Denial of Service
Apply Your Knowledge
As an ethical hacker, you will need knowledge of sniffing attacks, how session hijacking works, and how to find and detect DDoS tools.
Exercises
7.1. Scanning for DDoS Programs
In this exercise, you will scan for DDoS tools.
Estimated Time: 15 minutes.
- Download the DDoS detection tool DDoSPing. It is available from www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ddosping.htm.
- Unzip the program into its default directory.
- Use Windows Explorer to go to the DDOSPing folder and launch the executable.
- Next, set the transmission speed to MAX by moving the slider bar all the way to the right.
- Under the target range, enter your local subnet.
- Click Start.
- Examine the result to verify that no infected hosts were found.
7.2. Using SMAC to Spoof Your MAC Address
In this exercise, you will use SMAC to learn how to spoof a MAC address.
Estimated Time: 15 minutes.
- Download the SMAC tool from www.klcconsulting.net/smac/.
- Unzip the program into its default directory.
- Start the program from the Windows Start, Programs menu.
- Open a DOS prompt and type ipconfig /all. Record your MAC address here: ___________
- Now use the SMAC program to change your MAC address. If you would like to change your MAC to a specific value, you could sniff it from the network or you could the table at http://standards.ieee.org/regauth/oui/index.shtml to research specific Organizational Unique Identifiers (OUIs) at the IEEE website.
- Once you have determined what to use for a new MAC address, enter it into the SMAC program; then save the value and exit.
- Finally reboot the system and perform the ipconfog /all command from the DOS prompt. Record the MAC address here and compare to the results in step 4. _________
You should see that the two MAC addresses are different. This is a value that can be used to demonstrate the trivial process of MAC spoofing and can be used to bypass controls that lock down networks to systems that have an approved MAC address.
Exam Questions
| 1. |
How many steps are in the ARP process? |
| 2. |
One of the members of your Red Team would like to run dsniff on a span of the network that is composed of hubs. Which of the following types best describes this attack? |
| 3. |
You have been able to intercept many packets with Ethereal that are addressed to the broadcast address on your network and are shown to be from the web server. The web server is not sending this traffic, so it is being spoofed. What type of attack is the network experiencing? |
| 4. |
What does the following command in ettercap do? ettercap -T -q -F cd.ef -M ARP /192.168.13.100 |
| 5. |
This form of active sniffing is characterized by a large number of packets with bogus MAC addresses. |
| 6. |
Which DDoS tool uses TCP port 6667? |
| 7. |
Which of the following is a tool used to find DDoS programs? |
| 8. |
Which of the following is not a DoS program? |
| 9. |
Why is a SYN flood attack detectable? |
| 10. |
When would an attacker want to perform a session hijack? |
| 11. |
You have just captured some TCP traffic. In the TCP session, you will notice that the SYN flag is set and that the sequence number is 0BAA5001. The next packet has the SYN ACK flag set. What should the acknowledgement value be? |
| 12. |
You are attempting to DoS a target by sending fragments that when reconstructed are over 65,536. From the information given, what kind of DoS attack is this? |
| 13. |
Denial of service attacks target which of the following? |
| 14. |
J.N. has just launched a session hijack against his target. He has managed to find an active session and has predicted sequence numbers. What is next? |
| 15. |
Which of the following is a valid defense against DNS poisoning? |
Answers to Exam Questions
| A1: |
1. B. The ARP process is a two step process that consists of an ARP request and an ARP reply. Answers A, C, and D are incorrect because the ARP process is not one, three, or four steps |
| A2: |
2. D. Passive sniffing is all that is required to listen to traffic on a hub. Answer A is incorrect, as active sniffing is performed on switches. Answers B and C are incorrect, as ARP poisoning and MAC flooding are both forms of active sniffing, and these activities are not required when using a switched network. |
| A3: |
3. C. A Smurf attack uses ICMP to send traffic to the broadcast address and spoof the source address to the system under attack. Answer A is incorrect because a SYN attack would not be indicated by traffic to a broadcast address. Answer B is incorrect, as a Land attack is to and from the same address. Answer D is incorrect because a Chargen attack loops between Chargen and Echo. |
| A4: |
4. A. Here is what the command-line option flags do: -T tells ettercap to use the text interface; -q tells ettercap to be quieter; -F tells ettercap to use a filter, in this case cd.ef; -M tells ettercap the MITM (man-in-the-middle) method of ARP poisoning. Therefore Answers B, C, and D are incorrect because this command is not logging sniffed passwords, it is not checking to see if someone else is performing ARP poisoning, and it is not used to place the NIC into promiscuous mode. |
| A5: |
5. C. MAC flooding is the act of attempting to overload the switches content addressable memory (CAM) table. By sending a large stream of packets with random addresses, the CAM table of the switch will evenly fill up and the switch can hold no more entries; some switches might divert to a "fail open" state. This means that all frames start flooding out all ports of the switch. Answer A is incorrect because active sniffing is not the specific type requested in the question. Answer B is incorrect because ARP poisoning is characterized by spoofing address in the ARP request or response. Answer D is incorrect, as passive sniffing is usually performed only on hubs. |
| A6: |
6. A. Trinity uses TCP port 6667. Trinoo and Shaft do not use port 6667, and DDoSPing is a scanning tool; therefore, answers B, C, and D are incorrect. |
| A7: |
7. D. DDoSPing is a Windows GUI scanner for the DDoS agents Wintrinoo, Trinoo, Stacheldraht and TFN. Answers A, B, and C are incorrect because MStream, Trinoo, and Shaft are all DDoS programs. |
| A8: |
8. B. Stacheldraht is a DDoS program. All other answers are incorrect because they are DoS programs; Smurf, Land, and Fraggle. |
| A9: |
9. A. A SYN flood disrupts Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set. This large number of half open TCP connections fills the buffer on victim's system and prevents it from accepting legitimate connections. Answer B is incorrect, as this describes a Land attack. Answer C is incorrect, as a large number of SYN ACK packets would not be present. Answer D is incorrect because ACK packets would not be the signature of this attack. |
| A10: |
10. C. The optimum time to perform a session hijack is after authentication. Answers A, B, and D are incorrect because if performed at the point of the three-step handshake, the attacker would not have an authenticated sessionanytime before authentication would not do the hacker much good. If performed right before shutdown, any misstep would mean that the user would log out and the attacker might have missed his chance to steal user's credentials. |
| A11: |
11. C. The first packet is the first step of the three-step startup. During the second step with the SYN ACK flags set, the acknowledgement value is set to 0BAA5002. Answers A, B, and D are incorrect because the second step will always have a value of the initial sequence number (ISN)+1. |
| A12: |
12. D. A ping of death can occur in some older systems when data is broken down into fragments and could add up to more than the allowed 65,536 bytes. Answers A, B, and C are incorrect because a Smurf attack uses ICMP, SYN attacks target TCP, and Land is characterized by identical source and target ports. |
| A13: |
13. C. A DoS attack targets availability. Answers A, B, and D are incorrect because DoS attacks do not target authentication, integrity, or confidentiality. |
| A14: |
14. C. For hijacking to be successful, several things must be accomplished: 1.) Identify and find an active session; 2.) Predict the sequence number; 3.) Take one of the parties offline; and 4.) Take control of the session. Answers A and B are incorrect, as MAC flooding or ARP poisoning would have already been started before the attack if the attacker were on a switched network. Answer D is incorrect because session control is the final step according to EC-Council documentation. |
| A15: |
15. C. DNS spoofing can be thwarted by using DNS Security Extensions (DNSSEC). DNSSEC act as an anti-spoofer because it digitally signs all DNS replies to ensure their validity. Answers A, B, and D are incorrect because disabling zone transfers or blocking TCP 53, which is the port and protocol used for zone transfers, cannot stop spoofing. Disabling DNS timeouts would also not help, as it would only cause the spoofing to persist. |
Suggested Reading and Resources
www.infosyssec.com/infosyssec/secdos1./htmDDoS information
www.honeynet.org/papers/forensics/index.htmlIdentifying a DDOS and buffer overflow attack
www.bitland.net/taranis/index.phpSwitches vulnerable to ARP poisoning
www.watchguard.com/infocenter/editorial/135324.aspMan-in-the-middle attacks
www.samspublishing.com/articles/article.asp?p=29750&seqNum=3&rl=1ARP poisoning
http://staff.washington.edu/dittrich/misc/ddosDDoS attacks
www.sans.org/dosstep/roadmap.phpDefeating DDOS attacks
www.cert.org/archive/pdf/DoS_trends.pdfDDoS trends
www.ethereal.comEthereal home page
http://www.datanerds.net/~mike/dsniff.htmlport of Dsniff
http://ketil.froyn.name/poison.htmlDNS poisoning
www.dnssec.netDNSSEC information
Web Server Hacking, Web Applications, and Database Attacks
|