Paketto Keiretsu 1.0

From: Dan Kaminsky (
Date: 11/18/02

  • Next message: Arab VieruZ: "XSS bug in phpBB"
    Date: Mon, 18 Nov 2002 04:03:22 -0800 (PST)
    From: "Dan Kaminsky" <>
    To: <>

    DoxPara Research is proud to announce the release of the Paketto Keiretsu,
    Version 1.0, for general use. Paketto presently implements many of the
    techniques described during recent "Black Ops of TCP/IP" presentations.
    Feedback is intensely sought, and we are working to maximize portability
    across all platforms. Your assistance is greatly appreciated, and your
    enjoyment is humbly hoped for.

    Paketto may be acquired at the following address: .

    The following is its full manifest:

    Scanrand is a proof of concept, investigating stateless manipulation of
    the TCP Finite State Machine. It implements extremely fast and efficient
    port, host, and network trace scanning, and does so with two completely
    separate and disconnected processes -- one that sends queries, the other
    that receives responses and reconstructs the original message from the
    returned content. Security is maintained, in the sense that false results
    are difficult to forge, by embeddeding a cryptographic signature in the
    outgoing requests which must be detected in any received response.
    HMAC-SHA1, truncated to 32 bits, is used for this "Inverse SYN Cookie".

    Minewt is a minimal "testbed" implementation of a stateful address
    translation gateway, rendered so entirely in userspace that not even the
    hardware addresses of the gateway correspond to what the kernel is
    operating against. Minewt implements what is common referred to as NAT, as
    well as a Doxpara-developed technique known as MAT. MAT, or MAC Address
    Translation, allows several backend hosts to share the same IP address, by
    dropping the static ARP cache and merging Layer 2 information into the NAT
    state table. Minewt's ability to manipulate MAC addresses also allows it
    to demonstrate Guerilla Multicast, which allows multiple hosts on the same
    subnet to receive a unicasted TCP/UDP datastream from the outside world.
    Minewt is not a firewall, and should not be treated as such.

    Linkcat(lc) attempts to do to Layer 2 (Ethernet) what Netcat(nc) does for
    Layer 4-7(TCP/UDP): Provide direct, bidirectional, streaming access to the
    network. Lib­ cap/tcpdump syntax filters may be specified in either
    direction, but no filtering is enabled by default. Two separate syntaxes
    are supported; one accepts and emits libpcap dump format(raw binary w/ a
    fixed size file header and a fixed size packet header), the other accepts
    and emits simple hex w/ backslash line continuation. Several other
    features are also implemented; specifically, early work involving the
    embedding of cryptographic shared- secret signatures in the Ethernet
    Trailer is demonstrated.

    Phentropy plots an arbitrarily large data source (of arbitrary data) onto
    a three dimensional volumetric matrix, which may then be parsed by
    OpenQVIS. Data mapping is accomplished by interpreting the file as a one
    dimensional stream of integers and progressively mapping quads in phase
    space. This process is reasonably straightforward: Take four numbers. Make
    X equal to the second number minus the first number. Make Y equal to the
    third number minus the second number. Then make Z equal to the last number
    minus the third number. Given the XYZ coordinate, draw a point. It turns
    out that many, many non-random datasets will have extraordinarily apparent
    regions in 3-space with increased density, reflecting common rates of
    change of the apparently random dataset. These regions are referred to as
    Strange Attractors, and can be used to predict future values from an
    otherwise random system.

    Paratrace traces the path between a client and a server, much like
    "traceroute", but with a major twist: Rather than iterate the TTLs of UDP,
    ICMP, or even TCP SYN packets, paratrace attaches itself to an existing,
    stateful- firewall-approved TCP flow, statelessly releasing as many TCP
    Keepalive messages as the software estimates the remote host is
    hop-distant. The resultant ICMP Time Exceeded replies are analyzed, with
    their original hopcount "tattooed" in the IPID field copied into the
    returned packets by so many helpful routers. Through this process,
    paratrace can trace a route without modulating a single byte of TCP/Layer
    4, and thus delivers fully valid (if occasionally redundant) segments at
    Layer 4 -- segments generated by another process entirely.



    Yours Truly,

       Dan Kaminsky
       DoxPara Research

    Relevant Pages

    • Re: problems with wvdial
      ... its client's IP address in its DHCP server a kernel routing problem? ... When the application layer hands off a payload to ... If host A has a different address for itself than the address ... This is no less true for a dial-up ISP than a broadband ISP. ...
    • RE: CSMA/CD
      ... I though that CSMA/CD only operated at the MAC ... layer of Layer 2 in the OSI model. ... Physical only interprets the signals ... >> someone tryes to send at the same time, the sending host sends the ...
    • Re: making a machine non pingable
      ... > layer three stuff will protect you from most probes, so the host ...
    • Re: can telnet but not ping
      ... configured to accept connection from this host to a server. ... telnet to the server from the host but not ping!! ... How can layer 3 test ...