
Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release

timothy posted more than 11 years ago | from the read-among-the-lines dept.

Security 319

Effugas writes "After pushing OpenSSH to perform feats of secure tunneling far beyond what I ever expected it could do, it became clear that some genuinely useful modes of network operation were simply inaccessible without either replacing or manipulating core network protocols. Since the basic infrastructure of the Internet isn't likely to change any time soon, that left... creative manipulation and reconstruction of the Lingua Reseaux: TCP/IP. Taking advantage of expectations, pitting layers against each other, finding new uses for old options and data fields -- instead of simply unleashing the latest incarnation of some "Ping of Death", could such work unveil hidden functionality within existing networks? As I discussed at Black Hat 2002 and the inimitable Defcon X, the answer is yes. And now, proof of this is ready. BSD Licensed (in deference to the very source of TCP/IP), The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4. The five -- scanrand, minewt, lc ( linkcat ), paratrace, and the OpenQVIS cross-disciplinary-a-go-go phentropy -- demonstrate Stateless TCP Scanning, Inverse SYN Cookies, Guerrilla Multicast, Parasitic Tracerouting, Ethernet Trailer Cryptography, and quite a bit more. (For details, stop by DoxPara Research or check out the latest slides. The academic paper is coming "soon".) In terms of actual usefulness, scanrand is no nmap, but it's still interesting: During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."
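The submission names "Inverse SYN Cookies" as the trick behind scanrand's stateless scanning without saying how they work. The script below is an added illustration of the principle (my code, not scanrand's; the HMAC-SHA256 construction, the demo key and the addresses are assumptions for the example, since the page does not describe scanrand's actual cookie): the prober derives each SYN's initial sequence number from a keyed hash of the endpoints, so when a SYN/ACK or RST/ACK comes back it can recompute the expected acknowledgement number from the reply's own source address and port and reject anything it did not send a probe for, with no table of outstanding probes. It is server-side SYN cookies run in the opposite direction, and it is why a receiver on a different host than the sender only needs the key.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real prober would draw this from os.urandom() at start-up.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _endpoints(src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Canonical byte string the cookie is computed over (works for IPv4 and IPv6)."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!H", dst_port))


def probe_isn(key: bytes, src_ip: str, dst_ip: str, dst_port: int) -> int:
    """Initial sequence number for the SYN probe to (dst_ip, dst_port).

    The ISN is the first 32 bits of a keyed hash over the endpoints, so the
    sender keeps no record of outstanding probes: everything needed to
    recognise a reply can be recomputed from the reply's own headers.
    """
    digest = hmac.new(key, _endpoints(src_ip, dst_ip, dst_port), hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def expected_ack(key: bytes, our_ip: str, their_ip: str, their_port: int) -> int:
    """A SYN/ACK or RST/ACK answering our SYN must carry ack = ISN + 1 (mod 2^32)."""
    return (probe_isn(key, our_ip, their_ip, their_port) + 1) & 0xFFFFFFFF


def reply_is_genuine(key: bytes, our_ip: str, reply_src_ip: str,
                     reply_src_port: int, ack_number: int) -> bool:
    """Stateless validation: recompute the cookie from the reply's source fields."""
    return ack_number == expected_ack(key, our_ip, reply_src_ip, reply_src_port)


def classify_replies(key: bytes, our_ip: str, replies):
    """replies: iterable of (src_ip, src_port, tcp_flags, ack_number) seen by the receiver.

    Returns [(ip, port, state)] for replies that pass the cookie check. Stale,
    spoofed or simply unrelated segments arriving on the same interface are dropped.
    """
    results = []
    for src_ip, src_port, flags, ack in replies:
        if not reply_is_genuine(key, our_ip, src_ip, src_port, ack):
            continue
        if flags == "SA":
            results.append((src_ip, src_port, "open"))
        elif flags == "RA":
            results.append((src_ip, src_port, "closed"))
    return results


def demo():
    """Constructed replies: two genuine, one with a made-up ack, one whose port does not match."""
    our_ip = "10.0.0.5"
    replies = [
        ("192.0.2.10", 80, "SA", expected_ack(DEMO_KEY, our_ip, "192.0.2.10", 80)),
        ("192.0.2.11", 80, "RA", expected_ack(DEMO_KEY, our_ip, "192.0.2.11", 80)),
        ("192.0.2.12", 80, "SA", 0x12345678),
        ("192.0.2.13", 22, "SA", expected_ack(DEMO_KEY, our_ip, "192.0.2.13", 80)),
    ]
    return classify_replies(DEMO_KEY, our_ip, replies)


if __name__ == "__main__":
    for ip, port, state in demo():
        print(f"{ip}:{port} {state}")
```

Only the two replies whose acknowledgement number matches the recomputed cookie survive; the receiver never consults a list of probes it sent, which is what lets the sending and receiving halves run on different machines and lets the sender fire probes as fast as the wire allows.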


319 comments


krbgwsktrljb (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4702068)

erjbhkj ejbkjb u6ujkybukjb htehe

Ok, I'll bite (0, Offtopic)

myowntrueself (607117) | more than 11 years ago | (#4702112)

Was that ROT13 or Dutch?

Re:Ok, I'll bite (0)

Anonymous Coward | more than 11 years ago | (#4702392)

Hey! Dutch looks _nothing_ like ROT-13!

Dit is gewoon Nederlands, niets aan de hand, hoor. (Or, as the Babelfish would say: 'This is plain Dutch, nothing fancy going on').

Doeg!
(Bye!)

That's Great (0, Troll)

cscx (541332) | more than 11 years ago | (#4702087)

Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

Re:That's Great (2, Insightful)

fliplap (113705) | more than 11 years ago | (#4702149)

Yeah, because if it takes em all night to scan the network they're less likely to get in right?

Re:That's Great (4, Insightful)

Bastian (66383) | more than 11 years ago | (#4702190)

Do you even know what this stuff does?

Most of it has little direct cracking application that I can see. We have a fancy traceroute, a system allowing multiple hosts to share an IP address and still get the correct data through MAC address translation.
I can see where scanrand could be abused, but it won't be until someone writes a script for the script kiddies to use.

As for the idea of security through not telling anyone, read The Cuckoo's Egg and study up on the Internet Worm to figure out why that idea is completely idiotic.

Re:That's Great (1)

Sarin (112173) | more than 11 years ago | (#4702236)

Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

great idea, finally someone gets it :)

It sure is great. (4, Insightful)

Inoshiro (71693) | more than 11 years ago | (#4702307)

Because most people won't lift a finger when someone says "theoretical" or "possible" or "probable" -- but watch those deadlines jump up when you have an actual break in!

Because insurance companies don't require an authorized audit of computer security (yet), most places are wide-open. Think of this as the example of how to start fires, and why the government should have laws about the fire protection that public theatres (ecommerce sites) should have. Most companies are happy to let a room full of patrons burn to death -- that's why we need examples and government intervention. Besides, I'd rather that fellows like this release what they've been working on, so I know what to look out for, and can apply their methods against my systems at leisure in order to find problems and address them.

Re:It sure is great. (1)

LordofEntropy (250334) | more than 11 years ago | (#4702359)

Oh yay, just what we need, more laws.

Re:That's Great (0)

Anonymous Coward | more than 11 years ago | (#4702308)

Let's make sure that the script kiddies get a pressed CD-ROM copy mailed to their houses too, while we're at it.

No need. They can just download it.

Attention Slashdorks (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4702092)

Nobody on their death bed ever said "I wish I had spent more time alone in front of my computer".

Re:Attention Slashdorks (2)

Drunken Coward (574991) | more than 11 years ago | (#4702164)

Nobody on their death bed ever said "I wish I had spent more time alone in front of my computer".

I imagine this guy [slashdot.org] would have said something along those lines.

Re:Attention Slashdorks (-1, Troll)

frankmanowar (583879) | more than 11 years ago | (#4702191)

WOW d00Z!!! and i wuz just about to leave wurk and go höm3!!!!! An unrelated thought: - homies (the plastic ones) - 25 cents - friends you paid for - $300 a semester (dumbass) - the lifelong loneliness - priceless

...wha? (3, Funny)

Anonymous Coward | more than 11 years ago | (#4702093)

...how I wish Babel Fish would have a Geek->English translation option...

Anyone here want to sum it up IN PLAIN ENGLISH, without involving beowulf clusters or "Profit!"?

Re:...wha? (4, Funny)

Anonymous Coward | more than 11 years ago | (#4702199)

1. Set up a Beowulf cluster of secure tunnelers.
2. Detect thousands of networks in seconds.
3. ?????
4. Profit!

Re:...wha? (4, Funny)

unicron (20286) | more than 11 years ago | (#4702278)

Roughly translated it means they have all 3 CCIE's and get money thrown at them.

My new business (1)

enos (627034) | more than 11 years ago | (#4702446)

1. Make a Geek/English translator 2. ... 3. Profit!

4 Sec? (0, Redundant)

ProtoStar (575347) | more than 11 years ago | (#4702096)

4 seconds for 65k address is damn fast.

Hi-yo Captain Obvious! (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#4702208)

We Salute Thee!!

Re:Hi-yo Captain Obvious! (0)

Anonymous Coward | more than 11 years ago | (#4702228)

Yeah, but that's still two seconds slower than he finishes with his girlfriend.

Re:Hi-yo Captain Obvious! (0)

Anonymous Coward | more than 11 years ago | (#4702261)

Word.

Re:Hi-yo Captain Obvious! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4702266)

Yeah, but that's still two seconds slower than he finishes with his girlfriend.

You mean his imaginary girlfriend.

Re:Hi-yo Captain Obvious! (0)

Anonymous Coward | more than 11 years ago | (#4702294)

You are so mean, making fun of a man who lost his right hand in a terrible accident.

Re:4 Sec? (0)

Anonymous Coward | more than 11 years ago | (#4702257)

Whoever modded up ProtoStar's post as insightful is my hero!

All I want to know is. ... (1)

frodo from middle ea (602941) | more than 11 years ago | (#4702388)

which *@#$ing multinational would allow their Class B network to be used for "proof of Concept" work by some BlackHats ?
Authorise my a$$.

Re:4 Sec? (2, Interesting)

Istealmymusic (573079) | more than 11 years ago | (#4702494)

4 seconds for 2^16 is very fast. That's only 4(2^16) = 262,140 seconds = 4,396 minutes = 72 hours = 3 days for a sweep of the entire Internet. The virus-spreading possibilities are immense; in a mere three days a single virus could discover all exploitable hosts, though of course the time would be cut drastically due to the distributed nature of viruses. This isn't as fast as the 15 minutes the Warhol Worm [berkeley.edu] offers, but is faster than most admins will be able to patch their boxes, assuming the exploit is discovered and published beforehand. The possibilities of an underground vulnerability circulating without a patch are very real, and it could easily take 3 days for a vendor to fix the problem.

"Black Ops of TCP/IP", Indeed.

Go Dan! =) (2, Interesting)

dew (3680) | more than 11 years ago | (#4702099)

I roomed with the guy and can attest to the year or so he spent cobbling this stuff together. Go Dan!!

-david

maybe you can clarify (3, Interesting)

ryochiji (453715) | more than 11 years ago | (#4702154)

What's up with the pseudo-Japanese name?

Re:maybe you can clarify (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4702264)

I'd be more interesting in hearing a Japanese person explain what's up with Engrish [engrish.com] .

Clarification (5, Informative)

dew (3680) | more than 11 years ago | (#4702465)

Dan enjoys being witty with words. A "keiretsu" is a conglomeration of not-100%-related business units under a single roof. Mitsubishi makes cars and huge boats, Yamaha makes motorcycles and electronic synthesizers, etc.

The Paketto Keiretsu is a conglomeration of program units that do really bastardized and interesting things with packet manipulation and flow. It's a catchy little title, I thought, but that's MHO. ;) Dan, for those curious, is (AFAIK) not proficient in Japanese. =)

-david

Re:Clarification (3, Interesting)

ryochiji (453715) | more than 11 years ago | (#4702519)

>A "keiretsu" is a conglomeration of not-100%-related business units under a single roof

I happen to be Japanese, so I just thought it was rather...odd. Maybe it's because I've never seen the word "keiretsu" used in a context other than the one you described.

Re:Go Dan! =) (5, Funny)

Karamchand (607798) | more than 11 years ago | (#4702158)

I was the girlfriend of this guy for three years and can attest he spent them neglecting me and only fooling around with his computer thingies.

Re:Go Dan! =) (1, Troll)

unicron (20286) | more than 11 years ago | (#4702298)

You weren't exactly his girlfriend, you were more of that thing that stood on that bridge and wouldn't let people cross until they answered riddles.

Re:Go Dan! =) (3, Funny)

susano_otter (123650) | more than 11 years ago | (#4702333)

that thing that stood on that bridge and wouldn't let people cross until they answered riddles

A Monty Python nerd?

Re:Go Dan! =) (0, Funny)

Anonymous Coward | more than 11 years ago | (#4702423)

I'm this guy's cock. Still am (duh).

I can attest that he didn't touch me ONCE that entire year.

He's touching me now, though. Thanks slashdot!

DOG Re:Go Dan! =) (0)

Anonymous Coward | more than 11 years ago | (#4702516)

I was the Dog of the guy and can attest to nothing 'cause I don't understand this. But I had to pee on the floor way too much

scissors & glue (1)

brondsem (553348) | more than 11 years ago | (#4702101)

linkcat, scissors and glue. is there a hidden meaning?

hey (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4702103)

kould som1 pleeze summarize tis news post
its a little long... teh icon of a lock helps tho, I no its about security maybe
thx

Re:hey (0, Informative)

Second_Derivative (257815) | more than 11 years ago | (#4702131)

Buzzwords mainly, but basically some bloke picked over the specs for TCP/IP, put together some tools that do really pathological things with packets and take advantage of what various TCP/IP implementations expect, and used that to aggressively map networks.

Uh... in other words, nothing new whatsoever. NMAP's been doing this for ages, this is just more of the same. At least that's what it looks like, the submitter did an absolutely lousy job of actually getting to the point (what the fuck does "Paketto Keiretsu" actually DO!?)

Re:hey (2)

ChazeFroy (51595) | more than 11 years ago | (#4702205)

He should have spent more time writing decent error pages for his website, ones that don't reveal the absolute path directory structure to his stuff. Try clicking on the "paratrace" link [doxpara.com] from the slashdot story and you'll see this URL in your browser's bar:

http://www.doxpara.com/404.php?f=/home/effugas/doxpara/writings/docs/paratrace.xml

That's insane! (3, Interesting)

DJayC (595440) | more than 11 years ago | (#4702107)

"During an authorized test inside a multinational corporation's class B, scanrand detected 8300 web servers across 65,536 addresses. Time elapsed: approximately 4 seconds."

That is crazy! Does anyone have information, for comparison, on what a scan like that would take using other tools?

Re:That's insane! (4, Interesting)

Anonymous Coward | more than 11 years ago | (#4702201)

Um, not that I would know anything about scanning that many addresses, but most of the portscanners out now can only handle 20 or so simultaneous connections and have a 2-3 second timeout. So it would depend how fast the hosts respond and what % have servers. I imagine it would be in the realm of 30 minutes or so for this network.

great (-1, Troll)

enos (627034) | more than 11 years ago | (#4702108)

A faster way to find porn

Please be nice (5, Informative)

thalakan (14668) | more than 11 years ago | (#4702110)

Hi - www.doxpara.com is temporarily pointed at shaitan.lightconsulting.com, a quad Xeon hosted at Via.net in Palo Alto. Please be nice to my server so I don't have to drive over there and fix it...

What language? (0, Troll)

StillAnonymous (595680) | more than 11 years ago | (#4702119)

Lingua Reseaux? The Paketto Keiretsu? What's this guy been smoking? I'm not sure what's worse, pretentious techno-Latin babble, or "lol, k thx bye" MSN-speak.

Re:What language? (4, Informative)

jlittle (122165) | more than 11 years ago | (#4702144)

keiretsu = corporation/firm in japanese
packetto = loan worn (usually in katakana) meaning packet.

ie.. Packet Company in Japanese

Re:What language? (1)

jlittle (122165) | more than 11 years ago | (#4702197)

loan word.. loan word..

sheesh!

Re:What language? (1)

amaterasu (562571) | more than 11 years ago | (#4702485)

Keiretsu means series or groups. Kaisha is the Japanese word for corporations, and keiretsu gaisha (often shortened to just "keiretsu") refers to subsidiaries and affiliated companies.

That said, packet series may be one translation, but who knows.

Re:What language? (0)

Anonymous Coward | more than 11 years ago | (#4702575)

and keiretsu gaisha (often shortened to just "keiretsu") refers to subsidiaries and affiliated companies.

Presumably then keiretsu geisha refers to a group of business "ladies"...?

Re:What language? (0)

Anonymous Coward | more than 11 years ago | (#4702194)

Paketto Keiretsu is Japanese. I'm no Japanese speaker, but I believe that it roughly would translate as something like "the principle of interlocking operating relationships of packets." I could be way off, though.

I am dumb (1, Offtopic)

cygnus (17101) | more than 11 years ago | (#4702126)

What'd he say?

What'd he say?

time to go back to TCP/IP Network Administration to learn how to decode this Slashdot article...

Joy... (0)

Anonymous Coward | more than 11 years ago | (#4702128)

Let loose the hounds.

whoa, imagine how many IIS boxen (0)

Anonymous Coward | more than 11 years ago | (#4702132)

we could exploit now... muahahahah
KRS [www.krs.ca]

I'm soo dumb (5, Funny)

hemingwaynet (206789) | more than 11 years ago | (#4702137)

How come I go through my day feeling my little code is soo smart until I log in to Slashdot and read about C-level hacking of the core infrastructure of the internet by gods on human thrones and feel like a little 1st grader who has to deliver a note to a sixth grade teacher and marvels at the complex stuff on the chalk board....

*sigh*... I'm important! I swear...

+1 Funny (-1)

Anonymous Coward | more than 11 years ago | (#4702222)

I'm meta-moderating!

Re:I'm soo dumb (1)

IlluminatedOne (621945) | more than 11 years ago | (#4702231)

I think that summed up my thoughts after reading this post about as precisely as possible. Kudos!

Re:I'm soo dumb (0)

pumpkinescobarsof2 (602825) | more than 11 years ago | (#4702347)

well put

too much to read (0)

Anonymous Coward | more than 11 years ago | (#4702143)

This is waaaaay too much to read while written in italics

scary as hell (1)

w1r3sp33d (593084) | more than 11 years ago | (#4702151)

Long ago, when I was first thinking of network security as a career field, I thought "in a few years there might not be enough work to go around..." It looks like it could be another record year.

Re:scary as hell (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4702272)

you're a fucking retard. shut the hell up.

Greek (2, Insightful)

andyring (100627) | more than 11 years ago | (#4702155)

Granted, most of that post was Greek to me, it's still interesting in that I think in any technology or practically any invention, people will find ways to make them do things never even conceived of by the originator. Coming up with new uses for obscure parts of the TCP/IP stack isn't really any different than other inventive uses for common, everyday items. In all actuality, I think it's all about the oft-used phrase, "thinking outside the box."

Re:Greek (1)

Angry White Guy (521337) | more than 11 years ago | (#4702274)

We could sue him under the DMCA and make the world safe again.

Yes, that was sarcasm...

Still Reading... (2)

airrage (514164) | more than 11 years ago | (#4702157)

I will post a comment here when I'm done reading the main abstract and supplementaries. I'm also hoping to earn a PhD by proxy. Anyone got a text to speech adapter, it might be nice to hear this in my sleep. Seriously, this d00d got skillz.

Reminds me a lot of work done at USANC in the '90s (2, Troll)

Anonymous Coward | more than 11 years ago | (#4702159)

This is similar to the work we did at UANC in the 1996 era. We did a lot of things with source fragmenting of ethernet moduli, so to speak. This person's research is eerily similar, but clearly his own. I am not posting to claim copyright, blah blah. Just to point out the respect I have for someone who made it "this far!"

One of the things we did was design an ethernet hashing system that would function sort of like a dynamic roulette wheel of SYN types and packet sequence numbers. Using differing protocol sweeps, we could monitor different states without creating state ourselves! The ultimate goal was to provide inverse cascade across multiple routers and switches, allowing an attack to be sourced directly to a particular ethernet interface without the attacker's spoofing even mattering. By rotating state in real-time, using different queueing techniques, we could essentially traverse the entire network, sort of a big de-randomized traceroute, and virtually re-route all attack traffic back into the ethernet "netherworld", in a nutshell.

Very advanced stuff! I applaud your work wholeheartedly!

Re:Reminds me a lot of work done at USANC in the ' (0)

Anonymous Coward | more than 11 years ago | (#4702186)

ah yea, now that you say it I can remember working at USANC! Woa, it was a cool time with you guys :-) Designing an ethernet hashing system at 2 in the morning and ordering a new pizza.. very cute. Actually I really miss those times.
I'd be glad to see you again guys!

huh? (2, Insightful)

circletimessquare (444983) | more than 11 years ago | (#4702162)

i don't know a damn thing about what this story is talking about, but i've never been more scared in my life

Makes me happy I just got laid off (3, Funny)

jakedata (585566) | more than 11 years ago | (#4702176)

1. I have plenty of time to play with it.

2. I don't have to worry about someone doing it to me.

Is anyone working on SNORT signatures for this stuff?

So what is it? (5, Funny)

Sarin (112173) | more than 11 years ago | (#4702204)

The Paketto Keiretsu, Version 1.0, is a collection of five interwoven "proof of concepts" that explore, extract, and expose previously untapped capacities embedded deep within networks and their stacks, at Layers 2 through 4.

Hmm let me guess you have to compile this as root, after that it will give "proof of concept" to the black hat 2002 people that indeed there are previously untapped capacities deep within my server, somewhere remotely hidden on the outer reaches of my port range? ;)

J00 1337 h4x0r j00. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4702215)

ph0r 0h ph0r

whoops.

Couldn't find that one, man.

Looks like '' isn't around.

SHORTEST AND LONGEST BOOKS (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4702227)

SHORTEST BOOKS EVER WRITTEN

"A Guide To Arab Democracies"
"A Hiker's Guide To The Ho Chi Minh Trail"
"Advanced Linux User's Guide"
"Blacks I Met While Yachting"
"Career Opportunities for Liberal Arts Majors"
"Excellence In The CFL"
"Fast And Efficient Windows Applications"
"How To Be A Good Sport", by Tonya Harding
"How To Win The Super Bowl", by Jim Kelly
"Keebler Elves That Touch Themselves"
"My Life As A Woman", by Martina Navratilova
"The Engineer's Guide to Fashion"
"Young, Single Males Speak Out Against Masturbation"
"How to be Normal" and "How to be Polite" both by RMS
"Easy to use Linux"
A Canadian telephone book
"My Social Life" by ESR
"Correct Spelling and Grammar in English" by Rob "CmdrTaco" Malda
"Business Ethics" by William Gates III (with foreword by Ken Lay)
"Heterosexuality among the Slashdot crew"
"Truths I have told" by Al Gore
"How to Speak Clearly and Correctly" by George W. Bush
"How Canadians Stand Up for Themselves"
"How to Get a Date with a Woman" by your local LUG
"How to Tell the Truth" by William J. Clinton
"The Names of Women Interested in Linux Geeks"
"Successful Business Plans Using Linux"
"What I Wouldn't Do For Money" by Jon Katz
"How to Write Software People Would Want to Buy" by Linus Torvalds
"Addresses of Houses in Canada that aren't Igloos"

LONGEST BOOKS EVER WRITTEN

"Loneliness, Buttplugs, Linux and You" by ESR
"Why your name should have 'GNU/' in Front of It" by RMS
"Being Rude to Foriegners" by the French Government
"How to Sexually Abuse Penguins" by Linus Torvalds
"Homosexuality among the Slashdot crew"

Re:SHORTEST AND LONGEST BOOKS (0, Offtopic)

rocketfairy (16253) | more than 11 years ago | (#4702508)

French gov't not nice to foreigners? Bollocks! The Vichy state was perfectly friendly to the Nazis.

Note to the editors: (0, Flamebait)

perrin5 (38802) | more than 11 years ago | (#4702252)

When choosing to post articles, some quick things to bear in mind:
1) What the hell is he talking about?
2) No Really, I got layer 2-4 networking, I even got "TCP/IP", but what, precisely has he done that is worthy of note here?
3) Besides which, to whom is this software suite useful? Does it have exploit probing, does it simply tell you what stuff lives where? Is it something faster than normal scanning procedures?
4) Background?

All of these things could be (if you were so inclined) attached to the end of our user's posts so that those of us who are interested, but completely lost by the pure amount of jargon flying about to understand, can figure out what is going on...

On a side note,

What the hell is the general purpose of these tools, individually or as a group?

Re:Note to the editors: (0, Troll)

ProtonMotiveForce (267027) | more than 11 years ago | (#4702324)

The purpose is obvious - win at Bullshit Bingo!

Looks like a lot of big words thrown about so it looks a lot more important than it is. We've revolutionized.. something or other.

Why, look at all these cool (i.e. standard, well known) things we've done with OpenSSH!

My Grandma's done most of those things with SSH, I don't see her publishing a PDF on it.

Re:Note to the editors: (5, Insightful)

CounterZer0 (199086) | more than 11 years ago | (#4702354)

Welcome to the dumbing down of /.
This is News for Nerds - if it was something joe-shmoe Wallstreet journal reader could understand, then it would be in the Wallstreet Journal. If you don't understand it, LOOK IT UP.

Re:Note to the editors: (5, Insightful)

EllF (205050) | more than 11 years ago | (#4702568)

I'm going to burn some karma.

Somebody needs to moderate the parent comment up. This article is not merely masturbation for some geek - these are fundamentally cooler tools than what we've had before. Why? Because they do what they do - port scanning, routing, etc. - in new and more flexible ways.

One of the problems with releasing a powerful tool is that you need to *train* people to use it. Even more so than in meatspace, virtual tools like these require you to grok both the code and the environment in which the code runs. In this case, you need to understand how TCP/IP works, what the OSI layers are and how they interrelate, how existing implementations have been done, and how these tools are different.

It's really disappointing to see comments disparaging what is really impressive work - especially for reasons such as "this isn't new!" or "I don't get it!"

*sigh*

Re:Note to the editors: (1, Flamebait)

ealar dlanvuli (523604) | more than 11 years ago | (#4702507)

I know it's a really strange concept, but if you will note some of the words are underlined in his post.

READ THE FUCKING ARTICLES.

I think this is huge... (1)

TerryAtWork (598364) | more than 11 years ago | (#4702258)

I just wish I understood half of it.

translation (0, Flamebait)

frenetic3 (166950) | more than 11 years ago | (#4702265)

"the protocols the internet uses today are not conducive to certain types of networking tasks. however, tcp/ip, one of the internet's framework protocols, has a bunch of obscure parameters and fields that can be exploited to do new things [this isn't a very new concept.] i wrote a network scanner, fake NAT client, packet sniffer, traceroute utility, and some odd visualization tool. i like big words."

basically he wrote some new tools that are like the tools we already have but implemented in a slightly different way, except these tools were heralded by an obtuse 500-word self-aggrandizing technobabbling post on slashdot.

-fren

Re:translation (1)

frenetic3 (166950) | more than 11 years ago | (#4702320)

admittedly, he uses some cool techniques and goes pretty low level to achieve many of these things (and the tracing, sniffing, and broadcasting techniques are probably not logged by most firewalls/routers and/or can slip detection).

and that's a pretty fast scan utility. however, esoteric tools like this exist all over the place, and though interesting, this is nothing revolutionary. well, compared to the intel pentium iii processor which lets me not just get onto the internet, but get into it.

-fren

Re:translation (5, Funny)

schon (31600) | more than 11 years ago | (#4702384)

he wrote some new tools that are like the tools we already have but implemented in a slightly different way

Slightly different?

Yeah, and a cellphone is just like two cans and some string, only slightly more useful.

There are some seriously funky tools in there - check them out.

Re:translation (2)

belloc (37430) | more than 11 years ago | (#4702584)

translation...basically he wrote some new tools that are like the tools we already have but implemented in a slightly different way, except these tools were heralded by an obtuse 500-word self-aggrandizing technobabbling post on slashdot.

Can someone translate this for us?

Belloc

Alex, I can scan that net in 30ms. (4, Funny)

Anonymous Coward | more than 11 years ago | (#4702267)

Let's see...

ping 160.1.255.255

Duck and cover, here comes the smurf...

scanrand and paratrace (5, Informative)

Wanker (17907) | more than 11 years ago | (#4702285)

I don't quite follow what scanrand does that a normal SYN-based scanner does not except that it is broken into two parts so that potentially a different system could be used to receive the packets sent by the first system. Why would this be useful?

I guess he refers to embedding a code in each packet sent out to validate that only "real" packets are accepted by the receiver as "Inverse SYN Cookie". I don't understand why this is important, tho.

The "paratrace" program is quite interesting-- from the README:

paratrace

Paratrace traces the path between a client and a server, much like "traceroute", but with a major twist: Rather than iterate the TTLs of UDP, ICMP, or even TCP SYN packets, paratrace attaches itself to an existing, stateful-firewall-approved TCP flow, statelessly releasing as many TCP Keepalive messages as the software estimates the remote host is hop-distant. The resultant ICMP Time Exceeded replies are analyzed, with their original hop count "tattooed" in the IPID field copied into the returned packets by so many helpful routers. Through this process, paratrace can trace a route without modulating a single byte of TCP/Layer 4, and thus delivers fully valid (if occasionally redundant) segments at Layer 4 -- segments generated by another process entirely.

Nutshell summary: this uses an existing open TCP connection to run a traceroute through a firewall that would otherwise tell you to take off. I could certainly see this being useful.

Some good background reading on O'Reilly's Safari online books site if your TCP/IP internals are a bit rusty:

Internet Core Protocols: The Definitive Guide [oreilly.com]

TCP/IP Illustrated, Volume 1: The Protocols [oreilly.com]
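The README quoted above describes paratrace as a burst of TCP keepalive segments injected into an existing flow, with the TTL walked upward and the hop count copied into the IPID so the ICMP Time Exceeded replies can be matched. jakedata asked earlier whether anyone is writing Snort signatures for this; the script below is an added example (my code, not part of the Paketto Keiretsu and not a Snort rule) of the detection heuristic a defender would run over a packet capture. A normal stack emits at most one keepalive every couple of hours, always at its default TTL, so several zero-length ACKs at snd_nxt-1 on one flow within a few seconds, each with a different small TTL, is the tell. The record layout, the sample records, the thresholds, and the assumption that the hop count is written directly into the IPID are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample: one outbound TCP segment per record, as a capture parser might emit them.
# (ts, src_ip, src_port, dst_ip, dst_port, flags, ttl, ipid, seq, payload_len)
SAMPLE = [
    (0.00, "10.0.0.5", 40000, "203.0.113.7", 80, "PA", 64, 1001, 1000, 100),  # request data
    (0.10, "10.0.0.5", 40000, "203.0.113.7", 80, "A",  64, 1002, 1100, 0),    # ordinary ACK
    # Burst of keepalive-shaped segments (bare ACK, no payload, seq = snd_nxt - 1)
    # with the TTL walked 1..6 and the hop count copied into the IPID.
    (1.00, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 1, 1, 1099, 0),
    (1.01, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 2, 2, 1099, 0),
    (1.02, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 3, 3, 1099, 0),
    (1.03, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 4, 4, 1099, 0),
    (1.04, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 5, 5, 1099, 0),
    (1.05, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 6, 6, 1099, 0),
    # A second flow carrying a single genuine keepalive at the host's normal TTL.
    (4.00, "10.0.0.9", 40001, "203.0.113.8", 443, "PA", 64, 6, 400, 100),
    (4.50, "10.0.0.9", 40001, "203.0.113.8", 443, "A",  64, 7, 499, 0),
]


def _is_keepalive(flags, seq, payload_len, snd_nxt):
    """Keepalive shape: bare ACK, no payload, sequence number one below the sender's next-to-send."""
    if flags != "A" or payload_len != 0 or snd_nxt is None:
        return False
    return seq == ((snd_nxt - 1) & 0xFFFFFFFF)


def _bursts(events, window):
    """Group (ts, ttl, ipid) events into bursts whose span does not exceed `window` seconds."""
    burst = []
    for ev in events:
        if burst and ev[0] - burst[0][0] > window:
            yield burst
            burst = []
        burst.append(ev)
    if burst:
        yield burst


def find_ttl_walks(records, min_distinct_ttl=4, window=2.0):
    """Return one alert per burst of keepalives on a flow that walks through several TTLs.

    A legitimate keepalive is rare and always carries the host's default TTL; a
    burst of them with distinct, small TTLs is the paratrace pattern described
    in the README. The IPID == TTL check is an extra corroboration, assumed here
    to be how the hop count is tattooed.
    """
    snd_nxt = {}
    keepalives = defaultdict(list)
    for ts, src, sport, dst, dport, flags, ttl, ipid, seq, plen in sorted(records, key=lambda r: r[0]):
        flow = (src, sport, dst, dport)
        if _is_keepalive(flags, seq, plen, snd_nxt.get(flow)):
            keepalives[flow].append((ts, ttl, ipid))
        # Track the highest sequence end seen on the flow (32-bit wraparound ignored in this demo).
        end = seq + plen
        if snd_nxt.get(flow, -1) < end:
            snd_nxt[flow] = end

    alerts = []
    for flow, events in keepalives.items():
        for burst in _bursts(events, window):
            ttls = sorted({ttl for _, ttl, _ in burst})
            if len(ttls) < min_distinct_ttl:
                continue
            alerts.append({
                "flow": flow,
                "first_ts": burst[0][0],
                "probes": len(burst),
                "ttls": ttls,
                "ipid_tattooed": all(ipid == ttl for _, ttl, ipid in burst),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_ttl_walks(SAMPLE):
        src, sport, dst, dport = alert["flow"]
        print(f"{src}:{sport} -> {dst}:{dport}: {alert['probes']} keepalives, "
              f"TTLs {alert['ttls']}, IPID tattoo {alert['ipid_tattooed']}")
```

Only the first flow trips the heuristic; the second flow's lone keepalive at TTL 64 is ignored. The point for a firewall or IDS operator is that the offending segments are valid at Layer 4, exactly as the README says, so a stateful filter passes them; the anomaly lives in the IP header fields and the timing, which is where the rule has to look.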

okay, this guy is smarter than me (0)

Anonymous Coward | more than 11 years ago | (#4702287)

but i'm better looking and get laid more.

Slashdot Comment Plot (0)

Anonymous Coward | more than 11 years ago | (#4702289)

Proof that replies to your comment should be taken with a grain of salt:

http://www.doxpara.com/pics/index.php?album=phentropy%2F&pic=slashdot_comments1.jpg

8300 web servers...? (0)

Anonymous Coward | more than 11 years ago | (#4702291)

> scanrand detected 8300 web servers across 65,536
> addresses. Time elapsed: approximately 4 seconds.

I was a little curious how many detections I would get, so I started scanrand on this 256*256*256*256 address network. Time it will take: approximately 3 days. Stay tuned for the results...

Why is God's name (0)

Anonymous Coward | more than 11 years ago | (#4702302)

Are the parentheses around LinkCat hyperlinks to glue and scissors??

Re:Why is God's name (0)

Anonymous Coward | more than 11 years ago | (#4702402)

Yeah, good question!

and what's this all about:

Ideal for all paper crafts. Does not sour or spoil. In plastic jars.

Who cares if GLUE goes sour or spoils??

Or do kids really eat the paste? I thought that was a joke.

Re:Why is God's name (0)

Anonymous Coward | more than 11 years ago | (#4702435)

Ya know, looking at the subject it looks like you got cut off right before you could reveal to us God's true name. That's funny.

Oh, so what up with the scissors and paste links? (2)

JungleBoy (7578) | more than 11 years ago | (#4702369)

Um, I'm so confused about the scissors and paste that I need to sit down. Note the links attributed to the open and close parens around 'linkcat'

( [wholesaled...supply.com] linkcat) [allartsupplies.com]

Would someone please call me dumb and tell me the answer?

Re:Oh, so what up with the scissors and paste link (1)

handsomepete (561396) | more than 11 years ago | (#4702418)

It's quite simple. Either the submitter or /. have resorted to not-so-well disguised subliminal advertising within submissions. Look how many people have questioned why those links exist - hell, the links are nearly slashdotted. Someone is making traffic revenue off that, I reckon... or maybe I need a bigger tinfoil hat. Whatever.

Re:Oh, so what up with the scissors and paste link (5, Interesting)

Effugas (2378) | more than 11 years ago | (#4702523)

Cut and Paste. Linkcat lets you do that with packets :-)

--Dan

I applaud him (0)

Anonymous Coward | more than 11 years ago | (#4702371)

Even if all he did was manage to do the same thing nmap does but in a different manner, I still think being able to scan a class B in 4 seconds is nothing to laugh about. I think we should not forget this is simply a repackaging of some proof of point software.

This winter will truly be the season of the lanjacker.

So with this utility program (3, Funny)

kensai (139597) | more than 11 years ago | (#4702372)

I can haxor the Gibson and become 3l33t

I want to be a troll now (5, Insightful)

meshko (413657) | more than 11 years ago | (#4702381)

OK, this pretty much pushes me over. I've been considering becoming a slashdot troll for some time and I think this article finishes it. First interesting story in a week or two. It gets more moronic posts than anything I've ever seen on slashdot. The best posts here are of the type "this is way over my head". If this is over your head, but you think it's interesting stfu and don't post anything. I don't even want to talk about others.
The compost bin story got a more meaningful discussion than this.
90% of people here think that case mods are cool
99% of people here look at a program which allows you to traceroute without icmp or udp (just to name one thing) and say "yeah, but what's the use"?
WTF?

I shall go and troll in the story about case with 6 neon lights attached to it now. See ya.

Re:I want to be a troll now (-1)

The Bungi (221687) | more than 11 years ago | (#4702542)

Join the club. Between this and the 24x7 'M$' bashing, I've had it with this place.

I went from 'Excellent' karma (+50) to 'Terrible' in about three days, with a subnet block to boot due to "excessive negative moderation" or some such.

no, no, this IS revolutionary! (3, Funny)

Anonymous Coward | more than 11 years ago | (#4702394)


basically, this guy found a way to say "i will die alone" in over five hundred words, including the words "link layer" and "phentropy".

What Paketto Is (In Simpler Terms) (5, Informative)

Effugas (2378) | more than 11 years ago | (#4702410)

SCANRAND
========
Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down "yes" or "no" depending on the response. Normally, there's lots of overhead as you keep track of who you sent requests to and thus who you're expecting responses from. Overhead, or "state", makes things slow. So scanrand is stateless -- right when you start up, it splits in two. One half asks everyone, "Heh! What are you hosting!" The other half picks up responses, "Hmmm, some guy just said he has a web server."

Now, there's a problem: If someone knows I'm not keeping track of who I'm scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request -- the "Sequence Number". This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that's talking to me, and immediately know whether I ever scanned this guy in the first place.

So, that's why I get to scan really fast. Mind you, it's the least impressive part of Paketto in raw technical terms -- but it's definitely useful as hell.

MINEWT
======
What if you could just run a program, and a router showed up on your network? I don't mean physically, but I also don't mean "having anything visibly related to the computer hosting it". It'd be virtual, with its own separate IP addresses and its own MAC addresses too. It'd be portable to any machine on the LAN, maybe it'd be fast, but it'd definitely be amazingly flexible -- no chips to make, no wires to crimp. Run this software, and there's something new on your net.

That's what minewt is -- a new router that just shows up and works. Now, it happens to do some funky things -- Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaching it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it's flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool -- NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*'s and 192.168.*'s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.

It ain't your gateway that downloaded all those MP3's, even if that's the IP address on that flow of music.

Well, there's also this tech called ARP -- the Address Resolution Protocol. Your local network doesn't have a clue about IP addresses -- it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP -- 10.* or whatever -- to the MAC address the factory assigned.

NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).

MAT -- MAC Address Translation -- just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).

End result? Multiple hosts can share the same IP address. Cool.

LC [LINKCAT]
============
I've got a wire. I want to talk on it -- but I can't, I've got all these sockets and programs and limitations in the way. Or at least, I had them.

1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.
3) Profit.

Or,

1) Execute lc -l00 and start watching everything on the network go by in hex. Anything I like, I can copy, then run lc -m00 and paste back onto the wire once again.
3) Profit.

lc has a really interesting mode that's based on the fact that you can actually put data in a frame *after* IP is done with it -- it's called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, let's put crypto in it -- let's sign our frame! Basic support for SHA-1 HMACs is provided.

PARATRACE
=========
Alright, this is kinda neat. You've got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you're gonna start up a whole new connection. Paratrace gets around that -- you see, TCP lets you repeat packets; actually, by repeat, it's more like "The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine." So instead of spawning a whole new connection for our traces, we run our traceroute -- which is entirely a Layer 3 IP hack -- using a legitimate Layer 4 TCP packet. When the data eventually gets there, it's mostly ignored -- oh, the network screwed up again.

If there's a stateful firewall in the way, well, it's looking at Layer 4 data, which is 100% valid.

PHENTROPY
=========
See a cloud? Might be random. See a bunch of triangles? That ain't random. See the Borg Cube? Yeah, that's the FreeBSD kernel. This is an extension of Michal Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.

Terribly sorry I didn't do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.
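The "Inverse SYN Cookie" mechanism described under SCANRAND above, as an added illustration that is not code from Paketto or from Dan: the sending half derives each probe's sequence number from the destination IP and port, and the listening half checks any reply's ACK field against the same derivation, so no table of outstanding probes is needed and a reply nobody asked for is rejected. A keyed hash (HMAC-SHA1) is used here in place of the encryption the post mentions; the key, the addresses and the simulated remote stack are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed per-run secret: a real scanner would draw this fresh at startup.
KEY = b"constructed-example-key-not-a-real-secret"


def isn_cookie(ip: str, port: int, key: bytes = KEY) -> int:
    """32-bit sequence number derived from (ip, port) under key.

    The sender keeps no table: the cookie *is* the state, carried inside the
    SYN and echoed back (plus one) in the ACK field of any genuine reply.
    """
    packed = ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    tag = hmac.new(key, packed, hashlib.sha1).digest()
    return struct.unpack("!I", tag[:4])[0]


def make_syn(dst_ip: str, dst_port: int) -> dict:
    """The sending half: a SYN whose seq is the cookie for its destination."""
    return {"dst": dst_ip, "dport": dst_port, "seq": isn_cookie(dst_ip, dst_port)}


def classify_reply(src_ip: str, src_port: int, ack: int, flags: str,
                   key: bytes = KEY) -> str:
    """The listening half: decide from the packet alone whether it answers a
    probe we sent, and if so what it tells us."""
    expected = (isn_cookie(src_ip, src_port, key) + 1) & 0xFFFFFFFF
    if ack != expected:
        return "forged"      # nobody holding the key ever asked this host:port
    if flags == "SA":
        return "open"        # SYN/ACK: a listener is there
    if flags == "RA":
        return "closed"      # RST/ACK: nothing listening
    return "other"


def simulated_target(syn: dict, listening: set) -> tuple:
    """Constructed stand-in for a remote TCP stack: echoes seq+1 as the ACK."""
    flags = "SA" if syn["dport"] in listening else "RA"
    return syn["dst"], syn["dport"], (syn["seq"] + 1) & 0xFFFFFFFF, flags


def run_scan(targets, listening: set) -> dict:
    """Send probes, then classify replies with no memory of what was sent."""
    replies = [simulated_target(make_syn(ip, port), listening)
               for ip, port in targets]
    # A reply injected without a matching probe; its ACK is guaranteed wrong.
    bogus_ack = ((isn_cookie("10.0.0.99", 80) + 1) & 0xFFFFFFFF) ^ 0x1
    replies.append(("10.0.0.99", 80, bogus_ack, "SA"))
    return {(ip, port): classify_reply(ip, port, ack, flags)
            for ip, port, ack, flags in replies}


if __name__ == "__main__":
    # Constructed target list; 192.0.2.0/24 is the documentation range.
    results = run_scan([("192.0.2.10", 80), ("192.0.2.10", 22)], listening={80})
    for (ip, port), verdict in sorted(results.items()):
        print(f"{ip}:{port} -> {verdict}")
```

The forged entry is the case the post warns about: because the key never leaves the scanner, a third party cannot produce an ACK that passes `classify_reply`, and the listening half discards it without ever having known about the probe set. On the defender's side this is also why such scans are hard to spoof confusingly, and why a SYN flood of cookie-bearing probes looks, per packet, like ordinary connection attempts.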
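The Ethernet trailer signing described under LC [LINKCAT] above, as an added example rather than linkcat's own code: the IP header's Total Length field says where the IP packet ends, so a receiver can locate bytes placed after it (which IP ignores) and check an HMAC-SHA1 over the frame. The shared key, the Ethernet header and the minimal IPv4 header are all constructed for the example.

```python
import hashlib
import hmac
import struct

ETH_HDR_LEN = 14        # dst MAC + src MAC + EtherType
ETH_MIN_FRAME = 60      # minimum frame size before the FCS; short frames get padded
TAG_LEN = 20            # HMAC-SHA1 output length

# Constructed key shared by both ends of the wire.
KEY = b"constructed-trailer-key"

# Constructed Ethernet header: broadcast dst, locally administered src, IPv4.
ETH = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00"


def ipv4_packet(payload: bytes) -> bytes:
    """Minimal constructed IPv4 header (no options) with a correct Total Length.
    Checksum is left zero; only Total Length matters for locating the trailer."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def sign_frame(eth_hdr: bytes, ip_pkt: bytes, key: bytes = KEY) -> bytes:
    """Append an HMAC over header+packet *after* the IP Total Length, where IP
    never looks, then pad with zeros to the Ethernet minimum if still short."""
    tag = hmac.new(key, eth_hdr + ip_pkt, hashlib.sha1).digest()
    return (eth_hdr + ip_pkt + tag).ljust(ETH_MIN_FRAME, b"\x00")


def verify_frame(frame: bytes, key: bytes = KEY) -> bool:
    """Use the IP Total Length to find the trailer, then check it in constant time."""
    eth_hdr = frame[:ETH_HDR_LEN]
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    end = ETH_HDR_LEN + total_len
    ip_pkt = frame[ETH_HDR_LEN:end]
    tag = frame[end:end + TAG_LEN]
    if len(ip_pkt) != total_len or len(tag) != TAG_LEN:
        return False        # truncated frame: no room for the trailer
    good = hmac.new(key, eth_hdr + ip_pkt, hashlib.sha1).digest()
    return hmac.compare_digest(tag, good)


def tamper(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, to show the trailer catches it."""
    mutated = bytearray(frame)
    mutated[offset] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    frame = sign_frame(ETH, ipv4_packet(b"hello"))
    print(len(frame), verify_frame(frame))                      # 60 True
    print(verify_frame(tamper(frame, ETH_HDR_LEN + 20)))        # payload changed: False
```

Two things worth noticing: the tag adds 20 bytes beyond what IP will deliver, so an unsigned small packet that already fits in 60 bytes may grow past the minimum, and any bytes added *after* the tag (the zero padding) are not covered, which is fine because the receiver never reads them.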

Interesting (1)

motox (312416) | more than 11 years ago | (#4702413)

But too much techno babbling, such as in statements like "Userspace manipulation of packets can lead to less overhead" because "Kernels are optimized to talk to other hosts, not to scan them". Ok so you invented raw sockets, not to mention the fact that it's possible to send arbitrary packets from the kernel too, although from userspace it's for sure a more portable way. And MAC based networking , i can mention at least 3 commercial products that do that ( and in a much more flexible way). ( i maintain one of them :) Anyway, some stuff is really interesting, a few new toys to play with i guess ;)

not possible (0)

Anonymous Coward | more than 11 years ago | (#4702560)

Bandwidth MATH:
1) assume that each scan probe is a byte and a reply is a byte.
2) 65000 scans mean that 65000x2=130000 bytes
were exchanged in 4 seconds, or in bps, we
multiply by 8 to arrive at
1040000 bps or 1040kbps all across the organizations......

Socket MATH:
the scan requires at least 65535 sockets initiated, if sequential and each socket takes 4/60000 of a second to do, then this will happen in 4 seconds, not counting processing the replies.