What are you hosting!" The other half picks up responses, "Hmmm, some guy just said he has a web server."
Now, there's a problem: If someone knows I'm not keeping track of who I'm scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request -- the "Sequence Number". This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that's talking to me, and immediately know whether I ever scanned this guy in the first place.
So, that's why I get to scan really fast. Mind you, it's the least impressive part of Paketto in raw technical terms -- but it's definitely useful as hell.
MINEWT
======
What if you could just run a program, and a router showed up on your network? I don't mean physically, but I also don't mean "having anything visibly related to the computer hosting it". It'd be virtual, with its own separate IP addresses and it's own MAC addresses too. It'd be portable to any machine on the LAN, maybe it'd be fast, but it'd definitely be amazingly flexible -- no chips to make, no wires to crimp. Run this software, and there's something new on your net.
That's what minewt is -- a new router that just shows up and works. Now, it happens to do some funky things -- Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaches it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it's flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool -- NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*'s an 192.168.*'s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.
It ain't your gateway that downloaded all those MP3's, even if that's the IP address on that flow of music.
Well, there's also this tech called ARP -- the Address Resolution Protocol. Your local network doesn't have a clue about IP addresses -- it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP -- 10.* or whatever -- to the MAC address the factory assigned.
NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).
MAT -- MAC Address Translation -- just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).
End result? Multiple hosts can share the same IP address. Cool.
LC [LINKCAT]
============
I've got a wire. I want to talk on it -- but I can't, I've got all these sockets and programs and limitations in the way. Or at least, I had them.
1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.
3) Profit.
Or,
1) Execute lc -l00 and start watching everything on the network go by in hex. ANything I like, I can copy, then run lc -m00 and paste back onto the wire once again.
3) Profit.
lc has a really interesting mode that's based on the fact that you can actually put data in a frame *after* IP is done with it -- it's called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, lets put crypto in it -- lets sign our frame! Basic support for SHA-1 HMAC's is provided.
PARATRACE
=========
Alright, this is kinda neat. You've got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you're gonna start up a whole new connection. Paratrace gets around that -- you see, TCP lets you repeat packets; actually, by repeat, it's more like "The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine." So instead of spawning a whole new connection for our traces, we run our traceroute -- which is entirely a Layer 3 IP hack -- using a legitimate Layer 4 TCP packet. When the data eventually gets there, it's mostly ignored -- oh, the network screwed up again.
If there's a stateful firewall in the way, well, it's looking at Layer 4 data, which is 100% valid.
PHENTROPY
=========
See a cloud? Might be random. See a bunch of triangles? That ain't random. See the Borg Cube? Yeah, that's the FreeBSD kernel. This is an extension of Michel Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.
Terribly sorry I didn't do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.
Dan enjoys being witty with words. A "keiretsu" is a conglomeration of not-100%-related business units under a single roof. Mitsubishi makes cars and huge boats, Yamaha makes motorcycles and electronic synthesizers, etc.
;) Dan, for those curious, is (AFAIK) not proficient in Japanese. =)
The Paketto Keirestu is a conglomeration of program units that do really bastardized and interesting things with packet manipulation and flow. It's a catchy little title, I thought, but that's MHO.
-david
David E. Weekly
Code / Think / Teach / Learn
h4x0r for
Cut and Paste. Linkcat lets you do that with packets :-)
--Dan
I'm going to burn some karma.
Somebody needs to moderate the parent comment up. This article is not merely masturbation for some geek - these are fundamentally cooler tools than what we've had before. Why? Because they do what they do - port scanning, routing, etc. - in new and more flexible ways.
One of the problems with releasing a powerful tool is that you need to *train* people to use it. Even moreso than in meatspace, virtual tools like these require you to grok both the code and the environment in which the code runs. In this case, you need to understand how TCP/IP works, what the OSI layers are and how they interrelate, how existing implementations have been done, and how these tools are different.
It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"
*sigh*
We who were living are now dying
With a little patience
They're just a little bit more than slightly different. Try them out, you might be surprised.
Oh, and that's Dan's normal speaking and writing style. I've heard him speak several times, and he wrote a couple of chapters for me for Hack Proofing Your Network, 2nd Edition. Really good stuff. Dan's writing has a lot of really good stuff in it, but you have to be paying attention.
Scan requires one socket.
Kernel has no idea what's going on, it RSTs anything it gets (which is fine by me).
--Dan
Yeah, here goes: I never really understood the article, but I'm going to try to make everyone feel dumb by grossly overgeneralizing and hoping nobody calls my bluff!
Hey pal, anyone can break an internet protocol, but it takes skill to bend the hell out of it. This guy dumps more braincells everytime his girlfriend spits after oral sex then you could ever hope to have. This guy speaks in TCP/IP, you just speak in condescending technocratic bullshit. You're the reason information is not free-as-in-beer free.
Hey Slashdot, we're going to get a big group of us together and go beat the fuck outta Stephen Hawking! Who the fuck does he think he is looking at the universe in a slightly diiferent way, except those views were heralded by an obtuse 500 page self-aggrandizing technobabbling hardcover!
I'll post at +1, I've got karma to burn....
AWG
You think that I'm crazy, you should see this guy!
Maybe it's too early for anybody to make sense of this thing... but here's what I've got so far: It seems that the great advance here is based on using the IP protocol all by itself in situations where conventionally we use TCP wrapping IP. (Remember class, we had a discussion on leaky abstractions recently where we remembered that TCP is what we use when we want to forget that IP exists.) By taking advantage of obscure parts of the IP protocol that we don't usually concern ourselves with, he's been able to use intentionally wayward packets to learn about the network. For example, sending an IP packet with a hopelessly short time to live to take advantage of the fact that whomever has the packet when it when it times out is supposed to send back a packet indicating that error. Turns out most routers do, so he collects that information and gets a traceroute that can go into places where a traditonal traceroute meets with a firewall. And that brings up the potentially dangerous side of things. This flies below our radars, it stays below our firewalls. His packets never go higher than the IP layer of our OSI model stack. (Remember that 7-layer thing that we all had to memorize in networking classes...) I'm not quite sure yet what poking around there gets them other than network topology info, but I kinda get the feeling that if there is something destructive that can be done, we're gonna get blindsided with it.
A friend of mine wrote an LSR scanner and an LSR tunnel tool which you probably won't understand either. Go get them, play with them, and then think about what it means. Here's his short paper on LSR.
;-)
While I'm here, let me just bitch for a second. I "love" slashdot. I can sort of understand the people who complain when a non-geeky story gets posted, but I just can't understand someone who complains when a technical story gets posted. "News for Nerds" dude! You can't get a whole lot nerdier than this. Stop complaining and go read some FMs. If you can't handle it, go read Wired or something instead. I'm happy to have a story posted here that my 7 year old doesn't understand yet...it gives us something new to talk about.
IMHO,
Michael
Okay first off let me say I am not a TCP/IP expert by any means however this does present some interesting points.
Firstly as a poster has noted before, by going under the radar by directly using the IP layer, this is going to open up a whole new rash of attack methods which we would be much better investigating and defending against.
Secondly, I think its cool, it renews my faith in the basic tenet of geekdom - play with it until you break it, then learn to fix it again.
Who said anything about Black Hats?
Breaking into networks, crashing people's systems...unnecessary and boring, in that order.
You don't need to be a Black Hat to play with protocols. Not in the slightest.
--Dan
safety scissors - Cut
Elmer's glue - Paste
His "router" seems pointless, unless it's attached to someone else's LAN. Yes, you can write a single-port NAT router that allows multiple machines on the same LAN to have the same IP address. But then they can't talk to each other. (They can talk to the "router" and perhaps, via it, the outside world.) Apparently he did this to get around some restriction on his dorm LAN in college.
TCP Traceroute is useful enough that it's already been implemented by somebody else. GPL, and for Linux, with an RPM available, even.
I haven't tried them so I'm probably missing things.The tools are;
1) a _very_ fast portscanner. It lets you find computers and services on a given network.
2) a virtual router. Lets multiple hosts share the same IP address.
3) a pipe to ethernet thingy, lets you type directly out onto the network. You'ld be quite the 31337 hacker if you used this one regulary.
4) a silent traceroute that'll let you probe behind a NAT firewall. wow. That's kinda nasty.
5) and the coolest one of the bunch, a program that renders the randomness of a remote-machines packets into 3D space. Cool.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
The latter is understandable - a whole lot of /. folks just realized they need to brush up on TCP/IP theory - and that's a good thing. I know I pulled out my cheat sheets while reading his presentation.
But the former is just plain annoying. Dan has done some really impressive work, using a very mature system in innovative ways. What did you expect? That he wrote some killer app that would make you rich during the IPO? This is great stuff - some of which doesn't have real world applicability (right now anyway), but so what? He's doing research into what CAN be done. I work in IT at a large research university and it really brings home the importance of research for research's sake. Others will come up with commercial applications where appropriate. But research is pushing the boundaries of existing knowledge or delving into completely new areas. For the sake of knowledge and learning.
That said, for all of you saying 'this isn't new' or 'it's no big deal till they write scripts for the script kiddies' what crack are you on? In addition to making my head spin this early in the morning, Dan's presentation and ideas sent a shiver down my spine. I administer an academic network which means no firewall. Dan's ideas, which I could use for good, can also be used for evil. Easily. This kind of stuff is scary.
Think about how much time, bandwidth and effort CodeRed wasted trying to spread itself probing systems that were not web servers. Imagine using this scanning technology as an opening salvo to a new exploit attack via port 80. BANG! Your network security folks sit up with a start as your Class B just got hammered hard. But it was over in 10 seconds. You look into it, but aren't really sure what it was. But now the attacker knows EVERY SINGLE HOST on your network running something on port 80. You (and the rest of the network) just got infected that much faster. Yes, previous papers already theorized this was possible (Warhol Worm, etc) But this makes it even scarier. A two stage worm could really blow things away. The first stage uses ultra fast scanning to build hosts responding to a given port. These first stage hosts develop into a network gathering available hosts to hit based on these ultra quick scans and then fire off stage two infections with pre-seeded network lists most likely to be vulnerable or offer the most targets.
Hell, the second stage would be WELL underway by the time most network security admin's pagers went off.
I tip my hat to Dan - this is great stuff with many useful applications, even if some are less than savory.
Top Most Bizarre/Disturbing Error Messages
Well, it's a bit more complex than that. Scanrand was branched to form Paratrace. Linkcat's -f/-F flags output integers suitable for graphing by Phentropy. Minewt gets its ass kicked by scanrand, and will eventually support the ethernet crypto of linkcat.
--Dan
I don't get it :-) It's the least impressive work I've done, but it's what everyone talks about, and then everyone says it's not so technically impressive... well duh :-)
If it didn't support stateless tracerouting w/ passive hopcount detection and split mode operation, I'd almost be too embarassed to release it.
--Dan