Nmap Development mailing list archives

Re: HBGary planned to BLOW THE BALLS OFF OF NMAP!

From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 11 Mar 2011 21:59:38 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 11 Mar 2011 13:45:31 -0800
Fyodor <fyodor () insecure org> wrote:

Fellow Nmap Developers:

A serious competitive threat to Nmap's has emerged :).


[...]

From: Greg Hoglund <greg () hbgary com>


[...]

Algorithm:

We use something called a Linear Feedback Shift Register (LFSR). This
is a mathy thing, but it's very cool. We can find source code for such
things on the net to help us write it. It's just a few lines of
code. What it does is generate a psuedo-random number sequence, but it
never repeats the same number twice. For example, we could use it to
choose the IP address or Port for a SYN packet, and it would walk the
entire range we are scanning, but it would randomize the IP/Port
combinations so we don't overload a single IP at once. It would NOT
REPEAT any IP/Port combination as it scanned. It's perfect for LOAD
BALANCING the scan over a large IP range.

The device driver uses a LFSR to scatter / load balance the scan over
an entire class B and we collect the responses as they come back. It
should be FAST AS SHIT.



This is somewhat entertaining.  My modification to -iR to produce no
duplicates is the same thing but instead of using a LFSR I use a LCG +
2-round block-cipher. Somebody forgot to tell Greg that in software a
LCG is way faster than an LFSR ;-)

While I was implementing the non-repeating -iR I thought of a way to do
it for any arbitrary range of IPs efficiently, not just power-of-two
ranges like a /16.

Of course, Nmap uses a congestion-control inspired algorithm to measure
the maximum rate a host can be scanned at which should work better (in
theory) rather than just relying on statistical multiplexing.

Anyways, it's always good to get ideas from others and it might be
worthwhile to revisit the --randomize-hosts and the random port
ordering a bit to exploit PRNG tricks to get no duplicates to help
balance across hosts.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk16m1AACgkQqaGPzAsl94Ic9ACggnl3n5fwORIQ03Fyzc/jZJeA
LC0AnjaWQbk4u5ypzJQ7Lz53chkw36af
=6u7y
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

HBGary planned to BLOW THE BALLS OFF OF NMAP! Fyodor (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Brandon Enright (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Gutek (Mar 11)
  - Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Max (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Fyodor (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Luis MartinGarcia. (Mar 12)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Christian Heinrich (Mar 12)
- <Possible follow-ups>
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Dug Song (Mar 12)