features
| Basic idea |
|
The aim of Ghost Port Scan is to provide administrators and pen-testers with a tool that allow them to easily test firewalls and get information from a remote host. GPS is a port scanner and a firewall rules disclosure (FWRD) tool, which uses IP spoofing, ARP poisoning and some other stratagems in order to perform a stealth and untracable information collect. As far as GPS needs to sniff the responses from the target host, it requires to be run using an ethernet interface (including cable modem). |
| IP spoofing |
|
The IP addresses specified to GPS (see the 'usage' section) are used as spoofed source addresses.
To be more explicit: the host been scanned thinks that the scan is performed by the hosts having the IPs you gived to GPS. Depending on the scan type chosen, the IPs are randomly or sequentially used. |
| ARP poisoning |
|
The trick that makes GPS works is ARP poisoning. When you scan a host with an IP belonging to the LAN but to no connected machine,
the gateway or the target (if it is on the LAN) will ask for the physical address that matches with the spoofed IP.
This is simply done with an ARP Request. As far as no machine has the IP in the ARP Request, none will answer, and no packets will be sent back,
due to the fact that the gateway/target doesn't know which address has to been put in the trames. The solution is to send a fake ARP Reply with a random physical address when sniffing an ARP Request which hold the spoofed IP. Some problems may occur if you are using an IP belonging to a connected host, because this host will not be able to receive its legitimate trames from the host which issued the ARP Request. |
| Sniffing |
|
GPS requires an ethernet interface to sniff packets.
Tests have been done on both LAN and cable modem, and both worked. Note that packet fragmentation is abolutely not handled. |
| Scan modes |
|
Different scan modes are implemented in GPS, partly inspired from nmap: SYN scan: the most basic, the less stealth, but the most reliable, because it works on all OSs, and requires just a few ressources. It consists in sending a SYN and sniffing back a SYN|ACK. FIN/Xmas Tree/Null: stealth, these port scans does not work with some OSs (such as Windows). Take a look to the nmap mailing list for a reliable list of these OSs. Sending a Null, FIN or Xmas Tree TCP segment will cause the target to send back a RST if the port is closed, and nothing if it is open Rand scan: the stealthest. It is a mix between FIN, Xmas Tree, Null and some other scans. When generating a packet, TCP flags are randomly set among: Null(0), FIN, URG, PSH, FIN|URG, FIN|PSH, URG|PSH and FIN|URG|PSH. Some IDS or loggers such as iplog suppose that a port scan is performed when they intercept n packets or more of the same type. For example, iplog detects a FIN scan only if it filters, say 20 FIN packets or more. By randomizing the TCP flags, the detection risk is really reduced, especially if many source IPs have been specified to GPS. ACK scan: this scan is used to view filtered ports on a machine. If a RST is sent back when sending an ACK, the port is not filtered. If nothing comes back, the port is filtered. FWRD mode: the most advanced mode. The FireWall Rules Disclosure scan uses all IPs specified to GPS to scan the target host (with a ACK scan) and determines which IPs are allowed to send packets to specified ports through the firewall. This scan works exclusively if the target is on the same LAN, except in some very specific cases. |