Net Security With "NanoProbes"

An anonymous reader writes that "Steve Gibson is working on something called NanoProbe technology. He describes it as advanced remote Internet security testing. " Lots of interesting stuff to think about in there (despite the fact that he says its designed for windows). Its quite technical, and apparently moving fairly quickly forward.

Re:ICMP?

It's funnier than that. Packets which are source routed are dropped by all sane TCP/IP implementations. Ditto for any with blank sequence numbers. Don't worry about some stupid sites blocking ICMP (ahemslashdotahem) as a form of "Security" .. nmap and other sane scanners just go ahead and try to TCP connect to a WellKnown port to get an ACK or an RST packet back. No big deal.

Life is not like Gibson Sci-Fi because people are not that ignorant of technology! Though there are certainly enough that try to prove me wrong :-/
--

Re:What a fck'ing joke

Does that mean you sit there tapping out the packet contents with your space bar?

No, it means each packet is carved from only the finest oak by third-generation master craftsmen in rural Vermont and comes with a signed certificate of authenticity.

Bruce

temporal density

Er- I love how he says that packets can move at twice the temporal density. Ignoring the units mismatch (does this mean I can now read slashdot at twice the pressure, or get in my car and do 0-60 at twice the volume?), isn't this just a marketroid way of saying twice as fast?

The whole thing strikes me as self-congradulatory drivel. He may have found a way to do something useful/cool, but it's hard to see through all the bull splattered on the page.

The Point, Temporal Density, etc.

This was definitely a somewhat silly annoucement; it sounds early. Basically though, proving that windows blows is an honorable goal.

Temporal Density is a perfectly fine unit. If you can get twice as many of these packets through the same bandwidth in a given time, you have twice the temporal density. What he's saying about nanopackets is really that he's done lowlevel work by hand to get the packets as small as possible. This is how beautifully efficient things are done.

NP is not his primarly technology. His primary technology is the methodology of the floods. He's simply claiming they are twice as fast and possibly more capable, because he's using the best possible substructure for his floods, nanopackets.

Then what he does after that is give out a bunch of things it can do, without saying HOW, either because it's proprietary or because he doesn't know yet. This is why /. eats him alive, since anything ever done without full disclosure at any time is naturally the root of all evil. (actually, antibacterial soap in the home is the root of all (some) evil. www.cdc.gov)

He did not say it couldn't be blocked, he said it worked on stealthed computers. Certainly, if a secure router routes no outside packets, ever, then there can be no TCP/IP vulnerability (except in router security, or in there being another router or takeable machine on the internal network) But a stealthed machine which at some times has some interaction with the outside world has to respond to some kind of packet sometime, by definition. It would certainly ignore ping. Whether he succeeds at this I don't know, but it certainly is theoretically possible to succeed, at least in any specific case. (and a sufficiently long list of specific cases...)

I have at least 1 issue with GENESIS, which I should probably mail to him. In principle, he seems to have found the theoretical limit of this type of security inspection (@ packet level only) and if it all works as planned, it'll be great.

But he basically needs to provide more details, or not have a press release, or at least have a higher fact/buzzword ratio.

Re:Probe me...

There must be a killing to be made by selling network tools that caress, fondle, grope, kiss, lick, and suck.

"Our potent NetGrope Technology can unhook the access control on the back of most firewalls, thereby letting you caress the bouncing packets beyond."

---

Probe me...

Let's see, they probe, crack, hack, sniff...

What kind of pervert thinks all this stuff up?!

--

Hmm... This is sort of interesting, I suppose.

From the web site:

"Aren't NanoProbes just IP packets?

Of course they are."

I think that just about sums this up. They've put a fancy name on an existing technology, and claimed "innovation and invention." 'nmap' uses this sort of thing every day, it seems. Sure, they may have tweaked the packets to elicit specific responses from the target, but how is that any different than existing fingerprinting techniques? I don't think it is(although, I'm don't really know a whole heck of a lot about this stuff).

I used to really respect GRC. Their "ShieldUp!" was pretty darned cool, but these announcements all sound like bloddy half-baked press releases. I could be proven wrong, but this sounds really lame.

Dave
'Round the firewall,
Out the modem,
Through the router,
Down the wire,

WTF is the marketing nonsense?

That page is so full of marketroid(tm) rubbish, I can't make any sense out of it. It seems like an implementation of tcp/ip fingerprinting, but enhanced with drug abuse by the author.

I suppose you can't underestimate the power of catch buzzwords. Transmeta couldn't raise any finance until they renamed their tech to CodeMorphing. The BDU's will probably fall for it.

nmap on steroids?

So what we have here is somebody who has taken the idea of portscanning, promisc detection, tcp fingerprinting, etc... and then injected it with many many drugs...

Wonder if this is any relation to _THE_ Gibson? Would be fitting wouldn't it...

has Steve been smokin' crack again?

http://grc.com/steve.htm#project-x

Could this nano-probe technology be Steve's fabled project x?

PROJECT-X's display will expose crucial information that's been hidden inside your computer by people who have their best interests in mind, not yours.

It automatically finds easter eggs?

I DO know how bizarre this sounds. "Hidden truths?" "Other people in control?" "Unnerving secrets buried in our computers?" I wouldn't blame you for thinking that I'm being deliberately over-dramatic, and you might wonder what I've been smoking out here in Southern California. Or whether, perhaps, I've become a little too involved with the X-Files TV show.

Currently I'm thinking about dolphin sex.. but that's what happens when you read /. posts :-(

I don't yet know for sure that I can even do what PROJECT-X requires..

This is the line I like the most.. it sounds like the guy is trying to write the all-in-one point-and-click hacking tool or something. 'Yeah.. just type in the IP address and click go.. you'll automatically be placed in a shell account as root.. or if it's windows.. NetBus will automatically be installed for you.. ??'

Has anyone joined the mailing list to 'apprised of my progress'?

..I couldn't find any links to the nano-project on the main site ..but I didn't look that hard.. maybe this initial article was describing it?

Idi

- I don't have a .sig .. I type this in by hand each time!

Too bad his example packets are wrong...

Ok, so in the "broken out" packet dump at the bottom of the page, he's got several errors.

1) The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.

2) The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort [snort.org]).

3) The IP datagram length field shows 44-bytes, but once again we're only shown 40-bytes. Where'd those other 4 bytes go?

Beyond that, this is a standard SYN packet, hardly revolutionary.

The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway. That's why a response has "never been received"... Ooh, spooky!

The other claims are so much fluff. Temporal density? Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.

These packet's aren't stealthed by any measure, they're only stealthed to the uninitiated because most peoples eyes glaze over when confronted with binary data. What we've been presented with is a an ICMP ECHO packet and a TCP SYN packet.

Let's look at the other claims:

"While you wait, real-time operation"
Explanation: When you execute the program, it runs and reports back to you.

"Continuous host-presence verification"
Explanation: When you run the scan, it pings the target to make sure it's up. Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc) does this.

"Comprehensive host IP address determination"
Explanation: Resolves DNS names, can make other DNS queries.

"Host stealth technology detection, penetration, and appraisal"
Explanation: If the host is discovered, it will be scanned! If the host can be reached through the firewall, it'll also be scanned. If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.

"True firewall, versus simple packet filter, discrimination"
Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.

"Special "Half-Open" TCP connection "SYN" probing"
Explanation: This was special about four years ago, but now it's just called a SYN scan. This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is different from a free port scanner like nmap in exactly 0 ways.

"Advanced TCP non-connection "ACK" probing"
Explanation: They can do ACK scans as well. This is completely revoloutionary unless you've used almost any other free scanner in the past four years.

"Fragmented and reordered packet filtering vulnerability assessment
Explanation: nmap + fragrouter = this capability, plus more!

"UDP/ICMP reflection response probing"
Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back. If it's not available, you'll get an ICMP UNREACHABLE. My god, the amazing powers of this software aren't to be believed!!

"Differential source IP analysis"
Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls. Amazing!

"Personal Router vulnerability assessment"
Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!

"Last-Hop Router vulnerability assessment"
Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.

"Active protocol testing"
Explanation: Application layer testing, such as trying to brute force passwords on SMB shares. This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...

"Packet round trip time (RTT) profiling"
Explanation: This is useful if you're trying to see if there's any time based elements to see if you're talking to a firewall or directly to the host. Righteous.

"Absolutely spoof proof"
Explanation: "We can't be spoofed because we make our own packets!" What about man in the middle attacks guys? Are you talking IPv6 or over an encrypted tunnel? No? Oops, you can be spoofed.

Anybody remember the FreeVeracity BS from a few weeks back? I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.

Folks, it's Steve Gibson

I don't understand why people are making so many bitter and sarcastic comments about this. This is Steve Gibson being Steve Gibson, and it isn't any big deal.

Why is it only for Windows? Because Steve Gibson wrote it. He likes to write "hand-crafted" assembly language, for x86 platforms. So he wrote it for Windows.

Maybe it reads like a press release. But don't forget... when he finally has something to release, he is going to give it away free (like beer). He isn't spamming this page out by email, he isn't trying to trick anyone out of their money, so why are people so worked up?

He wrote, and gave away, a cool utility [grc.com] for Zip disk owners. He also wrote and gave away some other stuff, and let's not forget how cool his Shields Up! page has always been.

Even if we moderate his latest web page (-1, marketdroid-speak) he has plenty of karma left over.

steveha

Whee!

"By utilizing specially hand-crafted phrases, I can get my marketing baloney past the engineers in your corporation who actually know anything and slip these content-free fluff pages right through your middle management directly to the top level of PHB's, who of course will, when they realize the incredible quantity of technological gibberish and understand the amazing new level of buzzword-compatibility these hand-crafted phrases exhibit, want to give me bundles and bundles of money for a product that does essentially what 'nmap' already does and has done for many many years. Only mine only works under Windows, is all made out of hand-crafted bits-n-bytes (none of those 'compiled' bits-n-bytes for me!) and has an eight-hundred page manual that's so confusing that hopefully those PHB's will never figure out enough about my software to realize it doesn't really do anything new or unique or possibly even useful."

What crap.

-=-=-=-=-

Lots of buzzwords, not much content

These 'nanoprobes' are just minimalist valid packets, headers with zero data.

The page is full of anthropomorphism and redundant quasi-technical terms just thrown in to make it look impressive. When you actually look for some hard facts, they're fairly lacking.

So what that they're less than half the size of the ping packets produced by MS ping, which always sends 32 bytes of data. Can we say ping -s 1 host? Sends 232-bit packets (224 header + 8 bits data). (It gets 9-byte replies = 224 + 9*8 = 296-bit replies... still not far off the 224-bit of the minimalist packets).

There's no actual evidence presented that the lack of data in the packet causes them to be processed in such a radically different way as is suggested, bypassing any and all firewalls, NAT and proxies.

Looks like sensationalist hype so far. They may have some use in highlighting exception cases in software (who'd expect zero length data anyway), and his customised TCP/IP suite will probably just be used to send more pings per second.

Re:Does not look that thrilling to me...

You know how he gets past the NAT/firewall? A *client-side program*. He's just sending packets to that program that the user installed, and the program is getting the data, and sending it back out. He's not "bypassing" the firewall, he's written a bloody server so he can read people's machine's information. Good lord, that's an ugly hack if I've ever seend one.

Dave
'Round the firewall,
Out the modem,
Through the router,
Down the wire,