Name            Date         Size       #Lines   LOC
..              03-May-2022  -
Libnet-1.0.2a/  03-May-2022  -          29,330   22,230
config/         07-May-2022  -           8,326    6,830
pcre-3.9/       29-May-2003  -          27,140   20,394
src/            29-May-2003  -          22,146   18,492
ChangeLog       29-May-2003  791            37       28
FAQ             25-May-2003  1.3 KiB        42       27
INSTALL         22-Dec-2002  280            17       10
LICENSE         25-May-2003  434            14        9
Makefile.am     23-May-2003  114             3        2
Makefile.in     29-May-2003  10.9 KiB      360      284
README          25-May-2003  9.8 KiB       215      159
TODO            25-May-2003  732            24       17
VERSION         29-May-2003  6               2        1
aclocal.m4      25-May-2003  4.3 KiB       128      113
bootstrap       19-May-2003  921            56       40
config.h.in     25-May-2003  1.6 KiB        72       47
configure       03-May-2022  82.1 KiB    2,748    2,204
configure.in    25-May-2003  6.8 KiB       217      190
stamp-h.in      25-May-2003  10              2        1

README

THC-RUT - http://www.thc.org/thc-rut - anonymous@segfault.net

                                            'When your mind is going hither
                                            and thither, discrimination will
                                            never be brought to a conclusion.
                                            With an intense, fresh and
                                            undelaying spirit, one will make
                                            his judgments within the space of
                                            seven breaths.
                                            It is a matter of being determined
                                            and having the spirit to break
                                            right through to the other side.'
                                            ...Hagakure, the way of the samurai
                                            ...by Yamamoto Tsunetomo


[0x01] What is THC-RUT:

    RUT (aRe yoU There, pronounced 'root') is your first knife on a foreign
    network. It gathers information from local and remote networks.

    It offers a wide range of network discovery tools: ARP lookup on
    an IP range, spoofed DHCP request, RARP, BOOTP, ICMP ping, ICMP
    address mask request, OS fingerprinting, high-speed host discovery, ...

    THC-RUT now comes with a new OS fingerprint implementation. It gathers
    TCP stack information, banners, open/closed port characteristics and
    timing values and tosses them through a Perl regular expression matrix to
    determine the OS with high accuracy.

    The tool is capable of discovering a Class B network within 10 minutes.
    Banner information is taken from (among others) SNMP replies,
    telnetd (NVT) negotiation options, generic banner matching, HTTP Server
    version, DCE requests and TCP options.

    The homepage can be found at http://www.thc.org/thc-rut.

[0x02] History of THC-RUT

    THC-RUT has been rewritten and changed into a general local network
    discovery tool.

    It comes with a new OS fingerprinting technique and, in addition to
    this, supports nmap's fingerprinting methods. The implementation requires
    less memory and is faster on large networks (speaking of Class B or larger).

    The first THC-RUT release was written when the first wavelan APs
    popped up. Its purpose was to brute force wvlan (IEEE 802.11b) access
    points that used MAC authentication. Time has passed since the early days
    of wvlan hacking. Extensive research has been conducted and more
    sophisticated tools are now available.

[0x03] How to use

    I don't feel like explaining how to use the tool. It's pretty much
    straightforward. Anyone with half a brain should be able to use
    it - others don't have to.

    Just the basics:

    An IP range looks like this:

    192.168.0.1-192.168.255.254      # 2^16-2 hosts (Class B)
    192.168.0.0/24                   # 2^8-2 hosts (192.168.0.1 - 192.168.0.254)
    192.168.0.50-30                  # 192.168.0.50 - 192.168.0.80

    Scanning on a local network is critical. Some devices can not
    handle the ARP request storm and will drop packets. You should
    not scan faster than 100 hosts in parallel on a local network.
    If you scan a remote network you can go up to
    5000 hosts in parallel without any problems.

    The fingerprinter appears to be slow against a single host. Some devices
    only support one TCP connection at a time (some printers, routers)
    and we are thus very careful not to miss a banner.
    The connect timeout is set to 5 seconds and the read timeout
    to 35 seconds. Again, we have to consider stupid setups that try
    to resolve our IP (timeout of 30 seconds) before they
    show us the banner.

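The three range notations above, as an added example that is not part of the original README or of THC-RUT's own code: a Python parser that turns each form into an inclusive address interval, counts the hosts, and splits the host list into windows no larger than the parallelism this section recommends (100 on a local network, 5000 on a remote one). The caps, function names and the CIDR rule of excluding the network and broadcast addresses are assumptions for this example, not the tool's documented defaults.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Parallelism caps taken from the README's advice; assumptions for this
# example, not THC-RUT's own defaults.
MAX_PARALLEL_LOCAL = 100
MAX_PARALLEL_REMOTE = 5000


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse one THC-RUT style range into an inclusive (first, last) pair of
    integer IPv4 addresses.

    Forms, as documented in the README:
      A-B     two dotted addresses, inclusive
      A/len   CIDR block; network and broadcast addresses are excluded
      A-n     dotted start address plus a host offset n (A .. A+n inclusive)
      A       a single host
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        if net.prefixlen >= 31:
            # /31 and /32 have no separate network and broadcast address
            return int(net[0]), int(net[-1])
        return int(net.network_address) + 1, int(net.broadcast_address) - 1
    if "-" in spec:
        left, right = spec.split("-", 1)
        first = int(ipaddress.IPv4Address(left))
        if "." in right:
            last = int(ipaddress.IPv4Address(right))
        else:
            offset = int(right)            # raises ValueError on garbage
            if offset < 0:
                raise ValueError(f"negative host offset: {spec}")
            last = first + offset
        if last < first:
            raise ValueError(f"range end lies before its start: {spec}")
        if last > 0xFFFFFFFF:
            raise ValueError(f"range runs past 255.255.255.255: {spec}")
        return first, last
    single = int(ipaddress.IPv4Address(spec))
    return single, single


def host_count(spec: str) -> int:
    first, last = parse_range(spec)
    return last - first + 1


def iter_hosts(spec: str) -> Iterator[str]:
    first, last = parse_range(spec)
    for n in range(first, last + 1):
        yield str(ipaddress.IPv4Address(n))


def batches(spec: str, local: bool) -> Iterator[List[str]]:
    """Group the hosts into windows no larger than the parallelism cap the
    README recommends for local (100) or remote (5000) scanning."""
    cap = MAX_PARALLEL_LOCAL if local else MAX_PARALLEL_REMOTE
    batch: List[str] = []
    for host in iter_hosts(spec):
        batch.append(host)
        if len(batch) == cap:
            yield batch
            batch = []
    if batch:
        yield batch


if __name__ == "__main__":
    for spec in ("192.168.0.1-192.168.255.254", "192.168.0.0/24",
                 "192.168.0.50-30"):
        print(f"{spec:32} {host_count(spec):6d} hosts")
```

The `A-n` form is the one that trips people up: the number after the dash is an offset, not an end address, so `192.168.0.50-30` is 31 hosts ending at `.80`, exactly as the README's comment says. The parser rejects a range whose end precedes its start or runs past the IPv4 space instead of silently producing an empty or wrapped list.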
[0x04] Comments

    Recently there was a media hype when some monkey.org guy released his
    'new syncookie driven mega fast best of best' paketto scanner 'which
    he already demonstrated at blackhat' (Hossa! _must_ be the shit if it
    has been presented at blackhat :>.).

    In 1998 an Israeli group released a paper on bugtraq which documented
    their development and use of a high speed TCP port scanner. The tool
    was capable of scanning the entire internet. The tool was very well
    written but did not support states and had some other difficulties.
    (I lost the URL to that posting. Mail me if you have it.)

    In 1999 an unknown group developed bscan, which was used in a counterstrike
    operation to take down several 10.000-node-strong flood networks which
    threatened the internet during that period (I call it 'the kid period' of
    the internet. Any half-grown kid with the small penis syndrome thought that
    DDoS was the ultimate art of hacking. Fools.). Bscan was the first
    tool which scanned the internet several times on specific ports (the
    ports used by the DDoS agents) within a single month. The SANS institute
    categorized it as a 'ddos tool' itself after they found it in the wild.
    In their opinion everything that sends out SYN packets at a rate of
    10.000/sec is a DDoS tool :>. Bscan had a modular design and came with a
    bind module, httpd_version module, snmp modules, .. and was capable of
    establishing a full spoofed TCP connection using raw sockets (and like the
    Israeli tool used the syncookie method).
    Bscan was not perfect either. It lacked state support and an enhanced
    logging facility.

    So this paketto with its (quote) "reverse syncookie technique" is a very
    old idea. Paketto does not address the real problems of high speed network
    scanning (no, it's not done by putting a sendto() call into a while
    loop :> see below).

    THC-RUT is by far not perfect - it does not intend to be. It also
    does not intend to replace bscan or the Israeli tool. It's an
    add-on, not a replacement.

    THC-RUT comes with a state table and retransmits lost packets. THC-RUT
    started as a simple ARP packet sender which spoofed MACs, turned into a
    useful local network discovery tool and became an OS fingerprinter and
    host discovery tool for large networks in its last release.


[0x05] The real problem of high-speed network scanning

    The real problems are MAC resolving problems, routers that send broken
    TCP packets as answers, devices that can only handle one connection at a
    time, MAC table overflow of remote routers, BGP routers that go
    spin-looping when hit by the scan stream, half-NAT'ed routers (send a
    SYN to 1.2.3.4 and get the SYN/ACK from 4.3.2.1), pseudo-intelligent
    firewalls which block the stream, and retransmitting packets (you will
    have packet loss when scanning a Class A network - at one router or the
    other).

    FIXME: write more about why spread-scan mode is mandatory and not
    optional. Talk about volatile routes etc.

    FIXME: Talk about routers that only accept one TCP connection.

[0x06] OS fingerprinting

    Let me define some words that I will use throughout this lame README:

    An information is a single entity of data.

    OS fingerprinting is the technique of identifying the OS by information
    which is unique for every OS.

    The maximum number of different OS types that can be detected
    is less than or equal to the number of permutations over all informations.

    NMAP for example uses (among others) the TCP options to
    distinguish between OSes. The number of TCP options is limited, which
    makes the number of permutations finite also. The result is that only
    a limited number (i.e. the number of different permutations) can
    be distinguished by NMAP.

    OS fingerprinting results can be categorized into 3 parts:

    - low precision: type of the device (firewall, printer, switch, ...)
    - middle precision: OS or architecture
    - high precision: type, hotfix number, build version, ...

    Several tools for remote OS fingerprinting exist. Among them are state
    of the art tools like nmap or xprobe2. Other tools like queso and passive
    OS fingerprinting tools are either outdated or lack a large database of
    fingerprints.

    Recently the Intranode Research Team came up with a new idea called
    'temporal response analysis'. FIXME.

    Papers have been written en masse (FIXME) about different

    All presented solutions fit some specific requirements and work under
    certain circumstances. Most of them (nmap) rely on static pattern matching
    and others (xprobe2) do not work reliably on the internet or through
    firewalls, or lack a well tested database.

    Xprobe2 and nmap give good results with middle precision. Nmap fails
    far too often in the low precision field and detects a Baynet router
    where a Win2k with some patches is in place. High precision can not
    be achieved by any of the existing tools as the TCP/IP stack does not
    change for every hotfix or patch that is applied.

    THC-RUT is different. I do not believe in OS fingerprinting
    masturbation but in working code and good results.

    THC-RUT OS fingerprinting identifies the remote OS by matching the
    following 'informations':

    - Banner (snmp, web, telnet, ftp, smtp, ..)
    - Open port characteristics (certain routers have certain ports open
      by default)
    - NMAP-like OS fingerprinting techniques (TCP options + ICMP + TTL).

    THC-RUT gives results after a 'fits best' method without relying on
    static pattern matching.

    THC-RUT enumerates the OS, which makes it easier to use the output
    in third party applications.

    THC-RUT categorizes the findings into classes: type of host, OS, arch,
    version etc. If the OS can not be determined then at least the
    genre (firewall, host, printer, router, switch, ..) can be determined.

    THC-RUT is fast on large networks and 'slow' (well, compare it to
    nmap if you like) on single hosts.


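To make the 'fits best' method, the enumerated output and the genre fallback concrete, here is an added Python example that is not THC-RUT's code: the fingerprint database, the weights and thresholds, and the two hosts' evidence are all constructed for illustration. Each fingerprint carries the same three kinds of 'informations' listed above (banner regular expressions, characteristic open ports, nmap-style stack values such as TTL and TCP options). Rather than demanding an exact pattern hit, the matcher scores every fingerprint on the evidence that was actually gathered, returns the best one's numeric id when the fit is convincing, and otherwise reports only the genre whose members pooled the most matching evidence.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Weights per kind of information and thresholds for an OS-level verdict.
# These numbers are assumptions for the example, not THC-RUT's own values.
W_BANNER, W_PORT, W_TTL, W_OPTS = 3, 1, 2, 2
OS_MIN_RATIO, OS_MIN_WEIGHT = 0.6, 4


@dataclass
class Evidence:
    """Informations gathered from one host; anything not collected stays empty."""
    banners: Dict[str, str] = field(default_factory=dict)  # service -> banner
    open_ports: Set[int] = field(default_factory=set)
    ttl: Optional[int] = None                              # guessed initial TTL
    tcp_options: Optional[str] = None                      # e.g. "MSS,NOP,NOP,SACK"


@dataclass
class Fingerprint:
    ident: int                     # enumerated id, convenient for third-party tools
    genre: str                     # low precision: host, printer, router, ...
    os: str                        # middle precision
    arch: str
    banner_re: Dict[str, str]      # service -> regular expression
    ports: Set[int]                # ports such a device has open by default
    ttl: Optional[int] = None
    tcp_options: Optional[str] = None


def score(fp: Fingerprint, ev: Evidence) -> Tuple[float, int]:
    """Return (matched/applicable weight ratio, matched weight). A test only
    counts as applicable when that information was actually gathered, so a
    banner we never received does not punish a fingerprint."""
    matched = applicable = 0
    for service, pattern in fp.banner_re.items():
        banner = ev.banners.get(service)
        if banner is None:
            continue
        applicable += W_BANNER
        if re.search(pattern, banner, re.IGNORECASE):
            matched += W_BANNER
    for port in fp.ports:
        applicable += W_PORT
        if port in ev.open_ports:
            matched += W_PORT
    if fp.ttl is not None and ev.ttl is not None:
        applicable += W_TTL
        if fp.ttl == ev.ttl:
            matched += W_TTL
    if fp.tcp_options is not None and ev.tcp_options is not None:
        applicable += W_OPTS
        if fp.tcp_options == ev.tcp_options:
            matched += W_OPTS
    return (matched / applicable if applicable else 0.0), matched


def identify(db: List[Fingerprint], ev: Evidence) -> Dict[str, object]:
    """'Fits best': report the best fingerprint when it is convincing enough,
    otherwise only the genre whose members pooled the most matching evidence."""
    best = max(db, key=lambda fp: score(fp, ev))
    ratio, weight = score(best, ev)
    if ratio >= OS_MIN_RATIO and weight >= OS_MIN_WEIGHT:
        return {"id": best.ident, "genre": best.genre, "os": best.os,
                "arch": best.arch, "confidence": round(ratio, 2)}
    pooled: Dict[str, int] = {}
    for fp in db:
        pooled[fp.genre] = pooled.get(fp.genre, 0) + score(fp, ev)[1]
    genre, pooled_weight = max(pooled.items(), key=lambda kv: kv[1])
    if pooled_weight == 0:
        genre = "unknown"
    return {"id": 0, "genre": genre, "os": "unknown", "arch": "unknown",
            "confidence": 0.0}


# Constructed fingerprint database (illustrative entries, not a real one).
FINGERPRINTS = [
    Fingerprint(1, "host", "Windows 2000", "x86",
                {"http": r"Microsoft-IIS/5\.0", "smtp": r"Microsoft ESMTP"},
                {135, 139, 445}, ttl=128, tcp_options="MSS,NOP,NOP,SACK"),
    Fingerprint(2, "host", "Linux 2.4", "x86", {"ssh": r"OpenSSH_3\."}, {22},
                ttl=64, tcp_options="MSS,SACK,TS,NOP,WS"),
    Fingerprint(3, "printer", "HP JetDirect", "embedded",
                {"http": r"HP-ChaiSOE", "snmp": r"HP ETHERNET MULTI-ENVIRONMENT"},
                {80, 515, 9100}, ttl=64),
    Fingerprint(4, "router", "Cisco IOS", "mips",
                {"telnet": r"User Access Verification"}, {23}, ttl=255,
                tcp_options="MSS"),
    Fingerprint(5, "printer", "Lexmark", "embedded", {"http": r"Lexmark"},
                {80, 515, 9100}, ttl=64),
]

# Constructed evidence: a clear Windows 2000 box, and a printer whose web
# server banner matches nothing in the database.
WIN2K = Evidence({"http": "Server: Microsoft-IIS/5.0",
                  "smtp": "220 mail.example.test Microsoft ESMTP MAIL Service"},
                 {25, 80, 135, 139, 445}, ttl=128, tcp_options="MSS,NOP,NOP,SACK")
ODD_PRINTER = Evidence({"http": "Server: Virata-EmWeb/R6_0_1"}, {80, 9100}, ttl=64)

if __name__ == "__main__":
    print(identify(FINGERPRINTS, WIN2K))        # id 1, Windows 2000
    print(identify(FINGERPRINTS, ODD_PRINTER))  # id 0, genre printer, os unknown
```

Two design choices carry the 'fits best' idea. First, an information that was never collected (no telnet banner, no TCP options) is left out of the denominator, so partial evidence still ranks fingerprints sensibly instead of failing a static match. Second, the minimum matched weight stops a lone TTL hit, which the unknown printer shares with the Linux entry, from being promoted to an OS-level verdict; the printer's open ports and TTL are pooled across both printer fingerprints, so the low-precision genre is still reported.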
Yours sincerely,

The Hacker's Choice
http://www.thc.org
