features
| Basic idea |
|
The aim of Ghost Port Scan is to provide administrators and pen-testers with a tool that allow them to easily test firewalls and get information from a remote host. GPS is a port scanner and a firewall rules disclosure (FWRD) tool, which uses IP spoofing, ARP poisoning and some other technics in order to perform a stealth and untrackable information collect. As far as GPS needs to sniff the responses from the target host, it requires to be run using a loopback or an ethernet interface (including cable modem). |
| IP spoofing |
|
The IP addresses specified to GPS (see the 'usage' section) are used as spoofed source addresses.
To be more explicit: the host being scanned thinks that the scan is performed by the hosts having the IPs you gived to GPS. Depending on the scan type chosen, the IPs are randomly or sequentially used. |
| MAC spoofing |
|
To perform an _absolutely_ untrackable scan, IP spoofing is not enough, because the MAC/physical address in the ethernet trame header of the packets we send is our one. GPS is able to produce and inject trames with both MAC and IP addresses spoofed. |
| ARP poisoning |
|
The trick that makes GPS works is ARP poisoning. When you scan a host with an IP belonging to the LAN but to not connected machine,
the gateway or the target (if it is on the LAN) will ask for the physical address that matches with the spoofed IP.
This is simply done with an ARP Request. As far as no machine has the IP in the ARP Request, none will answer, and no packets will be sent back,
due to the fact that the gateway/target doesn't know which address has to been put in the trames. The solution is to send a fake ARP Reply with a random physical address when sniffing an ARP Request which contains the spoofed IP. Some problems may occur if you are using an IP belonging to a connected host, because this host will not be able to receive its legitimate trames from the host which issued the ARP Request. |
| Sniffing |
|
GPS supports loopback and ethernet devices for packet sniffing. Tests have been done on both LAN and cable modem, and both worked. |
| Scan modes |
|
Different scan modes are implemented in GPS, partly inspired from nmap: SYN scan: the most basic, the less stealth, but the most reliable, because it works on all OSs, and requires just a few ressources. It consists in sending a SYN and sniffing back a SYN|ACK. FIN/Xmas Tree/Null: stealth, these port scans does not work with some OSs (such as Windows). Take a look to the nmap mailing list for a reliable list of these OSs. Sending a Null, FIN or Xmas Tree TCP segment will cause the target to send back a RST if the port is closed, and nothing if it is open Rand scan: the stealthest. It is a mix between FIN, Xmas Tree, Null and some other scans. When generating a packet, TCP flags are randomly set among: Null(0), FIN, URG, PSH, FIN|URG, FIN|PSH, URG|PSH and FIN|URG|PSH. Some IDS or loggers such as iplog suppose that a port scan is performed when they intercept n packets or more of the same type. For example, iplog detects a FIN scan only if it filters, say 20 FIN packets or more. By randomizing the TCP flags, the detection risk is really reduced, especially if many source IPs have been specified to GPS. ACK scan: this scan is used to view filtered ports on a machine. If a RST is sent back when sending an ACK, the port is not filtered. If nothing comes back, the port is filtered. FWRD mode: the most advanced mode. The FireWall Rules Disclosure scan uses all IPs specified to GPS to scan the target host (with a ACK scan) and determines which IPs are allowed to send packets to specified ports through the firewall. This scan works exclusively if the target is on the same LAN, except in some very specific cases. UDP scan: this scan consists in sending UDP datagrams to the target. If the UDP port is closed, the victim sends an "ICMP Port Unreachable" message, and nothing if the port is open. |
| Timeout handling |
|
Since version 0.6.0, GPS handles timeout smartly. It determines a timeout value by TCP pinging the remote host and calculate the time to get a response from the target.
GPS-0.9.0 implements dynamic timeout management, resulting in a increased speed and reliability. |
| Emission window |
| The new architecture of GPS-0.9.0 implements a dynamic emission window. It becomes necessary to limit the number of packets being sent to avoid target overload. |
| Fragmentation |
| GPS-0.7.0 supports framentation in both injection and sniffing. You may now choose to not fragment the packets, to fragment them in tiny frags, or to cut them in order to perform a fragment overlapping (most of recent OSes drop these packets) |
| Localhost scanning support |
| Localhost scanning is now handled (involving sniffing and packet injection through the loopback device). |
| Usable IPs auto-determination |
| GPS-0.8.0 is able to find the IP addresses which are not in use on the LAN your workstation is connected to. This feature is used if no source IPs have been specified to GPS. The aim of such a function is to avoid the potential DoS which may be caused by ARP poisoning. |