Metasploitable/TorsHammer: Difference between revisions
From charlesreid1
(Created page with "=Tor's Hammer Slow Body DoS Attack= Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a d...") |
(Redirected page to Tors Hammer) |
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
#REDIRECT [[Tors Hammer]] | |||
<!-- | |||
=Tor's Hammer Slow Body DoS Attack= | =Tor's Hammer Slow Body DoS Attack= | ||
Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service (DoS). It does this by sending a POST request with a large declared content-length, then | Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service (DoS). It does this by sending a POST request with a large declared content-length (like 1000 MB), then performing the following, ad infinitum: send one letter through the open connection; take a nap. | ||
Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers. | Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers. | ||
We'll test this tool out on the [[Metasploitable]] machine, which is running Apache 2.2.8, and see if it is vulnerable to the Tor's Hammer DoS attack. If so, we'll mount the attack. | We'll test this tool out on the [[Metasploitable]] machine, which is running Apache 2.2.8, and see if it is vulnerable to the Tor's Hammer DoS attack. If so, we'll mount the attack. | ||
<font size="+3">NOTE: This will completely knock out the target server.</font> The web server will run out of memory and will begin to drop packets from the device. It must be rebooted to fix. Use wisely. | |||
==Python Script== | ==Python Script== | ||
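Review bot: The new `#REDIRECT [[Tors Hammer]]` line at the top of this hunk is followed directly by `<!--`, so the other additions here (the "(like 1000 MB)" clarification and the large-font NOTE) sit inside a comment and are never rendered. If this text is meant to be read, move it to the redirect target and leave only the redirect line on this page. If it is kept only as an archive, say so in the edit summary. The NOTE also uses `<font size="+3">` for emphasis, and the wiki's own bold markup (used later in this revision as `'''completely'''`) would be more consistent.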
| Line 30: | Line 36: | ||
</pre> | </pre> | ||
Run this agains the IP address of the Metasploitable machine, 10.0.0.27 | Run this agains the IP address of the Metasploitable machine, 10.0.0.27: | ||
<pre> | |||
# python torshammer.py -t 10.0.0.27 | |||
</pre> | |||
This will run with the default number of threads (256). | |||
==Results== | |||
This works like a charm, bringing the target 10.0.0.27 to its knees: | |||
[[Image:TorsHammer.png|500px]] | [[Image:TorsHammer.png|500px]] | ||
Bingo! | |||
Note that there are a large number of errors printed, | Note that there are a large number of errors printed, | ||
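Review bot: The typo "agains" in "Run this agains the IP address of the Metasploitable machine" survives on the new side of this hunk; only the trailing colon was added, so it should read "against". The new Results section also rests on the screenshot and "Bingo!" alone. One sentence stating what was actually observed on 10.0.0.27 (for example, what a request to the web server returned while the run was in progress) would let the page stand without the image.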
| Line 65: | Line 83: | ||
However, these don't seem to affect the attack, as the web server is inaccessible even while the error messages are being printed out. | However, these don't seem to affect the attack, as the web server is inaccessible even while the error messages are being printed out. | ||
==Bringing Down The Server== | |||
===Ping Down=== | |||
At some point during the attack, the machine stopped responding to ping: | |||
<pre> | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 874 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 875 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 876 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 877 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 878 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 879 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 880 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 881 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 882 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 883 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 884 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 885 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 886 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 887 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 888 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 889 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 890 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 891 | |||
ping: sendto: Host is down | |||
Request timeout for icmp_seq 892 | |||
Request timeout for icmp_seq 893 | |||
Request timeout for icmp_seq 894 | |||
Request timeout for icmp_seq 895 | |||
Request timeout for icmp_seq 896 | |||
Request timeout for icmp_seq 897 | |||
Request timeout for icmp_seq 898 | |||
Request timeout for icmp_seq 899 | |||
Request timeout for icmp_seq 900 | |||
Request timeout for icmp_seq 901 | |||
Request timeout for icmp_seq 902 | |||
Request timeout for icmp_seq 903 | |||
Request timeout for icmp_seq 904 | |||
Request timeout for icmp_seq 905 | |||
Request timeout for icmp_seq 906 | |||
Request timeout for icmp_seq 907 | |||
</pre> | |||
===Memory Squeeze=== | |||
Turns out, the machine ran out of memory, and the network device began dropping packets: | |||
This attack '''completely''' knocked the server offline, and it had to be rebooted. | |||
[[Image:TorsHammer_OfflineMemSqueeze.png|500px]] | |||
=pwn= | |||
To be sure: this attack can pwn a server. | |||
=Flags= | =Flags= | ||
==DoS== | |||
{{DoSFlag}} | |||
==Metasploitable== | |||
{{MSFlag}} | {{MSFlag}} | ||
--> | |||
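Review bot: The ping transcript added under "Ping Down" repeats the same two lines for icmp_seq 874 through 907; the only information in it is that "Host is down" stops appearing after icmp_seq 892. Trimming it to a few lines on either side of that change would read better, and replacing "At some point during the attack" with the elapsed time would tell a reader how long the target lasted before it stopped answering. Under "Memory Squeeze", the sentence ending "began dropping packets:" is followed by another sentence instead of the image it introduces, so `[[Image:TorsHammer_OfflineMemSqueeze.png|500px]]` should move up directly after the colon. The section records that a reboot was needed but not which resource limit was reached or how it was confirmed, which is the detail a defender would want from this write-up.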
Latest revision as of 04:40, 29 August 2016
Redirect to: