John The Ripper – One Stop Password Audit Tool

John The Ripper – A one stop password audit tool for various formats

John, better known as John The Ripper (JTR), is a state-of-the-art offline password cracking tool that combines many kinds of password cracker in one program. It automatically detects the type of password hash and tries to crack it, either by brute-forcing the hash or by running a dictionary attack against it.

JTR can be run against various password hash formats, including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.

Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

Pentesters use JTR to check password complexity, assuring that a dictionary attack is not possible on the system under test. As JTR is an offline tool, the files containing the password hashes must first be obtained (stolen) from the target system. Johnny is the GUI front-end for JTR.

Options

The File menu is used for opening a hash dump or encrypted password file and for changing sessions.

The Attack menu deals with the attack options (Start/Stop/Pause).

[Figure: Johnny Main Window]

On the left pane, there are 4 options.

  • The Passwords tab shows the currently loaded users and their hash details from the loaded file.
  • The Options tab lets you tune how John works to crack the passwords (Default, Incremental, Wordlist mode, etc.).
  • The Statistics tab shows the current statistics once the attack has started.
  • Settings lets you edit the main settings for the John engine, such as the path to the binaries and timing.
  • The Output tab shows the result of the attack once passwords get cracked.

John Homepage: http://www.openwall.com/john/

Lab 1: Break Weak Unix password

In this lab, we’ll look at breaking a weak Unix password. First, we have to understand the files containing the authentication information. On Unix/Linux, the “passwd” file located at /etc/passwd contains all user information. The “shadow” file located at /etc/shadow contains the SHA crypt hash of the password of each user found in the passwd file.

For this lab, we have a passwd and shadow file from a remote system, obtained with other tools (explained within this series), located in the Desktop folder.

Step 1: Combine the passwd & shadow file to one file named crack

Command : cat /etc/passwd > Desktop/crack && cat /etc/shadow >> Desktop/crack
[Figure: Combining Passwd & Shadow]

Then read the resulting file with any text editor you like (leafpad, nano, vim, or simply cat it). The above command writes the content of the passwd file into a new file named crack and then appends the contents of the shadow file to it.

[Figure: John Attacks!]

In the above image, the highlighted section marks the end of the passwd file and the beginning of the shadow file.

Step 3: Load it to Johnny

[Figure: User Accounts & Details listed from a file loaded]

Step 4: Click start attack to start the attack!

Step 5: Return to the Passwords tab and see the password

[Figure: Results appear as they get cracked]

Note: Sometimes the auto-detect option in the Options tab doesn’t work. If so, select the exact hash format. On Unix it is a SHA-512 crypt, so use the Crypt format. Also, the time it takes to crack the password hashes depends on their complexity.
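Step 1 above joins the two files with cat; JtR’s own unshadow utility merges them by username instead, which is what the following added example does (it is not code from this page or from the John the Ripper project). It also reads the $id$ prefix of each shadow entry so you know which format to select when Johnny’s auto-detect fails, and flags accounts whose password field is empty or locked. All sample lines are constructed placeholders, not real hashes.

```python
"""Merge passwd and shadow by username (what JtR's `unshadow` does, instead of
plain `cat`) and report the crypt flavour of each account's hash.

All sample data below is constructed; the hash bodies are placeholders.
"""

# Constructed /etc/passwd content: the "x" in field 2 means the hash lives in shadow.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow content with four different password-field states.
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHBODY:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# crypt(3) "$id$" prefixes and the common name of the hash. md5crypt, bcrypt,
# sha256crypt and sha512crypt (and descrypt below) are also JtR --format names.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}


def classify(password_field: str) -> str:
    """Describe a shadow password field: hash type, locked, or empty."""
    if password_field == "":
        return "EMPTY: login without a password"
    if password_field.startswith(("!", "*")):
        return "locked: no valid hash"
    if password_field.startswith("$"):
        crypt_id = password_field.split("$")[1]
        return CRYPT_IDS.get(crypt_id, f"unknown crypt id ${crypt_id}$")
    if len(password_field) == 13:
        return "descrypt"  # traditional DES crypt: 2-char salt + 11 chars
    return "unrecognised"


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Return passwd lines with the shadow hash substituted into field 2."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pw_field = line.split(":", 2)[:2]
            hashes[name] = pw_field
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        # Only replace the "x" placeholder when shadow actually has an entry.
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def audit(passwd_text: str, shadow_text: str) -> dict[str, str]:
    """Map each account to the classification of its password field."""
    return {
        line.split(":")[0]: classify(line.split(":")[1])
        for line in unshadow(passwd_text, shadow_text)
    }


if __name__ == "__main__":
    for user, state in audit(PASSWD, SHADOW).items():
        print(f"{user:8} {state}")
```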

So don’t hesitate to make your passwords as complex as possible!

Windows NTLM: coming soon…!

Dnsenum – Tool for DNS enumeration to find DNS Servers

Dnsenum is a tool for DNS enumeration, which is the process of locating all DNS servers and DNS entries for an organization.

DNS enumeration will allow us to gather critical information about the organization such as usernames, computer names, IP addresses, and so on.

DNSENUM OPTIONS

--dnsserver <server>   Use this DNS server for A, NS and MX queries.
--enum                 Shortcut option equivalent to --threads 5 -s 15 -w.
-h, --help             Print this help message.
--noreverse            Skip the reverse lookup operations.
--nocolor              Disable ANSIColor output.
--private              Show and save private IPs at the end of the file domain_ips.txt.
--subfile <file>       Write all valid subdomains to this file.
-t, --timeout <value>  The TCP and UDP timeout values in seconds (default: 10s).
--threads <value>      The number of threads that will perform different queries.
-v, --verbose          Be verbose: show all the progress and all the error messages.

GOOGLE SCRAPING OPTIONS:

-p, --pages <value>    The number of Google search pages to process when scraping names; the default is 5 pages, and the -s switch must be specified.
-s, --scrap <value>    The maximum number of subdomains that will be scraped from Google (default 15).

BRUTE FORCE OPTIONS:

-f, --file <file>      Read subdomains from this file to perform brute force.
-u, --update <a|g|r|z> Update the file specified with the -f switch with valid subdomains.
    a (all)            Update using all results.
    g                  Update using only Google scraping results.
    r                  Update using only reverse lookup results.
    z                  Update using only zone transfer results.
-r, --recursion        Recursion on subdomains: brute force all discovered subdomains that have an NS record.

WHOIS NETRANGE OPTIONS:

-d, --delay <value>    The maximum number of seconds to wait between whois queries; the value is chosen randomly (default: 3s).
-w, --whois            Perform the whois queries on class C network ranges.

REVERSE LOOKUP OPTIONS:

-e, --exclude <regexp> Exclude PTR records that match the regexp from reverse lookup results; useful on invalid hostnames.

OUTPUT OPTIONS:

-o, --output <file>    Output in XML format. Can be imported into MagicTree.

DNSENUM Homepage: https://github.com/fwaeytens/dnsenum

Lab 1: Enumeration With Default Settings

When you run this command with the --enum option, it automatically uses the defaults --threads 5 -s 15 -w.

Syntax : dnsenum -enum <url>
Command : dnsenum -enum google.com
[Figure: Enumerated DNS Information from google.com]

LAB 2: ENUMERATION OF SUBDOMAIN USING BRUTEFORCE AND FROM FILE

When you run this command, it will perform a brute-force search for subdomains using the custom wordlist file passed as an argument.

Syntax : dnsenum -f <file> -r <url>
Command : dnsenum -f subdomain.txt -r hacker.com
[Figure: Finding Subdomains using a text file]

Penetration Testing Resources For Simulated Attacks

Penetration testing, more commonly called pentesting, is the practice of finding weaknesses that could be exploited in an application, network or system, with the goal of identifying security vulnerabilities that an attacker could use against it. In this article we list some penetration testing resources.

Metasploit Unleashed

The Metasploit Unleashed (MSFU) course is provided free of charge by Offensive Security in order to raise awareness for underprivileged children in East Africa.

PTES

The Penetration Testing Execution Standard consists of seven (7) main sections. These cover everything related to a penetration test: from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers work behind the scenes to get a better understanding of the tested organization, through vulnerability research, exploitation and post-exploitation, where the technical security expertise of the testers comes into play and combines with the business understanding of the engagement, and finally to the reporting, which captures the entire process in a way that makes sense to the customer and provides the most value to it.

OWASP Penetration Testing Resources

Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards. In the Application Security space, one of those groups is the Open Web Application Security Project, or OWASP.

PENTEST-WIKI

PENTEST-WIKI is a free online security knowledge library for pentesters and researchers. If you have a good idea, please share it with others.

Vulnerability Assessment Framework

Network Footprinting: the tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms, active and passive.

XSS-Payloads

A fine collection of selected JavaScript payloads: more than 50 pieces of code, from common JavaScript usage to the totally unexpected.

Source : Github

PhEmail Open Source Tool to Sending Phishing Emails Automatically

PhEmail is an open source Python phishing email tool that automates the process of sending phishing emails as part of a social engineering test. Its main purpose is to send a batch of phishing emails and prove who clicked on them, without attempting to exploit the web browser or email client, while collecting as much information as possible.

It comes with an engine to gather email addresses through LinkedIn, useful during the information gathering phase. The tool also supports Gmail authentication, which is a valid option in case the target domain has blacklisted the source email or IP address. Finally, it can be used to clone corporate login portals in order to steal login credentials.

PhEmail Installation

You can download the latest version of PhEmail by cloning the GitHub repository:

git clone https://github.com/Dionach/PhEmail

Usage

PHishing EMAIL tool v0.13
Usage: phemail.py [-e <emails>] [-m <mail_server>] [-f <from_address>] [-r <replay_address>] [-s <subject>] [-b <body>]
          -e    emails: File containing list of emails (Default: emails.txt)
          -f    from_address: Source email address displayed in FROM field of the email (Default: Name Surname <name_surname@example.com>)
          -r    reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname <name_surname@example.com>)
          -s    subject: Subject of the email (Default: Newsletter)
          -b    body: Body of the email (Default: body.txt)
          -p    pages: Specifies number of results pages searched (Default: 10 pages)
          -v    verbose: Verbose Mode (Default: false)
          -l    layout: Send email with no embedded pictures 
          -B    BeEF: Add the hook for BeEF
          -m    mail_server: SMTP mail server to connect to
          -g    Google: Use a google account username:password
          -t    Time delay: Add deleay between each email (Default: 3 sec)
          -R    Bunch of emails per time (Default: 10 emails)
          -L    webserverLog: Customise the name of the webserver log file (Default: Date time in format "%d_%m_%Y_%H_%M")
          -S    Search: query on Google
          -d    domain: of email addresses
          -n    number: of emails per connection (Default: 10 emails)
          -c    clone: Clone a web page
          -w    website: where the phishing email link points to
          -o    save output in a file
          -F    Format (Default: 0): 
                0- firstname surname
                1- firstname.surname@example.com
                2- firstnamesurname@example.com
                3- f.surname@example.com
                4- firstname.s@example.com
                5- surname.firstname@example.com
                6- s.firstname@example.com
                7- surname.f@example.com
                8- surnamefirstname@example.com
                9- firstname_surname@example.com 
          
Examples: phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
          phemail.py -S example -d example.com -F 1 -p 12
          phemail.py -c https://example.com

Disclaimer

Usage of PhEmail for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.

fsociety Hacking Tools Pack – A Penetration Testing Framework

fsociety is a penetration testing framework consisting of the penetration testing tools that a hacker needs.

It includes all the tools that appeared in the Mr. Robot series. The framework comprises a huge list of tools, starting from information gathering and running through to post-exploitation.

Information Gathering

  • Nmap
  • Setoolkit
  • Host To IP
  • WPScan
  • CMS Scanner
  • XSStrike
  • Dork – Google Dorks Passive Vulnerability Auditor
  • Scan A server’s Users
  • Crips

Password Attacks:

  • Cupp
  • Ncrack

Wireless Testing:

  • Reaver
  • Pixiewps
  • Bluetooth Honeypot

Exploitation Tools:

  • ATSCAN
  • sqlmap
  • Shellnoob
  • commix
  • FTP Auto Bypass
  • JBoss Autopwn

Sniffing & Spoofing:

  • Setoolkit
  • SSLtrip
  • pyPISHER
  • SMTP Mailer

Web Hacking:

  • Drupal Hacking
  • Inurlbr
  • WordPress & Joomla Scanner
  • Gravity Form Scanner
  • File Upload Checker
  • WordPress Exploit Scanner
  • WordPress Plugins Scanner
  • Shell and Directory Finder
  • Joomla! 1.5 – 3.4.5 remote code execution
  • Vbulletin 5.X remote code execution
  • BruteX – Automatically brute force all services running on a target
  • Arachni – Web Application Security Scanner Framework

fsociety Private Web Hacking:

  • Get all websites
  • Get Joomla websites
  • Get WordPress websites
  • Control Panel Finder
  • Zip Files Finder
  • Upload File Finder
  • Get server users
  • SQli Scanner
  • Ports Scan (range of ports)
  • ports Scan (common ports)
  • Get server Info
  • Bypass Cloudflare

Post Exploitation:

  • Shell Checker
  • POET
  • Weeman


ReelPhish – A Real-Time Two-Factor Phishing Tool

ReelPhish is a real-time two-factor phishing tool. It was released alongside a FireEye blog post describing it.

Installation Steps For ReelPhish

  • The latest release of Python 2.7.x is required.
  • Install Selenium, a required dependency to run the browser drivers.
    • pip install -r requirements.txt
  • Download browser drivers for all web browsers you plan to use. Binaries should be placed in this root directory with the following naming scheme.
    • Internet Explorer:
      • Download the Internet Explorer Driver Server for 32 bit Windows IE. Unzip the file and rename the binary to: IEDriver.exe.
      • In order for the Internet Explorer Driver to work, be sure protected mode is disabled. On IE11 (64 bit Windows), you must create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE”. In this key, create a DWORD value named iexplore.exe and set the value to 0.
      • Further information on Internet Explorer requirements can be found on www.github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriver
  • Firefox:
    • Download the latest release of the Firefox GeckoDriver for Windows 32 bit. Unzip the file and rename the binary to: FFDriver.exe.
      • On Linux systems, download the Linux version of Firefox GeckoDriver and rename the binary to: FFDriver.bin . Linux support is experimental.
    • Gecko Driver has special requirements. Copy FFDriver.exe to geckodriver.exe and place it into your PATH variable. Additionally, add firefox.exe to your PATH variable.
  • Chrome:
    • Download the latest release of the Google Chrome Driver for Windows 32 bit. Unzip the file and rename the binary to: ChromeDriver.exe.
      • On Linux systems, download the Linux version of the Chrome Web Driver and rename the binary to: ChromeDriver.bin . Linux support is experimental.

Running ReelPhish

ReelPhish consists of two components: the phishing site handling code and this script. The phishing site can be designed as desired. Sample PHP code is provided in /examplesitecode. The sample code takes a username and password from an HTTP POST request and transmits them to the phishing script.

The phishing script listens on a local port and awaits a packet of credentials. Once credentials are received, the phishing script will open a new web browser instance and navigate to the desired URL (the actual site where you will be entering a user’s credentials). Credentials will be submitted by the web browser.

The recommended way of handling communication between the phishing site and this script is by using a reverse SSH tunnel. This is why the example PHP phishing site code submits credentials to localhost:2135.

ReelPhish Arguments

  • You must specify the browser you will be using with the –browser parameter. Supported browsers include Internet Explorer (“–browser IE”), Firefox (“–browser FF”), and Chrome (“–browser Chrome”). Windows and Linux are both supported. Chrome requires the least amount of setup steps. See above installation instructions for further details.
  • You must specify the URL. The script will navigate to this URL and submit credentials on your behalf.
  • Other optional parameters are available.
    • Set the logging parameter to debug (–logging debug) for verbose event logging
    • Set the submit parameter (–submit) to customize the element that is “clicked” by the browser
    • Set the override parameter (–override) to ignore missing form elements
    • Set the numpages parameter (–numpages) to increase the number of authentication pages (see below section)

Multi Page Authentication Support

ReelPhish supports multiple authentication pages. For example, in some cases a two factor authentication code may be requested on a second page. To implement this feature, be sure that –numpages is set to the number of authentication pages. Also be sure that the session ID is properly tracked on your phishing site. The session ID is used to track users as they proceed through each step of authentication.

In some cases, you may need to scrape specific content (such as a challenge code) off of a particular authentication page. Example commented out code is provided in ReelPhish.py to perform a scraping operation.

Wifite 2.1.0 – Automated Wireless Attack Tool

A complete re-write of wifite, a Python script for auditing wireless networks.

Wifite runs existing wireless-auditing tools for you. Stop memorizing command arguments & switches!

What’s new in Wifite 2.1.0?

  • Less bugs
    • Cleaner process management. Does not leave processes running in the background (the old wifite was bad about this).
    • No longer “one monolithic script”. Has working unit tests. Pull requests are less-painful!
  • Speed
    • Target access points are refreshed every second instead of every 5 seconds.
  • Accuracy
    • Displays realtime Power level of currently-attacked target.
    • Displays more information during an attack (e.g. % during WEP chopchop attacks, Pixie-Dust step index, etc)
  • Educational
    • The --verbose option (expandable to -vv or -vvv) shows which commands are executed & the output of those commands.
    • This can help debug why Wifite is not working for you. Or so you can learn how these tools are used.
  • Actively developed (as of March 2018).
  • Python 3 support.
  • Sweet new ASCII banner.

What’s gone in Wifite 2.1.0?

  • No more WPS PIN attack, because it can take days on-average.
    • However, the Pixie-Dust attack is still an option.
  • Some command-line arguments (--wept, --wpst, and other confusing switches).
    • You can still access some of these, try ./Wifite.py -h -v

Brief Feature List

  • Reaver (or --bully) Pixie-Dust attack (enabled by default, force with: --wps-only)
  • WPA handshake capture (enabled by-default, force with: --no-wps)
  • Validates handshakes against pyrit, tshark, cowpatty, and aircrack-ng (when available)
  • Various WEP attacks (replay, chopchop, fragment, hirte, p0841, caffe-latte)
  • Automatically decloaks hidden access points while scanning or attacking.
    • Note: Only works when channel is fixed. Use the -c <channel> switch.
    • Disable this via --no-deauths switch
  • 5GHz support for some wireless cards (via the -5 switch).
    • Note: Some tools don’t play well on 5GHz channels (e.g. aireplay-ng)
  • Stores cracked passwords and handshakes to the current directory (--cracked)
    • Includes metadata about the access point.
  • Provides commands to crack captured WPA handshakes (--crack)
    • Includes all commands needed to crack using aircrack-ng, john, hashcat, or pyrit.

Required Tools

Only the latest versions of these programs are supported:

Required:

  • iwconfig: For identifying wireless devices already in Monitor Mode.
  • ifconfig: For starting/stopping wireless devices.
  • Aircrack-ng suite, includes:
    • aircrack-ng: For cracking WEP .cap files and and WPA handshake captures.
    • aireplay-ng: For deauthing access points, replaying capture files, various WEP attacks.
    • airmon-ng: For enumerating and enabling Monitor Mode on wireless devices.
    • airodump-ng: For target scanning & capture file generation.
    • packetforge-ng: For forging capture files.

Optional, but Recommended:

  • tshark: For detecting WPS networks and inspecting handshake capture files.
  • reaver: For WPS Pixie-Dust attacks.
    • Note: Reaver’s wash tool can be used to detect WPS networks if tshark is not found.
  • bully: For WPS Pixie-Dust attacks.
    • Alternative to Reaver. Specify --bully to use Bully instead of Reaver.
    • Bully is also used to fetch PSK if reaver cannot after cracking WPS PIN.
  • cowpatty: For detecting handshake captures.
  • pyrit: For detecting handshake captures.

Installing & Running

git clone https://github.com/derv82/wifite2.git
cd wifite2
./Wifite.py

Screenshots

Cracking WPS PIN using reaver’s Pixie-Dust attack, then retrieving WPA PSK using bully

Decloaking & cracking a hidden access point (via the WPA Handshake attack)

Various cracking options (using the --crack option)

Autovpn – Connect to a VPN in a Country of your Choice

AutoVpn is a tool to automatically connect you to a random VPN in a country of your choice. It uses openvpn to connect you to a server obtained from VPN Gate.

Compiling Autovpn

First clone the repo and cd into the directory:

$ git clone https://github.com/adtac/autovpn
$ cd autovpn

Then run this to generate the executable:

$ go build autovpn.go

Requirements

This requires openvpn. To install it on a yum-based distro:

$ sudo dnf install openvpn

If you’re on a apt-based distro:

$ sudo apt-get install openvpn

Tested and works on Fedora 23. Dunno about Windows. Patches welcome.

Usage

Simply run:

$ ./autovpn

and you’re done. You’ll be connected to a server in the US. Welcome to the US!

You can give a country if you want. For example, if you want to connect to a server in Japan:

$ ./autovpn JP

You may need superuser privileges. Don’t worry, I’m not running rm -rf --no-preserve-root / underneath. It’s for openvpn.

License

autovpn – simple automatic VPN in a country of your choice Copyright (C) 2017 Adhityaa Chandrasekar This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.

BurpBounty – Active and Passive Scan Check Builder

BurpBounty lets you, in a quick and simple way, improve the active and passive Burp Suite scanner by means of personalized rules through a very intuitive graphical interface. Through an advanced search of patterns and tuning of the payload to send, we can create our own issue profiles both in the active scanner and in the passive one.

Usage Of BurpBounty

1. Config section

  • Profile Manager: manage the profiles; enable, disable or remove any of them.
  • Select Profile: choose any profile to modify and save.
  • Profiles reload: reload the profiles directory, for example when you add a new external profile to the directory.
  • Profile Directory: choose the profiles directory path.

2. Payloads

  • You can add as many payloads as you want.
  • Each payload in this section will be sent at each entry point (insertion points provided by the Burp API).
  • You can choose multiple encoders. For example, if you want to encode the string alert(1) several times (applied in descending order):
    • Plain text: alert(1)
    • HTML-encode all characters: &#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;
    • URL-encode all characters: %26%23%78%36%31%3b%26%23%78%36%63%3b%26%23%78%36%35%3b%26%23%78%37%32%3b%26%23%78%37%34%3b%26%23%78%32%38%3b%26%23%78%33%31%3b%26%23%78%32%39%3b
    • Base64-encode:  JTI2JTIzJTc4JTM2JTMxJTNiJTI2JTIzJTc4JTM2JTYzJTNiJTI2JTIzJTc4JTM2JTM1JTNiJTI2JTIzJTc4JTM3JTMyJTNiJTI2JTIzJTc4JTM3JTM0JTNiJTI2JTIzJTc4JTMyJTM4JTNiJTI2JTIzJTc4JTMzJTMxJTNiJTI2JTIzJTc4JTMyJTM5JTNi
  • If you choose “URL-Encode these characters” option, you can put all characters that you want encode with URL.

3. Grep – Match

  • For each payload response, each string, regex or payload (depending on what you choose) will be searched for using the specified Grep Options.
  • Grep Type:
    • Simple String: search for a simple string or strings
    • Regex: search for a regular expression
    • Payload: search for the payloads that were sent
    • Payload without encode: if you encoded the payload and want to search for the original payload, choose this
  • Grep Options:
    • Negative match: match if the string, regex or payload is not present in the response
    • Case sensitive: only match if the case matches
    • Not in cookie: match if a given cookie attribute is not present
    • Content type: you can specify one or multiple (comma-separated) content types in which to search for the string, regex or payload. For example: text/plain, text/html, …
    • Response Code: you can specify one or multiple (comma-separated) HTTP response codes in which to search for the string, regex or payload. For example: 300, 302, 400, …
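As an added illustration (not Burp Bounty’s own code), the following Python re-implements the encoder chain from the Payloads section and the Grep-Match rules from section 3, then runs them over a constructed response that reflects the decoded payload, which is the case where the “Payload without encode” grep type is needed. Function and field names are my own.

```python
"""Burp Bounty style profile logic: encoder chain plus Grep-Match evaluation.
Re-implemented for illustration; the HTTP response below is constructed."""
import base64
import re
from dataclasses import dataclass


def html_encode_all(s: str) -> str:
    """HTML-encode every character as a hex numeric entity, e.g. 'a' -> '&#x61;'."""
    return "".join(f"&#x{ord(c):x};" for c in s)


def url_encode_all(s: str) -> str:
    """URL-encode every byte (lower-case hex, as in the page's example)."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def base64_encode(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


ENCODERS = {"html": html_encode_all, "url": url_encode_all, "base64": base64_encode}


def apply_encoders(payload: str, chain: list[str]) -> str:
    """Apply the selected encoders in order; each one wraps the previous output."""
    for name in chain:
        payload = ENCODERS[name](payload)
    return payload


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def grep_match(resp, grep_type, patterns=(), *, sent_payload="", original_payload="",
               negative=False, case_sensitive=True, content_types=(), response_codes=()):
    """Evaluate one Grep-Match rule against a response.

    grep_type: "string", "regex", "payload" or "payload_without_encode".
    content_types / response_codes: if given, the rule only applies to responses
    whose Content-Type contains one of them / whose status code is listed.
    negative: report a match when the pattern is *absent* (Negative match).
    """
    if content_types and not any(ct in resp.content_type for ct in content_types):
        return False
    if response_codes and resp.status not in response_codes:
        return False
    if grep_type == "payload":
        needles = [sent_payload]        # the encoded string that was actually sent
    elif grep_type == "payload_without_encode":
        needles = [original_payload]    # the payload before any encoder ran
    else:
        needles = list(patterns)
    if grep_type == "regex":
        flags = 0 if case_sensitive else re.IGNORECASE
        found = any(re.search(p, resp.body, flags) for p in needles)
    else:
        body = resp.body if case_sensitive else resp.body.lower()
        found = any((n if case_sensitive else n.lower()) in body for n in needles)
    return (not found) if negative else found


def reflected_check(resp, chain):
    """Encode alert(1) with the chain, then show which payload grep type flags
    a response in which the server decoded the parameter before reflecting it."""
    original = "alert(1)"
    sent = apply_encoders(original, chain)
    common = dict(sent_payload=sent, original_payload=original)
    return {
        "payload": grep_match(resp, "payload", **common),
        "payload_without_encode": grep_match(resp, "payload_without_encode", **common),
    }


# Constructed response: the server URL-decoded the parameter and reflected it verbatim.
SAMPLE = Response(200, "text/html; charset=utf-8", "<div>Search results for alert(1)</div>")

if __name__ == "__main__":
    print(apply_encoders("alert(1)", ["html", "url", "base64"]))
    print(reflected_check(SAMPLE, ["url"]))
```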

4. Write an Issue

  • In this section you specify the issue that will be shown if the condition matches the options specified.
  • Issue Name
  • Severity
  • Confidence
  • And others details like description, background, etc.

Examples

So, the vulnerabilities identified so far, from which you can make personalized improvements, are:

1- Active Scan

  • XSS reflected and Stored
  • SQL Injection error based
  • XXE
  • Command injection
  • Open Redirect
  • Local File Inclusion
  • Remote File Inclusion
  • Path Traversal
  • LDAP Injection
  • ORM Injection
  • XML Injection
  • SSI Injection
  • XPath Injection
  • etc

2- Passive Scan

  • Security Headers
  • Cookies attributes
  • Software versions
  • Error strings
  • In general any string or regular expression.

For example videos, please visit our YouTube channel.

THC-SSL-DOS – DoS Tool Against Secure Web-Servers and for Testing SSL-Renegotiation

THC is The Hacker’s Choice, a group of hackers from Germany. thc-ssl-dos is used to check whether a website or server has SSL renegotiation enabled, thereby checking for the renegotiation vulnerability (CVE-2009-3555).

SSL renegotiation is the process by which a client asks the server to renegotiate the parameters of an already established SSL connection. This tool sends SSL requests (Client Hello) to a web server and then rejects the server’s reply (Server Hello), repeating this many times.

So eventually, as the server keeps trying to renegotiate, the client rejects it each time and thereby crashes the server, making it a Denial of Service attack.

This also shows that the server is vulnerable to the SSL renegotiation vulnerability.

Homepage: http://www.thc.org/thc-ssl-dos

Options

Syntax: thc-ssl-dos <options> ip port
-h       Help
-l <n>   Limit parallel connections [default: 400]

Lab: Perform an SSL stress test on the router’s HTTPS login page

NOTE: This lab causes a DoS attack; it may temporarily disable your target. Please use this tool wisely. Never use it on a company network without an agreement.

In this lab, we perform a DoS attack on the HTTPS login page of the router’s web-based control panel. thc-ssl-dos sends requests to the SSL/HTTPS server.

When it receives the server’s acknowledgement, it rejects it before the handshake completes, so the server tries again and again if SSL renegotiation is enabled. Here the router IP is 192.168.1.1 and the HTTPS login page is running on port 443.

Command: thc-ssl-dos 192.168.1.1 443 --accept
[Figure: Starting THC-SSL-DOS]
[Figure: Verbose Operation]

Now try to log in to the page https://192.168.1.1 <replace with yours>

[Figure: Router Login being denied]
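A defender-side check for the condition the tool exercises, added here and not part of the THC tool: it opens one TLS 1.2 session with openssl s_client, requests a single renegotiation with the interactive R command, and classifies the transcript. It assumes the s_client output strings named in the comments; the classification functions are tested on constructed transcripts.

```shell
#!/bin/sh
# Does a server still accept client-initiated TLS renegotiation (what
# thc-ssl-dos abuses), and does it offer RFC 5746 secure renegotiation (the
# fix for CVE-2009-3555)? One renegotiation is a harmless probe; it is the
# tool's hundreds of parallel renegotiations that exhaust a server.
#
# Assumptions (not from the page): `openssl s_client` prints "RENEGOTIATING"
# when it reads the interactive 'R' command, prints "Secure Renegotiation IS
# supported" / "IS NOT supported" after the handshake, and reports a refused
# renegotiation with a "no renegotiation", "handshake failure" or
# "unexpected message" error line.

# Classify RFC 5746 support from an s_client transcript passed as $1.
secure_renego_status() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo "insecure" ;;
        *"Secure Renegotiation IS supported"*)     echo "secure" ;;
        *)                                          echo "unknown" ;;
    esac
}

# Classify whether the client-initiated renegotiation was accepted.
client_renego_status() {
    case "$1" in
        *RENEGOTIATING*)
            case "$1" in
                *"no renegotiation"*|*"handshake failure"*|*"unexpected message"*)
                    echo "refused" ;;
                *)  echo "accepted" ;;
            esac ;;
        *)  echo "not-attempted" ;;
    esac
}

# Live check: one TLS 1.2 session (renegotiation does not exist in TLS 1.3),
# a single 'R' on stdin, then EOF so s_client closes the connection.
check_renegotiation() {
    host="$1"; port="${2:-443}"
    out=$( (sleep 2; echo R; sleep 2) | \
           openssl s_client -tls1_2 -connect "$host:$port" -servername "$host" 2>&1 )
    printf 'rfc5746=%s client_initiated=%s\n' \
        "$(secure_renego_status "$out")" "$(client_renego_status "$out")"
}
```

Run it as `check_renegotiation router.example 443`; a result of `client_initiated=accepted` means the server still grants renegotiation to any client, which is what an administrator should disable before relying on connection limits.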
