mailing list archives
HBGary planned to BLOW THE BALLS OFF OF NMAP!
From: Fyodor <fyodor () insecure org>
Date: Fri, 11 Mar 2011 13:45:31 -0800
Fellow Nmap Developers:
A serious competitive threat to Nmap's has emerged :). You may recall
the leaked HB Gary emails which received a lot of press lately due to
alleged plots to attack and subvert unions, Wikileaks, journalists,
etc. Well, I've just been alerted to a leaked email showing that Nmap
was in their crosshairs too!
At least their Nmap attack wasn't deceptive and shady. They simply
planned to write a better scanner, modestly named the
"B.E.S.T. Scanner". Greg Hoglund concluded that "this scanner would
not take us very long to write, and it would BLOW THE BALLS OFF OF
Of course it has taken us more than 13 years to take Nmap where it is
today. So even Greg had to acknowledge that he and one employee
couldn't outdo us in a day. So he proposes that they "take a couple
of days" to write their Nmap killer :).
I like Greg and all, but this email is too amusing not to pass on:
From: Greg Hoglund <greg () hbgary com>
To: shawn () hbgary com
Date: Thu, 9 Apr 2009 05:27:55 -0700
Subject: Another project I want to IRAD / Skunk
Now that you are Mr. Kernel I want to suggest that you and I take a
couple of days and write a very kick ass port scanner. This isn't
HBGary's core business, but if we release it for free it would drive
people to our site.
I would like to call it "B.E.S.T. Scanner" so people kind of get stuck
calling it "the best scanner". We can figure out what BEST means
Here is what it does:
DLL for the scanner, so we can make GUI and cmd line versions. DLL
decompresses device driver and loads it on the fly for the scan.
Device driver does the actual scan using NDIS layer functions. Goal
is SPEED SPEED SPEED.
We try to scan an entire CLASS-B network in 30 minutes.
We use something called a Linear Feedback Shift Register (LFSR). This
is a mathy thing, but it's very cool. We can find source code for such
things on the net to help us write it. It's just a few lines of
code. What it does is generate a psuedo-random number sequence, but it
never repeats the same number twice. For example, we could use it to
choose the IP address or Port for a SYN packet, and it would walk the
entire range we are scanning, but it would randomize the IP/Port
combinations so we don't overload a single IP at once. It would NOT
REPEAT any IP/Port combination as it scanned. It's perfect for LOAD
BALANCING the scan over a large IP range.
The device driver uses a LFSR to scatter / load balance the scan over
an entire class B and we collect the responses as they come back. It
should be FAST AS SHIT.
For the GUI version of the tool, I will purchase another YWorks
license, and we can use YWorks to graph the 'net topology around the
For any traceroute functionality, we can send all TTL packets in one
microsecond, instead of waiting for each one to come back before
sending the next. This means we can almost instantly tracerooute to
any IP - it takes microseconds for each trace. (I did this back at
cenzic not sure if you remember)
We can also do extremely fast DNS resolutions by hand coding the query
without wait states.
This scanner would not take us very long to write, and it would BLOW
THE BALLS OFF OF NMAP.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
- HBGary planned to BLOW THE BALLS OFF OF NMAP! Fyodor (Mar 11)