CEH Lab Manual
Denial of Service
Module 10

Module 10 - Denial of Service

Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

Lab Scenario

In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, in order to detect and neutralize attack handlers and to mitigate such attacks.

Lab Objectives

The objective of this lab is to help students learn to perform DoS attacks and to test a network for DoS flaws.

In this lab, you will:

■ Create and launch a denial-of-service attack against a victim

■ Remotely administer clients

■ Perform a DoS attack by sending a huge number of SYN packets continuously

■ Perform a DoS HTTP attack

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2008

■ Windows XP/7 running in a virtual machine

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 60 Minutes

Overview of Denial of Service

Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing its intended tasks.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. The two labs that follow are carried out against the virtual machines listed in the lab environment.

Recommended labs to assist you in denial of service:

■ SYN flooding a target host using hping3

■ HTTP flooding using DoSHTTP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab 1: SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyzer.

Lab Scenario

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against the SYN flood: instead of allocating a half-open connection entry when a SYN arrives, the server encodes the connection details in the initial sequence number of its SYN-ACK and only allocates state when a valid final ACK comes back, which eliminates the resources that unanswered SYNs would otherwise tie up on the target host.
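A small model of the countermeasure described above, added here as an example (it is not code from the CEH manual or from any operating system's TCP stack): a stateful backlog that drops legitimate SYNs once spoofed half-open entries fill it, beside a SYN-cookie server that stores nothing per SYN and still completes the legitimate handshake. The cookie follows the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash packed into the server's initial sequence number); the MSS table, the HMAC-SHA256 keyed hash, the 64-second tick, the backlog capacity and the secret are assumptions chosen for illustration.

```python
"""Added example: a stateful SYN backlog beside a SYN-cookie server.

Not code from the CEH manual or from any TCP stack. The cookie layout is the
classic one (5-bit counter | 3-bit MSS index | 24-bit keyed hash); MSS_TABLE,
the HMAC-SHA256 hash, the 64-second tick, SECRET and the backlog capacity are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # assumed: MSS values a 3-bit index can name
SECRET = b"server-secret-rotate-me"   # assumed: real stacks rotate this key


def counter(now_seconds):
    """Coarse clock for cookies: one tick per 64 seconds (assumed granularity)."""
    return now_seconds // 64


def make_syn_cookie(secret, quad, client_mss, t):
    """Initial sequence number for the SYN-ACK. Everything the server needs to
    finish the handshake later is inside the number, so nothing is stored."""
    saddr, daddr, sport, dport = quad            # 4-byte addresses, integer ports
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t & 0xFFFFFFFF)
    mac24 = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | (mss_idx << 24) | mac24


def check_syn_cookie(secret, quad, ack_num, t_now):
    """Validate the client's final ACK. Returns the MSS to use, or None when the
    cookie is forged, replayed for another 4-tuple, or older than one tick."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    age = (t_now - (cookie >> 27)) & 0x1F        # ticks since minting, modulo 32
    if age > 1:                                   # accept current and previous tick only
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = make_syn_cookie(secret, quad, MSS_TABLE[mss_idx], t_now - age)
    if not hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


class HalfOpenBacklog:
    """The stateful design the flood exploits: every SYN allocates an entry."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = {}

    def on_syn(self, quad, mss):
        if len(self.pending) >= self.capacity:
            return False                          # backlog full: this SYN is dropped
        self.pending[quad] = mss
        return True


def simulate(spoofed_syns, backlog_capacity=64):
    """Send `spoofed_syns` SYNs whose sources never answer, then one legitimate
    handshake. Returns (stateful_accepts_legit, cookie_accepts_legit)."""
    t = counter(4_000_000)                        # constructed clock value
    legit = (bytes([10, 0, 0, 10]), bytes([10, 0, 0, 11]), 57281, 80)
    backlog = HalfOpenBacklog(backlog_capacity)
    for i in range(spoofed_syns):
        spoofed = (struct.pack("!I", 0xC0A80000 + i), legit[1], 40000 + i, 80)
        backlog.on_syn(spoofed, 1460)             # entry stays until it times out
        make_syn_cookie(SECRET, spoofed, 1460, t) # cookie path: one hash, no state
    stateful_ok = backlog.on_syn(legit, 1460)
    isn = make_syn_cookie(SECRET, legit, 1460, t)
    cookie_ok = check_syn_cookie(SECRET, legit, isn + 1, t) == 1460
    return stateful_ok, cookie_ok
```

simulate(100) returns (False, True): a hundred unanswered spoofed SYNs exhaust the 64-entry backlog and the legitimate SYN is dropped, while the cookie server, which kept no state, still validates the legitimate client's final ACK. The cost of the cookie design is that the server cannot remember TCP options it did not encode (only the MSS survives here), which is why real stacks enable cookies only once the backlog is under pressure.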

Lab Objectives

The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.

In this lab, you will:

■ Perform denial-of-service attacks

■ Send a huge number of SYN packets continuously


Lab Environment

To carry out the lab, you need:

■ A computer running Windows 7 as the victim machine

■ BackTrack 5 r3 running in a virtual machine as the attacker machine

■ Wireshark, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Duration

Time: 10 Minutes

Overview of hping3

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols.

Lab Tasks

1. Launch BackTrack 5 r3 on the virtual machine.

2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> BackTrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> hping3.

Task: Flood SYN Packets

FIGURE 1.1: BackTrack 5 r3 Menu (Applications -> BackTrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> hping3)

3. The hping3 utility starts in the command shell.

Note: Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.


The terminal shows the tail of hping3's option summary:

  -S  --syn          set SYN flag
  -R  --rst          set RST flag
  -P  --push         set PUSH flag
  -A  --ack          set ACK flag
  -U  --urg          set URG flag
  -X  --xmas         set X unused flag (0x40)
  -Y  --ymas         set Y unused flag (0x80)
  --tcpexitcode      use last tcp->th_flags as exit code
  --tcp-timestamp    enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data         data size                        (default is 0)
  -E  --file         data from file
  -e  --sign         add 'signature'
  -j  --dump         dump packets in hex
  -J  --print        dump printable characters
  -B  --safe         enable 'safe' protocol
  -u  --end          tell you when --file reached EOF and prevent rewind
  -T  --traceroute   traceroute mode                  (implies --bind and --ttl 1)
  --tr-stop          Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl      Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt        Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send         Send the packet described with APD (see docs/APD.txt)

FIGURE 1.2: BackTrack 5 r3 Command Shell with hping3

4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

FIGURE 1.3: BackTrack 5 r3 hping3 command

5. In the previous command, 10.0.0.11 (Windows 7) is the victim machine's IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker machine's IP address. -S sets the SYN flag, -p 22 selects the destination port (SSH), -a sets the source address written into each packet, and --flood sends packets as fast as possible without waiting for replies. Note that -a 10.0.0.13 sets the source to the attacker's own address, so the victim's SYN-ACKs come back to the attacker, whose kernel has no socket for them and answers each with a RST, which clears the half-open entry on the victim; a real SYN flood spoofs unreachable or random sources (hping3's --rand-source) so that the half-open connections are never torn down.

  root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
  HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
  hping in flood mode, no replies will be shown

Note: First, type a simple command and see the result: at the hping3.0.0-alpha-1> prompt, hping resolve www.google.com prints 66.102.9.104.

Note: The hping3 command should be called with a subcommand as a first argument and additional arguments according to the particular subcommand.

FIGURE 1.4: BackTrack 5 r3 Command Shell with hping3

6. hping3 floods the victim machine by sending bulk SYN packets and overloading the victim's resources.

Note: The hping resolve command is used to convert a hostname to an IP address.


7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.

The Wireshark capture on the Windows 7 machine shows a continuous stream of 54-byte TCP frames from 10.0.0.13 to 10.0.0.11, each marked "[TCP Port numbers reused]" with a climbing source port (53620, 53621, 53622, ...) and destination port ssh (22), flags [SYN] only, Seq 0, Len 0; 119311 packets were captured. The detail pane and hex dump of one such frame:

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Microsof_a8:78:07 (00:15:5d:a8:78:07), Dst: Microsof_a8:78:05 (00:15:5d:a8:78:05)
Internet Protocol Version 4, Src: 10.0.0.13 (10.0.0.13), Dst: 10.0.0.11 (10.0.0.11)
Transmission Control Protocol, Src Port: 11766 (11766), Dst Port: ssh (22), Seq: 0, Len: 0

0000  00 15 5d a8 78 05 00 15 5d a8 78 07 08 00 45 00
0010  00 28 d1 3a 00 00 40 06 95 7e 0a 00 00 0d 0a 00
0020  00 0b 2d f6 00 16 3a a9 09 fc 61 62 d6 d7 50 02
0030  02 00 ee df 00 00

FIGURE 1.5: Wireshark with SYN Packets Traffic

You sent a huge number of SYN packets, which consumed the victim machine's resources; on an unprotected TCP stack this leaves the victim unable to service legitimate connections and may crash it.
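To see what the victim's capture actually contains, as an added example that is not part of the original lab, of hping3 or of Wireshark: the frame embedded below is the 54-byte frame transcribed from the hex dump in Figure 1.5 (10.0.0.13:11766 -> 10.0.0.11:22, SYN); every other frame is constructed here with the same layout. The code parses the Ethernet/IPv4/TCP headers, verifies both the IP and the TCP checksum, counts bare SYNs (SYN set, ACK clear) per source, destination and port, and reports a flow once it reaches a threshold; the threshold and the constructed frames are assumptions.

```python
"""Added example: parse the SYN-flood capture and flag the flooding flow.

Not code from the CEH manual, hping3 or Wireshark. FIGURE_1_5_FRAME is the
54-byte frame transcribed from the hex dump in Figure 1.5; every other frame is
built here by build_tcp_frame. The threshold is an assumption.
"""
import struct
from collections import Counter

ETH_LEN, IP_LEN = 14, 20
TCP_SYN, TCP_ACK = 0x02, 0x10

# Frame 1 of Figure 1.5: 10.0.0.13:11766 -> 10.0.0.11:22, SYN, 40-byte IP datagram.
FIGURE_1_5_FRAME = bytes.fromhex(
    "00155da87805 00155da87807 0800"                    # Ethernet: dst, src, IPv4
    "4500 0028 d13a 0000 4006 957e 0a00000d 0a00000b"    # IPv4: ttl 64, proto 6, 10.0.0.13 -> 10.0.0.11
    "2df6 0016 3aa909fc 6162d6d7 5002 0200 eedf 0000"    # TCP: 11766 -> 22, SYN, win 512
)


def checksum(data):
    """RFC 1071 one's-complement sum; over a header that includes its own
    checksum field the result is 0 when the checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP (TCP options are not needed for SYN counting)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip = frame[ETH_LEN:ETH_LEN + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src, dst = ip[12:16], ip[16:20]
    tcp = frame[ETH_LEN + ihl:ETH_LEN + total_len]
    sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "win": win,
        "flags": off_flags & 0x3F,                # URG ACK PSH RST SYN FIN
        "ip_csum_ok": checksum(ip) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def build_tcp_frame(src, dst, sport, dport, flags, seq=0):
    """Constructed test traffic: minimal frame with valid IP and TCP checksums."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5000 | flags, 512, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(tcp), 0xD13A, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("00155da87805 00155da87807 0800")
    return eth + ip + tcp


def detect_syn_flood(frames, threshold=100):
    """Count bare SYNs (SYN set, ACK clear) per (src, dst, dport); a flow at or
    above `threshold` is reported. Frames with bad checksums are not counted."""
    bare_syns = Counter()
    bad_checksum = 0
    for raw in frames:
        pkt = parse_frame(raw)
        if not (pkt["ip_csum_ok"] and pkt["tcp_csum_ok"]):
            bad_checksum += 1
            continue
        if pkt["flags"] & TCP_SYN and not pkt["flags"] & TCP_ACK:
            bare_syns[(pkt["src"], pkt["dst"], pkt["dport"])] += 1
    flagged = sorted(k for k, n in bare_syns.items() if n >= threshold)
    return {"bare_syns": dict(bare_syns), "flagged": flagged, "bad_checksum": bad_checksum}


def sample_capture():
    """Constructed capture: the Figure 1.5 frame plus 149 hping3-style SYNs to
    port 22 with climbing source ports (as the screenshot shows), one legitimate
    SYN from 10.0.0.10 to port 80 and the victim's SYN-ACK back."""
    frames = [FIGURE_1_5_FRAME]
    frames += [build_tcp_frame("10.0.0.13", "10.0.0.11", 53620 + i, 22, TCP_SYN, seq=i)
               for i in range(149)]
    frames.append(build_tcp_frame("10.0.0.10", "10.0.0.11", 57281, 80, TCP_SYN))
    frames.append(build_tcp_frame("10.0.0.11", "10.0.0.10", 80, 57281, TCP_SYN | TCP_ACK))
    return frames
```

Both checksums of the Figure 1.5 frame verify (0x957e for the IP header, 0xeedf for TCP over the pseudo-header), which is worth checking before trusting any field: a packet crafter that gets a checksum wrong produces frames the victim's stack silently discards, and they would inflate a naive SYN count without ever consuming a backlog entry. A SYN-ACK is excluded from the count by the ACK bit, so the victim's own replies to a spoofed flood do not trigger the detector.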

Note: hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care about security to test networks and hosts. A subset of the things you can do using hping3:

■ Firewall testing

■ Advanced port scanning

■ Network testing, using various protocols, TOS, fragmentation

■ Manual path MTU discovery

■ Advanced traceroute, under all the supported protocols

■ Remote OS fingerprinting

■ Remote uptime guessing

■ TCP/IP stacks auditing

Lab Analysis

Document all the results gathered during the lab.

Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed overflooding the resources in the victim machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: [ ] Yes [x] No

Platform Supported: [x] Classroom [x] iLabs


Lab 2: HTTP Flooding Using DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.

Lab Scenario

HTTP flooding is an attack that uses an enormous number of useless requests to jam a web server. One published detection approach uses hidden semi-Markov models (HSMM) to describe web-browsing patterns and detect HTTP flooding attacks: a large number of legitimate request sequences are first used to train an HSMM, and this legitimate model is then used to check each incoming request sequence. Abnormal web traffic whose likelihood falls into an unreasonable range for the legitimate model is classified as potential attack traffic and should be controlled with special actions such as filtering or limiting the traffic. The approach was validated by testing the method with real data, and the result showed that it can detect anomalous web traffic effectively.

In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is the HTTP flood approach.

As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. For HTTP flooding attacks you should implement an advanced technique known as "tarpitting," which, once a connection is established, sets the connection's receive window to a few bytes. According to the TCP/IP protocol design, the connecting device will initially send only as much data to the target as it takes to fill the window, and then waits until the server responds. With tarpitting, the server gives no further response to the packets of unwanted HTTP requests, so the attacking clients sit stalled with their sockets tied up while the server spends almost nothing on them, thereby protecting your web server.
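A log-based counterpart to the filtering and rate limiting discussed above, added as an example that is not from the CEH manual or from DoSHTTP: it reads web-server access-log lines in the common log format, keeps a sliding window of request timestamps per client address, and returns a verdict (allow, throttle, block) for each request; the throttle verdict is where a tarpit or rate limit would be applied. The User-Agent string is the default DoSHTTP shows in Figure 2.4; the log lines, the 50-requests-per-10-seconds limit and the client addresses are constructed assumptions.

```python
"""Added example: sliding-window HTTP flood detection over access-log lines.

Not code from the CEH manual or from DoSHTTP. The log lines are constructed in
the common log format; DOSHTTP_UA is the default User-Agent shown in Figure 2.4;
the 50-requests-per-10-seconds limit and the addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DOSHTTP_UA = "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)"  # default in Figure 2.4


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


class FloodDetector:
    """Per-client sliding window. More than `limit` requests inside `window_s`
    seconds is a flood; a request carrying a known flood-tool User-Agent is
    throttled (the tarpit/rate-limit action) even before the window fills."""

    def __init__(self, limit=50, window_s=10):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)           # client ip -> recent timestamps

    def observe(self, rec):
        q = self.hits[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > self.window_s:
            q.popleft()                          # drop requests outside the window
        if len(q) > self.limit:
            return "block"
        if rec["ua"] == DOSHTTP_UA:
            return "throttle"
        return "allow"


def analyse(lines, limit=50, window_s=10):
    """Run the detector over log lines; returns {ip: {verdict: count}}."""
    det = FloodDetector(limit, window_s)
    verdicts = defaultdict(lambda: {"allow": 0, "throttle": 0, "block": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                             # unparsable line: skip, do not crash
        verdicts[rec["ip"]][det.observe(rec)] += 1
    return dict(verdicts)


def sample_log():
    """Constructed log: 120 DoSHTTP-style requests within 6 seconds from
    10.0.0.10, and three ordinary browser requests from 10.0.0.25."""
    base = datetime(2012, 10, 21, 13, 34, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        ts = (base + timedelta(milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.10 - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "{DOSHTTP_UA}"')
    for i in range(3):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.25 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" '
                     f'"Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"')
    return lines
```

On the constructed log, analyse(sample_log()) throttles the first 50 DoSHTTP requests from 10.0.0.10 on the User-Agent signature and blocks the remaining 70 once the window is over the limit, while the three browser requests from 10.0.0.25 are allowed. The signature check is the weaker of the two tests, since DoSHTTP lets the operator choose any User-Agent; the per-client rate is what an HTTP flood cannot hide, which is why the block verdict does not depend on the string at all.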

Lab Objectives

The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.


Lab Environment

To carry out this lab, you need:

■ DoSHTTP tool, located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoSHTTP

■ You can also download the latest version of DoSHTTP from the link http://www.socketsoft.net/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as the host (attacker) machine

■ Windows 7 running on a virtual machine as the victim machine

■ A web browser with an Internet connection

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.

Lab Tasks

1. Install and launch DoSHTTP in Windows Server 2012.

2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.

Task: DoSHTTP Flooding

FIGURE 2.1: Windows Server 2012 Desktop view


3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.

FIGURE 2.2: Windows Server 2012 Start Menu Apps

4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated the trial version. Click Try to continue.

Note: DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.

The DoSHTTP 2.5.1 - Socketsoft.net registration dialog reads "Unregistered Version. You have 13 days or 3 uses left on your free trial." with Try and Close buttons, and below it "Enter your Serial Number and click the Register button." with a Serial Number field and a Register button.

FIGURE 2.3: DoSHTTP main window

5. Enter the URL or IP address in the Target URL field.

6. Select a User Agent, the number of Sockets to send, and the type of Requests to send. Click Start.

7. In this lab, we are using the Windows 7 machine's IP address (10.0.0.11 in Figure 2.4) as the flood target.

Note: DoSHTTP includes Port Designation and Reporting.


The DoSHTTP 2.5.1 - Socketsoft.net [Evaluation Mode] window shows: Target URL 10.0.0.11; User Agent Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1); Sockets 500; Requests Continuous; and the Verify URL, Start Flood and Close buttons.

FIGURE 2.4: DoSHTTP Flooding

Note: These IP addresses may differ in your lab environment.

8. Click OK in the DoSHTTP evaluation pop-up.

The DoSHTTP [Evaluation Mode] pop-up reads "Evaluation mode will only perform a maximum of 10000 requests per session." with an OK button.

Note: DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP Flood. DoSHTTP can be used simultaneously on multiple clients to emulate a Distributed Denial of Service (DDoS) attack.

FIGURE 2.5: DoSHTTP Evaluation mode pop-up

9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start a capture on its interface.

10. DoSHTTP opens asynchronous sockets and performs HTTP flooding of the target.

11. Go to the virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.

Note: DoSHTTP can help IT professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT Security and Software Development professionals.


The Wireshark packet list on the Windows 7 machine shows 66-byte TCP frames from 10.0.0.10 to 10.0.0.11 with Info "57281 > http [SYN]", interleaved with the ordinary background traffic of the lab network (ARP "who has 10.0.0.13?" and "who has 10.0.0.11?" broadcasts, NBNS name queries for WPAD<00>, LLMNR standard queries 0xfe99, and a DHCPv6 Solicit). The detail pane shows the first frame:

Frame 1: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: Dell_c3:c3:cc (d4:be:d9:c3:c3:cc), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

0000  ff ff ff ff ff ff d4 be d9 c3 c3 cc 08 06 00 01
0010  08 00 06 04 00 01 d4 be d9 c3 c3 cc 0a 00 00 0a
0020  00 00 00 00 00 00 0a 00 00 0d

FIGURE 2.6: Wireshark window

12. You see that a lot of HTTP packets are flooded to the target machine.

13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered target.

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: DoSHTTP
Information Collected/Objectives Achieved: HTTP packets observed flooding the target machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate how DoSHTTP can be used simultaneously on multiple clients to perform DDoS attacks.

Note: DoSHTTP can be used simultaneously on multiple clients to emulate a Distributed Denial of Service (DDoS) attack.


2. Determine how you can prevent DoSHTTP attacks on a network.

Internet Connection Required: [ ] Yes

Platform Supported: [x] Classroom [x] iLabs