Bugtraq mailing list archives

Scanning ANY internet host anonymously with grc.com


From: Nicolas Gregoire <nicolas.gregoire () 7THZONE COM>
Date: Fri, 1 Sep 2000 10:06:10 +0200

Hi bugtraqers,

here's the description of a problem with the ShieldsUp! port scanner
available on-line from grc.com.

The story began with a post by Jason Sheffield (jsheffield at AXENT dot
COM) to the penetration testers mailing-list (pen-test at securityfocus
dot com) on Wednesday 23:

-----------------------------------------------------------------------
Mark,
  I have actually had Gibson Research's (www.grc.com) downloadable
client used against me (previous job with an international telecom) to
scan hosts visible to the Internet.  I was a lone PIX admin with the job
of tracking down possible intrusion attempts.  All that it requires is
that you have a dual NIC'ed (or modem and NIC) host and you assign one
of your interfaces the IP of the box you are trying to scan.  The client
will ask which IP of your "LOCAL" machine you would like to scan, and
Voila, you have an anonymous port scanner at your fingertips.  All
sniffer traces point right back to GRC, and stop there.  Nice "feature",
don't you think?
-----------------------------------------------------------------------

Trying it from my corporate LAN, I was able to reproduce it from a
machine with only one NIC and no modem by creating a false network
interface and setting the IP address of the card to the address of the
internet host that I want to (anonymously) scan for open ports.

It works like a charm...

So I exchanged several mails with Steve Gibson, and here is his last
answer:

-----------------------------------------------------------------------
No, you're right, I don't like that at all.  But at least the process
can not be easily automated.  Also, I'm about to start in on a MAJOR
revamping of the ShieldsUp scanner.  Here's the current planning page:

               http://grc.com/r&d/nextscanner.htm

As you'll see, this next-generation scan cannot be "faked out" in the
same fashion since it deliberately maintains open and active
connections to the user's target browser and penetrates NAT routers
and firewalls.
[cut ...]
-----------------------------------------------------------------------

So, while the ShieldsUp! port-scanner is online, it is possible to scan
any internet host with an originator IP address of 207.71.92.193 (aka
shieldsup.grc.com), but the process cannot be easily automated.
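The root of the problem is a trust decision: the scanner probes whatever "local" address the client claims, instead of the address it actually sees on the connection. The following Python is an added illustration, not code from GRC or from this post; the `ScanRequest` structure, the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScanRequest:
    """One request as a web-facing scanner service sees it (constructed for this example)."""
    peer_ip: str                       # address on the far end of the live TCP connection
    claimed_ip: Optional[str] = None   # "local IP" the client asks the service to probe


def select_target_vulnerable(req: ScanRequest) -> str:
    # The flaw described in the post: whatever address the client claims is scanned.
    # A client that has bound someone else's address to a spare interface gets that
    # host scanned, and the scanned host only ever sees the scanner service's own IP.
    return req.claimed_ip or req.peer_ip


def select_target_hardened(req: ScanRequest) -> str:
    # Bind the target to the peer address the service itself observes on the connection.
    # A client-supplied address is accepted only when it equals that observed peer.
    peer = ipaddress.ip_address(req.peer_ip)
    if peer.is_loopback or peer.is_multicast or peer.is_unspecified:
        raise ValueError(f"refusing to scan implausible peer address {peer}")
    if req.claimed_ip is not None and ipaddress.ip_address(req.claimed_ip) != peer:
        raise PermissionError(
            f"peer {peer} asked for {req.claimed_ip}; targets must match the connection peer"
        )
    return str(peer)


def triage(requests):
    """Return (vulnerable_target, hardened_target_or_None) for each request, for review."""
    out = []
    for req in requests:
        try:
            hardened = select_target_hardened(req)
        except (ValueError, PermissionError):
            hardened = None
        out.append((select_target_vulnerable(req), hardened))
    return out


# Constructed sample: a genuine self-scan, a claimed address that is not the peer
# (the scenario in the post), and a request that names no address at all.
SAMPLE = [
    ScanRequest("198.51.100.7", "198.51.100.7"),
    ScanRequest("198.51.100.7", "203.0.113.44"),
    ScanRequest("198.51.100.7"),
]

if __name__ == "__main__":
    for req, (vuln, hard) in zip(SAMPLE, triage(SAMPLE)):
        print(f"peer={req.peer_ip} claimed={req.claimed_ip}: vulnerable->{vuln} hardened->{hard}")
```

Note that the hardened check only moves trust to the connection peer; as Gibson's reply points out, a design that keeps an active connection open to the requesting client is what makes that peer address meaningful for the whole scan.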

Sorry for the length of the post, but I want to give proper credit to
each person involved here.
I also thank Pascal Stoubenfolle (pascal at 7thzone dot com) for
helping me with this English text.
