CEH Lab Manual

Denial of Service
Module 10

Module 10 - Denial of Service

Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

Lab Scenario
In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.
As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, to detect and neutralize attack handlers, and to mitigate such attacks.

Lab Objectives
The objective of this lab is to help students learn to perform DoS attacks and to test network for DoS flaws.
In this lab, you will:

- Create and launch a denial-of-service attack to a victim
- Remotely administer clients
- Perform a DoS attack by sending a huge amount of SYN packets continuously
- Perform a DoS HTTP attack

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Environment
To carry out this, you need:

- A computer running Windows Server 2008
- Windows XP/7 running in virtual machine
- A web browser with Internet access
- Administrative privileges to run tools

Lab Duration
Time: 60 Minutes

Overview of Denial of Service
Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing intended tasks.

Lab Tasks
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in denial of service:

- SYN flooding a target host using hping3
- HTTP flooding using DoSHTTP

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyser.

Lab Scenario
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against the SYN flood which eliminates the resources allocated on the target host.
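
How the SYN-cookie countermeasure named above avoids per-SYN state, as an added Python sketch that is not part of the lab manual and not any operating system's implementation. It follows the classic cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the secret, MSS table, listener classes and the 10.0.0.20 client are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # assumption: a real host uses a random secret
MSS_TABLE = [216, 536, 1024, 1220, 1360, 1440, 1452, 1460]  # constructed 3-bit table
SLOT_SECONDS = 64  # how often the time counter advances


def _mac24(conn, t):
    """24-bit keyed hash over (src, sport, dst, dport) and the time counter t."""
    src, sport, dst, dport = conn
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHI", sport, dport, t)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(conn, client_mss, now):
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    t = int(now) // SLOT_SECONDS
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t % 32) << 27) | (idx << 24) | int.from_bytes(_mac24(conn, t), "big")


def check_cookie(conn, ack_num, now):
    """Validate the client's final ACK; return the MSS, or None if forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    t_now = int(now) // SLOT_SECONDS
    for t in (t_now, t_now - 1):  # only the current and previous slot are accepted
        if t >= 0 and t % 32 == cookie >> 27 and hmac.compare_digest(
            _mac24(conn, t), (cookie & 0xFFFFFF).to_bytes(3, "big")
        ):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


class BacklogListener:
    """Conventional listener: every SYN holds a backlog slot until the ACK arrives."""
    def __init__(self, backlog):
        self.backlog, self.half_open, self.established = backlog, {}, {}

    def on_syn(self, conn, mss, now):
        if len(self.half_open) >= self.backlog:
            return None  # backlog full: the SYN is dropped
        self.half_open[conn] = (0x1000, mss)  # fixed ISN is enough for this model
        return 0x1000

    def on_ack(self, conn, ack_num, now):
        isn, mss = self.half_open.get(conn, (None, None))
        if isn is None or ack_num != isn + 1:
            return False
        del self.half_open[conn]
        self.established[conn] = mss
        return True


class CookieListener:
    """SYN-cookie listener: nothing is stored until a valid ACK comes back."""
    def __init__(self):
        self.half_open, self.established = {}, {}  # half_open stays empty by design

    def on_syn(self, conn, mss, now):
        return make_cookie(conn, mss, now)

    def on_ack(self, conn, ack_num, now):
        mss = check_cookie(conn, ack_num, now)
        if mss is not None:
            self.established[conn] = mss
        return mss is not None


def legit_client_connects(listener, unanswered_syns, now=1_700_000_000):
    """Send SYNs that are never acknowledged, then one full handshake from a real client."""
    for i in range(unanswered_syns):
        listener.on_syn(("10.0.0.13", 1024 + i, "10.0.0.11", 22), 1460, now)
    client = ("10.0.0.20", 40000, "10.0.0.11", 22)  # constructed legitimate client
    isn = listener.on_syn(client, 1460, now)
    return isn is not None and listener.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    print("backlog listener serves client:", legit_client_connects(BacklogListener(128), 500))
    print("cookie listener serves client: ", legit_client_connects(CookieListener(), 500))
```

The trade-off is that options from the SYN other than the coarse MSS index are lost, because nothing about the SYN is remembered.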

Lab Objectives
The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.
In this lab, you will:

- Perform denial-of-service attacks
- Send huge amount of SYN packets continuously

Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Environment
To carry out the lab, you need:

- A computer running Windows 7 as victim machine
- BackTrack 5 r3 running in virtual machine as attacker machine
- Wireshark is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Lab Duration
Time: 10 Minutes

Overview of hping3
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packets body, and size and can be used in order to transfer files encapsulated under supported protocols.

Lab Tasks
Flood SYN Packet

1. Launch BackTrack 5 r3 on the virtual machine.
2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Hping3.

Note: Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.

Figure 1.1: BackTrack 5 r3 Menu

3. The hping3 utility starts in the command shell.

Figure 1.2: BackTrack 5 r3 Command Shell with hping3

4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

Note: First, type a simple command and see the result: #hping3.0.0-alpha1> hping resolve www.google.com 66.102.9.104.


Note: The hping3 command should be called with a subcommand as a first argument and additional arguments according to the particular subcommand.

Figure 1.3: BackTrack 5 r3 hping3 command

5. In the previous command, 10.0.0.11 (Windows 7) is the victim's machine IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker's machine IP address.

root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data
hping in flood mode, no replies will be shown

Note: The hping resolve command is used to convert a hostname to an IP address.

Figure 1.4: BackTrack4 Command Shell with hping3

6. hping3 floods the victim machine by sending bulk SYN packets and overloading victim resources.

7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.


Note: hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care for security to test networks and hosts. A subset of the things you can do using hping3:

- Firewall testing
- Advanced port scanning
- Network testing, using various protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute, under all the supported protocols
- Remote OS fingerprinting
- Remote uptime guessing
- TCP/IP stacks auditing

[Wireshark capture on the victim machine: 54-byte TCP packets to 10.0.0.11, Info "[TCP Port numbers reused] ... > ssh [SYN]"; Packets: 119311, Displayed: 119311]

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Microsof_a8:78:07 (00:15:5d:a8:78:07), Dst: Microsof_a8:78:05 (00:15:5d:a…
Internet Protocol Version 4, Src: 10.0.0.13 (10.0.0.13), Dst: 10.0.0.11 (10.0.0.11)
Transmission Control Protocol, Src Port: 11766 (11766), Dst Port: ssh (22), Seq: 0, Len: 0

Figure 1.5: Wireshark with SYN Packets Traffic

You sent huge number of SYN packets, which caused the victim's machine to crash.
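
A defender-side reading of the capture in Figure 1.5, as an added example that is not part of the lab manual: it counts SYNs per destination service and checks how many were ever completed by a client ACK. The record format, thresholds and sample traffic are constructed; the flood rows reuse the lab addresses 10.0.0.13 and 10.0.0.11.

```python
from collections import defaultdict

WINDOW = 1.0          # seconds per bucket (assumed tuning value)
MIN_SYNS = 100        # SYNs per bucket before a service is considered (assumed)
MAX_COMPLETION = 0.1  # alert when at most 10% of those SYNs ever complete (assumed)


def parse_line(line):
    """Constructed record format: '<ts> <src> <sport> <dst> <dport> <flags>'."""
    ts, src, sport, dst, dport, flags = line.split()
    return float(ts), src, int(sport), dst, int(dport), flags


def detect_syn_flood(lines):
    """Return [(dst, dport, bucket_start, syns, completed)] for flood-like buckets."""
    pending = {}                         # client 4-tuple -> bucket key of its SYN
    stats = defaultdict(lambda: [0, 0])  # (dst, dport, bucket) -> [syns, completed]
    for line in lines:
        ts, src, sport, dst, dport, flags = parse_line(line)
        if flags == "S":    # client SYN opens a half-open connection on the server
            key = (dst, dport, int(ts // WINDOW))
            stats[key][0] += 1
            pending[(src, sport, dst, dport)] = key
        elif flags == "A":  # bare ACK from the same client endpoint finishes the handshake
            key = pending.pop((src, sport, dst, dport), None)
            if key is not None:
                stats[key][1] += 1
    alerts = []
    for (dst, dport, bucket), (syns, done) in sorted(stats.items()):
        if syns >= MIN_SYNS and done / syns <= MAX_COMPLETION:
            alerts.append((dst, dport, bucket * WINDOW, syns, done))
    return alerts


def constructed_capture():
    """Constructed sample: SYN-only burst to port 22 plus five normal handshakes to port 80."""
    lines = []
    for i in range(300):  # one claimed source, sequential ports, never an ACK
        lines.append(f"{i * 0.001:.6f} 10.0.0.13 {53620 + i} 10.0.0.11 22 S")
    for i in range(5):    # ordinary clients that complete the three-way handshake
        t = 0.05 * i
        c = f"10.0.0.{30 + i} {41000 + i}"
        lines += [f"{t:.6f} {c} 10.0.0.11 80 S",
                  f"{t + 0.001:.6f} 10.0.0.11 80 {c} SA",
                  f"{t + 0.002:.6f} {c} 10.0.0.11 80 A"]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_capture()):
        print("possible SYN flood:", alert)
```

In a long-running monitor, expire `pending` entries after the handshake timeout so the detector's own table cannot be exhausted by the traffic it is watching.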

Lab Analysis
Document all the results gathered during the lab.

Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed over flooding the resources in victim machine

Internet Connection Required: Yes / No
Platform Supported: Classroom, iLabs

HTTP Flooding Using DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.

Lab Scenario
HTTP flooding is an attack that uses enormous useless packets to jam a web server. In this paper, we use hidden semi-Markov models (HSMM) to describe Web browsing patterns and detect HTTP flooding attacks. We first use a large number of legitimate request sequences to train an HSMM model and then use this legitimate model to check each incoming request sequence. Abnormal Web traffic whose likelihood falls into unreasonable range for the legitimate model would be classified as potential attack traffic and should be controlled with special actions such as filtering or limiting the traffic. Finally we validate our approach by testing the method with real data. The result shows that our method can detect the anomaly web traffic effectively.

In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is by using the HTTP flood approach.

As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. For HTTP flooding attack you should implement an advanced technique known as tarpitting, which once established successfully will set connections window size to few bytes. According to TCP/IP protocol design, the connecting device will initially only send as much data to target as it takes to fill the window until the server responds. With tarpitting, there will be no response back to the packets for all unwanted HTTP requests, thereby protecting your web server.

Lab Objectives
The objective of this lab is to help students learn HTTP flooding denial-of-service (DoS) attack.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Environment
To carry out this lab, you need:

- DoSHTTP tool located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoS HTTP
- You can also download the latest version of DoSHTTP from the link http://www.socketsoft.net/
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A computer running Windows Server 2012 as host machine
- Windows 7 running on virtual machine as attacker machine
- A web browser with an Internet connection
- Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.

Lab Tasks
DoSHTTP Flooding

1. Install and launch DoSHTTP in Windows Server 2012.
2. To launch DoSHTTP, move your mouse cursor to lower left corner of the desktop and click Start.

Figure 2.1: Windows Server 2012 Desktop view

3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.

Note: DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.

Figure 2.2: Windows Server 2012 Start Menu Apps

4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated trial version. Click Try to continue.

[DoSHTTP 2.5.1 registration dialog, Unregistered Version: "You have 13 days or 3 uses left on your free trial. Enter your Serial Number and click the Register button." Buttons: Try, Close, Register]

Figure 2.3: DoSHTTP main window

5. Enter the URL or IP address in the Target URL field.
6. Select a User Agent, number of Sockets to send, and the type of Requests to send. Click Start.
7. In this lab, we are using Windows 7 IP (10.0.0.7) to flood.

[DoSHTTP 2.5.1 window (Evaluation Mode): Target URL 10.0.0.11; User Agent Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1); Sockets 500; Requests Continuous; buttons Verify URL, Start Flood, Close]

Figure 2.4: DoSHTTP Flooding

Note: These IP addresses may differ in your lab environment.

8. Click OK in the DoSHTTP evaluation pop-up.

[DoSHTTP 2.5.1 (Evaluation Mode) pop-up: "Evaluation mode will only perform a maximum of 10000 requests per session." Button: OK]

Figure 2.5: DoSHTTP Evaluation mode pop-up

9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start its interface.
10. DoSHTTP sends asynchronous sockets and performs HTTP flooding of the target network.
11. Go to Virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.

Note: DoSHTTP can help IT Professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT Security and Software Development professionals.

[Wireshark capture: packet 81, Source 10.0.0.10, Destination 10.0.0.11, TCP, Length 66, Info "57281 > http [SYN]"; the remaining listed rows are ARP, NBNS, LLMNR and DHCPv6 traffic]

Figure 2.6: Wireshark window

12. You see a lot of HTTP packets are flooded to the host machine.
13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered network.

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: DoSHTTP
Information Collected/Objectives Achieved: HTTP packets observed flooding the host machine

Questions
1. Evaluate how DoSHTTP can be used simultaneously on multiple clients and perform DDoS attacks.

2. Determine how you can prevent DoSHTTP attacks on a network.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
