Categories
Penetration Testing Security Reconnaissance

SlowHTTPTest HTTP DoS Tool latest version 1.4 released

We have talked about SlowHTTPTest in detailed here, 2 days ago Shekyan released a new version, below is summary of change log.

SlowHTTPTest 1.4 release notes:

  • Added man pages as doc support
  • Some bug fixes
  • and now it can handle 64000 concurrent connections  😀 OpsS!!

You can read our previous post in detail that would help you, how to compile and use it.

Download and install SlowHTTPTest latest version :

wget http://slowhttptest.googlecode.com/files/slowhttptest-1.4.tar.gz
tar -zxvf slowhttptest-1.4.tar.gz

Categories
HowTos Linux Penetration Testing Security Reconnaissance

How to use SlowHTTPTest HTTP DoS Tool

Introduction :
Slow HTTP DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. SlowHTTPTest is developed by Sergey Shekyan, Who is  Developer Web Application Scanning at Qualys.

This tool is enough capable to acquire resource on server side at application layer.

How to Install SlowHTTPTest?
wget http://slowhttptest.googlecode.com/files/slowhttptest-1.1.tar.gz
gunzip slowhttptest-1.1.tar.gz
tar xf slowhttptest-1.1.tar
cd slowhttptest-1.1

Configure & Compile it. You can use custom –prefix=your-location
./configure
make
make install

How To Use SlowHTTPTest for DoS?
slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20

Detailed options :

-a start start value of ranges-specifier for range header test
-b bytes limit of range-specifier for range header test
-c number of connections limited to 1024
-H, B, or R specify to slow down in headers section or in message body.
            -R enables range test
-g generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html,
   where xxx is the time and date
-i seconds interval between follow up data in seconds, per connection
-l seconds test duration in seconds
-o file custom output file path and/or name, effective if -g is specified
-r connections per second connection rate
-s bytes value of Content-Length header, if -B specified
-t verb custom verb to use
-u URL target URL, the same format you type in browser, e.g https://host:port/
-v level verbosity level of log 0-4
-x bytes max length of follow up data

Troubleshooting :

configure: error: OpenSSL is missing

Install openssl devel package on backtrack(or any debian based distro)
aptitude install libssl-dev

On CEntOS Linux :
yum install openssl-devel

SlowHTTPTest Video Tutorial :