Posts Tagged ‘24C3’

Say RST to PortBunny

January 18, 2008

Remember my last post, in which I wrote about the new port scanner PortBunny? Well, I know I’m a little bit late, but on Sunday Fyodor from nmap sent a reply to the nmap mailing list. It contains a few interesting bits of information.

What is great is that they are thinking of ways to use the research by FX and Fabs to make nmap faster. They also mention a couple of drawbacks of PortBunny. I always find this kind of thing interesting, because when you see the information presented at 24c3, you think “wow, this is amazing”. However, the truth is that you are lacking the information needed to see the full picture and the potential problems.

The problems that Fyodor mentions are:

  • While nmap sends out every probe twice, PortBunny does not. This might reduce the accuracy of the results of Oryctolagus cuniculus.
  • nmap sends out triggers too, but far less often than the Bunny, in order to avoid SYN-flooding the ports used as triggers (every 3 seconds, though they are thinking about increasing this to once per second).
  • Of course, another issue is that PortBunny runs as a kernel module. Fyodor spells out what I was thinking right away: they wanted PortBunny to run in the kernel and thought about the reasons for that later 😉

There’s one thing that everyone agrees on: it’s great that there’s research being done in the area of port scanning. I also learned a couple of things about this very basic foundation of my job.

Picture of hanging bunny by Immagina

Say ACK to Portbunny

January 13, 2008

It’s really amazing: there are some things you use every day without even thinking about them. Thankfully, there are other people who do think about those things and how to improve them.

For me, nmap was always the state-of-the-art port scanner. Ok, so scanning large networks with many filtered ports takes a long time, but that’s just the time it needs, isn’t it?

Apparently it isn’t for FX and Fabian Yamaguchi from Recurity Labs. At the 24c3 they presented their new TCP SYN port scanner PortBunny. The amazing thing about the scanner is its speed. It runs as a kernel module and sends out triggers, packets to which it knows there will be a response, in order to detect network congestion. Using the triggers it can adjust the rate at which it sends out its probes to as close to the optimum as possible. Have a look at their slides to see how it works in detail. They also have a comparison between nmap and PortBunny.
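To make the trigger idea concrete, and to show the double-probe point from the post above about Fyodor’s reply, here is an added simulation that is not PortBunny’s or nmap’s code. It assumes a constructed target and path model: every SYN gets an answer, but only `capacity` packets per round get through, and `trigger_port` is a port known to respond.

```python
from collections import deque

# Constructed model, not PortBunny's or nmap's code: a target answers every
# SYN (SYN/ACK for open, RST for closed), but the path only carries
# `capacity` packets per round; anything beyond that is silently dropped.

def reply_for(port, open_ports):
    return "open" if port in open_ports else "closed"

def deliver(packets, capacity):
    # Keep the first `capacity` packets of a round, drop the rest.
    return set(packets[:capacity])

def scan(ports, open_ports, capacity, trigger_port, batch=8, retries=1):
    """Trigger-driven SYN scan. Returns (results, per-round batch sizes).

    Each round sends `batch` probes followed by one trigger, a packet to a
    port (trigger_port) that is known to answer. A missing trigger reply
    means the round was congested, so the batch size is halved; an
    answered trigger lets it grow by one. Unanswered probes are retried
    up to `retries` times before being reported as "filtered".
    """
    queue = deque((p, 0) for p in ports)  # (port, attempts so far)
    results, history = {}, []
    while queue:
        probes = [queue.popleft() for _ in range(min(batch, len(queue)))]
        delivered = deliver([p for p, _ in probes] + [trigger_port], capacity)
        history.append(batch)
        for port, attempts in probes:
            if port in delivered:
                results[port] = reply_for(port, open_ports)
            elif attempts < retries:
                queue.append((port, attempts + 1))   # try again later
            else:
                results[port] = "filtered"  # no reply ever: looks firewalled
        batch = batch + 1 if trigger_port in delivered else max(1, batch // 2)
    return results, history

def misclassified(results, open_ports):
    """Ports whose reported state differs from the ground truth."""
    return sorted(p for p, s in results.items() if s != reply_for(p, open_ports))

if __name__ == "__main__":
    ports, open_ports = range(1, 21), {2, 5, 7}   # constructed sample target
    for retries in (0, 1):
        res, hist = scan(ports, open_ports, capacity=6, trigger_port=9999,
                         batch=8, retries=retries)
        print(f"retries={retries}: batch sizes {hist}, "
              f"misclassified {misclassified(res, open_ports)}")
```

With a single probe per port (retries=0) the two probes dropped in the congested first round are reported as filtered, one of them wrongly hiding an open port; with one retry the scan reports every port correctly while the trigger feedback keeps the batch size at the path’s capacity.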

I’m curious how long it will take for Fyodor from insecure.org to update his nmap accordingly 🙂

Video Recordings of 24C3

January 4, 2008

After missing the 24th CCC hacker conference (24C3) I’m glad to see that the recorded talks are available now as video. Their wiki has a page that lists all sources from which they can be downloaded. That’s over 9 GB of video material and 4 days’ worth of security talks (each day having three parallel tracks). Find the schedule of the conference here.

Don’t expect me to post to this page for the next couple of days. I’ll be watching videos 🙂

Photo of crowd at 24C3 by bicyclemark