Video equipment rental costs paid for by PeepCode screencasts. All right, so this is PacketFu, ninja-style, mid-level packet manipulation for Ruby. Hello. I'm Tod Beardsley. I'm a security researcher most of the time, which means I do a lot of attack and defense research and application at BreakingPoint. We make test equipment for routers and security devices mainly, things like IDS, IPS. How many people here have ever administered an IDS device? A couple. IDS is intrusion detection. It's a thing that tells you that you just got owned. IPS is intrusion prevention. It's the thing that tells you that you almost got owned. And so I work a lot in testing those guys. And I'm a Ruby newbie. I've been doing Ruby for under a year. I started doing it because it seemed like all the cool kids were doing it. So as soon as I started, I noticed that there was no reasonable way to do packet manipulation in Ruby, network packets. So I'll get to that in just a second.

You may be asking yourselves why forge packets when you have perfectly wonderful OS stacks that do all your packet handling for you. Well, like I said, I test network equipment, so often I have to make crazy packets that don't make any sense, that you never find in the real world, to see how security devices interact with them, to see how routers interact with them: do they fall over if you send them things that are ridiculously large or small, or lots of them, or all that. Same deal with security equipment. Security equipment is supposed to prevent attacks. So if I can do weird TCP reordering, do I screw up your IDS? And you also may want to do packet captures and sanitize your packets by massively rewriting IP addresses or MAC addresses or something, because you want to share it, but you don't want to share who you are with whomever you're sharing it with. Which is kind of common in the security community.
By the way, this is my first language conference and certainly my first Ruby conference, and it's very different from security conferences. I see a lot of, like, open notebooks. You don't usually see that very much at security conferences, because people are paranoid that you're on an untrusted network around a bunch of strangers. They're going to totally jack your stuff. Apparently you guys don't mind, though. Not DEF CON. Yes, and much more forgible.

So why would you want to sniff packets on the wire and not trust your applications to do it for you? Well, you may have connectivity issues and you might want to see what's going on at the packet layer. This is my favorite thing to do with packets at this level: device fingerprinting. I want to know, you may be saying, I want to know, like, how many Macs are in the room, or I want to know what your web server really is. I mean, you may have an IIS banner, or you may have an Apache banner, but you may be lying, and the packets will give you away in almost all cases. And finally, for application reversing: if I'm dealing with an application that maybe doesn't have an RFC, like all of Oracle's stuff, and I want to know how it works and how it looks on the wire, so I can re-implement it, which is mainly what I do when I'm not doing security work, I need to look at the packets as they appear on the wire.

And so why Ruby? Well, like I said, I just picked up Ruby. It's super rad. So all the usual reasons. Ruby is très object oriented, blah blah blah. You guys all know this. The threading is easy. It may not be the greatest, but it's super easy. And Ruby is cross-platform for reals. And so is my stuff. Cross-platform is one of the things I care about, which is Linux and Windows. Sorry, Mac guy. But of course Ruby is very cross-platform on Mac as well. But there is nothing, sort of, for doing this kind of thing in Ruby, which is a bummer, because Python has Scapy. Anybody use Scapy at all in Python? Zero.
Perl has RawIP, which is kind of similar. C has libnet, which is kind of the standard for packet forgery. But there's nothing for Ruby. But wait, there is. Did I just reinvent the wheel these last couple of months? There is Scruby. Scruby was released in April of 2007. It's a port of Scapy from Python. So if you're super happy with Scapy, then you may like Scruby. The syntax is the same, and very alien and bizarre. There's Racket, which just got released this last March. The guys at Matasano Security use Racket for their protocol debugger. They use a thing called Bramble, and it's built on Racket, but it's just brand spanking new. It's great. I love it a lot. It's BitStruct based, which can be kind of a bummer for some applications. Also, Racket's syntax is a little verbose, but it's good. They released as I was writing it, so we'll duel to the death, I guess. This goes to the, there are 18 zillion different implementations of the same thing in Ruby.

So I wrote PacketFu. I wrote it in September of 2008. I did check-ins yesterday for some bug fixes. I started this back in early March. I posted to the local Ruby users group, ArcTan, and said, hey, is Scruby really the state of the art for packet manipulation in Ruby? Cricket noises on the mailing list. Then I replied a couple of days later and I'm like, okay, well, that's great. That's good for me, because then I can write this and learn this Ruby stuff. There's that, and PacketFu is BinData based. Anybody here use BitStruct or BinData for anything exciting? Yes. BitStruct has a superior interface, I think, but BinData is more robust for the things I needed to do, so that's why I went with it.

So we'll talk a little bit about the design. In its guts, I use pcaprub, because pcaprub uses libpcap. It's ubiquitous. If you're doing this kind of thing, libpcap is what drives things like Wireshark and tcpdump and tcpreplay and all that jazz. I did not use Ruby-Pcap. Don't ever use Ruby-Pcap.
If you ever want to copy this stuff or re-implement some other crazy packet stuff, don't use Ruby-Pcap. You will Google around for Ruby libpcap for that interface and you will find it immediately. It's like the first two pages, but it hasn't been updated since 2001. So it doesn't use libpcap's packet injection stuff, for example. The threading model it uses is blocking. It kind of sucks. It's a good first effort. Pcaprub is the best kept secret in Ruby packet manipulation. You won't find it on your first couple of pages of Google, and it's actively maintained as part of the Metasploit project now. Yay, Metasploit!

So I went... I needed to build some binary structs in PacketFu. So I wrote my own, as everybody does when they first learn languages: I'll write my own. I wrote PacketFactory. It's my factory methods. I had also just bought a book on Ruby object-oriented design, so I'm like, oh great, I can use like 16,000 different designs in this thing. It was a huge mistake and it will not see the light of day. I quickly abandoned it around April. Then I went to BitStruct, because lots of people use BitStruct and the interface is really rad. But unfortunately with BitStruct, if you have things like variable data lengths or you have things like optional headers and data, optional tokens, with BitStruct you have to do a lot of crazy stuff to get around that. BinData does all that natively, however. It has the array type, it has read until the end of the file, stuff like that. It's very featureful. It's a struct meta-language and it's actively maintained at RubyForge. And the guy is really nice. He takes patches very quickly.

So this is kind of what BinData headers look like. This is from the PacketFu documentation. It's all RDoc-ified. So we can see here we have things, this is a TCP header as seen by BitStruct, or, I'm sorry, BinData, not BitStruct. We have things like TCP source address, which is a uint16, dest address, sequence numbers, acks.
These are all fairly typical data types. This is a 4-bit field. This is an 8-bit field. The ability to just easily do bit widths is hugely useful when doing things with networks. But then you can also have custom ones too in BinData. I have this TCP flags right here. TCP flags, that's not a fairly normal data type. TCP flags are one bit each. So in BinData you get to define your own data type, which is bit1, bit2, bit3, and this is the order that all your flags show up in. And so this makes it really easy to implement this kind of application. I strongly urge you to take a look at BinData if you're doing anything binary-wise. If you're parsing files, BinData is great.

All right, where am I at here? Okay, so PacketFu creates these packet headers using BinData stuff. I collect them up into packets, which are mostly normal Ruby objects. And that's pretty much how PacketFu does its magic. There's a lot of smarts in there about what packet types look like. I have a bunch of basic ones and I'll have lots more soon. But I noticed that not a lot of hands went up when I asked who does IDS. Anybody used Wireshark lately? Yes? Okay, about half. I won't bore you with the OSI layer model, besides, it's wrong. So it's wrong for me, at least. So this is a very quick diagram of how PacketFu deals with packets. Think of all these boxes as objects. This is an Ethernet header. It has things like a source, a dest, a proto, and a payload. The big blank spot there is the payload. Pardon me. In the payload we have things like IP headers. IP headers themselves have things like version, header length, time to live, stuff like that. They also have payloads. Bodies, really, is what I call them. And in that one we have a TCP header, which has things like source, dest, sequence numbers, ack numbers, flags, junk like that. And that tiny little box is the body of the TCP header, where you'll see things like the SSH header. And then you'll see data. I don't go that deep, generally.
I don't really care too much about application-level protocols. I care a lot about this 1 through 3 in this model. You can do application protocols in PacketFu. It's not too hard, but I'll get to that in a bit. All this is encapsulated in a packet. And so that's kind of the outermost object of this design. Packets have things, namely headers. It stores headers in an array: header zero is the eth header, header one is the IP header, header two is the TCP header. So you can access those and read and write them and all that jazz. Packets also have payloads. This payload is really the body of the TCP header. This is almost always what you want when you're talking about "give me this packet's payload". It's giving me the outermost payload. So that's built in. Damn it, now I gotta go through my whole... Hang on.

I see you have TCP headers there. Can you also work with UDP packets as well? Absolutely. Right now I have implemented TCP, UDP, ICMP, ARP, IPv6, kind of. I think that's it for now. That's gonna be most of what you're gonna see on the internet anyway.

One thing to talk about is this little star packet. This packet gets its identity from this guy in here. Whatever is the innermost header determines the nature of this packet. So when you're making things in PacketFu, it will take its type from the data. So here I'm getting a little bit ahead, but it's kind of important. I have this file, ICMP packets in this file, so I chuck those all into an array. This is just a binary array. It's not very exciting. Packet array, so this is the first one. This is what packets look like, but that's not very useful. I can say ICMP packet equals, well, we'll say unknown packet, because I don't really know what it is. It gives you that. You can say things like unknown_packet.inspect, which is what the, I've overloaded inspect. I might change it, I don't know yet. That may irritate some people, but you can also say things like what class is it, and it knows.
You can go through the data and it figures it out. It's like, oh well, these 14 bytes, it looks like Ethernet, and where do we have it here, and I know it's IP because of this guy, and I know it's ICMP because of this guy right here. So once it's ICMP... That's how packet generation works, where I take arbitrary binary data from the wire and turn it into these handy little packets that you can do all kinds of cool stuff with. Do-do-do-do-do-do. Yeah.

Are you using another library that has kind of a layout like that? I just wrote my own method to do it. It's called hexify, and that works for any binary data.

So, oh, good. So the typical packet interfaces you'll see are things like to_s. Can I do this? Yes, no, yes. OK, so I'll do things like to_s. to_s just gives you the binary, because maybe you want that. payload will give you just the outermost payload. Like I talked about, this is the ICMP payload. See, this is a ping, probably, because this guy right here kind of gives it away. inspect, we already showed. It gives a hex readable packet dump. So if you're used to working with things like Wireshark, tcpdump, and you're a giant nerd like me, then you can read that really easily. And peek: every packet type, the ICMP packet class carries along with it its own peek method, which gives you summary data. It tells you kind of what's going on in a very basic way. This tells you that it's C for ICMP, because I was already taken by IP. It's 98 bytes long. It's from this guy. Ping is talking to this dude, and the IP ID, which in this case is 0. That works great for lots of stuff. You can do something like, whatever, say packet equals. Come on, give it to me. Packet.new. So it tells you what that is. What's kind of neat? How you talk to the network is through pcaprub. You can transmit and receive through a network interface. This requires root privileges, because only people who know the root password are allowed to shoot things over the network arbitrarily.
You can read and write files using the standard libpcap format. And so I handle the libpcap file format, so you can say things like packet.to_f, and there's a default set already for out, and open it up. So here it is. This is why I haven't done a whole lot of work on the presentation, because I use Wireshark constantly. And so if I want to spot check things, I can just write everything into a file and let Wireshark do all the parsing. This tells you how it all looks.

So if you take those Wireshark packets, save those out in pcap and read them in? Yes. Yeah. That was step one in getting those ICMP packets. I was reading back in some ICMP packets that were, those packets were captured live with Wireshark, saved to a file, then read in with pcaprub. So they're pretty rad. Where's my thing? Here we go. So that's kind of a requirement.

So, creating packets. We already kind of touched on this. But generally the idea was that I wanted something simple. I wanted something hash driven rather than positional arguments. I like hash arguments a lot, because they tell you exactly what you're doing. And it should be readable by someone who can read Ruby or Python or Perl or something like that. As far as I can tell, there's nothing else out there that kind of fulfills these three requirements. Racket is fine. Play with Racket. This is kind of the sequence of events in how to build a TCP packet. TCPPacket, it's PacketFu, .new, blah, blah. You can set things like source address in a human readable sort of way. Dest port. You set flags by turning them on with one. You can set options with human readable options there. This is a NOP, NOP, SACKOK, and EOL. And that gets translated into the binary equivalent: NOPs are 01. SACKOKs are 0202 because it carries along a length. And EOL is 0. And then recalc, this is something that, if you're going to be sending packets on the wire, you're going to have to do a lot right before you send them. This is what your stack does.
Recalc fixes up checksums, header lengths, stuff like that. And then to_f sends it to a file. The default is /tmp/out. I assume you're on Linux when you're doing this. But you can override that easily. It's just a one-argument to_f, filename. I have utility functions, just a couple. They are singleton methods. I like singletons. I don't care what Eric Phoenix says. So I have the whoami function. It turns out, when I started doing this, I couldn't figure out how in Ruby to get return address information, things like what's my IP address, what's my MAC address, without having to do some shelling out and looking at files and all that jazz. So I wrote my own. What whoami does is, let's see if we can demo that. I hate giving it away this early. Let's see if I know one. Do I have one running? No. Damn it. All right. All right. Do-do-do-do-do. PacketFu. whoami. So that's the splash screen for the PacketFu shell. I'm sorry. Unless you have ASCII art, network security people are not going to pay attention to this at all. They'll think, hey, it's in Ruby. It must be Rails. No, I use ASCII art. I don't have any cool Mac-y things. Let's see here. Oh, it worked, you mofo. That's right. I got to be root. Oh, no, you saw my password. It's all dots. That's right. Get to owning me. First person who makes... Yep, there you go. That's me. All right. So this is what Wireshark looks like. I've never seen it. Yeah, look at that. So what we can do is do... Damn it. It's not working nearly as well as I wanted. OK, so it would be... So, god damn it. There's way too much UDP on this network. Who am I? I'm very bizarre. No, I got some. So when PacketFu starts, it launches that whoami utility. And what whoami does, all he does is he sends out a packet here, this guy right here. Let's stop. This is my whoami packet. And you can see... Hey, get bigger. OK. This sends a fake UDP packet over the real socket.
So when you're doing things with the real UDP socket, obviously you have to know things like, the OS knows things about my MAC and my IP. So he sends it out to this address. This is a non-routable address. It's IANA reserved, so no one will hear it. Then he says, "packetfu whoami", and it sends a little salt thing to avoid getting poisoned. So he sends that out, and then I set up a capture device. I capture this packet, and I read it. And I'm like, oh, well, it must be me, because it matches. So that's kind of how I get around it. But you've got to be root, unfortunately, to do it. A little bit of a bummer.

I also have ARP, because I don't want to rely on the OS in a lot of cases. So I'll do my own ARPing. And I've re-implemented ARP in this way. So you can do things like arp_table equals bracket, center A, and then you just ARP everybody, and you can keep an ARP table that way. I use a lot of mnemonic functions, monomic, nemolymic, I don't know. It's a cool comic, though. You send a packet via PacketFu inject, or you can just use to_w. to_w will pick up your default interface. If you know that your default interface is wrong, which is often the case when you're on wireless, then you just say to_w interface. It's easy. to_w is for wire, by the way. PacketFu write. And then to_f for to file. We talked about that a little bit earlier.

Is there a framework? This, PacketFu, makes packet dissection really easy. You can say things like new UDP packet payload equals old TCP packet payload. So presto change-o. Your data's now UDP-ified. That's cool. It's very cool. In Racket, hang on, I like Racket. I like my Matasano guys. In Racket, this is about 20 lines, minus 1. I also have this notion of packet flavors. I haven't really filled this out too much yet. I expect to fairly early on, probably by, I don't know, it'll take forever. If any of you have used Nmap or p0f, that kind of knowledge is always evolving. But it allows you to do things like realistic defaults.
So we can say things like packet equals TCP packet, new, flavor Windows. And this looks like a Windows packet. Believe me, it does. The next, let me say, I'll packet equals... No, they're different. OK. So this will let you do things like impersonate other OSes that you might not be. You can do really nonsense kinds of combinations. You can put flavors on TCP, IP, Ethernet. So I can say, I'm Mac hardware, and I'm sending out Windows packets. I'm crazy, or running Boot Camp or whatever it is.

How hard is it to create it? Right now, it's very hard. Not hard for me. I need to work on that a lot. This is something I just kind of threw in at the last minute. And this is actually part of the reason why I wanted to start this in the beginning: to be able to determine, I want to be able to create and fingerprint remote devices. So I may end up ripping off what p0f does, which is passive OS fingerprinting. I may be able to get away with just parsing out how they think things are, and then I don't have to do any work, which is great. Nmap has a file. It's got a big, big file, and people contribute to it all the time, and it's kind of sort of OK. Yeah, the details in it are great. The format is a little bit annoying to work with, but that's coming soon. By the way, this is version 0.0-pretty, I think. So this stuff is not filled out too much. No, absolutely. It's downloadable right here. Go download it right now, and attack everybody. Don't, don't, don't attack anybody.

So you can do this on all these different headers. Because these flavors are important, because you'll have devices like Nessus that scan your network to look for hosts, and then you may have some kind of overarching framework that says, like, I detected this attack on this host, but it was an Apache attack on an IIS server. And so that's kind of why security devices care about who people are, so I need to care too who people are. It's also really handy doing that kind of, well, I'll talk about that later.
All right, packet manipulation. I've mentioned Scapy a couple of times. Scapy is a great library for writing packets in Python, if you don't mind their, like, weird Byzantine syntax of IP header slash TCP header. I don't really like it very much, which is why I wrote this. But it was written by this guy named Philippe Biondi, and he says it best in his slide. This is his slide. Decoding is when your device says, I got this particular kind of packet from this particular port. Interpreting is "port 80 is closed". This pretty much sums it up. I don't want to do too, too much in the way of interpreting, at least on the library level. That's for whatever application happens to use PacketFu. That's their job. If you want to say that a reset means that the port is closed, or you might want to say that a reset from port 80 means that you have a machine there. I mean, who knows? I don't know what you're doing with it. I don't care.

So I have some decoding options in PacketFu. I think we covered this already a little bit. You can present the data as a binary string. You can detail the ICMP fields. So you can say things like, do I still have my ICMP packet? No. So you can say things like, ICMP equals, you can say, I'm going to do that this way. Yes. So this tells you every field, what the value is, usually numerically, so you can make decisions on it. And that's all straight BinData stuff. And you can detail all the fields, since the ether field contains everything. So you can say, well, I really want to know everything about this packet in this hash-of-hashes format. And so that tells you what it is. I got really crazy with the Ethernet stuff because I like Ethernet. I don't know why. I wrote a chat program using ARP. So you can chat with your coworkers. Or you can figure it all out. We already went over this whole parsing business. Parsing really just takes some binary string and tries to figure it out.
There are fallbacks on every level, so if I get some packet I've never seen before, then I just call it a question mark and give you the data. That's it. Packet injection can happen one at a time with the to_w that we talked about. Or you can regenerate a whole array of packets and then dump them all. You can do this quickly. Or you can do it slowly if you want. All of this is non-blocking. I'm not waiting for responses or anything like that. So this packet array is some array of packets that I generated earlier or something. And then I'm going to send them out on this interface. And I'm going to be nice. I'm going to wait one second in between. But I'm not required to be nice.

Packet sniffing lets you do, it's all non-blocking. You can filter things with the Berkeley packet filter syntax. Again, if you've used Wireshark or Snort or tcpdump, that's all going to be pretty standard for you. It comes with capture objects. So you'd set up capture objects, and you can save the strings that you get over the network into an array for later. You can save them forever if you want. You write them to a file. Do whatever you want with them. So you can keep a history going that way.

Can you look at the capture array while it's continuing to capture? Yes. Yeah. Specifically, I implemented a show_live function, which is similar to pcaprub's show_live. pcaprub's show_live really does just show you live. And it'll screw up your terminal if you use it. Mine does a little bit of interpretation. show_live basically uses that peek method. So it's all line by line. We'll see it in a minute.

And then we saw the PacketFu shell. It provides easy interaction via IRB. I live in IRB. I love IRB. I don't care what anybody says. It's great. Python has a really nice shell. IRB is nicer, I think. Scruby, which is the Ruby port of Scapy, he came up with his own shell, which is great, good for him.
But I don't know why, because you have this wonderful shell right here, and you can do all kinds of crazy stuff with it, like histories. And you can do real-time network hacking via IRB, just like in the movies. So you can totally Swordfish whatever database you want. And so now we have demos. Hooray for demos.

When you say real-time, how many packets per second will it parse before it falls apart? Parsing is slow. Sending is fast. This is mostly my fault, because my code is awful. It's all up there. You can read it and say, you have no idea what you're talking about. Parsing will get faster when I get smarter about parsing, making better decisions. I'm not going to answer that question quite yet, though, because we're going to get to that in the demo.

So these are some example applications that ship with it. I'm going to ARP the hood. arphood ARPs the local neighborhood. I'm not attacking you, promise. Don't turn off your machine. It makes my joke less funny. It matches up OUIs, which is the first three bytes of your MAC address, to a vendor list. So now we can guess. Guess how many Macs are at RubyConf? And we can take it as a percentage. 60%? 260. 260. Wow. So we all have our guesses. We'll do this right here. So this is what it looks like. So we do ruby arphood, and this is my OUI reference file. You don't need to have your own OUI file. You can download the one from the IEEE. If you want it, you just leave it off. But it takes forever, because it's like 100k. Oh, my password is on everything. Man, I'm so secure. So I'm going to be ARPing around here. This takes a minute, because I don't do anything fancy like threading.

Can you lie to the ARP, to poison the ARP cache? Oh, yeah. I'm not right now. Lying about your ARP, especially if you're going to say, hi, I'm the router, I get all your Gmails then, which kind of goes back to what I said at the beginning.
This conference is really bizarre for somebody who comes from a security conference history, because nobody checks their Gmail during talks there. So hey, look at that. Tons of Apples here. This is one network. Networks changed from yesterday to today, by the way. There used to be 255. There used to be Class Cs, now we're Class Bs. So I only picked the one, because it gets a little bit pokey if you do more than that. In this local network, we have a crapload of Apple. We have a Gemtek guy. You won't see me on here, because you can't really ARP yourself. We have this dude, Hon Hai Precision blah, blah, blah. I don't know what that is. But yeah, and the cool part is that I added this note. This is the iPhone OUI. So if I have cool iPhone 0-days, there's a lot of iPhones. And they tend to be... There's a lot of iPhones, anyway. So there's all the, and then we can see everybody else is ARPing. That's great. So everybody else is ARPing around. It's wonderful. Everybody's getting to know each other. I just got to know everybody, so. So that's arphood. And like I said earlier, this is all native Ruby. I don't have to shell out for any of this stuff. I don't have to use the arp utility that comes on everything. I mean, you could do the same thing, which is like normal command line stuff. But where's the fun in that? I mean, it's hard to make, you know, Railsy things for your command line.

ids.rb is something I wrote. This was another reason to write it: to see how short I could write an IDS, an intrusion detection system. I wrote it in four lines. And I just put Snort out of business. Sorry, Marty, and Marty's friends here. So this is the IDS, and it's right. So we'll demo that. What did I want to do? OK, so this is the IDS one. So I already have it in my, there we go. Well, first, let's see. So we do wc ids.rb, saying nothing up my sleeve, four lines. Actually, I don't like this one too much. So I rewrote it as version two, which is six lines.
I didn't do it in five lines at last, like I promised. But four lines and six lines, they both work. If you really want, I can show them both. But I'm just going to show the one, unless there's like a big hue and cry, then I'm a big liar. So for this, I'm going to remember what the hell my syntax was on this. This is my, this is the four-line one. Let's see. And yeah, I had to cheat a little bit, make it like totally unreadable to fit in four lines. I don't do anything silly like semicolons or anything like that, I don't do that. So this guy, he looks for these attack patterns in network traffic. Any packet that starts with "gotcha" is evil. Any packet that ends with "owned" and a bunch of exclamation points is evil. And anything that starts with a hex 04, followed by a bunch of non-nulls, is evil. That last one is actually a real-ish signature that detects SQL Slammer, which maybe we all remember. I don't know. Super Bowl Sunday, right? I look through, do, do, do, do, do, do, do, do, do. So that's great. If I find the sig, I talk about it. So do I have any configuration in this? Yes, I have to tell it what my interface is. Oh, yeah, password's cached. So there's that.

So I've got my IDS running here. Let's shove this up a little bit. And there's my Slammer attack. I also wrote Slammer in Ruby, just for this purpose. It's somewhat neutered. It won't kill anybody, probably. But if you're running an IDS right now, hopefully it fires. I'm going to attack 10.20.30.40 on wlan. Oh, and I need to give my password, such a number. There we go. And oh, hey, look at that. This guy attacked this guy. This kind of demonstrates also some problems with IDS, because I faked my IP address, because with Slammer, you don't need any callback. It's a one-packet attack. So you don't know who I am. So that's pretty neat. And it gives you a date and tells you what signature it hit. So this is IDS. This is basic IDS. Snort is hundreds and hundreds and hundreds of lines of C, lines, not.
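The three rules above, written out as an added example (this is not the ids.rb that ships with PacketFu, and it does not sniff; it takes already-decoded packets of the shape a capture loop would hand it). The packets below are constructed for the example, and the run-length floor in the Slammer-shaped rule is an assumption, not a vetted signature:

```ruby
# Added example, not the ids.rb that ships with PacketFu: the same signature-only
# IDS idea written out so the rules are explicit. It runs over decoded packets of
# the shape a sniffer hands you (source, destination, port, payload); the packets
# below are constructed, and the run-length floor in the Slammer rule is assumed.
require "time"

# Binary-safe regexes (the /n flag keeps matching byte-oriented). Anchors are the
# point: "gotcha" only counts at the start of a payload, "owned!!!" only at the end.
SIGNATURES = {
  "GOTCHA-PREFIX" => /\Agotcha/n,
  "OWNED-SUFFIX"  => /owned!+\z/n,
  # A leading 0x04 followed by a long run of non-null bytes, the shape of the
  # Slammer UDP/1434 datagram. 60 is an assumed floor, not a vetted signature.
  "SLAMMER-LIKE"  => /\A\x04[^\x00]{60,}/n,
}.freeze

Alert = Struct.new(:time, :sig, :src, :dst, :dport)

# First matching signature wins. Like the four-liner, this is stateless and trusts
# the IP header: a one-datagram attack with a spoofed source gets attributed to
# whoever the attacker named, which is the problem the demo pointed at.
def inspect_packet(pkt, now = Time.now)
  payload = pkt[:payload].b
  SIGNATURES.each do |name, re|
    return Alert.new(now, name, pkt[:src], pkt[:dst], pkt[:dport]) if re.match?(payload)
  end
  nil
end

def scan(packets, now = Time.now)
  packets.map { |pkt| inspect_packet(pkt, now) }.compact
end

def format_alert(a)
  "#{a.time.utc.iso8601} #{a.sig} #{a.src} -> #{a.dst}:#{a.dport}"
end

# Constructed traffic. The last two are the interesting ones: the Slammer-shaped
# datagram carries a made-up source, and the short one must not fire.
SAMPLE_PACKETS = [
  { src: "192.0.2.5",    dst: "192.0.2.9",   dport: 80,   payload: "GET / HTTP/1.0\r\n\r\n" },
  { src: "192.0.2.5",    dst: "192.0.2.9",   dport: 22,   payload: "gotcha, sucker" },
  { src: "192.0.2.5",    dst: "192.0.2.9",   dport: 22,   payload: "you are so owned!!!" },
  { src: "192.0.2.6",    dst: "192.0.2.9",   dport: 8080, payload: "I said gotcha once" },
  { src: "203.0.113.77", dst: "10.20.30.40", dport: 1434, payload: "\x04" + "\x01" * 96 },
  { src: "192.0.2.7",    dst: "10.20.30.40", dport: 1434, payload: "\x04\x01\x01" },
].freeze

if __FILE__ == $0
  scan(SAMPLE_PACKETS).each { |a| puts format_alert(a) }
end
```

Feeding it live traffic would mean replacing SAMPLE_PACKETS with whatever your capture loop yields; the matching is the same. Note what it cannot do: with no state, the fourth packet's "gotcha" in mid-payload is correctly ignored, but a payload split across two segments would be missed, which is what Snort's reassembly is for.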
Snort is a better IDS, by the way. It has more than three signatures. It does things like TCP reassembly and all that. And I also wrote ackscan for this. So ackscan is super quick. I could scan a remote class C in six milliseconds last night, three milliseconds during the last talk. And I don't use the OS to do it. So it's pretty neat. And we'll demo that. That's the most exciting one. So an ACK scan is basically when you send out fake ACK packets. So, TCP three-way handshake: I want to talk to you, SYN. You say, cool, SYN-ACK. I say, great, let's go, ACK. Well, if I send out an ACK without the SYN and SYN-ACK part, the other guy's going to say, I don't know who you're talking about. Reset, boom, and he'll send you a reset packet. This is a great way to find out if machines are online or not. If they're not filtering, if they don't have some firewall that says, I'm not expecting this ACK, so I'm not going to say anything. People who do that are naughty, by the way. You really should send out resets. So that's what that does. And so this is a great way to figure out who's alive. It does. And if you can do it in six milliseconds, I mean, the entire internet is within reach. I have a friend of mine who's interested in this. He's writing this distributed scanner using this, which is something I'll talk about in a minute after my demo.

So this takes a little bit of time to set up, if you don't mind. All right, so I say cap equals Capture.new. This is what the show_live does. I'm not doing anything right now. I'm just looking at traffic. There's all the packets. And it's all made of Ruby. This is all getting stored in an internal array. So you can do things like cap.save, cap... I want to see what the third packet was. There it is. Right. All right, so we're... Oh, you can try. What, Ruby doesn't have good memory management? No, we can still update it. You could, but I can clear it out. OK, so I'm going to set up a filter here. Oh, this is the sending, right side of it. So I'm going to say...
It's perfect for cat. Good. Glad you guys have a U-Sport. And then I'm going to do the same thing over here. I know watching me type is very exciting. Oh, god damn it. N-W. N-W? It's not a... My shift key is kind of winding up. I'm sorry?

So you can turn promiscuous on and off. You can turn promiscuous on and off with some wireless cards. Promiscuous really means turn off all my sniffing, which is irritating because some of the earlier, older wireless cards, they disallow promiscuous, but they still love the bit. So they're trying to stop you from doing that. My card, it doesn't really make that much of a difference. You can do promiscuous. That's mostly useful for, I don't know, shared media where other weird things are in place. It's pretty uncommon to set it anymore anyway, because of that whole problem there.

OK, so this dude is dst port, and so this guy's going to be source port. Yeah, stop. Don't do that. Yeah. All right. So these guys are rocking, they're waiting for packets, and, ah, man, I totally forgot. This sucks on this network. So what I've got to do, this is the big coup de grâce. So we have these LSRC networks. They're great, but they filter a lot. So I'm going to go over to this Linksys network because that's mine, right? I mean, I have that at home, don't you? Yeah, this is, I don't know why cities put in all this money for metro area networks, because we have the de facto one, it's the Linksys network. And a free public Wi-Fi, don't forget about that one. Yeah, that one looked a little sketchy, though. That was a peer-to-peer one. I don't recommend that one. What does that do? Let's see that ad read where. I'm sorry, what? So then you free public Wi-Fi, you can set up one under that. I mean, that is this idea. Free public Wi-Fi. Isn't that a fault? Because I don't know. Yeah, you can't do anything with it. All right. All right. So now I'm on a more reasonable network. It'll let me do this. And, yeah. See, I even wrote a note to myself.
Switch to the Linksys for ackscan. So here's the ackscan. Oh, yeah, yeah. I've got to set up this guy too. Soon, believe me. This guy, he'll send. OK, so here's Wireshark. He's looking at the same traffic. He's boring because he's all in C. All right. So these guys are going: send, receive. OK, receive is really what we care about. So let's move this little bad boy over so we can see what's going on. Come on. Oh, yeah. I brought my awesome notes. Nothing's happening. I'm pre-generating all my packets. And so I can dump them all at once. You'll see that this presentation is slower than what's really happening.

And so ackscan, this is one of Google's networks. So they don't mind. They'll still give me ads or something. There's 209.85.165, a class C. It's out there. They don't really have any machines listening on port 81. Who knew? So you send craploads of resets, which is what this is. So they send bunches of resets to all my ACKs. I don't know why, because it's clear I'm being evil, because I have different source ports, same dest port, and I have the same sequence ID. So that's unusual. And I have the same IP ID. So clearly, this is generated traffic. Why are they responding to me? Well, Google, they don't care. So that's it. So that's awesome.

Just to talk about the speed thing. One of my big failures right now is I don't have any really good timestamping, because I don't want to rely on Ruby's clock. I'm still trying to figure out how to deal with that. But here's all my ACKs that I sent out. I start at, you know, time zero. And we go down to... That's been ticking forever. Where's the end? Oh, there we go. So that's 256 addresses in 30 milliseconds. So I'm pretty pleased with that. It takes longer to get the replies back, of course. The first reply doesn't come back until, you know, 120 milliseconds later, because he's got to go all the way out to Mountain View and come back and get a cappuccino because he's from Mountain View.
And then the last one is like a second and a half, almost a second and a half later, but a second and a third, I guess. So if you were going to do this with, like, Nmap and stuff, Nmap will tend to keep track of this thing. The cool thing about this kind of distributed model where I have, you know, I send things and then I receive things over here is that there's no reason that these three windows here have to be on the same machine. I can send my... I can forge my source IP over here. And as, you know, machine two, machine two will then pick up the resets. And as long as he knows, like, what they'll look like, like, hey, my static IP ID, he'll pick up the right resets. And so you can do, like, distributed port scanning, which is right. So let's get back to my dumb presentation. Here we go. So, yeah, Ruby's super quick at this kind of thing. But the presentation is still kind of pokey.

The unknowable future for PCAP, or I'm sorry, PacketFu. It's very likely to be incorporated in Metasploit. I know HD fairly well. And neither one of us is terribly happy with Scruby and the usefulness of it in Metasploit. So this is almost certain to replace it. So if you use Metasploit, you'll get it anyway. Other things, I need to be able to send a packet and then wait for a response. Distributed is great, but some people, when they send a SYN, they expect, you know, a SYN/ACK back. I don't know. So I need to be able to implement that easily. Like, I don't know, I've got to come up with some other verb, like, I don't know, poke or something. And that's leading me down this road of a more complete TCP reassembly. I've avoided this so far because, you know, I don't want to be Snort. It may be up to, I've kind of considered this part to be the application developer's problem, not my library writer's problem, but I imagine after a couple months I will cave and do it. Scruby, the Honeypot de-masker. This is on the Lone Star RubyConf website. I really wanted to demo this.
I didn't get it done, sorry. But it's cool, conceptually. You know, like how Old Man Withers is really the phantom of the carnival. Let me rip off the mask. Well, this does that, but for honeypots. They're like, ah, we thought you were an IIS. But, haha, you're really a honeypot trying to catch my awesome 0-days. So I don't want that. This kind of thing is also really useful for things like asset management in a network where you may control the network, but you don't control the devices on the network. So you might want to actually know, like, well, how many Apples do I have? Do I really have to care about this latest iPhone 0-day? Get a good idea of what your real infrastructure looks like.

Right, of course, I have to refactor it for the rest of my life. Write some reasonable test cases, because like I said, I live in IRB, so my test cases are, does it work? Yes, it works that time. Must work forever. And all that other jazz. So that's all going to happen after RubyConf. Not now. Again, you can get it here at code.google.com. I don't have it on RubyForge. It's just a way to get good hits on Google, and then I'll move it. Yeah, I'm done. Any questions or comments about how rad I am?

So, I mean, the application for it is, I mean, I'm a security guy, so I only think about it in security terms. I'm sure there are other applications for it. You can do event-driven stuff this way, kind of, you can just like have your fake stack and say, okay, well, he wants to talk to me, so I'm going to go ahead and, you know, talk to him from this guy over here. Ha-ha. Oh, yeah? So, I do, I don't do any really, like, high-level protocols yet. You know, these are the ones I do. I absolutely, it's very high on the list, is get, like, the damn protocol, you know, writing part really easy. All I want to be, like, all you should have to do is drop your, you know, sit.rb in, in, you know, your externals, your live externals or something, and it should just work, right?
So, that doesn't work that way right now. I have to do a bunch of, like, sleight-of-hand in order to figure out, like, the flavor and all that jazz, so. But this is what I support today. And that's my website, planb-security.net. And so, that's it. So, my pleasure. Anybody else? Don't go yet. But wait, there's more. We're out of time. We have, no, you're lying. We have four minutes. I'm amazed. Cool. Well, thanks very much. And see you around.
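The tell the talk points out in Wireshark (bare ACKs toward one port, source port changing, IP ID and sequence number never changing) is easy to turn into a detector. This is an added example written for this page, not code from the talk or from PacketFu; it builds raw IPv4/TCP frames with plain `pack`, parses them back, and flags the pattern. All addresses and the `build_tcp`, `parse_tcp` and `ack_scan_sources` helpers are constructed for illustration.

```ruby
# Added example, not the talk's or PacketFu's code: hand-built IPv4/TCP
# frames, a tiny parser, and a detector for the ACK-sweep fingerprint.
TCP_SYN = 0x02
TCP_ACK = 0x10

# Constructed sample frame: 20-byte IPv4 header + 20-byte TCP header, no checksums.
def build_tcp(src:, dst:, sport:, dport:, seq:, ip_id:, flags:)
  tcp = [sport, dport, seq, 0, (5 << 12) | flags, 65_535, 0, 0].pack("nnNNnnnn")
  ip = [0x45, 0, 20 + tcp.bytesize, ip_id, 0, 64, 6, 0].pack("CCnnnCCn") +
       src.split(".").map(&:to_i).pack("C4") + dst.split(".").map(&:to_i).pack("C4")
  ip + tcp
end

# Pull out just the fields a scan detector cares about from a raw IPv4/TCP packet.
def parse_tcp(bytes)
  return nil unless bytes.getbyte(9) == 6            # IP protocol 6 = TCP
  ihl = (bytes.getbyte(0) & 0x0f) * 4                # header length in bytes
  sport, dport, seq, _ack, off_flags = bytes[ihl, 14].unpack("nnNNn")
  { src: bytes[12, 4].unpack("C4").join("."), dst: bytes[16, 4].unpack("C4").join("."),
    ip_id: bytes[4, 2].unpack1("n"), sport: sport, dport: dport, seq: seq,
    flags: off_flags & 0x1ff }                       # low 9 bits are the TCP flags
end

# Group bare ACKs (ACK set, SYN clear) by source host and destination port. A group
# that hits min_hosts distinct targets while reusing one IP ID and one sequence
# number is generated traffic, exactly the giveaway described in the talk.
def ack_scan_sources(packets, min_hosts: 3)
  bare_acks = packets.map { |p| parse_tcp(p) }.compact
                     .select { |h| (h[:flags] & (TCP_SYN | TCP_ACK)) == TCP_ACK }
  bare_acks.group_by { |h| [h[:src], h[:dport]] }.each_with_object([]) do |((src, dport), probes), out|
    hosts = probes.map { |h| h[:dst] }.uniq
    next if hosts.size < min_hosts
    next unless probes.map { |h| h[:ip_id] }.uniq.size == 1 && probes.map { |h| h[:seq] }.uniq.size == 1
    out << { src: src, dport: dport, hosts: hosts.size, sports: probes.map { |h| h[:sport] }.uniq.size }
  end
end

# Constructed traffic: a five-host ACK sweep of port 81 plus two ordinary packets.
SAMPLE_PACKETS = (1..5).map do |i|
  build_tcp(src: "198.51.100.7", dst: "192.0.2.#{i}", sport: 40_000 + i, dport: 81,
            seq: 0x1337, ip_id: 0xbeef, flags: TCP_ACK)
end + [
  build_tcp(src: "203.0.113.9", dst: "192.0.2.1", sport: 51_200, dport: 80, seq: 900, ip_id: 11, flags: TCP_SYN),
  build_tcp(src: "203.0.113.9", dst: "192.0.2.1", sport: 51_200, dport: 80, seq: 901, ip_id: 12, flags: TCP_ACK)
]

ack_scan_sources(SAMPLE_PACKETS).each do |s|
  puts "ACK sweep from #{s[:src]} -> port #{s[:dport]} (#{s[:hosts]} hosts, #{s[:sports]} source ports)"
end
```

Feeding it real captures means swapping the constructed array for packet bytes read off the wire; the grouping logic itself does not change.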