
CEH Lab Manual

Denial of Service
Module 10


Module 10 - Denial of Service

Denial of Service
Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

Lab Scenario
In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, to detect and neutralize attack handlers, and to mitigate such attacks.

Lab Objectives
The objective of this lab is to help students learn to perform DoS attacks and to test the network for DoS flaws.
In this lab, you will:
■ Create and launch a denial-of-service attack against a victim
■ Remotely administer clients
■ Perform a DoS attack by sending a huge amount of SYN packets continuously
■ Perform a DoS HTTP attack

CEH Lab Manual Page 703

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2008
■ Windows XP / 7 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 60 Minutes

Overview of Denial of Service
Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing intended tasks.

Lab Tasks
Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in denial of service:
■ SYN flooding a target host using hping3
■ HTTP flooding using DoSHTTP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


SYN Flooding a Target Host Using hping3
hping3 is a command-line oriented TCP/IP packet assembler/analyser.


Lab Scenario
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.



A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers.

You should use SYN cookies as a countermeasure against the SYN flood; they eliminate the per-connection resources that the target host would otherwise allocate for each half-open connection.
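The SYN cookie countermeasure named above, worked through as an added example (it is not part of the lab manual and not hping3 or EC-Council code): the listener answers every SYN with a sequence number that encodes the connection 4-tuple, a coarse timestamp and the client's MSS under a keyed hash, stores nothing, and creates state only when a final ACK carries a cookie it could have issued. The secret key, the 5/24/3-bit cookie layout and the MSS table are simplified assumptions for the demonstration; the addresses are the lab's 10.0.0.11 (victim) and 10.0.0.13 (attacker), plus a constructed genuine client 10.0.0.20.

```python
import hashlib
import hmac

# Constructed values for the demonstration; a real stack keeps the key in the
# kernel and rotates it. The cookie layout (5-bit time counter, 24-bit MAC,
# 3-bit MSS index) is a simplification of what Linux and the BSDs use.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = [536, 1220, 1460]             # MSS values the 3-bit index can encode
COUNTER_PERIOD = 64                       # seconds per tick of the time counter
SERVER_IP, SERVER_PORT = "10.0.0.11", 22  # the lab's victim host and SSH port


def _tick(now):
    return (int(now) // COUNTER_PERIOD) & 0x1F


def _mac24(src, sport, dst, dport, tick):
    msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")          # 24 bits


def make_cookie(src, sport, dst, dport, client_mss, now):
    """Server side: the SYN-ACK sequence number for an incoming SYN. Nothing is
    stored; tuple, time and MSS are all recoverable from the number itself."""
    tick = _tick(now)
    mss_idx = 0
    for i, v in enumerate(MSS_TABLE):            # largest table entry <= client MSS
        if v <= client_mss:
            mss_idx = i
    return (tick << 27) | (_mac24(src, sport, dst, dport, tick) << 3) | mss_idx


def check_cookie(src, sport, dst, dport, ack_number, now):
    """Server side: accept the final ACK only if ack-1 is a cookie this host
    could have issued for this 4-tuple within the last two ticks.
    Returns the negotiated MSS, or None for a stale or forged cookie."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    if (_tick(now) - tick) % 32 > 1:
        return None                                   # too old: counter moved on
    expected = _mac24(src, sport, dst, dport, tick).to_bytes(3, "big")
    got = ((cookie >> 3) & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):
        return None                                   # wrong tuple or wrong key
    return MSS_TABLE[cookie & 0x7]


class StatelessListener:
    """A listening socket with no half-open (SYN_RECV) queue at all."""

    def __init__(self):
        self.established = []

    def on_syn(self, src, sport, client_mss, now):
        # Reply with a SYN-ACK whose ISN is the cookie; allocate nothing.
        return make_cookie(src, sport, SERVER_IP, SERVER_PORT, client_mss, now)

    def on_ack(self, src, sport, ack_number, now):
        mss = check_cookie(src, sport, SERVER_IP, SERVER_PORT, ack_number, now)
        if mss is None:
            return False
        self.established.append((src, sport, mss))    # state exists only from here
        return True


def demo(now=1_700_000_000):
    """10,000 SYNs from the flooding address leave no state behind, a genuine
    client still completes its handshake, and a replayed ACK three ticks later
    is refused. Returns (state after flood, genuine ok, replay ok, final state)."""
    srv = StatelessListener()
    for i in range(10_000):
        srv.on_syn("10.0.0.13", 1024 + i, 1460, now)   # never ACKed, as with --flood
    after_flood = len(srv.established)
    isn = srv.on_syn("10.0.0.20", 40000, 1460, now)
    genuine = srv.on_ack("10.0.0.20", 40000, isn + 1, now + 1)
    replay = srv.on_ack("10.0.0.20", 40000, isn + 1, now + 3 * COUNTER_PERIOD)
    return after_flood, genuine, replay, len(srv.established)


if __name__ == "__main__":
    print(demo())   # (0, True, False, 1)
```

The point to notice is what the flood loop does not do: no dictionary grows during the 10,000 spoofed SYNs, so the backlog that a classic listener exhausts never exists. The cost is that TCP options not encoded in the cookie are lost, which is why real stacks enable cookies only once the backlog is under pressure.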

Lab Objectives
The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.
In this lab, you will:
■ Perform denial-of-service attacks
■ Send a huge amount of SYN packets continuously


Lab Environment
To carry out the lab, you need:
■ A computer running Windows 7 as victim machine
■ BackTrack 5 r3 running in a virtual machine as attacker machine
■ Wireshark is located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Lab Duration
Time: 10 Minutes

Overview of hping3
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols.

Lab Tasks

Flood SYN Packet

1. Launch BackTrack 5 r3 on the virtual machine.

2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> BackTrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Hping3.
FIGURE 1.1: BackTrack 5 r3 Menu (BackTrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> hping3)

Note: hping3 is a command-line oriented TCP/IP packet assembler/analyzer. Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.


3. The hping3 utility starts in the command shell.


FIGURE 1.2: BackTrack 5 r3 Command Shell with hping3 (the hping3 help text, listing the TCP flag options --syn, --rst, --push, --ack, --urg, --xmas, --ymas, --tcpexitcode and --tcp-timestamp, the --data, --file and --sign payload options, and the --traceroute, --tr-stop, --tr-keep-ttl, --tr-no-rtt and --apd-send options)

4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

Note: First, type a simple command and see the result: hping3.0.0-alpha-1> hping resolve www.google.com returns 66.102.9.104. The hping3 command should be called with a subcommand as a first argument and additional arguments according to the particular subcommand.

FIGURE 1.3: BackTrack 5 r3 hping3 command


5. In the previous command, 10.0.0.11 (Windows 7) is the victim's machine IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker's machine IP address.
root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown

Note: The hping resolve command is used to convert a hostname to an IP address.

FIGURE 1.4: BackTrack Command Shell with hping3

6. hping3 floods the victim machine by sending bulk SYN packets and overloading victim resources.


7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.

Note: hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care for security to test networks and hosts. A subset of the things you can do using hping3:
■ Firewall testing
■ Advanced port scanning
■ Network testing, using various protocols, TOS, fragmentation
■ Manual path MTU discovery
■ Advanced traceroute, under all the supported protocols
■ Remote OS fingerprinting
■ Remote uptime guessing
■ TCP/IP stacks auditing

FIGURE 1.5: Wireshark with SYN Packets Traffic (the packet list shows a stream of 54-byte TCP segments from 10.0.0.13 to 10.0.0.11, each marked [TCP Port numbers reused] and labelled 53620 > ssh [SYN], 53621 > ssh [SYN], 53622 > ssh [SYN], ...; the frame detail reads Ethernet II Src: 00:15:5d:a8:78:07, Dst: 00:15:5d:a8:78:05; Internet Protocol Version 4 Src: 10.0.0.13, Dst: 10.0.0.11; Transmission Control Protocol Src Port: 11766, Dst Port: ssh (22), Seq: 0, Len: 0; status bar: Packets: 119311 Displayed: 119311)

You sent a huge number of SYN packets, which caused the victim's machine to crash.
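To turn the observation in Figure 1.5 into a detection, here is an added example (constructed for this edit, not from the lab manual or from hping3 or Wireshark) that replays Wireshark-style packet summary lines, tracks each flow's handshake state, and flags a source whose half-open connections or SYN rate exceed a limit. The packet lines are constructed to mirror the figure (one normal SSH handshake from 10.0.0.20, then SYN-only segments from 10.0.0.13 with an incrementing source port); the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Matches the Wireshark packet-list columns seen in the lab's Figure 1.5:
# No.  Time  Source  Destination  Protocol  Length  Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+TCP\s+\d+\s+(?P<sport>\w+)\s+>\s+(?P<dport>\w+)\s+\[(?P<flags>[A-Z, ]+)\]"
)


def parse(line):
    """One packet summary line -> dict, or None for non-TCP / unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["time"] = float(pkt["time"])
    pkt["flags"] = {f.strip() for f in pkt["flags"].split(",")}
    return pkt


def analyze(lines, half_open_limit=20, syn_rate_limit=100.0):
    """Replay packet summaries and track the three-way handshake per flow.
    A flow is half-open from the client's SYN until the client's ACK or a RST.
    Returns half-open count and SYN rate per source, plus the sources that
    exceed either limit (the limits are assumptions; tune them per network)."""
    state = {}                      # (client, cport, server, sport) -> handshake state
    syn_times = defaultdict(list)   # client -> times of its SYNs
    for pkt in filter(None, map(parse, lines)):
        flags = pkt["flags"]
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if flags == {"SYN"}:
            state[fwd] = "SYN_RECV"
            syn_times[pkt["src"]].append(pkt["time"])
        elif "RST" in flags:                         # either side tore it down
            state.pop(fwd, None)
            state.pop(rev, None)
        elif flags == {"ACK"} and state.get(fwd) == "SYN_RECV":
            state[fwd] = "ESTABLISHED"               # client's third packet
        # A SYN,ACK from the server changes nothing: the flow is still half-open.
    half_open = defaultdict(int)
    for (client, _, _, _), s in state.items():
        if s == "SYN_RECV":
            half_open[client] += 1
    syn_rate = {}
    for src, ts in syn_times.items():
        span = max(ts) - min(ts)
        syn_rate[src] = len(ts) / span if span > 0 else float(len(ts))
    alerts = sorted(src for src in syn_times
                    if half_open.get(src, 0) > half_open_limit
                    or syn_rate[src] > syn_rate_limit)
    return {"half_open": dict(half_open), "syn_rate": syn_rate, "alerts": alerts}


def constructed_capture():
    """Constructed packet summaries (not the lab's real capture): one ordinary
    SSH handshake from 10.0.0.20, then a burst of SYN-only segments from
    10.0.0.13 with an incrementing source port, as in the lab's flood."""
    lines = [
        "1 0.000000 10.0.0.20 10.0.0.11 TCP 66 40000 > ssh [SYN] Seq=0",
        "2 0.000210 10.0.0.11 10.0.0.20 TCP 66 ssh > 40000 [SYN, ACK] Seq=0 Ack=1",
        "3 0.000400 10.0.0.20 10.0.0.11 TCP 54 40000 > ssh [ACK] Seq=1 Ack=1",
    ]
    for i in range(200):
        lines.append(f"{4 + i} {0.05 + i * 0.0005:.6f} 10.0.0.13 10.0.0.11 "
                     f"TCP 54 {53620 + i} > ssh [SYN] Seq=0")
    return lines


if __name__ == "__main__":
    report = analyze(constructed_capture())
    print("half-open per source:", report["half_open"])
    print("SYN/s per source:", {k: round(v) for k, v in report["syn_rate"].items()})
    print("alerts:", report["alerts"])
```

The same state machine is what a firewall's connection tracker keeps; the two numbers it yields are the ones worth alerting on, because a legitimate client leaves at most one half-open flow per connection attempt and a flood leaves hundreds with no matching ACK. Note that with -a (a spoofed source, as in the lab command) the alert names the spoofed address, not the real sender, so the count is evidence of a flood rather than attribution.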

Lab Analysis

Document all the results gathered during the lab.

Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed overflooding the resources in the victim machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
□ Yes
☑ No

Platform Supported
☑ Classroom
☑ iLabs



HTTP Flooding Using DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.

Lab Scenario
HTTP flooding is an attack that uses enormous numbers of useless packets to jam a web server. In this paper, we use hidden semi-Markov models (HSMM) to describe Web browsing patterns and detect HTTP flooding attacks. We first use a large number of legitimate request sequences to train an HSMM model and then use this legitimate model to check each incoming request sequence. Abnormal Web traffic whose likelihood falls into an unreasonable range for the legitimate model would be classified as potential attack traffic and should be controlled with special actions such as filtering or limiting the traffic. Finally we validate our approach by testing the method with real data. The result shows that our method can detect the anomalous web traffic effectively.

In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is the HTTP flood approach.

As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. For HTTP flooding attacks you should implement an advanced technique known as "tarpitting," which once established successfully will set the connection's window size to a few bytes. According to TCP/IP protocol design, the connecting device will initially only send as much data to the target as it takes to fill the window until the server responds. With tarpitting, there will be no response back to the packets for all unwanted HTTP requests, thereby protecting your web server.
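The HSMM detector described above needs a trained model of normal browsing; as an added example (not the manual's and not the HSMM method), the following rate-and-variety check over web server access-log lines catches the simpler signature of a tool flood: many requests per client in a short window, one path, one User-Agent. The log lines are constructed; the flooding address 10.0.0.7 and the User-Agent string come from this lab, the second client, the window and the thresholds are assumptions, and the "tarpit" verdict is only a label for the tarpitting mitigation the scenario recommends, which is enforced in the TCP stack or firewall rather than in this script.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log layout; the constructed lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(line):
    """One combined-format line -> dict with a POSIX timestamp, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def classify_clients(lines, window_s=10.0, max_requests=50, min_distinct_paths=3):
    """Sliding-window request rate per client IP. A client that exceeds
    max_requests within window_s seconds is flagged; when all of its requests
    hit fewer than min_distinct_paths URLs with a single User-Agent (what a
    flooding tool produces and a browser loading a page does not), the verdict
    is 'tarpit', otherwise 'rate-limit'. Thresholds are assumptions to tune."""
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    peak = defaultdict(int)          # ip -> most requests seen in any one window
    paths = defaultdict(set)
    agents = defaultdict(set)
    for rec in filter(None, map(parse_log, lines)):
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip].add(rec["path"])
        agents[ip].add(rec["ua"])
    verdict = {}
    for ip, n in peak.items():
        if n <= max_requests:
            verdict[ip] = "allow"
        elif len(paths[ip]) < min_distinct_paths and len(agents[ip]) == 1:
            verdict[ip] = "tarpit"        # hand to the TCP tarpit / firewall rule
        else:
            verdict[ip] = "rate-limit"    # heavy but browser-like: throttle, don't drop
    return verdict


def constructed_log():
    """Constructed lines, not a real server log: 10.0.0.7 (the lab's flooding
    address) hitting / 100 times a second with the User-Agent shown in the
    DoSHTTP window, while 10.0.0.20 loads one page normally."""
    tool_ua = "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)"
    real_ua = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
    lines = []
    for i in range(300):
        sec = i // 100                                     # three seconds of flood
        lines.append(f'10.0.0.7 - - [21/Oct/2012:13:34:{sec:02d} +0000] '
                     f'"GET / HTTP/1.1" 200 512 "-" "{tool_ua}"')
    for i, path in enumerate(["/", "/style.css", "/logo.png", "/about.html"]):
        lines.append(f'10.0.0.20 - - [21/Oct/2012:13:34:{i:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 1024 "-" "{real_ua}"')
    return lines


if __name__ == "__main__":
    print(classify_clients(constructed_log()))   # {'10.0.0.7': 'tarpit', '10.0.0.20': 'allow'}
```

The variety test matters as much as the rate: a busy proxy or NAT gateway can also exceed the request threshold, but it fetches many paths with many User-Agents and should be throttled rather than tarpitted, which is why the two verdicts are kept apart.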

Lab Objectives
The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.


Lab Environment
To carry out this lab, you need:
■ DoSHTTP tool located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoS HTTP
■ You can also download the latest version of DoSHTTP from the link http://www.socketsoft.net/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 7 running on a virtual machine as attacker machine
■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes


Overview of DoSHTTP
DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.

Lab Tasks

DoSHTTP Flooding

1. Install and launch DoSHTTP in Windows Server 2012.

2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.

FIGURE 2.1: Windows Server 2012 Desktop view


3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.

Note: DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.

FIGURE 2.2: Windows Server 2012 Start Menu Apps (Start screen tiles, including the DoSHTTP app)

4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated the trial version. Click Try to continue.
FIGURE 2.3: DoSHTTP main window (DoSHTTP 2.5.1 - Socketsoft.net; the DoSHTTP Registration dialog reads "Unregistered Version. You have 13 days or 3 uses left on your free trial. Enter your Serial Number and click the Register button." with Register, Try and Close buttons)


Note: DoSHTTP includes Port Designation and Reporting.

5. Enter the URL or IP address in the Target URL field.

6. Select a User Agent, the number of Sockets to send, and the type of Requests to send. Click Start.

7. In this lab, we are using the Windows 7 IP (10.0.0.7) to flood.


FIGURE 2.4: DoSHTTP Flooding (DoSHTTP 2.5.1 - Socketsoft.net [Evaluation Mode]; Target URL: 10.0.0.11; User Agent: Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1); Sockets: 1500; Requests: Continuous; buttons Start Flood, Verify URL, Close)

Note: These IP addresses may differ in your lab environment.

8. Click OK in the DoSHTTP evaluation pop-up.
Note: DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP Flood. DoSHTTP can be used simultaneously on multiple clients to emulate a Distributed Denial of Service (DDoS) attack.

FIGURE 2.5: DoSHTTP Evaluation mode pop-up ("Evaluation mode will only perform a maximum of 10000 requests per session.")

9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start capturing on its interface.

Note: DoSHTTP can help IT Professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT Security and Software Development professionals.

10. DoSHTTP opens multiple asynchronous sockets and performs HTTP flooding of the target network.

11. Go to the virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.


FIGURE 2.6: Wireshark window (the packet list shows 10.0.0.10 -> 10.0.0.11 TCP 66 57281 > http [SYN] among ARP "Who has 10.0.0.13?", NBNS "Name query NB WPAD<00>", LLMNR "Standard query 0xfe99" and DHCPv6 Solicit background traffic; the frame detail reads Frame 1: 42 bytes on wire (336 bits), Ethernet II Src: Dell_c3:c3:cc (d4:be:d9:c3:c3:cc), Dst: Broadcast (ff:ff:ff:ff:ff:ff), Address Resolution Protocol (request))

12. You see a lot of HTTP packets being flooded to the host machine.

13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered network.

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: DoSHTTP
Information Collected/Objectives Achieved: HTTP packets observed flooding the host machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate how DoSHTTP can be used simultaneously on multiple clients and perform DDoS attacks.


2. Determine how you can prevent DoSHTTP attacks on a network.

Internet Connection Required
□ Yes

Platform Supported
☑ Classroom
☑ iLabs
