
Tuesday, January 13, 2009 revival - #2

These posts republish content from the now defunct site. The following one is a very good one, by somebody who knows networking: Martin Roesch, the author and lead developer of Snort.

Dissecting GRC's NanoProbes

by martin.roesch

Comments refer to:

Ok, so in the "broken out" packet dump at the bottom of the page, he's got several errors.

  1. The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.
  2. The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort).
  3. The IP datagram length field shows 44-bytes, but once again we're only shown 40-bytes. Where'd those other 4 bytes go?

Beyond that, this is a standard SYN packet, hardly revolutionary.

The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway.  That's why a response has "never been received"... Ooh, spooky!

The other claims are so much fluff.  Temporal density?  Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.

These packets aren't stealthed by any measure, they're only stealthed to the uninitiated because most people's eyes glaze over when confronted with binary data.  What we've been presented with is an ICMP ECHO packet and a TCP SYN packet.

Let's look at the other claims:

"While you wait, real-time operation"
Explanation: When you execute the program, it runs and reports back to you.

"Continuous host-presence verification"
Explanation: When you run the scan, it pings the target to make sure it's up.  Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc) does this.

"Comprehensive host IP address determination"
Explanation: Resolves DNS names, can make other DNS queries.

"Host stealth technology detection, penetration, and appraisal"
Explanation: If the host is discovered, it will be scanned!  If the host can be reached through the firewall, it'll also be scanned.  If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.

"True firewall, versus simple packet filter, discrimination"
Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.

"Special "Half-Open" TCP connection "SYN" probing"
Explanation: This was special about four years ago, but now it's just called a SYN scan.  This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete.  This is different from a free port scanner like nmap in exactly 0 ways.

"Advanced TCP non-connection "ACK" probing"
Explanation: They can do ACK scans as well.   This is completely revolutionary unless you've used almost any other free scanner in the past four years.

"Fragmented and reordered packet filtering vulnerability assessment"
Explanation: nmap + fragrouter = this capability, plus more!

"UDP/ICMP reflection response probing"
Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back.  If it's not available, you'll get an ICMP UNREACHABLE.  My god, the amazing powers of this software aren't to be believed!!

"Differential source IP analysis"
Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls.  Amazing!

"Personal Router vulnerability assessment"
Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!

"Last-Hop Router vulnerability assessment"
Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.

"Active protocol testing"
Explanation: Application layer testing, such as trying to brute force passwords on SMB shares.  This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...

"Packet round trip time (RTT) profiling"
Explanation: This is useful if you're trying to see if there's any time based elements to see if you're talking to a firewall or directly to the host.  Righteous.

"Absolutely spoof proof"
Explanation: "We can't be spoofed because we make our own packets!"   What about man in the middle attacks guys?  Are you talking IPv6 or over an encrypted tunnel?  No?  Oops, you can be spoofed.

Anybody remember the FreeVeracity BS from a few weeks back?  I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.
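The three header inconsistencies Roesch lists at the top of the comment (TCP data offset of 6 over a 20-byte header, a SYN with sequence number 0, an IP total length of 44 over 40 bytes on the wire) are exactly the kind of thing an IDS checks for. The Python below is an added example, not code from the comment, from Snort or from GRC: it applies those three checks to a raw IPv4+TCP packet and builds a constructed 40-byte SYN (not GRC's actual bytes) that reproduces the errors, next to a conventional SYN that passes.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits in the low 9 bits of the offset/flags word

def check_syn_packet(pkt: bytes) -> list:
    """Apply the three sanity checks to a raw IPv4+TCP packet; [] means consistent."""
    findings = []
    if len(pkt) < 20:
        return ["truncated: no full IPv4 header"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if pkt[9] != 6:
        return [f"IP protocol {pkt[9]} is not TCP"]
    # Check 3: IP total length field vs. bytes actually present
    if total_len != len(pkt):
        findings.append(f"IP total length claims {total_len} bytes, {len(pkt)} present")
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        findings.append("truncated: no full TCP header")
        return findings
    _sport, _dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    # Check 1: TCP data offset (header length) vs. TCP bytes actually present
    if data_off > len(tcp):
        findings.append(f"TCP data offset claims {data_off}-byte header, {len(tcp)} present")
    # Check 2: a bare SYN must carry a non-zero initial sequence number
    if flags & SYN and not flags & ACK and seq == 0:
        findings.append("SYN with sequence number 0")
    return findings

def build_syn(total_len: int, data_off_words: int, seq: int) -> bytes:
    """Constructed 40-byte IPv4+TCP SYN (not GRC's bytes). The caller picks the IP
    total length, TCP data offset and ISN; checksums stay 0 (not part of the checks)."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len,   # version 4, IHL 5 (20 bytes), TOS, total length
                     0x1234, 0x4000,       # identification, DF flag set
                     64, 6, 0,             # TTL, protocol 6 = TCP, checksum
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # RFC 5737 test addresses
    tcp = struct.pack("!HHIIHHHH",
                      40000, 80, seq, 0,             # sport, dport, seq, ack
                      (data_off_words << 12) | SYN,  # data offset in 32-bit words, flags = SYN
                      8192, 0, 0)                    # window, checksum, urgent pointer
    return ip + tcp

# The dump as described: length field 44 for 40 bytes, offset 6 (24-byte header) over 20 bytes, ISN 0
nanoprobe_like = build_syn(total_len=44, data_off_words=6, seq=0)
sane = build_syn(total_len=40, data_off_words=5, seq=0x1A2B3C4D)  # conventional SYN for comparison
```

`check_syn_packet(nanoprobe_like)` returns all three findings, while `check_syn_packet(sane)` returns an empty list.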

