CEH v8 Labs Module 10 Denial of Service

July 6, 2016 | Author: Eyder Castellar | Category: N/A

CEH Lab Manual

Denial of Service Module 10

Module 10 - Denial of Service

Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.


Lab Scenario

In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, to detect and neutralize attack handlers, and to mitigate such attacks.

Lab Objectives

The objective of this lab is to help students learn to perform DoS attacks and to test network for DoS flaws. In this lab, you will:

■ Create and launch a denial-of-service attack to a victim
■ Remotely administer clients
■ Perform a DoS attack by sending a huge amount of SYN packets continuously
■ Perform a DoS HTTP attack


Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 10 Denial-of-Service

Lab Environment

To carry out this, you need:

■ A computer running Windows Server 2008
■ Windows XP/7 running in virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 60 Minutes

Overview of Denial of Service

Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing intended tasks.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in denial of service:

■ SYN flooding a target host using hping3
■ HTTP flooding using DoSHTTP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyser.


Lab Scenario

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.


A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against the SYN flood which eliminates the resources allocated on the target host.
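The half-open queue and the SYN cookie countermeasure described above, as an added example that is not part of the lab manual: a simplified server-side model, not any operating system's actual cookie layout. The names `Listener`, `cookie`, `legit_client_connects`, `SECRET` and `BACKLOG`, and all addresses other than 10.0.0.11, are assumptions constructed for the demonstration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, constructed for this demo
BACKLOG = 4                          # assumption: tiny half-open queue so exhaustion is visible
MOD = 2 ** 32                        # TCP sequence numbers are 32-bit

def cookie(conn, tick):
    """ISN derived from the 4-tuple and a coarse time counter; nothing is stored."""
    msg = f"{conn}@{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class Listener:
    def __init__(self, syn_cookies):
        self.syn_cookies = syn_cookies
        self.half_open = {}          # 4-tuple -> ISN, held until the ACK arrives
        self.established = set()

    def on_syn(self, conn, tick):
        """Return the ISN for the SYN-ACK, or None when the SYN has to be dropped."""
        if self.syn_cookies:
            return cookie(conn, tick)            # stateless: no queue entry is created
        if len(self.half_open) >= BACKLOG:
            return None                          # queue is full of half-open entries
        self.half_open[conn] = cookie(conn, tick)
        return self.half_open[conn]

    def on_ack(self, conn, ack, tick):
        """Complete the handshake if the ACK acknowledges an ISN this server issued."""
        if self.syn_cookies:
            ok = any(ack == (cookie(conn, t) + 1) % MOD for t in (tick, tick - 1))
        else:
            isn = self.half_open.pop(conn, None)
            ok = isn is not None and ack == (isn + 1) % MOD
        if ok:
            self.established.add(conn)
        return ok

def legit_client_connects(syn_cookies, spoofed_syns=100):
    """Model: many SYNs that are never ACKed, then one real client on port 22."""
    srv = Listener(syn_cookies)
    for i in range(spoofed_syns):                # constructed sources, no ACK follows
        srv.on_syn(("192.0.2.1", 1024 + i, "10.0.0.11", 22), tick=0)
    client = ("10.0.0.20", 40000, "10.0.0.11", 22)   # constructed client address
    isn = srv.on_syn(client, tick=0)
    connected = isn is not None and srv.on_ack(client, (isn + 1) % MOD, tick=1)
    return connected, len(srv.half_open)

if __name__ == "__main__":
    print("no SYN cookies:", legit_client_connects(False))
    print("SYN cookies:   ", legit_client_connects(True))
```

Without cookies the queue stays full and the real client's SYN is dropped; with cookies the server holds no per-connection state until a valid ACK arrives, so the client completes its handshake.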

Lab Objectives

The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws. In this lab, you will:

■ Perform denial-of-service attacks
■ Send huge amount of SYN packets continuously


Tools demonstrated in this lab are available at D:\CEHTools\CEHv8 Module 10 Denial-of-Service

Lab Environment

To carry out the lab, you need:

■ A computer running Windows 7 as victim machine
■ BackTrack 5 r3 running in virtual machine as attacker machine

Wireshark is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Lab Duration

Time: 10 Minutes

Overview of hping3

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packets body, and size and can be used in order to transfer files encapsulated under supported protocols.

Lab Tasks

Flood SYN Packet

1. Launch BackTrack 5 r3 on the virtual machine.

2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Hping3.

FIGURE 1.2: BackTrack 5 r3 Command Shell with hping3

4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

First, type a simple command and see the result: #hping3.0.0-alpha1> hping resolve www.google.com 66.102.9.104.

The hping3 command should be called with a subcommand as a first argument and additional arguments according to the particular subcommand.

FIGURE 1.3: BackTrack 5 r3 hping3 command

5. In the previous command, 10.0.0.11 (Windows 7) is the victim's machine IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker's machine IP address.

root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown
