Untitled

a guest
Oct 15th, 2017
@ECHO OFF
REM **************************************************************************
REM     Name: BlackHole.bat
REM  Version: 1.0 (24.Aug.2005)
REM   Author: Jason Fossen (http://www.sans.org/windows-security)
REM  Purpose: Manages "blackholed" IP address routes in the route table.  Such
REM           routes point to a non-existent gateway, thus preventing access
REM           to the blackholed IP address from or through the local machine.
REM           Requires Windows XP or later.
REM     Note: None of the routes added are persistent.  You must edit the
REM           variable named BLACKHOLE below to make the script work.
REM    Legal: SCRIPT PROVIDED "AS IS" WITHOUT WARRANTIES OR GUARANTEES OF ANY
REM           KIND. USE AT YOUR OWN RISK.  Public domain.  No rights reserved.
REM **************************************************************************
SETLOCAL


REM **************************************************************************
REM The BLACKHOLE variable is the bogus gateway to which blackholed packets will
REM be unsuccessfully sent, thus making those packets just disappear.

SET BLACKHOLE=172.16.218.99

REM You must change it to an IP address which is not in use on your network and
REM which is on the same subnet as one of the interfaces of the computer.  For
REM example, if the computer has an internal IP address and subnet mask of
REM 10.82.0.1/255.255.0.0 then you could choose 10.82.99.1, assuming that this IP
REM address is not in use and will not be leased out through DHCP/BOOTP.  If you
REM find that your selected IP address has become active, just run the script with
REM the /removeall switch first, then modify the BLACKHOLE variable with the new IP
REM address and add the entries back again.  Note that a bogus ARP entry will be
REM created for the blackhole IP address, but the /removeall switch will remove it.
REM **************************************************************************


IF "%1" == "/l"              GOTO LISTROUTES
IF "%1" == "/list"           GOTO LISTROUTES
IF "%1" == "/LIST"           GOTO LISTROUTES
IF "%1" == "list"            GOTO LISTROUTES

IF "%1" == "/a"              CALL :ADDROUTE %2 %3
IF "%1" == "/add"            CALL :ADDROUTE %2 %3
IF "%1" == "/ADD"            CALL :ADDROUTE %2 %3
IF "%1" == "add"             CALL :ADDROUTE %2 %3

IF "%1" == "/r"              CALL :REMOVEROUTE %2 %3
IF "%1" == "/remove"         CALL :REMOVEROUTE %2 %3
IF "%1" == "/REMOVE"         CALL :REMOVEROUTE %2 %3
IF "%1" == "remove"          CALL :REMOVEROUTE %2 %3

IF "%1" == "/fileadd"        GOTO FILEADD
IF "%1" == "/FILEADD"        GOTO FILEADD
IF "%1" == "fileadd"         GOTO FILEADD

IF "%1" == "/fileremove"     GOTO FILEREMOVE
IF "%1" == "/FILEREMOVE"     GOTO FILEREMOVE
IF "%1" == "fileremove"      GOTO FILEREMOVE

IF "%1" == "/removeall"      GOTO REMOVEALL
IF "%1" == "/REMOVEALL"      GOTO REMOVEALL
IF "%1" == "removeall"       GOTO REMOVEALL

IF "%1" == "/?"              GOTO SHOWHELPANDQUIT
IF "%1" == "/h"              GOTO SHOWHELPANDQUIT
IF "%1" == "-h"              GOTO SHOWHELPANDQUIT
IF "%1" == "/help"           GOTO SHOWHELPANDQUIT
IF "%1" == "-help"           GOTO SHOWHELPANDQUIT
IF "%1" == "--help"          GOTO SHOWHELPANDQUIT

GOTO QUIT



REM **************************************************************************
:LISTROUTES
ECHO.
ECHO The following IP addresses are currently being blackholed (list may be empty):
ECHO. > "%TEMP%\tmp-safetodelete-1.txt"
ECHO. > "%TEMP%\tmp-safetodelete-2.txt"
REM  Every route whose line mentions the bogus gateway is one of our blackhole routes.
route.exe print | find.exe "%BLACKHOLE%" >> "%TEMP%\tmp-safetodelete-1.txt"
FOR /F "usebackq tokens=1,2" %%i IN ("%TEMP%\tmp-safetodelete-1.txt") DO ECHO %%i %%j >> "%TEMP%\tmp-safetodelete-2.txt"
sort.exe "%TEMP%\tmp-safetodelete-2.txt"
ECHO.
ECHO The BLACKHOLE variable in this script is set to %BLACKHOLE%
arp.exe -a | find.exe "%BLACKHOLE%"
REM  The blackhole address must be dead: if it answers a ping, a real host owns it.
ping.exe -n 1 -w 50 %BLACKHOLE% 1>nul 2>nul
IF %ERRORLEVEL% == 0 ECHO. && ECHO WARNING! Your blackhole IP address is PINGable!! && ECHO This is NOT how you should use this script. && ECHO Change the BLACKHOLE variable to an inactive IP address!
DEL /F "%TEMP%\tmp-safetodelete-1.txt" 1>nul 2>nul
DEL /F "%TEMP%\tmp-safetodelete-2.txt" 1>nul 2>nul
GOTO QUIT



REM **************************************************************************
REM Each non-blank, non-comment line of the file is "ip", "ip mask" or "ip/mask".
REM usebackq lets the file name be quoted, so paths containing spaces work.
REM **************************************************************************
:FILEADD
FOR /F "usebackq eol=# tokens=1,2 delims=/ " %%i IN ("%~2") DO CALL :ADDROUTE %%i %%j
GOTO QUIT



REM **************************************************************************
:FILEREMOVE
FOR /F "usebackq eol=# tokens=1,2 delims=/ " %%i IN ("%~2") DO CALL :REMOVEROUTE %%i %%j
GOTO QUIT



REM **************************************************************************
REM ADDROUTE is only called as a procedure, hence, %1 is the first argument passed in.
REM **************************************************************************
:ADDROUTE
SET IP=%1
SET MASK=%2
REM  No second argument means a host route (a single IP address).
IF "%MASK%" == "" SET MASK=255.255.255.255
REM  Add/update a static ARP entry for the blackhole IP address where the hardware address couldn't
REM  exist based on the list of vendors from http://standards.ieee.org/regauth/oui/oui.txt
arp.exe -s %BLACKHOLE% e9-f2-9b-12-c3-77 1>nul 2>nul
REM  Check that the route doesn't already exist.  Note that find.exe matches substrings,
REM  so an existing route for 10.0.0.10 would also satisfy a check for 10.0.0.1.
route.exe print | find.exe "%IP%" | find.exe "%MASK%" 1>nul 2>nul
IF %ERRORLEVEL% == 0 ECHO. && ECHO %IP% %MASK% already exists in the route table. Nothing changed. && GOTO QUIT
REM  Anything route.exe writes to stderr is treated as a failure.
route.exe add %IP% mask %MASK% %BLACKHOLE% 1>nul 2>"%TEMP%\tmp-safetodelete-3.txt"
FOR /F "usebackq" %%i IN ("%TEMP%\tmp-safetodelete-3.txt") DO ECHO. && ECHO Problem adding the blackhole route. && TYPE "%TEMP%\tmp-safetodelete-3.txt" && SET DUDE=x
IF NOT DEFINED DUDE ECHO. && ECHO %IP% %MASK% successfully blackholed in the route table.
SET DUDE=
DEL /F "%TEMP%\tmp-safetodelete-3.txt"
GOTO QUIT



REM **************************************************************************
REM REMOVEROUTE is only called as a procedure, hence, %1 is the argument passed in.
REM **************************************************************************
:REMOVEROUTE
SET IP=%1
SET MASK=%2
REM  No second argument means a host route (a single IP address).
IF "%MASK%" == "" SET MASK=255.255.255.255
REM  Check that the route exists first, and that it really points at our bogus gateway.
route.exe print | find.exe "%IP%" | find.exe "%MASK%" | find.exe "%BLACKHOLE%" 1>nul 2>nul
IF NOT %ERRORLEVEL% == 0 ECHO. && ECHO %IP% %MASK% does not appear to be blackholed. Nothing changed. && GOTO QUIT
route.exe delete %IP% mask %MASK% %BLACKHOLE%
IF %ERRORLEVEL% == 0 ECHO. && ECHO %IP% %MASK% successfully un-blackholed from the route table.
GOTO QUIT



REM **************************************************************************
:REMOVEALL
ECHO. > "%TEMP%\tmp-safetodelete-1.txt"
route.exe print | find.exe "%BLACKHOLE%" >> "%TEMP%\tmp-safetodelete-1.txt"
REM  Tokens 1 and 2 of each matching route line are the destination and netmask.
FOR /F "usebackq eol=# tokens=1,2" %%i IN ("%TEMP%\tmp-safetodelete-1.txt") DO CALL :REMOVEROUTE %%i %%j
arp.exe -d "%BLACKHOLE%" 1>nul 2>nul
del /F "%TEMP%\tmp-safetodelete-1.txt" 1>nul 2>nul
GOTO QUIT



REM **************************************************************************
:SHOWHELPANDQUIT
REM First try to ping BLACKHOLE and complain if it is pingable, then show help.
ping.exe -n 1 -w 200 %BLACKHOLE% 1>nul 2>nul
IF %ERRORLEVEL% == 0 ECHO. && ECHO NOTICE! The blackhole IP address configured in this script is PINGable! && ECHO Change it to an inactive IP address before using. Open this script in && ECHO a text editor to change the BLACKHOLE variable. && ECHO.

ECHO.
ECHO BLACKHOLE.BAT /list
ECHO BLACKHOLE.BAT /add ipaddress
ECHO BLACKHOLE.BAT /add ipaddress netmask
ECHO BLACKHOLE.BAT /remove ipaddress
ECHO BLACKHOLE.BAT /remove ipaddress netmask
ECHO BLACKHOLE.BAT /fileadd file.txt
ECHO BLACKHOLE.BAT /fileremove file.txt
ECHO BLACKHOLE.BAT /removeall
ECHO BLACKHOLE.BAT /?
ECHO.
ECHO Purpose: Manages "blackholed" IP addresses in the route table. Blackholed IP
ECHO          addresses are routed to a non-existent gateway, hence, packets
ECHO          sent to these addresses do not reach their destination.  Blackholing
ECHO          an address is a quick, easy and temporary way to stop communication
ECHO          to an unwanted internal or external host.  It is easily reversible
ECHO          and does not disrupt any other ongoing communications.  None of the
ECHO          routes added by this script are persistent.
ECHO.
ECHO    Note: You must edit the BLACKHOLE variable at the top of the script to set
ECHO          the IP address for your non-existent gateway.  Just choose any IP
ECHO          address that is not in use, will not be used, and appears to be on
ECHO          the same subnet as one of the interfaces of the local machine.  If
ECHO          you don't know how to examine your IP addresses and subnet masks in
ECHO          order to do this, you probably should not use this script.
ECHO.
ECHO    Args: /LIST -- Lists all currently blackholed IP address routes.
ECHO.
ECHO          /ADD ipaddress -- Adds ipaddress to the list of blackholed routes with
ECHO                            a netmask of 255.255.255.255 (i.e., single IP) or
ECHO                            specify a different netmask, e.g., 255.255.0.0.
ECHO.
ECHO          /REMOVE ipaddress -- Removes ipaddress from list of blackholed routes
ECHO                               with a netmask of 255.255.255.255, or specify a
ECHO                               different netmask as the third argument.
ECHO.
ECHO          /FILEADD file.txt -- Parses file.txt and adds each IP address in it
ECHO                               to the list of blackholed routes.  Any blank
ECHO                               and commented lines (#) are ignored. If no
ECHO                               netmask is specified, 255.255.255.255 is
ECHO                               assumed. Specify a netmask by separating it from
ECHO                               the IP address with a space or forward slash,
ECHO                               e.g., 10.0.0.0 255.0.0.0, or, 10.0.0.0/255.0.0.0
ECHO.
ECHO          /FILEREMOVE file.txt -- Parses file.txt and removes each IP address
ECHO                                  found from the list of blackholed routes.
ECHO                                  Blank and commented lines (#) are ignored.
ECHO                                  If no netmask is specified, 255.255.255.255
ECHO                                  is assumed. Specify a different netmask by
ECHO                                  separating it from the IP address with a
ECHO                                  space or forward slash.
ECHO.
ECHO          /REMOVEALL -- Removes all blackholed routes and removes the static
ECHO                        arp.exe entry for the bogus BLACKHOLE IP address. Use
ECHO                        this before changing the BLACKHOLE variable again.
ECHO.
ECHO   Legal: SCRIPT PROVIDED "AS IS" AND WITHOUT WARRANTIES OR GUARANTEES OF ANY
ECHO          KIND. USE AT YOUR OWN RISK. Public domain. No rights reserved.
ECHO          ( www.sans.org )
GOTO QUIT

REM **************************************************************************
:QUIT
ENDLOCAL
ECHO.
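The script's comments give the rule for choosing BLACKHOLE (an unused address on the subnet of one local interface), and its /list and /add paths rely on find.exe substring matches over "route print" output. The Python below is an added illustration of that logic, not part of BlackHole.bat or Jason Fossen's work: it parses a constructed "route print" sample, lists blackhole routes by exact gateway match, checks for an existing route by exact field match, and validates a candidate BLACKHOLE address against constructed interface address/mask pairs.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of 'route print' (not captured from a real host).
# 172.16.218.99 plays the role of the script's BLACKHOLE gateway.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.16.218.1   172.16.218.50     20
         10.0.0.0        255.0.0.0    172.16.218.99   172.16.218.50     21
        10.0.0.10  255.255.255.255    172.16.218.99   172.16.218.50     21
         10.0.0.1  255.255.255.255     172.16.218.1   172.16.218.50     21
     172.16.218.0    255.255.255.0          On-link   172.16.218.50    276
"""

ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (destination, netmask, gateway) for every IPv4 route line; headers are skipped."""
    return [m.group(1, 2, 3) for m in map(ROUTE_RE.match, text.splitlines()) if m]


def blackholed(routes, blackhole):
    """What /list prints: routes whose gateway is exactly the bogus BLACKHOLE address."""
    return sorted((dest, mask) for dest, mask, gw in routes if gw == blackhole)


def route_exists(routes, ip, mask="255.255.255.255"):
    """Exact-field version of the /add existence check.  The script pipes 'route print'
    through find.exe, which matches substrings, so asking about 10.0.0.1 would also
    hit the 10.0.0.10 line; comparing whole fields avoids that false positive."""
    return any(dest == ip and m == mask for dest, m, _ in routes)


def validate_blackhole(blackhole, interfaces):
    """Apply the rule from the script's comments: the candidate must lie on the subnet of
    one local interface (given as (ip, mask) pairs) without being that interface's own
    address or the subnet's network/broadcast address.  Liveness (the script's ping
    check) can only be tested on the real host, so it is not modelled here."""
    cand = ipaddress.IPv4Address(blackhole)
    for ip, mask in interfaces:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        if (cand in net and cand != ipaddress.IPv4Address(ip)
                and cand not in (net.network_address, net.broadcast_address)):
            return True
    return False
```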