Denial of Service

Apply Your Knowledge

As an ethical hacker, you will need knowledge of sniffing attacks, how session hijacking works, and how to find and detect DDoS tools.

Exercises

7.1. Scanning for DDoS Programs

In this exercise, you will scan for DDoS tools.

Estimated Time: 15 minutes.

  1. Download the DDoS detection tool DDoSPing. It is available from www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ddosping.htm.
  2. Unzip the program into its default directory.
  3. Use Windows Explorer to go to the DDOSPing folder and launch the executable.
  4. Next, set the transmission speed to MAX by moving the slider bar all the way to the right.
  5. Under the target range, enter your local subnet.
  6. Click Start.
  7. Examine the result to verify that no infected hosts were found.

7.2. Using SMAC to Spoof Your MAC Address

In this exercise, you will use SMAC to learn how to spoof a MAC address.

Estimated Time: 15 minutes.

  1. Download the SMAC tool from www.klcconsulting.net/smac/.
  2. Unzip the program into its default directory.
  3. Start the program from the Windows Start, Programs menu.
  4. Open a DOS prompt and type ipconfig /all. Record your MAC address here: ___________
  5. Now use the SMAC program to change your MAC address. If you would like to change your MAC to a specific value, you could sniff one from the network, or you could use the table at http://standards.ieee.org/regauth/oui/index.shtml to research specific Organizationally Unique Identifiers (OUIs) at the IEEE website.
  6. Once you have determined what to use for a new MAC address, enter it into the SMAC program; then save the value and exit.
  7. Finally, reboot the system and run the ipconfig /all command from the DOS prompt. Record the MAC address here and compare it to the result from step 4. _________

    You should see that the two MAC addresses are different. This demonstrates how trivial MAC spoofing is and how it can be used to bypass controls that restrict network access to systems with an approved MAC address.

Exam Questions

1.

How many steps are in the ARP process?

A. 1

B. 2

C. 3

D. 4

2.

One of the members of your Red Team would like to run dsniff on a span of the network that is composed of hubs. Which of the following types best describes this attack?

A. Active sniffing

B. ARP poisoning

C. MAC flooding

D. Passive sniffing

3.

You have been able to intercept many packets with Ethereal that are addressed to the broadcast address on your network and are shown to be from the web server. The web server is not sending this traffic, so it is being spoofed. What type of attack is the network experiencing?

A. SYN

B. Land

C. Smurf

D. Chargen

4.

What does the following command in ettercap do?

ettercap -T -q -F cd.ef -M ARP /192.168.13.100  

A. This command tells ettercap to do a text mode man-in-the-middle attack.

B. This command will detach ettercap from the console and log all sniffed passwords.

C. This command will check to see if someone else is performing ARP poisoning.

D. This command scans for NICs in promiscuous mode.

5.

This form of active sniffing is characterized by a large number of packets with bogus MAC addresses.

A. Active sniffing

B. ARP poisoning

C. MAC flooding

D. Passive sniffing

6.

Which DDoS tool uses TCP port 6667?

A. Trinity

B. Trinoo

C. Shaft

D. DDOSPing

7.

Which of the following is a tool used to find DDoS programs?

A. MStream

B. Trinoo

C. Shaft

D. DDOSPing

8.

Which of the following is not a DoS program?

A. Smurf

B. Stacheldraht

C. Land

D. Fraggle

9.

Why is a SYN flood attack detectable?

A. A large number of SYN packets will appear on the network without the corresponding reply.

B. The source and destination port of all the packets will be the same.

C. A large number of SYN ACK packets will appear on the network without the corresponding reply.

D. A large number of ACK packets will appear on the network without the corresponding reply.

10.

When would an attacker want to perform a session hijack?

A. At the point that the three-step handshake completes

B. Before authentication

C. After authentication

D. Right before the four-step shutdown

11.

You have just captured some TCP traffic. In the TCP session, you will notice that the SYN flag is set and that the sequence number is 0BAA5001. The next packet has the SYN ACK flag set. What should the acknowledgement value be?

A. 0BAA5000

B. 0BAA5001

C. 0BAA5002

D. 0BAA5004

12.

You are attempting to DoS a target by sending fragments that, when reassembled, total more than 65,536 bytes. From the information given, what kind of DoS attack is this?

A. Smurf

B. SYN flood

C. Land

D. Ping of Death

13.

Denial of service attacks target which of the following?

A. Authentication

B. Integrity

C. Availability

D. Confidentiality

14.

J.N. has just launched a session hijack against his target. He has managed to find an active session and has predicted sequence numbers. What is next?

A. Start MAC flooding

B. Begin ARP poisoning

C. Take the victim offline

D. Take control of the session

15.

Which of the following is a valid defense against DNS poisoning?

A. Disable zone transfers

B. Block TCP 53

C. DNSSEC

D. Disable DNS timeouts

Answers to Exam Questions

A1:

1. B. The ARP process is a two-step process that consists of an ARP request and an ARP reply. Answers A, C, and D are incorrect because the ARP process is not one, three, or four steps.

A2:

2. D. Passive sniffing is all that is required to listen to traffic on a hub. Answer A is incorrect, as active sniffing is performed on switches. Answers B and C are incorrect, as ARP poisoning and MAC flooding are both forms of active sniffing, and neither is required on a network built from hubs.

A3:

3. C. A Smurf attack sends ICMP traffic to the broadcast address with the source address spoofed to that of the system under attack, so every host's reply is directed at the victim. Answer A is incorrect because a SYN attack would not be indicated by traffic to a broadcast address. Answer B is incorrect, as a Land attack is to and from the same address. Answer D is incorrect because a Chargen attack loops between the Chargen and Echo services.

A4:

4. A. Here is what the command-line option flags do: -T tells ettercap to use the text interface; -q tells ettercap to be quieter; -F tells ettercap to use a filter, in this case cd.ef; -M tells ettercap to perform a MITM (man-in-the-middle) attack, here by ARP poisoning against the listed target. Therefore, answers B, C, and D are incorrect because this command does not log sniffed passwords, does not check whether someone else is performing ARP poisoning, and does not scan for NICs in promiscuous mode.

A5:

5. C. MAC flooding is an attempt to overload the switch's content addressable memory (CAM) table. By sending a large stream of frames with random source addresses, the CAM table eventually fills up and the switch can hold no more entries; some switches then fall back to a "fail open" state, in which every frame is flooded out all ports of the switch. Answer A is incorrect because active sniffing is not the specific type requested in the question. Answer B is incorrect because ARP poisoning is characterized by spoofing the address in the ARP request or response. Answer D is incorrect, as passive sniffing is usually performed only on hubs.

A6:

6. A. Trinity uses TCP port 6667. Trinoo and Shaft do not use port 6667, and DDoSPing is a scanning tool; therefore, answers B, C, and D are incorrect.

A7:

7. D. DDoSPing is a Windows GUI scanner for the DDoS agents Wintrinoo, Trinoo, Stacheldraht and TFN. Answers A, B, and C are incorrect because MStream, Trinoo, and Shaft are all DDoS programs.

A8:

8. B. Stacheldraht is a DDoS program. All other answers are incorrect because Smurf, Land, and Fraggle are DoS programs.

A9:

9. A. A SYN flood disrupts Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set. The resulting large number of half-open TCP connections fills the connection buffer on the victim's system and prevents it from accepting legitimate connections. Answer B is incorrect, as this describes a Land attack. Answer C is incorrect, as a large number of SYN ACK packets would not be present. Answer D is incorrect because ACK packets would not be the signature of this attack.

A10:

10. C. The optimum time to perform a session hijack is after authentication. Answers A, B, and D are incorrect: if performed at the point the three-step handshake completes, the attacker would not have an authenticated session, and any time before authentication would not do the hacker much good. If performed right before shutdown, any misstep would mean that the user logs out and the attacker might have missed the chance to steal the user's credentials.

A11:

11. C. The first packet is the first step of the three-step handshake. In the second step, with the SYN and ACK flags set, the acknowledgement value is set to 0BAA5002. Answers A, B, and D are incorrect because the second step always acknowledges with a value of the initial sequence number (ISN) + 1.
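As an added example that is not part of the book, the following Python parses raw TCP headers to check the ISN + 1 rule from question 11 (including the 32-bit wraparound case the question does not show) and counts half-open connections the way a SYN-flood detector for question 9 would; all packets are constructed in-line, not captured traffic.

```python
import struct

SYN, ACK = 0x02, 0x10          # TCP flag bits (low 9 bits of the offset/flags word)

def tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header; used here only to construct sample input."""
    offset_flags = (5 << 12) | flags        # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)

def parse_tcp(raw):
    """Return (sport, dport, seq, ack, flags) from the first 14 bytes of a TCP header."""
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, seq, ack, offset_flags & 0x1FF

def expected_ack(isn):
    """Acknowledgement number the SYN/ACK must carry: ISN + 1, modulo 2^32."""
    return (isn + 1) & 0xFFFFFFFF

def is_valid_synack(syn_raw, synack_raw):
    """True if synack_raw correctly answers syn_raw (ports swapped, ack == ISN + 1)."""
    s_sport, s_dport, s_seq, _, s_flags = parse_tcp(syn_raw)
    a_sport, a_dport, _, a_ack, a_flags = parse_tcp(synack_raw)
    return (s_flags == SYN and a_flags == (SYN | ACK)
            and (a_sport, a_dport) == (s_dport, s_sport)
            and a_ack == expected_ack(s_seq))

def half_open_count(packets):
    """Count handshakes that saw a SYN but never the client's final ACK.
    packets: iterable of (src_ip, dst_ip, raw_tcp); a connection is keyed by
    (client_ip, server_ip, client_port). A high count is the SYN-flood signature."""
    pending = set()
    for src, dst, raw in packets:
        sport, _, _, _, flags = parse_tcp(raw)
        if flags == SYN:                           # new half-open connection
            pending.add((src, dst, sport))
        elif flags & ACK and not flags & SYN:      # third step of the handshake
            pending.discard((src, dst, sport))
    return len(pending)

# Constructed sample: one legitimate handshake (ISN from question 11) plus two
# SYNs toward the same server that are never completed.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.80", tcp_header(40000, 80, 0x0BAA5001, 0, SYN)),
    ("10.0.0.80", "10.0.0.5", tcp_header(80, 40000, 0x11223344, 0x0BAA5002, SYN | ACK)),
    ("10.0.0.5", "10.0.0.80", tcp_header(40000, 80, 0x0BAA5002, 0x11223345, ACK)),
    ("198.51.100.7", "10.0.0.80", tcp_header(1025, 80, 1, 0, SYN)),
    ("198.51.100.9", "10.0.0.80", tcp_header(1026, 80, 1, 0, SYN)),
]
```

Running `half_open_count(SAMPLE_PACKETS)` over the sample yields 2, the two SYNs that never received their final ACK.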

A12:

12. D. A ping of death can occur on some older systems when data is broken into fragments that, once reassembled, add up to more than the allowed 65,536 bytes. Answers A, B, and C are incorrect because a Smurf attack uses ICMP, SYN attacks target TCP, and Land is characterized by identical source and target ports.

A13:

13. C. A DoS attack targets availability. Answers A, B, and D are incorrect because DoS attacks do not target authentication, integrity, or confidentiality.

A14:

14. C. For a hijack to be successful, several things must be accomplished: 1.) Identify and find an active session; 2.) Predict the sequence number; 3.) Take one of the parties offline; and 4.) Take control of the session. Answers A and B are incorrect, as MAC flooding or ARP poisoning would already have been started before the attack if the attacker were on a switched network. Answer D is incorrect because session control is the final step according to EC-Council documentation.

A15:

15. C. DNS spoofing can be thwarted by using DNS Security Extensions (DNSSEC). DNSSEC acts as an anti-spoofing measure because it digitally signs all DNS replies so that their validity can be verified. Answers A, B, and D are incorrect because disabling zone transfers or blocking TCP 53, the port and protocol used for zone transfers, cannot stop spoofing. Disabling DNS timeouts would not help either, as it would only cause the spoofed records to persist.

Suggested Reading and Resources

DDoS information: www.infosyssec.com/infosyssec/secdos1./htm

Identifying a DDoS and buffer overflow attack: www.honeynet.org/papers/forensics/index.html

Switches vulnerable to ARP poisoning: www.bitland.net/taranis/index.php

Man-in-the-middle attacks: www.watchguard.com/infocenter/editorial/135324.asp

ARP poisoning: www.samspublishing.com/articles/article.asp?p=29750&seqNum=3&rl=1

DDoS attacks: http://staff.washington.edu/dittrich/misc/ddos

Defeating DDoS attacks: www.sans.org/dosstep/roadmap.php

DDoS trends: www.cert.org/archive/pdf/DoS_trends.pdf

Ethereal home page: www.ethereal.com

Port of Dsniff: http://www.datanerds.net/~mike/dsniff.html

DNS poisoning: http://ketil.froyn.name/poison.html

DNSSEC information: www.dnssec.net
