In this lab, we will send ping requests to a target system, but then we will trick the target system
into replying to another system by spoofing our IP address.
Preparations:
1 – Open VirtualBox Manager > File > Preferences > Network and click the icon on the left.
Type an arbitrary name into the field and click OK.
2 – Right click on your virtual machine, Settings > Network and change from NAT to NAT Network.
Select the name you created in step 1.
3 – Right click on the setting again and change the name of the VM to “Attacker”.
5 – Adding a new VM: Open VirtualBox Manager > File > Import Appliance and select the
Lubuntu.ova file which you copied to your /local/scratch/<your-username> folder.
Make sure the text field “Machine Base folder” points to your “/local/scratch/<your-username>/Virtualbox VMs” folder.
In the “MAC address policy” option, select “Change the MAC address for all network adapters”.
Click next and proceed with importing the ova file and creating the new virtual machine.
6 - Right click on the setting again and change the name of this VM to “Victim”.
8 – Start both virtual machines and log in with the cybr371/cybr371 account. To minimize
confusion, on the Attacker VM, switch to ben’s account, which also has sudo privileges:
$ su - ben
Your machines are now part of a LAN. Get the IP address of each system using “$ sudo
ifconfig” or “$ sudo ip -c addr” and try to ping each machine from the other.
Instructions:
Next, check the IP addresses of your Attacker and Victim machines by typing “$ sudo ifconfig”
or “$ sudo ip -c addr” in the command line and record them (replace <local IP> with your IP
in the following steps).
[Screenshots: Attacker’s VM and Victim’s VM]
In the following steps, the examples are demonstrated for the addresses below. You should use
your own IP addresses when testing the steps.
<Attacker’s IP>= 10.0.2.15
<Victim’s IP>= 10.0.2.5
<Spoofed IP>= 10.0.2.86 <anything between 10.0.2.16 to 10.0.2.254>
A. IP Spoofing with hping3
hping3 is a very powerful tool for testing firewalls and routers.
1. Open one terminal window in each of the Attacker and Victim VMs. In the terminal window of the
Attacker VM we will use hping3, and in the terminal window of the Victim VM we will capture
packets to/from the system using tcpdump.
2. In the command-line of the Victim terminal window, type the following command to capture
packets to/from the system and press enter.
Question 1 a): What do the host and -nnS options mean in the above command?
3. Now, from the terminal window of Attacker VM, send three packets to Victim target, by typing
the following command in the terminal window.
Question 1 b): What do the -S and -c options mean in the above command?
You should expect to see the output for the hping3 command in the terminal of Attacker VM as
shown in the following picture.
[Screenshot: Attacker’s VM]
The output of tcpdump is also given below (use Ctrl+C to stop capturing packets). We sent
TCP packets with the SYN flag (10.0.2.15.2808 > 10.0.2.5.0: Flags [S]) and the target responds
with the RST flag (10.0.2.5.0 > 10.0.2.15.2808: Flags [R.]), which means an abnormal session
disconnection. In the output, the numbers following the IP addresses are port numbers.
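As an added example (not part of the original lab handout), the Python sketch below parses tcpdump -nnS lines of the kind described above, splitting the trailing number off each address as the port, and counts the SYNs sent to the victim against the RSTs it returned. The sample lines are constructed for illustration, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -nnS style (not output captured in the lab).
SAMPLE = """\
10:15:00.999000 ARP, Request who-has 10.0.2.5 tell 10.0.2.15, length 46
10:15:01.100001 IP 10.0.2.15.2808 > 10.0.2.5.0: Flags [S], seq 1000, win 512, length 0
10:15:01.100050 IP 10.0.2.5.0 > 10.0.2.15.2808: Flags [R.], seq 0, ack 1001, win 0, length 0
10:15:02.100200 IP 10.0.2.15.2809 > 10.0.2.5.0: Flags [S], seq 2000, win 512, length 0
10:15:02.100260 IP 10.0.2.5.0 > 10.0.2.15.2809: Flags [R.], seq 0, ack 2001, win 0, length 0
10:15:03.100400 IP 10.0.2.15.2810 > 10.0.2.5.0: Flags [S], seq 3000, win 512, length 0
"""

# "<addr>.<port> > <addr>.<port>: Flags [..]": the last dotted field is the port.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse_line(line):
    """Split one tcpdump TCP line into endpoints and flags; None if it is not TCP."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def syn_summary(text, victim):
    """Per remote IP: SYNs sent to the victim and RSTs the victim sent back."""
    stats = defaultdict(lambda: {"syn": 0, "rst": 0})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue  # ARP and other non-TCP lines are skipped
        if p["dst"] == victim and p["flags"] == "S":
            stats[p["src"]]["syn"] += 1
        elif p["src"] == victim and "R" in p["flags"]:
            stats[p["dst"]]["rst"] += 1
    return dict(stats)

if __name__ == "__main__":
    for src, s in syn_summary(SAMPLE, "10.0.2.5").items():
        print(src, s, "unanswered:", s["syn"] - s["rst"])
```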
[Screenshot: Victim’s VM]
4. Now let us repeat the same experiment while spoofing the IP address of our host (Attacker
VM). If you stopped the tcpdump on the Victim VM, start it again in the terminal window.
This time we will use the -a flag to spoof our IP address. In the Attacker VM, type the following
command, replacing <spoofed IP> with the spoofed IP which you wrote down before.
[Screenshot: Victim’s VM]
Question 2: Why did we get a 100% packet loss in the terminal of the Attacker’s VM?
We get a 100% packet loss because we are trying to spoof 10.0.2.86 on the Attacker’s VM, so
the replies to these pings will not be received by the Attacker’s original IP.
1. This time we need three terminal windows, one for tcpdump on the Victim VM, one for
hping3, and one for pinging the Victim IP from the Attacker’s VM (or host system or
another VM).
2. Start the tcpdump again in the Victim terminal window by typing:
$ sudo tcpdump host <Victim IP> -nnS
3. In the Attacker terminal window ping the Victim IP address three times to make sure that
you can get a reply back as follows:
4. This time we will send ping requests to the target IP, and will spoof the source address as
follows.
The -1 option sends ICMP echo requests (ping requests); the --flood option sends many packets
in a short time.
5. In the Attacker VM, open a new terminal tab and ping the spoofed IP again as follows.
If you try pinging 10.0.2.5 from a “Third” virtual machine (below), you should see the same
output.
Question 3: a) Check your tcpdump terminal on the Victim VM terminal window. What do you
see?
Question 3: b) Do you get a ping reply back on the Attacker VM? If you do, how long does it take
to get a reply back? Why?
Question 3: c) Repeat the experiment using 10 packets and calculate the average Round Trip
Delay Time before and during the flooding attack.
Question 4: Write a command to send Ping of Death from the Attacker host to the Victim. Is it
effective? How can you make a ping of death effective these days?
sudo hiping3 -S 10.0.2.4 -s 66000
Yes, it is effective.
We can do a DDoS attack to make a ping of death effective these days.
Question 5: Perform web research and briefly discuss how to detect IP spoofing. Explain.
We can detect IP spoofing with a direct time-to-live probe. In this case we send a packet to the
claimed host and wait for a reply. Once we get it, we check the time-to-live value in the IP
header of the reply, and if it is not the same as in the packet that we are checking, we can
detect the spoofed packet.
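The TTL comparison described in the answer above can be expressed as the following Python sketch, an added example that is not part of the original lab or answer. It reads the source address and TTL from raw IPv4 headers and compares a suspect packet with a probe reply from the address it claims; the headers are constructed samples using the lab's example addresses, and the function names and the tolerance parameter are assumptions.

```python
import ipaddress
import struct

def build_header(src, dst, ttl, proto=1):
    """Build a 20-byte IPv4 header for the constructed samples (checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )

def parse_ipv4(packet):
    """Return (source address, TTL) read from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    # TTL is byte 8 of the header; the source address is bytes 12..15.
    return str(ipaddress.IPv4Address(packet[12:16])), packet[8]

def ttl_check(suspect, probe_reply, tolerance=0):
    """Compare the TTL of a suspect packet with the TTL of a probe reply
    from the address it claims to come from. True means the TTLs disagree."""
    s_src, s_ttl = parse_ipv4(suspect)
    p_src, p_ttl = parse_ipv4(probe_reply)
    if s_src != p_src:
        raise ValueError("probe reply did not come from the claimed source")
    return abs(s_ttl - p_ttl) > tolerance

# Constructed samples (assumed values) using the lab's example addresses.
VICTIM, CLAIMED = "10.0.2.5", "10.0.2.86"
suspect = build_header(CLAIMED, VICTIM, ttl=64)      # packet under examination
reply_same = build_header(CLAIMED, VICTIM, ttl=64)   # probe reply with the same TTL
reply_diff = build_header(CLAIMED, VICTIM, ttl=128)  # probe reply with a different TTL

if __name__ == "__main__":
    print("same TTL flagged:     ", ttl_check(suspect, reply_same))
    print("different TTL flagged:", ttl_check(suspect, reply_diff))
```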