gps - ghost port scan
   
     Basic idea
   The aim of Ghost Port Scan is to provide administrators and
   pen-testers with a tool that allows them to easily test firewalls and
   get information from a remote host.
   GPS is a port scanner and a firewall rules disclosure (FWRD) tool,
   which uses IP spoofing, ARP poisoning and some other stratagems in
   order to collect information stealthily and untraceably.
   Since GPS needs to sniff the responses from the target host, it must
   be run on a loopback or an Ethernet interface (including cable
   modem).

     IP spoofing
   The IP addresses specified to GPS (see the 'usage' section) are used
   as spoofed source addresses. To be more explicit: the host being
   scanned thinks that the scan is performed by the hosts having the IPs
   you gave to GPS.
   Depending on the scan type chosen, the IPs are used randomly or
   sequentially.

     MAC spoofing
   To perform an _absolutely_ untrackable scan, IP spoofing is not
   enough, because the MAC/physical address in the Ethernet frame header
   of the packets we send is our own.
   GPS is able to produce and inject frames with both MAC and IP
   addresses spoofed.

     ARP poisoning
   The trick that makes GPS work is ARP poisoning. When you scan a host
   using a source IP that belongs to the LAN but to no connected machine,
   the gateway or the target (if it is on the LAN) will ask for the
   physical address that matches the spoofed IP. This is simply done with
   an ARP Request. Since no machine has the IP in the ARP Request, none
   will answer, and no packets will be sent back, because the
   gateway/target does not know which address to put in the frames.
   The solution is to send a fake ARP Reply with a random physical
   address when sniffing an ARP Request which holds the spoofed IP. Some
   problems may occur if you are using an IP belonging to a connected
   host, because this host will no longer be able to receive its
   legitimate frames from the host which issued the ARP Request.
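From the defender's side, the behaviour described above leaves two footprints on the wire: a burst of ARP Replies binding never-seen IPs to never-seen MACs, and (when a live host's IP is reused) a known IP suddenly answering with a different MAC. The following audit routine is an added example, not part of GPS, written in Python over a constructed list of ARP Reply records; the window and threshold values are assumptions chosen for the sample.

```python
# Constructed ARP reply records (timestamp_s, sender_ip, sender_mac); not a real
# capture. Two hosts answer normally, then a burst of replies claims otherwise
# unused addresses with a fresh MAC each, and finally a reply rebinds a live
# host's address to a different MAC.
ARP_REPLIES = [
    (0.0, "192.168.1.1",   "aa:bb:cc:00:00:01"),   # gateway
    (0.5, "192.168.1.10",  "aa:bb:cc:00:00:10"),   # workstation
    (1.0, "192.168.1.1",   "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.201", "3e:91:7f:02:aa:10"),
    (2.1, "192.168.1.202", "1a:44:0c:93:be:77"),
    (2.2, "192.168.1.203", "c6:08:5d:e1:42:0f"),
    (2.3, "192.168.1.204", "7a:d3:22:06:9b:e4"),
    (2.4, "192.168.1.205", "92:1f:a6:b8:30:cd"),
    (3.0, "192.168.1.10",  "5e:77:19:0a:c4:21"),
]

def audit_arp_replies(replies, window_s=1.0, burst_threshold=4):
    """Return [(kind, detail), ...] alerts, in order of occurrence.

    'rebind': an IP previously bound to one MAC now answers with another; this
        is the collision the text warns about when a live host's IP is spoofed.
    'burst': burst_threshold replies within window_s seconds that each introduce
        both a never-seen IP and a never-seen MAC, the footprint of spoofed
        sources being answered for with random hardware addresses.
    (window_s and burst_threshold are assumed tuning values for this sample.)
    """
    alerts = []
    ip_to_mac = {}          # last MAC seen claiming each IP
    known_macs = set()      # every sender MAC seen so far
    fresh = []              # timestamps of replies that were new in both fields
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("rebind", f"{ip}: {prev} -> {mac}"))
        if prev is None and mac not in known_macs:
            fresh.append(ts)
            fresh = [t for t in fresh if ts - t <= window_s]
            if len(fresh) == burst_threshold:   # fire once when the window fills
                alerts.append(("burst", f"{burst_threshold} new ip/mac bindings "
                                        f"within {window_s}s ending at {ts}"))
        ip_to_mac[ip] = mac
        known_macs.add(mac)
    return alerts
```

On the sample the burst fires at the fourth fresh binding (t=2.3) and the rebind fires for 192.168.1.10; the first three legitimate replies alone produce no alert.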

     Sniffing
   GPS supports loopback and ethernet devices for packet sniffing.
   Tests have been done on both LAN and cable modem, and both worked.

     Scan modes
   Different scan modes are implemented in GPS, partly inspired from
   nmap:
	SYN scan: the most basic, the least stealthy, but the most reliable,
	because it works on all OSs and requires just a few resources. It
	consists of sending a SYN and sniffing back a SYN|ACK.

	FIN/Xmas Tree/Null: stealthy, but these port scans do not work with
	some OSs (such as Windows). Take a look at the nmap mailing list for a
	reliable list of these OSs. Sending a Null, FIN or Xmas Tree TCP
	segment will cause the target to send back a RST if the port is
	closed, and nothing if it is open.

	Rand scan: the stealthiest. It is a mix between FIN, Xmas Tree, Null
	and some other scans. When generating a packet, TCP flags are randomly
	set among: Null(0), FIN, URG, PSH, FIN|URG, FIN|PSH, URG|PSH and
	FIN|URG|PSH. Some IDS or loggers such as iplog assume that a port
	scan is being performed when they intercept n or more packets of the
	same type. For example, iplog detects a FIN scan only if it sees, say,
	20 FIN packets or more. By randomizing the TCP flags, the detection
	risk is greatly reduced, especially if many source IPs have been
	specified to GPS.

	ACK scan: this scan is used to view filtered ports on a machine. If a
	RST is sent back when sending an ACK, the port is not filtered. If
	nothing comes back, the port is filtered.

	FWRD mode: the most advanced mode. The FireWall Rules Disclosure scan
	uses all IPs specified to GPS to scan the target host (with an ACK
	scan) and determines which IPs are allowed to send packets to the
	specified ports through the firewall. This scan works only if the
	target is on the same LAN, except in some very specific cases.
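The FIN/Xmas Tree/Null and Rand scan descriptions above rest on a weakness in per-type thresholds: a logger that counts identical flag combinations per source never reaches its threshold when flags and sources are randomized. Every probe in that family, however, lacks SYN, ACK and RST, which no segment of a legitimate TCP conversation does, so counting that class per destination host is not fooled. The following Python is an added example (not GPS code, and the per-type model is only what the text attributes to iplog, not its real implementation) run over constructed sample segments.

```python
# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The eight flag combinations the Rand scan draws from.
PROBE_FLAGS = [0, FIN, URG, PSH, FIN | URG, FIN | PSH, URG | PSH, FIN | URG | PSH]

# Constructed sample traffic (not a real capture): one ordinary connection to
# 10.0.0.5 port 80, then 24 randomized-flag probes of 10.0.0.5 spread over six
# spoofed source addresses. Tuples are (src_ip, dst_ip, dst_port, flags).
SEGMENTS = [
    ("10.0.0.9", "10.0.0.5", 80, SYN),
    ("10.0.0.5", "10.0.0.9", 80, SYN | ACK),
    ("10.0.0.9", "10.0.0.5", 80, ACK),
    ("10.0.0.9", "10.0.0.5", 80, PSH | ACK),
]
for _i in range(24):
    SEGMENTS.append((f"10.0.0.{100 + _i % 6}", "10.0.0.5", 1 + _i, PROBE_FLAGS[_i % 8]))

def per_type_counts(segments):
    """Threshold model the text attributes to iplog: count identical
    (source, exact flag combination) pairs. Randomizing flags and sources
    keeps every such count small, so a threshold of 20 is never reached."""
    counts = {}
    for src, _dst, _port, flags in segments:
        counts[(src, flags)] = counts.get((src, flags), 0) + 1
    return counts

def is_stateless_probe(flags):
    """Every segment of a legitimate TCP conversation carries SYN, ACK or RST.
    A segment with none of them cannot belong to a handshake or an established
    flow; this covers Null, FIN, Xmas Tree and all Rand-scan combinations."""
    return flags & (SYN | ACK | RST) == 0

def probe_targets(segments, threshold=20):
    """Count stateless probes per destination host, ignoring the source address
    and the flag mix; return {dst: (probe_count, distinct_ports)} at or over
    threshold."""
    counts, ports = {}, {}
    for _src, dst, port, flags in segments:
        if is_stateless_probe(flags):
            counts[dst] = counts.get(dst, 0) + 1
            ports.setdefault(dst, set()).add(port)
    return {dst: (n, len(ports[dst])) for dst, n in counts.items() if n >= threshold}
```

On the sample, no (source, flags) pair is seen more than once, while the per-target view reports 24 probes across 24 distinct ports on 10.0.0.5.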

     Timeout handling
   Since version 0.6.0, GPS handles timeouts adaptively: it determines a
   timeout value by TCP-pinging the remote host and measuring the time it
   takes to get a response from the target.

     Fragmentation
   GPS-0.7.0 supports fragmentation in both injection and sniffing. You
   may now choose not to fragment the packets, to fragment them into tiny
   fragments, or to split them so that the fragments overlap (most recent
   OSes drop such packets).

     Localhost scanning support
   Localhost scanning is now handled (involving sniffing and packet
   injection through the loopback device).

     Usable IPs auto-determination
   GPS-0.8.0 is able to find the IP addresses which are not in use on the
   LAN your workstation is connected to. This feature is used if no
   source IPs have been specified to GPS. The aim of such a function is
   to avoid the potential DoS which may be caused by ARP poisoning of an
   address that a connected host is actually using.

The gps homepage is located at:

	http://gps.sourceforge.net/

Cryptographic signatures and checksums may be provided by 
the developers at the URL(s) above.  Wiretapped recommends
that users check these before use of the software/information.