THC-RUT - http://www.thc.org/thc-rut - anonymous@segfault.net

 'When your mind is going hither
 and thither, discrimination will
 never be brought to a conclusion.
 With an intense, fresh and
 undelaying spirit, one will make
 his judgments within the space of
 seven breaths.
 It is a matter of being determined
 and having the spirit to break
 right through to the other side.'
 ...Hagakure, the way of the samurai
 ...by Yamamoto Tsunetomo


[0x01] What is THC-RUT:

 RUT (aRe yoU There, pronounced 'root') is your first knife on a foreign
 network. It gathers information from local and remote networks.

 It offers a wide range of network discovery tools: ARP lookup on
 an IP range, spoofed DHCP request, RARP, BOOTP, ICMP ping, ICMP
 address mask request, OS fingerprinting, high-speed host discovery, ...

 THC-RUT now comes with a new OS fingerprint implementation. It gathers
 TCP stack information, banners, open/closed port characteristics and
 timing values and tosses them through a Perl regular expression matrix to
 determine the OS with high accuracy.

 The tool is capable of discovering a Class B network within 10 minutes.
 Banner information is taken from (among others) SNMP replies,
 telnetd (NVT) negotiation options, generic banner matching, the HTTP
 Server header version, DCE requests and TCP options.

 The homepage can be found at http://www.thc.org/thc-rut.

[0x02] History of THC-RUT

 THC-RUT has been rewritten and turned into a general local network
 discovery tool.

 It comes with a new OS fingerprinting technique and in addition makes
 use of nmap's fingerprinting methods. The implementation requires less
 memory and is faster on large networks (Class B or larger).

 The first THC-RUT release was written when the first WaveLAN APs
 popped up. Its purpose was to brute force WaveLAN (IEEE 802.11b) access
 points that used MAC authentication. Time has passed since the early days
 of WaveLAN hacking. Extensive research has been conducted and more
 sophisticated tools are now available.

[0x03] How to use

 I don't feel like explaining how to use the tool. It's pretty much
 straightforward. Anyone with half a brain should be able to use
 it - others don't have to.

 Just the basics:

 An IP range looks like this:

 192.168.0.1-192.168.255.254   # 2^16-2 hosts (Class B)
 192.168.0.0/24                # 2^8-2 hosts (192.168.0.1 - 192.168.0.254)
 192.168.0.50-30               # 192.168.0.50 - 192.168.0.80 (start plus offset)

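 As an added example (not code from THC-RUT or this README), here is the
 range syntax above parsed in Python. It follows the three forms exactly as
 listed: an explicit first-last pair, a CIDR block with the network and
 broadcast address dropped (hence the README's 2^8-2 count for a /24), and
 a start address plus an inclusive offset (192.168.0.50-30 covers .50 to
 .80). A bare address being accepted as a range of one host, and the
 handling of /31 and /32 blocks, are my own additions, not documented
 THC-RUT behaviour.

```python
import ipaddress


def parse_range(spec):
    """Turn one THC-RUT style range spec into an inclusive (first, last) pair.

    Forms handled (as listed in the README):
      a.b.c.d-e.f.g.h   explicit first and last host
      a.b.c.d/N         CIDR block, network and broadcast address excluded
      a.b.c.d-K         first host plus an offset of K (inclusive)
    Raises ValueError for anything else, including a range that runs backwards.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        if net.prefixlen >= 31:          # assumption: /31 and /32 have nothing to drop
            return net[0], net[-1]
        return net[1], net[-2]           # skip network and broadcast address
    if "-" in spec:
        left, right = spec.split("-", 1)
        first = ipaddress.IPv4Address(left)
        if "." in right:
            last = ipaddress.IPv4Address(right)
        else:
            last = first + int(right)    # offset form: 192.168.0.50-30 -> .50 .. .80
        if last < first:
            raise ValueError("range end lies before its start: " + spec)
        return first, last
    single = ipaddress.IPv4Address(spec)  # assumption: a bare address is a range of one
    return single, single


def count_hosts(spec):
    """Number of hosts a spec covers, computed without materialising them."""
    first, last = parse_range(spec)
    return int(last) - int(first) + 1


def expand(spec):
    """Yield every host address in the spec as a dotted-quad string."""
    first, last = parse_range(spec)
    for n in range(int(first), int(last) + 1):
        yield str(ipaddress.IPv4Address(n))


def is_valid(spec):
    """True if spec parses; useful for rejecting a bad command line before a long scan."""
    try:
        parse_range(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("192.168.0.1-192.168.255.254", "192.168.0.0/24", "192.168.0.50-30"):
        print("%-30s %6d hosts, first %s" % (s, count_hosts(s), next(expand(s))))
```

 count_hosts() is what you want for the "how long will this take" estimate
 before a Class B run; expand() is a generator so that a large range never has
 to sit in memory as a list.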
 Scanning on a local network is critical. Some devices can not
 handle the ARP request storm and will drop packets. You should
 not scan more than 100 hosts in parallel on a local network.
 If you scan a remote network you can go up to
 5000 hosts in parallel without any problems.

 The fingerprinter appears to be slow against a single host. Some devices
 only support one TCP connection at a time (some printers, routers)
 and we are thus very careful not to miss a banner.
 The connect timeout is set to 5 seconds and the read timeout
 to 35 seconds. Again, we have to consider stupid setups that try
 to resolve our IP (with a timeout of 30 seconds) before they
 show us the banner.

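 To make the two numbers above concrete, here is an added example (my own
 code, not THC-RUT's) of a banner grabber with the README's 5 second connect
 timeout, 35 second read timeout and a cap on sockets in flight. The
 "slow_service" and the banner it sends are constructed stand-ins for a
 device that stalls on a reverse lookup of our address before it talks;
 demo() runs one locally with sub-second delays so the point is visible
 without waiting half a minute: a read timeout shorter than the stall
 silently loses the banner.

```python
import asyncio

# Values from the README: connect timeout 5 s, read timeout 35 s, and the
# parallelism ceilings for local and remote networks.
CONNECT_TIMEOUT = 5.0
READ_TIMEOUT = 35.0
LOCAL_PARALLEL = 100
REMOTE_PARALLEL = 5000


async def grab_one(host, port, connect_timeout=CONNECT_TIMEOUT, read_timeout=READ_TIMEOUT):
    """Connect, wait for whatever the service volunteers first, return it or None.

    None means a refused/filtered port, a connect timeout, or a service that
    stayed silent longer than read_timeout (e.g. one stalled on reverse DNS).
    """
    try:
        reader, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), timeout=connect_timeout)
    except (OSError, asyncio.TimeoutError):
        return None
    try:
        data = await asyncio.wait_for(reader.read(1024), timeout=read_timeout)
        return data.decode("latin-1", "replace").strip() or None
    except asyncio.TimeoutError:
        return None
    finally:
        writer.close()


async def grab_all(targets, parallel=LOCAL_PARALLEL, **timeouts):
    """Grab banners from (host, port) pairs with at most `parallel` sockets in flight."""
    sem = asyncio.Semaphore(parallel)

    async def bounded(host, port):
        async with sem:
            return (host, port), await grab_one(host, port, **timeouts)

    return dict(await asyncio.gather(*(bounded(h, p) for h, p in targets)))


async def slow_service(banner, delay):
    """Constructed stand-in for a device that stalls before sending its banner."""
    async def handle(reader, writer):
        try:
            await asyncio.sleep(delay)       # e.g. a reverse lookup of our IP timing out
            writer.write(banner)
            await writer.drain()
        except ConnectionError:
            pass                             # the scanner already gave up on us
        finally:
            writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)


def demo(delay, read_timeout):
    """Scan one slow local service; returns its banner, or None if read_timeout was too short."""
    async def run():
        server = await slow_service(b"220 printer FTP server ready\r\n", delay)  # constructed banner
        port = server.sockets[0].getsockname()[1]
        async with server:
            found = await grab_all([("127.0.0.1", port)], parallel=LOCAL_PARALLEL,
                                   read_timeout=read_timeout)
        return found[("127.0.0.1", port)]
    return asyncio.run(run())


if __name__ == "__main__":
    print(demo(delay=0.5, read_timeout=2.0))   # banner arrives within the timeout
    print(demo(delay=0.5, read_timeout=0.1))   # timeout too short: banner missed
```

 The semaphore is the mechanism behind the 100/5000 guidance; the number
 itself is a judgement about the target segment, not something the code can
 pick for you. On a local segment the limit is really about how many ARP
 requests the weakest device will tolerate, so err low there.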
[0x04] Comments

 Recently there was a media hype when some monkey.org guy released his
 'new syncookie driven mega fast best of best' paketto scanner 'which
 he already demonstrated at blackhat' (Hossa! _must_ be the shit if it
 has been presented at blackhat :>.).

 In 1998 an Israeli group released a paper on bugtraq which documented
 their development and use of a high speed TCP port scanner. The tool
 was capable of scanning the entire internet. The tool was very well
 written but did not support states and had some other difficulties.
 (I lost the URL to that posting. Mail me if you have it.)

 In 1999 an unknown group developed bscan, which was used in a counterstrike
 operation to take down several 10,000-node flood networks that
 threatened the internet during that period (I call it 'the kid period' of
 the internet. Any half-grown kid with the small penis syndrome thought that
 DDoS was the ultimate art of hacking. Fools.). Bscan was the first
 tool which scanned the internet several times on specific ports (the
 ports used by the DDoS agents) within a single month. The SANS institute
 categorized it as a 'ddos tool' itself after they found it in the wild.
 In their opinion everything that sends out SYN packets at a rate of
 10,000/sec is a DDoS tool :>. Bscan had a modular design and came with a
 bind module, httpd_verson module, snmp modules, .. and was capable of
 establishing a fully spoofed TCP connection using raw sockets (and like the
 Israeli tool used the syncookie method).
 Bscan was not perfect either. It lacked state support and an enhanced
 logging facility.

 So this paketto with its (quote) "reverse syncookie technique" is a very
 old idea. Paketto does not address the real problems of high speed network
 scanning (no, it's not done by putting a sendto() call into a while
 loop :> see below).

 THC-RUT is by far not perfect - it does not intend to be. It also
 does not intend to replace bscan or the Israeli tool. It's an
 add-on, not a replacement.

 THC-RUT comes with a state table and retransmits lost packets. THC-RUT
 started as a simple ARP packet sender with spoofed MACs, turned into a
 useful local network discovery tool and became an OS fingerprinter and
 host discovery tool for large networks in its latest release.


[0x05] The real problem of High-speed network scanning

 The real problems are MAC resolution problems, routers that send broken
 TCP packets as an answer, devices that can only handle one connection at a
 time, MAC table overflow of remote routers, BGP routers that go
 spin-looping when hit by the scan stream, half-NAT'ed routers (send a
 SYN to 1.2.3.4 and get the SYN/ACK from 4.3.2.1), pseudo-intelligent
 firewalls which block the stream, and retransmitting packets (you get
 packet loss when scanning a Class A network - at one router or the other).

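 As an added example (my own code, not THC-RUT's, bscan's or paketto's),
 here is what the state table and retransmission from [0x04] look like next
 to the syncookie-style idea the same section talks about, and how the two
 together cope with the half-NAT'ed router from the list above. The SYN's
 sequence number is derived from the probe's identity with a keyed hash, so
 a SYN/ACK's ack-1 names the probe it answers even when it arrives from a
 different source address; a small state table on top of that is what makes
 retransmission of unanswered probes possible at all, which a purely
 stateless scanner cannot do. Packets are constructed tuples here, there is
 no raw socket; the secret, the fake clock, the timeout and retry counts
 are all assumptions for the demo.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-scan-secret"   # assumption: a real scanner draws a fresh key per run


def probe_isn(dst_ip, dst_port, src_port):
    """Syncookie-style ISN: the SYN's sequence number encodes which probe it is.

    A genuine SYN/ACK carries ack == isn + 1, so ack - 1 identifies the probe
    without trusting the reply's source address; forged or stray replies fail.
    """
    msg = f"{dst_ip}:{dst_port}:{src_port}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class ScanState:
    """State table: outstanding probes, retransmission, and classified results."""

    def __init__(self, timeout=1.0, max_retries=2, now=time.monotonic):
        self.timeout = timeout
        self.max_retries = max_retries
        self.now = now
        self.pending = {}   # isn -> probe record
        self.results = {}   # (dst_ip, dst_port) -> (status, answering_ip, note)
        self.wire = []      # SYNs handed to the (here imaginary) raw socket

    def send_syn(self, dst_ip, dst_port, src_port):
        isn = probe_isn(dst_ip, dst_port, src_port)
        tries = self.pending[isn]["tries"] + 1 if isn in self.pending else 1
        self.pending[isn] = {"dst_ip": dst_ip, "dst_port": dst_port,
                             "src_port": src_port, "sent": self.now(), "tries": tries}
        self.wire.append((dst_ip, dst_port, src_port, isn))
        return isn

    def handle_reply(self, src_ip, src_port, dst_port, flags, ack):
        """Classify an incoming TCP reply; flags is a set such as {"SYN", "ACK"}."""
        isn = (ack - 1) & 0xFFFFFFFF
        probe = self.pending.get(isn)
        if probe is None or probe["src_port"] != dst_port:
            return "unsolicited"      # backscatter, forgery, or a reply already handled
        # The ISN proves this answers our probe even if the source differs: the
        # half-NAT'ed router case (SYN to 1.2.3.4, SYN/ACK from 4.3.2.1).
        note = "ok" if (src_ip, src_port) == (probe["dst_ip"], probe["dst_port"]) else "half-nat"
        if {"SYN", "ACK"} <= flags:
            status = "open"
        elif "RST" in flags:
            status = "closed"
        else:
            status = "unknown"
        self.results[(probe["dst_ip"], probe["dst_port"])] = (status, src_ip, note)
        del self.pending[isn]
        return note

    def retransmit(self):
        """Resend probes older than timeout; after max_retries give up and record 'lost'."""
        now = self.now()
        resent, lost = [], []
        for isn, p in list(self.pending.items()):
            if now - p["sent"] < self.timeout:
                continue
            key = (p["dst_ip"], p["dst_port"])
            if p["tries"] > self.max_retries:
                del self.pending[isn]
                self.results[key] = ("lost", None, "no reply after %d tries" % p["tries"])
                lost.append(key)
            else:
                self.send_syn(*key, p["src_port"])
                resent.append(key)
        return resent, lost


class FakeClock:
    """Constructed clock so the demo is deterministic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def demo():
    """Three constructed probes: one half-NAT'ed answer, one RST, one lost on the way."""
    clock = FakeClock()
    st = ScanState(timeout=1.0, max_retries=2, now=clock)
    isn_a = st.send_syn("1.2.3.4", 80, 40001)     # answered from another address
    isn_b = st.send_syn("10.0.0.9", 22, 40002)    # answered with RST
    st.send_syn("10.0.0.10", 22, 40003)           # never answered
    st.handle_reply("4.3.2.1", 80, 40001, {"SYN", "ACK"}, (isn_a + 1) & 0xFFFFFFFF)
    st.handle_reply("10.0.0.9", 22, 40002, {"RST", "ACK"}, (isn_b + 1) & 0xFFFFFFFF)
    st.handle_reply("9.9.9.9", 80, 40001, {"SYN", "ACK"}, 12345)   # forged: wrong ack
    for _ in range(3):                            # clock passes the timeout three times
        clock.t += 1.5
        st.retransmit()
    return st


if __name__ == "__main__":
    for key, value in sorted(demo().results.items()):
        print(key, value)
```

 The "lost" verdict is the honest one for a Class A run: without the state
 table the scanner would simply have no row for that host and would report
 it as absent.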
 FIXME: write more about why spread-scan mode is mandatory and not
 optional. Talk about volatile routes etc.

 FIXME: Talk about routers that only accept one TCP connection.

[0x06] OS fingerprinting

 Let me define some words that I will use throughout this lame README:

 An information is a single entity of data.

 OS fingerprinting is the technique of identifying the OS by information
 which is unique for every OS.

 The maximum number of different OS types that can be detected
 is less than or equal to the number of distinct combinations of all
 informations.

 nmap, for example, uses (among others) the TCP options to
 distinguish between OSes. The number of TCP options is limited, which
 makes the number of combinations finite as well. The result is that only
 a limited number of OSes (i.e. the number of different combinations) can
 be distinguished by nmap.

 OS fingerprinting results can be categorized into 3 parts:

 - low precision: type of the device (firewall, printer, switch, ...)
 - middle precision: OS or architecture
 - high precision: type, hotfix number, build version, ...

 Several tools for remote OS fingerprinting exist. Among them are state
 of the art tools like nmap or xprobe2. Other tools like queso and passive
 OS fingerprinting tools are either outdated or lack a large database of
 fingerprints.

 Recently the Intranode Research Team came up with a new idea called
 'temporal response analysis'. FIXME.

 Papers have been written en masse (FIXME) about different

 All the presented solutions fit some specific requirements and work under
 certain circumstances. Most of them (nmap) rely on static pattern matching
 and others (xprobe2) do not work reliably on the internet or through
 firewalls, or lack a well-tested database.

 Xprobe2 and nmap give good results with middle precision. nmap fails
 far too often in the low precision field and detects a Baynet router
 where a Win2k with some patches is in place. High precision can not
 be achieved by any of the existing tools, as the TCP/IP stack does not
 change for every hotfix or patch that is applied.

 THC-RUT is different. I do not believe in OS fingerprinting
 masturbation but in working code and good results.

 THC-RUT OS fingerprinting identifies the remote OS by matching the
 following 'informations':

 - Banner (snmp, web, telnet, ftp, smtp, ..)
 - Open port characteristics (certain routers have certain ports open
 by default)
 - nmap-like OS fingerprinting techniques (TCP options + ICMP + TTL).

 THC-RUT gives results from a 'fits best' method without relying on
 static pattern matching.

 THC-RUT enumerates the OS (assigns it a number), which makes it easier
 to use the output in third party applications.

 THC-RUT categorizes the findings into classes: type of host, OS, arch,
 version etc. If the OS can not be determined then at least the
 genre (firewall, host, printer, router, switch, ..) can be determined.

 THC-RUT is fast on large networks and 'slow' (well, compare it to
 nmap if you like) on single hosts.


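 To show what a 'fits best' match over those three kinds of informations
 means in practice, here is an added example in Python. It is not THC-RUT's
 matcher or database: the signature table, its regexes, the weights and the
 two thresholds are constructed for illustration, as are the observations
 fed in. What it does reproduce is the shape of the idea: every information
 (banner regex hits, open-port characteristics, an nmap-style initial TTL
 guess) adds weight to each candidate, the highest total wins even if not
 every pattern fitted, each answer carries an enumerated os_id for third
 party tools, and when the evidence is too thin for an OS the genre is still
 reported.

```python
import re

# Constructed signature table, not THC-RUT's fingerprint database.
# "banners" are (regex, weight), "ports" are open-port -> weight, "ttl" is (initial ttl, weight).
SIGNATURES = [
    {"os_id": 1, "genre": "printer", "os": "HP JetDirect", "arch": "embedded", "version": "",
     "banners": [(r"JetDirect", 5)], "ports": {9100: 3, 515: 2}, "ttl": (64, 1)},
    {"os_id": 2, "genre": "router", "os": "Cisco IOS", "arch": "", "version": "",
     "banners": [(r"Cisco (IOS|Internetwork Operating System)", 5)], "ports": {23: 1},
     "ttl": (255, 1)},
    {"os_id": 3, "genre": "host", "os": "Windows 2000", "arch": "i386", "version": "",
     "banners": [(r"Microsoft-IIS/5\.0", 5), (r"Windows 2000", 4)],
     "ports": {135: 2, 139: 2, 445: 2}, "ttl": (128, 1)},
    {"os_id": 4, "genre": "host", "os": "Linux", "arch": "", "version": "",
     "banners": [(r"\bLinux\b", 4), (r"OpenSSH", 1)], "ports": {22: 1}, "ttl": (64, 1)},
]

MIN_OS_SCORE = 5      # assumption: below this we do not name an OS ...
MIN_GENRE_SCORE = 3   # assumption: ... but may still name the genre


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (hop count unknown)."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255


def score(sig, obs):
    """Sum the weights of every information in obs that fits sig; report which ones did."""
    total, hits = 0, []
    for pattern, weight in sig["banners"]:
        if any(re.search(pattern, b, re.I) for b in obs.get("banners", [])):
            total += weight
            hits.append("banner:" + pattern)
    for port, weight in sig["ports"].items():
        if port in obs.get("open_ports", ()):
            total += weight
            hits.append("port:%d" % port)
    if "ttl" in obs and initial_ttl(obs["ttl"]) == sig["ttl"][0]:
        total += sig["ttl"][1]
        hits.append("ttl:%d" % sig["ttl"][0])
    return total, hits


def fingerprint(obs):
    """Best fit: rank every signature; name the OS, or failing that just the genre."""
    ranked = sorted(((score(s, obs), s) for s in SIGNATURES),
                    key=lambda r: r[0][0], reverse=True)
    (best_score, hits), best = ranked[0]
    result = {"os_id": 0, "genre": "unknown", "os": "", "arch": "", "version": "",
              "score": best_score, "evidence": hits}
    if best_score >= MIN_OS_SCORE:
        result.update({k: best[k] for k in ("os_id", "genre", "os", "arch", "version")})
    elif best_score >= MIN_GENRE_SCORE:
        result["genre"] = best["genre"]      # low precision only, but better than nothing
    return result


# Constructed observations standing in for what a scan would have collected.
OBSERVATIONS = {
    "cisco": {"banners": ["Cisco Internetwork Operating System Software"],
              "open_ports": {23}, "ttl": 249},
    "iis": {"banners": ["Server: Microsoft-IIS/5.0"], "open_ports": {80, 135, 139, 445},
            "ttl": 120},
    "printer_no_banner": {"open_ports": {9100}, "ttl": 61},
    "nothing_useful": {"open_ports": {8080}, "ttl": 61},
}

if __name__ == "__main__":
    for name, obs in OBSERVATIONS.items():
        print(name, fingerprint(obs))
```

 The "printer_no_banner" case is the one worth noticing: a single open port
 and a TTL are not enough to claim an OS, so the answer is os_id 0 with
 genre "printer", which is exactly the low precision fallback the README
 describes. The "evidence" list is there so a result can be audited rather
 than taken on faith.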
Yours sincerely,

The Hacker's Choice
http://www.thc.org
