usage

  How to compile?
GPS requires libnet and libpcap (take a look at the 'links' section for further information).
To compile it with 'make':
sh$ tar zxf gps-XXX.tar.gz
sh$ cd gps-XXX
sh$ ./configure
sh$ make
sh# make install (be careful if you already have a binary named 'gps')

  Options:
basic:
-s hostname1[,xxx.xxx.xxx.xxx[,hostname3/hostname4..]]
This option is required if you want to scan your localhost.
If no IP list is given, GPS will determine the IPs which are usable without breaking things.
The list of IP addresses specified here is used by GPS as spoofed source addresses (the host being scanned will think that the packets come from these IPs).
For example: -s 192.168.1.4,192.168.1.7/192.168.1.10,192.168.1.25 tells GPS to use 192.168.1.4/7/8/9/10/25 as spoofed source IPs.
Important: if you are scanning a host through the Internet and you want to get some packets back, you need to specify source IP addresses which belong to your LAN, so that the responses come back on a wire you are able to sniff.
-d xxx.xxx.xxx.xxx or hostname
This option is simply used to specify the target's name or IP address.
optional:
-t scan_type
scan_type is the scan mode to use.
The default mode is 'syn', which is the most reliable. The other types are: udp, fin, null, xmas, rand, ack and fwrd. Take a look at the 'features' section for details.
-r packets_flow
packets_flow influences the time between each packet injection.
The available packets flows are: insane (default), aggressive, normal, polite and paranoid (deja vu ?).
-p first_port-last_port
first_port and last_port are used to specify a port range (I am sure you didn't guess :).
The default port range is 1-1024.
The port scan order is hopefully randomized.
-k 0|1
This option is used to scan 'well-known' ports (if 1 is specified).
These ports are listed in the services.c file.
-e ping_port
This option determines the port on which the TCP pings will be sent, in order to evaluate a timeout value.
-v
Verbose. Use twice or more for better results.
-f t|o
Fragmentation. 't' stands for tiny frags, and 'o' for 'frag overlapping'.
Fragmentation is usually used to make the work of an IDS harder.
Default is no fragmentation.
-i device
This option is used to specify the network device to use for packet injection and sniffing.
Use it if GPS does not choose the suitable device for the scan.
-S mac|ip
This option is used to specify the spoofing level: 'ip' for IP spoofing, 'mac' for both IP and MAC spoofing.
Default is MAC spoofing.
-w window_size
This option is used to manually specify the size of the emission window. Note that this size is dynamically modified during scanning.

  Examples:
bash# gps -s 192.168.1.56 -d 192.168.1.1
This is the most basic command line. GPS will perform a SYN scan against 192.168.1.1 using the spoofed IP 192.168.1.56.
bash# gps -s 192.168.1.10/192.168.1.20,192.168.1.25 -d 192.168.1.1 -t fin
GPS will scan 192.168.1.1 using randomly chosen IPs from 192.168.1.10 to 192.168.1.20 and 192.168.1.25. The scan is a FIN scan.
bash# gps -s 192.168.1.100/192.168.1.200 -d 192.168.1.1 -t rand -p 1-200
Here is the stealthiest scan you may perform with GPS. The IPs are chosen randomly from 192.168.1.100 to 192.168.1.200 and the TCP flags are randomly set (see the -t option comment for more details). GPS will scan ports from 1 to 200.
bash# gps -s 192.168.1.100/host200 -d 192.168.1.1 -t fwrd -p 23
The FireWall Rules Disclosure mode will test the settings of 192.168.1.1's firewall on port 23. GPS will sequentially use IPs from 192.168.1.100 to 192.168.1.200 (host200) to send ACKs to the target's port 23, and determine which IPs are allowed to pass through.
bash# gps -d host254 -Sip -ft -e 23 -vvv -i eth1
This command will perform a SYN scan against 'host254', using spoofing at IP level. The interface the packets will be routed through is 'eth1'. The timeout value will be evaluated by TCP pinging port 23, and the TCP segments will be cut into tiny fragments. For more information, the verbose option is used three times.
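The -s list syntax described under 'Options' (comma-separated items, 'a/b' for an inclusive range, hostnames allowed at either end) is easy to get wrong when reading a command line. The following is an added example, not GPS's own code: it expands a -s argument into the addresses GPS would spoof, and flags any that fall outside your LAN, which is the case the 'Important' note warns about. Hostname resolution is replaced by a small constructed table so the code runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline.
# Assumption: the real tool resolves names with the system resolver.
FAKE_DNS = {
    "host200": "192.168.1.200",
    "host254": "192.168.1.254",
}


def resolve(name):
    """Turn an IPv4 literal or a (fake-resolved) hostname into an IPv4Address."""
    try:
        return ipaddress.IPv4Address(name)
    except ipaddress.AddressValueError:
        if name not in FAKE_DNS:
            raise ValueError(f"cannot resolve {name!r}")
        return ipaddress.IPv4Address(FAKE_DNS[name])


def expand_spoof_list(spec):
    """Expand a -s argument into the ordered list of spoofed source IPs.

    Items are comma separated; 'first/last' is an inclusive range.
    Documented example: '192.168.1.4,192.168.1.7/192.168.1.10,192.168.1.25'
    expands to .4, .7, .8, .9, .10, .25.
    """
    result = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in -s list")
        if "/" in item:
            first, last = item.split("/", 1)
            lo, hi = resolve(first), resolve(last)
            if hi < lo:
                raise ValueError(f"range {item!r} runs backwards")
            result.extend(ipaddress.IPv4Address(n)
                          for n in range(int(lo), int(hi) + 1))
        else:
            result.append(resolve(item))
    return [str(a) for a in result]


def off_lan(addrs, lan_prefix):
    """Return the spoofed addresses that do NOT belong to lan_prefix.

    Replies to these will never reach a wire you can sniff, so a
    non-empty result means the -s list needs fixing before a scan.
    """
    net = ipaddress.IPv4Network(lan_prefix)
    return [a for a in addrs if ipaddress.IPv4Address(a) not in net]
```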