Saturday, September 27, 2003

Broken Packets and Espionage

I came across a very interesting site today: The Museum of Broken Packets. For TCP/IP geeks like me, this is fascinating stuff. But what was most interesting was Exhibit 3, titled 'Espionage'. This is a very interesting packet, as it shows a really cool new sort of tracert program!

The original tracert program used to send packets to a random UDP port while varying the TTL. This worked as long as the receiver did not actually use this port - if it did, random things could hapen. Later versions of tracert send IPMP echo requests to the target host, which was a bit safer. But then came pings of death attacks, and many administrators would close ICMP off.

But the attack documented here is interesting in that it is effectively a tracert 'inside' an otherwise legitimate session. Using this approach, just about every stateful firewall and NAT devlce in existance would allow/pass the packet (since in theory the packet is valid within the session). Most sensible firewall administrators might close off traditional tracer-ing, but would be pretty powerless to stop this sort, assuming they even noticed it in the first place!

This is an entire new class of espionage tools for internal espionage. An employee could run a tool build to do this and pretty much blueprint the entire network in a matter of a few minutes. This is also open to attach from an "RJ45 hoover - a device brought in by the cleaners. They could just plug a device into the network, hit go and within a few minutes your entire network could be analyzed and blueprinted. Makes good food for thought.

No comments: