Ste Jones firstname.lastname@example.org
(c) copyright 2003
7th June 2003
Update - 27 July 2003 - Port zero fingerprinting paper can be found here
Any of you familiar with Fyodor's NMap will want to get your hands on the Gobbler, a new tool from networkpenetration.com. The Gobbler 2.0 Alpha allows remote OS detection from spoofed source.... how? You will find out over the course of this paper.
There are two phases to performing OS detection from a spoofed source, first creating a host and second performing a scan.
To create a host we have to exploit a well known vulnerability within Ethernet, MAC address spoofing. By spoofing a MAC address, a host can be created on the network. If the MAC address replies to ARP requests with a valid IP address the spoofed machine can be contacted over a network. This is the same method as how a virtual honeypot is created. A program selects a MAC address and spoofs a TCP/IP stack accordingly.
To perform a scan, packets need to be sent from the spoofed machine created in the first phase. This is done by spoofing the entire frame, e.g. MAC address, IP address, and TCP / UDP / ICMP packet headers. By sending packets from packets from this spoofed source and by also spoofing the TCP/IP stack we can effectively scan a machine from a spoofed source. The remote OS tests are the same ones as what nmap performs, with the added bonus of scanning from a spoofed MAC address.
Where does DHCP come into play? DHCP aids the attack by allowing spoofed machines to be created simply. By spoofing the DHCP packet exchange to assign a MAC address an IP address spoofed machines can be created. 200 machines can be created via DHCP and from there a target host may be port scanned and OS detection performed.
In addition to OS detection and port scanning, the gobbler can also perform trace route and ping functions from multiple spoofed sources
I am looking for a job
Any london pen testing companies hiring please get in contact
The Gobbler can be downloaded from either
For more information please read
For OS detection techniques please read