
CEH Lab Manual

Module 10 - Denial of Service

Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

Lab Scenario

In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, to detect and neutralize attack handlers, and to mitigate such attacks.

Lab Objectives

The objective of this lab is to help students learn to perform DoS attacks and to test a network for DoS flaws.

In this lab, you will:

■ Create and launch a denial-of-service attack against a victim
■ Remotely administer clients
■ Perform a DoS attack by sending a huge number of SYN packets continuously
■ Perform a DoS HTTP attack

CEH Lab Manual Page 703 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service.

To carry out this lab, you need:

■ A computer running Windows Server 2008
■ Windows XP / 7 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 60 Minutes

Overview of Denial of Service

Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing its intended tasks.

Lab Tasks

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Only ever direct these attacks at systems you own or have written authorization to test; in this lab the targets are your own virtual machines.

Recommended labs to assist you in denial of service:

■ SYN flooding a target host using hping3
■ HTTP flooding using DoSHTTP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyzer.

Lab Scenario

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against the SYN flood: a SYN cookie encodes the connection state in the server's initial sequence number, so the target host allocates no resources for a half-open connection until a valid ACK arrives.
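The half-open connection exhaustion described above, and the SYN-cookie countermeasure, simulated in Python. This is an added example, not code from the lab manual or from hping3: it models the server side of the handshake, with a plain listener that allocates a backlog slot per SYN and a SYN-cookie listener that stores nothing until a valid ACK arrives. The addresses, the backlog size, the server secret and the use of HMAC-SHA256 over (source address, source port, time counter) as the cookie are assumptions for the demonstration; real implementations also encode the MSS in the cookie.

```python
import hashlib
import hmac
import secrets
import time

BACKLOG = 128                            # half-open slots in the stateful listener (assumption)
SECRET = b"constructed-server-secret"    # per-boot secret; constructed for the demo


class StatefulListener:
    """Classic TCP listener: one backlog slot per SYN until the ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}              # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        """Return the server ISN sent in the SYN-ACK, or None if the backlog is full."""
        if len(self.half_open) >= self.backlog:
            return None                  # backlog full: the SYN is silently dropped
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        """Complete the handshake if the ACK matches a stored half-open entry."""
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieListener:
    """SYN-cookie listener: the ISN itself carries the state, so nothing is stored."""

    def __init__(self, secret=SECRET, now=time.time):
        self.secret = secret
        self.now = now                   # injectable clock so expiry can be tested

    def _counter(self):
        return (int(self.now()) // 32) & 0xFF      # 8-bit counter that ticks every 32 s

    def _mac(self, src_ip, src_port, counter):
        msg = f"{src_ip}:{src_port}:{counter}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")   # 24-bit truncated MAC

    def on_syn(self, src_ip, src_port):
        """Return a cookie ISN: top 8 bits = time counter, low 24 bits = MAC."""
        counter = self._counter()
        return (counter << 24) | self._mac(src_ip, src_port, counter)

    def on_ack(self, src_ip, src_port, ack):
        """Accept the connection only if ack-1 is a fresh cookie for this client."""
        isn = (ack - 1) & 0xFFFFFFFF
        counter = isn >> 24
        if (self._counter() - counter) & 0xFF > 1:  # cookie older than about 64 s
            return False
        expected = self._mac(src_ip, src_port, counter).to_bytes(3, "big")
        return hmac.compare_digest((isn & 0xFFFFFF).to_bytes(3, "big"), expected)


def simulate(listener, attack_syns=10_000):
    """Flood the listener with spoofed SYNs that never ACK, then try one real client."""
    for i in range(attack_syns):
        # spoofed sources (TEST-NET-3 range) that will never answer the SYN-ACK
        listener.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i % 60000)
    isn = listener.on_syn("192.0.2.10", 40000)     # legitimate client
    if isn is None:
        return False                               # SYN dropped: service denied
    return listener.on_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful listener survives flood:", simulate(StatefulListener()))
    print("SYN-cookie listener survives flood:", simulate(SynCookieListener()))
```

With the stateful listener the legitimate SYN is dropped as soon as 128 half-open entries are pending; the cookie listener accepts it because it never allocated anything, and a forged or stale ACK is rejected because the MAC or the time counter does not check out. On Linux the equivalent behaviour is enabled with the sysctl net.ipv4.tcp_syncookies=1, and it only takes over once the listen backlog overflows.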

Lab Objectives

The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.

In this lab, you will:

■ Perform denial-of-service attacks
■ Send a huge number of SYN packets continuously


Lab Environment

Note: Tools demonstrated in this lab are available at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service.

To carry out the lab, you need:

■ A computer running Windows 7 as the victim machine
■ BackTrack 5 r3 running in a virtual machine as the attacker machine
■ Wireshark, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\Sniffing Tools\Wireshark

Lab Duration
Time: 10 Minutes

Overview of hping3

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like a ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols.

Lab Tasks

Flood SYN Packets

1. Launch BackTrack 5 r3 on the virtual machine.

2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> BackTrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> hping3.

[Figure 1.1: BackTrack 5 r3 menu, showing the path Information Gathering -> Network Analysis -> Identify Live Hosts -> hping3]

3. The hping3 utility starts in the command shell.

Note: Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.


[Figure 1.2: BackTrack 5 r3 command shell showing the hping3 help output, including the TCP flag options --syn, --rst, --push, --ack, --urg, --xmas and --ymas, --tcpexitcode and --tcp-timestamp, the common options --data, --file, --sign and --end, the traceroute options --traceroute, --tr-stop, --tr-keep-ttl and --tr-no-rtt, and --apd-send]

4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

Note: First, type a simple command and see the result. At the hping3 prompt, hping resolve www.google.com returned 66.102.9.104 when this lab was written. The hping3 command should be called with a subcommand as the first argument and additional arguments according to the particular subcommand. The hping resolve command is used to convert a hostname to an IP address.

[Figure 1.3: BackTrack 5 r3 hping3 prompt with the hping resolve command]

5. In the previous command, 10.0.0.11 (Windows 7) is the victim machine's IP address, and 10.0.0.13 (BackTrack 5 r3) is the attacker machine's IP address. -S sets the SYN flag, -a sets the source address written into the packets (here the attacker's own address; any address can be spoofed), -p 22 selects the destination port, and --flood sends packets as fast as possible without waiting for replies.

root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown

[Figure 1.4: BackTrack 5 r3 command shell with hping3 in flood mode]

6. hping3 floods the victim machine by sending bulk SYN packets and overloading the victim's resources.


7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.

Note: hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care about security to test networks and hosts. A subset of the things you can do using hping3:
■ Firewall testing
■ Advanced port scanning
■ Network testing, using various protocols, TOS, fragmentation
■ Manual path MTU discovery
■ Advanced traceroute, under all the supported protocols
■ Remote OS fingerprinting
■ Remote uptime guessing
■ TCP/IP stack auditing

[Figure 1.5: Wireshark capture on the victim showing a stream of 54-byte TCP segments from 10.0.0.13 to 10.0.0.11, each summarized as [TCP Port numbers reused] <source port> > ssh [SYN] with destination port ssh (22); over 119,000 packets captured]

You sent a huge number of SYN packets, which filled the victim machine's half-open connection table and left it unable to accept legitimate connections; as the scenario notes, on some systems this resource starvation can also crash the machine.
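A detector for what Figure 1.5 shows, written as an added Python example (not part of the lab manual or of Wireshark). It walks packet summaries in the shape of the capture above, tracks how many SYNs each source sends to each destination port in a one-second sliding window and how many of those handshakes ever complete with a client ACK, and alerts on sources whose SYN rate exceeds a threshold while almost nothing completes. The sample packets, the 100 SYN/s threshold and the 10 percent completion cut-off are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """One TCP segment summary, the fields a Wireshark/tshark export provides."""
    ts: float        # seconds, e.g. frame.time_relative
    src: str
    dst: str
    sport: int
    dport: int
    flags: str       # Wireshark style: "SYN", "SYN,ACK", "ACK", ...


SYN_THRESHOLD = 100     # SYNs from one source to one port per window (assumption)
WINDOW = 1.0            # seconds
MAX_COMPLETION = 0.10   # handshakes completed / SYNs seen; below this it is a flood


def detect_syn_flood(packets, threshold=SYN_THRESHOLD, window=WINDOW,
                     max_completion=MAX_COMPLETION):
    """Return {(src, dst, dport): stats} for every source that looks like a SYN flooder."""
    recent = defaultdict(deque)                          # key -> SYN timestamps in window
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "peak_rate": 0})
    pending = set()                                      # 4-tuples awaiting the client ACK
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        flags = set(p.flags.split(","))
        if flags == {"SYN"}:                             # first packet of a handshake
            key = (p.src, p.dst, p.dport)
            q = recent[key]
            q.append(p.ts)
            while q and p.ts - q[0] > window:            # slide the window
                q.popleft()
            s = stats[key]
            s["syns"] += 1
            s["peak_rate"] = max(s["peak_rate"], len(q))
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif flags == {"ACK"}:                           # third packet, if a SYN is pending
            four = (p.src, p.sport, p.dst, p.dport)
            if four in pending:
                pending.discard(four)
                stats[(p.src, p.dst, p.dport)]["completed"] += 1
    alerts = {}
    for key, s in stats.items():
        ratio = s["completed"] / s["syns"]
        if s["peak_rate"] >= threshold and ratio < max_completion:
            alerts[key] = dict(s, completion_ratio=round(ratio, 3))
    return alerts


def sample_capture():
    """Constructed traffic in the shape of Figure 1.5: a flood plus one normal client."""
    pkts = []
    # 500 SYNs to port 22 in half a second with sequential source ports and no ACKs,
    # which is what hping3 --flood produces
    for i in range(500):
        pkts.append(Packet(10.0 + i * 0.001, "10.0.0.13", "10.0.0.11", 53620 + i, 22, "SYN"))
    # a normal client completing three handshakes to port 80
    for i in range(3):
        t = 10.0 + i * 0.1
        pkts.append(Packet(t, "10.0.0.20", "10.0.0.11", 50000 + i, 80, "SYN"))
        pkts.append(Packet(t + 0.001, "10.0.0.11", "10.0.0.20", 80, 50000 + i, "SYN,ACK"))
        pkts.append(Packet(t + 0.002, "10.0.0.20", "10.0.0.11", 50000 + i, 80, "ACK"))
    return pkts


if __name__ == "__main__":
    for (src, dst, dport), s in detect_syn_flood(sample_capture()).items():
        print(f"SYN flood: {src} -> {dst}:{dport}  peak {s['peak_rate']} SYN/s, "
              f"{s['syns']} SYNs, {s['completed']} completed")
```

Feeding a real capture in is a matter of exporting fields such as frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags.syn and tcp.flags.ack with tshark -T fields and building Packet objects from them. Because hping3 -a can spoof the source address, the alert key identifies the address that was spoofed, not necessarily the true attacker; the value of the detector is in triggering a mitigation such as SYN cookies or rate limiting, not attribution.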

Lab Analysis

Document all the results gathered during the lab.

Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed flooding the resources in the victim machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
[ ] Yes  [x] No

Platform Supported
[x] Classroom  [x] iLabs


Lab 2: HTTP Flooding Using DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.

Lab Scenario

HTTP flooding is an attack that uses enormous numbers of useless requests to jam a web server. One published detection approach uses hidden semi-Markov models (HSMM) to describe web-browsing patterns and detect HTTP flooding attacks: a large number of legitimate request sequences is used to train an HSMM model, and the legitimate model is then used to check each incoming request sequence. Abnormal web traffic whose likelihood under the legitimate model falls into an unreasonable range is classified as potential attack traffic and should be controlled with special actions such as filtering or limiting the traffic. Validated against real data, the method detects anomalous web traffic effectively.

In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is the HTTP flood approach.

As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. Against HTTP flooding you can implement an advanced technique known as "tarpitting": once a connection is established, the server advertises a TCP window of only a few bytes. By design of the TCP/IP protocol, the connecting device initially sends only as much data as fits in that window and then waits for the server to respond. With tarpitting, the server never responds to the packets of unwanted HTTP requests, so each attacking connection stalls having sent almost nothing, protecting your web server. Tarpitting keeps each unwanted connection alive with negligible server state while the client waits, so it is a rate control rather than a filter; it must be combined with a way of deciding which requests are unwanted.

Lab Objectives

The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.


Lab Environment

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service.

To carry out this lab, you need:

■ The DoSHTTP tool, located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoS HTTP
■ You can also download the latest version of DoSHTTP from http://www.socketsoft.net/
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as the host (attacker) machine
■ Windows 7 running on a virtual machine as the victim machine
■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.

Lab Tasks

DoSHTTP Flooding

1. Install and launch DoSHTTP in Windows Server 2012.

2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.

[Figure 2.1: Windows Server 2012 desktop view]


3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.

Note: DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.

[Figure 2.2: Windows Server 2012 Start menu apps, with the DoSHTTP tile]

4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated the trial version. Click Try to continue.

[Figure 2.3: DoSHTTP 2.5.1 main window with the DoSHTTP Registration dialog: "Unregistered Version. You have 13 days or 3 uses left on your free trial." with Try and Close buttons, and a Serial Number field with a Register button]

5. Enter the URL or IP address in the Target URL field.

6. Select a User Agent, the number of Sockets to send, and the type of Requests to send. Click Start.

7. In this lab, we are using the Windows 7 IP (10.0.0.7) to flood.


[Figure 2.4: DoSHTTP 2.5.1 [Evaluation Mode] window: Target URL 10.0.0.11; User Agent "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)"; Sockets 1500; Requests Continuous; buttons Verify URL, Start Flood, Close]

Note: These IP addresses may differ in your lab environment.

8. Click OK in the DoSHTTP evaluation pop-up.

Note: DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP Flood. DoSHTTP can be used simultaneously on multiple clients to emulate a Distributed Denial of Service (DDoS) attack.

[Figure 2.5: DoSHTTP evaluation mode pop-up: "Evaluation mode will only perform a maximum of 10000 requests per session."]

9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start capturing on its interface.

10. DoSHTTP opens asynchronous sockets and performs HTTP flooding of the target.

11. Go to the virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.

Note: DoSHTTP can help IT professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT Security and Software Development professionals.


[Figure 2.6: Wireshark window on the Windows 7 machine showing TCP 57281 > http [SYN] from 10.0.0.10 to 10.0.0.11 among ARP, NBNS, LLMNR and DHCPv6 background traffic]

12. You see that a lot of HTTP packets are flooded to the host machine.

13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered target.
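The scenario for this lab ends with "filtering or limiting the traffic", and the capture above shows what the flood looks like on the wire. The following added Python example (not the lab manual's or DoSHTTP's code) works one layer up, on the web server's own access log: it parses combined-format log lines, keeps a sliding window of requests per client address, and reports every client whose peak request rate exceeds a limit, together with the User-Agent strings it presented. A flood run from a single DoSHTTP instance looks exactly like that in the log: one address, one fixed User-Agent, thousands of identical requests. The log lines, the 10-second window and the 50-request limit are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/NGINX "combined" log format; IIS logs would need a different pattern
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = 10.0    # seconds (assumption)
LIMIT = 50       # requests per client within WINDOW before we report it (assumption)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return {"ip": m["ip"], "ts": ts, "req": m["req"],
            "status": int(m["status"]), "ua": m["ua"]}


def detect_http_flood(lines, limit=LIMIT, window=WINDOW):
    """Return {client_ip: {"peak": n, "user_agents": [...]}} for clients over the limit."""
    recent = defaultdict(deque)      # ip -> timestamps of requests inside the window
    peak = defaultdict(int)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # malformed line: skip rather than crash the detector
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the per-client window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
        agents[rec["ip"]].add(rec["ua"])
    return {ip: {"peak": peak[ip], "user_agents": sorted(agents[ip])}
            for ip in peak if peak[ip] > limit}


def sample_log():
    """Constructed log: a DoSHTTP-style flood from one client next to a normal visitor."""
    start = datetime(2012, 10, 21, 13, 34, 0, tzinfo=timezone.utc)
    flood_ua = "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)"   # as in Figure 2.4
    lines = []
    for i in range(200):             # 200 identical requests in two seconds
        t = (start + timedelta(milliseconds=10 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.7 - - [{t}] "GET / HTTP/1.1" 200 1234 "-" "{flood_ua}"')
    for i in range(5):               # a person browsing a page every few seconds
        t = (start + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.20 - - [{t}] "GET /page{i}.html HTTP/1.1" 200 5120 '
                     f'"http://10.0.0.11/" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"')
    lines.append("not a log line")   # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for ip, info in detect_http_flood(sample_log()).items():
        print(f"{ip}: peak {info['peak']} requests per {WINDOW:.0f}s, "
              f"user agents: {info['user_agents']}")
```

A real deployment would key on more than the source address, since DoSHTTP run on several clients (as the manual notes) spreads the load across addresses, and it would feed the result into the tarpitting or rate-limiting control described in the scenario rather than only printing it.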

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: DoSHTTP
Information Collected/Objectives Achieved: HTTP packets observed flooding the host machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate how DoSHTTP can be used simultaneously on multiple clients to perform DDoS attacks.


2. Determine how you can prevent DoSHTTP attacks on a network.

Internet Connection Required
[ ] Yes

Platform Supported
[x] Classroom  [x] iLabs
