From 40a2af0a8478b9e0d2078ed6f3898954d36a41ab Mon Sep 17 00:00:00 2001
From: david
Date: Sun, 23 Sep 2012 21:15:22 +0000
Subject: [PATCH] Description and timeout argument for ipv6-ra-flood.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Adam Števko.
---
 scripts/ipv6-ra-flood.nse | 43 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/scripts/ipv6-ra-flood.nse b/scripts/ipv6-ra-flood.nse
index 3eb526af2..3971c6760 100644
--- a/scripts/ipv6-ra-flood.nse
+++ b/scripts/ipv6-ra-flood.nse
@@ -5,16 +5,35 @@
 local math = require "math"
 local string = require "string"
 local os = require "os"
-description = [[ Generates a flood of Router Adverisments (RA) with randomized source MAC address and annouced IPv6 prefixes causing machines to be DoSed.
+description = [[ Generates a flood of Router Adverisments (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS),
+will start to compute IPv6 suffix and update their routing table to reflect the accepted annoucement. This will cause 100% CPU usage, thus preventing to process other application requests.
+
+Vulnerable platforms:
+ * All Cisco IOS ASA with firmware < November 2010
+ * All Netscreen versions supporting IPv6
+ * Windows 2000/XP/2003/Vista/7/2008/8/2012
+ * All FreeBSD versions
+ * All NetBSD versions
+ * All Solaris/Illumos versions
+
+Security advisory: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
+
+WARNING: This script is dangerous and is very likely to bring down a server or network appliance.
+It should not be run in a production environment unless you (and, more importantly,
+the business) understand the risks!
+
+Additional documents: https://tools.ietf.org/rfc/rfc6104.txt
 ]]
 
 ---
 -- @args
 -- ipv6-ra-flood.interface defines interface we should broadcast on
+-- ipv6-ra-flood.timeout runs the script until the timeout (in seconds) is reached (default: 30s). If timeout is zero, the script will run forever.
 --
 -- @usage
 -- nmap -6 --script ipv6-ra-flood.nse
 -- nmap -6 --script ipv6-ra-flood.nse --script-args 'interface='
+-- nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=,timeout=10'
 
 author = "Adam Števko"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
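Review bot: The new description and @args text carry spelling errors that will be shown verbatim to users of the script help: `Router Adverisments` should read `Router Advertisements` and `accepted annoucement` should read `accepted announcement`. The @args entry also states that only a zero timeout runs the script forever, whereas the exit test added later in this patch (`arg_timeout > 0`) treats any non-positive value that way; either reject negative values in code or document them here, e.g. `-- ipv6-ra-flood.timeout runs the script until the timeout (in seconds) is reached (default: 30s). If timeout is zero or negative, the script will run forever.`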
@@ -46,7 +65,7 @@ end local function get_interface() local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface") - local if_table = try(nmap.get_interface_info(arg_interface)) + local if_table = nmap.get_interface_info(arg_interface) if if_table and packet.ip6tobin(if_table.address) and if_table.link == "ethernet" then return if_table.device @@ -108,7 +127,12 @@ end --- Broadcasting on the selected interface -- @param iface table containing interface information local function broadcast_on_interface(iface) - stdnse.print_verbose("Starting " .. SCRIPT_NAME .. " on interface" .. iface) + stdnse.print_verbose("Starting " .. SCRIPT_NAME .. " on interface " .. iface) + + -- packet counter + local counter = 0 + + local arg_timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME..".timeout")) or 30 local dnet = nmap.new_dnet() @@ -125,6 +149,8 @@ local function broadcast_on_interface(iface) local mtu = 1500 + local start, stop = os.time() + while true do local src_mac = packet.mactobin(random_mac()) @@ -145,6 +171,17 @@ local function broadcast_on_interface(iface) packet:build_ether_frame() try(dnet:ethernet_send(packet.frame_buf)) + + counter = counter + 1 + + if arg_timeout and arg_timeout > 0 and arg_timeout <= os.time() - start then + stop = os.time() + break + end + end + + if counter > 0 then + stdnse.print_debug("%s generated %d packets in %d seconds.", SCRIPT_NAME, counter, stop - start) end end
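Review bot: Dropping `try()` around `nmap.get_interface_info(arg_interface)` turns an unknown or unset interface from a script-aborting error into a silent nil that falls through the `if if_table and ...` test below it. The remainder of get_interface is outside the hunk, so confirm the fall-through path still yields a useful diagnostic for the caller (for instance `return nil, "no usable IPv6 ethernet interface"`) rather than a bare nil that is only noticed once broadcast_on_interface is called with it.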
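Review bot: `tonumber(stdnse.get_script_args(SCRIPT_NAME..".timeout")) or 30` silently turns a mistyped value (a constructed example: `timeout=3O`) into the 30-second default, and a negative number passes through and disables the limit even though the docs only promise that for zero; since this timeout is the only cap on how long the flood runs, the argument should be validated rather than defaulted. Three lines cover it: `local raw_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout")`, `local arg_timeout = raw_timeout == nil and 30 or tonumber(raw_timeout)`, `assert(arg_timeout and arg_timeout >= 0, SCRIPT_NAME .. ".timeout must be a non-negative number of seconds")`. broadcast_on_interface continues outside the hunk.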
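Review bot: `local start, stop = os.time()` declares `stop` but leaves it nil, because os.time() returns a single value; it is assigned only on the timeout branch in the following hunk, and the `stop - start` report there depends on that branch having run. Declaring the two separately, `local start = os.time()` and `local stop`, says what is meant, or drop `stop` and compute the elapsed time once at the reporting site. Note too that with `timeout=0` the loop never exits, so the packet-count report is never reached; if that is intended it is worth a comment on the declaration.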
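Review bot: The exit test reads `os.time()` once for the comparison and again for `stop`, so the reported duration can exceed the requested timeout by a second, and the leading `arg_timeout and` guard is dead since the earlier `or 30` guarantees a number. Reading the clock once removes both: `local now = os.time()`, `if arg_timeout > 0 and now - start >= arg_timeout then`, `stop = now`. The check runs only after a packet has been sent, so `counter > 0` always holds on this exit path; that is harmless, but the function continues outside the hunk and any other exit, such as an error raised by `try(dnet:ethernet_send(...))`, skips the report entirely.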