
Gobbler 1.8 Alpha

From: <root(at)networkpenetration.com>
Date: Mon Feb 17 2003 - 20:24:59 EST

Just thought I would let you know about a tool I am working on. It uses libnet to do some stuff; you will have to read on to see what it does :)

The latest version 1.8 alpha is available from http://gobbler.sourceforge.net

Big thanks to Mike Schiffman for writing libnet. I don't know where I would have started coding this without libnet :)

Network Penetration

The Gobbler - A tool to audit DHCP networks Copyright (C) 2003
Steven Jones root@networkpenetration.com www.networkpenetration.com

1 Introduction
The Gobbler is a tool designed to audit various aspects of DHCP networks, from detecting whether DHCP is running on a network to performing a denial of service attack. The Gobbler also exploits DHCP and Ethernet to allow distributed spoofed port scanning, with the added bonus of being able to sniff the reply to a spoofed host. This tool is based on the proof of concept code "DHCP Gobbler" available from networkpenetration.com.

1.1 What is DHCP an acronym for?
The common term is Dynamic Host Configuration Protocol, but it should be known as the Domain Hijack and Control Protocol as it is seriously flawed. Deploying DHCP on a network is a security risk; please consider alternative designs such as secure DHCP or statically assigned IP addresses.

1.2 Why write this program?
As stated in the DHCP RFC 2131, a rogue DHCP server can cause serious problems on a DHCP network. What it doesn't state is that rogue clients can also cause serious problems, so to help a penetration tester show how vulnerable a network may be, I decided to write this tool. Another motivation is a job... if anyone wants to give me a job and is based in London, UK, please contact me on the email address above.


2 Install Instructions
Tested on Linux Mandrake 8 (Kernel 2.4.3-20mdk)

Libraries required:

Libpcap 0.7.1 http://freshmeat.net/projects/libpcap/
Libnet 1.1.1-PRERELEASE http://www.packetfactory.net
Libdnet 1.5 http://libdnet.sourceforge.net

Once the libraries are installed, compile using: ./Compile.sh You may have to edit the Compile.sh file to point to the right places for the above libraries. I have also heard about problems with libnet-config; you may need to copy the libnet-config from the directory where you compiled it to /usr/bin.

3 How it works
Please read "Flaws within the DHCP protocol" http://www.networkpenetration.com/dhcp_flaws.html for an overview. The program mentioned in the paper has been rewritten, with this version of the gobbler as the result.

3.1 Dynamically Assigned Distributed Spoofed Stateless Port Scanning ***WARNING***
At the moment, each time a dynamically assigned portscan is started the gobbler is assigned an IP address from the DHCP server, thus a denial of service attack could accidentally be performed if you scan many hosts, use a large number of spoofed hosts, or the network is using a small DHCP scope.

  1. Create a spoofed machine (gobbled IP address) on the network via a DHCP gobble (spoof the packet exchange so that a random MAC address is assigned an IP address by the DHCP server).
  2. Issue an ARP request for either the target IP (if on the subnet) or the gateway (if not on the subnet).
  3. Initiate a portscan with the source MAC + source IP of the gobbled host.
  4. Reply to any ARP requests from the target IP or gateway (by doing this you have effectively created a new machine on the network that does not exist).
  5. Sniff the replies and output which ports are open.
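The five steps above, as an added worked example that is not part of the gobbler's own code (which is C on libnet/libpcap): a Python stand-in for step 1, the DHCP gobble. It serialises and parses DHCP messages with struct, drives one DISCOVER/OFFER/REQUEST/ACK exchange on behalf of a random MAC that does not exist, and records the server identifier and any vendor-specific option (option 43) the ACK carries, the kind of data section 4.5 suggests using to tell DHCP servers apart. The names gobble, Lease, ConstructedServer and send_and_sniff are this example's own; the server is a constructed stand-in with a two-address scope, so a third gobble against it shows the scope-exhaustion caveat from the warning above. Putting the UDP payload into a spoofed Ethernet/IP frame and sniffing the answer is what libnet and libpcap do in the real tool and sits behind the send_and_sniff callback here.

```python
import os
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the fixed 236-byte header of RFC 2131, figure 1


def random_mac():
    """Locally administered unicast MAC: the spoofed client never collides with a real vendor OUI."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)


def build(op, msg_type, xid, chaddr, yiaddr=b"\0" * 4, options=()):
    """Serialise one DHCP message (UDP payload only; the Ethernet/IP/UDP framing is the sender's job)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,            # htype Ethernet, hlen 6, broadcast flag
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                                 # option 53: DHCP message type
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + opts + b"\xff"                      # option 255: end


def parse(payload):
    """Decode the fixed header plus the option TLVs that follow the magic cookie."""
    f = struct.unpack_from(HDR, payload, 0)
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                                         # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": f[8], "chaddr": f[11][:6], "options": opts}


@dataclass
class Lease:
    mac: bytes
    ip: str
    server_id: str                     # option 54: which server answered (rogue-server check)
    vendor_specific: Optional[bytes]   # option 43, sent by some servers (see 4.5)


def gobble(send_and_sniff, mac=None):
    """One DISCOVER/OFFER/REQUEST/ACK exchange for a MAC that does not exist on the segment.
    send_and_sniff(payload) stands in for the libnet write plus the libpcap sniff of the
    server's answer; it returns the reply payload, or None when nothing came back."""
    mac = mac or random_mac()
    xid = struct.unpack("!I", os.urandom(4))[0]
    reply = send_and_sniff(build(BOOTREQUEST, DISCOVER, xid, mac))
    if reply is None:
        raise RuntimeError("no OFFER: scope exhausted or no DHCP server on this segment")
    offer = parse(reply)
    if (offer["op"], offer["xid"], offer["chaddr"]) != (BOOTREPLY, xid, mac) \
            or offer["options"].get(53) != bytes([OFFER]):
        raise RuntimeError("reply is not an OFFER for our transaction")
    server_id = offer["options"][54]
    reply = send_and_sniff(build(BOOTREQUEST, REQUEST, xid, mac,
                                 options=[(50, offer["yiaddr"]), (54, server_id)]))
    ack = parse(reply) if reply else None
    if ack is None or ack["xid"] != xid or ack["options"].get(53) != bytes([ACK]):
        raise RuntimeError("server did not ACK the requested address")
    return Lease(mac, socket.inet_ntoa(ack["yiaddr"]), socket.inet_ntoa(server_id),
                 ack["options"].get(43))


class ConstructedServer:
    """Stand-in for the DHCP server, constructed for this example with a two-address scope."""

    def __init__(self, server_ip="192.0.2.1", scope=("192.0.2.10", "192.0.2.11")):
        self.server_id = socket.inet_aton(server_ip)
        self.free = [socket.inet_aton(a) for a in scope]
        self.bound = {}                                             # chaddr -> yiaddr

    def __call__(self, payload):
        req = parse(payload)
        kind = req["options"][53][0]
        if kind == DISCOVER:
            if req["chaddr"] not in self.bound:
                if not self.free:
                    return None                                     # scope exhausted: real clients now starve
                self.bound[req["chaddr"]] = self.free.pop(0)
            return self._reply(OFFER, req, self.bound[req["chaddr"]])
        if kind == REQUEST:
            ip = self.bound.get(req["chaddr"])
            if ip and req["options"].get(50) == ip and req["options"].get(54) == self.server_id:
                return self._reply(ACK, req, ip, [(43, b"\x01\x01\x00")])   # constructed vendor blob
            return self._reply(NAK, req, b"\0" * 4)

    def _reply(self, kind, req, yiaddr, extra=()):
        return build(BOOTREPLY, kind, req["xid"], req["chaddr"], yiaddr,
                     [(54, self.server_id), (51, struct.pack("!I", 3600))] + list(extra))
```

gobble(ConstructedServer()) returns a Lease; the same server object hands out its second address on the next call and then answers nothing, so the third call raises. The xid and chaddr checks on the OFFER matter on a real segment: several gobbles run concurrently, and another client's OFFER must not be mistaken for ours.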

3.2 Non Dynamically Assigned Distributed Spoofed Stateless Port Scanning ***WARNING***
Do not spoof from IP addresses that are present on the network, as chaos will follow. If you do spoof from an IP on the network, there is a high chance that messages will appear on user desktops indicating that another machine is using the same IP address.

Non-dynamic portscanning is basically the same as above, but from step 3 onwards. Also, the source IP and MAC are the ones specified on the command line, as opposed to the gobbled addresses.


3.3 Distributed scanning howto
By creating numerous machines on the network, either via DHCP or defined at run time, the portscanner can swap between IPs for each packet sent, thus the scan looks like it is distributed when it isn't. The beauty of it is that no packets are sent from your real MAC or IP address (this includes both during the portscan and also when gobbling).

The source IPs need to reply to ARP requests, as the target needs to know where to return the packets. If the target is on the local subnet, the target will send the ARP request; otherwise the default gateway will issue the request. Neither is a problem, as it is just replying to a packet :)

A couple of other things: if the gobbler needs to do an ARP request for the target MAC it does so from a spoofed host (in case you were wondering). Also, at the moment there is no support for DNS lookups... I still need to write the code to do the lookups from spoofed sources (all in good time).

3.4 Why stateless?
A normal portscan maintains state, e.g. the kernel creates a PCB (process control block) for each connection. This PCB keeps track of the connection, e.g. a SYN packet has been sent, expect a SYN/ACK.

Stateless is slightly different: the kernel doesn't know that a SYN packet has been sent and instead relies on the sniffer to notify it that a port is open (SYN/ACK). The advantage of this method is that the program can send packets at high speed without the need to maintain a process control block for each connection, thus reducing overheads within the kernel and speeding up the scan.

This scanning method could be used with gobbled IP addresses: a range of IPs could be gobbled and that range then used to scan a host. One advantage could be bypassing IDSs, as many keep state of what is being scanned by source IP address. If multiple IP addresses are used the IDS might not pick up the scan.

Check out paketto on www.doxpara.com by Dan Kaminsky for more info on stateless portscanning.
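An added example, not the gobbler's code, of the stateless correlation this section describes, together with the per-packet source rotation from 3.3 and the retry-then-filtered rule the 1.8 changelog mentions. Instead of a kernel PCB, the probe's identity is folded into the SYN's initial sequence number with an HMAC (the approach paketto's scanrand popularised; whether the gobbler derives its sequence numbers this way is not stated on this page and is assumed here), so the sniffer can tell from ack-1 alone whether a SYN/ACK or RST answers one of its own probes and can discard stray or forged replies. wire() and constructed_wire() are this example's stand-ins for the send and sniff path; the target address, source pool and port states are constructed.

```python
import hashlib
import hmac
import itertools
import os
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
SCAN_KEY = os.urandom(16)   # per-scan secret: replies that do not check out against it are ignored


def syn_seq(src_ip, dst_ip, dst_port, key=SCAN_KEY):
    """Derive the SYN's initial sequence number from the probe itself (the scanrand-style
    'inverse SYN cookie'), so the sniffer can recognise our own probes with no stored state."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def probes(targets, ports, sources):
    """One SYN per (target, port); the spoofed source host rotates on every packet (3.3)."""
    rotate = itertools.cycle(sources)
    for dst in targets:
        for port in ports:
            src = next(rotate)
            yield {"src": src, "dst": dst, "dport": port, "seq": syn_seq(src, dst, port)}


def classify(reply, key=SCAN_KEY):
    """Attribute one sniffed TCP segment to a probe. reply = {src, dst, sport, flags, ack}.
    Returns (target_ip, port, 'open'|'closed'), or None when it is not an answer to our SYN."""
    expected = syn_seq(reply["dst"], reply["src"], reply["sport"], key)   # what our SYN carried
    if (reply["ack"] - 1) & 0xFFFFFFFF != expected:
        return None                                  # stray traffic, or a reply somebody forged
    if reply["flags"] & SYN and reply["flags"] & ACK:
        return reply["src"], reply["sport"], "open"
    if reply["flags"] & RST:
        return reply["src"], reply["sport"], "closed"
    return None


def scan(targets, ports, sources, wire, retries=1):
    """wire(probe) stands in for the libnet send plus whatever libpcap saw afterwards.
    A port that answers neither the first probe nor the retry is reported as filtered."""
    pending = {(p["dst"], p["dport"]): p for p in probes(targets, ports, sources)}
    results = {}
    for _ in range(retries + 1):
        for key, probe in list(pending.items()):
            for reply in wire(probe):
                verdict = classify(reply)
                if verdict and verdict[:2] == key:
                    results[key] = verdict[2]
                    del pending[key]
                    break
    for key in pending:
        results[key] = "filtered"
    return results


def constructed_wire(behaviour, drop_first=()):
    """Fake segment for the example: behaviour[(ip, port)] is 'open', 'closed' or 'drop'.
    Ports in drop_first lose their first probe only. Every call also returns one forged
    SYN/ACK with a bogus ack number, which classify() must reject."""
    seen = set()

    def wire(probe):
        key = (probe["dst"], probe["dport"])
        base = {"src": probe["dst"], "dst": probe["src"], "sport": probe["dport"]}
        out = [dict(base, flags=SYN | ACK, ack=0x1234)]           # forged: ack does not match our seq
        if key in drop_first and key not in seen:
            seen.add(key)
            return out
        state = behaviour.get(key, "drop")
        if state == "open":
            out.append(dict(base, flags=SYN | ACK, ack=(probe["seq"] + 1) & 0xFFFFFFFF))
        elif state == "closed":
            out.append(dict(base, flags=RST | ACK, ack=(probe["seq"] + 1) & 0xFFFFFFFF))
        return out
    return wire
```

Because the key lives only in the scanner, a host (or an IDS playing tricks) cannot produce a SYN/ACK that classify() accepts without having seen the matching SYN, and the scanner holds no per-probe state at all: the pending table in scan() exists only to drive the retry, not to validate replies.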

3.5 OSSTM
The OSSTM port range option is from the Open Source Security Testing Methodology (www.ideahampster.org).


4 Other misc info

4.1 ARP scan
If a wrong ARP scan (-a w) is performed and there is an OpenBSD 3.2 machine on the network, a message will appear on the BSD console and in the kernel log, something along the lines of:

"/BSD: Arp: ether address is broadcast IP address 255.255.255.255".

This is because the MAC address for ARP broadcasts is 00:00:00:00:00:00 and not ff:ff:ff:ff:ff:ff, thus an error is detected and logged. An OpenBSD box will not reply to this type of scanning, whereas a Windows machine will (one method of possibly fingerprinting targets?).
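An added example, not the gobbler's code, of the ARP behaviour this section describes: a builder for the normal and the "wrong" who-has frames, a receiver-side decision function, and the two-probe fingerprint the section hints at. The strict/lenient split models only what the paragraph above reports (a stack that logs and ignores a request whose sender hardware address is not a real MAC, versus one that answers anyway); it is an assumption for illustration, not OpenBSD's or Windows' ARP code, and the exact log text is this example's own. The sender IP 255.255.255.255 for the wrong probe is taken from the logged message above; the other addresses and all function names are this example's.

```python
import socket
import struct

BROADCAST = b"\xff" * 6
ZERO = b"\x00" * 6
ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Raw Ethernet frame carrying one ARP message (the bytes libnet would write to the wire)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)                # hw Ethernet, proto IPv4, lens 6/4
    arp += sender_mac + socket.inet_aton(sender_ip) + target_mac + socket.inet_aton(target_ip)
    return dst_mac + sender_mac + ETHERTYPE_ARP + arp


def wrong_arp_request(target_ip, sender_ip="255.255.255.255"):
    """The '-a w' style probe from 4.1: a who-has whose Ethernet source and ARP sender hardware
    address are all zero instead of a real MAC (sender IP taken from the logged message above)."""
    return arp_frame(ARP_REQUEST, ZERO, sender_ip, ZERO, target_ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28], "spa": socket.inet_ntoa(frame[28:32]),
            "tha": frame[32:38], "tpa": socket.inet_ntoa(frame[38:42])}


def respond(frame, my_mac, my_ip, strict):
    """Receiver-side decision for a who-has aimed at my_ip.
    strict=True models a stack that logs and drops a request whose sender hardware address
    is all-zero or broadcast (what 4.1 reports for OpenBSD); strict=False models a stack
    that answers anyway (what 4.1 reports for Windows). Assumption for illustration only,
    not either operating system's ARP code.
    Returns ("reply", frame), ("log", message) or ("ignore", None)."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REQUEST or arp["tpa"] != my_ip:
        return "ignore", None
    if strict and arp["sha"] in (ZERO, BROADCAST):
        return "log", "arp: bad sender hardware address %s for IP address %s" % (
            arp["sha"].hex(":"), arp["spa"])
    reply = arp_frame(ARP_REPLY, my_mac, my_ip, arp["sha"], arp["spa"], dst_mac=arp["sha"])
    return "reply", reply


def fingerprint(answered_normal, answered_wrong):
    """Two-probe classification of a host, the idea 4.1 floats for fingerprinting targets."""
    if answered_normal and answered_wrong:
        return "lenient"     # answers the wrong ARP too (Windows-like, per 4.1)
    if answered_normal:
        return "strict"      # answers only a well-formed who-has (OpenBSD-like, per 4.1)
    return "silent"
```

Run both probes against a host and feed the two yes/no outcomes to fingerprint(); the value of the wrong probe is precisely that it separates stacks that validate the sender hardware address from those that do not, which a normal who-has cannot do.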

4.2 Bugs
If you get errors such as:
-buildtcp: libnet_pblock_append(): memcpy would over flow buffer
-write_error: libnet_pblock_coalesce(): cannot allocate memory

they are not my fault... they are problems in libnet and the gobbler not giving the kernel enough time to free a list inside libnet. I have tried to slow the gobbler down as much as possible to ensure these errors do not occur.

The program does crash during a DHCP gobble: a class C network would be easy to DoS, but when it comes to a class B the program crashes (still in alpha testing).

4.3 Results for various things


Detecting filtered ports results
If a firewall drops every packet apart from port 80, a scan to detect both open and filtered ports can take a while.

For example:
nmap -sS -P0 a.b.c.d                     approx 330 seconds to detect open and filtered ports
Gobbler -N a.b.c.d -Q.e.f.g.h-r -Pn      approx 40 seconds (with rechecking filtered ports)
Gobbler -j -N a.b.c.d -Q.e.f.g.h-r -Pn   approx 16 seconds (without rechecking)

Sniffer results
nmap scan (-sS) over a 100Mb Ethernet LAN, tested on a P3 1GHz 128MB laptop running Mandrake 8:

tcpdump drops on average 2950 packets
tethereal (text version of ethereal) drops on average 2900 packets
gobbler -s -v drops on average 2450 packets

Any packets dropped are apparently dropped by the kernel and the limitations of tcpdump... check out Martin Roesch's presentation on snort (www.blackhat.com) for more info on the limitations of tcpdump. The gobbler is not designed to be a sniffer but has a sniffer core, so I decided to add a switch to output data. As it is not designed to be a sniffer the output will be all over the place, especially since it is multithreaded... the randomness of context switching ensures that the output will not match up, and I did not want to slow down the sniffing just to ensure a correct packet dump.

e.g. the contents of an IP packet could be printed followed by the contents of the TCP header of a different packet. This would be due to a context switch between the packet headers being printed on the screen.

nmap by Fyodor is available from www.insecure.org.nmap
tcpdump is available from www.tcpdump.org
tethereal is the text version of ethereal, available from www.ethereal.com

4.5
Some DHCP servers send an ICMP echo request once the address has been assigned to the interface; I am guessing this is to confirm that there were no problems with the assignment. If the server does send a ping the Gobbler will in turn reply, but only as long as the ping packet is not fragmented (haven't got around to packet reassembly just yet). If the server pings the gobbled host, ensure you do not use the -r flag (don't reply to ping requests). From the limited number of DHCP servers tested (Windows 2000 Advanced Server default DHCP server, WinRoute DHCP and dhcpd from www.isc.org), only dhcpd sent ping requests. Further investigation is required to start fingerprinting DHCP servers. Another difference: Windows 2000 DHCP servers send vendor-specific information, which could further help identify the server.


www.networkpenetration.com
gobbler.sourceforge.net

ChangeLog

Alpha 1.8

Added multiple methods for ARP scan (from broadcast address, from gobbled host, from specified host).
Slowed down ARP scan... increased chance of getting replies.
Added don't-reply-to-ICMP-echo-request switch (-r).
Fixed ARP scan again... message on BSD boxes now doesn't appear... changed broadcast src MAC from ff:ff:ff:ff:ff:ff to 00:00:00:00:00:00.
Moved startlibnet() to before parsing args, as if a random MAC was selected the same MAC addresses were used (not seeding random until after, so moved it).
Changed results (fixed minor timing bugs and removed irrelevant info).
Added reply to UDP scans with ICMP port unavailable (-O command line opens a specified UDP port).
Added reply to half-open SYN scans and TCP connects: send RST, or if port specified with -o open, send SYN/ACK.
Added create single host option for testing the gobbler's broken TCP/IP stack.
Changed portscan timings... now sleep 750 000 00 nanosecs every X ports scanned (increased portscan reliability tenfold).
Reduced default endwait time from 5 to 2 seconds... as the scan is slower we don't have to wait as long.
Fixed major bug in scanning routine..... OSSTM was scanning both OSSTM ports and NMAP ports.
Added filtered port detection and rescan..... if port doesn't reply, retry; if still no reply, port = filtered.
Added subnet MITM attack (gobble 4 IPs: DHCP server, DNS server, default GW and client addr, and send to client when requested).
Default portscans (OSSTM and nmap services) now take around 20 to 40 seconds depending on how filtered; scanning filtered ports is slower than the initial scanning phase.
Added start portscan signal (after portscan threads are initialized, signal them to start).
Added real nmap ports (-Pr) as opposed to just nmap services (real = 1605, services = 1153, OSSTM = 1233).

Alpha 1.5

Distributed port scanning using either DHCP to decide on the source or a source specified on the command line
Display MAC address of DHCP servers to detect rogue DHCP servers (unless the rogue server is spoofing its MAC address)
Added NMAP service ports (array)
Added Non gobbled spoofed syn flood
Added print ports at end of scan
Added send reset packet if port open
Open ports added to linked list
Fixed ARP scan from subnets other than 255.255.0.0
Added non-spoofed MAC address in non-gobbled portscan
Added specify MAC address in non-gobbled portscan, 1a:2b:3c:4d:5e:6f format
Moved target's ARP address from kernel to userland (e.g. there will be no change to your kernel's cache). The gobbler now does a lookup from the kernel ARP cache... if that fails an ARP request is issued and the reply put in a linked list
Cleaned up number of threads started (compare port range, subnet count and threadnumbermax, start lowest)
Added setrlimit on core dumps (might not help if you are planning on debugging)
Fixed ARP lookup so it is only done once from the 1st spoofed address (as opposed to once by every thread)
Increased stability (the scans are now slower than before but the gobbler is less likely to crash)
Added check to dynamically assigned IP addresses to ensure that each address is a fully assigned address, e.g. not waiting for ACK from server

Alpha 1
Multithreaded dynamically assigned spoofed stateless SYN portscanner (what a mouthful... soon to have distributed added to it)

Multithreaded pthread_mutex_locking around pcap_next sniffer (another mouthful... good job it's the gobbler we're talking about)


Multithreaded ARP scanner

portscanner - decide on route and issue ARP request
- 3 types of port lists

*All (simple count increment)
*OSSTM (array of ports)
*libnet port list - had to be converted to a linked list for thread concurrency issues

gobbled IP - reply to ARP request
-reply to ICMP echo requests if from local segment

DoS DHCP server
MAC tagging to identify gobbled IP addresses on subnet
Various packet sleep gaps
Count number of possible addresses from netmask

Packet stats + various timers displayed on exit

Sniffer decodes - Ethernet frame
-ARP packet - request + reply
-IP packet
-UDP packet
-TCP packet
-DHCP packet
-ICMP packet - echo request + reply



Received on Mon Feb 17 20:25:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:22 EDT

