Nmap Development mailing list archives

HBGary planned to BLOW THE BALLS OFF OF NMAP!


From: Fyodor <fyodor () insecure org>
Date: Fri, 11 Mar 2011 13:45:31 -0800

Fellow Nmap Developers:

A serious competitive threat to Nmap has emerged :).  You may recall
the leaked HB Gary emails which received a lot of press lately due to
alleged plots to attack and subvert unions, Wikileaks, journalists,
etc.  Well, I've just been alerted to a leaked email showing that Nmap
was in their crosshairs too!

At least their Nmap attack wasn't deceptive and shady.  They simply
planned to write a better scanner, modestly named the
"B.E.S.T. Scanner".  Greg Hoglund concluded that "this scanner would
not take us very long to write, and it would BLOW THE BALLS OFF OF
NMAP."

Of course it has taken us more than 13 years to take Nmap where it is
today.  So even Greg had to acknowledge that he and one employee
couldn't outdo us in a day.  So he proposes that they "take a couple
of days" to write their Nmap killer :).

I like Greg and all, but this email is too amusing not to pass on:

[from http://hbgary.anonleaks.ch/greg_hbgary_com/13401.html]

From: Greg Hoglund <greg () hbgary com>
To: shawn () hbgary com
Date: Thu, 9 Apr 2009 05:27:55 -0700
Subject: Another project I want to IRAD / Skunk

Shawn,

Now that you are Mr. Kernel I want to suggest that you and I take a
couple of days and write a very kick ass port scanner. This isn't
HBGary's core business, but if we release it for free it would drive
people to our site.

I would like to call it "B.E.S.T. Scanner" so people kind of get stuck
calling it "the best scanner". We can figure out what BEST means
later.

Here is what it does:

DLL for the scanner, so we can make GUI and cmd line versions.  DLL
decompresses device driver and loads it on the fly for the scan.
Device driver does the actual scan using NDIS layer functions.  Goal
is SPEED SPEED SPEED.
We try to scan an entire CLASS-B network in 30 minutes.

Algorithm:

We use something called a Linear Feedback Shift Register (LFSR). This
is a mathy thing, but it's very cool. We can find source code for such
things on the net to help us write it. It's just a few lines of
code. What it does is generate a pseudo-random number sequence, but it
never repeats the same number twice. For example, we could use it to
choose the IP address or Port for a SYN packet, and it would walk the
entire range we are scanning, but it would randomize the IP/Port
combinations so we don't overload a single IP at once. It would NOT
REPEAT any IP/Port combination as it scanned. It's perfect for LOAD
BALANCING the scan over a large IP range.

The device driver uses a LFSR to scatter / load balance the scan over
an entire class B and we collect the responses as they come back. It
should be FAST AS SHIT.

For the GUI version of the tool, I will purchase another YWorks
license, and we can use YWorks to graph the 'net topology around the
scan.

For any traceroute functionality, we can send all TTL packets in one
microsecond, instead of waiting for each one to come back before
sending the next. This means we can almost instantly traceroute to
any IP - it takes microseconds for each trace. (I did this back at
Cenzic, not sure if you remember)

We can also do extremely fast DNS resolutions by hand coding the query
without wait states.

This scanner would not take us very long to write, and it would BLOW
THE BALLS OFF OF NMAP.

-Greg
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
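The LFSR-ordered scan Greg sketches above, worked out as an added example (my own code, written for this archive page; it is not from the original post, from HBGary, or from Nmap): a Galois LFSR of the smallest width whose period covers the combined (host, port) index space, with two details the message glosses over handled explicitly. A maximal-length n-bit register only ever visits the 2^n - 1 non-zero states, so the one index it cannot produce (2^n - 1) has to be emitted separately when the range is a power of two, and indices beyond the range are skipped (they cannot recur within a period, so every in-range pair still comes out exactly once). The tap table, the /16 target block, the port list and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Feedback taps (exponents of a primitive polynomial over GF(2), constant term
 * implied, zero-padded) for maximal-length LFSRs of width 2..32, taken from
 * standard tables (Wikipedia's LFSR article, HAC table 4.8, Xilinx XAPP052).
 * A width-n register with these taps visits every non-zero state once per
 * period of 2^n - 1 steps.  Assumed for this example, not from the post. */
static const uint8_t LFSR_TAPS[33][4] = {
    {0}, {0}, {2, 1}, {3, 2}, {4, 3}, {5, 3}, {6, 5}, {7, 6},
    {8, 6, 5, 4}, {9, 5}, {10, 7}, {11, 9}, {12, 6, 4, 1}, {13, 4, 3, 1},
    {14, 5, 3, 1}, {15, 14}, {16, 14, 13, 11}, {17, 14}, {18, 11}, {19, 5, 2, 1},
    {20, 17}, {21, 19}, {22, 21}, {23, 18}, {24, 23, 22, 17}, {25, 22},
    {26, 6, 2, 1}, {27, 5, 2, 1}, {28, 25}, {29, 27}, {30, 6, 4, 1}, {31, 28},
    {32, 22, 2, 1},
};

typedef struct {
    unsigned width;          /* register width n: smallest with 2^n >= range */
    uint32_t mask, seed;     /* Galois feedback mask; starting non-zero state */
    uint32_t state;          /* current state, 0 once the full period has run */
    uint64_t range;          /* nhosts * nports combined (host, port) indices */
    uint32_t nhosts, nports;
    const uint16_t *ports;   /* port list; may be NULL if only indices are used */
    int tail_done;           /* index 2^n - 1 (never produced by the LFSR) emitted? */
} scan_order_t;

static uint32_t lfsr_mask(unsigned width) {
    uint32_t m = 0;
    for (int i = 0; i < 4 && LFSR_TAPS[width][i]; i++)
        m |= (uint32_t)1 << (LFSR_TAPS[width][i] - 1);   /* tap t -> bit t-1 */
    return m;
}

/* One Galois (right-shift) LFSR step; a non-zero state stays non-zero. */
static uint32_t lfsr_step(uint32_t s, uint32_t mask) {
    uint32_t lsb = s & 1u;
    s >>= 1;
    return lsb ? (s ^ mask) : s;
}

int scan_order_init(scan_order_t *o, uint32_t nhosts, const uint16_t *ports,
                    uint32_t nports, uint32_t seed) {
    uint64_t range = (uint64_t)nhosts * nports;
    if (range == 0 || range > ((uint64_t)1 << 32)) return -1;
    memset(o, 0, sizeof *o);
    o->width = 2;
    while (((uint64_t)1 << o->width) < range) o->width++;
    o->mask = lfsr_mask(o->width);
    o->range = range; o->nhosts = nhosts; o->nports = nports; o->ports = ports;
    seed &= (uint32_t)(((uint64_t)1 << o->width) - 1);   /* fit the register */
    o->seed = o->state = seed ? seed : 1;                 /* 0 is a fixed point */
    return 0;
}

/* Next combined index in [0, range), each exactly once; returns 0 when done. */
int scan_order_next_index(scan_order_t *o, uint64_t *k_out) {
    while (o->state != 0) {
        uint64_t k = (uint64_t)o->state - 1;    /* states 1..2^n-1 -> 0..2^n-2 */
        o->state = lfsr_step(o->state, o->mask);
        if (o->state == o->seed) o->state = 0;  /* back at the seed: period done */
        if (k < o->range) { *k_out = k; return 1; }
        /* k >= range is outside the target space: skip it, it cannot recur */
    }
    uint64_t tail = ((uint64_t)1 << o->width) - 1;   /* the index the LFSR skips */
    if (o->tail_done || tail >= o->range) return 0;
    o->tail_done = 1;
    *k_out = tail;
    return 1;
}

/* Same sequence, decoded to (host offset within the block, port). */
int scan_order_next(scan_order_t *o, uint32_t *host, uint16_t *port) {
    uint64_t k;
    if (!scan_order_next_index(o, &k)) return 0;
    *host = (uint32_t)(k % o->nhosts);
    *port = o->ports[k / o->nhosts];
    return 1;
}

/* The check the scan depends on: every (host, port) pair produced exactly once.
 * Returns 1 on success; a non-primitive tap set shortens the period and fails. */
int scan_order_covers_once(uint32_t nhosts, uint32_t nports, uint32_t seed) {
    scan_order_t o;
    if (scan_order_init(&o, nhosts, NULL, nports, seed) != 0) return 0;
    uint8_t *seen = calloc((size_t)o.range, 1);
    if (!seen) return 0;
    uint64_t k, n = 0;
    int ok = 1;
    while (scan_order_next_index(&o, &k))
        if (k >= o.range || seen[k]++) { ok = 0; break; } else n++;
    free(seen);
    return ok && n == o.range;
}

int main(void) {
    static const uint16_t ports[] = {22, 80, 443};    /* constructed port list */
    scan_order_t o;
    uint32_t host; uint16_t port; uint64_t n = 0;
    scan_order_init(&o, 65536, ports, 3, 0xC0FFEEu);  /* a constructed /16, 3 ports */
    while (scan_order_next(&o, &host, &port))
        if (n++ < 8) printf("SYN 10.20.%u.%u:%u\n", host >> 8, host & 0xFFu, (unsigned)port);
    printf("%llu targets from a %u-bit register, each exactly once: %s\n",
           (unsigned long long)n, o.width,
           scan_order_covers_once(65536, 3, 0xC0FFEEu) ? "yes" : "no");
    return 0;
}
```

Two things worth keeping in mind when using this pattern for real. First, run the coverage check whenever you change the tap table: a polynomial that is irreducible but not primitive, or simply mistyped, gives a register that silently returns to its seed early, and the scanner then skips hosts without any error. Second, the order is only load balancing, not concealment: anyone who knows the width and the seed can regenerate the whole sequence, so this spreads probes across the /16 but does nothing to make the scan harder to attribute or detect.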

