Mullo Wullo BugTraq. I missed you. :)

*Ahem*

As described by Olmec in "Hacking in Switched Environments", an article published in issue 13 of the Forbidden Knowledge e-zine, should a TCP packet with the SYN flag set be sent to a broadcast address, 99% of the time Windows machines will respond with a RST/ACK. Oh dear.

This is not only useful to locate Windows machines, but could prove to be quite a hefty DDoS attack, especially if the packets are sent to multiple broadcast addresses with a source address of the machine that is being targeted.

I've attached some proof-of-concept code to this message (pestilence.c), which uses Libnet. The program will try to inject the packets at the link layer or at the network layer depending on whether you define LINKLAYER or RAWSOCK respectively. Obviously, use of the link layer API would make the packets harder to trace, but you may have to -DRAWSOCK if there's any reason why you can't spoof ethernet frames (bpf, lo, etc). I haven't actually tested the link layer code (I don't have an ethernet card or a network), but I'm pretty sure it works. If it doesn't, I dunno, shoot me. ;P

In my code, I also set the URG flag, which makes my fBSD-4.2R box respond with 5 SYN/ACKs and a RST if the port is open. This has DoS potential as well.

Also needless to say, the program doesn't have functionality to send to multiple broadcast addresses, because this isn't required of a proof-of-concept and because all but the most retarded script-kiddie can give it that functionality with a perl script or whatever.

Shoutz to Aragon & Olmec for discovering this, and to Pneuma for lending me his PC so I could start getting back into this stuff.

And now for something completely different.

The ping and tracert CGI perl scripts for Windows NT by Gabor Szabo from www.tracert.com pass user input unchanged to a system call. Even when fixed, I'd say these scripts are fundamentally insecure - don't run them. :)

Uuuuummm... yeap.

Later,
Andrew Lewis
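From the defender's side, the SYN-to-broadcast reflection described above is easy to spot on the wire: a bare SYN (no ACK bit) whose destination is the directed broadcast of a local subnet or the limited broadcast 255.255.255.255, repeated from one source, is almost certainly a spoofed victim address being reflected off the segment. The detector below is an added example written for this post; it is not pestilence.c or any code from the author. It assumes tcpdump's default TCP line format for input, a constructed sample capture (no real traffic), and two made-up monitored subnets in `LOCAL_NETS`. The usual mitigation is to refuse to forward directed broadcasts at the router (the default recommended by RFC 2644) and to filter spoofed sources at the edge; this code only detects.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Subnets this sensor is responsible for (assumed values; replace with your own).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample capture in tcpdump's default TCP line format (not real traffic).
# 203.0.113.7 plays the spoofed source, i.e. the host that would receive the RST/ACKs.
SAMPLE_LINES = """\
IP 203.0.113.7.4444 > 192.0.2.255.80: Flags [S], seq 1, win 512, length 0
IP 203.0.113.7.4444 > 198.51.100.127.80: Flags [S], seq 1, win 512, length 0
IP 203.0.113.7.4444 > 192.0.2.255.139: Flags [SU], seq 1, win 512, urg 1, length 0
IP 192.0.2.10.5555 > 192.0.2.20.80: Flags [S], seq 9, win 65535, length 0
IP 192.0.2.20.80 > 192.0.2.10.5555: Flags [S.], seq 3, ack 10, win 65535, length 0
IP 192.0.2.21.80 > 203.0.113.7.4444: Flags [R.], seq 0, ack 2, win 0, length 0
IP 203.0.113.7.4444 > 255.255.255.255.80: Flags [S], seq 1, win 512, length 0
"""

# "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, dst, dport, flags) for a tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("flags")


def is_broadcast(addr, nets=LOCAL_NETS):
    """True for the limited broadcast or the directed broadcast of any monitored subnet."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == net.broadcast_address for net in nets)


def is_syn_to_broadcast(parsed, nets=LOCAL_NETS):
    """A bare SYN ('.' is tcpdump's ACK marker, so a SYN/ACK reply is excluded)
    whose destination is a broadcast address. SYN+URG still counts."""
    src, dst, dport, flags = parsed
    return "S" in flags and "." not in flags and is_broadcast(dst, nets)


def find_reflection_sources(lines, nets=LOCAL_NETS, threshold=2):
    """Group SYN-to-broadcast segments by source address.
    A source seen >= threshold times is reported as a likely spoofed victim,
    with the count and the sorted list of broadcast addresses it was aimed at."""
    counts = Counter()
    targets = defaultdict(set)
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed and is_syn_to_broadcast(parsed, nets):
            counts[parsed[0]] += 1
            targets[parsed[0]].add(parsed[1])
    return {src: (n, sorted(targets[src]))
            for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, (n, dsts) in find_reflection_sources(SAMPLE_LINES).items():
        print(f"{src}: {n} SYNs to broadcast -> {', '.join(dsts)}")
```

Feed it `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0'` output (or the equivalent Zeek/Suricata export) for real traffic; the legitimate SYN and the SYN/ACK in the sample are ignored, and only the spoofed source with four broadcast-bound SYNs is reported.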
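The second item in the post, CGI scripts that pass the user's host parameter straight into a system call, is the classic command-injection shape. The following is an added example (my own code, not Gabor Szabo's Perl scripts, and written in Python rather than Perl) that shows the flawed construction next to a safe one: the input is checked against an allow-list for hostnames and dotted IPv4 addresses, the program is invoked with an argv list so no shell ever parses the string, and a leading hyphen is rejected so the value cannot be read by ping as an option. The `-n`/`-c` count switch selection and the 15-second timeout are my assumptions.

```python
import re
import subprocess
import sys

# Allow-list: DNS labels of letters, digits and inner hyphens, joined by dots,
# 1..253 characters total. A dotted IPv4 address passes the same pattern.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host):
    """The pattern the post describes: user input pasted into a shell command
    string. Returned, never executed here, only to show what the shell would
    parse; any shell metacharacter in `host` becomes part of the command line."""
    return "ping " + host


def validate_host(host):
    """True only for a syntactically valid hostname or IPv4 address."""
    return bool(HOST_RE.match(host))


def build_ping_argv(host, count=1):
    """Reject anything outside the allow-list, then build an argv list.
    Passing a list to subprocess means no shell is involved, and the regex
    forbids a leading '-' so the value cannot be taken as a ping option."""
    if not validate_host(host):
        raise ValueError("rejected host parameter")
    count_flag = "-n" if sys.platform.startswith("win") else "-c"  # assumed per-platform switch
    return ["ping", count_flag, str(count), host]


def run_ping(host):
    """Safe replacement for the CGI handler's system call."""
    argv = build_ping_argv(host)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return result.stdout


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(run_ping(target))
```

Even with the allow-list, the author's advice stands: exposing ping and traceroute to anonymous web users hands out a free network-mapping and traffic-generation tool, so the safest fix is still not to run such a CGI at all.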