
Cehv8 Labs - Module10: Denial of Service.


Cehv8 labs
Module10: Dos

Download here:
CCNAv5: ccna5vn.wordpress.com
CEHv8: cehv8vn.blogspot.com



  1. CEH Lab Manual: Module 10, Denial of Service
  2. Module 10: Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly that it is rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS is a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, how to detect and neutralize attack handlers, and how to mitigate such attacks.

Lab Objectives
The objective of this lab is to help students learn to perform DoS attacks and to test a network for DoS flaws. In this lab, you will:
  • Create and launch a denial-of-service attack against a victim
  • Remotely administer clients
  • Perform a DoS attack by sending a huge number of SYN packets continuously
  • Perform a DoSHTTP attack

CEH Lab Manual Page 703 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Module 10: Denial of Service

Lab Environment
To carry out this lab, you need:
  • A computer running Windows Server 2008
  • Windows XP / 7 running in a virtual machine
  • A web browser with Internet access
  • Administrative privileges to run tools
Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Duration
Time: 60 Minutes

Overview of Denial of Service
Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing its intended tasks.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Note that the attacks below may only be launched against systems you own or are explicitly authorized to test; in these labs the target is the lab's own victim machine. Recommended labs to assist you in denial of service:
  • SYN flooding a target host using hping3
  • HTTP flooding using DoSHTTP

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  4. SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyzer.

Lab Scenario
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A SYN flood works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, since simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way. Note that the spoofed source must be an address that does not answer: a live host that receives an unsolicited SYN-ACK replies with a RST, which frees the server's half-open entry.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against SYN floods: the server encodes the connection parameters in the sequence number of its SYN-ACK instead of keeping a half-open entry, which eliminates the resources allocated on the target host for unacknowledged SYNs.

Lab Objectives
The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws. In this lab, you will:
  • Perform denial-of-service attacks
  • Send a huge number of SYN packets continuously
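The SYN-cookie countermeasure recommended above, as an added worked example that is not part of the lab manual: the server's SYN-ACK sequence number is computed from the connection 4-tuple, the client's initial sequence number, a minute counter and an MSS-table index, following the layout the Linux kernel uses (counter in the top 8 bits, keyed hash plus MSS index in the low 24 bits), and the final ACK is validated by recomputing it, so a flood of unanswered SYNs allocates nothing. The keyed hash (HMAC-SHA256 truncated to 32 bits), the fixed SECRET, the validity window and the addresses 10.0.0.13 / 10.0.0.11 with port 22 are assumptions for this example; a real kernel uses its own hash and a per-boot random key.

```python
import hashlib
import hmac
import socket
import struct

# Linux-style msstab: the server's MSS is rounded down to one of these values
# so that only a small index has to travel inside the cookie.
MSS_TABLE = (536, 1300, 1440, 1460)
COOKIE_MAX_AGE = 4      # minutes a cookie stays valid (example value)
SECRET = b"constructed-secret-for-the-example"   # per-boot random key in a real kernel


def _keyed_hash(secret, saddr, daddr, sport, dport, count):
    """32-bit keyed hash of the 4-tuple plus a counter (HMAC-SHA256, truncated)."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHI", sport, dport, count))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, client_mss, minute):
    """Sequence number for the SYN-ACK.  Top 8 bits: minute counter; low 24 bits:
    keyed hash plus MSS index; client_isn is folded in so the final ACK is bound
    to the SYN that was seen.  Nothing is stored on the server."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    count = minute & 0xFF
    h1 = _keyed_hash(secret, saddr, daddr, sport, dport, 0)
    h2 = _keyed_hash(secret, saddr, daddr, sport, dport, count)
    return (h1 + client_isn + (count << 24) + ((h2 + mss_idx) & 0xFFFFFF)) & 0xFFFFFFFF


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, minute):
    """Validate the cookie echoed in the final ACK (its ack number minus one).
    Returns the MSS for the new connection, or None if the cookie is forged
    or too old.  No per-connection state is consulted."""
    h1 = _keyed_hash(secret, saddr, daddr, sport, dport, 0)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF
    count = diff >> 24
    if (minute - count) & 0xFF > COOKIE_MAX_AGE:
        return None
    h2 = _keyed_hash(secret, saddr, daddr, sport, dport, count)
    mss_idx = (diff - h2) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Server side of three handshakes using the lab's addresses (constructed)."""
    client, server = "10.0.0.13", "10.0.0.11"
    sport, dport, client_isn, minute = 40001, 22, 0x1A2B3C4D, 123

    # SYN arrives: derive the SYN-ACK sequence number and allocate nothing.
    cookie = make_cookie(SECRET, client, server, sport, dport, client_isn, 1460, minute)
    # If the SYN's source was spoofed, the SYN-ACK simply goes unanswered; no
    # half-open entry exists, so there is nothing for a flood to exhaust.

    # Genuine client: ACK carries ack = cookie + 1 one minute later.
    ack = (cookie + 1) & 0xFFFFFFFF
    legit = check_cookie(SECRET, client, server, sport, dport, client_isn,
                         (ack - 1) & 0xFFFFFFFF, minute + 1)
    # A bare ACK with a number this server never issued (top bit flipped here).
    forged = check_cookie(SECRET, client, server, sport, dport, client_isn,
                          cookie ^ 0x80000000, minute + 1)
    # The real cookie replayed after the validity window has passed.
    stale = check_cookie(SECRET, client, server, sport, dport, client_isn,
                         cookie, minute + COOKIE_MAX_AGE + 1)
    return legit, forged, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

The price of statelessness is visible in the code: only the MSS index survives the round trip, so other SYN options are lost, and the verifier's strength is limited to the 24 hash bits minus the table index, which is why SYN cookies are normally enabled only once the half-open queue overflows.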
  5. Lab Environment
To carry out the lab, you need:
  • A computer running Windows 7 as the victim machine
  • BackTrack 5 r3 running in a virtual machine as the attacker machine
  • Wireshark, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark
Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Duration
Time: 10 Minutes

Overview of hping3
hping3 is a network tool able to send custom TCP/IP packets and to display the target's replies, much as a ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated in the supported protocols. Typing hping3 with no arguments starts an interactive prompt if hping3 was compiled with Tcl scripting capabilities.

Lab Tasks
TASK 1: Flood SYN Packets
1. Launch BackTrack 5 r3 in the virtual machine.
2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine: select BackTrack Menu > BackTrack > Information Gathering > Network Analysis > Identify Live Hosts > hping3.
Figure 1.1: BackTrack 5 r3 menu
3. The hping3 utility starts in the command shell.
  6. Figure 1.2: BackTrack 5 r3 command shell with hping3
At the interactive prompt, commands are given as a subcommand followed by its arguments; for example, hping resolve converts a hostname to an IP address:
hping3.0.0-alpha-1> hping resolve www.google.com
66.10.19.104
4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.
Figure 1.3: BackTrack 5 r3 hping3 command
5. In this command, 10.0.0.11 (Windows 7) is the victim machine's IP address and 10.0.0.13 (BackTrack 5 r3) is the attacker machine's IP address. -S sets the SYN flag, -p 22 selects the destination port, -a sets the source address of the packets, and --flood sends packets as fast as possible without waiting for replies.
Note: with -a set to the attacker's own address, every SYN-ACK comes back to the attacker's kernel, which answers it with a RST and so releases the victim's half-open entry. To keep the victim's connection queue full, spoof a source that does not answer (an unused address on the subnet, or hping3's --rand-source), and be aware that a router or hypervisor doing source-address filtering may drop spoofed packets before they reach the victim.
6. hping3 floods the victim machine by sending bulk SYN packets, overloading the victim's resources.
Figure 1.4: BackTrack 5 r3 command shell with hping3 running

  7. hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care for security to test networks and hosts. A subset of the things you can do using hping3:
  • Firewall testing
  • Advanced port scanning
  • Network testing, using various protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stack auditing
7. Go to the victim machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.
Figure 1.5: Wireshark with SYN packet traffic (capture on the Windows 7 machine; 119,311 packets captured)
8. You sent a huge number of SYN packets, which the manual reports as crashing the victim machine. The result you should expect on most stacks is less dramatic but still a denial of service: the half-open connection table for the flooded port fills, and new connections from legitimate clients stall or are refused until the SYNs stop or SYN cookies take over.

Lab Analysis
Document all the results gathered during the lab.
Tool/Utility: hping3. Information Collected/Objectives Achieved: SYN packets observed flooding the resources of the victim machine.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required: ☐ Yes ☐ No. Platform Supported: ☑ Classroom ☑ iLabs
  8. Module 10: Denial of Service
DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.

Lab Scenario
HTTP flooding is an attack that uses enormous numbers of useless requests to jam a web server. One published detection approach uses hidden semi-Markov models (HSMM) to describe web-browsing patterns and detect HTTP flooding attacks: a large number of legitimate request sequences is first used to train an HSMM, and the resulting model of legitimate behaviour is then used to score each incoming request sequence. Abnormal web traffic whose likelihood under the legitimate model falls outside a reasonable range is classified as potential attack traffic and is controlled with special actions such as filtering or limiting the traffic. Tested on real data, the method detected anomalous web traffic effectively.

In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method attackers can use against a server is the HTTP flood. As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. Against HTTP flooding you can implement an advanced technique known as "tarpitting", which, once a connection is established, sets the connection's TCP window size to a few bytes. By TCP/IP protocol design, the connecting device initially sends only as much data as fits in the window and then waits for the server to respond; with tarpitting there is no response to the packets of unwanted HTTP requests, so each attacking connection is held open sending almost nothing and your web server's request handlers are protected. Tarpitting ties up the attacker's sockets rather than reducing the number of incoming connections, so in practice it is combined with per-source rate limiting or filtering in front of the server.

Lab Objectives
The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.
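A concrete detection for the HTTP flood described above, as an added example that is not part of the lab manual or of DoSHTTP: instead of the HSMM model, a sliding-window request-rate check per source IP over web server access-log lines, with the repetition of a single request line as a second signal, since a DoSHTTP-style flooder replays one request with one User-Agent. The combined log format, the window and threshold values, the sample log (one browsing client from 10.0.0.5 and a 300-request burst from 10.0.0.7 against 10.0.0.11) and the IE-style User-Agent string are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: the fields a flood detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def detect_http_flood(lines, window=timedelta(seconds=10), threshold=100):
    """Flag every source IP that issues `threshold` or more requests inside any
    interval of length `window`.  For each flagged IP report the peak in-window
    count, when the threshold was first crossed, the most repeated request line
    and how dominant it is (a ratio near 1.0 means one request replayed)."""
    recent = defaultdict(deque)                          # ip -> timestamps in window
    per_request = defaultdict(lambda: defaultdict(int))  # ip -> request line -> count
    total = defaultdict(int)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                     # skip unparsable lines
        ip, now = rec["ip"], rec["time"]
        q = recent[ip]
        q.append(now)
        while now - q[0] > window:                       # expire old timestamps
            q.popleft()
        per_request[ip][rec["request"]] += 1
        total[ip] += 1
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"peak": 0, "first_seen": now})
            entry["peak"] = max(entry["peak"], len(q))
    for ip, entry in flagged.items():
        request, count = max(per_request[ip].items(), key=lambda kv: kv[1])
        entry["top_request"] = request
        entry["repeat_ratio"] = count / total[ip]
    return flagged


def sample_log():
    """Constructed access log: one person browsing from 10.0.0.5 and a
    DoSHTTP-style flood of 300 identical requests in six seconds from 10.0.0.7."""
    t0 = datetime(2013, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime(TS_FORMAT)

    browser_ua = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    flood_ua = "Mozilla/4.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)"
    lines = []
    for i, path in enumerate(["/", "/style.css", "/logo.png", "/about.html"]):
        t = t0 + timedelta(seconds=3 * i)
        lines.append(f'10.0.0.5 - - [{stamp(t)}] "GET {path} HTTP/1.1" 200 1024 '
                     f'"http://10.0.0.11/" "{browser_ua}"')
    for i in range(300):
        t = t0 + timedelta(milliseconds=20 * i)
        lines.append(f'10.0.0.7 - - [{stamp(t)}] "GET / HTTP/1.1" 200 512 "-" "{flood_ua}"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_http_flood(sample_log()).items():
        print(ip, info)
```

The output of this check feeds the "special actions" the scenario mentions: the flagged IP can be handed to a firewall or tarpit rule, and the repeat ratio separates a replaying tool from a busy proxy whose users request many different pages. Against a distributed flood from many sources the per-IP threshold must be lowered or replaced by per-URL rates, which is what the multi-client DDoS mode of DoSHTTP is meant to exercise.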
  9. TASK 1: DoSHTTP Flooding

Lab Environment
To carry out this lab, you need:
  • The DoSHTTP tool, located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoSHTTP
  • You can also download the latest version of DoSHTTP from http://www.socketsoft.net/
  • If you decide to download the latest version, the screenshots shown in the lab might differ
  • A computer running Windows Server 2012 as the host machine, on which DoSHTTP runs
  • Windows 7 running in a virtual machine as the target machine, on which Wireshark observes the flood
  • A web browser with an Internet connection
  • Administrative privileges to run tools
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Duration
Time: 10 Minutes

Overview of DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.

Lab Tasks
1. Install and launch DoSHTTP in Windows Server 2012.
2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.
Figure 2.1: Windows Server 2012 desktop view
  10. 3. Click the DoSHttp 2.5 app in the Start menu apps to launch the program.
DoSHTTP is an easy to use and powerful HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes URL verification, HTTP redirection, port designation, performance monitoring and enhanced reporting.
Figure 2.2: Windows Server 2012 Start menu apps
4. The DoSHTTP main screen appears as shown in the following figure; this lab demonstrates the trial version. Click Try to continue.
Figure 2.3: DoSHTTP main window (DoSHTTP 2.5.1 - Socketsoft.net, unregistered version: "You have 13 days or 3 uses left on your free trial"; to register, enter your serial number and click Register; http://www.socketsoft.net/)
5. Enter the URL or IP address in the Target URL field.
6. Select a User Agent, the number of Sockets to send, and the type of Requests to send.
7. Click Start. In this lab, we flood the Windows 7 machine's IP address (10.0.0.7).
  11. Figure 2.4: DoSHTTP flooding (DoSHTTP 2.5.1 - Socketsoft.net, evaluation mode; Target URL 10.0.0.11; User Agent "Mozilla/4.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)")
Note: These IP addresses may differ in your lab environment.
8. Click OK in the DoSHTTP evaluation pop-up. Evaluation mode performs a maximum of 10000 requests per session.
Figure 2.5: DoSHTTP evaluation mode pop-up
9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start a capture on its interface.
10. DoSHTTP opens asynchronous sockets and performs HTTP flooding of the target.
11. Go to the virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.
DoSHTTP helps IT professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT security and software development professionals.
  12. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack.
Figure 2.6: Wireshark window (capture on the Windows 7 machine showing a stream of TCP SYN segments to port http, interleaved with background ARP, NBNS and LLMNR traffic)
12. You see a lot of HTTP packets flooded to the target machine.
13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered target.

Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: DoSHTTP. Information Collected/Objectives Achieved: HTTP packets observed flooding the target machine.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate how DoSHTTP can be used simultaneously on multiple clients to perform DDoS attacks.
  13. 2. Determine how you can prevent DoSHTTP attacks on a network.
Internet Connection Required: ☐ Yes. Platform Supported: ☑ Classroom
