Going on in a place that's happened before, so I find it amusing. I actually can't use wireless giving a talk in a wireless talk. But anyway, so we're here to talk about TCP/IP, what we can do with it, what interesting things we can do with it. One of the big deals there is, there's actually more you can do with messed-up packets than crash machines. There are these incredibly intelligent people and all they're doing is, "Woo-hoo, I broke that box, I got root on it." Okay, networks: they can actually let people communicate, and that's kind of what I'm going to try to talk about here.

Now, where I'm coming from: last year, last DefCon, I talked about OpenSSH, a high-level protocol for doing really good secure interconnectivity, getting out through, out of networks, coming into networks, passing through them. I pretty much worked SSH about as hard as I could work it and realized, if I'm going to go ahead and actually do something unique, I'm going to have to ditch SSH and go a little lower. So this talk is actually going to be a lot about layer 2, layer 3, MAC addresses, IP addresses, dealing with the screw-ups in between them. These are the interesting problems that I decided, first of all, that I could work on, and second of all, that I wanted fixed.

Problems. Instant port scanning: is it possible to discover instantaneously what network services have been made available, no matter how massive the network is? Is it possible? Can I send one packet, with no new networks, no new magic stuff in the middle of the net, and just somehow have it get to multiple destinations? Is that possible? NATs: I do a lot of work with that, and I was curious, is it possible to share a globally addressable IP address, something that'll actually route and get somewhere, without translating in the end to a private IP, the 10-dots or 192.168s, all the RFC 1918 IPs? And that being said, is it possible to get incoming connectivity into a NAT? Everyone's really happy with that when they first get it, because they're like, "Dude,
this is cool. I've got this really great firewall. It has no incoming connectivity. There's nothing that needs to be hacked in it. Barely gets out. You're not even getting in." Um. Then you go, "Wait, I want incoming connectivity. I want to be able to do all these things that the internet was supposed to be able to do. Now how do I do it?" And this talk is going to try to address that. And finally, and most fun: NAT deadlock resolution. Is it possible to establish a TCP connection between two hosts that are both behind NATs? And the answer should be interesting.

How we're doing this: restraint-free engineering. This may not be practical. This probably isn't secure. But right now these techniques are quite impossible and I want to fix that, so screw the rules, let's have some fun.

Okay, now we're gonna begin by talking about theory. I know theory gets really annoying, trust me, it's only gonna go on for a few minutes. It's for the people out there who might not know everything about the vagaries of TCP/IP. Now, if you ever look at a sniffer and you're trying to learn this stuff, it's really strange, because, you know, you start off with the next host that it went to, and then where it's coming back from, and what protocol it's using to hop to the next place, and what protocols you can use to get all the way across the network. And now we're gonna go ahead and throw in a checksum, and then where the packet came from originally. We're gonna go back and forth. We're gonna have three checksums and they're gonna be all over the place. There's no order, it looks like. Why not have it sorted, at least? Why not have all the checksums together? Why not have all the "where it came from" together? Isn't this inefficient? Isn't this redundant? Well, the first thing you should probably think is, who cares? And that's actually the point. Layering is not about what's being said.
It's about who gives a damn about the actual message. You have one medium, one packet that is sent from host to host, but you have many different contexts in which this message is understood. Listeners reconstruct the little bit of meaning that they personally need, and the rest is a random blob of data. Now, Ethernet does this: it doesn't understand IP. IP stacks understand this: it doesn't understand the nature of TCP. TCP stacks understand that; they don't understand SSH. The idea is, the less you need to understand, the less code you need to write, the less you need to worry about, and the more likely your code is actually going to do what it's supposed to do.

The analogy I use to describe this: the post office doesn't care what you put into your letter. Well, hopefully; I guess things have sort of changed. The post office doesn't really care. They just want to see: is there money? Is there an address? Is there a return address? If there's insufficient postage, it's gonna get sent back to the return address. Now I'm sure everyone here is familiar with the classic post office hack. You have someone you want to send mail to for free, so you put their address in the return address, and when you don't have sufficient postage, oh, it goes back to where it came from. Oh, that was where you wanted to send it. Now it turns out that there's all sorts of protections against this hack. They, you know, this is rather obvious in terms of, well, where is this packet dropped off? Where is this letter dropped off? If something's dropped off in San Francisco, I'm not returning it to Djibouti. It's not gonna happen.

Error recovery. Error recovery is interesting. Layer 2: layer 2 is the point-to-point layer. It's where I talk to the next guy on the wire. Errors are really quickly recoverable on layer 2 because the guy's right there.
You have a direct link to him. But the problem is your error checking, your checksum, your little value that you check to see if it's correct, and if it's correct the message got through okay: your checksum's calculated at the same point that's actually creating the packet from scratch, and this is problematic. The example I use to explain this: anyone here familiar with the example of corporate fertilizer? So bad news happens, really, the nasty shit happens, and someone tells someone else, and the first thing the guy says is, "I can't say shit. It's manure." And then that guy tells his boss: it's not manure anymore, it's fertilizer. And then that guy tells his boss, and it's not fertilizer, it's farming supplies. And the next guy tells his boss, and it's not farming supplies, it's the stuff that life is made out of. So by the time it gets to the CEO, this original message "shit" becomes "the stuff that life is made out of." Each individual link in the chain had correct messaging happening from point to point, but from beginning to end the message was quite lost. So you can't actually really depend on error checking at layer 2. Layer 4 is what cares. Layer 4 is the CEO who wants to know what the guy in the field says. The guy in the field said "shit"; it doesn't matter what happened in the middle, at the end the CEO needs to hear "we're screwed."

Layer 3. Layer 3 is the routers. It's all the people in the middle. These are people who just, these are devices that just pass messages. They're passing tons of messages from all sorts of people. They don't give a damn what they're seeing. Now, in the TCP/IP stack they actually have a checksum, but if you look at the actual implementation of what's going on, they say, "Yeah, we've got a checksum. The only modification we're doing to this packet is a one decrement on the TTL value." TTL, time to live: how many times this thing is allowed to hop across the network.
Now we have TTL values to make sure we don't get a routing loop, a packet that just goes around and around and around and never stops and the entire network falls over and dies. This tends to suck, so you have this TTL value. It's decremented; if it ever hits zero, the packet's dropped. That's the only change most routers will do to a packet en route, and since it's the only change, they decrement the checksum by the amount that would happen if the checksum was correct. So if they have an incorrect checksum, they'll decrement that too. Why? Because they don't care about the errors. It's not personally relevant.

This slide intentionally left blank. Oh, um, I should mention questions. You have a question, write it down. I want your questions. I want your challenges. If it's a good question, you get a Corona. If it's a really good question (and I've got a 12-pack), a really good question, I wrote a book, or part of it, you get one of them. This is Hack Proofing Your Network. Thanks to Syngress; they pretty much funded a lot of this work to do this research. And if you stump me, I get a Corona too, because I'm thirsty.

All right, so we've gone up here with a little bit of stuff about layers. Let's look at what actually starts a TCP connection. I know we've got to do the damn three-way handshake; can't talk about TCP without doing it. Really simple: I send a SYN, that means I want to talk to you. I get a response back, that's an ACK: you want to talk to me. If I get a RST|ACK: you don't want to talk to me. And finally, last phase, an ACK: cool, you want to talk to me? Okay, let's begin. That's all we need to do with that.

Ports. Ports are basically what app to what app. Port 80 is web, port 143 is IMAP, port 443 is SSL. It says, "Hey, I went to this machine and I want this process on that machine." IP handles where we're going; port handles what we want from them. Sequence numbers. Sequence numbers are there for two purposes.
First of all, they're really not... What the bitch, Jesus, was that? No. Sequence numbers are used for two things. First of all, they go ahead and actually let us keep track of how the data connection's going, let us find out eventually if we've dropped packets, where we are in the stream, and so on. They're also really, really useful to find out: this person who's returning to me, did I ever talk to him in the first place, so that he had the ability to respond to me? It's a security feature. It's not a great one, but it has 32 bits of entropy that has to be matched, so they ain't too bad. So, connection summary: the flag determines the phase, the port determines the process, the sequence secures the session.

So with all that in mind, let's begin on the nice applied useful stuff. Thank you for your patience. Instant port scanning: can I find out what the hell is going on now, not later, now? And the answer is yes, practically, even securely. Let's check this out. So you go ahead and you have some app. I actually wrote this; this exists, 100% done. It'll be done as soon as I actually have net access, you bastards who are destroying my net connection. All right. There's a fork in this thing. The first fork goes ahead, sends a bunch of packets on the same local port. That's what it does. Doesn't keep track, doesn't remember, doesn't store any values that say, "Hey, I talked to this guy." It just sends packets. The other thing goes ahead and it's sniffing for packets to that local port that the other process sent from. Because it's sniffing off a single local port, we can use libpcap's kernel acceleration of the BPF. If we get a SYN|ACK back, we go, "Great, I got a SYN|ACK, some port was up. Here's the port, here's the host, yay." If we get a reset, well, the RST|ACK: the host was down... the host was up, but the port was down. Less, you know, you don't need to know it as much, but it's useful to know. Now the first thing that should come up with this stateless approach: I can spoof a response. I send a message to someone, he goes,
"Hey, this asshole's doing a, uh, he's doing a stateless scan. I'm gonna send about 800,000 responses. He never sent a request to me, and because he's not keeping track of who he sent requests to, no problem, he's just gonna think, you know, he's a god, I guess, with all these messages. Maybe he's putting it into a database. Maybe he's storing it. Then after he gets the responses back, maybe I can overflow him. Maybe I can just make a mess out of him." Now, there is a solution. Anyone here familiar with the nice little things called SYN cookies? SYN cookies were developed in 1996 by that classic D. J. Bernstein when SYN floods became common. Well, I go ahead and I flood you with a whole bunch of connection requests. You set up your kernel to say, "Okay, I got a bunch of connection requests. I'm gonna do a bunch of responses," and the responses go to nowhere.

Shut up for everyone. All right, you, up here now. I think we need a beer opener up here. I seem to have fucked up. So someone observed, for all the bitching everyone does about Microsoft, you notice everyone's running fucking PowerPoint without exception. Who's the speaker in here who's not running PowerPoint? Okay, meet me after, I'll buy your beers after.

So, SYN cookies. SYN cookies go ahead and, so I send out a request and the kernel goes ahead and says, "Well, I'm not gonna remember who sent me this request, but on the SYN|ACK that goes out I'm gonna put a little cryptographic signature that says I sent a SYN|ACK to this guy." When the final phase, the ACK, comes back, it's gonna get reflected back, and when it gets reflected back I go, "Hey, wait, this guy got my SYN|ACK, sent me back the ACK. I can decrypt the sequence number in the ACK. I can figure out who talked to me.
I can get the state back. I can go ahead and actually talk to this person, even though I forgot about him earlier." It's a very elegant, very beautiful system. But, you know, the ACK reflects a value from the SYN|ACK. But the SYN|ACK reflects a sequence number in the SYN. So instead of tracking SYN|ACK reflections in the ACK, let's track SYN reflections in the SYN|ACK. Let's put a value in the SYN when we send it out that is cryptographically matched to the host that we sent the request to, on the port that we sent the request to. When we get the SYN|ACK or the RST|ACK back, we check the sequence number. If it matches, we talked to this guy. We sent a request to it. It's authenticated.

Now here's our implementation. We've got an implementation, scanrand 1.0. It's an element of what I'm calling the Paketto Keiretsu. It is my package of really screwed-up TCP/IP hacks that will be growing over time. This thing's really, really trivial. It's like 380 lines of libnet and libpcap. There's like a trivial MD4 include, don't worry about it. No state, sends out 53-byte packets at up to 11 to 20 megabit, and it's possibly even portable from platform to platform. This is a screenshot of it in action. I don't know if you can see the deltas there, but this is a scan of about 20,000 ports throughout my network. The last packet came in at about five seconds. When I ran this in an unnamed large multinational corporation, yeah, I was able to say, "Hey, you've got a class B. Nice class B you've got there. You have 8,303 web servers." That took four seconds. This is a really nice thing to have.

Implications: user space is cool, packet content can be overloaded, and elegant solutions can be reapplied. Next up: Guerrilla Multicast. Is it possible to send a single packet to multiple recipients using today's multicast-free internet?
Hell yes. The method's fun. You go ahead, you map a unicast IP to a broadcast MAC address; all responses to that IP will be broadcast throughout the subnet. Now let me explain this a little slowly. All right. There is redundancy in between the layers that are on your subnet, that are on your LAN, at layer 2. Broadcast packets are sent to every port, even on a switch. Broadcasts are always sent to all F's; if it hits all F's, it's going to be sent everywhere. Now, it's not mentioned in this slide, but there's also an Ethernet range for multicast addresses. I don't know the prefix off the top of my head; I was supposed to get it. But yeah, you send a packet to this MAC address, it will also get broadcast out to each port. That's assuming IGMP snooping is not on; don't worry about that. 01:00:5E with the next bit zero. Thank you much. See you later. Someone open this for me.

All right. Layer 3 operates a little differently. Layer 2 doesn't care about your subnet: same damn broadcast, same damn multicast. Layer 3, the broadcast is actually linked to what subnet you happen to pick. It's the last IP of your subnet. So if you're on 10.0.1.0 with the 255.255.255.0 mask, your broadcast IP is 10.0.1.255. Now, once upon a time we had this nice thing called directed broadcast. I could send a packet to this directed broadcast IP and it'd get to all the machines back there. Then some idiots wrote this tool called smurf, and that got shut down really, really quickly. You sent one packet to a directed broadcast, source address whoever you hate. You send it to the broadcast, all the machines on that subnet say, "Oh, hey, you pinged me. Oh, hey. Oh, hello. Hello." Yeah, that wasn't fun. We're kind of bringing this back, only in a different way.
Anyone here know the legal fiction behind a corporation? It's basically lots and lots of people, one legal identity. Well, it turns out we can do something really cool with this concept of the corporation. We apply it to IP addressing. We go ahead, we have a cloud of machines on a given subnet, one of them requests an IP address, they do it through DHCP even. You know what MAC address we stick on that IP that we request? We stick broadcast. We stick multicast. So you have a unicast IP address, normal, 10.0.1.20, and its hardware address on the LAN now is broadcast. So when the packet comes back, it's going to everybody. You end up issuing layer 4 requests against a remote host; it comes back unicast at layer 3, and the responses are broadcast at layer 2. Ladies and gentlemen, elegance has left the building.

Firewall issues: look, Mom, multicast through NATs. Um, UDP: no problem. We don't need to do any responses. Once the state entry's opened up in the UDP state table on that firewall, packets can just keep on coming in on broadcast, and no problem. Now, I could have just stopped at UDP. You know, you get your data stream, build your protocol, build your out-of-band stuff all you want, but that's no fun. Let's do TCP with Guerrilla Multicast. Without any listeners the stream dies; there's no one to respond, and that's what you'd want. If you've got one listener, you want the stream to operate normally. You know, the one listener sends back the acknowledgements as needed. With many listeners, only one of these guys should actually acknowledge. You don't want acknowledgements for every SYN from every single listener. It's gonna flood on the way out, and you know what, the guy on the outside network's gonna find out, "Hey, I've got multiple listeners here." We want to be completely normal outside our subnet. We just all want to cooperate like, you know, theoretically, a corporation cooperates. You only have one point of contact, ideally. The solution to this is random delays. Now,
this is elegant and has some other uses as well. So I sniff a packet that theoretically I'm supposed to respond to. I queue the packet that I'm supposed to go ahead and respond with, and I wait a random amount of time, and I see if someone else sends the response first. If someone else sends a response first, I go ahead and I see what response he sent, in case I need any state from it. If no one else sends a response, I send the response. You can have a hundred people doing this random-delay approach. One of them is gonna come first; the other 99 are gonna hear the response. Now, it turns out that you have to go ahead and send a broadcast out separate from your response, saying, "Hey, everyone, I already took care of that acknowledgement. You guys get the next one." But it ends up working out pretty good. So you're recontextualizing layer 2 to layer 3.

Question. You know, right in with this: we have a situation where one IP is standing in for many, many hosts. Do we have any other situations where one IP stands in for many, many hosts? NAT. NAT does that exactly. Get your fucking beer. That's the cheapest beer you will ever get in your fucking... second beer. Fucking drugs.

NAT for fun and profit. NAT multiplexes several hosts onto one IP address by splitting on the local port. It is already munging IPs. We're already changing the IP value: the host thinks it's 10-dot; that 10-dot in the outside world ain't fucking coming back. So we have to go ahead and put a real address that'll come back, and put on the firewall address, and we split on local port. Now, it turns out when we get the packet back, it comes to a local port; we send it, hopefully, to the machine that sent the original packet in the first place. There's a thing called the birthday paradox. I'm skipping around a little, but trust me, this will make sense. What happens when two machines behind your NAT send out a packet with the same local port?
Now, there's a range of 65,000 ports they could pick. What are the odds that two hosts are gonna come up with the same local port when they hit that firewall? Pretty good, actually, because every time they make a random selection, there's another possibility for a collision. So it turns out you have 2^16, that's 65k; 2^8 is 256. One out of every 256 randomly selected local ports is going to have the exact same local port as some other one. And they're not selected randomly, because most implementations suck. I have to stop listening to you guys. No, you actually earned that one, because you actually know a real, actual trade here.

Now, we actually would like to be able to maintain the same IP and the same port. We would like to maintain the port because it gets us closer to end-to-end packet integrity, this being the huge problem in NAT: you are always messing around with packets. There are strategies to deal with it if the ports are exactly the same. You can check sequence numbers. You can check the MTU. And later on I'll tell you about a new, really cool method that involves IP timestamps. But check this out. Is it possible to share a globally addressable IP address without translating the private IPs at all? I was just talking about end-to-end packet correctness. How the hell can I do that if I'm changing around the IP address? And the answer is: what, changing around the IP address?
I don't need to, because, you know, you look at a NAT state table. A NAT state table lets you, given layer 4 information, derive layer 3. That same machine has an ARP state table. The ARP state table is linking layer 3: given layer 3 information, find me layer 2. So this is MAC address translation. Layer 4 information gives us the combination of layer 3 and layer 2. Now, it turns out you can have a hundred hosts with the same IP address, but they'll all have different MAC addresses, and when the outgoing packet comes out, we don't just remember the IP that it claimed, we also remember the hardware address that it claimed, and by that we can have tons and tons of machines share the same IP. Your cable modem provider could give you an IP, 1.2.3.4. You could have every single one of your machines in your house have that same IP address, and, assuming the local port issue was done, you'd have end-to-end packet integrity.

So I actually have an implementation of this. It may work, but I can't test it. Thank you, network people. It's another part of the Paketto Keiretsu. It's called Minewt. Translates arbitrary local IP addresses. I don't care, maybe you're using RFC 1918, maybe you're not, maybe you're into globally routable IP addresses. And it does this by, instead of just storing the IP source like a normal NAT table does, it stores the IP source, the Ethernet source, and just for fun, also what Ethernet address you thought the gateway was. It goes ahead and ARPs for whatever gateway you want it to ARP for. If the IP source is the external IP, nothing will probably need to be changed; packets are going to retain their end-to-end packet integrity. If the IP source is the RFC 1918 IP, this is what you have in your networks right now, most likely, just do the same thing.
We're already translating on 10-dots, we'll continue translating on 10-dots. If your IP happens to match that of Microsoft or Yahoo, whoever the hell you want, it's just another IP that, if I send it out, ain't coming back to me; the machine will handle it. Now, this actually has some implication for hosting providers who need to move IPs around all the time. You can go ahead and you can say, "Hey, I don't care what IP your host thinks it is. Tell me what the gateway is that you want. I'll act like I'm it and I will get you next." It's kind of nice.

Incoming connectivity. I call this the pizza protocol. The pizza protocol is very simple. A guy shows up at your apartment. You've got a couple of people living in the apartment. You've got one door. "Anyone order a pizza?" Whoever responds and says, "Yeah, I ordered it, I'll pay for it," it was probably that guy who ordered the damn pizza. So you just ask everyone behind your NAT. Really, really easy if everyone has the same IP address: destination to that one IP that's shared, and you set it to broadcast MAC, so every single instantiation of that IP address gets the packet. One of them will respond. For traditional NAT with RFC 1918, well, we actually need to know all the IPs that we're serving for. And gee, we've got this state table that talks about all the outgoing connections that have been going on. Maybe we can go ahead and use that to find out what IPs we're dealing with. Or, you know, we had that system a few minutes ago for scanning a network really quickly. Maybe we'll just scan every host on that subnet and say, "Hey, all you guys, anyone hosting this packet? Anyone want to listen to this?" You drop anyone who says no, because they're irrelevant. You pass everyone that says yes. That's kind of the stateless approach to it. There are issues when multiple hosts have a web server up, for example. I've got a web server,
you've got a web server, an incoming packet comes up, and we both say, "Oh, yeah, we both ordered the pizza, we both have the web server." And there are various heuristics you can do. You can give priority to the one who actually had talked to this outgoing host first. You can split it on port ranges: connections on 1080 go to this host, 2080 go to this host. There's all sorts of approaches. I haven't built them yet, but they're coming. A stateful approach is sort of necessary to do this right, though. You actually need to keep track of who ordered the pizza the last time, and continue to remember that, particularly with the stream management. It turns out you get a lot of nasty packet screw-ups if you try to do it completely statelessly, but you have a lot of fun if you say, "Damn you, security."

TCP splicing. This is fun. It's just fun. It's impossible. TCP NAT-to-NAT: can it be done? A big question for P2P. It was actually done because a bunch of P2P people really, really wanted it and said it couldn't be done. So hey, let's have some fun. You can do it. It is possible. It's ugly. It's dear-God ugly. What you do: you've got to convince each firewall... now, NATs, NATs are really good for outgoing connections. They don't like incoming so much. You've got to convince each firewall that the other one allowed the connection, that the other one has no problem with incoming connections. You have to convince both of them of this at the same time, and you do this by playing the layers against one another. Now, this is sort of how I describe this, as an analogy. Bill Gates, Larry Ellison: nice guys. They will probably never speak to me. These guys call anyone they damn well please. They're quite powerful in that nature. Their secretaries aren't going to stop them. But I can't go ahead and call Bill Gates. The secretary's gonna tell me to screw off and die. If Bill called me,
you know what, he wouldn't just have a one-way connection, unless he was really antisocial, which I'm sure he's not. He'd actually be able to hear my voice back. So once he actually called me, we'd have bi-directional communication going on. Even though I couldn't call him, he could call me and we'd have bi-directional communication. The only asymmetry in telephone calls is in the initiation phase, and it's actually the same way in TCP. Once you get past the handshake, it's both the same way. So incoming is the same as outgoing. There's no way to differentiate the two.

So you do a setup. Alice and Bob, both behind NATting firewalls. Firewalls, off the bat, allow all outgoing sessions. They block anything coming in. Now, they block with state. Now, this is sort of important. There was a time we had stateless firewalls out there, and the idea was, we'll just block all SYNs coming in. That way no one will be able to send a connection coming in, because every packet that comes in that wants to be a connection has to be a SYN. And then people realized, "Well, wait, I'll just start sending SYN|ACKs into a network, because then it'll think it's a response to an outgoing SYN. It'll let it in and I can talk to my nice little remote shell that I've shoved up in this machine. Thank you very much." The equivalent in the real world would be me calling up Bill Gates' secretary and saying, "Oh, yeah, Bill talked to me. Let me speak to him again," and the secretary going, "Well, you wouldn't say that if Bill didn't actually ever call you in the past.
So I'll let you talk to him." See, actually, with state you have a secretary that remembers there was an outgoing connection. It keeps track of all the details: the ports have to be opposite to each other, the sequence numbers have to be appropriate with the plus-one offset, and so on. Total outgoing trust, zero incoming trust.

The attempt. Let's look really, really slowly at what happens when Alice tries to talk to Bob. First thing: Alice is not directly connected to Bob. Remember I was talking about the layers, with, you know, hopping and jumping and whatnot. The internet's big. On average it's gonna take about 12 hops to get from here to wherever the heck you want. First thing you do: Alice sends a packet to her firewall and says, "Hey, I want to talk to," not Bob, because Bob doesn't have a globally addressable IP address; Bob's firewall has a globally addressable IP address. So Alice is, "Hi, I want to talk to," oh, the IP address of Bob's firewall. Now Alice's firewall's like, "Well, you've got a 10-dot here. I send this out with a 10-dot, it ain't coming back to me. So I'll go ahead and I'll change it into my globally addressable IP address." Now this hops across the internet, hop hop hop hop, hits Bob's firewall. Now, Bob is listening for Alice. Bob wants to talk to Alice. Alice and Bob have their little affair going on, whatnot. Bob's firewall ain't involved. Bob's firewall is the warden in this little situation. Bob's firewall says, "No, I ain't talking to you," RST|ACK. The RST|ACK hops across the network, hits Alice's firewall, and that little entry, that little thing that said, "Hey, Alice tried to talk to Bob's firewall," we had an entry here, it got shut down, and Alice gets a message: "Yeah, Bob doesn't actually want to talk to you. Bob doesn't like you anymore." And if Bob tries to talk to Alice, Alice's firewall is similarly cruel. Now, if you look at this really closely, what's good? What's good is we had an entry in the firewall state table:
"I want a response from Bob's firewall." Bob had an entry in his firewall: "I want a response from Alice's firewall." So you have two machines that want to talk to each other, and the packets cross each other, hit each other's firewall, come back dead. So: good, an entry in the state table waiting for a reply; bad, the reply is "screw off and die." Can we get the former without the latter? And the answer, my friends, is yes. See, Alice's firewall is a little closer on the network than Bob's firewall. It's a little closer in terms of hops. So Alice goes ahead, sets her TTL, time to live in hops, to about four. What does this do? The packet gets out of Alice's firewall, and it sets the entry in the state table, gets into the middle of the internet, and it dies. And that's it. The state table entry's left open. Bob's firewall never gets the chance to send the RST|ACK. So... now, well, hang on, wait a second. I'll do it after. Now both firewalls have a hole open for each other. This ain't enough, because neither of them can send that SYN|ACK to each other, that connection response. They can both send SYNs, they can both send ACKs; neither of them can send SYN|ACKs. You've got a pretty high bar you've got to reach. You've got to agree on what ports. You've got to agree on what sequence numbers. You've got to time it right. You've got to know that this is going on, that the other side is trying to do this at the same time. And the answer is, you have a handshake-only connection broker. All it does is do the session setup. Once it's out of the way, it's gone. It basically manages the two. Alice and Bob conspire with the connection broker, say, "Hey, I sent this packet with this information. I'm sending it to you. You see how the translation happens." "Bob, I'm sending this to you, connection broker.
I said this is what I originally sent. Compare what I originally sent with what the connection broker... with what my firewall sent you. Between this process the connection broker can go ahead and learn how the firewall is doing its munging. Maybe it's doing the best effort, maybe it's incrementing from a fixed counter, maybe it's using random local ports and doing translation. There's all sorts of different approaches that can be done on the packet-layer munging. The connection broker needs to find out, because the connection broker needs to synchronize and cause Alice and Bob's firewalls to achieve port-level convergence and sequence-level convergence. This is the process to do it. I can explain it in detail; bug me later if you want the description, but it ends up actually working out. Alice and Bob can conspire with the connection broker to determine the pattern by which their individual firewalls are munging the port and sequence information. Once that happens they can go ahead and counter the munging such that they achieve convergence in their ports and in their information. Now I will actually accept the question now; go ahead and come up here and speak into the mic. Does this work even if it randomly selects the source port? The source port? Yes, as long as... it depends. OK, if one side, if both sides absolutely cannot be controlled for, it's problematic, and remember I was telling you about the birthday paradox.
You have two hosts that are trying to make random selections. Well, what you do is Alice makes 256 attempts to Bob, Bob makes 256 attempts to Alice, and even though they're both doing random local ports, you're gonna have a collision by the birthday paradox, and you go ahead, you embed which one had the collision, because you have to know which session to continue; you embed that in the IP ID field in the IP frame. Firewalls don't mess with the IP ID because they have no reason to possibly do it, until now. Yes, both sides can do random local ports. Random initial sequence numbers, which a few firewalls do, can't really be dealt with if both sides do it, because now you have 32 bits of entropy instead of 16, and 2 to the 16 is 65K. You're not getting away with 65,000 packets on a regular basis. Now I have to defend... say this is really academic. There are such easier strategies to use. You can source-route through the connection broker. This cleans up so, so very much. You get absolute information on what's going on on the genuine connection, and it turns out you don't even need to use any true packet-layer stuff, because actually as soon as the connection is established, both sides with normal socket options can drop the source route. Most of you've noticed probably games work right now. They're using UDP, using a really simple and trivial method. They just use opposite ports and they just fire them at each other, and eventually the outgoing port from the other is perceived as a response to the outgoing port from the first. OK, let me actually explain this for a second. That's good. So Alice and Bob get their clocks perfectly synced up. They both send a packet out to each other's firewalls. First thing it does, on the clock, is it hits each of their local firewalls. Their local firewalls:
Hey, I've got an outgoing packet on UDP port 5000, waiting for a response on port 5000. They pass by each other on the net, both sides hit each other's firewall, the other firewall's like, well, I was waiting for a response on port 5000 from port 5000. Hey, I got it. Both sides perceive the other person's first packet as a response. You can do this with UDP because UDP has, like, no complexity to it at all. This is far less fun than TCP splicing, though. New stuff: this is new since Black Hat, for those who are here who actually went to Black Hat. TTL-based firewall analysis. I emit a SYN from my firewall. I emit this SYN, and it has a TTL. It hits my firewall and gets translated; it gets its source address changed, hops a little bit on the internet. Now I said it died, but there's actually a packet that returns. It's an ICMP time exceeded, and this thing isn't just a time exceeded: it contains a copy of the original packet that spawned the failure. Now the firewall, when it sends the packet back to you, it's going to contain the information that it gets from the source address, and it's going to send the packet back to you. You said, you know, I'm 10-dot and here's my information. So the ICMP error is going to come back to the 10-dot. Ah, but the ICMP data, the ICMP data is not going to be translated, because who's looking at ICMP data? So you can actually discover how your firewall is munging your data stream. You can discover your internal IP. And come up here... and I love the fur. Thank you. I don't believe that OpenBSD firewalls can be probed with this, because it rewrites the ICMP data. This is because Theo is a paranoid motherfucker. All right, goddamn it, Theo. Check this out. So I hate stateful programming. Stateful programming sucks. You've got buffers, you gotta search them, you gotta allocate them, you gotta overflow them if your name's GOBBLES. GOBBLES rules. GOBBLES, goddamn. NAT normally needs to be stateful.
You got to remember, when you get the packet back, who the hell am I supposed to return this packet to? Um, in NAT, not only do you know who the IP is you're returning it to, you also know the hardware address you're returning it to, so you actually need to know something about 10 bytes. Stateless NAT: is this possible? Jason Spence, he's here, he's the guy in the red hat. He actually proved to me that one of my random theories was right. Yeah, it's called IP timestamps. So anyone in this room who actually knows what IP timestamps are? OK, cool, you're awesome. Check this out. In mode three, I create an IP option. And yeah, I know some firewalls block them. Screw you. All right. So I create an IP option. The IP option has a little 32-byte... 32-bit header that describes what it is. Now you can go ahead, specify an IP, specify a space for a timestamp, specify another IP, specify another space for a timestamp. You do this up to four times, for up to 32 bytes of data. Now in normal usage, if any router along the path has this IP address, it'll rewrite the value in the timestamp place with its actual timestamp, and if it's not, it'll just forward it on to the next host, unmolested, assuming, you know, maybe someone else already did its rewrite. This passes all the way through to the final destination. The final destination gets this packet: well, my IP doesn't match any of this stuff in the IP options, I'm just gonna send the entire batch on back. Now if you look here, I can go ahead and specify arbitrary data in my IP option timestamp field, up to 32 bytes worth per packet, that will be returned with every single packet that comes back to me. And when you look at that, um, I have 32 bytes. I only needed 10. So every single packet can contain the route back through my net into the actual hardware machine that it needs to be on. I have no lookups.
I can build gigabit NAT now. No state, nothing to overflow. Screw you, GOBBLES. Finally, it wouldn't be a talk at DEF CON if I didn't have at least some attack. All this stuff's been useful things you can do to build connectivity. You can actually do something sort of nasty with the TCP splicing stuff. You can forge arbitrary data streams into your network that appear to come from any IP that you want. Now here's how you do it. You have Alice make a TCP connection, make a TTL-limited connection, to quote-unquote Yahoo. Not actually gonna reach Yahoo, because it's TTL-limited, but Alice is gonna set the TTL low so there's an outgoing connection. Any IDS in the way, intrusion detection system or logger or whatnot, it's gonna see this and it's gonna say, hey, Alice here is trying to talk to Yahoo there, and most likely isn't gonna go ahead and use the ICMP to say that connection died, because that packet never actually got there. In normal TCP splicing we stop the TTL limiting after the initial packet. In this case we don't: every single packet between Alice and quote-unquote Yahoo is going to be TTL-limited. But Alice is going to give Charlie, the connection broker from the early example, Alice is gonna give Charlie all sorts of information about exactly how she's talking to Yahoo, and Charlie is going to reply with a spoofed packet as if he was Yahoo. So Charlie can just throw in a stream of data on a stateful connection that looks indistinguishable from a genuine connection from Yahoo, and it can be any amount of data, because every single time Alice responds with an ACK it's TTL-limited, and Charlie's kept in sync because there's a side channel over to Charlie. It's really messy, but if your logging system and your firewall are not logging ICMP, there's no evidence. So bottom line: really interesting things are possible with ICMP, with TCP, with IP, with Ethernet 802.3. And oh, by the way, 802.11 is coming soon.
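The stateless NAT trick described above, the return route carried in an IP timestamp option, worked through as an added Python example that is not code from the talk or from the speaker's tooling: it builds the mode-3 option with the internal IP and MAC in the timestamp slots, models what an RFC 791 hop does with it, and checks a keyed tag on the way back so an option the NAT did not write is rejected (the "encrypt against the key" answer comes up in the Q&A). The HMAC key, the placeholder listed address 0.0.0.0 and the hop addresses are assumptions; the option is built and parsed in memory, no packets are sent.

```python
"""Added example (not the speaker's code): a stateless NAT return route carried in an
IP timestamp option, RFC 791 mode 3 (prespecified addresses). The NAT writes the internal
host's IPv4 + MAC (10 bytes) plus a short keyed tag into the four timestamp slots; hops
whose address is not the listed one leave the slots alone, so the reply brings the route
back and the tag lets the NAT reject options it did not produce. The key and the listed
placeholder address are assumptions for this example."""
import hashlib
import hmac
import struct

IPOPT_TIMESTAMP = 0x44     # option type byte: class 2, number 4
FLAG_PRESPECIFIED = 3      # mode 3: a hop writes a timestamp only if the listed address is its own
SLOTS = 4                  # four (address, timestamp) pairs = 32 bytes of slot space
OPT_LEN = 4 + SLOTS * 8    # 36 bytes, within the 40-byte IP option budget
FIRST_PTR = 5              # pointer value before any hop has written a timestamp
TAG_LEN = 6                # 16 bytes of timestamp slots minus the 10-byte route


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _tag(key, route):
    return hmac.new(key, route, hashlib.sha256).digest()[:TAG_LEN]


def build_option(key, inner_ip, inner_mac, listed_ip="0.0.0.0"):
    """Return the 36-byte option carrying the internal (ip, mac) route and its tag."""
    route = _ip(inner_ip) + bytes.fromhex(inner_mac.replace(":", ""))
    if len(route) != 10:
        raise ValueError("route must be a 4-byte IPv4 address plus a 6-byte MAC")
    data = route + _tag(key, route)            # exactly 16 bytes, 4 per timestamp slot
    header = bytes([IPOPT_TIMESTAMP, OPT_LEN, FIRST_PTR, FLAG_PRESPECIFIED])
    # Each entry: <listed address><4 bytes of our data where the timestamp would go>.
    # listed_ip is a placeholder no real hop owns, so nothing on the path matches it.
    entries = b"".join(_ip(listed_ip) + data[i * 4:(i + 1) * 4] for i in range(SLOTS))
    return header + entries


def hop_process(option, hop_ip, now):
    """What a mode-3 hop does with the option: rewrite a slot only if the listed address is its own."""
    opt = bytearray(option)
    ptr = opt[2]
    if ptr + 7 > opt[1]:                       # no slot left: bump the overflow nibble only
        oflw = ((opt[3] >> 4) + 1) & 0xF
        opt[3] = (oflw << 4) | (opt[3] & 0xF)
        return bytes(opt)
    if opt[ptr - 1:ptr + 3] == _ip(hop_ip):    # pointer is 1-based; address precedes timestamp
        opt[ptr + 3:ptr + 7] = struct.pack("!I", now & 0xFFFFFFFF)
        opt[2] = ptr + 8
    return bytes(opt)


def decode_option(key, option):
    """Recover (inner_ip, inner_mac) from a returned option, or None if it is not trusted."""
    if len(option) != OPT_LEN or option[0] != IPOPT_TIMESTAMP or option[1] != OPT_LEN:
        return None
    if option[2] != FIRST_PTR or option[3] & 0xF != FLAG_PRESPECIFIED:
        return None                            # a hop rewrote a slot, or this is not our encoding
    data = b"".join(option[8 + i * 8:12 + i * 8] for i in range(SLOTS))
    route, tag = data[:10], data[10:]
    if not hmac.compare_digest(tag, _tag(key, route)):
        return None                            # forged or damaged: nobody holding the key made it
    ip = ".".join(str(b) for b in route[:4])
    mac = ":".join(f"{b:02x}" for b in route[4:])
    return ip, mac


if __name__ == "__main__":
    KEY = b"constructed-nat-key"               # assumption: the NAT's own secret
    opt = build_option(KEY, "10.0.0.42", "00:11:22:33:44:55")
    # Twelve unrelated hops (constructed addresses): none is listed, so nothing is touched.
    for hop in range(12):
        opt = hop_process(opt, f"192.0.2.{hop + 1}", 1_000_000 + hop)
    print(decode_option(KEY, opt))             # ('10.0.0.42', '00:11:22:33:44:55')
    print(decode_option(b"other-key", opt))    # None: the tag does not verify
```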
So, yeah, there's fun things to do. Everyone get up here, get some beer. Well, first, first thing, you gotta impress me if you want the beer. Second thing, if you really impressed me you get a book, Hack Proofing Your Network, plug plug plug plug plug plug. Who's up first? Start walking up, set up a line right there and right there, because I'd like everyone to actually hear what's going on. Talk into the crap. Testing, testing. All right. With your multiplexed address translation, you said that you had to basically split up connections on incoming ports like 2022, 3022, so on and so forth, for multiple incoming connections to multiple hosts on the inside. However, how do you get around the fact that SSH is constantly keeping certificates of hosts and constantly telling you that you've got a man-in-the-middle attack? Yes, the whole problem about the fact that SSH actually cares about hosts and not ports. I can actually answer this because I know SSH quite well. I'm using a host alias. You say... what you never connect... you never want to attach, if you have multiple hosts at the same IP, the IP address is no longer an analog to the host. So when you make your SSH connection you say -o host alias whatever you're looking for, and that will go ahead and say, in this case I'm expecting the key for this back-end host, and I'm expecting the key for that back-end host. So that'll work. All right, you're up. With OpenBSD, I believe you can turn... with OpenBSD I believe you can turn off the option for rewriting all the ICMP stuff with sysctl. As far as I remember there is a sysctl option for that. If you can email it to me, I would most appreciate it. Thank you much. Go ahead. When you have your NAT, a virtual NAT, with it basically dining on layer two... Yes. So all of your hosts are sharing a globally addressable IP. Yes, and Windows will bitch. How do you communicate between hosts inside of that? It seems like you're gonna need a layer-two DNS.
No, no, no. This gets evil. You can actually have them all have 10-dot addresses, but the MAC product only would do it. So in other words it would go ahead and say this 64 host also has an address, 10-dot; 10-dot's outside the subnet, so it's going to go ahead and hit the machine in the middle. The machine in the middle is going to say, well, 10-dot goes ahead and maps to this 64-dot. So the answer is they can bounce off the guy that would normally get them to the outside world, and it actually can work. Could you, could you also instead just, under Linux, say IP alias, assign multiple IPs? It depends on whether or not you want to mess with the host. See, there's a lot of situations where you are allowed to modify this machine but not that one; you are allowed to modify this network but not that one. Yes, an IP alias would work perfectly as well, but if you can't modify it on that level, you can go ahead and modify it at the perspective of the gateway. But good thinking. Here, why not? Thank you, and a beer. For the connection brokering, couldn't you have both Alice and Bob spoof as if they were the connection broker? The problem is that the connection broker is never supposed to actually be part of the session. But he isn't, after he tells both Alice and Bob your next sequence number is... and then both Alice and Bob take over. Alice and Bob can't spoof packets. They're behind stateful firewalls. They're behind things that are really checking. Alice and Bob have to have entirely legitimate traffic. It's just they have to have entirely legitimate streams of traffic: one of them is going to the connection broker, the other one's going to Bob's firewall and, you know, maybe not getting there, and too-low TTLs are legit in the traffic because of traceroutes. But good thinking, though. All right, you go ahead.
Oh, my apologies. With IP address defense, ARPs. I'm booted up with multiple addresses the same; do you have a solution for that? Um, Windows will bitch, and I think there's a registry hack that gets rid of that bitching. If not, oh well, you can't do this with Windows. There's another option. You do the same thing you do when doing layer-four load balancing: put a loopback... I forget the exact syntax, but you essentially put a loopback address in place mapping to that IP that disables ARP responses to anybody making ARP requests on that IP, and just do that on... Yeah, yeah. Now you definitely would have to have your 10-dot address for inter-host communication, because you wouldn't be able to communicate with anyone else on that IP. All right, but, but the host would actually think it has the external IP, is what you're saying? Yeah, it just won't ARP-respond to it. Thank you. Thank you, drive-through. All right, I'm sorry, I think I have two questions. Oh, now... all right, I don't know. Instead of doing a TTL die, instead of doing a TTL, time to live, that's gonna time out, all right, could you do an invalid TCP checksum to have the same packet die and get removed from the stream? Well, TCP's really over... well, here's the deal: the routers don't care about the checksums, remember; we wanted to... OK. So you're saying that Bob's firewall would get the invalid TCP checksum, and once it got the invalid checksum it would send back a TCP error instead of the reset-ACK, and it would still drop the packet out of the session. Yeah. Yeah, that would suppress it.
All right, that's actually... that's a really good thing to do if they're actually blocking low TTLs on SYNs, which will probably be a feature in a short while. No, oh, you're right, if... OK, so Alice's firewall and Bob's firewall both... This guy gets the last fucking beer. It's another one of those situations where you have two firewalls with slightly different circumstances. If you have a local firewall that doesn't care and a remote firewall that does care, it works. But the TTL solution is going to be more general, but it's still good thinking. Question, because I'm cocked. All right, sweet, I have refills. All right, do you have any other questions? Theo is obviously not paranoid because he's right. I didn't say it is right. He works in security; he's supposed to be paranoid. This is a great little exchange I had with this guy. It's like, security is the only industry where paranoia is a compliment. The response I got back: I was afraid somebody would say that. And I personally have never set up a firewall that allowed IP options in or out, so I think that you're gonna run us into trouble with that. OK, and in specific things are that... Rachel, are you in the crowd? Right there. Yeah, Rachel knows about this. There's TCP options which don't get molested, and TCP options actually... you have a TCP timestamp that has a reply field inside of it that's supposed to contain the time of your own machine. Now it's 32 bits, so you can only put in an IP address, but it's enough for you to get the local IP up for it and do what you need. So how much you want to bet by the time we all get home next week that Theo will have patched OpenBSD to scrub outbound TTL through pf? Well, but then he's gonna break... then he's going to break... Here's the deal: you've got the legitimate and the illegitimate.
You have legitimate TCP tracerouting that should not be messed with, and you've got kind of some other stuff. The legitimate is protecting the illegitimate. I would be really pissed if it wasn't at least an option to allow the timestamping. Micah, I want you here. You'll need that for ICMP. So you could scrub TTLs on everything but ICMP and still effectively break this technique. Well, I mean, there's ICMP too: TTL, timestamp. I mean, you can, you can traceroute, and do traceroute on TCP, on UDP, and on ICMP. There's different implementations that do all three, because all three elicit a time exceeded message. Thanks. All right, what's up? Two things. First, that you can close the dynamic hole when you get a TTL, a time exceeded. So one thing that OpenBSD could do is when it gets the ICMP TTL it could close the open... Oh yeah, and the information's sitting there in the ICMP data, and it's sitting everywhere. It's really trivial, but to be blunt, there's been no reason to do so. And no, no, let's talk about it from a purely theoretical security point of view. OpenBSD already trusts machines behind the firewall to determine what outgoing connections they're going to make. Whether or not some remote host is able to do incoming or not is not something that is within the security domain of OpenBSD. It can't know, because if it was a security issue OpenBSD would be vulnerable every time some other guy opened up a hole in his firewall. We're using a trait of the network to basically limit the statement I want to talk to this guy; limit it to my local side. The remote side is so far too dumb to know. Oh, you know, how do we resolve the NAT-NAT issue? There's no knowledge, no how, to do that resolution yet. So we're limiting, we're telling only our local side I want to talk to the other guy, and this is already a trusted message. The other comment was your stateless NAT would suffer from people using that state in the packet. Oh, I'm the state.
Yeah, you, you encrypt, encrypt against the key. You certainly have enough space to do all that kind of stuff. You encrypt against the key; people have a choice: either they drop the IP option and it doesn't get anywhere, or it gets to the one host it was supposed to. That's how you use the crypto for that. Very good. And of course the code is there, because we're using that with our SYN scanner. And we got next: if you're gonna use a connection broker, why not just use a proxy? Oh, because the... OK, now, last year I talked about using SSH for an end-to-end secure proxy. So the proxy would just pass the crypto packets; it has no idea what it's doing. It's really expensive. There's this, like, old story about, it used to be that it was illegal for phone calls to go between Jordan and Israel. So the guy in Jordan would call some apartment in the United States and the guy in Israel would call some apartment in the United States, and their connections would be linked against each other. Now the problem was, for this to work, the people who were running this had to rent apartments. They had to get phone lines, they had to buy phones, they had to buy hardware. And you know how they got caught, by the way? They didn't actually pay for anything.
They just shipped it all to the next place every time the rent was due. But yeah, I mean, the handshake of the connection broker's handshake-only: all it does is facilitate the connection between Alice and Bob at the asymmetric phase, at the point of the handshake. Once the handshake's done, you have two sides that think they're talking directly to each other, are routing directly to each other, and therefore get a direct link. The broker is out. The broker exchanges a total of between five and fifteen packets, depending on the convergence algorithm, and can pass... has facilitated an arbitrary amount of data. So the broker just does the very beginning and he's out. Ding ding, man, got it. Go ahead. Would a connection broker work in a situation like this? You have two firewalls running NAT, OK, the server behind one of the firewalls, and it's forwarding ports to that server. OK, this connection behind a firewall has no, you know, there's no ports being forwarded; the user wants to connect to the server using the public IP address, but the server responds on a different port, like they want to come in at 149 and they come out, you know, it comes back on 400. You need to stay within the same TCP sessions. What's going on is, just because the user makes an outgoing connection to the server, the only thing the server can do is make a response on that individual TCP session. Now it is conceivable that this outgoing connection could be to SS... to an SSH server on the server, and then using that it can do a remote port forward of its own SSH server or its own web server. Effectively the server can tunnel back through that SSH system. Now that works well. I'll show you how to do it later. Nice. Thank you. All right.
You got anyone else? You, up. All right. With what he was saying, could you set something up so that you could have one guy on one side, one guy on the other, and allow somebody on this other side could open up so that he can get to his server in his own domain, by using a packet, say, say that it's from this IP address but it's not? You got to operate within a really restrictive domain where the only entries you're able to open up on the firewall are those from outgoing connections. This is so far the only method I've found to do it. Well, if this guy sends a packet out from source port 80... It's, if it's a SYN, or if it's not part of an establishment... OK, the only type of TCP packet that you can send out, that will actually get out of a stateful firewall, that will actually reach the internet, is a SYN. A SYN/ACK is a response, an ACK is a response after a SYN, and the raw data, flagless, has to have started from a handshake. So the only thing you can get out is the SYN. That's your restriction. So this is... Theoretically works, again, you'd use UDP. This is what the game guys do. It works quite well. We got anything else? Hey, yeah, who said that? Yes, I know this question. What if you don't have a default gateway pointing to your firewall? Now this is beautiful. The only thing the default gateway does: your system, after the default gateway, sends the packet with the final destination to that gateway MAC address. The gateway never actually needs to know what IP the... Oh, OK, long story short, the gateway responds to the ARP request for the default gateway and says yeah, send them to my MAC. Oh, you're shaking your head. Why can't you do that? Not on your network. No, no, no, no, no, no, no, no, come back here. I sense a little challenge here. Why can I not? Why can I not ARP for your gateway? Because... because the IP address of the firewall is not in my routing table. The IP address of the firewall is not in the routing table.
I am talking about replacing your firewall, you know. It's, you know, it sits before your firewall. It's basically replacing the NAT implementation on your firewall. Nobody can go out; they all use a proxy server. It's... you have a neighbor to this way, you have a network specifically... If you were to install my stuff, you'd be changing the architecture of your network. It doesn't really make sense for me to talk about how this would work in your network as is, because, you know, first of all, I presume direct connectivity, and this is not what, you know, you have. The only comment I was making while I was sitting down: you're assuming direct connectivity. All right, then we both agree. OK, and there is actually a proxy system. Ask me about it later. OK, I don't know if that's on my head, but I've written it down somewhere. I wouldn't talk about what I do on this microphone anyway. Spot... but anyway, we got anything else, any other challenges? That's actually a good question. He's got a point there. I'm gonna give you a book for the balls. Give me a beer. I want a beer. Where's my beer? Sweet. All righty, everyone. Thanks for sticking it out. Thanks for coming. Welcome to DEF CON. Have a fucking party, people.