Netwox 78

Date: 2020-03-04

PLAGIARISM SCAN REPORT

Exclude Url : None

Content Checked For Plagiarism

ASSIGNMENT TCP/IP Attack Lab Student Name: University Name: February 21, 2020 ? Table of Contents Task 1: SYN Flooding Attack 3

Solution: 3 Step# 01: 6 Step# 02: 6 Step# 03: 7 Step# 04: 8 Step# 05: 9 Step# 06: 10 Step# 07: 11 Task 2: TCP RST Attacks on telnet and

ssh Connections 12 Solution: 12 Telnet Connection: 12 Step# 01: 12 Step# 02: 14 Step# 03: 16 Step# 04: 17 Step# 05: 18 SSH

connection: 19 Step# 01: 19 Step# 02: 20 Step# 03: 21 Step# 04: 22 Step# 05: 22 Step# 06: 23 Task 3: TCP RST Attacks on Video

Streaming Applications 24 Solution: 24 Step# 01: 24 Step# 02: 25 Step# 03: 26 Step# 04: 27 Task 4: TCP Session Hijacking 28 Solution:

28 Step# 01: 28 Step# 02: 28 Step# 03: 31 Step# 04: 31 Step# 05: 32 Step# 06: 33 Step# 09: 34 ? Task 1: SYN Flooding Attack Solution:

First of all, let’s list the IPv4 addresses of the virtual machines: Figure 3.1.1: IPv4 address of SEEDUbuntu Figure 3.1.2: IPv4 address of

SEEDUbuntu_Hacker Figure 3.1.3: IPv4 address of SEEDUbuntu_User Let’s list all the IPv4 addresses below for convenience:

SEEDUbuntu 192.168.56.101 SEEDUbuntu_Hacker 192.168.56.102 SEEDUbuntu_User 192.168.56.103 Step# 01: Check the status of

cookies in the victim machine: sysctl net.ipv4.tcp_syncookies Figure 3.1.4: Cookies status in the victim compute As we can see in Figure

3.1.4, in the victim machine, the cookies is on because the value is 1. Step# 02: In the victim machine, let’s use the command: netstat -anp |

grep ":23” Figure 3.1.5: netstat -anp | grep ":23 " As we can see in Figure 3.1.5, initially in the victim machine port 23 is open and listening

for any incoming packets. Step# 03: Feed the parameters in “Netwag” and “generate” the command for the attacker’s terminal: Figure 3.1.6:

Terminal command generated in Netwag Step# 04: Initiate the SYN Flooding Attack from the attacker using the command: netwox 76 --dst-

ip 192.168.56.103 --dst-port 23 --spoofip "raw" Figure 3.1.7: SYN Flooding Attack Here, sudo -s command was used to utilize the root

privilege for the netwox command. Without the root privilege, the command returns an error. As we see in Figure 3.1.7, the attacker used

netwox 76 to send spoofed SYN request to the victim under port 23. The packet type must ALWAYS be raw or else the attacker would send

an ARP request for the MAC address of the spoofed source IPv4 address. Step# 05: Observer observes the network traffic on Wire shark.

Figure 3.1.8: Wireshark output observed by observer As we can see in Figure 3.1.8, the observer can see the spoofed TCP SYN packets

with different IP address being sent to the victim. Step# 06: Let’s type the command netstat -anp | grep ":23 " in the victim machine while

the attack is in progress: Figure 3.1.9: netstat –na | less As we can see in Figure 3.1.9, there is no effect of the SYN attack in the victim

computer. It is because in Step# 01, we saw that the SYN Cookie is enabled, which is protecting the victim machine against the SYN

flooding from the attacker machine. Step# 07: Now let’s turn off the SYN cookie in the victim machine with command sysctl -w

net.ipv4.tcp_syncookies=0 and using sysctl net.ipv4.tcp_syncookies, see the change. After that repeat Step# 04, Step# 05 and Step# 06.

The results are as follows: Figure 3.1.10: Step# 07 + Repetition of Step# 04, Step# 05 and Step# 06 for a Successful SYN Flood Attack As

we can see in Figure 3.1.13, as the victim’s syn queue gets filled up it sends out the SYN-ACK packet and waits for the ACK which can be

seen as SYN_RECV which indicates that the connection is in half opened state. Below is the updated Wireshark observation on a random

transmission packet: Figure 3.1.11: Wire shark output observed by observe Task 2: TCP RST Attacks on telnet and ssh Connections

Solution: Telnet Connection: Figure 3.2.1: Telnet connection from the victim to the observer Step# 01: Establish telnet connection from the

victim to the observer: As we can see in Figure 3.2.1, when there is no TCP RST attack the victim can make a telnet connection to the

observer. The ifconfig command shows that the victim now possess the observer’s IPv4 address as displayed in Figure 3.2.2: Figure 3.2.2:

Victim possesses observer’s IPv4 address Figure 3.2.3: Wireshark observation of packet transmission Figure 3.2.4: Packet# 01 telnet data

As we can see in Figure 3.2.3 and Figure 3.2.4, the attacker watches the connection made between the victim and observer and the packet

being sent these two machines between utilizing Wire shark. Step# 02: After the connection is established, the ls command in the victim

machine shows the folder listing of the observer (Figure 3.2.5), which is verified by taking a screenshot of folders from the observer

55% Plagiarised

45% Unique

900 Words

6508 Characters

machine (Figure 3.2.6): Figure 3.2.5: ls command in victim machine displays the folders in the observer machine Figure 3.2.6: Screenshot

of folders from the observer machine Step# 03: Let's start the attack! The attacker sends out the forged TCP RCT packet to the victim by

modifying the source IP address as observer. The filter can also be changed to host 192.168.56.103 and dst port 23. Command in the

attacker: sudo -s netwox 78 --device "Eth0" --filter "host 192.168.56.103" --spoofip "raw" --ips "192.168.56.101" Figure 3.2.7: netwag

generated command Figure 3.2.8: TCP RST Attack on telnet Step# 04: The attacker prepares and waits for any victim packet in LAN.

Once the victim types any further command inside observer the TCP RST packet is sent to the victim and forces it to terminate the telnet

connection. Figure 3.2.9: telnet connection terminated Step# 05: The attacker can see the TCP RST packet sent by the observer to the

victim forcing it to terminate the connection utilizing Wire shark. Figure 3.2.10: Wireshark observation (Boxed in Blue: Frame# 13) Figure

3.2.11: Wireshark observation of Frame# 13 SSH connection:

35% Plagiarised

... filled up it sends out the SYN -ACK packet and waits for the ACK which can be seen as SYN_RECV which indicates that the

connection is in half opened state.

https://www.coursehero.com/file/p3bcaj1/16856103-Victim-Purple-background-Step-01-Check-the-status-of-cookies-in-the/

3% Plagiarised

3.2 Task 2: TCP RST Attacks on telnet and ssh Connections Using Ubuntu Seedlabs complete the following task: The TCP RST

Attack can terminate an ...

https://www.coursehero.com/file/49097634/32-Task-2-TCP-RST-Attacks-on-telnet-and-ssh-ConnectionsUsing-Ubudocx/

15% Plagiarised

Page 13 of 27 Figure 3.2.10: Wireshark observation (Boxed in Blue: Frame# 13) Figure 3.2.11: Wireshark observation of Frame# 13

SSH connection: Step# 01 : Before the attack the victim can make successful SSH connection with observer ...

https://www.coursehero.com/file/p1nv2c2v/In-this-task-you-need-to-launch-an-TCP-RST-attack-to-break-an-existing-telnet/

3% Plagiarised

Once the victim types any further command inside observer the TCP RST packet is sent to the victim and forces it to terminate the

telnet connection. Observation: ...

https://www.coursehero.com/file/p5df345p/The-attack-can-be-more-effective-if-the-following-parameters-are-changed-in/