Jump to content

smb-flood.nse question


Quinnifer
 Share

Recommended Posts

Hmm. The sender IP can probably be spoofed, sure. I think you send it with "--source-ip=x.x.x.x" but read the help file or man page. 

Link to comment
Share on other sites

What about a zombie. Since I will not be expecting anything to return to me anyways. My thinking is .... if I want to flood an ip then zombie an ip then the flood should not be able to be traced back to me. Would this be safer than spoofing or is it about the same?

Link to comment
Share on other sites

Sending should still contain your MAC address in the frame and packets somewhere I would think, but not your sending IP. You could use macchanger to at least not use your real hardware ID as well. SMB attacks generally only work on the local LAN and shouldn't cross NAT either. You can't sit at home and then point across the internet at someones external IP expecting to have much effect other than leaving a trail of packets on your outbound side. Your ISP might even drop this traffic. If on the same LAN, and you know the subnet you're in, you can pick a different private subnet group as the sender, example: if your on 192.168.1.0/24, set the sender IP as 10.x.x.x something or 172.16.x.x so no one on the same LAN gets reflected at with any of the packets.

Link to comment
Share on other sites

macchanger -r should work or try using nmap with --spoof-mac, but read the help file for nmap and also the nse file - https://svn.nmap.org/nmap/scripts/smb-flood.nse

Nmap can spoof both the source IP and MAC address.

Link to comment
Share on other sites

I don't know of any tools that get past NAT in this manner. However, throw enough shit it any device, it's bound to DoS the damn thing though. Sending to the external IP would kill the gateway if it's not beefy enough to handle or have redundancy built into the network somewhere. This is also sounding more like malicious intent vs learning some tool options or how things work.

Unless stress testing your equipment, you're going into troubled waters there. I wouldn't recommend doing this to anyone but yourself and only in a closed network for testing, learning and understanding what is happening, or how to defend against. Get a few old routers on ebay or local thrift shop, classifieds, etc, then setup some home machines and hook them all up, set them up and have at it. Nothing wrong with understanding these things or learning them. Just don't point your laser at the world..

Link to comment
Share on other sites

The ISP probably won't send you anything without a formal complaint, but their network setup might just drop packets of certain kinds as well as traffic over port 445 in general just because it's a high vuln target port in general. 

Link to comment
Share on other sites

2 hours ago, Quinnifer said:

Well you have provided some good info. Doing a bit more research. Thanks

If you want to test 100% SMB relaated attacks on port 445 (TCP) or odler SMB 135, 137-139(like on XP) from the internet, have the neighbor, or yourself, port forward to a test box, preferably a VM bridged to the network on a junk host machine, or thrown in a DMZ. This way, if you get a drive by hit from the internet, it's on a single VM and junk host machine you can always wipe later. Just disconnect the rest of the boxes on the lan..lol. 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...