Lab 1 TCP IP Attacks PDF

Title Lab 1 TCP IP Attacks
Author Trang Duong
Course National Security
Institution New York University
Pages 15
File Size 1.5 MB
File Type PDF
Total Downloads 100
Total Views 148
Preview
CLICK TO PREVIEW PDF
Summary

Download Lab 1 TCP IP Attacks PDF

Description

Task 1: SYN Flooding Attack At first, I listed the IPv4 addresses of the virtual machines. The IP address of the observer machine: 10.0.2.4.

The IP address of the hacker machine: 10.0.2.15.

The IP address of the victim machine: 10.0.2.5.

Now, I checked the size of the queue to show the maximum number of SYN requests using the command “sysctl -q net.ipv4.tcp_max_syn_backlog”. I ran the command “netstat -na” to check the status of all the connections.

I then tried to connect to the server normally as the client.

Before launching the attack, the telnet connection is successful from the victim to the observer using the command “netstat -na”.

I then initiated the SYN flooding attack from the attacker. The attacker used netwox 76 to send a spoofed SYN request to the victim using port 23. The observer can see the spoofed TCP SYN packets with different IP addresses being sent to the victim.

As a result, since the victim’s syn queue gets filled up, it sends out the SYN-ACK packet and waits for the ACK which can be seen as SYN_RECV. This indicates that the connection is in half opened state.

Once I saw that the queue was filled, I tried to connect to the server from the victim machine and it was successful.

When the cookie is enabled, SYN flooding isn’t successful. The SYN attack has no effect on the victim machine because the SYN cookie is enabled, which protects the victim machine against the SYN flooding from the attacker machine.

I then disabled the SYN cookie using the command “sudo sysctl -w net.ipv4.tcp_syncookies=0” and typed “sysctl -a | grep cookie” to see the change. The SYN cookie is now set to value 0. I then again initiated the SYN Flooding Attack from the attacker. The attacker used netwox 76 to send a spoofed SYN request to the victim using port 23.

The connection from the victim isn’t successful now since the attack is successful. Therefore, when trying the command “telnet 10.0.2.4” on the victim machine, it would just stay at “Trying”. Hence, the service was denied because of the attack.

Task 2: TCP RST Attacks on telnet and ssh Connections Telnet connection I tried to establish a telnet connection from the victim using “telnet 10.0.2.4” to the observer to see if there are any issues or attacks. I see that the victim can make a telnet connection to the observer just fine when there is no TCP RST attack. Using the “ifconfig” command shows that the victim now has the observer’s IPv4 address.

Using Wireshark, the attacker can see the connection made between the observer and victim as well as the packet being sent to these two machines.

After the connection is established, the “ls” command in the victim machine shows the folders inside the observer computer.

After a few observations, we start the attack. The attacker sends out the TCP RST packet to the victim through the source IP address described as an observer. The command in the attacker machine is: “netwox 78 --device “Eth0” --filter “host 10.0.2.5” --spoofip “raw” --ips “10.0.2.4””.

At this point, the attacker waits for any victim packet in LAN. If the victim types any further command inside the observer, the TCP RST packet is sent to the victim and the telnet connection is forced to get terminated. We get an error saying that “connection closed by foreign host”.

SSH connection I used the command “ssh 10.0.2.4” to see what would happen. I saw that the victim can make a successful SSH connection with the observer before the attack.

After we see that the connection is established, using the “ls” command in the victim machine shows the folders of the observer.

I started the attack in which the attacker generates a forged TCP RST packet using netwox 78 and listens to any packet through port 22.

Figure 13: TCP RST attack on SSH connection After that, the SSH connection is forced to be terminated when the victim tries to list the folders in the observer machine using the “ls” command. Therefore, it showed an error saying “Write failed: broken pipe”.

Scrapy At first, I ran the command “telnet 10.0.2.4” on the victim machine and entered the username and password that were prompted. In Wireshark, I observed what was happening and recorded all the values needed for the python script such as scr, dst, sport, dport, flags, seq and ack.

Using the information received from Wireshark, I then wrote the code to conduct the TCP RST attack.

After that, I ran the python script in the attacker machine using the following command shown below.

I then tried to see what would happen in the victim machine and observed that the connection is closed as seen below.

Task 3: TCP RST Attacks on Video Streaming Applications The victim machine went on the browser and watched online video streaming. The video will keep on streaming if there is no reset attack.

Now, I tried to initiate the attack in the victim machine where the video is streaming. The TCP RST packet is sent by the victim machine. The command used in the victim machine is shown below.

When I ran the command, the connection was terminated through forged TCP RST and the video played as long as it was streamed before the attack. Once it loaded to the point before the attack, the video stopped and came to an end.

Task 4: TCP Session Hijacking Netwox In the victim machine, I ran the command “telnet 10.0.2.4” to make a connection to the observer 10.0.2.4.

In Wireshark, we see the connection between the victim and the observer.

As shown above, Wireshark provides the following information about source port, destination port, sequence numbers and acknowledgement number. Moreover, it shows fragment status (don’t fragment), time to live (ttl) and window size value. Furthermore, we can see that the observer acknowledges the victim’s TCP packet by sending the ACK (ACKnowledge) packet. I then went to the attacker machine and typed the command “"touch hijack\r\n".encode("hex")”.

After gathering all the needed information, I will now initiate the TCP Session Hijacking Attack. The attacker forges a TCP packet using netwox 40 with the following command: “sudo netwox 40 --ip4-ttl 64 --ip4-src 10.0.2.5 --ip4-dst 10.0.2.4 --tcp-src 45962 --tcp-dst 23 --tcp-seqnum 2766603448 --tcp-acknum 4197454672 --tcp-data 746f7563682068696a61636b0d0a --tcp-urg --tcp-ack --tcp-window 245”. The attacker has successfully forged and sent a telnet packet to the observer.

According to Wireshark, retransmission packets between the victim and observer showed that the attack was successful since the injected data from the attacker is

causing confusion regarding sequence and acknowledgement numbers between the victim and the observer.

As a result, we can see the file “hijack” was created in the observer machine.

Moreover, if we tried to type any command in the victim machine, we can see that the terminal got frozen.

Scrapy I used the command “telnet 10.0.2.4” to establish the telnet connection from victim to observer.

In Wireshark, I obtained the necessary information such as source port, destination port, sequence number and acknowledgement number.

The session hijacking python script is written on the attacker machine. We write the .py based on the information we received from Wireshark.

After that, I run the command “sudo python scrapy_hijacking.py”.

Utilized session hijacking python script to spoof a TCP packet and hijack the telnet session. According to Wireshark, retransmission packets between the victim and observer showed that the attack was successful since the injected data from the attacker is causing confusion regarding sequence and acknowledgement numbers between the victim and the observer.

As a result, we can see the file “testing” was created in the observer machine.

Moreover, the victim terminal froze, which showed that the attack was underway.

Task 5: Creating Reverse Shell using TCP Session Hijacking On the attacker machine, I typed the command “nc -lv 9090” and showed that it’s listening.

After that, on the victim machine, I established the telnet connection from the victim to the observer using the command “telnet 10.0.2.4”

Using Wireshark, I obtained the necessary information.

The session hijacking python script is written on the attacker machine. We write the .py based on the information we received from Wireshark.

After that, I run the command “sudo python hijacking.py”.

Utilized session hijacking python script to spoof a TCP packet and hijack the telnet session. According to Wireshark, retransmission packets between the victim and observer showed that the attack was successful since the injected data from the attacker is causing confusion regarding sequence and acknowledgement numbers between the victim and the observer.

As a result, we can see the file “task5_hijacking” was created by the attacker in the observer machine.

The attacker was able to hijack the session using the reverse shell command and can now type any command from the attacker on the server machine. The attacker then tried to create an attack.txt file on the server . As a result, it was successful....

Similar Free PDFs
Lab 1 TCP IP Attacks
  • 15 Pages
Práctica Comandos TCP/IP
  • 33 Pages
Tcp-ip-question-bank
  • 25 Pages
Consulta TCP-IP - Nota: 8
  • 3 Pages
TCP IP Protocol AND Layers
  • 3 Pages
Lab4b TCP - TCP lab material
  • 6 Pages
Apuntes TCP-IP-37-51
  • 15 Pages
HUBUNGAN DAN PERBEDAAN TCP/IP DENGAN OSI
  • 6 Pages
Makalah TCP - IP Fikri Zakaria Rahman
  • 10 Pages
Wireshark Lab: TCP v7 - lab
  • 3 Pages
TCP Lab Assessment
  • 8 Pages
L5. Los modelos OSI y TCP IP
  • 6 Pages
4.1.2.5 Packet Tracer – Configure IP ACLs to Mitigate Attacks Answers
  • 6 Pages
IP LAB Manual 2017
  • 60 Pages
4.1.2.5 Packet Tracer - Configure IP ACLs to Mitigate Attacks Instructor
  • 5 Pages
Wireshark Lab: IP v7 - lab
  • 3 Pages
Popular Institutions