Network Penetration



The Gobbler - Worlds 1st Spoofed remote OS detection tool

Ste Jones

(c) copyright 2003

7th June 2003



Update - 27 July 2003 - Port zero fingerprinting paper can be found here

Any of you familiar with Fyodor's NMap will want to get your hands on the Gobbler, a new tool from The Gobbler 2.0 Alpha allows remote OS detection from spoofed source.... how? You will find out over the course of this paper.




Exploiting Ethernet, Honeypot technology and DHCP


There are two phases to performing OS detection from a spoofed source, first creating a host and second performing a scan.


To create a host we have to exploit a well known vulnerability within Ethernet, MAC address spoofing. By spoofing a MAC address, a host can be created on the network. If the MAC address replies to ARP requests with a valid IP address the spoofed machine can be contacted over a network. This is the same method as how a virtual honeypot is created. A program selects a MAC address and spoofs a TCP/IP stack accordingly.



To perform a scan, packets need to be sent from the spoofed machine created in the first phase. This is done by spoofing the entire frame, e.g. MAC address, IP address, and TCP / UDP / ICMP packet headers. By sending packets from packets from this spoofed source and by also spoofing the TCP/IP stack we can effectively scan a machine from a spoofed source. The remote OS tests are the same ones as what nmap performs, with the added bonus of scanning from a spoofed MAC address.


Where does DHCP come into play? DHCP aids the attack by allowing spoofed machines to be created simply. By spoofing the DHCP packet exchange to assign a MAC address an IP address spoofed machines can be created. 200 machines can be created via DHCP and from there a target host may be port scanned and OS detection performed.


In addition to OS detection and port scanning, the gobbler can also perform trace route and ping functions from multiple spoofed sources



I am looking for a job

Any london pen testing companies hiring please get in contact




The Gobbler can be downloaded from either


For more information please read


For OS detection techniques please read Logo