Update

This month I'm trying to wrap up design work on d3k, and start working on the warhol projects. Sorry for being inactive. Life sucks that way.

-Chris

 Releases

BruteDNS
Handy tool when you can't do a zone transfer.

Siphon
Remixed Remade Remodeled.

Papers

Layer 2 Probing Techniques

Development

Summary Page
Releases
CVS Tree

Project Members
Maetrics
D1sfunct
Deathcubek
Team Violating

Links
  • Violating Networks
  • Gomisquad

    Other Projects

  • Freedom of Information Hack
  • Warhol Project
  • Delicious and Malicious Code Analysis
  • Bait & Switch Honeypot
  • BigEye Honeypot

    • All your base Are belong to us

    π
    Project Focus

    D3K
    For the detection of hardware address filters

    by Chris "Gomi Maetrics" Gragsone

    Purpose

    D3K is a utility that attempts to probe the local network searching for hosts with layer 2 firewalls. Layer 2 firewalls are like a regular firewalls, with the main difference being the type of host addresses they block. A regular firewall block hosts based on their IP (Internet Protocol) addresses. A layer 2 firewall blocks hosts based on their MAC (Machine Address Code) addresses, which can make them invisible to traditional ping sweeps. By finding hosts with layer 2 firewalls, we may uncover compromised hosts or hosts with an unauthorized network connection. In either cases it is likely possible that the administrator (legitmate or not) is trying to cloak the box from a traditional scan.

    Probing Technique

    It is our hopes that a host with layer 2 firewalls will need to communicate with another host on the network and not with us. To find hosts with this configuration, D3K will query the network with arp requests and record any replies. D3K will then query the nonresponsive hosts using spoofed source addresses from responsive hosts. New hosts that are detected with this probe will then be added to a lists of suspected firewalled hosts.

    To remove false positives, D3K will query the suspected box with a genuine arp request as a confirmation probe. If the suspected box fails to return an arp reply, the host will be reported as a firewalled host. False positives could be generated by a machine that was recently connected to the network, or a host with momentary connection lose. Administrators may still want to pay attention to these machines as they may be experiencing other performance issues.

    Switch Safe Mode

    These layer 2 scans may cause network problems and false readings on more advanced network topologies. It is possible D3K may not work well with Arp Proxies, flat routed networks, multicast groups, or VPNs. To accomodate the networks, D3K will have an optional swtich safe mode. In this mode D3K will daemon itself, and passively listen to the network for arp requests and replies that don't belong to the host. Everytime D3K detects an arp message, it will generate an arp request to the sender. This method will take longer, and has the possiblity for not detecting a firewalled hosts. However, in this mode D3K would only probe hosts known to "exist" and would not need to rely on any spoofing.

    Appendix 1: Function Designs

    arprequest() - Handles Arp queries
    cidr2net() - Creates an ip address and netmask from cidr notation (Already Completed)
    getroute() - Return route structure for specified destination network
    hostlist() - Interface for placing host data into the list
    myip() - Obtains the interface address for a specifc network
    netlist() - Creates a list of ip addresses on the network
    passv() - libpcap function for finding hosts passively (and actively probes them)
    results() - Print the list of responcive hosts
    scan() - Scan the network looking for responcive hosts
    setoptflags() - Set options based from commandline arguments
    spoof_scan() - Scan the network looking for responcive hosts using