These posts republish content from the now defunct grcsucks.com site. The following one is a very good one, by somebody who knows networking: Martin Roesch, the author and lead developer of Snort.
Dissecting GRC's NanoProbes
by martin.roesch, http://www.snort.org
Comments refer to: http://grc.com/np/np.htm
Ok, so in the "broken out" packet dump at the bottom of the page, he's got several errors.
- The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.
- The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort).
- The IP datagram length field shows 44 bytes, but once again we're only shown 40 bytes. Where'd those other 4 bytes go?
Beyond that, this is a standard SYN packet, hardly revolutionary.
The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway. That's why a response has "never been received"... Ooh, spooky!
The other claims are so much fluff. Temporal density? Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.
These packets aren't stealthed by any measure; they're only stealthed to the uninitiated because most people's eyes glaze over when confronted with binary data. What we've been presented with is an ICMP ECHO packet and a TCP SYN packet.
Let's look at the other claims:
"While you wait, real-time operation"
Explanation: When you execute the program, it runs and reports back to you.
"Continuous host-presence verification"
Explanation: When you run the scan, it pings the target to make sure it's up. Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc.) does this.
"Comprehensive host IP address determination"
Explanation: Resolves DNS names, can make other DNS queries.
"Host stealth technology detection, penetration, and appraisal"
Explanation: If the host is discovered, it will be scanned! If the host can be reached through the firewall, it'll also be scanned. If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.
"True firewall, versus simple packet filter, discrimination"
Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.
"Special "Half-Open" TCP connection "SYN" probing"
Explanation: This was special about four years ago, but now it's just called a SYN scan. This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is different from a free port scanner like nmap in exactly 0 ways.
"Advanced TCP non-connection "ACK" probing"
Explanation: They can do ACK scans as well. This is completely revolutionary unless you've used almost any other free scanner in the past four years.
"Fragmented and reordered packet filtering vulnerability assessment"
Explanation: nmap + fragrouter = this capability, plus more!
"UDP/ICMP reflection response probing"
Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back. If it's not available, you'll get an ICMP UNREACHABLE. My god, the amazing powers of this software aren't to be believed!!
"Differential source IP analysis"
Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls. Amazing!
"Personal Router vulnerability assessment"
Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!
"Last-Hop Router vulnerability assessment"
Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.
"Active protocol testing"
Explanation: Application layer testing, such as trying to brute force passwords on SMB shares. This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...
"Packet round trip time (RTT) profiling"
Explanation: This is useful if you're trying to see if there are any time-based elements to see if you're talking to a firewall or directly to the host. Righteous.
"Absolutely spoof proof"
Explanation: "We can't be spoofed because we make our own packets!" What about man in the middle attacks, guys? Are you talking IPv6 or over an encrypted tunnel? No? Oops, you can be spoofed.
Anybody remember the FreeVeracity BS from a few weeks back? I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.
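A small header-consistency checker in the spirit of the three complaints about the packet dump, added here as an example; it is not part of Roesch's post, nor code from Snort or GRC. The packet bytes are constructed (the real dump is not reproduced on the page) and, by default, carry the same three inconsistencies: an IP total length of 44 on a 40-byte packet, a TCP data offset of 6 (24-byte header) with only 20 bytes present, and a SYN with sequence number 0.

```python
import struct

def build_sample_packet(ip_total_len=44, tcp_data_offset=6, seq=0, flags=0x02):
    """Constructed sample: 20-byte IPv4 header plus 20-byte TCP header.
    Defaults reproduce the inconsistencies described in the post; pass
    ip_total_len=40, tcp_data_offset=5 and a nonzero seq for a clean SYN."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # TOS
        ip_total_len,    # total length as written in the header
        0x1234,          # identification (constructed)
        0x4000,          # flags: don't fragment, fragment offset 0
        64,              # TTL
        6,               # protocol: TCP
        0,               # header checksum (not verified here)
        bytes([10, 0, 0, 1]),   # source, constructed RFC 1918 address
        bytes([10, 0, 0, 2]),   # destination, constructed RFC 1918 address
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000,                   # source port (constructed)
        80,                      # destination port
        seq,                     # sequence number
        0,                       # acknowledgment number
        tcp_data_offset << 4,    # data offset in 32-bit words, upper nibble
        flags,                   # 0x02 = SYN
        8192,                    # window
        0,                       # checksum (not verified here)
        0,                       # urgent pointer
    )
    return ip_hdr + tcp_hdr

def check_syn_packet(pkt):
    """Return a list of consistency findings for a raw IPv4/TCP packet."""
    findings = []
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]
    if ip_total_len != len(pkt):                    # header claims more/less than we have
        findings.append(f"ip_len_mismatch:{ip_total_len}!={len(pkt)}")
    tcp = pkt[ihl:]
    seq = struct.unpack("!I", tcp[4:8])[0]
    data_offset = (tcp[12] >> 4) * 4                # TCP header length in bytes
    flags = tcp[13]
    if data_offset < 20 or data_offset > len(tcp):  # below minimum or past packet end
        findings.append(f"tcp_data_offset_bad:{data_offset}")
    if flags & 0x02 and not flags & 0x10 and seq == 0:   # SYN (not SYN-ACK) with ISN 0
        findings.append("syn_seq_zero")
    return findings
```

The same check over a capture would flag such packets the way Roesch says an IDS would, without needing to know anything about the tool that sent them.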