SpookyScan Source Code

Jeffrey Knockel

This page contains resources for running SpookyScan on your own machine. Unless you're a hacker, you probably want the SpookyScan Web interface instead!

From the README:

OVERVIEW

SpookyScan is a toolset for performing "spooky scanning at a distance."  That
is, it contains tools to infer (e.g.) packet filtering between two hosts or the
MTU from one host to another, without running any software on either of the
hosts or anywhere between them.

The two high-level tools currently included in this bundle are censortcp4.py,
a tool for detecting packet drops in the TCP 3-way handshake between two IPv4
hosts, and mtu6.py, a tool for inferring MTU between two IPv6 hosts.

DEPENDENCIES

This toolset currently only runs on linux, but implementing other *nix support
may not be too difficult.  Patches are welcome!

This toolset bundles modified portions of dpkt, a python package for "fast,
simple packet creation/parsing."  The original source can be found here:

http://code.google.com/p/dpkt/

This code requires recent versions of R, the 'forecast' R package, and the
python-rpy2 R bindings for python.  A script named 'dependencies-ubuntu.sh'
is included to automatically install these dependencies on Ubuntu linux
machines, but other linux users might use the script as a rough guide.  (This
R code will probably be rewritten in python in a future version, eventually
eliminating this dependency.)

These tools require an unfiltered Internet connection.  That means no egress
filtering on source addresses and certainly no stateful firewalls.  If you
don't know if you have an unfiltered Internet connection, then chances are
you don't!  See here for more information:

http://spoofer.cmand.org/summary.php

ASSUMPTIONS

censortcp4.py requires that the chosen client have a globally-incrementing IP
ID, that the server doesn't rate-limit SYN/ACKs and that the client doesn't
rate-limit RSTs.  For instance, unfirewalled Windows XP and FreeBSD machines
meet this assumption.  It also requires that you have an unused IP address on
your subnet to ARP spoof.  This address is used for traffic that the local
kernel must not respond to.

mtu6.py requires that the 'from' host respond to and not rate-limit large
ICMP echo requests.
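The client assumption above, a single globally-incrementing IP ID, is something
you can check on your own hosts.  The following script is an added example and
is not part of SpookyScan: it parses the output of 'tcpdump -n -v' captured on
the host itself, extracts the IPv4 ID of every packet that host sent, and
classifies the counter as global, per-destination, constant or random.  The
sample captures embedded in it are constructed, not real traffic, and the
function names and the 'max_gap' threshold are my own choices.

```python
"""Classify how a host allocates IPv4 IDs from its own tcpdump output.

Added example, not part of SpookyScan.  Capture `tcpdump -n -v src host <ip>`
on the host being assessed and pass the saved text to assess_host().  A single
global counter is what the censortcp4.py client assumption relies on.
"""
import re
from collections import defaultdict

# tcpdump -v prints the IPv4 header on one line and the addresses on the next.
HEADER_RE = re.compile(r"^\S+ IP \(tos 0x[0-9a-f]+, ttl \d+, id (\d+), ")
ADDR_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

# Constructed sample (not a real capture): one host talking to two peers while
# its IP ID advances as a single global counter, including the 16-bit wrap.
SAMPLE_GLOBAL = """\
12:00:01.000001 IP (tos 0x0, ttl 128, id 65533, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.51234 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP (tos 0x0, ttl 128, id 65534, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.10 > 203.0.113.9: ICMP echo request, id 7, seq 1, length 64
12:00:01.001000 IP (tos 0x0, ttl 128, id 65535, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.51234 > 198.51.100.5.80: Flags [.], ack 1, win 502, length 0
12:00:01.200000 IP (tos 0x0, ttl 128, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.10 > 203.0.113.9: ICMP echo request, id 7, seq 2, length 64
12:00:01.300000 IP (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.51234 > 198.51.100.5.80: Flags [P.], seq 1:10, ack 1, win 502, length 9
"""

def parse_tcpdump(text):
    """Return [(src, dst, ip_id), ...] in capture order from tcpdump -n -v output."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            records.append((m.group(1), m.group(2), pending))
            pending = None
    return records

def classify_counter(ids, max_gap=16):
    """'incrementing' if every ID is 1..max_gap above its predecessor (mod 2^16),
    'constant' if it never changes, 'random' otherwise; 'insufficient' below 3 samples."""
    if len(ids) < 3:
        return "insufficient"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= max_gap for d in deltas):
        return "incrementing"
    return "random"

def assess_host(text, src):
    """'global' = one counter shared by all destinations (the README's client
    assumption holds), 'per-destination', 'constant', 'random' or 'insufficient'."""
    sent = [(d, i) for s, d, i in parse_tcpdump(text) if s == src]
    overall = classify_counter([i for _, i in sent])
    if overall == "incrementing":
        return "global"
    if overall in ("constant", "insufficient"):
        return overall
    by_dst = defaultdict(list)
    for d, i in sent:
        by_dst[d].append(i)
    per_dst = [classify_counter(ids) for ids in by_dst.values() if len(ids) >= 3]
    if per_dst and all(c == "incrementing" for c in per_dst):
        return "per-destination"
    return "random"

def make_capture(src, records):
    """Format (dst, ip_id) pairs as constructed two-line tcpdump -v records."""
    out = []
    for n, (dst, ip_id) in enumerate(records):
        out.append(f"12:00:02.{n:06d} IP (tos 0x0, ttl 64, id {ip_id}, offset 0, "
                   f"flags [none], proto ICMP (1), length 84)")
        out.append(f"    {src} > {dst}: ICMP echo request, id 7, seq {n}, length 64")
    return "\n".join(out) + "\n"

# Per-destination counters (modern Linux style): sequential per peer, not overall.
SAMPLE_PER_DST = make_capture("192.0.2.10", [
    ("198.51.100.5", 100), ("203.0.113.9", 5000), ("198.51.100.5", 101),
    ("203.0.113.9", 5001), ("198.51.100.5", 102), ("203.0.113.9", 5002)])

# Randomised IDs: no order overall or per peer.
SAMPLE_RANDOM = make_capture("192.0.2.10", [
    ("198.51.100.5", 3401), ("203.0.113.9", 59012), ("198.51.100.5", 127),
    ("203.0.113.9", 41000), ("198.51.100.5", 9)])

if __name__ == "__main__":
    for name, text in (("global", SAMPLE_GLOBAL), ("per-dst", SAMPLE_PER_DST),
                       ("random", SAMPLE_RANDOM)):
        print(name, "->", assess_host(text, "192.0.2.10"))
```

Only the counter behaviour is decided here; whether a host rate-limits RSTs or
SYN/ACKs, the other half of the assumption, cannot be read from its IDs alone.
A 'global' verdict means the host's outgoing packet count is visible to anyone
who can observe its IDs, which is the property the tool relies on.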

EXAMPLES

To determine if users in Chengdu, China can connect to google.com on port 80,
you might first go to http://www.shodanhq.com and search for

os:freebsd city:"chengdu"

You might try the first result, say, 1.2.3.4.  Then, assuming 5.6.7.8 is
an unused address on your subnet, you would run

# python censortcp4.py google.com 80 1.2.3.4 5.6.7.8
[...]
No censorship

If an error occurs using the client, you might try the second Shodan result.

To infer the MTU from 2001:48e0:204:0:20f:35ff:feb1:9880 to
2607:f380:1::118:9a43:2c11:

# python mtu6.py 2001:48e0:204:0:20f:35ff:feb1:9880 2607:f380:1::118:9a43:2c11
[...]
9174

FUTURE

We are working on tools to infer packet filtering on layer 3.

We are also working on tools to infer MTU between two IPv4 hosts as well as
additional ways to infer MTU between two IPv6 hosts.

Source code


This material is based upon work supported by the National Science Foundation under Grant No. 0844880. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.