#!/usr/bin/perl -Tw ################################# # Not the xmas scan in the nmap sense, # but in the "lets light 'em up" sense. # Actually, its not even a scan, just a # crap generator. # # Send packets with random settings from # any apparent source/port to any source/port. # # Requires: Net::RawIP (www.cpan.org) # root # # Notes: # Be careful. Aside from the obvious amount # of blatantly bogus traffic you'll generate, # I've seen this thing happily eat a p3-750 while # sending traffic on dummy0. On average, it'll # send 10k packets in ~15 seconds. Regardless of # the validity of the packets, I think thats more # than enough crap you'll wanna see pouring into # your machine. # # Bugs: # 1) It was crashing when the source address was a # multicast address, but for some reason this # problem disappeared. :shrug: # 2) Doesn't check for properly formatted source/destination # hosts. If you can't give it proper arguments, then # thats your own damn fault. # # (jhart@ccs.neu.edu) work/school # and/or # (warchild@spoofed.org) home/play ################################# use strict; use diagnostics; use locale; use Socket; use Net::RawIP; use Getopt::Long; $ENV{'PATH'} = "/usr/bin:/bin"; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; my $saddr; # source address my $daddr; # destination address my $sport; # source port my $dport; # destination port my $num; # number of packets to send my $delay; # delay between each packet (seconds) my $flags; # flags to set my $data; # data to send with packet my $debug; # get our options in place GetOptions( "src=s" => \(my $opt_saddr), "dest=s" => \(my $opt_daddr), "srcp=i" => \(my $opt_sport), "destp=i" => \(my $opt_dport), "num=i" => \(my $opt_num), "delay=i" => \(my $opt_delay), "flags=s" => \(my $opt_flags), "data=s" => \(my $opt_data), "help" => \(my $opt_help), "debug" => \(my $opt_debug)) or die "$!\n"; # setup defaults if not given any options if (defined($opt_help)) { print << "EOF" ; Send empty tcp packets to a desired host using random tcp headers. Optionally spoof the source address. REQUIRED: --dest OPTIONS: --src (default: random) --srcp (default: random) --destp (default: random) --num (defualt: 5) --delay (default: 2) --flags (default: random) --data (default: none) --debug (Print constructed packet) --help (This message) Example: ./xmas --dest 12.10.116.200 --destp 22 --num 1000 --delay 0 --data "foo" Captured by snort: 06/23-08:49:27.625471 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x39 120.81.114.73:57760 -> 12.10.116.200:22 TCP TTL:162 TOS:0x5B ID:36828 IpLen:20 DgmLen:43 DF **U*P*S* Seq: 0xBF330583 Ack: 0x1197D019 Win: 0x21DB TcpLen: 20 UrgPtr: 0x0 foo EOF exit; } # parse the options and set defaults if needed if (!defined($opt_num)) { $num = 5; } else { $num = $opt_num; } if (!defined($opt_delay)) { $delay = 2; } else { $delay = $opt_delay; } if (!defined($opt_data)) { $data = ""; } else { $data = $opt_data; } if (defined($opt_debug)) { $debug = $opt_debug; } if (!defined($opt_daddr)) { print "Try 'xmas --help for options'\n"; } else { # sanity check the destination host first, resolve if needed. if ($opt_daddr =~ /^([\d.]+)$/) { if ($opt_debug) { print "Not resolving $1\n"; } $daddr = $1; } elsif ($opt_daddr =~ /^([\d.\w-]+)$/) { if ($opt_debug) { print "Resolving $1\n"; } my $packedip = gethostbyname($1) or die "Couldn't resolve $1: $!\n"; $daddr = inet_ntoa($packedip); } else { die "Couldn't determine destination host format, wtf!\n"; } # now check the source host, resolve if needed. if (defined($opt_saddr)) { if ($opt_saddr =~ /^([\d.]+)$/) { $saddr = $1; } elsif ($opt_saddr =~ /^([\d.\w-]+)$/) { my $packedip = gethostbyname($1) or die "Coulding resolve $1: $!\n"; $saddr = inet_ntoa($packedip); } else { die "Couldn't determine source host format, wtf!\n"; } } # pick out the flags #if (defined($opt_flags) && ($opt_flags =~ /[a]|[f]|[p]|[s]|[u]/i)) { # my %flag_hash; # foreach (split(//, $opt_flags)) { # print "\l$_\n"; # unless (exists($flag_hash{$_})) { # $flag_hash{$_} = 1; # $flags .= $_; # } # } #} else { $flags = ""; } if (defined($opt_flags)) { my %seen; $opt_flags =~ tr/afprsu//dsc; my @uniq_flags = grep { ! $seen{$_} ++ } split(//, $opt_flags); foreach (@uniq_flags) { $flags .= $_; } } else { $flags = ""; } for(my $i = 0; $i < $num; $i++) { if (!defined($opt_saddr)) { $saddr = (int rand(256)).".".(int rand(256)).".".(int rand(256)).".".(int rand(256)); } else { $saddr = $opt_saddr; } if (!defined($opt_sport)) { $sport = int rand(65536); } else { $sport = $opt_sport; } if (!defined($opt_dport)) { $dport = int rand(65536); } else { $dport = $opt_dport; } &xmas($saddr, $daddr, $sport, $dport, $data, $flags); sleep($delay); } } sub xmas { my $source = shift; # apparent source address my $dest = shift; # desired destination address my $sport = shift; # source port my $dport = shift; # destination port my $data = shift; # data, if any my $flags = shift; # flags, if any print "Flags: $flags\n"; ############################# # IP header # version ihl tos tot_len id frag_off ttl protocol check saddr daddr # only version 4 is valid (IPv4), but uncomment if you like my $version = 4; # hack a TOS field my $precedence = substr(unpack("B32", pack("N", int rand(8))), -3); my $delay = substr(unpack("B32", pack("N", int rand(2))), -1); my $thruput = substr(unpack("B32", pack("N", int rand(2))), -1); my $reliability = substr(unpack("B32", pack("N", int rand(2))), -1); my $reserved = substr(unpack("B32", pack("N", int rand(4))), -2); my $bin_tos = $precedence . $delay . $thruput . $reliability . $reserved; my $tos = unpack("N", pack("B32", substr("0" x 32 . $bin_tos,-32))); my $tos_hex = substr(unpack("H32", pack("N", $tos)), -2); my $id = int rand(65536); my $ttl = int rand(256); #################### # TCP header # source dest seq ack_seq doff res1 res2 urg ack psh rst syn # fin window check urg_ptr data my ($ack, $fin, $psh, $rst, $syn, $urg); $urg = ($flags =~ /u/) || int rand(2); $ack = ($flags =~ /a/) || int rand(2); $psh = ($flags =~ /p/) || int rand(2); $rst = ($flags =~ /r/) || int rand(2); $syn = ($flags =~ /s/) || int rand(2); $fin = ($flags =~ /f/) || int rand(2); # a 32 bit numbers my $src_isn = int rand(4294967296); my $src_ack = int rand(4294967296); # 16-bit my $window = int rand(65536); if (defined($debug)) { print "#################################\n"; print " OUTGOING\n"; print "Source = $source $sport\n"; print "Destination = $dest $dport\n"; print "Seq = $src_isn\n"; print "Ack = $src_ack\n"; print "Window = $window\n"; print "AFPRSU = $ack$fin$psh$rst$syn$urg\n"; print "#################################\n"; } my $xmas_pack = new Net::RawIP({ ip => { id => $id, tos => $tos, ttl => $ttl, daddr => $dest, saddr => $source }, tcp => { source => $sport, dest => $dport, seq => $src_isn, ack_seq => $src_ack, window => $window, ack => $ack, syn => $syn, rst => $rst, psh => $psh, fin => $fin, urg => $urg, data => $data } }); $xmas_pack->send; }