
Lab 2

In this lab, we will send ping requests to a target system, but then we will trick the target system
into replying to another system by spoofing our IP address.

Preparations:
1 – Open VirtualBox Manager > File > Preferences > Network and click the icon on the left.
Type an arbitrary name into the field and click OK.

2 – Right click on your virtual machine, Settings > Network and change from NAT to NAT Network.
Select the name you created in step 1.

3 – Right click on the setting again and change the name of the VM to “Attacker”.

4 - Start your VM (If it was on, restart it.)

5 – Adding a new VM: Open VirtualBox Manager > File > Import Appliance and select the
Lubuntu.ova file which you copied to your /local/scratch/<your-username> folder.

Make sure the text field “Machine Base folder” points to your
“/local/scratch/<your-username>/Virtualbox VMs” folder. In the “MAC address policy” option,
select “Change the MAC address for all network adapters”.

Click next and proceed with importing the ova file and creating the new virtual machine.

6 - Right click on the setting again and change the name of this VM to “Victim”.

7 – Set the Victim’s VM to also use NAT, following step 2.

8 – Start both virtual machines and log in with the cybr371/cybr371 account. To minimize
confusion, on the Attacker VM, switch to ben’s account, which also has sudo privileges:

$ su - ben

Your machines are now part of a LAN. Get the IP address of each system using the “$sudo
ifconfig” or “$sudo ip -c addr” command and try to ping each machine from the other.

Instructions:

Next, check the IP address of your Attacker and Victim machines by typing "$sudo ifconfig"
or “$sudo ip -c addr” in the command line and record it (replace <local IP> with your IP
in the following steps).

Attacker’s VM

VICTIM’s VM

Record your information:

<Attacker IP>= 10.0.2.15


<Victim IP>= 10.0.2.4

In the following steps, the examples are demonstrated for the addresses below. You should use
your own IP addresses when testing the steps.
<Attacker’s IP>= 10.0.2.15
<Victim’s IP>= 10.0.2.5
<Spoofed IP>= 10.0.2.86 (anything between 10.0.2.16 and 10.0.2.254)

A. IP Spoofing with hping3
hping3 is a very powerful tool for testing firewalls and routers.

1. Open one terminal window in each of the Attacker and Victim VMs. In the terminal window of
the Attacker VM we will use hping3, and in the terminal window of the Victim VM we will capture
packets to/from the system using tcpdump.

2. In the command-line of the Victim terminal window, type the following command to capture
packets to/from the system and press enter.

$sudo tcpdump host <Victim IP> -nnS

Question 1 a): What do the host and -nnS options mean in the above command?

Host determines the IP we want to connect to

-nn means don’t convert host addresses and port numbers to names
-S means print absolute TCP sequence numbers

3. Now, from the terminal window of Attacker VM, send three packets to Victim target, by typing
the following command in the terminal window.

$sudo hping3 -S 10.0.2.5 -c 3

Question 1 b): What do the -S and -c options mean in the above command?

-S means print absolute TCP sequence numbers


-c means count the number of packets and then stop

You should expect to see the output for the hping3 command in the terminal of Attacker VM as
shown in the following picture.

Attacker’s VM

The output of tcpdump is also given below (use Ctrl+C to stop capturing packets). We sent
TCP packets with the SYN flag (10.0.2.15.2808 > 10.0.2.5.0: Flags [S]) and the target responds
with the RST flag (10.0.2.5.0 > 10.0.2.15.2808: Flags [R.]), which means an abnormal session
disconnection. In the output, the numbers following the IP addresses are port numbers.

Victim’s VM

4. Now let us repeat the same experiment while spoofing the IP address of our host (Attacker
VM). If you stopped the tcpdump on the Victim VM, start it again in the terminal window.

This time we will use the -a flag to spoof our IP address. In the Attacker VM, type the following
command, replacing <spoofed IP> with the spoofed IP which you wrote down before.

$sudo hping3 -S <Victim IP> -a <spoofed IP> -c 3


Observe what happens on both the VMs.

Attacker’s VM

Victim’s VM

Question 2: Why did we get a 100% packet loss in the terminal of the Attacker’s VM?

We get a 100% packet loss, because we are trying to spoof 10.0.2.86 on the attacker's VM, so
the replies for these pings will not be received by the attacker's original IP.
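
The tcpdump lines from steps 3 and 4 can be parsed to show where the Victim's replies actually go. This is an added example, not part of the lab handout; the capture lines are constructed in `tcpdump -nnS` format, and the sample assumes a host at 10.0.2.86 answers ARP so that the RST is really sent.

```python
import re

# Constructed sample in the format printed by `tcpdump -nnS` (not captured output).
SAMPLE = """\
12:00:01.000001 IP 10.0.2.15.2808 > 10.0.2.5.0: Flags [S], seq 1000, win 512, length 0
12:00:01.000090 IP 10.0.2.5.0 > 10.0.2.15.2808: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:02.000001 IP 10.0.2.86.2809 > 10.0.2.5.0: Flags [S], seq 2000, win 512, length 0
12:00:02.000080 IP 10.0.2.5.0 > 10.0.2.86.2809: Flags [R.], seq 0, ack 2001, win 0, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse(text):
    """Return one dict per TCP line; the last dotted field is the port."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out

def syn_rst_pairs(packets):
    """Match each SYN with the RST sent back to the same address and port."""
    pending, pairs = {}, []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            pending[key] = p
        elif "R" in p["flags"]:
            rev = (p["dst"], p["dport"], p["src"], p["sport"])
            if rev in pending:
                pairs.append((pending.pop(rev), p))
    return pairs

def reply_destinations(text):
    """Addresses the Victim sent its RST replies to."""
    return sorted({rst["dst"] for _, rst in syn_rst_pairs(parse(text))})

if __name__ == "__main__":
    print(reply_destinations(SAMPLE))
```

The second reply is addressed to 10.0.2.86, the source address written in the packet, so it never reaches the Attacker at 10.0.2.15.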

B. IP Spoofing and Flooding with hping3


Now use IP spoofing with a ping flood to make a host unresponsive or slow. We need to spoof
the IP address of a machine currently running. For this we will use the Victim’s IP.

1. This time we need three terminal windows, one for tcpdump on the Victim VM, one for
hping3, and one for pinging the Victim IP from the Attacker’s VM (or host system or
another VM).
2. Start the tcpdump again in the Victim terminal window by typing:
$sudo tcpdump host <Victim IP> -nnS

3. In the Attacker terminal window ping the Victim IP address three times to make sure that
you can get a reply back as follows:

$ping <Victim IP> -c 3

4. This time we will send ping requests to the target IP, and will spoof the source address as
follows.

$sudo hping3 -1 --flood <Victim IP> -a <Any spoofed IP>

The -1 option sends ICMP echo requests (ping requests); the --flood option sends many packets
in a short time.

5. In the Attacker VM, open a new terminal tab and ping the spoofed IP again as follows.

$ping <spoofed IP> -c 3

If you try pinging 10.0.2.5 from a “Third” virtual machine (below), you should see the same
output.

Question 3: a) Check your tcpdump terminal on the Victim VM terminal window. What do you
see?

Flood of ICMP echo packets

Question 3: b) Do you get a ping reply back on the Attacker VM? If you do, how long does it take
to get a reply back? Why?

It shows 100% packet loss on the attacker's VM


It took 2040ms to get a reply

Question 3: c) Repeat the experiment using 10 packets and calculate the average Round Trip
Delay Time before and during the flooding attack.

The delay time is 9209ms during flooding attack


Round trip delay before flood attack is 0.627ms

6. Stop hping3 using Ctrl+C.

Question 4: Write a command to send Ping of Death from the Attacker host to the Victim. Is it
effective? How can you make a ping of death effective these days?
sudo hping3 -S 10.0.2.4 -s 66000
Yes, it is effective
We can do a DDoS attack to make a ping of death effective these days

Question 5: Perform web research and briefly discuss how to detect IP spoofing. Explain.

We can detect IP spoofing by a direct time-to-live probe. In this case, we send a packet to the
claimed host and wait for a reply. Once we get it, we check the time-to-live value in the IP
header of the reply, and if it’s not the same as in the packet that we are checking, we can
detect the spoofed packet.
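
The time-to-live comparison described in this answer can be written as a small check. This is an added example, not part of the lab handout; it goes slightly beyond exact TTL equality by comparing estimated hop counts with a tolerance, and the initial-TTL table, the tolerance and all addresses and TTL values are assumptions constructed for illustration.

```python
# Common initial TTL values used by operating systems (an assumption of this check).
INITIAL_TTLS = (32, 64, 128, 255)

def hops(ttl):
    """Estimate hops travelled: distance below the nearest common initial TTL."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    return min(i for i in INITIAL_TTLS if i >= ttl) - ttl

def check_packet(src, observed_ttl, probe_ttls, tolerance=1):
    """Compare a packet's hop count with the probe reply from its claimed source.

    probe_ttls maps an address to the TTL seen in the reply to a direct probe.
    Returns 'unknown' (no reply to the probe), 'consistent' or 'suspect'.
    """
    if src not in probe_ttls:
        return "unknown"
    diff = abs(hops(observed_ttl) - hops(probe_ttls[src]))
    return "consistent" if diff <= tolerance else "suspect"

# Constructed sample: TTLs of probe replies and of packets under inspection.
PROBES = {"192.0.2.10": 57, "192.0.2.20": 116}
PACKETS = [
    ("192.0.2.10", 57),   # same path length as the probe reply
    ("192.0.2.10", 62),   # claims 192.0.2.10 but travelled 2 hops, not 7
    ("192.0.2.20", 115),  # one hop of route variation, within tolerance
    ("192.0.2.30", 64),   # claimed source never answered the probe
]

def classify(packets=PACKETS, probes=PROBES):
    """Label every (source, TTL) observation against the probe results."""
    return [(src, ttl, check_packet(src, ttl, probes)) for src, ttl in packets]

if __name__ == "__main__":
    for row in classify():
        print(row)
```

On a single LAN segment such as the one in this lab, every host is zero hops away, so the check only separates spoofed from genuine packets when the sender's initial TTL differs; it is most useful at a routed network boundary.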
