Nmap Development mailing list archives

World's 1st remote OS detection tool from spoofed source


From: Ste Jones <root () networkpenetration com>
Date: Wed, 11 Jun 2003 01:42:36 +0100

Network Penetration
www.networkpenetration.com

The Gobbler - World's 1st Spoofed remote OS detection tool
Ste Jones root () networkpenetration com
(c) copyright 2003
7th June 2003
 
 
Any of you familiar with Fyodor's NMap will want to get your hands on the Gobbler, a new tool from networkpenetration.com. The Gobbler 2.0 Alpha allows remote OS detection from a spoofed source.... how? You will find out over the course of this paper.
 
 
 
Exploiting Ethernet, Honeypot technology and DHCP
 
There are two phases to performing OS detection from a spoofed source: first creating a host, and second performing a scan.
 
To create a host we have to exploit a well-known vulnerability within Ethernet, MAC address spoofing. By spoofing a MAC address, a host can be created on the network. If the MAC address replies to ARP requests with a valid IP address, the spoofed machine can be contacted over the network. This is the same method by which a virtual honeypot is created: a program selects a MAC address and spoofs a TCP/IP stack accordingly.
 
 
To perform a scan, packets need to be sent from the spoofed machine created in the first phase. This is done by spoofing the entire frame, e.g. MAC address, IP address, and TCP / UDP / ICMP packet headers. By sending packets from this spoofed source, and by also spoofing the TCP/IP stack, we can effectively scan a machine from a spoofed source. The remote OS tests are the same ones that nmap performs, with the added bonus of scanning from a spoofed MAC address.
 
Where does DHCP come into play? DHCP aids the attack by allowing spoofed machines to be created simply. By spoofing the DHCP packet exchange to assign an IP address to a MAC address, spoofed machines can be created. 200 machines can be created via DHCP, and from there a target host may be port scanned and OS detection performed.
 
In addition to OS detection and port scanning, the Gobbler can also perform traceroute and ping functions from multiple spoofed sources.
 
 
I am looking for a job.
Any London pen testing companies hiring, please get in contact.
 
 
 
The Gobbler can be downloaded from either
http://www.networkpenetration.com
http://sourceforge.net/projects/gobbler/
http://gobbler.sourceforge.net/ 
For more information please read
http://www.networkpenetration.com/dhcp_flaws.html
http://www.networkpenetration.com/gobbler.html
 
For OS detection techniques please read
http://www.insecure.org/nmap/nmap-fingerprinting-article.html



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
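The post describes two frames the tool has to forge before any scan can happen: an ARP reply that makes a made-up MAC answer for an IP, and a DHCP DISCOVER carrying that MAC as the client hardware address so the server leases it an address. The following is an added example, not the Gobbler's code and not from the original post, showing how those two frames are built byte by byte with correct IPv4 and UDP checksums. It assumes Python 3; the MAC and IP addresses are made up, and `send_frame` assumes a Linux AF_PACKET socket with CAP_NET_RAW and is not needed to build or inspect the frames.

```python
"""Added example (not the Gobbler's code): build the raw frames a spoofed host
needs on an Ethernet segment. All MAC and IP addresses here are made up."""
import socket
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, as used by the IPv4 header and the UDP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def arp_reply(spoof_mac: str, spoof_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Phase one: answer an ARP request so that spoof_ip 'lives' at the forged MAC."""
    eth = mac_bytes(dst_mac) + mac_bytes(spoof_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, op=2 (reply)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 2)
    arp += mac_bytes(spoof_mac) + socket.inet_aton(spoof_ip)
    arp += mac_bytes(dst_mac) + socket.inet_aton(dst_ip)
    return eth + arp


def decode_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) from an ARP frame."""
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
            mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


def dhcp_discover(spoof_mac: str, xid: int) -> bytes:
    """DHCP DISCOVER with the forged MAC as chaddr, so the server leases it an IP."""
    # BOOTP fixed fields (RFC 2131 section 2): op=BOOTREQUEST, htype=1, hlen=6, hops=0
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # flags: broadcast reply
    bootp += b"\x00" * 16                         # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac_bytes(spoof_mac) + b"\x00" * 10  # chaddr, padded to 16 bytes
    bootp += b"\x00" * 192                        # sname + file
    bootp += b"\x63\x82\x53\x63"                  # DHCP magic cookie
    # options: 53 message type = 1 (DISCOVER); 55 parameter request = mask, router, DNS; 255 end
    payload = bootp + bytes([53, 1, 1, 55, 3, 1, 3, 6, 255])
    src_ip, dst_ip = b"\x00\x00\x00\x00", b"\xff\xff\xff\xff"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)
    udp_csum = ones_complement_sum(pseudo + udp) or 0xFFFF  # 0 would mean "no checksum"
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, xid & 0xFFFF, 0, 64, 17, 0,
                     src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = b"\xff" * 6 + mac_bytes(spoof_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip + udp


def ipv4_checksum_ok(frame: bytes) -> bool:
    """A correct IPv4 header sums to zero when its checksum field is included."""
    return ones_complement_sum(frame[14:34]) == 0


def udp_checksum_ok(frame: bytes) -> bool:
    ip, udp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp) == 0


def dhcp_chaddr(frame: bytes) -> str:
    """chaddr sits 28 bytes into the BOOTP header (after Ethernet+IPv4+UDP = 42 bytes)."""
    return mac_str(frame[70:76])


def send_frame(iface: str, frame: bytes) -> int:
    """Put a finished frame on the wire (Linux AF_PACKET, needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)
```

The same approach extends to the second phase the post describes: a TCP SYN or ICMP probe is just another Ethernet frame whose source MAC and source IP are the ones claimed above, with the IP and TCP checksums recomputed over the forged addresses. A quick check when testing this on a lab segment is to run `tcpdump -e` on another host and confirm that the ARP reply's Ethernet source and ARP sender hardware address match, since a mismatch is exactly what switches with dynamic ARP inspection look for.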