Quinnifer, July 21, 2017: Can you spoof or zombie an IP using smb-flood.nse in nmap?

digip, July 21, 2017: Hmm. The sender IP can probably be spoofed, sure. I think you send it with "--source-ip=x.x.x.x", but read the help file or man page.

Quinnifer (author), July 21, 2017: What about a zombie? Since I will not be expecting anything to return to me anyway. My thinking is: if I want to flood an IP, then zombie an IP, the flood should not be able to be traced back to me. Would this be safer than spoofing, or is it about the same?

digip, July 21, 2017: Sending should still contain your MAC address in the frame and packets somewhere, I would think, but not your sending IP. You could use macchanger to at least not use your real hardware ID as well. SMB attacks generally only work on the local LAN and shouldn't cross NAT either. You can't sit at home and then point across the internet at someone's external IP expecting to have much effect other than leaving a trail of packets on your outbound side. Your ISP might even drop this traffic. If on the same LAN, and you know the subnet you're in, you can pick a different private subnet group as the sender. Example: if you're on 192.168.1.0/24, set the sender IP as 10.x.x.x something or 172.16.x.x, so no one on the same LAN gets any of the packets reflected at them.

Quinnifer (author), July 21, 2017: I can spoof the MAC (-e), correct?

digip, July 21, 2017: macchanger -r should work, or try using nmap with --spoof-mac, but read the help file for nmap and also the NSE file: https://svn.nmap.org/nmap/scripts/smb-flood.nse. Nmap can spoof both the source IP and MAC address.
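The two digip posts above make a point that is more useful to a defender than to the flooder: a spoofed SMB flood still carries a real (or macchanger'd) MAC address in every Ethernet frame, while its IP source is set to some private subnet the LAN does not use. On the receiving side that mismatch is the detection handle. The following is an added example, not code from the thread or from nmap, and every value in it is an assumption: the LAN is taken to be 192.168.1.0/24, the gateway and attacker MACs are made up, and the flow records are constructed sample data rather than a capture. It flags senders whose MAC is not the gateway's but whose IP is off-subnet (the spoof digip describes), RFC1918 sources arriving through the gateway (bogons the ISP should have dropped), and SMB connection bursts counted per MAC rather than per IP, since the IP is the field the attacker controls.

```python
"""Added example (not from the thread or nmap): spot a spoofed SMB flood on
a LAN from (time, src_mac, src_ip, dst_ip, dst_port) flow records.

Assumptions (all invented for illustration): the LAN is 192.168.1.0/24, the
gateway MAC and attacker MAC below, and the sample records are constructed."""

import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")           # assumed local subnet
GATEWAY_MAC = "00:11:22:33:44:55"                       # assumed default-gateway MAC
ATTACKER_MAC = "de:ad:be:ef:00:01"                      # assumed MAC left in the flood's frames
SMB_PORTS = {445, 139}                                  # SMB over TCP and NetBIOS session
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the private ranges a flooder would borrow."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def off_lan_sources(records, lan=LAN, gateway_mac=GATEWAY_MAC):
    """Map each non-gateway sender MAC to the off-subnet source IPs it used.

    Internet traffic legitimately carries off-subnet IPs, but it reaches the
    LAN with the gateway's MAC. Any other MAC pairing with an IP outside the
    LAN is a local host writing its own source address."""
    hits = defaultdict(set)
    for _, mac, src, _, _ in records:
        if mac != gateway_mac and ipaddress.ip_address(src) not in lan:
            hits[mac].add(src)
    return dict(hits)


def rfc1918_via_gateway(records, gateway_mac=GATEWAY_MAC):
    """Private source IPs that came in through the gateway: bogon traffic the
    upstream (or the edge filter) should have dropped."""
    return {src for _, mac, src, _, _ in records
            if mac == gateway_mac and is_rfc1918(src)}


def smb_bursts(records, window=1.0, threshold=10):
    """Return {mac: peak SMB connections per `window` seconds} for senders
    that exceed `threshold`. Keyed on MAC, not IP, so rotating spoofed
    sources still aggregate to one sender."""
    times = defaultdict(list)
    for t, mac, _, _, dport in records:
        if dport in SMB_PORTS:
            times[mac].append(t)
    out = {}
    for mac, ts in times.items():
        ts.sort()
        peak, j = 0, 0
        for i, t in enumerate(ts):          # sliding window over sorted times
            while ts[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > threshold:
            out[mac] = peak
    return out


def build_sample():
    """Constructed records: one normal workstation, one internet client on a
    forwarded port, one bogon through the gateway, and a spoofed flood."""
    recs = []
    for i in range(5):                      # a workstation opening a share now and then
        recs.append((i * 10.0, "aa:bb:cc:00:00:02", "192.168.1.20", "192.168.1.10", 445))
    recs.append((3.0, GATEWAY_MAC, "203.0.113.5", "192.168.1.10", 445))   # via gateway, fine
    recs.append((6.0, GATEWAY_MAC, "172.16.5.5", "192.168.1.10", 445))    # bogon via gateway
    for i in range(40):                     # 40 SMB connects in 0.8 s, each claiming 10.9.9.x
        recs.append((5.0 + i * 0.02, ATTACKER_MAC, f"10.9.9.{i + 1}", "192.168.1.10", 445))
    return recs


if __name__ == "__main__":
    recs = build_sample()
    for mac, ips in off_lan_sources(recs).items():
        print(f"spoof indicator: MAC {mac} used {len(ips)} off-LAN source IPs")
    for src in sorted(rfc1918_via_gateway(recs)):
        print(f"bogon through gateway: {src}")
    for mac, peak in smb_bursts(recs).items():
        print(f"SMB burst: MAC {mac} peaked at {peak} connections/s")
```

Run against a real capture, the records would come from a pcap or flow export on the target LAN; the point of keying on the MAC is that macchanger only changes the address the flooder presents, not the fact that one address is doing all the sending.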
Quinnifer (author), July 21, 2017: If not using smb-flood.nse, does nmap have a single command for flooding a machine over NAT? Would I be better off using another tool like hping3 or something else?

digip, July 21, 2017: I don't know of any tools that get past NAT in this manner. However, throw enough shit at any device and it's bound to DoS the damn thing. Sending to the external IP would kill the gateway if it's not beefy enough to handle it or doesn't have redundancy built into the network somewhere. This is also sounding more like malicious intent than learning some tool options or how things work. Unless you're stress testing your own equipment, you're going into troubled waters there. I wouldn't recommend doing this to anyone but yourself, and only in a closed network for testing, learning and understanding what is happening, or how to defend against it. Get a few old routers on eBay or at a local thrift shop, classifieds, etc., then set up some home machines, hook them all up, set them up and have at it. Nothing wrong with understanding these things or learning them. Just don't point your laser at the world.

Quinnifer (author), July 21, 2017: It's something a next-door neighbor and I are playing with. We have set up a machine, excluded anything like High Orbit Ion Cannon type tools, and are going to see what we can do to those machines. May get an ISP complaint.

digip, July 21, 2017: The ISP probably won't send you anything without a formal complaint, but their network setup might just drop packets of certain kinds, as well as traffic over port 445 in general, just because it's a high-vuln target port.

Quinnifer (author), July 21, 2017: Well, you have provided some good info. Doing a bit more research. Thanks.

digip, July 22, 2017: Quoting Quinnifer: "Well, you have provided some good info. Doing a bit more research. Thanks."

If you want to test 100% SMB-related attacks on port 445 (TCP), or older SMB on 135, 137-139 (like on XP), from the internet, have the neighbor, or yourself, port forward to a test box, preferably a VM bridged to the network on a junk host machine, or thrown in a DMZ. This way, if you get a drive-by hit from the internet, it's on a single VM and junk host machine you can always wipe later. Just disconnect the rest of the boxes on the LAN.. lol.