Nmap Development mailing list archives
World's 1st remote OS detection tool from spoofed source
From: Ste Jones <root () networkpenetration com>
Date: Wed, 11 Jun 2003 01:42:36 +0100
Network Penetration
www.networkpenetration.com

The Gobbler - World's 1st Spoofed remote OS detection tool
Ste Jones root () networkpenetration com
(c) copyright 2003
7th June 2003

Any of you familiar with Fyodor's Nmap will want to get your hands on the Gobbler, a new tool from networkpenetration.com. The Gobbler 2.0 Alpha allows remote OS detection from a spoofed source.... how? You will find out over the course of this paper.

Exploiting Ethernet, Honeypot technology and DHCP

There are two phases to performing OS detection from a spoofed source: first creating a host, and second performing a scan.

To create a host we have to exploit a well known vulnerability within Ethernet, MAC address spoofing. By spoofing a MAC address, a host can be created on the network. If the MAC address replies to ARP requests with a valid IP address, the spoofed machine can be contacted over a network. This is the same method by which a virtual honeypot is created: a program selects a MAC address and spoofs a TCP/IP stack accordingly.

To perform a scan, packets need to be sent from the spoofed machine created in the first phase. This is done by spoofing the entire frame, e.g. MAC address, IP address, and TCP / UDP / ICMP packet headers. By sending packets from this spoofed source and by also spoofing the TCP/IP stack, we can effectively scan a machine from a spoofed source. The remote OS tests are the same ones that nmap performs, with the added bonus of scanning from a spoofed MAC address.

Where does DHCP come into play? DHCP aids the attack by allowing spoofed machines to be created simply. By spoofing the DHCP packet exchange to assign a MAC address an IP address, spoofed machines can be created. 200 machines can be created via DHCP, and from there a target host may be port scanned and OS detection performed.
In addition to OS detection and port scanning, the Gobbler can also perform trace route and ping functions from multiple spoofed sources.

I am looking for a job. Any London pen testing companies hiring, please get in contact.

The Gobbler can be downloaded from either
http://www.networkpenetration.com
http://sourceforge.net/projects/gobbler/
http://gobbler.sourceforge.net/

For more information please read
http://www.networkpenetration.com/dhcp_flaws.html
http://www.networkpenetration.com/gobbler.html

For OS detection techniques please read
http://www.insecure.org/nmap/nmap-fingerprinting-article.html

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
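As an added example, not part of the post above and not code from the Gobbler, here is a defender-side check for the DHCP phase the post describes: creating many spoofed hosts through DHCP produces a burst of DHCPDISCOVERs from many previously unseen MAC addresses on one interface within seconds, which is visible in the DHCP server's own log. The ISC dhcpd-style log lines are constructed samples, and the 60-second window and threshold of 5 distinct MACs are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in ISC dhcpd syslog style (not a real capture):
# six new MACs on eth0 within 3 seconds, one lone client on eth1.
SAMPLE_LOG = """\
Jun 11 01:40:01 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:11:22:33 via eth0
Jun 11 01:40:01 dhcpsrv dhcpd: DHCPOFFER on 192.168.1.50 to 00:0c:29:11:22:33 via eth0
Jun 11 01:40:02 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:11:22:34 via eth0
Jun 11 01:40:02 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:11:22:35 via eth0
Jun 11 01:40:03 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:11:22:36 via eth0
Jun 11 01:40:03 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:11:22:37 via eth0
Jun 11 01:40:04 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:11:22:38 via eth0
Jun 11 01:55:30 dhcpsrv dhcpd: DHCPDISCOVER from 3c:22:fb:aa:bb:cc via eth1
"""

# Only DHCPDISCOVER lines matter: that is the first message a new (spoofed) host sends.
DISCOVER_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from ([0-9a-fA-F:]{17}) via (\S+)"
)


def parse_discovers(log_text, year=2003):
    """Yield (timestamp, mac, interface) for each DHCPDISCOVER line (syslog lacks the year)."""
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2).lower(), m.group(3)


def find_discover_bursts(log_text, window_s=60, threshold=5):
    """Return {interface: set_of_macs} for every interface on which at least
    `threshold` distinct MACs sent DHCPDISCOVER inside some `window_s`-second window."""
    by_iface = defaultdict(list)
    for ts, mac, iface in parse_discovers(log_text):
        by_iface[iface].append((ts, mac))
    flagged = {}
    for iface, events in by_iface.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            macs = {mac for ts, mac in events[i:] if (ts - start).total_seconds() <= window_s}
            if len(macs) >= threshold:
                flagged.setdefault(iface, set()).update(macs)
    return flagged


if __name__ == "__main__":
    for iface, macs in find_discover_bursts(SAMPLE_LOG).items():
        print(f"{iface}: {len(macs)} distinct MACs requesting leases in one window")
```

A lone physical port suddenly sourcing dozens of MACs is the same signal a switch's port-security MAC limit keys on, so the log check and the switch limit complement each other.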