MAC Flooding

MAC Flooding

It is a technique used to compromise the security of network switches that connect network segments or network devices. These switches map individual MAC addresses on the network to the physical ports on the switch through the means of a CAM table. Unlike a hub, which broadcasts the data across the network, the switch sends data only to the intended recipient. Thus, a switched network is more secure when compared to hub  Network. But, it can still be compromised by the fact that switches have limited memory to store MAC address tables and turn into hubs when flooded with MAC address beyond their storage. The technique used to compromise a switched network based on limited storage is called MAC flooding.
Typical MAC flooding involves flooding a switch with numerous requests with different fake source MAC address. No problem occurs until the MAC address table is full. Once the MAC address table is full, any further requests may force the switch to enter "failopen mode" A switch in failopen mode acts like a hub and broadcasts data to all machines on the network.

Make a simple Worm program

[Inter Worm Maker Thing]

Internet Worm Maker Thing(IWMT) is a tool specifically designed for generating a worm. These generated Internet worms try to spread over networks that are basically preset invasion proxy attacks that target the host technically, poison it, and make a base and plans to launch the attack in future. The worms work independently. An internet worm sends copies of itself via vulnerable computers on the Internet.

Make a simple virus program

1. TeraBit Virus Maker

TeraBit virus maker is a virus that is mostly detected by all antivirus software when scanned. This virus mostly doesn't harm the PC, but it can disable the antivirus that is installed on the system for a short time.


2. JPS Virus maker and DELmE's Batch Virus Maker

JPS Virus maker is a tool to create viruses. It also has a feature to convert a virus into a worm and can be used to disable the normal hardware of the system.

Macro Viruses

Macro Viruses
Microsoft Word or similar applications can be infected through a computer virus called macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Most macro viruses are written using the macro language Visual Basic for Applications(VBA) and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somwhat less harmful than other types. They are usually spread via an email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only in cases where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microcode. In addition, the latest exploited macrocode exists in the full version of the Acrobat program that reads and writes PDF files.

Hping most used commands

ICMP ping :

hping3 -1 192.168.0.1


ACK scan on port 80 :

hping3 -A 192.168.0.1 -p 80


UDP scan on port 80 :

hping3 -2 192.168.0.1 -p 80


Collecting initial sequence number :

hping3 192.168.0.1 -Q -p 139 -s


Firewalls and time stamps :

hping3 -S 192.168.0.1 -p 80 --tcp-timestamp


SYN scan on port 20~80 :

hping3 -8 20-80 -S 192.168.0.1 -V


FIN, PUSH and URG scan on port 80 :

hping3 -F -p -U  192.168.0.1 -p 80


Scan entire subnet for live host :

hping3 -1 192.168.0.x --rand-dest -I eth0


intercept all traffic containing HTTP signature :

hping3 -9 HTTP -I eth0


SYN flooding a victim :

hping3 -S 192.168.0.1 -a 192.168.1.254 -p 22 --flood

Three-Way handshake

The three-way handshake process goes as follows :
to launch a TCP connection, the source(192.168.0.2:8080) sends a SYN packet to the destination(192.168.0.8:21).

the destination, on receiving the SYN packet, i.e, sent by the source, responds by sending a SYN/ACK packet back to the source.

This ACK packet confirms the arrival of the first SYN packet to the source.

In conclusion, the source sends an ACK packet for the ACK/SYN packet sent by the destination.

This triggers an "OPEN" connection allowing communication between the source and the destination, until either of them issues a "FIN" packet or a "RST" packet to close the connection.

Why do I need HTTP Tunneling?

HTTP Tunneling allows you to use the Internet despite having firewall restrictions such as blocking specific firewall ports to restrict specific protocol communication. HTTP tunneling helps you to overcome this firewall restriction by sending specific protocol communication through HTTP protocol.
The attacker may use this technique for the following reasons:

• It assures the attacker that no one will monitor him or her while browsing.
• It helps the attacker to bypass firewall restrictions.
• It ensures secure browsing.
• The attacker can hide his or her IP address from being trapped.
• It assures that it is highly impossible for others to identify attacker online.

tools : HTTP-Tunnel(http://http-tunnel.sourceforge.net)
          GNU http-tunnel(http://www.nocrew.org/software/httptunnel.html)