Nmap Development mailing list archives
Re: HBGary planned to BLOW THE BALLS OFF OF NMAP!
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 11 Mar 2011 21:59:38 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 11 Mar 2011 13:45:31 -0800 Fyodor <fyodor () insecure org> wrote:
Fellow Nmap Developers: A serious competitive threat to Nmap's has emerged :).
[...]
From: Greg Hoglund <greg () hbgary com>
[...]
Algorithm: We use something called a Linear Feedback Shift Register (LFSR). This is a mathy thing, but it's very cool. We can find source code for such things on the net to help us write it. It's just a few lines of code. What it does is generate a pseudo-random number sequence, but it never repeats the same number twice. For example, we could use it to choose the IP address or Port for a SYN packet, and it would walk the entire range we are scanning, but it would randomize the IP/Port combinations so we don't overload a single IP at once. It would NOT REPEAT any IP/Port combination as it scanned. It's perfect for LOAD BALANCING the scan over a large IP range. The device driver uses a LFSR to scatter / load balance the scan over an entire class B and we collect the responses as they come back. It should be FAST AS SHIT.
This is somewhat entertaining. My modification to -iR to produce no duplicates is the same thing but instead of using a LFSR I use a LCG + 2-round block-cipher. Somebody forgot to tell Greg that in software a LCG is way faster than an LFSR ;-)

While I was implementing the non-repeating -iR I thought of a way to do it for any arbitrary range of IPs efficiently, not just power-of-two ranges like a /16.

Of course, Nmap uses a congestion-control inspired algorithm to measure the maximum rate a host can be scanned at which should work better (in theory) rather than just relying on statistical multiplexing.

Anyways, it's always good to get ideas from others and it might be worthwhile to revisit the --randomize-hosts and the random port ordering a bit to exploit PRNG tricks to get no duplicates to help balance across hosts.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk16m1AACgkQqaGPzAsl94Ic9ACggnl3n5fwORIQ03Fyzc/jZJeA
LC0AnjaWQbk4u5ypzJQ7Lz53chkw36af
=6u7y
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
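The two techniques the thread contrasts (a maximal-period LFSR, and a full-period LCG followed by a small block cipher) both produce a sequence that visits every value in a range exactly once. The following is an added illustration written for this archive page; it is not code from Nmap, from HBGary, or from any participant in the thread. The LFSR taps, the LCG constants, the toy Feistel round function and the `shuffled_range` / `feistel` / `full_period_lcg` names are all choices made here for the example. It also shows the two caveats a practitioner would want: a maximal-period LFSR never produces the all-zero state, so a /16 needs one slot handled separately, and an LCG modulus must be a power of two for the simple full-period rule, so arbitrary range sizes are handled by cycle-walking (skipping outputs that fall outside the range), which is one way to get the "any arbitrary range" property mentioned in the message.

```python
"""Non-repeating traversal of an index range: LFSR vs. LCG + 2-round Feistel.

Illustrative example, not Nmap's or HBGary's code. Constants and the round
function are assumptions chosen for the demonstration.
"""


def lfsr16(seed=0xACE1):
    """Maximal-period 16-bit Fibonacci LFSR (polynomial x^16+x^14+x^13+x^11+1).

    Yields 2**16 - 1 distinct non-zero states and then stops.  The all-zero
    state is a fixed point of an LFSR, so it is never produced: covering a
    full /16 with this alone leaves one address (index 0) unvisited.
    """
    if not 0 < seed < 0x10000:
        raise ValueError("seed must be a non-zero 16-bit value")
    state = seed
    while True:
        yield state
        # Taps 16, 14, 13, 11 expressed as bit positions 0, 2, 3, 5 of the
        # right-shifting register.
        bit = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
        if state == seed:      # back at the start: full cycle emitted
            return


def full_period_lcg(bits, seed=0, a=1664525, c=1013904223):
    """Yield every value in [0, 2**bits) exactly once.

    With a power-of-two modulus the Hull-Dobell conditions reduce to:
    c is odd and a ≡ 1 (mod 4).  The constants are assumptions that satisfy
    them; any pair that does would work.
    """
    if c % 2 != 1 or a % 4 != 1:
        raise ValueError("LCG constants do not give a full period")
    m = 1 << bits
    x = seed % m
    for _ in range(m):
        yield x
        x = (a * x + c) % m


def feistel(x, bits, keys=(0x9E37, 0x79B9)):
    """Keyed 2-round Feistel permutation on [0, 2**bits), bits even.

    A Feistel network is a bijection whatever its round function, so it keeps
    the LCG's 'each value once' guarantee while scattering the LCG's stride
    pattern.  The round function here is a throwaway mixer, not a real cipher.
    """
    half = bits // 2
    mask = (1 << half) - 1
    left, right = x >> half, x & mask
    for k in keys:
        f = ((right * 0x9E3779B1) ^ k ^ (right >> 3)) & mask
        left, right = right, left ^ f
    return (left << half) | right


def shuffled_range(n, seed=0):
    """Yield every integer in [0, n) exactly once, in a scattered order.

    The LCG/Feistel domain is the smallest even-bit power of two >= n.
    Outputs >= n are skipped (cycle-walking); since the underlying map is a
    bijection on the larger domain, what remains is a bijection on [0, n).
    """
    if n <= 0:
        return
    bits = max(2, (n - 1).bit_length())
    bits += bits % 2                       # Feistel needs an even width
    for x in full_period_lcg(bits, seed):
        y = feistel(x, bits)
        if y < n:
            yield y


def index_to_host_port(i, n_ports):
    """Split a flat index into (host_index, port_index) so that one shuffled
    index range covers every host/port combination exactly once."""
    return divmod(i, n_ports)


def is_permutation(values, n):
    """True if `values` contains each integer in [0, n) exactly once."""
    values = list(values)
    return len(values) == n and sorted(values) == list(range(n))


if __name__ == "__main__":
    print("first 8 LFSR states:", [hex(s) for s, _ in zip(lfsr16(), range(8))])
    print("first 8 of shuffled_range(1000):", list(shuffled_range(1000))[:8])
    print("3 hosts x 4 ports:", [index_to_host_port(i, 4) for i in shuffled_range(12)])
```

`is_permutation` is the check worth running on any such generator before trusting it: the LFSR passes it only for the range `1..65535`, while `shuffled_range` passes it for any `n`, including sizes that are not powers of two.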
Current thread:
- HBGary planned to BLOW THE BALLS OFF OF NMAP! Fyodor (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Brandon Enright (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Gutek (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Max (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Fyodor (Mar 11)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Luis MartinGarcia. (Mar 12)
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Christian Heinrich (Mar 12)
- <Possible follow-ups>
- Re: HBGary planned to BLOW THE BALLS OFF OF NMAP! Dug Song (Mar 12)