Introduction to Network Attacks and DoS Attacks
This phase covers network attacks ranging from reconnaissance and access attacks up to the concept of DoS attacks, together with some more modern examples, to give an idea of the various attacks going on every day.
Introduction
There are many different types of network attacks including:
Reconnaissance Attacks
Access Attacks
Insider Attacks
Denial of Service Attacks
Reconnaissance Attacks
This is the unauthorized discovery and mapping of a target's systems and services. It is generally used to obtain the information needed before an access attack can be attempted.
There are two forms:
Passive - uses publicly available information gathered from social networks and the Internet, without sending any traffic to the target
Active - actively probes and scans the network infrastructure with the objective of identifying hosts, services and possible vulnerabilities
Access Attacks
These aim to gain access to a target system/company. Modern attacks involve:
remote hacking against vulnerable systems
social engineering
attacks against weak passwords used in user authentication
Defending against these attacks is difficult: a motivated attacker can try many methods to gain access, including social engineering and malware.
Training and education are paramount, to at least mitigate some of the most common attack vectors.
Insider Attacks
Not all attacks come from outside the organization. In an insider attack, a person (or an account) inside the organization is used to reach the data the attacker is after.
Often, data gets stolen from the inside by:
Users with legitimate access
External attackers who manage to obtain or create an insider account
Attacks from the inside are easier (or at least were easier): IDS/IPS are often not configured to inspect internal traffic, and firewalls mostly check traffic at the edge of the network.
They can be very dangerous because they are more difficult to detect.
Detection is best achieved with an "assumed compromise" approach, which works from the premise that an attack has already occurred.
Denial of Service Attacks
These types of attacks aim to disrupt the operation of a network, rendering a service unusable to legitimate users. Modern versions are mostly Distributed DoS (DDoS) attacks.
If an attacker is well motivated and capable, the chances of stopping such an attack outright are limited.
Mitigation techniques can be put in place to limit the damage and the scope of the attack.
WHAT ARE DOS ATTACKS?
In a DoS attack, the attacker does not have to gain access to the system to cause harm: the system is rendered unusable for legitimate users by overloading its resources.
DoS attacks are a blunt but powerful method that is easy to launch and difficult to prevent. They represent one of the biggest threats to a networked environment.
DISTRIBUTED DOS
DDoS is a large-scale, coordinated and more effective form of the attack. It often uses botnets to organize a large army of compromised computers.
It typically consists of three components:
Master/Handler - the attack launcher, which commands the agents
Slave/zombie/agent - a compromised host controlled by the master, which generates the actual traffic
Victim - the target system
DOS CAUSES AND SYMPTOMS
DoS attacks rely on one of:
Bandwidth consumption - saturates the network links, blocking the communication capability of the machines behind them
Resource starvation - directs a flood of traffic at an individual service on a machine, exhausting CPU, memory or connection tables
Programming flaws - triggers a critical error (for example with a malformed packet) that halts the machine's capability to operate
Symptoms of a DoS attack include:
an unusual increase in the amount of spam received
slow operation of the computer or network
failure to access websites or other services
DOS DUE TO POOR DESIGN
DoS is NOT always caused by attackers: it may be the result of resources being unable to cope with the volume of traffic from genuine sources, i.e. poor capacity planning.
The Impact of DoS Attacks
A well-timed DDoS attack can cause a great deal of damage. The impact of a DoS attack should never be underestimated, as it can essentially disable an organization's network and business.
DoS Attack Examples
There are many different types of DoS attack. Some of them are discussed below:
SMURF ATTACK
A smurf attack uses packet flooding to send a deluge of traffic to a system, overwhelming its capability to respond to legitimate users.
A smurf attack used to be serious because it could be launched from a relatively low-bandwidth connection to disable a system with much higher bandwidth.
It exploits ICMP by sending a large number of spoofed ping (echo request) packets addressed to the broadcast address of a network, with the source address set to that of the system under attack.
Many hosts reply, so the victim is flooded with ping responses: the broadcast acts as an amplifier.
The steps are as follows:
The attacker forges a ping packet with the source address set to that of the target system
The forged ping packet is sent to the broadcast address of a remote network
Pinging the broadcast address causes all hosts on that network to respond to the forged request
The hosts on the remote network each send their echo reply to the target, flooding it with pings
Nowadays routers do not forward directed broadcasts by default (RFC 2644) and most hosts ignore echo requests sent to broadcast addresses, so the attack is effectively defunct today.
FRAGGLE ATTACK
A Fraggle attack is similar to a smurf attack in that its goal is to use up bandwidth resources.
However, Fraggle uses UDP instead of ICMP. It sends a large amount of spoofed UDP traffic to ports 7 (echo) and 19 (chargen) at an IP broadcast address.
If enough traffic is generated, the network bandwidth will be used up and communication might be halted.
Fraggle attacks usually achieve a smaller amplification factor than smurf attacks, as few hosts run the echo and chargen services.
SYN FLOODING ATTACK
SYN flooding exploits a weakness in the three-way handshake of TCP to waste resources and prevent connectivity.
The attacker sends multiple fake TCP SYN requests to the target server with spoofed, random (unreachable) source IP addresses.
The target allocates resources to each half-open connection and replies with a SYN/ACK to the non-existent address, which never answers.
The target's connection (backlog) table fills up waiting for the final ACKs; once the table is full, new connection requests from legitimate clients are ignored.
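The mechanism above, and the usual countermeasure (SYN cookies), as an added example that is not part of the original notes: a toy listener with a fixed half-open table is flooded from spoofed sources and then a real client tries to connect. The backlog size, the secret and the addresses are assumptions; a real TCP stack keeps the same idea in the kernel.

```python
import hashlib
import hmac
import itertools
import struct

# Added example (not from the page): a toy TCP listener with a fixed half-open
# backlog, first without and then with SYN cookies. Constants are assumptions.
BACKLOG = 4                          # size of the half-open (SYN_RECV) table
SECRET = b"per-boot-random-secret"   # a real stack uses random key material


class Listener:
    def __init__(self, use_syncookies=False):
        self.use_syncookies = use_syncookies
        self.half_open = {}            # (src_ip, src_port) -> our ISN, one per SYN
        self.established = set()
        self.dropped = 0               # SYNs ignored because the table was full
        self.isn_counter = itertools.count(1000)
        self.time_slot = 0             # coarse clock (e.g. 64 s ticks) mixed into cookies

    def _cookie(self, src_ip, src_port, client_seq, slot):
        # SYN cookie: our ISN is a keyed hash of the connection parameters and
        # a time slot, so nothing has to be stored until the final ACK arrives.
        msg = f"{src_ip}:{src_port}:{client_seq}:{slot}".encode()
        digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
        low24 = struct.unpack(">I", digest[:4])[0] & 0x00FFFFFF
        return ((slot & 0xFF) << 24) | low24     # top byte: slot, rest: hash

    def on_syn(self, src_ip, src_port, client_seq):
        """Handle a SYN; return our SYN/ACK sequence number or None if dropped."""
        if self.use_syncookies:
            return self._cookie(src_ip, src_port, client_seq, self.time_slot)
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1          # table full: the SYN is silently ignored
            return None
        isn = next(self.isn_counter)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_seq, ack):
        """Handle the third handshake packet; ack must equal our ISN + 1."""
        key = (src_ip, src_port)
        if self.use_syncookies:
            # Recompute the cookie instead of looking up state; accept the
            # current and the previous time slot to tolerate slow clients.
            for slot in (self.time_slot, self.time_slot - 1):
                if ack - 1 == self._cookie(src_ip, src_port, client_seq, slot):
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.pop(key, None)
        if isn is None or ack != isn + 1:
            return False
        self.established.add(key)
        return True


def run_flood(use_syncookies, n_spoofed=50):
    """SYN-flood from spoofed sources, then let one real client connect.

    Returns (real_client_connected, half_open_entries, dropped_syns)."""
    srv = Listener(use_syncookies)
    for i in range(n_spoofed):
        # Spoofed, unreachable sources never answer the SYN/ACK, so without
        # cookies each of these occupies a table slot until it times out.
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, client_seq=7)
    isn = srv.on_syn("192.168.95.11", 50000, client_seq=123456)
    ok = isn is not None and srv.on_ack("192.168.95.11", 50000, 123456, isn + 1)
    return ok, len(srv.half_open), srv.dropped


if __name__ == "__main__":
    print("no SYN cookies:", run_flood(False))   # (False, 4, 47)
    print("SYN cookies   :", run_flood(True))    # (True, 0, 0)
```

Without cookies the four table slots are taken by spoofed SYNs and the legitimate client is dropped; with cookies the server stores nothing until the ACK proves the client is reachable, so the flood costs it only CPU. Real stacks only switch to cookies once the backlog overflows (Linux: net.ipv4.tcp_syncookies), because cookies cannot carry TCP options such as window scaling.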
PING OF DEATH ATTACK
Ping of death attacks are caused by sending an oversized IP packet (larger than the maximum IP packet size of 65,535 bytes). Oversized packets are illegal, but possible when fragmentation is used, because each fragment on its own is legal.
If the reconstituted fragments add up to more than the allowed 65,535 bytes, a target OS that does not check the reassembled size overruns its reassembly buffer and crashes.
This is an obsolete attack; most operating systems now validate the reassembled length.
TEARDROP ATTACK
IP requires that a packet larger than the link MTU is divided into fragments. Malformed-packet attacks format these fragments in an unexpected way.
Teardrop attacks exploit TCP/IP stacks that do not properly handle overlapping IP fragments.
Teardrop attacks send malformed packets with the fragment offset values tweaked so that the fragments overlap when reassembled.
The system under attack does not know how to process the overlapping fragments and crashes or locks up, which causes a DoS.
This is also an obsolete attack.
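The two reassembly failures just described (ping of death: reassembled size over the 16-bit limit; teardrop: overlapping offsets) in one added example that is not from the original notes. It is a deliberately small reassembler that refuses both cases instead of copying blindly into a fixed buffer, which is what the vulnerable stacks did; the fragment sets are constructed, not captured traffic.

```python
MAX_DATAGRAM = 65535     # IPv4 total length is a 16-bit field
IP_HEADER = 20           # minimal header that must fit alongside the data


class FragmentError(ValueError):
    pass


class OversizedDatagram(FragmentError):
    pass


class OverlappingFragment(FragmentError):
    pass


def reassemble(fragments):
    """Reassemble a list of (offset_bytes, more_fragments, payload) fragments.

    Offsets are given in bytes; on the wire the IP header carries them in
    8-byte units, which is why every non-final fragment must carry a multiple
    of 8 bytes. Fragments may arrive in any order. Raises OversizedDatagram
    (ping of death) or OverlappingFragment (teardrop) rather than crashing.
    """
    if not fragments:
        raise FragmentError("no fragments")
    buf = bytearray()
    expected = 0
    seen_last = False
    for offset, more, payload in sorted(fragments, key=lambda f: f[0]):
        if seen_last:
            raise OverlappingFragment(f"data after the final fragment at {offset}")
        if more and len(payload) % 8:
            raise FragmentError(f"non-final fragment of {len(payload)} bytes at {offset}")
        if offset < expected:
            raise OverlappingFragment(f"fragment at {offset} overlaps data up to {expected}")
        if offset > expected:
            raise FragmentError(f"gap before offset {offset}: datagram incomplete")
        end = offset + len(payload)
        if end + IP_HEADER > MAX_DATAGRAM:
            raise OversizedDatagram(f"reassembled datagram would be {end + IP_HEADER} bytes")
        buf += payload
        expected = end
        seen_last = not more
    if not seen_last:
        raise FragmentError("final fragment missing: datagram incomplete")
    return bytes(buf)


def classify(fragments):
    """Label a fragment set the way a hardened reassembler or an IDS would."""
    try:
        reassemble(fragments)
        return "ok"
    except OversizedDatagram:
        return "ping-of-death"
    except OverlappingFragment:
        return "teardrop"
    except FragmentError:
        return "incomplete"


# Constructed sample fragment sets (not captured traffic).
def ping_of_death():
    # 44 full 1480-byte fragments (65120 bytes) plus a 400-byte tail:
    # 65520 bytes of data + 20-byte header = 65540 > 65535.
    frags = [(i * 1480, True, b"A" * 1480) for i in range(44)]
    frags.append((44 * 1480, False, b"A" * 400))
    return frags


def teardrop():
    # The second fragment claims offset 24 although the first already covers 0..40.
    return [(0, True, b"A" * 40), (24, False, b"B" * 24)]


NORMAL = [(16, False, b"B" * 8), (0, True, b"A" * 16)]   # out of order, but valid

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping_of_death", ping_of_death()), ("teardrop", teardrop())):
        print(name, "->", classify(frags))
```

A real reassembler also has to hold incomplete datagrams for a while and to cap how much memory they may consume, which is a third DoS angle (fragment floods) that this simplified version does not cover.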
LAND ATTACK
The Land DoS attack works by sending a spoofed TCP SYN packet to an open, listening port where the source and destination IP addresses and port numbers are identical.
This fools the machine into thinking it is sending itself a message, so it replies to itself.
Depending on the OS, the target becomes confused by the flawed packets and crashes or locks up, as it does not know how to handle them.
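As an added example that is not part of the original notes, the smurf, fraggle and land signatures above expressed as checks over raw IPv4 packets, which is how a packet filter or IDS would spot them. The lab subnet 192.168.95.0/24, the use of 192.168.95.100 as the spoofed victim address and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.168.95.0/24")   # assumed lab subnet
IP_FMT = "!BBHHHBBH4s4s"                                # 20-byte IPv4 header


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet: minimal header (checksum left 0) + payload."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"          # type 8 = echo request


def udp(sport, dport, data=b"x"):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_syn(sport, dport):
    # data offset 5 words, flags byte 0x02 = SYN
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def classify(packet, local_net=LOCAL_NET):
    """Match one raw IPv4 packet against the smurf, fraggle and land signatures."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    body = packet[(ver_ihl & 0x0F) * 4:]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_broadcast = dst in (local_net.broadcast_address, ipaddress.ip_address("255.255.255.255"))

    if proto == 1 and to_broadcast and body[:1] == b"\x08":
        return "smurf"        # echo request to broadcast: every host replies to src
    if proto == 17 and to_broadcast:
        _, dport = struct.unpack("!HH", body[:4])
        if dport in (7, 19):
            return "fraggle"  # UDP echo/chargen to broadcast, same amplification idea
    if proto == 6:
        sport, dport = struct.unpack("!HH", body[:4])
        if body[13] & 0x02 and src == dst and sport == dport:
            return "land"     # SYN from the victim to itself
    return "benign"


# Constructed samples; 192.168.95.100 stands in for the spoofed victim address.
SAMPLES = {
    "smurf": build_ipv4("192.168.95.100", "192.168.95.255", 1, icmp_echo_request()),
    "fraggle": build_ipv4("192.168.95.100", "192.168.95.255", 17, udp(40000, 7)),
    "land": build_ipv4("192.168.95.100", "192.168.95.100", 6, tcp_syn(21, 21)),
    "normal_ping": build_ipv4("192.168.95.11", "192.168.95.100", 1, icmp_echo_request()),
    "normal_syn": build_ipv4("192.168.95.11", "192.168.95.100", 6, tcp_syn(50000, 21)),
}


def classify_all(samples=SAMPLES):
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} -> {verdict}")
```

All three checks are cheap header comparisons, which is why these attacks are dead: a router that drops directed broadcasts at the edge and a host that discards packets whose source equals its own address defeat them completely.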
Modern DoS Attack Example
A more modern example of a DoS attack is the DNS amplification attack. These are also known as DNS reflection attacks, as they use DNS servers to "reflect" and amplify traffic and direct it against a specific target.
The attacker sends DNS requests to several DNS servers with the source address spoofed to that of the target, so every server sends its (much larger) reply to the target instead of back to the attacker.
The oversimplified process is:
The attacker spoofs DNS requests to several DNS servers, directing their responses to the target
The query asks for ANY records, so the DNS response is many times larger than the request and is directed at the target network
For this to work, the DNS servers must be misconfigured as open resolvers, i.e. they answer recursive queries from anyone. The original requests are often relayed through a botnet for a larger base of attack and further concealment.
It is difficult to defend against, as the traffic comes from valid DNS servers.
A fairly modern example of a DDoS attack is the Mirai botnet, which was built from compromised IoT devices.
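An added example, not from the original notes: the attacker's ANY query built byte by byte (with the EDNS0 option that real amplification attacks use to ask for large UDP answers), and a simplified response rate limiter of the kind resolvers and authoritative servers deploy against reflection. It goes a step beyond the text by showing the defensive side. The 3000-byte response size, the query name and the victim address are assumptions; the rate limiter is my own simplification of the BIND RRL idea, not BIND's code.

```python
import ipaddress
import struct
from collections import defaultdict


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_any_query(name, txid=0x1234, udp_size=4096):
    """The attacker's packet: a tiny 'ANY' query with EDNS0 advertising a large UDP buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", 255, 1)        # QTYPE=ANY, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)         # OPT RR: type 41, class = UDP size
    return header + question + opt


class ResponseRateLimiter:
    """Simplified response rate limiting (the idea behind BIND's RRL; assumption,
    not BIND's code).

    Identical answers to the same client /24 are limited per second; beyond the
    limit every `slip`-th response is sent truncated (TC=1, a small packet that
    makes a genuine client retry over TCP) and the rest are dropped. A spoofed
    source cannot complete the TCP retry, so the amplification collapses.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.rps = responses_per_second
        self.slip = slip
        self.sent = defaultdict(int)
        self.excess = defaultdict(int)

    def decide(self, client_ip, qname, qtype, now):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (net, qname.lower(), qtype, int(now))
        self.sent[key] += 1
        if self.sent[key] <= self.rps:
            return "respond"
        self.excess[key] += 1
        return "truncate" if self.excess[key] % self.slip == 0 else "drop"


# Assumed size of a large ANY answer; a TC reply is taken to be about as big as the query.
RESPONSE_LEN = 3000


def simulate_flood(n_queries=20, victim="198.51.100.7", name="example.com"):
    """Return (outcomes, amplification without RRL, amplification with RRL)."""
    query = build_any_query(name)
    rrl = ResponseRateLimiter()
    outcomes = defaultdict(int)
    for i in range(n_queries):                      # all within the same second
        outcomes[rrl.decide(victim, name, 255, now=i * 0.01)] += 1
    sent_by_attacker = n_queries * len(query)
    received_no_rrl = n_queries * RESPONSE_LEN
    received_rrl = outcomes.get("respond", 0) * RESPONSE_LEN + outcomes.get("truncate", 0) * len(query)
    return dict(outcomes), received_no_rrl / sent_by_attacker, received_rrl / sent_by_attacker


if __name__ == "__main__":
    print(len(build_any_query("example.com")), "byte query")
    print(simulate_flood())   # ({'respond': 5, 'drop': 8, 'truncate': 7}, 75.0, 19.1)
```

A 40-byte query eliciting a 3000-byte answer is a 75x amplification; with the limiter only the first five answers per second go out in full, and the truncated ones cost the victim no more than the attacker paid. The other half of the fix is on the sending side: networks that filter spoofed source addresses (BCP 38) make the reflection impossible in the first place.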
Practical Examples
The first thing I will cover is ARP poisoning. Many of the common protocols in use today are inherently insecure; it can be very simple to intercept traffic between two hosts on a LAN by taking advantage of ARP's lack of authentication.
Once logged into Windows 7, we can open a CMD and ping the Windows 2016 server at 192.168.95.100 and the router at 192.168.95.254:
At this point, we can check the ARP cache by typing:
arp -a
Take note of the MAC addresses for 95.100 and 95.254.
The ARP cache is used by devices to keep a list of IP addresses and their corresponding MAC addresses. In a LAN environment, the physical (MAC) address is what is used to deliver frames to the destination. ARP has no form of security: devices on an Ethernet or WiFi network always accept ARP traffic as valid, including unsolicited (gratuitous) ARP replies.
With the appropriate tools, an attacker can forge an ARP reply binding the MAC of their machine to the IP of a victim device. This can be sent to other hosts on the network, which automatically consider the packet valid and update their ARP cache with the new values.
From then on, all traffic directed to the victim IP passes through the attacker.
The first thing we need to do is check whether Kali is able to route. By default, most Linux distributions have routing (IP forwarding) disabled.
For this attack to work, forwarding must be enabled: the two targets should NOT be able to notice something is wrong, so traffic must keep flowing from source to destination as expected (without forwarding, the poisoning turns into a DoS instead of an interception).
To check this, type:
cat /proc/sys/net/ipv4/ip_forward
A result of 0 indicates that IP forwarding is disabled; 1 indicates that it is enabled. Note that sudo echo 1 > /proc/sys/net/ipv4/ip_forward does not work, because the redirection is performed by the unprivileged shell, not by the sudo'd command. Write the value through tee instead:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
This setting does not survive a reboot.
Next, we need to have a network interface active inside the CALEY.uni internal subnet (192.168.95.0/24):
nmcli connection down Outside
nmcli connection up Inside
Then, we can run Ettercap by typing:
ettercap -G
Select eth1 as the interface and click on the play button to start sniffing.
Then, click on the three dots (menu) and select Hosts --> Scan for hosts:
Now, we select the target of the attack by selecting the IP address of Windows 7 (95.11), right click and select Add to Target 1:
Select the IP of Windows 2016 Server (95.100) and click on "Add to Target 2"
At this point, we are ready to start. Click on MITM Menu --> ARP Poisoning:
Make sure that "Sniff remote connections" is selected, as it is required to capture the communications between the two targets (rather than only traffic involving Kali). Leave the other option blank:
The attack is running and will take a few seconds to complete. Once finished, we can launch Wireshark from Kali and listen on eth1 interface:
Then, move to Windows 7 and check the ARP table as previously shown (arp -a) to confirm that the MAC address recorded for 95.100 has changed to Kali's:
Now, we can run a ping from Windows 7 to Windows 2016 Server. If the attack is successful, you should be able to capture the ICMP packets in Wireshark.
From Windows 7, we can connect to the Windows 2016 Server using FTP:
ftp neptune.caley.uni
We can use the credentials of student:B3Safe!
Once connected, go back to Ettercap GUI and the credentials should be visible:
This is a simple attack that takes advantage of the inherent insecurity of FTP, which sends credentials in clear text. However, the main difference from previously is that in this case Kali is not meant to receive the traffic at all, but is able to do so because of the ARP poisoning attack.
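The check a defender would run against this attack, as an added example that is not part of the original notes: a small ARP watcher that parses raw Ethernet/ARP frames, learns IP-to-MAC bindings and alerts on the two symptoms Ettercap produces (a known IP suddenly answered by a different MAC, and one MAC claiming both targets' addresses). The MAC addresses are constructed and the frames are built inline rather than captured; the detector is my own, not Ettercap's or arpwatch's code.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt(m):
    return ":".join(f"{b:02x}" for b in m)


def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame (op 1 = request, 2 = reply)."""
    eth_dst = b"\xff" * 6 if op == 1 else tha
    eth = eth_dst + sha + struct.pack("!H", 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha,
                      ipaddress.ip_address(spa).packed, tha, ipaddress.ip_address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sha": sha, "spa": str(ipaddress.ip_address(spa)),
            "tha": tha, "tpa": str(ipaddress.ip_address(tpa))}


class ArpWatch:
    """Learn IP -> MAC bindings from replies and flag the two symptoms of the
    Ettercap attack: a known IP suddenly answered by a different MAC, and one
    MAC claiming a second IP (the attacker impersonating both targets)."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 2:        # only replies bind addresses here
            return []
        ip, new_mac = arp["spa"], arp["sha"]
        alerts = []
        old_mac = self.table.get(ip)
        if old_mac is not None and old_mac != new_mac:
            alerts.append(f"{ip} changed from {fmt(old_mac)} to {fmt(new_mac)}")
        also = [other for other, m in self.table.items() if m == new_mac and other != ip]
        if also:
            alerts.append(f"{fmt(new_mac)} claims {ip} but is already bound to {', '.join(also)}")
        self.table[ip] = new_mac
        return alerts


# Constructed MAC addresses for the lab hosts (not the real ones).
WIN7, SRV = mac("00:0c:29:aa:aa:11"), mac("00:0c:29:bb:bb:00")
GW, KALI = mac("00:0c:29:cc:cc:54"), mac("00:0c:29:dd:dd:01")

LEGIT_REPLIES = [
    build_arp(2, SRV, "192.168.95.100", WIN7, "192.168.95.11"),
    build_arp(2, GW, "192.168.95.254", WIN7, "192.168.95.11"),
    build_arp(2, WIN7, "192.168.95.11", SRV, "192.168.95.100"),
]
# What the poisoning sends: unsolicited replies binding Kali's MAC to both targets' IPs.
SPOOF_SERVER = build_arp(2, KALI, "192.168.95.100", WIN7, "192.168.95.11")
SPOOF_WIN7 = build_arp(2, KALI, "192.168.95.11", SRV, "192.168.95.100")


def run_demo():
    watch = ArpWatch()
    quiet = [watch.observe(f) for f in LEGIT_REPLIES]
    return quiet, watch.observe(SPOOF_SERVER), watch.observe(SPOOF_WIN7)


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts)
```

The first rule alone would also fire on a legitimate NIC replacement or a DHCP lease moving to another machine, so in practice the alert is correlated with the second rule and with the switch's port/MAC table. The same visibility is what "dynamic ARP inspection" on managed switches provides, dropping the forged replies instead of just logging them.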
DNS Poisoning
The ARP poisoning attack can also be used to perform other, more complex malicious tasks. One example is DNS poisoning, which involves hijacking a DNS request and replying with false information. The client saves this information in its DNS cache and uses it to access a fake web site.
The objective here is to poison the DNS cache of the Windows 7 host in our LAN. The overall aim is for Windows 7 to be tricked into accessing the wrong web site whenever its user wants to browse Internet sites like Google or Yahoo.
By performing DNS poisoning, Windows 7 will be redirected to the web server running on the Linux server.
Ettercap can be used again, this time with a plugin. First, we need to tell Ettercap the details of the poisoning. Open a terminal and edit Ettercap's DNS file (it is owned by root, so use sudo):
sudo nano /etc/ettercap/etter.dns
Scroll down to the end of the file and add the following line:
*.yahoo.com A 192.168.207.101
This tells Ettercap which queries to answer with forged records. If successful, the attack redirects any traffic for www[.]yahoo[.]com (and any other name under yahoo.com) to our Linux server with IP 192.168.207.101.
Now, we can start Ettercap and launch another ARP poisoning attack as before. This time, add Windows 7 as TARGET 1, and both the default gateway and Windows 2016 together as TARGET 2, so that Windows 7's traffic towards either of them (including its DNS queries) passes through Kali.
Then, check that the attack works (arp -a) on Windows 7:
Then, on Ettercap, click on Plugins --> Manage Plugins:
Double-click on dns_spoof: the DNS spoofing attack is now operational. As with ARP poisoning, you won't see much until a test is run:
Move to Windows 7 and check the DNS cache:
ipconfig /displaydns
Then, we can clear the cache:
ipconfig /flushdns
From Windows 7, we can try pinging www[.]yahoo[.]com and see that it pings 192.168.207.101:
Browsing to www[.]yahoo[.]com also reveals the Linux server web page:
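What the dns_spoof plugin effectively does, as an added example that is not Ettercap's code and not part of the original notes: parse a sniffed A query, match it against etter.dns-style rules (wildcards included) and build a forged reply that copies the client's transaction ID and question, which is what makes Windows 7 accept it. The rule text is constructed (the page's file only has the yahoo line), and the query is what a plain Windows 7 resolver would send, without EDNS.

```python
import fnmatch
import ipaddress
import struct

# Constructed etter.dns-style rules; the page's real file only has the yahoo line.
ETTER_DNS = """
# name              type  target
*.yahoo.com         A     192.168.207.101
intranet.caley.uni  A     192.168.207.101
"""


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, rtype, target = line.split()
            rules.append((name.lower(), rtype.upper(), target))
    return rules


def lookup(qname, rules):
    """First A rule whose (wildcard) name matches the queried name."""
    for pattern, rtype, target in rules:
        if rtype == "A" and fnmatch.fnmatchcase(qname.lower(), pattern):
            return target
    return None


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt, off):
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def build_a_query(name, txid):
    """Constructed client query, as Windows 7 would send it (no EDNS)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def forge_answer(query, rules, ttl=300):
    """Build the reply to inject, or None if no rule matches (the real answer then wins).

    The reply copies the transaction ID and the question from the sniffed query;
    together with arriving before the genuine answer, that is all the client checks."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    target = lookup(qname, rules)
    if target is None or (qtype, qclass) != (1, 1):
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1 RD=1 RA=1, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(target).packed
    return header + query[12:off + 4] + answer


def decode_answer(reply):
    """Return (txid, qname, answered IP) from a single-answer reply."""
    txid, _, _, ancount = struct.unpack("!HHHH", reply[:8])
    qname, off = decode_name(reply, 12)
    off += 4                                   # skip qtype/qclass
    # answer RR: name pointer(2) + type(2) + class(2) + ttl(4) + rdlength(2) + rdata
    rdlen = struct.unpack("!H", reply[off + 10:off + 12])[0]
    rdata = reply[off + 12:off + 12 + rdlen]
    return txid, qname, str(ipaddress.ip_address(rdata)) if ancount else None


if __name__ == "__main__":
    rules = parse_rules(ETTER_DNS)
    q = build_a_query("www.yahoo.com", 0xBEEF)
    print(decode_answer(forge_answer(q, rules)))                   # (48879, 'www.yahoo.com', '192.168.207.101')
    print(forge_answer(build_a_query("www.google.com", 1), rules))  # None: left to the real resolver
```

The reason this works so reliably in the lab is the ARP poisoning: Kali sees every query, so it knows the transaction ID and source port and can answer first. Off-path attackers have to guess both, which is why randomised source ports and DNSSEC validation matter; note that the forged answer above carries a 300-second TTL, so the poisoned entry survives in the Windows cache (ipconfig /displaydns) well after the attack stops.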
Phishing Attack with the Social Engineering Toolkit
From a terminal, launch the SET:
sudo setoolkit
First, select option 1. Next, select Website Attack Vectors (option 2) and then Credentials Harvester Attack Method (option 3):
From here, three options are available:
Web Templates
Site Cloner
Custom Import
The first two are excellent when an Internet connection is available, as they require connectivity to external websites (the Site Cloner fetches the real page to copy it).
In this example, we choose a Custom Import and enter the IP of the Kali VM and give the full path to the website (/home/kali/Documents/Fakesite/index.html):
Then, for the URL of the website imported, enter:
http://intranet.caley.uni
Next, open another terminal and launch Thunderbird - we will be sending a fake email using the student email account to Lionel Messi asking them to connect to http[:]//172.16.10.20.
From our student email, send the following:
Then, after logging into Windows XP and checking lmessi's email, we see the message:
Once we click on the link, we get taken to a website:
Enter Messi's login details and click Login. The harvester records them, and once done you get redirected to the real Caley intranet web site, so the victim sees nothing unusual.
This is a very simple exercise to show how easy it is to implement a phishing attack. Of course, a real attacker would spend more time in making the email, the link and the web site look realistic.
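The check a mail gateway or a careful user would apply to the lure above, as an added example that is not part of the original notes: extract every link from an HTML email and flag links whose target is a bare IP address, whose visible text names a different host than the real href, or whose host is outside the organisation's domains. The email body and the trusted-domain list are constructed assumptions modelled on the lab message.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: the link text shows the intranet name, the href is the Kali IP.
SAMPLE_EMAIL = """<p>Hi Lionel,</p>
<p>The intranet password policy has changed. Please log in at
<a href="http://172.16.10.20/">http://intranet.caley.uni</a> before Friday.</p>
<p>Regards,<br>IT Support<br><a href="http://intranet.caley.uni/helpdesk">Help desk</a></p>"""

TRUSTED_DOMAINS = ("caley.uni",)   # assumed list of domains the organisation owns


class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []         # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, [reasons])] for every link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if is_ip(host):
            reasons.append("href points at a bare IP address")
        # Visible text that itself looks like a hostname/URL but differs from the real target.
        shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
        if "." in shown and shown != host:
            reasons.append(f"text shows {shown} but href goes to {host}")
        if host and not in_trusted(host, trusted):
            reasons.append(f"{host} is outside the trusted domains")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "|", text)
        for r in reasons:
            print("   -", r)
```

The lab lure trips all three rules at once. A better-crafted one (a look-alike domain such as caley-uni.net with matching link text) would only trip the last, which is why the trusted-domain list, not the cosmetic checks, is the one worth maintaining.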
Denial of Service Attack with Metasploit
DoS attacks can come in many forms. Here, we implement a simple SYN flooding attack against the Windows 2016 Server. The attack is easily detectable, but it is still important to be aware of its methodology.
First, we select the SYN flood module:
use auxiliary/dos/tcp/synflood
We perform SYN flooding on port 21 (FTP), spoofing the source address so that the SYNs appear to come from the Windows 10 VM rather than from Kali:
Setting the SHOST option to the Windows 10 IP hides Kali's address; the SYN/ACKs are then sent to Windows 10, which never completes the handshake. Once the module is configured, start the DoS attack on the Windows 2016 Server:
exploit
On its own, the attack does not cause much trouble to the target. However, check its Resource Monitor and notice the peak in network traffic.
We can try logging in to FTP from another machine:
Now, we can stop the attack and run the same attack against the FTP server running on the Linux server:
This time, log in to another Windows VM and connect to the FTP server on the Linux server:
ftp 192.168.207.101
The connection hangs due to the DoS attack.