Nmap Development mailing list archives

Re: PortBunny - FX and Fabs at 24C3


From: "Tyler Reguly" <ht () computerdefense org>
Date: Sun, 13 Jan 2008 23:42:21 -0500

Interesting to see this thread here... I actually spent this evening doing a
comparison between Unicornscan, PortBunny and nmap.

The results can be found here: http://www.computerdefense.org/?p=440

On 1/13/08, bensonk () acm wwu edu <bensonk () acm wwu edu> wrote:

Then, if somebody finds an exploit on your port scanner, it becomes a
kernel-level exploit.  Yeah, that sounds like a fantastic idea.

In response to the question about bloat:  I think nmap is a perfect
size.  I *really* like the version scanning and the OS scanning.
Generally when I'm port scanning something I want to know what it is,
and what versions of things are running, so I generally use those
options every time I scan.

Benson

On Sun, Jan 13, 2008 at 02:22:59PM -0800, doug () hcsw org wrote:
On Sun, Jan 13, 2008 at 11:30:50AM +0000 or thereabouts, Brandon Enright wrote:
o Fabs declares that "the kernel is a good place for a port scanner",
  and indeed PortBunny is a Linux-only kernel module.  They suggest
  that you use a dedicated box and not run other Internet applications
  such as web browsers at the same time.

This is a terrible idea.  I think they did it in the kernel because
they wanted to and went looking for excuses why it was a good idea
later.  If speed is all you're looking for, the Unicornscan guys sure
seem to be doing well with their user-land distributed TCP/IP stack.
There is absolutely no good reason to stuff a portscanner in the
kernel.

I agree, I think this is an astoundingly bad design decision. Not
only is it Linux kernel X.Y.Z specific, but also likely to bring
down your entire system in the event of a bug. I read through the
slides because I was curious why they felt a kernel module was
warranted but found no good explanation. They say that running
in the kernel means that "Timing is as precise as it can get".
I would be interested in the specifics of this (if there are any).
On most systems (except windows and amigaOS), Nmap gets its packet
arrival times from pcap which should mean it was measured in kernel
anyways.

I will be sticking with Nmap for the foreseeable future. :)

Doug




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org




