Vulnerability Development mailing list archives

Paketto Keiretsu 1.0 Released


From: "Dan Kaminsky" <dan () doxpara com>
Date: Mon, 18 Nov 2002 03:56:14 -0800 (PST)

DoxPara Research is proud to announce the release of the Paketto Keiretsu,
Version 1.0, for general use. Paketto presently implements many of the
techniques described during recent "Black Ops of TCP/IP" presentations.
Feedback is intensely sought, and we are working to maximize portability
across all platforms. Your assistance is greatly appreciated, and your
enjoyment is humbly hoped for.

Paketto should be of particular note to the vuln-dev community, due to the
presence of lc (linkcat).  If you've ever wanted to be able to cut and
paste raw packets and have them show up on the wire -- even if that wire
is being remotely accessed over an SSH pipe -- lc will be of interest to
you.  The full manifest is as follows:

===

scanrand
Scanrand is a proof of concept, investigating stateless manipulation of
the TCP Finite State Machine. It implements extremely fast and efficient
port, host, and network trace scanning, and does so with two completely
separate and disconnected processes -- one that sends queries, the other
that receives responses and reconstructs the original message from the
returned content. Security is maintained, in the sense that false results
are difficult to forge, by embedding a cryptographic signature in the
outgoing requests which must be detected in any received response.
HMAC-SHA1, truncated to 32 bits, is used for this "Inverse SYN Cookie".

minewt
Minewt is a minimal "testbed" implementation of a stateful address
translation gateway, rendered so entirely in userspace that not even the
hardware addresses of the gateway correspond to what the kernel is
operating against. Minewt implements what is commonly referred to as NAT, as
well as a Doxpara-developed technique known as MAT. MAT, or MAC Address
Translation, allows several backend hosts to share the same IP address, by
dropping the static ARP cache and merging Layer 2 information into the NAT
state table. Minewt's ability to manipulate MAC addresses also allows it
to demonstrate Guerilla Multicast, which allows multiple hosts on the same
subnet to receive a unicasted TCP/UDP datastream from the outside world.
Minewt is not a firewall, and should not be treated as such.

lc
Linkcat (lc) attempts to do to Layer 2 (Ethernet) what Netcat (nc) does for
Layers 4-7 (TCP/UDP): Provide direct, bidirectional, streaming access to the
network. Libpcap/tcpdump syntax filters may be specified in either
direction, but no filtering is enabled by default. Two separate syntaxes
are supported; one accepts and emits libpcap dump format (raw binary w/ a
fixed size file header and a fixed size packet header), the other accepts
and emits simple hex w/ backslash line continuation. Several other
features are also implemented; specifically, early work involving the
embedding of cryptographic shared-secret signatures in the Ethernet
Trailer is demonstrated.

phentropy
Phentropy plots an arbitrarily large data source (of arbitrary data) onto
a three dimensional volumetric matrix, which may then be parsed by
OpenQVIS. Data mapping is accomplished by interpreting the file as a one
dimensional stream of integers and progressively mapping quads in phase
space. This process is reasonably straightforward: Take four numbers. Make
X equal to the second number minus the first number. Make Y equal to the
third number minus the second number. Then make Z equal to the last number
minus the third number. Given the XYZ coordinate, draw a point. It turns
out that many, many non-random datasets will have extraordinarily apparent
regions in 3-space with increased density, reflecting common rates of
change of the apparently random dataset. These regions are referred to as
Strange Attractors, and can be used to predict future values from an
otherwise random system.
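The four-number delta mapping described above, written out as an added Python example (this is not code from Paketto or phentropy itself): it bins the (X, Y, Z) points into voxels and reports how concentrated the densest regions are, so structured and random-looking inputs can be told apart without OpenQVIS. The voxel size, the concentration measure and the sample inputs are assumptions made here.

```python
"""Phase-space mapping of a byte stream, following the phentropy description.

Every sliding window of four consecutive values (a, b, c, d) becomes one
point (X, Y, Z) = (b - a, c - b, d - c).  Points are accumulated per voxel
so the dense regions (the text's "strange attractors") can be measured.
"""
from collections import Counter
import random


def phase_points(data: bytes):
    """Yield the (X, Y, Z) delta triple for each window of four consecutive bytes."""
    for i in range(len(data) - 3):
        a, b, c, d = data[i:i + 4]
        yield (b - a, c - b, d - c)


def voxel_density(data: bytes, voxel: int = 16) -> Counter:
    """Bin points into cubes of side `voxel` (deltas range over -255..255)."""
    counts = Counter()
    for x, y, z in phase_points(data):
        counts[(x // voxel, y // voxel, z // voxel)] += 1
    return counts


def concentration(data: bytes, voxel: int = 16, top: int = 8) -> float:
    """Fraction of all points that land in the `top` densest voxels.

    Close to 1.0 means a strong attractor (structured data); a value near
    top / (number of occupied voxels) means a flat, random-looking spread.
    """
    counts = voxel_density(data, voxel)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counts.most_common(top)) / total


def constructed_noise(n: int, seed: int = 1) -> bytes:
    """Constructed sample input: a seeded PRNG byte stream (assumed, not real data)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    # Constructed inputs: a wrapping counter (structured) versus PRNG noise.
    counter = bytes(i % 256 for i in range(4096))
    print(f"counter: {concentration(counter):.3f}")
    print(f"noise:   {concentration(constructed_noise(4096)):.3f}")
```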

paratrace
Paratrace traces the path between a client and a server, much like
"traceroute", but with a major twist: Rather than iterate the TTLs of UDP,
ICMP, or even TCP SYN packets, paratrace attaches itself to an existing,
stateful-firewall-approved TCP flow, statelessly releasing as many TCP
Keepalive messages as the software estimates the remote host is
hop-distant. The resultant ICMP Time Exceeded replies are analyzed, with
their original hopcount "tattooed" in the IPID field copied into the
returned packets by so many helpful routers. Through this process,
paratrace can trace a route without modulating a single byte of TCP/Layer
4, and thus delivers fully valid (if occasionally redundant) segments at
Layer 4 -- segments generated by another process entirely.

===

Enjoy!

Yours Truly,

   Dan Kaminsky
   DoxPara Research
   http://www.doxpara.com