These posts republish content from the now defunct grcsucks.com site. The following one is a very good one, by somebody who knows networking: Martin Roesch, the author and lead developer of Snort.
Dissecting GRC's NanoProbes, by martin.roesch (http://www.snort.org)
Comments refer to : http://grc.com/np/np.htm
Ok, so in the "broken out" packet dump at the bottom of the page, he's got several errors.
- The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.
- The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort).
- The IP datagram length field shows 44-bytes, but once again we're only shown 40-bytes. Where'd those other 4 bytes go?
Beyond that, this is a standard SYN packet, hardly revolutionary.
The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway. That's why a response has "never been received"... Ooh, spooky!
The other claims are so much fluff. Temporal density? Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.
These packets aren't stealthed by any measure; they're only stealthed to the uninitiated because most people's eyes glaze over when confronted with binary data. What we've been presented with is an ICMP ECHO packet and a TCP SYN packet.
Let's look at the other claims:
"... wait, real-time operation"
Explanation: When you execute the program, it runs and reports back to you.
Explanation: When you run the scan, it pings the target to make sure it's up. Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc) does this.
"... host IP address determination"
Explanation: Resolves DNS names, can make other DNS queries.
"... technology detection, penetration, and appraisal"
Explanation: If the host is discovered, it will be scanned! If the host can be reached through the firewall, it'll also be scanned. If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.
"... versus simple packet filter, discrimination"
Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.
"... "Half-Open" TCP connection "SYN" probing"
Explanation: This was special about four years ago, but now it's just called a SYN scan. This is different from a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is different from a free port scanner like nmap in exactly 0 ways.
"... TCP non-connection "ACK" probing"
Explanation: They can do ACK scans as well. This is completely revolutionary unless you've used almost any other free scanner in the past four years.
"... and reordered packet filtering vulnerability assessment"
Explanation: nmap + fragrouter = this capability, plus more!
"... reflection response probing"
Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back. If it's not available, you'll get an ICMP UNREACHABLE. My god, the amazing powers of this software aren't to be believed!!
"... source IP analysis"
Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls. Amazing!
"... Router vulnerability assessment"
Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!
"... Router vulnerability assessment"
Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.
Explanation: Application layer testing, such as trying to brute force passwords on SMB shares. This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...
"... round trip time (RTT) profiling"
Explanation: This is useful if you're trying to see if there's any time based elements to see if you're talking to a firewall or directly to the host. Righteous.
Explanation: "We can't be spoofed because we make our own packets!" What about man in the middle attacks guys? Are you talking IPv6 or over an encrypted tunnel? No? Oops, you can be spoofed.
Anybody remember the FreeVeracity BS from a few weeks back? I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.