THC-RUT - http://www.thehackerschoice.com/thc-rut - anonymous@segfault.net

                                            'When your mind is going hither
                                            and thither, discrimination will
                                            never be brought to a conclusion.
                                            With an intense, fresh and
                                            underlying spirit, one will make
                                            his judgments within the space of
                                            seven breaths.
                                            It is a matter of being determined
                                            and having the spirit to break
                                            right through to the other side.'
                                            ...Hagakure, the way of the samurai
                                            ...by Yamamoto Tsunetomo


[0x01] What is THC-RUT:

    RUT (aRe yoU There, pronounced 'root') is your first knife in a foreign
    network. It gathers information from local and remote networks.

    It offers a wide range of network discovery utilities: ARP lookup on
    an IP range, spoofed DHCP requests, RARP, BOOTP, ICMP ping, ICMP
    address mask requests, OS fingerprinting, high-speed host discovery, ...

    THC-RUT comes with an OS fingerprinter which determines the remote
    OS by open/closed port characteristics, banner matching and nmap
    fingerprinting techniques (T1, tcpoptions).

    The fingerprinter has been developed to quickly (about 10 minutes)
    categorize the hosts on a Class B network. Information sources are
    (among others) SNMP replies, telnetd (NVT) negotiation options,
    generic banner matching, HTTP Server version, DCE requests and
    TCP options. It is compatible with the nmap-os-fingerprints database
    and in addition comes with its own Perl-regex-capable fingerprinting
    database (thcrut-os-fingerprints).

    The homepage can be found at http://www.thehackerschoice.com/thc-rut.

[0x02] History of THC-RUT

    THC-RUT has been rewritten and turned into a general local network
    discovery tool.

    It comes with a new OS fingerprinting technique and in addition supports
    the nmap fingerprinting methods. The implementation requires less
    memory and is faster on large networks (Class B or larger).

    The first THC-RUT release was written when the first wavelan APs
    popped up. Its purpose was to brute force wvlan (IEEE 802.11b) access
    points that used MAC authentication. Time has passed since the early days
    of wvlan hacking. Extensive research has been conducted and more
    sophisticated tools are now available.

[0x03] How to use

    I don't feel like explaining how to use the tool. It's pretty much
    straightforward. Anyone with half a brain should be able to use
    it - others don't have to.

    Just the basics:

    An IP range looks like this: 192.168.0.1-192.168.255.254
    (class B network).

    Scanning on the local network is critical. Some devices cannot
    handle the ARP request storm and will drop packets. You should
    not scan faster than 100 hosts in parallel on a local network.
    If you scan a remote network you can go up to
    5000 hosts in parallel without any problems.

    The fingerprinter appears to be slow against a single host. Some devices
    only support one TCP connection at a time (some printers, routers)
    and we are therefore very careful not to miss a banner.
    The connect timeout is set to 5 seconds and the read timeout
    to 35 seconds. Again, we have to consider stupid setups that try
    to resolve our IP (with a timeout of 30 seconds) before they
    show us the banner.
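    The following is an added example, not code from THC-RUT itself. It shows the
    three things this section states as numbers: how a range of the form
    192.168.0.1-192.168.255.254 expands into individual addresses, how the
    parallelism cap is chosen (100 hosts when any target is on the local subnet,
    since those probes become ARP traffic; 5000 otherwise), and how a state table
    of outstanding probes retransmits after the 5-second connect timeout and gives
    up after a fixed number of tries (the kind of state table the Comments section
    says this release added). The range parser also accepts a lone address, which
    goes slightly beyond the README's a.b.c.d-e.f.g.h form. Nothing is sent on the
    wire: the transport, the loss model and the local subnet 192.168.0.0/24 are
    constructed for the simulation, and the clock is advanced by hand.

```python
import ipaddress

# Values taken from the README's guidance.
LOCAL_PARALLEL = 100     # at most 100 hosts in parallel on the local network (ARP storms)
REMOTE_PARALLEL = 5000   # up to 5000 hosts in parallel against remote networks
CONNECT_TIMEOUT = 5.0    # seconds
READ_TIMEOUT = 35.0      # seconds; leaves room for a 30 s reverse-DNS stall before the banner


def expand_range(spec):
    """Expand 'a.b.c.d-e.f.g.h' into IPv4Address objects (a lone address is a range of one)."""
    first, _, last = spec.partition("-")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip()) if last else start
    if end < start:
        raise ValueError("range end precedes start: %s" % spec)
    return [ipaddress.IPv4Address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def parallelism_for(targets, local_net):
    """If any target sits on our own subnet, probes turn into ARP requests, so use the low cap."""
    net = ipaddress.ip_network(local_net, strict=False)
    return LOCAL_PARALLEL if any(t in net for t in targets) else REMOTE_PARALLEL


class ProbeTable:
    """State table of outstanding probes: retransmits after `timeout`, gives up after `max_tries`."""

    def __init__(self, send, timeout, max_tries):
        self.send, self.timeout, self.max_tries = send, timeout, max_tries
        self.pending = {}    # host -> (time of last send, tries so far)
        self.answered = {}   # host -> reply payload
        self.lost = []       # hosts that never answered within max_tries

    def probe(self, host, now):
        self.send(host)
        self.pending[host] = (now, 1)

    def reply(self, host, payload):
        if host in self.pending:        # ignore answers we are not waiting for
            del self.pending[host]
            self.answered[host] = payload

    def tick(self, now):
        for host, (sent_at, tries) in list(self.pending.items()):
            if now - sent_at < self.timeout:
                continue
            if tries >= self.max_tries:
                del self.pending[host]
                self.lost.append(host)
            else:
                self.send(host)
                self.pending[host] = (now, tries + 1)


def simulate(spec, local_net="192.168.0.0/24", max_tries=3):
    """Drive the table over a constructed, lossy transport (no packets are sent)."""
    targets = expand_range(spec)
    cap = parallelism_for(targets, local_net)
    sends = {}   # constructed transport: only counts how often each host was probed

    def send(host):
        sends[str(host)] = sends.get(str(host), 0) + 1

    def deliver(table):
        # Constructed loss model: a last octet divisible by 3 loses its first probe,
        # last octet 9 never answers at all (a dead host or a silently dropping firewall).
        for host in list(table.pending):
            last = int(host) & 0xFF
            if last == 9 or (last % 3 == 0 and sends[str(host)] == 1):
                continue
            table.reply(host, b"banner from " + str(host).encode())

    table = ProbeTable(send, CONNECT_TIMEOUT, max_tries)
    queue, clock = list(targets), 0.0
    while queue or table.pending:
        while queue and len(table.pending) < cap:   # never exceed the parallelism cap
            table.probe(queue.pop(0), clock)
        deliver(table)
        clock += CONNECT_TIMEOUT
        table.tick(clock)
    return {
        "parallelism": cap,
        "answered": sorted(str(h) for h in table.answered),
        "lost": [str(h) for h in table.lost],
        "sends": sends,
    }


if __name__ == "__main__":
    print(simulate("192.168.0.1-192.168.0.10"))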

[0x04] Comments

    Recently there was a media hype when some monkey.org release his
    'new syncookie driven mega fast best of best' paketto scanner 'which
    he already demonstrated at blackhat' (Hossa! THAT paketto _must_ be
    the shit if it has been presented at blackhat.).

    Let me get this straight:

    In 1998 a israeli group released a paper on bugtraq which documented
    their development and use of a high speed TCP port scanner. The tool
    was capable of scanning the entire internet. The tool was very well
    written but did not support states and had some other difficulites.
    (I lost the URL to that posting. mail me.).

    In 1999 an unknown group developed bscan which was used in a counterstrike
    operation to take down several 10.000 node strong flood networks which
    threatened the internet during that period (I call it 'the kid period' of
    the internet. Any halfgrown kid with the small penis syndrome thought that
    DDoS would be the ultimate art of hacking. Fools.). Bscan was the first
    tool which scanned the internet serveral times on specific ports (the
    ports used by the DDoS agents) withint a single month. When the SANS
    institute found a copy of bscan in the wild they categorized it as 'ddos'
    tool itself. In there opinion is everything that sends out syn packets
    at a rate of 10.000 / sec a DDoS tool :>. Bscan was modular and
    came with a band module, httpd_verson module and was capable to establish
    a full spoofed tcp connection using raw socket. Also bscan missed a state
    table...

    In 2002 that monkey.org guy came up with paketto. His (so he says)
    self-invented new technique that he named 'reverse syncookie technique'
    used the seq number to recognize inbound TCP packets. The same technique
    has already been used by bscan and the israeli tool. That whitehat
    pussy completly failed to address the real problem of high speed
    network scanning. It's not done with a while() loop around send() :>
    The real problems are mac resolving problems, router that send broken
    tcp packets as answer, devices that can only handle one connection at a
    time, MAC table overflow of remote routers, BGP routers that go
    spinnlooping when hit by the scan stream, Half NAT'ed routers (send a
    sync to 1.2.3.4 and get the sync/ack from 4.3.2.1), pseudo intelligent
    firewalls which block the stream and retransmitting packets (You have
    packetlost by scanning a Class A network - at one router or the other.).

    THC-RUT is by far not perfect - it does not intend to be. It also
    does not intend to replace bscan or the israeli tool. It's an
    add-on, not a replacement. This version comes with a state table
    to retransmit lost packets. THC RUT started as a simple arp sending
    packet which spoofed mac's, turned into a usefull local network
    discovery tool and became a OS fingerprinter and host discovery
    tool for large networks in its last release.


anonymous@segfault.net

