Date: Fri, 24 May 2013 01:45:25 +0200
From: Jann Horn <jann@...jh.net>
To: full-disclosure@...ts.grok.org.uk
Subject: little proof-of-concept for remote traffic statistics using the IP ID field

Hello,
I built a small C helper for remotely generating traffic statistics using the
IP ID field. Well, hping3 does all the interesting stuff. This program will
just, every five minutes, send 20 SYN packets in intervals of 100ms to port 80
of the target machine, then sum up the ID differences and output a line with
the current unix time and the number of packets the remote machine seems to
have sent during the two seconds of measuring.

Basically, this program samples a remote machine's packet sending rate using
short bursts of SYNs. Only if the other machine uses one global incrementing
IP ID counter, of course.

This is meant to be an educational tool, which is also why it just uses SYN
packets, making this seem to the other side as if someone's stealth-scanning
their port 80 over and over again. Not exactly the stealthiest way to do this,
but sufficient for demonstration purposes.

Usage:
 - install hping3 (or install hping2 and change hping3 in the source to hping2)
 - compile
 - run for some period of time (maybe 24h?) like this:
       ./rg <IP> > traffic_stats
 - plot output using gnuplot or so (start gnuplot, then do
       plot "traffic_stats" using 1:2)

Well, not exactly rocket science and I'm pretty sure most people here already know
the principle and could write something like this in a few minutes, but I thought
I'd share it anyway. Probably useful for demonstrating why IP ID flags are
something you might not want to be globally sequential unless you don't care about
giving your traffic stats to the whole world. Because graphs are good at
demonstrating stuff. :)

The code is attached and also at <http://git.thejh.net/?p=roguegraph.git;a=tree>.
I'm not responsible for whatever you do with this or whatever effects it has.

View attachment "rg.c" of type "text/x-csrc" (1920 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
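The measurement the post describes (fire a short burst of SYNs, read the IP ID out of each SYN/ACK, sum the steps between consecutive replies, call the result the target's packet count for the window), written out as an added example. This is not the rg.c attached to the post and not Jann Horn's code; it does the arithmetic only and leaves the probing to hping3. It goes one step past the post in two places: it subtracts the replies the target sent to the prober, so the reported figure is traffic to everyone else, and it flags a batch whose steps are too large for one global counter, which is the "only if the other machine uses one global incrementing IP ID counter" caveat turned into a check. Assumptions: the reply lines are constructed in the style of hping3's output (not captured from a real run), 192.0.2.10 is a placeholder address, and the max_step of 5000 per 100 ms probe spacing is an arbitrary plausibility bound.

```c
/* ipid_stats.c -- added example, not the rg.c attached to the post.
 * Parse the id= field from hping3-style reply lines, sum the 16-bit-wrapping
 * steps between consecutive replies, subtract the replies the target sent to
 * us, and refuse to trust the number when a step is too large for one global
 * counter.  Build: cc -std=c99 -Wall -o ipid_stats ipid_stats.c */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define MAX_REPLIES 64

struct ipid_estimate {
    int replies;    /* reply lines that carried an id= field */
    long total;     /* packets the target emitted between first and last reply */
    long others;    /* total minus the (replies - 1) packets it sent to us in that span */
    int plausible;  /* 0 if some step exceeded max_step: IDs look random or per-flow */
};

/* Value of the id= field in one hping3 reply line, or -1 if the line has none
 * (hping3's banner and statistics lines, for instance). */
int parse_ipid(const char *line)
{
    const char *p = line;
    while ((p = strstr(p, "id=")) != NULL) {
        /* only accept "id=" at a token boundary, never the tail of another key */
        if (p == line || isspace((unsigned char)p[-1])) {
            char *end;
            long v = strtol(p + 3, &end, 10);
            return (end != p + 3 && v >= 0 && v <= 0xffff) ? (int)v : -1;
        }
        p += 3;
    }
    return -1;
}

/* Forward distance from prev to cur on a 16-bit counter (handles 65535 -> 0). */
unsigned ipid_delta(int prev, int cur)
{
    return (unsigned)(cur - prev) & 0xffffu;
}

/* max_step is the largest single step still believable for a global counter at
 * the probe spacing in use (assumption: 5000 per 100 ms in main, i.e. 50k pps). */
struct ipid_estimate estimate_from_ids(const int *ids, int n, unsigned max_step)
{
    struct ipid_estimate e = { n, 0, 0, 1 };
    for (int i = 1; i < n; i++) {
        unsigned d = ipid_delta(ids[i - 1], ids[i]);
        if (d > max_step)
            e.plausible = 0;
        e.total += d;
    }
    e.others = n > 1 ? e.total - (n - 1) : 0;
    return e;
}

struct ipid_estimate estimate_from_lines(const char *const *lines, int nlines, unsigned max_step)
{
    int ids[MAX_REPLIES], n = 0;
    for (int i = 0; i < nlines && n < MAX_REPLIES; i++) {
        int id = parse_ipid(lines[i]);
        if (id >= 0)
            ids[n++] = id;
    }
    return estimate_from_ids(ids, n, max_step);
}

/* Constructed sample in the style of hping3's reply lines (format assumed, not
 * captured from a real run); the target's counter wraps from 65534 to 5. */
const char *const SAMPLE_REPLIES[] = {
    "HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes",
    "len=46 ip=192.0.2.10 ttl=64 DF id=65520 sport=80 flags=SA seq=0 win=5840 rtt=0.4 ms",
    "len=46 ip=192.0.2.10 ttl=64 DF id=65530 sport=80 flags=SA seq=1 win=5840 rtt=0.5 ms",
    "len=46 ip=192.0.2.10 ttl=64 DF id=65534 sport=80 flags=SA seq=2 win=5840 rtt=0.4 ms",
    "len=46 ip=192.0.2.10 ttl=64 DF id=5 sport=80 flags=SA seq=3 win=5840 rtt=0.4 ms",
    "len=46 ip=192.0.2.10 ttl=64 DF id=12 sport=80 flags=SA seq=4 win=5840 rtt=0.6 ms",
    "len=46 ip=192.0.2.10 ttl=64 DF id=20 sport=80 flags=SA seq=5 win=5840 rtt=0.4 ms",
    "--- 192.0.2.10 hping statistic ---",
};
const int SAMPLE_COUNT = sizeof SAMPLE_REPLIES / sizeof SAMPLE_REPLIES[0];

/* Constructed IDs from a host that does not use one global counter. */
const int RANDOM_IDS[] = { 12345, 51234, 3, 29999 };

int main(void)
{
    struct ipid_estimate e = estimate_from_lines(SAMPLE_REPLIES, SAMPLE_COUNT, 5000);
    /* same two-column shape as the post's tool: unix time, packets sent to others */
    if (e.plausible)
        printf("%ld %ld\n", (long)time(NULL), e.others);   /* e.others == 31 */
    else
        printf("%ld unusable: IDs are not a single global counter\n", (long)time(NULL));

    struct ipid_estimate r = estimate_from_ids(RANDOM_IDS, 4, 5000);
    printf("random-ID host: total=%ld plausible=%d\n", r.total, r.plausible); /* 83190, 0 */
    return 0;
}
```

To feed it real data instead of the constructed lines, the post's parameters correspond to something like `hping3 -S -p 80 -c 20 -i u100000 <IP>` piped through a small loop that calls estimate_from_lines once per burst (an assumed invocation, not one from the post). The plausible flag is the part worth keeping: on a stack that assigns IP IDs randomly or per destination, the deltas are noise, the summed "traffic" is meaningless, and the graph the post wants to draw says nothing about the target.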