OVERVIEW

SpookyScan is a toolset for performing "spooky scanning at a distance."
That is, it contains tools to infer, for example, packet filtering between
two hosts or the MTU from one host to another, without running any software
on either of the hosts or anywhere in between them.

The two high-level tools currently included in this bundle are:

  censortcp4.py  a tool for detecting packet drops in the TCP 3-way
                 handshake between two IPv4 hosts
  mtu6.py        a tool for inferring the MTU between two IPv6 hosts

DEPENDENCIES

This toolset currently only runs on Linux, but implementing support for
other *nix systems may not be too difficult. Patches are welcome!

This toolset bundles modified portions of dpkt, a python package for "fast,
simple packet creation/parsing." The original source can be found here:

  http://code.google.com/p/dpkt/

This code requires recent versions of R, the 'forecast' R package, and the
python-rpy2 R bindings for python. A script named 'dependencies-ubuntu.sh'
is included to automatically install these dependencies on Ubuntu Linux
machines; users of other Linux distributions can use the script as a rough
guide. (The R code will probably be rewritten in python in a future version,
eventually eliminating this dependency.)

These tools send packets with spoofed source addresses, so they require an
unfiltered Internet connection. That means no egress filtering on source
addresses and certainly no stateful firewalls. If you don't know whether
you have an unfiltered Internet connection, then chances are you don't!
See here for more information, including a way to test your connection:

  http://spoofer.cmand.org/summary.php

ASSUMPTIONS

censortcp4.py requires that the chosen client have a globally incrementing
IP ID, that the server doesn't rate-limit SYN/ACKs, and that the client
doesn't rate-limit RSTs. For instance, unfirewalled Windows XP and FreeBSD
machines meet these assumptions. It also requires that you have an unused
IP address on your subnet to ARP spoof. This address is used for packets
whose replies the scanning machine's own kernel must not respond to.
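The three assumptions above are exactly the ones a classic IP-ID side channel
needs: a SYN sent to the server with the client's address spoofed as the
source makes the server send a SYN/ACK to the client, the client answers
that unexpected SYN/ACK with a RST, and every RST advances the client's
global IP ID counter, which the scanner can read back in replies to its own
probes. If either the spoofed SYN or the SYN/ACK is dropped, no RST is sent
and the counter does not move. The following toy model, added here as an
illustration and not code from SpookyScan, simulates the three parties and
the inference; the host model, the control/treatment comparison and the
result labels are this example's own assumptions. The README's dependency
on the R 'forecast' package indicates that the real tool models the
counter's background drift statistically rather than with the fixed
per-interval background used here.

```python
"""Toy model of the IP-ID side channel a censortcp4-style scan relies on.

Constructed example, not SpookyScan code. Three parties: the scanner, a
'client' whose kernel uses one global, incrementing IP ID counter, and a
'server'. The scanner never hears from the server directly; it only sees
the client's IP ID, carried in replies to the scanner's own probes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    ip_id: int = 40000             # current value of the global 16-bit IP ID counter
    background: int = 0            # unrelated packets the client sends per interval
    rst_limit: Optional[int] = None  # max RSTs per interval; None = unlimited
    _rsts: int = 0

    def _emit(self) -> int:
        """Send one IP packet: return its IP ID and advance the 16-bit counter."""
        cur = self.ip_id
        self.ip_id = (self.ip_id + 1) & 0xFFFF
        return cur

    def on_synack(self) -> None:
        """A SYN/ACK for a connection the client never opened is answered with a RST,
        unless a RST rate limiter (violating the README's assumption) swallows it."""
        if self.rst_limit is not None and self._rsts >= self.rst_limit:
            return                  # no RST sent, so no IP ID increment
        self._rsts += 1
        self._emit()

    def on_probe(self) -> int:
        """The scanner's probe elicits a reply whose IP ID the scanner can read."""
        return self._emit()

    def tick(self) -> None:
        """Traffic the client sends on its own during one measurement interval."""
        for _ in range(self.background):
            self._emit()
        self._rsts = 0


@dataclass
class Path:
    syn_dropped: bool = False       # client -> server direction is filtered
    synack_dropped: bool = False    # server -> client direction is filtered


def spoofed_syn(client: Client, path: Path) -> None:
    """The scanner sends a SYN to the server with the client's address as source.
    The server's SYN/ACK (never rate limited, by assumption) travels to the client."""
    if path.syn_dropped or path.synack_dropped:
        return
    client.on_synack()


def ipid_delta(client: Client, path: Path, n_syns: int) -> int:
    """Probe, inject n_syns spoofed SYNs, let one interval pass, probe again.
    Returns how far the counter advanced, excluding the first probe reply itself."""
    before = client.on_probe()
    for _ in range(n_syns):
        spoofed_syn(client, path)
    client.tick()
    after = client.on_probe()
    return ((after - before) & 0xFFFF) - 1


def classify(client: Client, path: Path, n_syns: int = 8) -> str:
    """Compare an interval with injected SYNs against a control interval without.
    Only the increments attributable to the injected SYNs count as RSTs."""
    control = ipid_delta(client, path, 0)
    treated = ipid_delta(client, path, n_syns)
    attributable = treated - control
    if attributable >= n_syns:
        return "No censorship"
    if attributable <= 0:
        return "Handshake packets dropped"
    return "Inconclusive"           # e.g. RST rate limiting or noisy background traffic


if __name__ == "__main__":
    print("open path, idle client:      ", classify(Client(), Path()))
    print("open path, busy client:      ", classify(Client(background=4), Path()))
    print("SYN dropped:                 ", classify(Client(), Path(syn_dropped=True)))
    print("SYN/ACK dropped:             ", classify(Client(), Path(synack_dropped=True)))
    print("client rate-limits RSTs:     ", classify(Client(rst_limit=3), Path()))
```

The last case shows why the README insists on a client that does not
rate-limit RSTs: with a limiter in place some RSTs are silently dropped,
the counter advances by less than the number of injected SYNs, and the
measurement can no longer tell filtering from rate limiting.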
mtu6.py requires that the 'from' host respond to, and not rate-limit, large
ICMP echo requests.

EXAMPLES

To determine if users in Chengdu, China can connect to google.com on port
80, you might first go to http://www.shodanhq.com and search for

  os:freebsd city:"chengdu"

You might first try the first result, say, 1.2.3.4. Then, assuming 5.6.7.8
is an unused address on your subnet, you would run

  # python censortcp4.py google.com 80 1.2.3.4 5.6.7.8
  [...]
  No censorship

If an error occurs using the client, you might try the second shodan
result.

To infer the MTU from 2001:48e0:204:0:20f:35ff:feb1:9880 to
2607:f380:1::118:9a43:2c11:

  # python mtu6.py 2001:48e0:204:0:20f:35ff:feb1:9880 2607:f380:1::118:9a43:2c11
  [...]
  9174

FUTURE

We are working on tools to infer packet filtering at layer 3. We are also
working on tools to infer the MTU between two IPv4 hosts, as well as
additional ways to infer the MTU between two IPv6 hosts.

CONTACT

You may harass me (Jeffrey Knockel) by emailing me at the following
address: jeffk cs unm edu