Nmap Development mailing list archives



HBGary planned to BLOW THE BALLS OFF OF NMAP!

Fellow Nmap Developers: A serious competitive threat to Nmap has emerged :). You may recall the leaked HBGary emails which received a lot of press lately due to alleged plots to attack and subvert unions, Wikileaks, journalists, etc. Well, I've just been alerted to a leaked email showing that Nmap was in their crosshairs too! At least their Nmap attack wasn't deceptive and shady. They simply planned to write a better scanner, modestly named the "B.E.S.T. Scanner". Greg Hoglund concluded that "this scanner would not take us very long to write, and it would BLOW THE BALLS OFF OF NMAP." Of course it has taken us more than 13 years to take Nmap where it is today. So even Greg had to acknowledge that he and one employee couldn't outdo us in a day. So he proposes that they "take a couple of days" to write their Nmap killer :). I like Greg and all, but this email is too amusing not to pass on:

[from http://hbgary.anonleaks.ch/greg_hbgary_com/13401.html]

From: Greg Hoglund <greg () hbgary com>
To: shawn () hbgary com
Date: Thu, 9 Apr 2009 05:27:55 -0700
Subject: Another project I want to IRAD / Skunk

Shawn,

Now that you are Mr. Kernel I want to suggest that you and I take a couple of days and write a very kick ass port scanner. This isn't HBGary's core business, but if we release it for free it would drive people to our site. I would like to call it "B.E.S.T. Scanner" so people kind of get stuck calling it "the best scanner". We can figure out what BEST means later.

Here is what it does:

DLL for the scanner, so we can make GUI and cmd line versions. DLL decompresses device driver and loads it on the fly for the scan. Device driver does the actual scan using NDIS layer functions. Goal is SPEED SPEED SPEED. We try to scan an entire CLASS-B network in 30 minutes.

Algorithm: We use something called a Linear Feedback Shift Register (LFSR). This is a mathy thing, but it's very cool. We can find source code for such things on the net to help us write it. It's just a few lines of code. What it does is generate a pseudo-random number sequence, but it never repeats the same number twice. For example, we could use it to choose the IP address or Port for a SYN packet, and it would walk the entire range we are scanning, but it would randomize the IP/Port combinations so we don't overload a single IP at once. It would NOT REPEAT any IP/Port combination as it scanned. It's perfect for LOAD BALANCING the scan over a large IP range. The device driver uses a LFSR to scatter / load balance the scan over an entire class B and we collect the responses as they come back. It should be FAST AS SHIT.

For the GUI version of the tool, I will purchase another YWorks license, and we can use YWorks to graph the 'net topology around the scan.

For any traceroute functionality, we can send all TTL packets in one microsecond, instead of waiting for each one to come back before sending the next. This means we can almost instantly traceroute to any IP - it takes microseconds for each trace. (I did this back at Cenzic, not sure if you remember)

We can also do extremely fast DNS resolutions by hand coding the query without wait states.

This scanner would not take us very long to write, and it would BLOW THE BALLS OFF OF NMAP.

-Greg

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
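The one technical claim in the quoted email is the LFSR trick: a maximal-length linear feedback shift register walks every non-zero value of its width exactly once, in an order that looks random, so it can be used as a cheap full-period permutation of a target index space. The example below is added here to illustrate that property; it is not code from the email, from HBGary, or from the Nmap project. It uses the standard 8-bit (0xB8) and 16-bit (0xB400) Galois tap masks from published primitive-polynomial tables, a constructed 10.0.0.0/16 as the example address block, and a hypothetical scatter_order() helper that also handles the two details the email glosses over: an LFSR never produces the all-zero state (so one index must be supplied separately when the space is exactly 2^w), and a target count that is not a power of two needs cycle-walking (discarding out-of-range outputs).

```python
from typing import Iterator, Tuple

# Galois (right-shift) tap masks for maximal-length LFSRs, taken from the
# standard primitive-polynomial tables:
#   8 bits : x^8 + x^6 + x^5 + x^4 + 1          -> 0xB8
#   16 bits: x^16 + x^14 + x^13 + x^11 + 1      -> 0xB400
# With any non-zero seed the register cycles through all 2^w - 1 non-zero
# states before repeating; the all-zero state is a fixed point and never occurs.
TAPS = {8: 0xB8, 16: 0xB400}


def galois_lfsr(seed: int, width: int = 16) -> Iterator[int]:
    """Yield every non-zero w-bit state exactly once, ending on the seed."""
    taps = TAPS[width]
    if seed <= 0 or seed >= (1 << width):
        raise ValueError("seed must be non-zero and fit in the register width")
    state = seed
    while True:
        lsb = state & 1
        state >>= 1
        if lsb:
            state ^= taps      # feedback only when a 1 falls off the end
        yield state
        if state == seed:      # full period reached
            return


def scatter_order(n: int, seed: int = 1) -> Iterator[int]:
    """Yield each index 0..n-1 exactly once in LFSR-scrambled order.

    Hypothetical helper (assumption, not from the email). Picks the smallest
    register width in TAPS that covers n, then maps state -> state - 1.
    """
    widths = [w for w in sorted(TAPS) if (1 << w) >= n]
    if not widths:
        raise ValueError(f"no LFSR width in TAPS covers {n} targets")
    width = widths[0]
    for state in galois_lfsr(seed, width):
        idx = state - 1        # states 1..2^w-1 become indices 0..2^w-2
        if idx < n:            # cycle-walking: drop indices outside the space
            yield idx
    if n == 1 << width:
        yield n - 1            # index 2^w-1 maps to the unreachable zero state


def index_to_target(idx: int, base: Tuple[int, int] = (10, 0)) -> str:
    """Map a 0..65535 index to a host in a /16 (constructed net 10.0.0.0/16)."""
    return f"{base[0]}.{base[1]}.{idx >> 8}.{idx & 0xFF}"


def scatter_stats(n: int = 65536, seed: int = 1) -> Tuple[int, bool, int]:
    """Walk n hosts of a /16 in scattered order.

    Returns (hosts visited, every host visited exactly once, longest run of
    consecutive probes landing in the same /24). A sequential sweep would
    give a run of 256; the LFSR order keeps it far smaller.
    """
    seen = set()
    count = longest = run = 0
    prev_subnet = None
    for idx in scatter_order(n, seed):
        count += 1
        seen.add(idx)
        subnet = idx >> 8      # third octet of index_to_target(idx)
        run = run + 1 if subnet == prev_subnet else 1
        longest = max(longest, run)
        prev_subnet = subnet
    return count, len(seen) == count, longest


if __name__ == "__main__":
    count, unique, longest = scatter_stats()
    print(f"visited {count} hosts, unique={unique}, longest same-/24 run={longest}")
    print("first targets:", [index_to_target(i) for i in list(scatter_order(65536))[:5]])
```

Two points worth noting from the defender's side. The scramble changes only the order, not the volume: the /16 still receives one probe per host in the same window, so a threshold on total probe rate into the block, or on the number of distinct destinations per source, sees exactly the same numbers as for a sequential sweep; only heuristics that key on consecutive addresses are affected. And because the LFSR is a fixed, linear recurrence, the order is fully determined by the tap mask and the seed, so it is a permutation generator, not a source of unpredictability.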
