Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- @ECHO OFF
- REM **************************************************************************
- REM Name: BlackHole.bat
- REM Version: 1.0 (24.Aug.2005)
- REM Author: Jason Fossen (http://www.sans.org/windows-security)
- REM Purpose: Manages "blackholed" IP address routes in the route table. Such
- REM routes point to a non-existent gateway, thus preventing access
- REM to the blackholed IP address from or through the local machine.
- REM Requires Windows XP or later.
- REM Note: None of the routes added are persistent. You must edit the
- REM variable named BLACKHOLE below to make the script work.
- REM Legal: SCRIPT PROVIDED "AS IS" WITHOUT WARRANTIES OR GUARANTEES OF ANY
- REM KIND. USE AT YOUR OWN RISK. Public domain. No rights reserved.
- REM **************************************************************************
- SETLOCAL
- REM **************************************************************************
- REM The BLACKHOLE variable is the bogus gateway to which blackholed packets will
- REM be unsuccessfully sent, thus making those packets just disappear.
- SET BLACKHOLE=172.16.218.99
- REM You must change it to an IP address which is not in use on your network and
- REM which is on the same subnet as one of the interfaces of the computer. For
- REM example, if the computer has an internal IP address and subnet mask of
- REM 10.82.0.1/255.255.0.0 then you could choose 10.82.99.1, assuming that this IP
- REM address is not in use and will not be leased out through DHCP/BOOTP. If you
- REM find that your selected IP address has become active, just run the script with
- REM the /removeall switch first, then modify the BLACKHOLE variable with the new IP
- REM address and add the entries backagain. Note that a bogus ARP entry will be
- REM created for the blackhole IP address, but the /removeall switch will remove it.
- REM **************************************************************************
- IF "%1" == "/l" GOTO LISTROUTES
- IF "%1" == "/list" GOTO LISTROUTES
- IF "%1" == "/LIST" GOTO LISTROUTES
- IF "%1" == "list" GOTO LISTROUTES
- IF "%1" == "/a" CALL :ADDROUTE %2 %3
- IF "%1" == "/add" CALL :ADDROUTE %2 %3
- IF "%1" == "/ADD" CALL :ADDROUTE %2 %3
- IF "%1" == "add" CALL :ADDROUTE %2 %3
- IF "%1" == "/r" CALL :REMOVEROUTE %2 %3
- IF "%1" == "/remove" CALL :REMOVEROUTE %2 %3
- IF "%1" == "/REMOVE" CALL :REMOVEROUTE %2 %3
- IF "%1" == "remove" CALL :REMOVEROUTE %2 %3
- IF "%1" == "/fileadd" GOTO FILEADD
- IF "%1" == "/FILEADD" GOTO FILEADD
- IF "%1" == "fileadd" GOTO FILEADD
- IF "%1" == "/fileremove" GOTO FILEREMOVE
- IF "%1" == "/FILEREMOVE" GOTO FILEREMOVE
- IF "%1" == "fileremove" GOTO FILEREMOVE
- IF "%1" == "/removeall" GOTO REMOVEALL
- IF "%1" == "/REMOVEALL" GOTO REMOVEALL
- IF "%1" == "removeall" GOTO REMOVEALL
- IF "%1" == "/?" GOTO SHOWHELPANDQUIT
- IF "%1" == "/h" GOTO SHOWHELPANDQUIT
- IF "%1" == "-h" GOTO SHOWHELPANDQUIT
- IF "%1" == "/help" GOTO SHOWHELPANDQUIT
- IF "%1" == "-help" GOTO SHOWHELPANDQUIT
- IF "%1" == "--help" GOTO SHOWHELPANDQUIT
- GOTO QUIT
- REM **************************************************************************
- :LISTROUTES
- ECHO.
- ECHO The following IP addresses are currently being blackholed (list may be empty):
- ECHO. > %TEMP%\tmp-safetodelete-1.txt
- ECHO. > %TEMP%\tmp-safetodelete-2.txt
- route.exe print|find.exe "%BLACKHOLE%" >> %TEMP%\tmp-safetodelete-1.txt
- FOR /F "tokens=1,2" %%i IN (%TEMP%\tmp-safetodelete-1.txt) DO ECHO %%i %%j >> %TEMP%\tmp-safetodelete-2.txt
- sort.exe %TEMP%\tmp-safetodelete-2.txt
- ECHO.
- ECHO The BLACKHOLE variable in this script is set to %BLACKHOLE%
- arp.exe -a | find.exe "%BLACKHOLE%"
- ping.exe -n 1 -w 50 %BLACKHOLE% 1>nul 2>nul
- IF %ERRORLEVEL% == 0 ECHO. && ECHO WARNING! Your blackhole IP address is PINGable!! && ECHO This is NOT how you should use this script. && ECHO Change the BLACKHOLE variable to an inactive IP address!
- DEL /F %TEMP%\tmp-safetodelete-1.txt 1>nul 2>nul
- DEL /F %TEMP%\tmp-safetodelete-2.txt 1>nul 2>nul
- GOTO QUIT
- REM **************************************************************************
- :FILEADD
- FOR /F "eol=# tokens=1,2 delims=/ " %%i IN (%2) DO CALL :ADDROUTE %%i %%j
- GOTO QUIT
- REM **************************************************************************
- :FILEREMOVE
- FOR /F "eol=# tokens=1,2 delims=/ " %%i IN (%2) DO CALL :REMOVEROUTE %%i %%j
- GOTO QUIT
- REM **************************************************************************
- REM ADDROUTE is only called as a procedure, hence, %1 is the first argument passed in.
- REM **************************************************************************
- :ADDROUTE
- SET IP=%1
- SET MASK=%2
- IF "%MASK%" == " " SET MASK=255.255.255.255
- REM Add/update a static ARP entry for the blackhole IP address where the hardware address couldn't
- REM exist based on the list of vendors from http://standards.ieee.org/regauth/oui/oui.txt
- arp.exe -s %BLACKHOLE% e9-f2-9b-12-c3-77 1>nul 2>nul
- REM Check that the route doesn't already exist.
- route.exe print | find.exe "%IP%" | find.exe "%MASK%" 1>nul 2>nul
- IF %ERRORLEVEL% == 0 ECHO. && ECHO %IP% %MASK% already exists in the route table. Nothing changed. && GOTO QUIT
- route.exe add %IP% mask %MASK% %BLACKHOLE% 1>nul 2>%TEMP%\tmp-safetodelete-3.txt
- FOR /F %%i IN (%TEMP%\tmp-safetodelete-3.txt) DO ECHO. && ECHO Problem adding the blackhole route. && TYPE %TEMP%\tmp-safetodelete-3.txt && SET DUDE=x
- IF NOT DEFINED DUDE ECHO. && ECHO %IP% %MASK% successfully blackholed in the route table.
- SET DUDE=
- DEL /F %TEMP%\tmp-safetodelete-3.txt
- GOTO QUIT
- REM **************************************************************************
- REM REMOVEROUTE is only called as a procedure, hence, %1 is the argument passed in.
- REM **************************************************************************
- :REMOVEROUTE
- SET IP=%1
- SET MASK=%2
- IF "%MASK%" == " " SET MASK=255.255.255.255
- REM Check that the route exists first.
- route.exe print | find.exe "%IP%" | find.exe "%MASK%" | find.exe "%BLACKHOLE%" 1>nul 2>nul
- IF NOT %ERRORLEVEL% == 0 ECHO. && ECHO %IP% %MASK% does not appear to be blackholed. Nothing changed. && GOTO QUIT
- route.exe delete %IP% mask %MASK% %BLACKHOLE%
- IF %ERRORLEVEL% == 0 ECHO. && ECHO %IP% %MASK% successfully un-blackholed from the route table.
- GOTO QUIT
- REM **************************************************************************
- :REMOVEALL
- ECHO. > %TEMP%\tmp-safetodelete-1.txt
- route.exe print | find.exe "%BLACKHOLE%" >> %TEMP%\tmp-safetodelete-1.txt
- FOR /F "eol=# tokens=1,2" %%i IN (%TEMP%\tmp-safetodelete-1.txt) DO CALL :REMOVEROUTE %%i %%j
- arp.exe -d "%BLACKHOLE%" 1>nul 2>nul
- del /F %TEMP%\tmp-safetodelete-1.txt 1>nul 2>nul
- GOTO QUIT
- REM **************************************************************************
- :SHOWHELPANDQUIT
- REM First try to ping BLACKHOLE and complain if it is pingable, then show help.
- ping.exe -n 1 -w 200 %BLACKHOLE% 1>nul 2>nul
- IF %ERRORLEVEL% == 0 ECHO. && ECHO NOTICE! The blackhole IP address configured in this script is PINGable! && ECHO Change it to an inactive IP address before using. Open this script in && ECHO a text editor to change the BLACKHOLE variable. && ECHO.
- ECHO.
- ECHO BLACKHOLE.BAT /list
- ECHO BLACKHOLE.BAT /add ipaddress
- ECHO BLACKHOLE.BAT /add ipaddress netmask
- ECHO BLACKHOLE.BAT /remove ipaddress
- ECHO BLACKHOLE.BAT /remove ipaddress netmask
- ECHO BLACKHOLE.BAT /fileadd file.txt
- ECHO BLACKHOLE.BAT /fileremove file.txt
- ECHO BLACKHOLE.BAT /removeall
- ECHO BLACKHOLE.BAT /?
- ECHO.
- ECHO Purpose: Manages "blackholed" IP addresses in the route table. Blackholed IP
- ECHO addresses are routed to a non-existent gateway, hence, packets
- ECHO sent to these addresses do not reach their destination. Blackholing
- ECHO an address is a quick, easy and temporary way to stop communication
- ECHO to an unwanted internal or external host. It is easily reversible
- ECHO and does not disrupt any other on-going communications. None of the
- ECHO routes added by this script are persistent.
- ECHO.
- ECHO Note: You must edit the BLACKHOLE variable at the top of the script to set
- ECHO the IP address for your non-existent gateway. Just choose any IP
- ECHO address that is not in use, will not be used, and appears to be on
- ECHO the same subnet as one of the interfaces of the local machine. If
- ECHO you don't know how to examine your IP addresses and subnet masks in
- ECHO order to do this, you probably should not use this script.
- ECHO.
- ECHO Args: /LIST -- Lists all currently blackholed IP address routes.
- ECHO.
- ECHO /ADD ipaddress -- Adds ipaddress to the list of blackholed routes with
- ECHO a netmask of 255.255.255.255 (i.e., single IP) or
- ECHO specify a different netmask, e.g., 255.255.0.0.
- ECHO.
- ECHO /REMOVE ipaddress -- Removes ipaddress from list of blackholed routes
- ECHO with a netmask of 255.255.255.255, or specify a
- ECHO different netmask as the third argument.
- ECHO.
- ECHO /FILEADD file.txt -- Parses file.txt and adds each IP address in it
- ECHO to the list of blackholed routes. Any blank
- ECHO and commented lines (#) are ignored. If no
- ECHO. netmask is specified, 255.255.255.255 is
- ECHO assumed. Specify a netmask by separating it from
- ECHO the IP address with a space or forward slash,
- ECHO e.g., 10.0.0.0 255.0.0.0, or, 10.0.0.0/255.0.0.0
- ECHO.
- ECHO /FILEREMOVE file.txt -- Parses file.txt and removes each IP address
- ECHO found from the list of blackholed routes.
- ECHO Blank and commented lines (#) are ignored.
- ECHO If no netmask is specified, 255.255.255.255
- ECHO is assumed. Specify a different netmask by
- ECHO separating it from the IP address with a
- ECHO space or forwardslash.
- ECHO.
- ECHO /REMOVEALL -- Removes all blackholed routes and removes the static
- ECHO arp.exe entry for the bogus BLACKHOLE IP address. Use
- ECHO this before changing the BLACKHOLE variable again.
- ECHO.
- ECHO Legal: SCRIPT PROVIDED "AS IS" AND WITHOUT WARRANTIES OR GUARANTEES OF ANY
- ECHO KIND. USE AT YOUR OWN RISK. Public domain. No rights reserved.
- ECHO ( www.sans.org )
- GOTO QUIT
- REM **************************************************************************
- :QUIT
- ENDLOCAL
- ECHO.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement