Black Ops Of TCP/IP: Advanced Network Disconstruction presented at BlackHatAsia 2002

by Dan Kaminsky

Summary: There's more to your network than you might have assumed. Intelligent, active devices litter the paths between hosts that themselves have unexplored and underutilized code paths. You know this from the number of flat-out attacks that use mangled packets to destroy; what is becoming apparent, however, is that there's an entire class of functionality used when specially constructed packets are employed *not* to destroy, but to create. As the author of the recently released Paketto Keiretsu, I will be discussing and unveiling work relating to the following:
Methods for multicasting into subnets behind NAT firewalls
Alternative strategies for multiplexing globally addressable IP addresses, with end-to-end packet integrity if need be
Useful and academic methods of establishing connection streams between two NATted hosts
Secure and immediate strategies for large scale service scanning of IP networks
Integration of OpenSSH into packet-level engineering
Implications of newly found capacity for data reflection and metadata tunneling in existing network protocols
The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for. It includes Scanrand, an unusually fast network service and topology discovery system; Minewt, a user-space NAT/MAT router; linkcat, which presents an Ethernet link on stdio; Paratrace, which traces network paths without spawning new connections; and Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three-dimensional phase space.
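As an added illustration of the phase-space idea behind the Phentropy description above (this is my own example, not code from Phentropy or the Paketto Keiretsu), the Python below embeds a stream of 8-bit samples into three dimensions using consecutive-difference (delayed-coordinate) triples and then measures how much of the cube the points cover. The embedding choice, the function names and the three constructed sample streams are my assumptions; the page itself states only that Phentropy renders data sources in three-dimensional phase space. Predictable sources collapse onto a handful of points, while a source with real entropy scatters across the cube, which is what a plot of this kind makes visible at a glance.

```python
import random

# Delayed-coordinate ("phase space") embedding of a sample stream.
# Each point is (x[n]-x[n-1], x[n-1]-x[n-2], x[n-2]-x[n-3]), so a
# stream of N samples yields N-3 points. A counter or fixed-step
# sequence lands on one or a few points; good entropy fills the cube.

def phase_space_points(samples):
    """Return the list of 3-D delta points for an integer sample sequence."""
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    return [(deltas[i], deltas[i - 1], deltas[i - 2])
            for i in range(2, len(deltas))]


def occupied_fraction(points, bins=16, sample_max=255):
    """Coarse-grain the cube into bins**3 cells and report the fraction
    of cells hit by at least one point (1.0 means every cell was hit).
    Deltas of samples in [0, sample_max] lie in [-sample_max, sample_max]."""
    span = 2 * sample_max + 1

    def cell(d):
        return (d + sample_max) * bins // span   # maps to 0 .. bins-1

    hit = {tuple(cell(d) for d in p) for p in points}
    return len(hit) / bins ** 3


# Constructed sample streams (not captured data): a plain counter, a
# fixed-step counter that wraps, and a seeded PRNG standing in for a
# high-entropy source so the run is reproducible.
COUNTER = list(range(256))
STEPPED = [(7 * i) % 256 for i in range(1000)]
_rng = random.Random(0)
PRNG = [_rng.randrange(256) for _ in range(1000)]


def compare_sources():
    """Return {name: (distinct_points, occupied_fraction)} for each stream."""
    result = {}
    for name, stream in (("counter", COUNTER),
                         ("stepped", STEPPED),
                         ("prng", PRNG)):
        pts = phase_space_points(stream)
        result[name] = (len(set(pts)), occupied_fraction(pts))
    return result


if __name__ == "__main__":
    for name, (distinct, frac) in compare_sources().items():
        print(f"{name:8s} distinct points={distinct:5d}  "
              f"cube occupancy={frac:.4f}")
```

The counter produces a single point (every delta is 1), the stepped counter at most eight points (deltas are either 7 or 7 minus the wrap), and the seeded PRNG spreads into several hundred distinct points covering a noticeable share of the cube. Feeding `phase_space_points` the bytes of a real file, a run of sequence numbers or a session token stream gives the same kind of before-and-after comparison the Phentropy rendering is meant to show.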