D(HE)ater is a security tool can perform DoS attack by enforcing the DHE key exchange.

Overview

D(HE)ater

D(HE)ater is an attacking tool based on CPU heating in that it forces the ephemeral variant of Diffie-Hellman key exchange (DHE) in given cryptography protocols (e.g. TLS, SSH). It is performed without calculating a cryptographically correct ephemeral key on the client side, but with a significant amount of calculation on the server side. Based on this, D(HE)ater can initiate a denial-of-service (DoS) attack.

Quick start

D(HE)ater can be installed directly via pip from PyPi

pip install dheater
dheat --protocol tls ecc256.badssl.com
dheat --protocol ssh ecc256.badssl.com

or can be used via Docker from Docker Hub

docker pull balasys/dheater
docker run --tty --rm balasys/dheater --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --protocol ssh ecc256.badssl.com

You can increase load by string extra threads.

dheat --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol ssh ecc256.badssl.com

Mitigation

Configuration

Diffie-Hellman (DHE) key exchange should be disabled.

TLS

Apache
SSLCipherSuite ...:!kDHE
NGINX
ssl_ciphers ...:!kDHE;
Others

See moz://a SSL Configuration Generator for configuration syntax.

SSH

OpenSSH
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512

Fail2Ban

TLS

Apache

There are no relevant filters.

  1. apache-ssl.conf in fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory
  2. the followings should be added to the jail.local file in the fail2ban configuration directory
[apache-ssl]

port    = https
logpath = %(apache_error_log)s
maxretry = 1
Postfix

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to jail.local.

[postfix]
mode = ddos
Dovecot

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to jail.local.

[dovecot]
mode = aggressive

or a specific filter can be used without changing the mode of dovecot.

  1. dovecot-ssl.conf in fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory
  2. the followings should be added to jail.local in tge fail2ban configuration directory
[dovecot-ssl]

port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
maxretry = 1

SSH

OpenSSH

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to jail.local.

[sshd]
mode = ddos

License

The code is available under the terms of Apache License Version 2.0. A non-comprehensive, but straightforward description and also the full license text can be found at Choose an open source license website.

Comments
  • not able to use

    not able to use

    Hello,

    I'm very new to this cybersecurity field Please anyone help me out with this problem. ### Note I have replace website name with ConfidentialWebsite.com

    When I use tls protocol I'm getting this error :-

    dheat --protocol tls ConfidentialWebsite.com Traceback (most recent call last): File "/usr/local/bin/dheat", line 8, in sys.exit(main()) File "/usr/local/lib/python3.9/dist-packages/dheater/main.py", line 512, in main enforcer = DHEnforcerThreadTLS(args.uri, args.timeout, pre_check_result) File "", line 14, in init File "/usr/local/lib/python3.9/dist-packages/dheater/main.py", line 125, in attrs_post_init self._pre_check() File "/usr/local/lib/python3.9/dist-packages/dheater/main.py", line 390, in _pre_check if is_tls_1_3: NameError: name 'is_tls_1_3' is not defined

    When I use ssh protocol I'm getting this error :-

    dheat --protocol ssh ConfidentialWebsite.com
    Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="ConfidentialWebsite.com", error="connection to target cannot be established"

    AddText_02-02-08 37 54

    bug 
    opened by souravkr529 5
  • It does not run from docker image

    It does not run from docker image

    I have ran the mentioned command: docker run --tty --rm balasys/dheater --protocol ssh ecc256.badssl.com andresulted the following error:

    #docker run --tty --rm balasys/dheater --thread-num 4 --protocol ssh ecc256.badssl.com
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 139, in _init_connection
        self._socket = socket.create_connection((self.ip, self.port), self.timeout)
      File "/usr/local/lib/python3.9/socket.py", line 844, in create_connection
        raise err
      File "/usr/local/lib/python3.9/socket.py", line 832, in create_connection
        sock.connect(sa)
    socket.timeout: timed out
     
    The above exception was the direct cause of the following exception:
     
    Traceback (most recent call last):
      File "/usr/local/bin/dheat", line 8, in <module>
        sys.exit(main())
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 258, in main
        enforcer = DHEnforcerThreadSSH(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init dheater.__main__.DHEnforcerThreadBase>", line 15, in __init__
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 89, in __attrs_post_init__
        self._pre_check()
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 117, in _pre_check
        self.pre_check_result = analyzer.analyze(self._get_client())
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/dhparams.py", line 111, in analyze
        analyzer_result = AnalyzerCiphers().analyze(analyzable)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/ciphers.py", line 80, in analyze
        server_messages = analyzable.do_handshake(last_message_type=SshMessageCode.KEXINIT)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/client.py", line 111, in do_handshake
        self.init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 251, in init_connection
        self._init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/client.py", line 102, in _init_connection
        self.l4_transfer.init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 73, in init_connection
        self._init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 142, in _init_connection
        six.raise_from(NetworkError(NetworkErrorType.NO_CONNECTION), e)
      File "<string>", line 3, in raise_from
    cryptolyzer.common.exception.NetworkError: connection to target cannot be established
    
    opened by V0072 5
  • Errors trying to connect to target

    Errors trying to connect to target

    @c0r0n3r I can provide wireshark if needed in order to understand why the script fails despite having communication.

    Output: C:\Users\t>dheat --protocol tls gw.t.local Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="gw.t.local", error="connection to target cannot be established"

    C:\Users\t>dheat --protocol tls gw.t.local Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="gw.t.local", error="no response received from target"

    question 
    opened by KyferEz 4
  • Does not work

    Does not work

    Either way I run Install it via pip or use it via Docker I get the following error

    ┌──(kali㉿kali)-[~]
    └─$ docker run --tty --rm balasys/dheater --protocol tls domainwhichiownandreachable.com                                                    1 ⨯
    Traceback (most recent call last):
      File "/usr/local/bin/dheat", line 8, in <module>
        sys.exit(main())
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 331, in main
        enforcer = DHEnforcerThreadTLS(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init dheater.__main__.DHEnforcerThreadBase>", line 15, in __init__
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 100, in __attrs_post_init__
        self._pre_check()
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 264, in _pre_check
        server_messages = self._get_client().do_tls_handshake(
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 429, in do_tls_handshake
        return self._do_handshake(
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 409, in _do_handshake
        l7_client.do_handshake(self, hello_message, record_version, last_handshake_message_type)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 1181, in do_handshake
        self._process_non_handshake_message(record.content_type, message)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 1135, in _process_non_handshake_message
        raise TlsAlert(message.description)
    cryptolyzer.tls.exception.TlsAlert: TlsAlert(description=<TlsAlertDescription.HANDSHAKE_FAILURE: 40>)
    
    question 
    opened by rtcms 4
  • gnuTLS support?

    gnuTLS support?

    It seems like it does not work against gnuTLS implementations, but the general problem described in the CVE sounds like it should. Any chance to get it modified for gnuTLS as well...

    bug 
    opened by Lockhead 3
  • Anti-DDoS Mechanism in openssh-8.5p1

    Anti-DDoS Mechanism in openssh-8.5p1

    Once, I also submitted a ddos question to the openssh community: https://bugzilla.mindrot.org/show_bug.cgi?id=3211

    They added the configuration items PerSourceMaxStartups and PerSourceNetBlockSize to openssh-8.5p1. I think that the two parameters can be properly configured to prevent "dheat" from attacking OpenSSH.

    documentation 
    opened by kircherlike 1
  • DHEater crashes on hardened SSH server

    DHEater crashes on hardened SSH server

    I just tested this against one of my machines. After bringing my cpu load up to ~70% I tried if I could mitigate this in my sshd by enabling the "modern" hardened configuration as recommended by Mozilla: https://infosec.mozilla.org/guidelines/openssh

    Effectively I disabled non-ed25519 hostkeys and enabled the following settings:

    KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    
    MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
    

    Once I reloaded my sshd dheater crashes with the following error:

    Traceback (most recent call last):
      File "/opt/homebrew/Cellar/[email protected]/3.9.7/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 197, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/opt/homebrew/Cellar/[email protected]/3.9.7/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 346, in <module>
        main()
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 259, in main
        enforcer = DHEnforcerThreadSSH(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init __main__.DHEnforcerThreadBase>", line 15, in __init__
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 93, in __attrs_post_init__
        self.message_bytes = self._prepare_packets()
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 153, in _prepare_packets
        key_exchange_algorithm_with_greatest_key_size = self._get_algorithm_with_greatest_key_size()
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 131, in _get_algorithm_with_greatest_key_size
        if self.pre_check_result.key_exchange.kex_algorithms:
    AttributeError: 'NoneType' object has no attribute 'kex_algorithms'
    

    command used: python -m dheater --protocol ssh myhost

    I haven't bothered looking into this further, but if this disables the required DHE (looks like there's already a check for TLS) this should also be listed as possible mitigation and a message should be shown instead of the exception.

    opened by Nothing4You 1
  • Minimum versions defined for dependencies do not work

    Minimum versions defined for dependencies do not work

    On latest master 09f8cc9597fa0df2c652a760fc4fa4d98d5b6549 I'm getting the following exception:

    pdm run python -m dheater --protocol ssh myhost

    Traceback (most recent call last):
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 196, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File ".../dheater/dheater/__main__.py", line 22, in <module>
        from cryptoparser.tls.ciphersuite import TlsCipherSuite
      File ".../dheater/__pypackages__/3.10/lib/cryptoparser/tls/ciphersuite.py", line 12, in <module>
        from cryptoparser.tls.version import (
      File ".../dheater/__pypackages__/3.10/lib/cryptoparser/tls/version.py", line 24, in <module>
        @attr.s(order=False, eq=False, hash=True)
    TypeError: attrs() got an unexpected keyword argument 'order'
    

    this is on Python 3.10.1 on macOS ARM with the following package versions:

    asn1crypto==1.4.0
    attrs==19.1.0
    certifi==2021.10.8
    certvalidator==0.11.1
    charset-normalizer==2.0.11
    cryptolyzer==0.7.2
    cryptoparser==0.7.1
    idna==3.3
    oscrypto==1.2.1
    python-dateutil==2.8.2
    requests==2.27.1
    six==1.16.0
    urllib3==1.26.8
    
    bug 
    opened by Nothing4You 0
  • software_version must be cryptoparser.ssh.version.SshSoftwareVersionBase

    software_version must be cryptoparser.ssh.version.SshSoftwareVersionBase

    On latest master 09f8cc9597fa0df2c652a760fc4fa4d98d5b6549 I'm getting the following exception:

    pdm run python -m dheater --protocol ssh myhost

    Traceback (most recent call last):
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 196, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File ".../dheater/dheater/__main__.py", line 565, in <module>
        main()
      File ".../dheater/dheater/__main__.py", line 507, in main
        enforcer = DHEnforcerThreadSSH(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init __main__.DHEnforcerThreadBase>", line 14, in __init__
      File ".../dheater/dheater/__main__.py", line 130, in __attrs_post_init__
        self.message_bytes = self._prepare_packets()
      File ".../dheater/dheater/__main__.py", line 232, in _prepare_packets
        protocol_message = SshProtocolMessage(
      File "<attrs generated init cryptoparser.ssh.subprotocol.SshProtocolMessage>", line 7, in __init__
      File ".../dheater/__pypackages__/3.10/lib/attr/validators.py", line 103, in __call__
        raise TypeError(
    TypeError: ("'software_version' must be <class 'cryptoparser.ssh.version.SshSoftwareVersionBase'> (got 'DHEater_0.3.1' that is a <class 'str'>).", Attribute(name='software_version', default=NOTHING, validator=<instance_of validator for type <class 'cryptoparser.ssh.version.SshSoftwareVersionBase'>>, repr=True, eq=True, eq_key=None, order=True, order_key=None, hash=None, init=True, metadata=mappingproxy({}), type=None, converter=None, kw_only=False, inherited=False, on_setattr=None), <class 'cryptoparser.ssh.version.SshSoftwareVersionBase'>, 'DHEater_0.3.1')
    

    this is on Python 3.10.1 on macOS ARM with the following package versions:

    asn1crypto==1.4.0
    attrs==21.4.0
    certifi==2021.10.8
    certvalidator==0.11.1
    charset-normalizer==2.0.11
    cryptolyzer==0.8.0
    cryptoparser==0.8.0
    idna==3.3
    oscrypto==1.2.1
    python-dateutil==2.8.2
    requests==2.27.1
    six==1.16.0
    urllib3==1.26.8
    
    bug 
    opened by Nothing4You 0
  • Using IPv6

    Using IPv6

    Hi,

    I am trying to use dheater with an IPv6 address but I always get an error like below:

    python3 -m dheater --protocol tls "[3011::4]:5060"
    Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="[3011::4]:5060", error="address of the target cannot be resolved"
    

    How should I use or is it some kind of bug?

    opened by VidarHUN 0
Releases(v0.3.2)
Owner
Balasys
Balasys
If you only have hash, you can still operate exchange

PTH Exchange If you only have hash, you can still operate exchange This project module is the same as my other project Exchange_SSRF, This project use

Jumbo 37 Dec 26, 2022
Este programa tem como objetivo o cadastro dos usuários. Assim, caso a autenticação seja feita, permitir que o usuário entre em determinado sistema ou programa.

LoginPy Este programa tem como objetivo o cadastro dos usuários. Assim, caso a autenticação seja feita, permitir que o usuário entre em determinado si

Jonas Carvalho 4 Dec 23, 2021
Discord Voice Call DoS

VC DoS Simple, effective Discord DM/GC voice call Denial of Service. How to Use & FAQ 1. Download the script (obviously). 2. In CMD prompt, find the l

Roover 4 Feb 28, 2022
Script que realiza a identificação de todos os logins e senhas dos wifis conectados em uma máquina e envia os dados para um e-mail especificado.

getWIFIConnection Script que realiza a identificação de todos os logins e senhas dos wifis conectados em uma máquina e envia os dados para um e-mail e

Vinícius Azevedo 3 Nov 27, 2022
API RestFull de uma clinica, onde vai efetuar os agendamentos dos pacientes e mostrar o historicos de cada agendamentos

API REstFull O que tem na API Usado para clinicas. Cadastro de pacientes. Agendamentos de pacientes. Históricos dos agendamentos vinculados com a tabe

Lucas Silva 3 Aug 29, 2022
Python script to replace BTC adresses in the clipboard with similar looking ones, whose private key can be retrieved by a netcat listener or similar.

BTCStealer Python script to replace BTC adresses in the clipboard with similar looking ones, whose private key can be retrieved by a netcat listener o

Some Person 6 Jun 7, 2022
A pre-attack hacker tool which aims to find out sensitives comments in HTML comment tag and to help on reconnaissance process

Find Out in Comment Find sensetive comment out in HTML ⚈ About This is a pre-attack hacker tool that searches for sensitives words in HTML comments ta

Pablo Emídio S.S 8 Dec 31, 2022
Upbit(업비트) Cryptocurrency Exchange OPEN API Client for Python

Base Repository Python Upbit Client Repository Upbit OPEN API Client @Author: uJhin @GitHub: https://github.com/uJhin/upbit-client/ @Officia

Yu Jhin 37 Nov 6, 2022
Nasdaq Cloud Data Service (NCDS) provides a modern and efficient method of delivery for realtime exchange data and other financial information. This repository provides an SDK for developing applications to access the NCDS.

Nasdaq Cloud Data Service (NCDS) Nasdaq Cloud Data Service (NCDS) provides a modern and efficient method of delivery for realtime exchange data and ot

Nasdaq 8 Dec 1, 2022
Andrei 1.4k Dec 24, 2022
Leveraged grid-trading bot using CCXT/CCXT Pro library in FTX exchange.

Leveraged-grid-trading-bot The code is designed to perform infinity grid trading strategy in FTX exchange. The basic trader named Gridtrader.py contro

Hao-Liang Wen 25 Oct 7, 2021
A muti pairs martingle trading bot for Binance exchange.

multi_pairs_martingle_bot English Documentation A muti pairs martingle trading bot for Binance exchange. Configuration { "platform": "binance_futur

51bitquant 62 Nov 16, 2022
Market calendar RESTful API with holiday, late open, and early close. Over 50+ unique exchange calendars for global equity and futures markets.

Trading Calendar Market calendar RESTful API with holiday, late open, and early close. Over 50+ unique exchange calendars for global equity and future

Apptastic Software 1 Feb 3, 2022
Repository to access information of stocks in Bombay Stock Exchange.

BSE Repository to access information of stocks in Bombay Stock Exchange. The code in this repository uses BSE API and conclusions made using the code

null 1 Nov 13, 2021
Exchange indicators & Basic functions for Binance API.

binance-ema Exchange indicators & Basic functions for Binance API. This python library has been written to calculate SMA, EMA, MACD etc. functions wit

Emre MENTEŞE 24 Jan 6, 2023
An unofficial Python wrapper for the 'Binance exchange REST API'

Welcome to binex_f v0.1.0 many interfaces are heavily used by myself in product environment, the websocket is reliable (re)connected. Latest version:

DeepLn 2 Jan 5, 2022
Python 3 SDK/Wrapper for Huobi Crypto Exchange Api

This packages intents to be an idiomatic PythonApi wrapper for https://www.huobi.com/ Huobi Api Doc: https://huobiapi.github.io/docs Showcase TODO Con

null 3 Jul 28, 2022
Programa de código abierto para probar el API de Bitso, el exchange más importante de América Latina.

Bitso Semiautomático Programa de código abierto para probar el API de Bitso, el exchange más importante de América Latina. Desarrollador Fernando Mire

Fernando Mireles 17 Dec 7, 2022