DOS Attack with Packet Crafting using Colasoft

In our previous article we discussed “packet crafting using Colasoft Packet Builder”, and today you will see a DOS attack using Colasoft Packet Builder. In DOS penetration testing part 1 we used Hping3 in Kali Linux to generate TCP, UDP, SYN, FIN and RST traffic floods for a DOS attack on the target’s network. Similarly, we are going to use Colasoft for all those attacks by changing the data size of the packets and the time elapsed between packets.

Let’s start!!!

TCP DOS Attack

You can download it from the given link; once it is downloaded, run the application as administrator to begin the DOS attack.


Click on ADD in the menu bar.


A small window will pop up to select the mode of attack; here we are going to choose TCP packet to generate a TCP packet flood on the target’s network. If you look at the image below, you will observe that I had set the delta time to 0.1 sec as the time elapsed between packets for all packets. This is because the smaller the time elapsed, the faster the packets are sent to the target’s network.


The window is divided into three sections: Decode Editor, Hex Editor and Packet List. From the given image you can observe the following information which I had edited for the TCP packet.
Decode Editor: This section contains packet information such as protocol, time to live, etc. Here you need to add the source address responsible for sending the packet and then add the destination address which is responsible for receiving the incoming packet traffic.

Source address: 192.168.1.102
Destination address: 192.168.1.107
Hex Editor: This section displays the raw information (hexadecimal) related to the data size of the packet. By typing a random string you can increase the data length of the packet.
Packet size: 112 bytes



Packet List: It displays the complete information of your packet, which contains the source address and destination address, time to live and other information which we had edited.


Note: It is only available when you have run the application as administrator.




Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust its size according to your wish.
Then click on Start to launch the TCP packets for the DOS attack.




TCP SYN DOS Attack
Again repeat the same steps and choose TCP packet to generate a TCP SYN flood on the target’s network. If you look at the image below, you will observe that I had set the same delta time of 0.1 sec.


You must be aware of the TCP SYN flood attack; in order to generate only SYN packet traffic, activate the TCP flag for synchronize sequence by changing the bit from 0 to 1.

Hence this time I had set the information below in the Decode Editor and Hex Editor.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Flag: SYN
Packet size: 115 bytes


Then repeat the above steps of the TCP flood to begin the attack.

Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust its size according to your wish.
Then click on Start to launch the TCP packets for the DOS attack.


You can clearly observe the flow of SYN packet traffic from the attacker’s network to the target’s network; after some time it will demolish the victim’s machine so that the victim is not able to reply to any legitimate request from other users.


TCP RST DOS Attack
Again repeat the same steps and choose TCP packet to generate a TCP Reset flood on the target’s network. If you look at the image below, you will observe that again I had set the delta time to 0.1 sec; this is because the smaller the time elapsed, the faster the packets are sent to the target’s network.



Hence this time I had set the information below in the Decode Editor and Hex Editor.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Flag: Reset
Packet size: 104 bytes


After that, repeat the above steps to begin the attack.
Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust its size according to your wish.
Then click on Start to launch the TCP packets for the DOS attack.


You can clearly observe the flow of RST packet traffic from the attacker’s network to the target’s network; after some time it will demolish the victim’s machine so that the victim is not able to reply to any legitimate request from other users.
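Seen from the receiving side, the SYN and RST floods described above show up as many bare SYN (or RST) segments for one destination inside a short window. The following Python code is an added example, not part of the original article: it decodes the same header fields the Decode Editor shows and counts those segments. The function names, the 1-second window, the threshold of 8 and the client address 192.168.1.50 are assumptions, and the frames are constructed in memory as sample input.

```python
import struct
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10   # bit masks in the TCP flags byte

def parse_tcp(frame):
    """Decode an Ethernet/IPv4/TCP frame -> (src, dst, dport, flags), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                             # IP header length
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:    # IPv4, protocol TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 14:                                # truncated TCP header
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    return src, dst, dport, frame[tcp + 13]

def detect_floods(capture, window=1.0, threshold=8):
    """capture: (timestamp, frame) pairs. Flag a destination when one window
    holds >= threshold bare SYNs (SYN without ACK) or RSTs. Threshold is assumed."""
    buckets = Counter()
    for ts, frame in capture:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        _, dst, _, flags = parsed
        if flags & SYN and not flags & ACK:
            kind = "SYN"
        elif flags & RST:
            kind = "RST"
        else:
            continue
        buckets[(dst, kind, int(ts // window))] += 1
    return sorted({(d, k) for (d, k, _), n in buckets.items() if n >= threshold})

def sample_frame(src, dst, flags):
    """Constructed in-memory test frame (checksums zero, never transmitted)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 8192, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed capture: 0.1 s spaced SYNs and RSTs plus one normal handshake."""
    a, v, c = "192.168.1.102", "192.168.1.107", "192.168.1.50"
    cap = [(i * 0.1, sample_frame(a, v, SYN)) for i in range(10)]
    cap += [(5 + i * 0.1, sample_frame(a, v, RST)) for i in range(10)]
    cap += [(9.0, sample_frame(c, v, SYN)), (9.01, sample_frame(v, c, SYN | ACK)),
            (9.02, sample_frame(c, v, ACK))]
    return cap

if __name__ == "__main__":
    print(detect_floods(sample_capture()))
```

The single handshake from 192.168.1.50 stays below the threshold, so only the two floods towards 192.168.1.107 are reported.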


UDP DOS Attack
Again repeat the same steps and choose UDP packet to generate a UDP flood on the target’s network. If you look at the image below, you will observe that again I had set the delta time to 0.1 sec as the time elapsed between packets for all packets.


This time I had set the information below in the Decode Editor and Hex Editor.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Source port: 80
Packet size: 113 bytes


After editing your packet information, verify the changes through the packet list on the right side of the window before launching the attack.


Click on Adapter to select the specific adapter for the DOS attack. From the image below you can observe it showing adapter status: LAN Operational.


Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust its size according to your wish.
Then click on Start to launch the UDP packets for the DOS attack.


You can clearly observe in the image below the flow of UDP packet traffic from the attacker’s network to the target’s network; after some time it will demolish the victim’s machine so that the victim is not able to reply to any legitimate request from other users.



Packet Crafting with Colasoft Packet Builder

In this tutorial we are going to discuss packet crafting using a great tool, Colasoft Packet Builder, which is quite useful for testing the strength of firewalls, IDS and servers against malicious floods of network traffic such as TCP and UDP DoS attacks. This tool is very easy to use, especially for beginners.

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behavior, instead of using existing network traffic. Testing may target the firewall, IDS, TCP/IP stack, router or any other component of the network. Packets are usually created by using a packet generator or packet analyzer which allows for specific options and flags to be set on the created packets. The act of packet crafting can be broken into four stages: Packet Assembly, Packet Editing, Packet Play and Packet Decoding.
For more details, visit Wikipedia.org

Mode of Operation

Packet Assembly: This is the initial stage of packet crafting, where the tester needs to decide which network can be compromised easily by creating a packet which can exploit the network by targeting its vulnerability. The packet should be designed in such a manner that it remains undetectable in the target’s network.

Famous tools for Packet Assembly: Hping3 and Yersinia

Packet Editing: In this stage the captured packet is edited or modified in ways that are not possible in the Packet Assembly phase. In this phase the packet is edited so that it can dump more and more information about the target’s network by making a small change to it, for example changing the data length (payload) of the packets.
Famous tools for Packet Editing: Colasoft and Scapy

Packet Playing: In this phase, when the packet is ready to launch, it is sent to the target’s network to exploit it and collect information. This is the actual arena where both of the above actions are tested; if the packet fails to complete its goal of retrieving the victim’s information or exploiting its vulnerability, the packet is sent back to the Packet Editing phase for modification.

Packet Analysis: This is the last stage, where the packet is analysed when it is received on the targeted network. The captured packet is decoded for further investigation to retrieve its internal details, which can reveal its goal for establishing a connection on the target’s network.
Famous tools for Packet Analysis: Wireshark and Tcpdump

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing raw data, it features a Decoding Editor allowing users to edit specific protocol field values much easier.
Users are also able to edit decoding information in two editors - Decode Editor and Hex Editor. Users can select one from the provided templates Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet, and change the parameters in the decoder editor, hexadecimal editor or ASCII editor to create packets. Any changes will be immediately displayed in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to network.


Let’s start!!!

TCP Packet Crafting

You can download it from the link given above; once it is downloaded, run the application as administrator to begin crafting various packets. As I had explained above, packet crafting involves 4 phases; let’s start by adding the packet which we will craft for testing our network.


Click on ADD in the menu bar.


A small window will pop up to select the type of IP packet to be crafted. Here we are going to choose TCP packet for crafting, for example by increasing the size of the packet or by sending an individual flag of the TCP protocol to the destination IP address. If you look at the image below, you will observe that I had set the delta time to 0.1 sec as the time elapsed between packets for all crafted packets. The delta time is the time gap between each packet.


The window is divided into three sections: Decode Editor, Hex Editor and Packet List. From the given image you can observe the following information which I had edited for the TCP packet.
Decode Editor: This section contains packet information such as protocol, time to live, etc. Here you need to add the source address responsible for sending the packet and then add the destination address which is responsible for receiving the incoming packet traffic.

Source address: 192.168.1.102
Destination address: 192.168.1.107

Hex Editor: This section displays the raw information (hexadecimal) related to the data size of the packet. By typing a random string you can increase the size of the packet.
Packet size: 77 bytes
This phase is also known as Packet Editing mode, where we can modify our packet.




Click on Adapter in the menu bar to select the specific adapter from which packets will be sent. From the image below you can observe it showing adapter status: LAN Operational.
Note: It is only available when you have run the application as administrator.


Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust the number of packets to be sent to the destination network and the delay between each packet.
Then click on Start to send the TCP packets. This phase is known as Packet Playing mode, where we are ready to send the packet to the target network.





ARP Packet Crafting
Again repeat the same steps and choose ARP packet to craft a packet for the ARP protocol on the target’s network. If you look at the image below, you will observe that I had set the same delta time of 0.1 sec.


Apart from editing the source and destination IP, here we also need to add the source and destination physical addresses.
Hence this time I had set the information below in the Decode Editor and Hex Editor.
Source MAC: AA:AA:AA:AA:AA:AA
Source address: 192.168.1.102
Destination MAC: BB:BB:BB:BB:BB:BB
Destination address: 192.168.1.107
Packet size: 78 bytes

You can use any method to find the destination MAC address.




Click on Adapter in the menu bar to select the specific adapter for network selection. From the image below you can observe it showing adapter status: LAN Operational.


Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust the number of packets to be sent to the destination network according to your wish.
Then click on Start to launch the sending process of the ARP packets. This action is known as Packet Playing.


From the image below you can observe the continuous ARP packets making requests for who is 192.168.1.107, which means our packet playing gives a positive result. From Wireshark the target is able to analyse the goal of the packet received from the sender’s network.


IPv4 Packet Crafting 
Again repeat the same process and choose IP packet to craft a packet for the IPv4 protocol on the target’s network. If you look at the image below, you will observe that I had set the same delta time of 0.1 sec.


This time I had set the information below in the Decode Editor and Hex Editor for editing the packet.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Packet size: 71 bytes







Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust the number of packets to be sent to the destination network according to your wish.
Then click on Start to send the IPv4 packets.





UDP Packet Crafting
Again repeat the same steps and choose UDP packet to craft a UDP packet. If you look at the image below, you will observe that again I had set the delta time to 0.1 sec as the time elapsed between packets for all packets.


This time I had edited the information below in the Decode Editor and Hex Editor for designing my packet.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Packet size: 72 bytes


After editing your packet information, verify the changes through the packet list on the right side of the window.


Click on Adapter to select the specific adapter for sending the packets. From the image below you can observe it showing adapter status: LAN Operational.


Click on the Send option in the menu bar, enable the check boxes for “Burst Mode” and “Loop sending” and adjust the number of packets to be sent to the destination network according to your wish.
Then click on the Start button to send the crafted UDP packets.


You can clearly observe in the image below the flow of UDP packet traffic from the sender’s network to the receiver’s network.
Hence in this tutorial we tried to explain all four modes of operation of crafting a packet for testing a network using Colasoft and Wireshark.



DHCP Penetration Testing

DHCP stands for Dynamic Host Configuration Protocol; a DHCP server dynamically assigns IP addresses to DHCP-enabled hosts (DHCP clients). Basically, a DHCP server reduces the manual effort of the administrator in configuring IP addresses on client machines by automatically assigning a valid IP to each network device. DHCP is available for distributing IP addresses of any class among A, B, C, D and E on the basis of their netmask description, which means it is applicable to a small network as well as a huge one.
DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
There are three mechanisms used to assign an IP address to the client. They are:
·         Automatic allocation - DHCP assigns a permanent IP address to a client
·         Manual allocation - Client's IP address is assigned by the administrator, DHCP conveys the address to the client.
·         Dynamic allocation - DHCP assigns an IP address to the client for a limited period of time (lease).

Mode of Operation of DHCP Server and DHCP Client

·         DHCP Discover: The DHCP client broadcasts a DHCP Discover message to the DHCP server as an IP address lease request, through subnet mask e.g. 255.255.255.255.
·         DHCP Offer: The DHCP server receives the DHCP Discover message for an IP address lease from the DHCP client, reserves an IP for it and sends a DHCP OFFER message to the DHCP client for the IP lease.
·         DHCP Request: The DHCP client broadcasts a message to the DHCP server accepting the offered IP after receiving the offer packets, and makes a DHCP request for IP parameter configuration.
·         DHCP Acknowledgment: The DHCP server receives the DHCP client’s request for IP configuration and in response sends a DHCPACK message to the client with the committed IP address and its configuration, along with some additional information such as the lease time of the offered IP.
·         DHCP Release: The DHCP client sends a DHCP Release packet to the DHCP server to release the IP address.



DHCP Starvation Attack

A DHCP starvation attack may also be categorised as a DHCP DoS attack, where the attacker broadcasts fake DHCP requests with spoofed MAC addresses. If the official server replies to these fake requests, it can exhaust the address space available to the DHCP server for a period of time. This can be performed using attack tools such as “Yersinia”.
The attacker may now place a rogue server in the network and respond to new DHCP requests from clients.

From the image below you can observe that by executing the given command we discovered the hardware addresses bound on our official router. Here we had used a CISCO router for DHCP penetration testing.
show ip dhcp binding


Launch DHCP Starvation Attack using Yersinia


Yersinia is a network tool designed to take advantage of some weakness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

Currently yersinia supports:
Spanning Tree Protocol (STP)
Cisco Discovery Protocol (CDP)
Dynamic Trunking Protocol (DTP)
Dynamic Host Configuration Protocol (DHCP)
Hot Standby Router Protocol (HSRP)
IEEE 802.1Q
IEEE 802.1X
Inter-Switch Link Protocol (ISL)
VLAN Trunking Protocol (VTP)
From http://www.yersinia.net/

Yersinia is installed by default in Kali Linux and is available for DHCP penetration testing; open the terminal and execute the given command, which will open Yersinia in GUI mode as shown in the image below.
yersinia -G


You will observe a few tabs in the menu bar; click on Launch attack. A small window will pop up for choosing the protocol for the attack; here we had selected DHCP. Now enable the option for sending DISCOVER packets.



Now it will start sending Discover packets to the router to release an IP for each of its fake Discover messages, as shown in the given image.


From the image below you can observe that Wireshark has captured the DHCP packets, where the attacker machine, with source 0.0.0.0, is broadcasting DISCOVER messages to destination 255.255.255.255. This is a DHCP starvation attack, which is also considered a DHCP DoS attack because it sends Discover messages endlessly into the network to block the responding server from serving genuine requests from other DHCP clients.


Now when you check the router’s IP table again, you will observe that all IPs are allocated to different hardware addresses, as shown in the image below.


A rogue DHCP server is a forged server of the attacker which is placed in a local network for stealing information that is being shared among several clients. After a DHCP starvation attack, the official DHCP server is unable to offer an IP to a DHCP client. Therefore, when a client releases its old IP and requests a new IP by broadcasting a DHCP Discover message, the rogue server offers an IP in response to the DHCP client; the client then requests its IP configuration from the fake server and gets trapped in the fake network. Now if the client transfers any information over the fake network, it can easily be sniffed by the rogue server.
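Both the starvation attack and the rogue server described above leave clear traces in DHCP traffic: a burst of DISCOVER messages with ever-changing client hardware addresses, and OFFERs whose server identifier (option 54) is not the official server. The following Python code is an added example, not part of the original article. It parses DHCP payloads and reports both conditions; the function names, the 10-second window, the limit of 20 MACs and the official server address 192.168.1.1 are assumptions, and the payloads are constructed in memory as sample input.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
DISCOVER, OFFER = 1, 2               # values of option 53 (message type)

def parse_dhcp(payload):
    """Parse a DHCP UDP payload -> {'type', 'chaddr', 'server_id'} or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")  # chaddr, hlen bytes long
    msg = {"type": None, "chaddr": mac, "server_id": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                               # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            msg["type"] = value[0]
        elif code == 54 and len(value) == 4:              # server identifier
            msg["server_id"] = ".".join(map(str, value))
        i += 2 + length
    return msg

def analyse(capture, authorised, window=10.0, max_macs=20):
    """capture: (timestamp, payload) pairs. Returns (windows with more than
    max_macs distinct DISCOVER client MACs, OFFER servers not in `authorised`)."""
    macs, rogue = defaultdict(set), set()
    for ts, payload in capture:
        msg = parse_dhcp(payload)
        if msg is None:
            continue
        if msg["type"] == DISCOVER:
            macs[int(ts // window)].add(msg["chaddr"])
        elif msg["type"] == OFFER and msg["server_id"] not in authorised:
            rogue.add(msg["server_id"] or "unknown")
    return sorted(w for w, seen in macs.items() if len(seen) > max_macs), sorted(rogue)

def sample_msg(mtype, mac, server=None):
    """Constructed in-memory test payload (never transmitted)."""
    head = struct.pack("!BBBBIHH16x6s10x192x", 1 if mtype == DISCOVER else 2,
                       1, 6, 0, 0x1234, 0, 0, mac)
    opts = bytes([53, 1, mtype])
    if server:
        opts += bytes([54, 4]) + bytes(map(int, server.split(".")))
    return head + MAGIC + opts + b"\xff"

def sample_capture():
    """Constructed capture: 50 DISCOVERs with changing MACs, then two OFFERs."""
    cap = [(i * 0.1, sample_msg(DISCOVER, (0x020000000000 + i).to_bytes(6, "big")))
           for i in range(50)]
    pc = bytes.fromhex("001122334455")
    return cap + [(30.0, sample_msg(DISCOVER, pc)),
                  (30.1, sample_msg(OFFER, pc, "192.168.1.1")),
                  (30.2, sample_msg(OFFER, pc, "192.168.1.104"))]

if __name__ == "__main__":
    print(analyse(sample_capture(), {"192.168.1.1"}))
```

On a managed switch the same two conditions are what DHCP snooping with a per-port rate limit and trusted server ports enforces in hardware.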


From the image below you can check that the attacker’s machine IP is 192.168.1.104, which will be reflected as the DNS address on the victim’s machine (Windows).


Now open the terminal and type “msfconsole” for the Metasploit framework, and execute the commands given below, which will create your rogue server in the network.

msf > use auxiliary/server/dhcp
msf auxiliary(dhcp) > set srvhost 192.168.1.104
msf auxiliary(dhcp) > set netmask 255.255.255.0
msf auxiliary(dhcp) > set DHCPIPSTART 192.168.1.200
msf auxiliary(dhcp) > set DHCPIPEND 192.168.1.205
msf auxiliary(dhcp) > exploit

If you look at the above commands, you will find that they start a DHCP service that behaves like a DHCP server and offers Class C IPs to official DHCP clients from the specified pool between 192.168.1.200 and 192.168.1.205.
Now turn on another system in the network and check its IP configuration.




From the image below you can observe that the IP 192.168.1.202 is allocated to Ubuntu, which is an official DHCP client. Now if the client transfers any information over the fake network, it can easily be sniffed by the rogue server. For details read our previous article “Comprehensive guide on sniffing