CEH Lab Manual
Denial of Service
Module 10
Module 10 - Denial of Service
Denial of Service
Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.
Lab Scenario
In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.
As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, so that you can detect and neutralize attack handlers and mitigate such attacks.
Lab Objectives
The objective of this lab is to help students learn to perform DoS attacks and to test a network for DoS flaws.
In this lab, you will:
■ Create and launch a denial-of-service attack against a victim
■ Remotely administer clients
■ Perform a DoS attack by sending a huge amount of SYN packets continuously
■ Perform a DoS HTTP attack
CEH Lab Manual Page 703
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 10 Denial-of-Service
Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2008
■ Windows XP / 7 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration
Time: 60 Minutes
Overview of Denial of Service
Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing its intended tasks.
Lab Tasks
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in denial of service:
■ SYN flooding a target host using hping3
■ HTTP flooding using DoSHTTP
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
SYN Flooding a Target Host Using hping3
hping3 is a command-line oriented TCP/IP packet assembler/analyzer.
Lab Scenario
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.
As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against SYN floods: the server encodes the connection state in the sequence number of its SYN-ACK instead of allocating an entry in its backlog, so half-open connections consume no resources on the target host.
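To make the mechanism concrete, here is an added example (not code from the CEH manual, from BackTrack or from hping3) that models a listener's SYN backlog under the kind of never-acknowledged SYN stream that the hping3 -S --flood command used later in this lab produces, first as a classic stateful listener and then with SYN cookies. The backlog size of 128, the 64-second cookie window, the HMAC key and all addresses are assumptions chosen for illustration; real stacks (Linux net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_syncookies) use their own values and cookie layout.

```python
import hashlib
import hmac
import secrets

# Added example, not part of the CEH lab manual or of hping3: a toy model of a
# TCP listener under a SYN flood, with and without SYN cookies. Backlog size,
# key, addresses and packet counts are all assumed values for illustration.

BACKLOG = 128  # assumed SYN backlog; Linux exposes this as net.ipv4.tcp_max_syn_backlog
COOKIE_WINDOW_S = 64  # assumed validity window of a cookie, in seconds


class StatefulListener:
    """Classic listener: each SYN allocates a half-open entry until its ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> server ISN sent in the SYN-ACK
        self.established = 0
        self.dropped = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # backlog full: the SYN is silently discarded
            return None
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is not None and ack == (isn + 1) & 0xFFFFFFFF:
            self.established += 1
            return True
        return False


class SynCookieListener:
    """SYN cookies: the ISN is a MAC over the peer address and a time counter,
    so the server keeps no state for half-open connections at all."""

    def __init__(self, key):
        self.key = key
        self.established = 0
        self.dropped = 0

    def _cookie(self, src_ip, src_port, counter):
        msg = f"{src_ip}:{src_port}:{counter}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        # 5 bits of time counter at the top of the ISN, 27 bits of truncated MAC below
        return ((counter & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port, now):
        # Nothing is stored; the cookie goes out as the SYN-ACK sequence number.
        return self._cookie(src_ip, src_port, int(now) // COOKIE_WINDOW_S)

    def on_ack(self, src_ip, src_port, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        counter = int(now) // COOKIE_WINDOW_S
        for c in (counter, counter - 1):  # accept the current and the previous window
            expected = self._cookie(src_ip, src_port, c).to_bytes(4, "big")
            if hmac.compare_digest(expected, isn.to_bytes(4, "big")):
                self.established += 1
                return True
        self.dropped += 1
        return False


def simulate(attack_syns, legit_clients, now=1_700_000_000):
    """Flood both listeners with SYNs that are never acknowledged (what
    hping3 -S --flood produces when the source address cannot answer), then let
    legitimate clients complete the handshake. Returns the number of established
    connections as (stateful listener, SYN-cookie listener)."""
    stateful = StatefulListener()
    cookies = SynCookieListener(key=b"constructed-demo-key")
    for i in range(attack_syns):
        src = (f"10.0.{(i >> 8) & 0xFF}.{i & 0xFF}", 40000 + i)  # constructed spoofed sources
        stateful.on_syn(*src)
        cookies.on_syn(*src, now)
    for i in range(legit_clients):
        src = ("10.0.0.7", 50000 + i)  # constructed legitimate client
        isn = stateful.on_syn(*src)
        if isn is not None:
            stateful.on_ack(*src, (isn + 1) & 0xFFFFFFFF)
        isn = cookies.on_syn(*src, now)
        cookies.on_ack(*src, (isn + 1) & 0xFFFFFFFF, now + 1)
    return stateful.established, cookies.established


if __name__ == "__main__":
    print("no flood :", simulate(0, 10))
    print("1000 SYNs:", simulate(1000, 10))
```

Running the block prints (10, 10) without a flood and (0, 10) with 1000 unanswered SYNs: the stateful listener's backlog fills with the attacker's half-open entries and every legitimate SYN is dropped, while the cookie listener, which stores nothing per SYN, still completes all ten handshakes. On a Linux victim the equivalent setting is sysctl -w net.ipv4.tcp_syncookies=1; with that value the kernel switches to cookies once the SYN backlog overflows.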
Lab Objectives
The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.
In this lab, you will:
■ Perform denial-of-service attacks
■ Send a huge amount of SYN packets continuously
Lab Environment
To carry out the lab, you need:
■ A computer running Windows 7 as the victim machine
■ BackTrack 5 r3 running in a virtual machine as the attacker machine
■ Wireshark, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark
Lab Duration
Time: 10 Minutes
Overview of hping3
hping3 is a network tool able to send custom TCP/IP packets and to display target replies the way a ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated under the supported protocols.
Lab Tasks
Flood SYN Packets
1. Launch BackTrack 5 r3 on the virtual machine.
2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Hping3.
Figure 1.1: BackTrack 5 r3 Menu
Note: Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.
3. The hping3 utility starts in the command shell.
[Figure 1.2 shows the hping3 built-in help in the BackTrack terminal: the TCP flag options (--syn, --rst, --push, --ack, --urg, --xmas, --ymas, --tcpexitcode, --tcp-timestamp), the data options (data size, data from file, signature) and the traceroute-mode options (--traceroute, --tr-stop, --tr-keep-ttl, --tr-no-rtt), plus the experimental ARS packet description option (--apd-send).]
FIGURE 1.2: BackTrack 5 r3 Command Shell with hping3
4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter. Here -S sets the SYN flag, -a sets the source address written into the packets, -p 22 is the destination port, and --flood sends packets as fast as possible without waiting for replies.
Note: First, type a simple command and see the result: hping3.0.0-alpha1> hping resolve www.google.com returns 66.102.9.104. The hping3 command should be called with a subcommand as the first argument and additional arguments according to the particular subcommand.
FIGURE 1.3: BackTrack 5 r3 hping3 command
5. In the previous command, 10.0.0.11 (Windows 7) is the victim machine's IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker machine's IP address. Because -a is given the attacker's own address, the victim's SYN-ACKs return to BackTrack, whose TCP stack has no socket for them and answers each with a RST, so the half-open connections on the victim are torn down quickly and the pressure comes from the packet rate alone; to keep the victim's backlog occupied, an attacker would instead spoof a source address that will not respond.
    root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
    HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
    hping in flood mode, no replies will be shown
Note: The hping resolve command is used to convert a hostname to an IP address.
FIGURE 1.4: BackTrack 5 r3 Command Shell with hping3
6. hping3 floods the victim machine by sending bulk SYN packets and overloading the victim's resources.
7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.
Note: hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care about security to test networks and hosts. A subset of the things you can do using hping3:
■ Firewall testing
■ Advanced port scanning
■ Network testing, using various protocols, TOS, fragmentation
■ Manual path MTU discovery
■ Advanced traceroute, under all the supported protocols
■ Remote OS fingerprinting
■ Remote uptime guessing
■ TCP/IP stacks auditing
[Figure 1.5 shows the Wireshark capture on the victim: a continuous stream of 54-byte TCP frames from 10.0.0.13 to 10.0.0.11, each a [SYN] to port ssh (22) from a fresh source port (53620, 53621, 53622, ...), annotated by Wireshark as [TCP Port numbers reused]; over 119,000 packets were captured.]
FIGURE 1.5: Wireshark with SYN Packets Traffic
You sent a huge number of SYN packets, which overloaded the victim machine's resources.
Lab Analysis
Document all the results gathered during the lab.
Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed flooding the resources of the victim machine
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab
HTTP Flooding Using DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.
Lab Scenario
HTTP flooding is an attack that uses enormous numbers of useless requests to jam a web server. One published approach to detecting it uses hidden semi-Markov models (HSMM) to describe web browsing patterns: a large number of legitimate request sequences is first used to train an HSMM, and the resulting model is then used to check each incoming request sequence. Abnormal web traffic whose likelihood falls into an unreasonable range for the legitimate model is classified as potential attack traffic and is controlled with special actions such as filtering or limiting the traffic. The approach was validated by testing the method with real data, and the result shows that the method can detect anomalous web traffic effectively.
In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is the HTTP flood approach.
As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. Against HTTP flooding you can implement an advanced technique known as "tarpitting", which, once a connection is established, sets the connection's TCP window size to a few bytes. According to the TCP/IP protocol design, the connecting device will initially send only as much data to the target as it takes to fill the window, and then wait for the server to respond. With tarpitting, there is no response to the packets of unwanted HTTP requests, so each attacking connection stays stuck holding a tiny window and sends almost nothing further, thereby protecting your web server.
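As an added example (not code from the CEH manual or from DoSHTTP), the following sliding-window detector shows the simpler rate-based signal a practitioner checks before reaching for models such as the HSMM described above: it parses access-log lines in Common Log Format with referer and user-agent fields, counts each source's requests within a 10-second window, and flags a source the first time it exceeds 50, recording how many distinct paths it requested and which User-Agent it sent. The log lines, the 10.0.0.21 browser and the 10.0.0.7 flooder are constructed, the thresholds are assumptions, and the flooder's User-Agent is the string shown in the DoSHTTP window in this lab.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not part of the CEH lab manual or of DoSHTTP: a sliding-window
# HTTP flood detector run over constructed access-log lines in Common Log Format
# with referer and user-agent fields. Thresholds and addresses are assumptions.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent shown in the DoSHTTP window of this lab, and a constructed browser UA
FLOOD_UA = "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"


def parse_line(line):
    """Return the fields a detector needs, or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "ua": m["ua"]}


def detect_http_flood(lines, window_s=10, max_requests=50):
    """Flag a source the first time it exceeds max_requests within any
    window_s-second window. Lines are processed per source, so only each
    source's own lines need to be in time order. Returns {ip: details}."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    paths = defaultdict(set)     # ip -> distinct paths requested so far
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()  # drop timestamps that fell out of the window
        paths[ip].add(rec["path"])
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = {"requests_in_window": len(q),
                           "distinct_paths": len(paths[ip]),
                           "user_agent": rec["ua"]}
    return flagged


def build_sample_log():
    """Constructed log: one browsing session plus one DoSHTTP-style flood."""
    base = datetime(2012, 10, 21, 13, 34, 0, tzinfo=timezone.utc)

    def entry(ip, t, path, ua):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
                f'200 512 "-" "{ua}"')

    lines = []
    # Legitimate browser: a handful of distinct pages, one every 12 seconds
    for i, path in enumerate(["/", "/login", "/static/app.js", "/account", "/logout"]):
        lines.append(entry("10.0.0.21", base + timedelta(seconds=12 * i), path, BROWSER_UA))
    # Flooder: 300 identical requests in under five seconds, the shape of a
    # continuous flood from many sockets against a single Target URL
    for i in range(300):
        lines.append(entry("10.0.0.7", base + timedelta(milliseconds=16 * i), "/", FLOOD_UA))
    return lines


if __name__ == "__main__":
    for ip, info in detect_http_flood(build_sample_log()).items():
        print(ip, info)
```

The constructed flood hits one path from one User-Agent at a fixed interval, which is the shape DoSHTTP's Continuous mode with 1500 sockets produces, and the browser session never comes close to the threshold. A real deployment would feed the flagged addresses to a firewall or rate limiter; a distributed flood spreads the same volume over many sources, so a per-source threshold alone will miss it and the per-path or per-User-Agent aggregates become the better signal.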
Lab Objectives
The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.
Lab Environment
To carry out this lab, you need:
■ The DoSHTTP tool, located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoS HTTP
■ You can also download the latest version of DoSHTTP from the link http://www.socketsoft.net/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host machine
■ Windows 7 running on a virtual machine as the attacker machine
■ A web browser with an Internet connection
■ Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.
Lab Tasks
DoSHTTP Flooding
1. Install and launch DoSHTTP in Windows Server 2012.
2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.
FIGURE 2.1: Windows Server 2012 Desktop view
3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.
Note: DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.
FIGURE 2.2: Windows Server 2012 Start Menu Apps
4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated the trial version. Click Try to continue.
[Figure 2.3 shows the DoSHTTP 2.5.1 main window with the DoSHTTP Registration dialog in front: "Unregistered Version. You have 13 days or 3 uses left on your free trial. Enter your Serial Number and click the Register button.", with Register, Try and Close buttons.]
FIGURE 2.3: DoSHTTP main window
5. Enter the URL or IP address in the Target URL field.
6. Select a User Agent, the number of Sockets to send, and the type of Requests to send. Click Start.
7. In this lab, we are using the Windows 7 machine's IP address (10.0.0.7) as the target to flood.
[Figure 2.4 shows the DoSHTTP 2.5.1 window in Evaluation Mode: Target URL 10.0.0.11, User Agent "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)", Sockets 1500, Requests Continuous, with Start Flood, Verify URL and Close buttons.]
FIGURE 2.4: DoSHTTP Flooding
Note: These IP addresses may differ in your lab environment.
8. Click OK in the DoSHTTP evaluation pop-up.
[Figure 2.5 shows the pop-up: "Evaluation mode will only perform a maximum of 10000 requests per session."]
FIGURE 2.5: DoSHTTP Evaluation mode pop-up
Note: DoSHTTP can help IT professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT security and software development professionals.
9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start capturing on its interface.
10. DoSHTTP opens asynchronous sockets and performs HTTP flooding of the target.
11. Go to the virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.
[Figure 2.6 shows the Wireshark capture: TCP [SYN] segments from 10.0.0.10 to 10.0.0.11 on port http, interleaved with background ARP requests (who has 10.0.0.13?), NBNS name queries for WPAD, LLMNR standard queries and a DHCPv6 Solicit.]
FIGURE 2.6: Wireshark window
12. You see a lot of HTTP packets flooded to the host machine.
13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered target.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: DoSHTTP
Information Collected/Objectives Achieved: HTTP packets observed flooding the host machine
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate how DoSHTTP can be used simultaneously on multiple clients to perform DDoS attacks.
2. Determine how you can prevent DoSHTTP attacks on a network.
Internet Connection Required: □ Yes
Platform Supported: ☑ Classroom ☑ iLabs