ScanRand - A very fast stateless port scanner which can also trace routes to machines. Stateless, in this case, means that the scanner does not maintain state between sending out a packet and listening for the return from that packet. Rather, the sending portion of the program screams out query packets as fast as it can and there's a separate listener (which can be run on a different machine entirely) which records any responses and reports to the user.
Amongst the tools, this is the one that I've gotten the most use out of. Because it is much faster than nmap, it's good for initial queries across a large range of IP's.
It does have it's shortcomings though. It takes a bit of experimenting to figure out a useful setting for the timer that the listener uses. Improperly configured switches (which abound) causes reporting failures. Some NIC's cannot handle the high counter turnover if you're repeatedly scanning all 65,535 ports on a large number of IP's.
MineWT - A very odd tool to have (unless you're trying to hide something). Allows multiple hosts on the same network to share an IP address. Why would you want to do this? How about: you want to download GIG's of MP3's using your employers network but you don't want the download to be traced to your machine. MineWT effectively maps multipe MAC addresses to the same IP address and routes traffic between them.
Dan Kaminsky explains it this way: Network Address Translation maps IP's. Arp maps MAC's. MAC Address Translation (DK's term for it) combines the two.
I still haven't found time to experiment with this but will update this document when I do.
LinkCat - (lc) is to network protocols as NetCat is to network connections. You can use it to view traffic in Hex or to capture and play it back.
ParaTrace - Another traceroute utility. However, this one is "passive" in that it does not set up a TCP connection of it's own. Rather, it "replays" (slightly modified) recent packets. Shortcoming: this only works for existing paths to remote machines (you have to have a connection to the remote IP)(i.e., this is path detection rather than path discovery). The author states that this is able to get past stateful firewalls (If the firewall allows a connection to an internal machine, it'll also allow the paratrace traffic.).
Phentropy - Makes interesting looking pictures of TCP/IP sequence numbers. Quoting Dan Kaminsky: "This is an extension of Michel Zalewski's excellent Phase Space Analysis of TCP/IP Sequence Numbers, done with an incredibly interesting tool called OpenQVIS." Only useful to those people who like to analyze TCP/IP stack implementations, I guess.
These tools have been out for almost a year now. I haven't seen widespread use of them probably because of their "niche uses" and/or other, more robust, tools already exist for legitimate uses. Very interesting code though.
No comments:
Post a Comment