CEH v8 labs module 10 Denial of service


CEH Lab Manual

Denial of Service
Module 10

Module 10 - Denial of Service

Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

Lab Scenario

In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, to detect and neutralize attack handlers, and to mitigate such attacks.

Lab Objectives

The objective of this lab is to help students learn to perform DoS attacks and to test network for DoS flaws.

In this lab, you will:

■ Create and launch a denial-of-service attack to a victim
■ Remotely administer clients
■ Perform a DoS attack by sending a huge amount of SYN packets continuously
■ Perform a DoS HTTP attack

CEH Lab Manual Page 703
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Environment

To carry out this, you need:

■ A computer running Windows Server 2008
■ Windows XP/ running in virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 60 Minutes

Overview of Denial of Service

Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing intended tasks.

Lab Tasks

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in denial of service:

■ SYN flooding a target host using hping3
■ HTTP flooding using DoSHTTP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyzer.

Lab Scenario

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against the SYN flood which eliminates the resources allocated on the target host.

Lab Objectives

The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.

In this lab, you will:

■ Perform denial-of-service attacks
■ Send huge amount of SYN packets continuously

Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Environment

To carry out the lab, you need:

■ A computer running Windows as victim machine
■ BackTrack r3 running in virtual machine as attacker machine
■ Wireshark is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Lab Duration

Time: 10 Minutes

Overview of hping3

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packets body, and size and can be used in order to transfer files encapsulated under supported protocols.

Lab Tasks

Flood SYN Packet

Launch BackTrack r3 on the virtual machine.

Launch the hping3 utility from the BackTrack r3 virtual machine. Select BackTrack Menu -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Hping3.

FIGURE 1.2: BackTrack r3 Command Shell with hping3

In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

Note: First, type a simple command and see the result:

    #hping3.0.0-alpha1> hping resolve www.google.com
    66.102.9.104

Note: The hping3 command should be called with a subcommand as a first argument and additional arguments according to the particular subcommand.

FIGURE 1.3: BackTrack r3 hping3 command

In the previous command, 10.0.0.11 (Windows 7) is the victim's machine IP address, and 10.0.0.13 (BackTrack r3) is the attacker's machine IP address.

    root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
    HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
    hping in flood mode, no replies will be shown
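The Lab Scenario for this lab names SYN cookies as the countermeasure to SYN flooding. The following added example (not part of the lab manual) sketches a simplified cookie in the classic 5/3/24-bit layout, not any operating system's implementation, and contrasts it with a stateful backlog in a constructed simulation. The secret, MSS table, time-slot counter and client addresses are assumptions; 10.0.0.11 port 22 is the lab's victim host.

```python
import hashlib, hmac, ipaddress, struct

SECRET = b"constructed-demo-key"      # assumption: per-boot server secret
MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: MSS values the 3-bit field can encode

def _mac(src, sport, dst, dport, client_isn, counter, idx):
    """24-bit keyed MAC binding the cookie to this 4-tuple, client ISN and time slot."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHIIB", sport, dport, client_isn, counter, idx))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def syn_cookie(src, sport, dst, dport, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 5 bits time slot | 3 bits MSS index | 24 bits MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src, sport, dst, dport, client_isn, counter, idx)
    return ((counter & 0x1F) << 27) | (idx << 24) | int.from_bytes(mac, "big")

def check_ack(src, sport, dst, dport, seq, ack, counter):
    """Validate the final ACK with no stored state; return the negotiated MSS or None."""
    cookie, client_isn = (ack - 1) & 0xFFFFFFFF, (seq - 1) & 0xFFFFFFFF
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    for slot in (counter, counter - 1):           # accept current and previous time slot
        if slot < 0 or (slot & 0x1F) != cookie >> 27:
            continue
        want = _mac(src, sport, dst, dport, client_isn, slot, idx)
        if hmac.compare_digest(want, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None

def demo(flood_syns=1000, backlog=128):
    """Constructed simulation, no network I/O: stateful backlog vs. cookie listener."""
    half_open = set()
    for i in range(flood_syns):                   # SYNs that never complete the handshake
        if len(half_open) < backlog:
            half_open.add((f"198.51.100.{i % 250}", 1024 + i))
    stateful_has_room = len(half_open) < backlog  # can a legitimate SYN still be queued?
    isn = 0x1000                                  # legitimate client's ISN (constructed)
    c = syn_cookie("192.0.2.10", 40000, "10.0.0.11", 22, isn, 1460, counter=7)
    mss = check_ack("192.0.2.10", 40000, "10.0.0.11", 22,
                    isn + 1, (c + 1) & 0xFFFFFFFF, counter=7)
    return stateful_has_room, mss

if __name__ == "__main__":
    print(demo())  # stateful backlog is full; the cookie listener still completes the handshake
```

Because the listener keeps nothing per SYN, the number of unanswered SYN-ACKs has no effect on whether a later valid ACK is accepted; only the time slot and the MAC decide.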

Date posted: 14/04/2017, 08:51
