At long last…Paketto 2.0!
I’m still calling it a prerelease, as only Scanrand’s been migrated to the new architecture (and the new tools are quite raw), not to mention docs…but whereas
people are already writing about this, I suppose I should get it out there :-)
Expect a new release next week (i.e. you’ll have much cooler stuff to blog about then)
A little present for the little hacker in all of us :-) New in this release:
- OpenBSD Support
- Solaris (and Big-Endian) Support
- “Distco” mode to Scanrand, for quickly discovering the distance to an arbitrary host. Fast RSTs don’t reset the TTL, so RST TTL / 2 = average distance. We use a barren segment of the TTL range to detect and evaluate TTL reflection.
- Many, many bug fixes
- Merry Christmas! Happy Holidays!
Now if you’ll excuse me, I’ll be spending the next couple of days with my family; we’re heading out to Reno where there are
much more interesting things to do than check one’s email :-) But I’ll post stories — and photos of Ireland — when I
Really, really fast port scanner, that can also trace network paths. Port scanning is simply the act of asking a machine if you can start up a conversation with a certain port of its, and marking down “yes” or “no” depending on the response. Normally, there’s lots of overhead as you keep track of who you sent requests to and thus who you’re expected responses from. Overhead, or “state”, makes things slow. So scanrand is stateless — right when you start up, it splits in two. One half asks everyone, “Heh! What are you hosting!” The other half picks up responses, “Hmmm, some guy just said he has a web server.”
Now, there’s a problem: If someone knows I’m not keeping track of who I’m scanning, they can just throw fake responses back at me. But TCP lets me embed a little signature with every connection request — the “Sequence Number”. This number will be returned to me when I get a valid response from a host that I scanned. So I take the IP and the port of the machine I scan, encrypt it into the sequence, and send off the request. When I get the response back, I look at the ACKnowledgement, compare it to the IP and port of the machine that’s talking to me, and immediately know whether I ever scanned this guy in the first place.
So, that’s why I get to scan really fast. Mind you, it’s the least impressive part of Paketto in raw technical terms — but it’s definitely useful as hell.
What if you could just run a program, and a router showed up on your network? I don’t mean physically, but I also don’t mean “having anything visibly related to the computer hosting it”. It’d be virtual, with its own separate IP addresses and it’s own MAC addresses too. It’d be portable to any machine on the LAN, maybe it’d be fast, but it’d definitely be amazingly flexible — no chips to make, no wires to crimp. Run this software, and there’s something new on your net.
That’s what minewt is — a new router that just shows up and works. Now, it happens to do some funky things — Guerilla Multicast involves taking what your local network sees as a broadcast or multicast address and attaches it to what the outside world sees as just another IP of a single host. So the single host communication goes out, but once the packet returns, it’s flooded to a host of happy listeners. (Such is the theory.) MAC Address Translation is also slightly cool — NAT is all about using a Layer 4 TCP/UDP port to figure out which Layer 3 IP address (the 10.*’s an 192.168.*’s all us Linksys folk live behind) an incoming packet from the internet is really supposed to be going to.
It ain’t your gateway that downloaded all those MP3’s, even if that’s the IP address on that flow of music.
Well, there’s also this tech called ARP — the Address Resolution Protocol. Your local network doesn’t have a clue about IP addresses — it just has these unique factory assigned bitstrings that uniquely identify everyone. ARP is used to translate the Layer 3 IP — 10.* or whatever — to the MAC address the factory assigned.
NAT goes from L4(Port) to L3(IP). ARP goes from L3(IP) to L2(MAC).
MAT — MAC Address Translation — just combines the two. L4(Port) leads to the combination L3(IP)/L2(MAC).
End result? Multiple hosts can share the same IP address. Cool.
I’ve got a wire. I want to talk on it — but I can’t, I’ve got all these sockets and programs and limitations in the way. Or at least, I had them.
1) Execute lc -m00 and start typing hex. Whatever hex bytes I type show up on the ether.
1) Execute lc -l00 and start watching everything on the network go by in hex. ANything I like, I can copy, then run lc -m00 and paste back onto the wire once again.
lc has a really interesting mode that’s based on the fact that you can actually put data in a frame *after* IP is done with it — it’s called an ethernet trailer, and happens all the time when you try to send a packet smaller than the minimum legal length for ethernet. Well, as long as we can throw data after our packet, lets put crypto in it — lets sign our frame! Basic support for SHA-1 HMAC’s is provided.
Alright, this is kinda neat. You’ve got a connection to some host, right? You want to know how your packets are getting there. But if you use normal traceroute, you’re gonna start up a whole new connection. Paratrace gets around that — you see, TCP lets you repeat packets; actually, by repeat, it’s more like “The network can break and accidentally cause packets that were assumed to have been dropped to mysteriously come back to life; we handle this screwup just fine.” So instead of spawning a whole new connection for our traces, we run our traceroute — which is entirely a Layer 3 IP hack — using a legitimate Layer 4 TCP packet. When the data eventually gets there, it’s mostly ignored — oh, the network screwed up again.
If there’s a stateful firewall in the way, well, it’s looking at Layer 4 data, which is 100% valid.
See a cloud? Might be random. See a bunch of triangles? That ain’t random. See the Borg Cube? Yeah, that’s the FreeBSD kernel. This is an extension of Michel Zalewski’s excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS. Those images render *fast*, folks. 15-45fps fast.
Terribly sorry I didn’t do a writeup like this to begin with; hopefully the Keiretsu makes a bit more sense now.
Test this. More later. Don’t link here…yet :-)
From Cyberian City, Singapore’s only cybercafe that fails to suck :-)
On networks, as in most things, there is that which is possible, and
there is that which is impossible. There is a line between the two, built
on assumptions, thoughts, and precious few truths.
It’s reasonable to argue that the definition of progress is in moving that
line…by whatever cracked-out means happen to be available, as the case
may be. Recently, I wrote significant portions of a book:
Hack Proofing Your Network: Second Edition, from Syngress Press. Beyond finally
documenting the massive hackery I’ve always been known to pull with
OpenSSH, Syngress gave me the opportunity to research useful implications
of spoofing techniques.
The result: On Saturday, August 3rd, 2002, I am delivering the following talk
at Defcon X, in Las Vegas:
- Black Ops of TCP/IP: Work NAT, Work. Good NAT. Woof
Communication under TCP/IP networks has become extraordinarily popular;
still, there remains significant problems that as of yet have remained
unsolved within its layered rules. So, lets break the rules, elegance
(and possibly security) be damned. Signficant new techniques and code
will be unveiled to answer the following questions:
A) Instant Portscan
- Is it possible to discover instantaneously what network services have
been made available, even on massive networks?
B) Guerrila Multicast
- Is it possible to send a single packet to multiple recipients, using today.s
C) “NATless NAT”
- Is it possible to share a globally addressable IP address without
translating private IP ranges a la NAT?
- Is it possible to allow
incoming connections to an IP multiplexed in this manner?
D) NAT Deadlock Resolution
- Is it possible to establish a TCP connection between two hosts, both
Various interesting uses of these new packet-level primitives should be
discussed, and OpenSSH will trotted out as the method of bringing some
degree of security unto the resulting chaos.
- Is it possible to discover instantaneously what network services have
This talk (actually, an extended variant of it) was just delivered at
the Black Hat Briefings USA 2002. In response to many requests for the
actual code used to answer those questions(hint: the answer, in every case, is
I hereby announce the impending release of the Paketto Keiretsu, a
flotilla of interesting tools and cross-linked techniques for achieving
new and useful functionality from existing IPV4 networks. Public
release will take place August 3rd, at 6PM, during the Defcon talk.
Slides will be made available immediately as well, along with papers.
What, you want details? Come to Black Hat next time :-)
This year’s Black Hat and Defcon slides!
Man, it’s nice to be playing with packets again!
People seem to be rather excited (Forbes, Dark Reading, Search Security) about the Neutrality Router I’ve been working on. It’s called N00ter, and in a nutshell, it normalizes your link such that any differences in performance can’t be coming from different servers taking different routes, and have to instead be caused at the ISP. Here’s a summary of what I posted to Slashdot, explaining more succinctly what N00ter is up to.
Say Google is 50ms slower than Bing. Is this because of the ISP, or the routers and myriad server and path differentials between the ISP and Google, vs. the ISP and Bing? Can’t tell, it’s all conflated. We have to normalize the connection between the two sites, to measure if the ISP is using policy to alter QoS. Here’s how we do this with n00ter.
Start with a VPN, that creates an encrypted link from a Client to a broker/concentrator. An IP at the Broker talks plaintext with Google and Bing, who replies to the Broker. The Broker now encrypts the traffic back to the Client.
Policy can’t differentiate Bing traffic from Google traffic, it’s all encrypted.
Now, lets change things up — let’s have the Broker push the response traffic from Google and Bing, completely in the open. In fact, lets have it go so far as to spoof traffic from the original sources, making it look like there isn’t even a Broker in place. There’s just nice clean streams from Google and Bing.
If traffic from the same host, being sent over the same network path, but looking like Google, arrives faster (or slower) than traffic that looks like it came from Bing, then there’s policy differentiating Google from Bing.
Now, what if the policy is only applied to full flows, and not half flows? Well, in this case, we have one session that’s a straight normal download from Bing. Then we have another, where the entire client->server path is tunneled as before, but the Broker immediately emits the tunneled packets to Bing *spoofing the Client’s IP address*. So basically we’re now comparing the speed of a full legitimate flow to Bing, with a half flow. If QoS differs — as it would, if policy is only applied to full flows, then once again the policy is detected.
I call this client->server spoofing mode Roto-N00ter.
There’s more tricks, but this is what N00ter’s up to in a nutshell. It should work for anything IP based — if you want to know if XBox360 traffic routes faster than PS3 traffic, this’ll tell you.
Also, I’ve been doing some interesting things with BitCoin. (Len, we’ll miss you.) A few weeks ago, I gave a talk at Toorcon Seattle on the subject. Here are those slides as well.
Where’s the code? Well, two things are slowing down Paketto Keiretsu 3.0 (do people even remember scanrand?). First, I could use a release manager. I swear, packing stuff up for release is actually harder in many ways than writing the code! I do admit to know TCP rather better than Autoconf.
Secondly, and I know this is going to sound strange — I’m really not out to bust anyone with N00ter. Yes, I know it’s inevitable. But if a noxious filter is quietly removed with the knowledge that it’s presence is going to be provable in a court of law, well, all’s well that ends well, right?
So, give me a week or two. I have to get back from Germany anyway (the Black Ops talk will indeed be presented in a nuke hardened air bunker, overlooking MiG’s on the front lawn. LOL.)
The problem with packet slinging is that it’s just far too entertaining.
Every time I sit down to hack on something, I have this list of genuinely
amusing projects to spend cycles on. (Real world — its not that there aren’t
plenty of “gruntwork” tasks that simply must be accomplished, just that it’s
hard to use the hacker energy to execute them.)
Autoconf is not amusing. Neither is content management. At least to me. And, yikes, both
are suffering over here at Doxpara.
So here’s the deal — Paketto needs someone to take over making the code
build on modern systems. There’s some underlying code to patch; I’ll manage
that, no problem. But this complex build tree I have now isn’t easily
scaling to new distros, and that’s really limiting what are actually some
genuinely useful tools. You an Autoconf junkie? Got some interesting stuff
on Sourceforge? Want to flat out move Paketto into Sourceforge?
Then there’s this place. Dave Weekly,
my preternaturally insightful former roommate, assembled this particular
XML and PHP based site design, and I’m much appreciative. But it’s 2004, and
I need the ability to update things more flexibily and more often. I know
enough about web work to know it’s far more difficult than it gets credit
for, at least if you want something with a shred of technical class. There’s
a huge amount of work I’ve done that isn’t showing up on these pages –
my Slashdot and
Metafilter stuff, the
semi-secret but rather popular Apps Page (if Internet
Explorer has to be insecure, we can at least make it useful), and even
the Angel Project w/ Volsuite is nowhere to be found.
It’s getting kind of ridiculous :-) So, want to help contribute to my
calvacade of amusing hacks, but aren’t yet up to par when it comes to the
obscure advantages to (say) disabling the authoritative bit in an experimental
DNS server? White Hacker Needs Web Help Badly! Mail me too.
Not dead, not unemployed. Just been in stealth mode for a little while.
The big news is — I’m working for Avaya now, and have been for a couple
months. Yeah. Like I wasn’t travelling enough, I had to go and join a
massive company with a
consulting practice that spans the country :-) Not that I’m complaining.
These guys are looking at security in ways I had only imagined…convergence
is alot bigger than I had thought.
That being said…yes, Paketto lives on, and come Black Hat 2003, a major
new release will hit the streets. I’ll hold onto the details a little longer,
but here’s the abstract from Stack Black Ops (my BH talk):
What can your network do? You might be surprised. Layer by layer, this talk will examine previously undocumented and unrealized potential within modern data networks. We will discuss aspects of the newest versions of scanrand, a very high speed port scanner, and the rest of the Paketto Keiretsu. Interesting new techniques will also discussed, including:
- Bandwidth Brokering – a technique that allows market-based load balancing across administrative boundries using existing TCP protocols
- DHCP-less Bootstrapping – a sub-optimal but effective strategy for bootstrapping network access for hosts that cannot directly acquire a DHCP lease
- State Reconstruction – a design model that allows stateless network scanners (such as scanrand) to acquire deep knowledge about scanned hosts
- Multihomed Node Detection – a simple set of techniques that expose firewalled hosts with alternate paths to an unfirewalled network link.
- Generic ActiveX Encapsulation – a step-by-step methodology for safely launching arbitrary win32 tools (such as putty or a Cygwin OpenSSH environment) from a web page
We will also be discussing significant advances in data visualization, made necessary by the sometimes daunting amount of raw information these sorts of tools can expose one to.
Between you and me…this is going to be a wild talk :-) And yes, that’s a new book. Maybe now I can forget Swordfish.
I’ve addressed some of the more pressing issues in scanrand — the tool
plays nice in scripts now (timeouts actually work), can log sent packets,
and some other nice things. Plus packet2sql actually works now. Enjoy!
Paketto2 Prebuild 3
Whew! Running through the prerelease audit, last 24 to 48 hours before I
stamp this 1.0 and move onto more interesting things, like 1.1 and 1.2.
Just stamped out an ugly but incredible obscure ICMP parsing bug, and in
doing so almost completely removed that annoying Ethernet dependancy
permeating even my L3 port scanner. Hopefully I’ll be able to sneak
some NAT2NAT code in under the buzzer, given that it’s even more useful
and bizarre than Yet Another Port Scanner.
I may just wait until after Paketto comes out, just so I’ll have access
to a real development environment. Yes folks, my code is finally
stranger than my home network, and that’s saying something.
But that’s not the purpose of this post: Are you an administrator at
a large school or company that tracks computer models and MAC addresses
en masse, and has for several years? Mail me