Denial of Service
Module 10
Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.
Lab Scenario
In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.
One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.
As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed
handlers, and to mitigate such attacks.
Lab Objectives
The objective of this lab is to help students learn to perform DoS attacks and to test the network for DoS flaws.
In this lab, you will:
■ Create and launch a denial-of-service attack to a victim
■ Remotely administer clients
■ Perform a DoS attack by sending a huge amount of SYN packets continuously
■ Perform a DoSHTTP attack
Ethical Hacking and Countermeasures Copyright © by EC-Council
CEH Lab Manual Page 703
Lab Environment
To carry out this, you need:
■ A computer running Windows Server 2008
■ Windows XP / 7 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration
Time: 60 Minutes
Overview of Denial of Service
Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing intended tasks.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in denial of service:
■ SYN flooding a target host using hping3
■ HTTP flooding using DoSHTTP
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB
Tools demonstrated in this lab are available in D:\CEH-Module 10 Denial-of-Service
SYN Flooding a Target Host Using hping3
hping3 is a command-line oriented TCP/IP packet assembler/analyser.
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.
As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-
You should use SYN cookies as a countermeasure against the SYN flood, which eliminates the resources allocated on the target host.
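The half-open backlog described above can be measured from a packet capture. As an added illustration that is not part of the CEH lab manual, the following script parses constructed tshark-style summary lines, counts client SYNs that were never followed by the client's ACK, and flags a destination port whose backlog reaches a threshold; the line format, addresses, port numbers and threshold are assumptions made for this example.

```python
# Added example (not from the CEH lab manual): count half-open TCP connections
# per destination port from packet summary lines and flag a SYN flood.
# The summary-line format and all sample traffic below are constructed.
import re
from collections import defaultdict

# Constructed format: "<time> <src>:<sport> > <dst>:<dport> [<flags>]"
LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[A-Z,]+)\]$"
)


def parse_line(line):
    """Parse one summary line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = float(rec["t"])
    rec["flags"] = set(rec["flags"].split(","))
    return rec


def half_open_by_destination(lines):
    """Return {(dst, dport): n}, n being the number of client SYNs whose
    handshake was never completed by an ACK from the same client socket."""
    pending = {}  # (src, sport, dst, dport) -> time of the SYN
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["flags"] == {"SYN"}:            # handshake step 1 (client)
            pending[key] = rec["t"]
        elif "ACK" in rec["flags"] and key in pending:
            del pending[key]                   # step 3: handshake completed
    counts = defaultdict(int)
    for (_src, _sport, dst, dport) in pending:
        counts[(dst, dport)] += 1
    return dict(counts)


def syn_flood_alerts(lines, threshold=100):
    """Destinations whose half-open backlog reaches the threshold."""
    return sorted((dst, dport, n)
                  for (dst, dport), n in half_open_by_destination(lines).items()
                  if n >= threshold)


def constructed_capture():
    """One legitimate handshake to port 80, then 150 SYNs to port 22 (the lab's
    target port) that the server answers but the sender never completes."""
    lines = ["0.000 10.0.0.5:40001 > 10.0.0.11:80 [SYN]",
             "0.001 10.0.0.11:80 > 10.0.0.5:40001 [SYN,ACK]",
             "0.002 10.0.0.5:40001 > 10.0.0.11:80 [ACK]"]
    for i in range(150):  # source ports climb one by one, as in the capture
        lines.append(f"1.{i:03d} 10.0.0.13:{53620 + i} > 10.0.0.11:22 [SYN]")
        lines.append(f"1.{i:03d} 10.0.0.11:22 > 10.0.0.13:{53620 + i} [SYN,ACK]")
    return lines
```

Calling syn_flood_alerts(constructed_capture()) returns a single alert for 10.0.0.11 port 22 with 150 half-open connections, while the completed handshake to port 80 contributes nothing.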
Lab Objectives
The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.
In this lab, you will:
■ Perform denial-of-service attacks
■ Send a huge amount of SYN packets continuously
Lab Environment
To carry out the lab, you need:
■ A computer running Windows 7 as the victim machine
■ BackTrack 5 r3 running in a virtual machine as the attacker machine
Lab Duration
Time: 10 Minutes
Overview of hping3
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packet body and size, and can be used in order to transfer files encapsulated under supported protocols.
Lab Tasks
1. Launch BackTrack 5 r3 on the virtual machine.
2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Hping3.
Figure 1.1: BackTrack 5 r3 Menu
3. The hping3 utility starts in the command shell.
Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.
Figure 1.2: BackTrack 5 r3 Command Shell with hping3 (hping3 run without arguments prints its option help, including the TCP flag switches --syn, --rst, --push, --ack, --urg, --xmas and --ymas)
4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22
Figure 1.3: BackTrack 5 r3 hping3 command
5. In the previous command, 10.0.0.11 (Windows 7) is the victim's machine IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker's machine IP address.
Figure 1.4: BackTrack 5 r3 Command Shell with hping3 (the terminal shows the command hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood followed by hping3's output "HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes" and "hping in flood mode, no replies will be shown")
First, type a simple command and see the result: hping3.0.0-alpha-1> hping resolve www.google.com returns 66.102.9.104. The command should be called with a subcommand as the first argument and additional arguments according to the particular subcommand.
6. hping3 floods the victim machine by sending bulk SYN packets and overloading the victim's resources.
The hping resolve command is used to convert a hostname to an IP address.
7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.
Figure 1.5: Wireshark with SYN Packets Traffic (capture on the Windows 7 victim: 54-byte TCP frames from 10.0.0.13 to 10.0.0.11, destination port ssh (22), each marked [SYN] and "TCP Port numbers reused"; Packets: 119311)
You sent a huge number of SYN packets, which caused the victim's machine to crash.
hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care for security to test networks and hosts. A subset of the things you can do using hping3:
■ Firewall testing
■ Advanced port scanning
■ Network testing, using various protocols, TOS, fragmentation
■ Manual path MTU discovery
■ Advanced traceroute, under all the supported protocols
■ Remote OS fingerprinting
■ Remote uptime guessing
■ TCP/IP stacks auditing
Lab Analysis
Document all the results gathered during the lab.
Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed over flooding the resources in the victim machine
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB
Internet Connection Required: Yes [ ] No [x]
Platform Supported: Classroom [x] iLabs [x]
HTTP Flooding Using DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.
Lab Scenario
HTTP flooding is an attack that uses enormous numbers of useless packets to jam a web server.
In this paper, we use hidden semi-Markov models (HSMM) to describe Web-browsing patterns and detect HTTP flooding attacks. We first use a large number of legitimate request sequences to train an HSMM model and then use this legitimate model to check each incoming request sequence. Abnormal Web traffic whose likelihood falls into an unreasonable range for the legitimate model would be classified as potential attack traffic and should be controlled with special actions such as filtering or limiting the traffic. Finally we validate our approach by testing the method with real data. The result shows that our method can detect the anomalous web traffic effectively.
In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is the HTTP flood approach.
As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. For an HTTP flooding attack you should implement an advanced technique known as "tarpitting," which once established successfully sets the connection's window size to a few bytes. According to the TCP/IP protocol design, the connecting device will initially only send as much data to the target as it takes to fill the window, until the server responds. With tarpitting, there will be no response back to the packets for all unwanted HTTP requests, thereby protecting your web server.
Lab Objectives
The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.
Lab Environment
To carry out this lab, you need:
Service\DDoS Attack Tools\DoS HTTP
■ You can also download the latest version of DoSHTTP from the link http://www.socketsoft.net/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ A web browser with an Internet connection
■ Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.
Lab Tasks
1. Install and launch DoSHTTP in Windows Server 2012.
2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.
FIGURE 2.1: Windows Server 2012 Desktop view
3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.
Figure 2.2: Windows Server 2012 Start Menu Apps
4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated the trial version. Click Try to continue.
DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.
Figure 2.3: DoSHTTP main window (DoSHTTP 2.5.1 - Socketsoft.net, with the DoSHTTP Registration dialog of the unregistered version: "You have 13 days or 3 uses left on your free trial." and the Try, Close and Register buttons)
5. Enter the URL or IP address in the Target URL field.
6. Select a User Agent, the number of Sockets to send, and the type of Requests to send. Click Start.
7. In this lab, we are using the Windows 7 IP (10.0.0.7) to flood.
All Rights Reserved. Reproduction is Strictly Prohibited.