Tutorials and guides on how to get the most out of your internet experience. These tutorials are for educational purposes only and should not be used with malicious intent. The Author of this blog believes that knowledge is power and will not be held responsible for whatever actions that you do with these tutorials.
Tuesday, June 3, 2014
How to use nmap to scan for DDOS reflectors
Before we get into this here is the standard disclaimer. Do not scan any devices that you do not have explicit permission to scan. If you do not own the devices I strongly recommend you get that permission in writing. Also, port scanning may cause instability or failure of some devices and/or applications. Just ask anyone who lost ILOs to heartbleed. So be careful!
As we have seen in past diaries about reflective DDOS attacks, they are certainly the flavor of the day. US-CERT claims there are several UDP based protocols that are potential attack vectors. In my experience the most prevalent ones are DNS, NTP, SNMP, and CharGEN. Assuming you have permission, is there an easy way to do good data gathering for these ports on your network? Yes, as a matter of fact it can be done in one simple nmap command.
nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr <target>
Let’s break this down:
-sU - perform a UDP scan. Since all the services above are UDP I only need to scan for the UDP ports.
-A - perform operating system and application version detection. This will attempt to give you more information about what applications are running on the open ports. The -A option also includes operating system detection, but it is unlikely that operating system detection will work when scanning this few ports.
-PN - scan even if you can’t contact the IP. By default nmap will not scan any device it can’t contact. Unfortunately if a device is hidden behind a firewall nmap will not usually be able to detect the device and will omit it from the detailed scan. A downside of using -PN is that nmap will complete the detailed scan against the IP even if it doesn’t exist or no ports are open. If you are scanning a large number of IPs the scan will take a long time.
-n - don’t do a DNS resolution. By default nmap performs a DNS resolution. Not doing that resolution will speed up the scan somewhat.
-pU:19,53,123,161 - scan UDP ports specified. In nmap ‘-p’ is used to indicate which ports to scan. The ‘U’ tells nmap that the ports that follow are UDP ports. Since this scan is only scanning UDP ports (-sU) the ‘U’ is redundant. However over the years I have gotten into the habit of explicitly specifying which type of ports I want to scan unless I want to add some TCP ports (-pT:) to the scan at a later time.
The ports specified in this scan are:
19 – CharGEN
53 – DNS
123 – NTP
161 – SNMP
--script=ntp-monlist,dns-recursion,snmp-sysdescr - the --script= option enables the nmap scripting engine (NSE) and runs scripts when they make sense to run. In other words, the ntp-monlist script will only be run when the NTP port is found to be open. nmap has many scripts available which can be used to extend nmap’s basic functionality.
The scripts specified on this scan are:
ntp-monlist – while any open NTP service can be used in a reflective DDOS attack the maximum amplification is achieved with NTP services that permit the monlist command to be executed. This script will do a check to see if monlist can be executed against an open NTP port.
Normally an open NTP service will look similar to:
123/udp open ntp NTP v4
If the monlist command is enabled on the ntp server, the ntp-monlist script will give you more information:
123/udp open ntp NTP v4
| ntp-monlist:
| Target is synchronised with 206.108.0.131
| Alternative Target Interfaces:
| XXX.16.1.71
| Public Servers (4)
| XXX.87.64.125 XXX.75.12.11 XXX.108.0.131
| Other Associations (596)
…etc…
dns-recursion – Normally public DNS servers will only answer DNS queries for which they are authoritative. DNS servers that permit and process queries for names for which they are not authoritative are called recursive DNS servers, and recursive DNS servers are in most cases misconfigured. The output for an open DNS port with recursion enabled will be similar to:
53/udp open domain Microsoft DNS 6.1.7600 (1DB04228)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7600 (1DB04228)
|_dns-recursion: Recursion appears to be enabled
snmp-sysdescr – attempts to extract more information from the SNMP service. An open SNMP service will look similar to:
161/udp open snmp SNMPv1 server (public)
With the snmp-sysdescr script it will usually display more information which may tell you more about the device you are scanning:
161/udp open|filtered snmp
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT
Or
161/udp open snmp SNMPv1 server (public)
| snmp-sysdescr: Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.
|_ System uptime: 9 days, 20:15:36.56 (85053656 timeticks)
Want to take a guess at what these devices are?
As you can see nmap provides a simple and effective way of scanning for the common ports used in reflective DDOS attacks. This diary has barely scratched the surface of nmap’s capabilities.
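Once a scan like this has run across a network you administer, the normal-format output can be reduced to the findings that matter for reflection exposure. The following is an added example, not part of the original diary: a Python parser run over a constructed sample report (addresses are documentation-range placeholders; the `triage` function name and the finding labels are assumptions of this example).

```python
import re

# Constructed sample in nmap's normal (-oN) output format. Addresses are
# documentation-range placeholders; script lines mirror those shown above.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT    STATE         SERVICE VERSION
19/udp  closed        chargen
53/udp  open          domain  Microsoft DNS 6.1.7600 (1DB04228)
|_dns-recursion: Recursion appears to be enabled
123/udp open          ntp     NTP v4
| ntp-monlist:
|   Target is synchronised with 192.0.2.1
161/udp open|filtered snmp

Nmap scan report for 192.0.2.20
PORT    STATE  SERVICE VERSION
19/udp  open   chargen
123/udp open   ntp     NTP v4
161/udp open   snmp    SNMPv1 server (public)
| snmp-sysdescr: Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
PORT = re.compile(r"^(\d+)/udp\s+(\S+)\s+(\S+)\s*(.*)$")

def triage(report):
    """Return {host: [finding, ...]} for reflector-relevant results only."""
    findings, host = {}, None
    for line in report.splitlines():
        if m := HOST.match(line):
            host = m.group(1)
            findings[host] = []
        elif host is None:
            continue                      # preamble before the first host
        elif m := PORT.match(line):
            port, state, _svc, version = m.groups()
            if state != "open":           # "open|filtered" is inconclusive for UDP
                continue
            if port == "19":
                findings[host].append("chargen open")
            elif port == "161" and "(public)" in version:
                findings[host].append("snmp answers to community 'public'")
            elif port == "123":
                findings[host].append("ntp open")
        elif line.startswith("| ntp-monlist:"):
            findings[host].append("ntp monlist enabled")
        elif "dns-recursion: Recursion appears to be enabled" in line:
            findings[host].append("dns recursion enabled")
    return findings
```

Hosts that come back with an empty list had nothing conclusive on these four ports; an `open|filtered` SNMP result, as in the first sample host, still needs a manual check.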
Thursday, April 25, 2013
A simple tutorial on how to set up your own web booter and an extra to go with it: shell checker
Disclaimer:
This article is for educational purposes only. This website or its author shall not be held liable for any damages (tangible or intangible) caused from this article. Use your own judgement to not get into trouble with the law. Remember, nothing is above the law.
Okay, so a lot of people don't want to mess around with bots and such, and want to start DDoSing, so I'm making this guide on how to get free shells, and setup a shell booter. This is great for xbox live booter and such, please note you may need a lot of shells to hit someone off, or it will take a long time. My best suggestion would be to buy dedicated private shells.
What Is a Shell Booter?
A shell booter uses a series of shells with a flood to send packets to someones router, and the router cannot handle that much packets, and simple no longer allows you to access websites for a short while. A booter can use slowloris POST, and a GET shells. GET are the best shells to use, these are the ones that are green and only have IP and time.
Credits
Natha For creating the whole tutorial, images, etc.
Natha For adding the mass shell adder to prodigies source.
Prodigy - For his source
Downloads:
Prodigy Source (Mass shell adder):
Shell Checker - This will be used later on in the tutorial:
How to Setup a Shell Booter:
Creating a MySQL Database
I am now going to walk you through on how to make a MySQL database, this is required for the booter to function, as it saves the users, passwords, shells, and so on. In the following demonstration I will be using cPanel.
Locate something relating to Databases, in this case mine looks like the following, this will look like this in all cPanels
Now, once you are here, make a name for the database, in the demonstration I will be using "desired" for the sake of this tutorial, I did change it to test after the screenshot, once again this is using cPanel, a host panel could be different.
Now scroll down, and you will see another part, this time username, and password of the database, I used test for this tutorial, and a password of test, you can use anything you desire.
Now, a bit down select the two you made, and click add, this will add them together.
Once you've proceeded with that, you will be prompted with a menu of privledges, click all privledges like shown below, that's MySQL done for now.
Uploading and Editing your MySQL Database Information
Once downloaded the source, zip the folder called source and upload it to your desired host, booters are blocked on hosts such as 000webhost, I personally use offshore web hosting which can be found here: http://www.onebesthosting.com.
Once uploaded extract the source.zip and enter the folder. Find and locate dbc.php, now edit it like I have shown below, click the spoiler to locate the image. Replace the information with your MySQL information you have just created as shown above, make the user and name the same for less confusion.
Importing the SQL Database / Configuring It.
Now go to your host panel or cPanel, in this case I am using cpanel, and locate PhpMyAdmin, and open it.
Now, click your database on the side, and click the SQL tab above.
Now, the file you downloaded, go into the folder (On your desktop, not host) and locate dbprepare, and open it, Control + a (select all) and then Control + c (Copy), now go back to MySQL and paste it in the SQL box, scroll up and scroll down a little bit, replace the name with your DB name. Click go. Done!
Now, we're up to the last part of setting up the booter, go to http://yoursite.com/source/register.php obviously replace yoursite, with your own domain, and register yourself a new account. Once completed go back to PhpMyAdmin, and go to the users table. Like shown below.
Now find approval on the side, and find user_level, change user_level to 5, this puts you as administrator, and approval to 1, this makes it so your account is approved, like shown below.
Complete! Now login to your booter at http://yoursite.com/source/ you've successfully setup your booter! Now to get free shells.
Getting Free Shells From Pastebin!
Open ShellChecker.exe, the link I have provided above, that you downloaded before, and go to pastebin.com, or pastie.org. Or other pastebin sites that allow search.
In the search box type one of these in, open them until you get a big list.
Once you've found a list, go to the bottom, and copy it all, from the little box, and paste it into the first collum of your shell checker like shown below.
Once that's done, click start, after the scan has started it will supply you will 100% working shells! This program is great! You will need a lot of these though, as some shells may be weak, I still recommend buying or asking for private dedicated shells for the booter to work best.
TCP are POST shells, UDP are GET shells.