Remember my last post, when I wrote about the new port scanner PortBunny? Well, I know I’m a little bit late, but on Sunday Fyodor from nmap sent a reply to the nmap mailing list. It contains a few interesting bits of information.
What is great is that they are thinking of ways to use the research by FX and Fabs to make nmap faster. They also mention a couple of drawbacks in PortBunny. I always find this kind of thing interesting, because when you see the information presented at 24c3, you think “wow, this is amazing”. However, the truth is that you lack the information needed to see the full picture and the potential problems.
The problems that Fyodor mentions are:
- While nmap sends out every probe twice, PortBunny does not. This might make the results of Oryctolagus cuniculus less accurate.
- nmap sends out triggers too, but far less often than the Bunny, in order to avoid SYN-flooding the ports used as triggers (currently every 3 seconds, though they are thinking about increasing this to once per second).
- Of course, another issue is that PortBunny runs as a kernel module. Fyodor spells out what I was thinking right away: they wanted PortBunny to run in the kernel and thought about the reasons for that later 😉
There’s one thing that everyone agrees on: it’s great that research is being done in the area of port scanning. I also learned a couple of things about this very basic foundation of my job.
Picture of hanging bunny by Immagina