Description:

In this assignment, you will be launching a denial of service attack on a web server. We will be using hping3, a command-line oriented network security tool inside Kali Linux (an advanced penetration testing Linux distribution).

Setting up the victim machine

Download the Windows XP virtual machine with WebGoat server installed, using the following link. We will use this machine as the victim machine and launch a DoS attack on the WebGoat server.

https://drive.google.com/open?id=0BwCbaZv8DevUejBPWlNHREFVc2s

Open the victim machine and launch a new command prompt. Determine the IP address of the victim machine by typing the following command:

ipconfig

Note: Do not use or close the command prompt running WebGoat.

Make sure WebGoat is running by opening the Chrome browser inside the victim machine and browsing to the following URL:

localhost:8080/WebGoat/

Open Windows task manager inside the victim machine and click on performance. You will see a low CPU usage.

Setting up the attacker machine

Download the Kali Linux virtual machine using the following link. We will use this machine as the attacker's machine.

https://drive.google.com/open?id=0BwCbaZv8DevUdUwtcDduZWd1WE0

Log in to the machine using the following credentials:

Username: root

Password: toor

Open the Firefox browser by clicking on Firefox ESR from the left pane inside the attacker machine. You should be able to browse to the following URL and access the victim server from inside the attacker machine:

<victim machine IP address>:8080/WebGoat/

Launch the terminal by clicking on Terminal from the left pane.

Type the following command in the attacker machine's terminal after replacing the destination IP address with the IP address of the victim machine:

hping3 -c 10000 -S -p 8080 --flood --rand-source <destination ip address>

To understand the parameters in the above command, use the following reference manual:

http://www.hping.org/manpage.html

Your goal is to figure out which type of denial of service attack is launched when you run the above command.

Open Wireshark from the attacker machine by clicking on Applications -> 09 - sniffing and spoofing -> Wireshark

Click on Capture -> options -> eth0 -> start capture.

Analyze the packets as they are being captured. You can stop the capture after a while. Look at the source and destination IP address, protocol, and info columns of each packet.

Q. What type of DoS attack was launched? Explain using the packets you found in Wireshark. Add a relevant screenshot.

Also look at the CPU usage inside the task bar of the victim machine as soon as you launched the attack.

Q. Does the CPU usage of victim machine increase during the attack? Take a screenshot of the CPU usage history during the attack.

Wait for a while and try to access the victim web server again from the attacker's machine using the following URL:

<victim IP address>:8080/WebGoat/

Q: What happens when you try to access the web server? Does it take longer to load the URL? If you got an error, what was it?

Q. Briefly explain what the following command did. What did each of its parameters mean?

hping3 -c 10000 -S -p 8080 --flood --rand-source <destination ip address>

The syntax used in this command:

hping3 = Name of the application binary.

-c 100000 = Number of packets to send.

-d 120 = Size of each packet that was sent to target machine.

-S = I am sending SYN packets only.

-w 64 = TCP window size.

-p 21 = Destination port (21 being FTP port). You can use any port here.

--flood = Sending packets as fast as possible, without taking care to show incoming replies. Flood mode.

--rand-source = Using Random Source IP Addresses. You can also use -a or --spoof to hide hostnames. See MAN page below.

www.hping3testsite.com = Destination IP address or target machine's IP address. You can also use a website name here. In my case it resolves to 127.0.0.1 (as entered in /etc/hosts file)
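
A defender-side view of the Wireshark analysis step, as an added example that is not part of the original assignment: the function below flags a destination port whose traffic is dominated by connection-opening SYNs from many distinct sources that never complete the three-way handshake. The packet tuple format, the addresses (documentation ranges) and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

def find_half_open_floods(packets, min_syns=20, max_completion=0.1):
    """Flag (dst_ip, dst_port) targets whose inbound SYNs rarely complete a handshake.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, flags), where flags is
    a string of TCP flag letters such as "S", "SA" or "A" (hypothetical export format).
    """
    syn_flows = defaultdict(set)    # target -> {(src_ip, src_port)} that sent a bare SYN
    acked_flows = defaultdict(set)  # target -> flows whose client later sent a bare ACK
    for src, sport, dst, dport, flags in packets:
        target, flow = (dst, dport), (src, sport)
        if flags == "S":
            syn_flows[target].add(flow)
        elif flags == "A" and flow in syn_flows.get(target, ()):
            acked_flows[target].add(flow)
    findings = []
    for target, flows in syn_flows.items():
        completion = len(acked_flows[target]) / len(flows)
        # Many SYNs, almost none followed by the client's ACK: half-open pile-up.
        if len(flows) >= min_syns and completion <= max_completion:
            findings.append({
                "target": target,
                "syn_flows": len(flows),
                "distinct_sources": len({ip for ip, _ in flows}),
                "completion_ratio": round(completion, 3),
            })
    return findings

def build_sample():
    """Constructed capture: 200 unanswered SYNs plus 3 normal handshakes to one port."""
    victim = ("192.0.2.10", 8080)
    pkts = [(f"198.51.100.{i}", 1024 + i, *victim, "S") for i in range(1, 201)]
    for port in (50001, 50002, 50003):  # one legitimate client completing handshakes
        pkts += [("192.0.2.50", port, *victim, "S"),
                 (*victim, "192.0.2.50", port, "SA"),
                 ("192.0.2.50", port, *victim, "A")]
    return pkts

if __name__ == "__main__":
    for finding in find_half_open_floods(build_sample()):
        print(finding)
```

The same three signals (SYN count, distinct source addresses, handshake completion ratio) are what the source, destination and info columns in Wireshark let you read off by eye.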
