DoxPara Research is proud to announce the release of the Paketto Keiretsu, Version 1.0, for general use. Paketto presently implements many of the techniques described during recent "Black Ops of TCP/IP" presentations. Feedback is intensely sought, and we are working to maximize portability across all platforms. Your assistance is greatly appreciated, and your enjoyment is humbly hoped for. Paketto should be of particular note to the vuln-dev community, due to the presence of lc (linkcat). If you've ever wanted to be able to cut and paste raw packets and have them show up on the wire -- even if that wire is being remotely accessed over an SSH pipe -- lc will be of interest to you. The full manifest is as follows: === scanrand Scanrand is a proof of concept, investigating stateless manipulation of the TCP Finite State Machine. It implements extremely fast and efficient port, host, and network trace scanning, and does so with two completely separate and disconnected processes -- one that sends queries, the other that receives responses and reconstructs the original message from the returned content. Security is maintained, in the sense that false results are difficult to forge, by embeddeding a cryptographic signature in the outgoing requests which must be detected in any received response. HMAC-SHA1, truncated to 32 bits, is used for this "Inverse SYN Cookie". minewt Minewt is a minimal "testbed" implementation of a stateful address translation gateway, rendered so entirely in userspace that not even the hardware addresses of the gateway correspond to what the kernel is operating against. Minewt implements what is common referred to as NAT, as well as a Doxpara-developed technique known as MAT. MAT, or MAC Address Translation, allows several backend hosts to share the same IP address, by dropping the static ARP cache and merging Layer 2 information into the NAT state table. Minewt's ability to manipulate MAC addresses also allows it to demonstrate Guerilla Multicast, which allows multiple hosts on the same subnet to receive a unicasted TCP/UDP datastream from the outside world. Minewt is not a firewall, and should not be treated as such. lc Linkcat(lc) attempts to do to Layer 2 (Ethernet) what Netcat(nc) does for Layer 4-7(TCP/UDP): Provide direct, bidirectional, streaming access to the network. Lib cap/tcpdump syntax filters may be specified in either direction, but no filtering is enabled by default. Two separate syntaxes are supported; one accepts and emits libpcap dump format(raw binary w/ a fixed size file header and a fixed size packet header), the other accepts and emits simple hex w/ backslash line continuation. Several other features are also implemented; specifically, early work involving the embedding of cryptographic shared- secret signatures in the Ethernet Trailer is demonstrated. phentropy Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space. This process is reasonably straightforward: Take four numbers. Make X equal to the second number minus the first number. Make Y equal to the third number minus the second number. Then make Z equal to the last number minus the third number. Given the XYZ coordinate, draw a point. It turns out that many, many non-random datasets will have extraordinarily apparent regions in 3-space with increased density, reflecting common rates of change of the apparently random dataset. These regions are referred to as Strange Attractors, and can be used to predict future values from an otherwise random system. paratrace Paratrace traces the path between a client and a server, much like "traceroute", but with a major twist: Rather than iterate the TTLs of UDP, ICMP, or even TCP SYN packets, paratrace attaches itself to an existing, stateful- firewall-approved TCP flow, statelessly releasing as many TCP Keepalive messages as the software estimates the remote host is hop-distant. The resultant ICMP Time Exceeded replies are analyzed, with their original hopcount "tattooed" in the IPID field copied into the returned packets by so many helpful routers. Through this process, paratrace can trace a route without modulating a single byte of TCP/Layer 4, and thus delivers fully valid (if occasionally redundant) segments at Layer 4 -- segments generated by another process entirely. === Enjoy! Yours Truly, Dan Kaminsky DoxPara Research http://www.doxpara.com
This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 08:52:25 PST