Dan Kaminsky's Blog

SCANRAND

========

Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down “yes” or “no” depending on the response. Normally, there’s lots of overhead as you keep track of who you sent requests to and thus who you’re expected responses from. Overhead, or “state”, makes things slow. So scanrand is stateless — right when you start up, it splits in two. One half asks everyone, “Heh! What are you hosting!” The other half picks up responses, “Hmmm, some guy just said he has a web server.”

Now, there’s a problem: If someone knows I’m not keeping track of who I’m scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request — the “Sequence Number”. This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that’s talking to me, and immediately know whether I ever scanned this guy in the first place.

So, that’s why I get to scan really fast. Mind you, it’s the least impressive part of Paketto in raw technical terms — but it’s definitely useful as hell.

MINEWT

======

What if you could just run a program, and a router showed up on your network? I don’t mean physically, but I also don’t mean “having anything visibly related to the computer hosting it”. It’d be virtual, with its own separate IP addresses and it’s own MAC addresses too. It’d be portable to any machine on the LAN, maybe it’d be fast, but it’d definitely be amazingly flexible — no chips to make, no wires to crimp. Run this software, and there’s something new on your net.

That’s what minewt is — a new router that just shows up and works. Now, it happens to do some funky things — Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaches it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it’s flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool — NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*’s an 192.168.*’s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.

It ain’t your gateway that downloaded all those MP3’s, even if that’s the IP address on that flow of music.

Well, there’s also this tech called ARP — the Address Resolution Protocol. Your local network doesn’t have a clue about IP addresses — it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP — 10.* or whatever — to the MAC address the factory assigned.

NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).

MAT — MAC Address Translation — just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).

End result? Multiple hosts can share the same IP address. Cool.

LC [LINKCAT]

============

I’ve got a wire. I want to talk on it — but I can’t, I’ve got all these sockets and programs and limitations in the way. Or at least, I had them.

1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.

3) Profit.

Or,

1) Execute lc -l00 and start watching everything on the network go by in hex. ANything I like, I can copy, then run lc -m00 and paste back onto the wire once again.

3) Profit.

lc has a really interesting mode that’s based on the fact that you can actually put data in a frame *after* IP is done with it — it’s called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, lets put crypto in it — lets sign our frame! Basic support for SHA-1 HMAC’s is provided.

PARATRACE

=========

Alright, this is kinda neat. You’ve got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you’re gonna start up a whole new connection. Paratrace gets around that — you see, TCP lets you repeat packets; actually, by repeat, it’s more like “The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine.” So instead of spawning a whole new connection for our traces, we run our traceroute — which is entirely a Layer 3 IP hack — using a legitimate Layer 4 TCP packet. When the data eventually gets there, it’s mostly ignored — oh, the network screwed up again.

If there’s a stateful firewall in the way, well, it’s looking at Layer 4 data, which is 100% valid.

PHENTROPY

=========

See a cloud? Might be random. See a bunch of triangles? That ain’t random. See the Borg Cube? Yeah, that’s the FreeBSD kernel. This is an extension of Michel Zalewski’s excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.

Terribly sorry I didn’t do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.