Home page logo

bugtraq logo Bugtraq mailing list archives

Scanning ANY internet host anonymously with grc.com
From: Nicolas Gregoire <nicolas.gregoire () 7THZONE COM>
Date: Fri, 1 Sep 2000 10:06:10 +0200

Hi bugtraqers,

here's the description of a problem with the ShieldsUp! port scanner
available on-line from grc.com.

The story began with a post by Jason Sheffield (jsheffield at AXENT dot
COM) to the penetration testers mailing-list (pen-test at securityfocus
dot com) on Wednesday 23 :

  I have actually had Gibson Research's  (www.grc.com) downloadable
used against me (Previous job with an International Telecom) to scan
visible to the Internet.  I was a lone PIX admin with the job of
down possible intrusion attempts.  All that it requires is that you have
dual NIC'ed (or modem and NIC) host and you assign one of your
the IP of the box you are trying to scan.  The client will ask which IP
your "LOCAL" machine you would like to scan, and Viola, you have an
anonymous port scanner at your fingertips.  All sniffer traces point
back to GRC, and stop there.  Nice "feature" don't you think.

Trying it from my corporate LAN, I was able to reproduce it from a
machine with only one NIC and no modem by creating a false network
interface and setting the IP adress of the card to the address of the
internet host that I want to (anonymously) scan for open ports.

It works like a charm ....

So I exchange several mails with Steve Gibson and here is his last
answer :

No, you're right, I don't like that at all.  But at least the process
can not be easily automated.  Also, I'm about to start in on a MAJOR
revamping of the ShieldsUp scanner.  Here's the current planing page:


As you'll see, this next-generation scan cannot be "faked out" in the
same fashion since it deliberately maintains open and active
connections to the user's target browser and penetrates NAT routers
and firewalls.
[cut ...]

So, while the ShieldsUp! port-scanner is online, it is possible to scan
any internet host with an originator IP address of (aka
shieldsup.grc.com), but the process cannot be easily automated.

Sorry for the length of the post, but I want to give proper credits to
each person involved here.
So, I thank too Pascal Stoubenfolle (pascal at 7thzone dot com) for
helping me with this english text.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]