LAB 5 NETWORK LEVEL ATTACKS

The document outlines a series of labs focused on performing and detecting various network-level attacks, including MAC flooding, ARP poisoning, DoS and DDoS attacks, and session hijacking. Each lab provides step-by-step instructions on executing these attacks and methods for detecting and mitigating them using tools like Wireshark and Anti DDoS Guardian. The overall objective is to gain practical experience in network security and understand how to protect against these vulnerabilities.

LAB 5: network level attacks AND COUNTERM

Abstract
This lab provides real-time experience in performing various network-level attacks on the target organization.

Moratiwa Mmopi
201902294
Table of Contents
OVERVIEW
LAB1: PERFORM MAC FLOODING TO COMPROMISE THE SECURITY OF NETWORK SWITCHES
TASK1: PERFORM MAC FLOODING USING MACOF
LAB2: PERFORM ARP POISONING TO DIVERT ALL COMMUNICATION BETWEEN TWO MACHINES
TASK1: PERFORM ARP POISONING USING ARPSPOOF
LAB3: DETECT ARP ATTACKS USING ARP SPOOFING DETECTION TOOLS TO ENSURE DATA PRIVACY
TASK1: DETECT ARP POISONING IN A SWITCH-BASED NETWORK
LAB4: PERFORM DoS AND DDoS ATTACKS USING VARIOUS TECHNIQUES ON A TARGET HOST TO PREVENT ACCESS TO SYSTEM RESOURCES FOR LEGITIMATE USERS
TASK1: PERFORM DoS AND DDoS ATTACKS USING HPING3
TASK2: PERFORM A DDoS ATTACK USING HOIC
LAB5: DETECT AND PROTECT AGAINST DDoS ATTACK
TASK1: DETECT AND PROTECT AGAINST DDoS ATTACK USING ANTI DDoS GUARDIAN
LAB6: PERFORM SESSION HIJACKING TO SEIZE CONTROL OF A VALID TCP COMMUNICATION SESSION BETWEEN TWO COMPUTERS
TASK1: HIJACK A SESSION USING ZED ATTACK PROXY (ZAP)
LAB7: DETECT SESSION HIJACKING ATTEMPTS USING MANUAL METHOD
TASK1: DETECT SESSION HIJACKING ATTEMPTS USING WIRESHARK
CONCLUSION
OVERVIEW

BRIEF DESCRIPTION
Attackers use a variety of methods, including MAC flooding, ARP poisoning, ARP
spoofing, DoS and DDoS attacks, and session hijacking, to compromise the security
of networks. Attackers are then able to intercept data packets carrying sensitive
data, including chat passwords, syslog traffic, router configuration, DNS traffic,
email traffic, web traffic, chat sessions, and passwords for FTP servers.

OBJECTIVES
- Sniff the network
- Analyze incoming and outgoing packets for any attacks
- Perform DoS attack, DDoS attack and session hijacking
- Secure the network from attacks

RESOURCES
- Parrot Security
- Windows Server 2019
- Windows Server 2016
- Ubuntu
- Android
LAB1: PERFORM MAC FLOODING TO COMPROMISE THE
SECURITY OF NETWORK SWITCHES
In this lab, I will actively sniff the target network using a variety of active sniffing
techniques, including MAC flooding, DHCP starvation, ARP poisoning, and MITM, to
collect all the information that is visible on the network and store it for later
analysis.

TASK1: PERFORM MAC FLOODING USING MACOF


In this task I will be using the MAC flooding technique to force the switch to behave like a hub,
so that traffic meant for other hosts can easily be sniffed.
Step 1
On the Parrot Security machine, I launched Wireshark, as shown in the screenshot below.
Step 2
As soon as the Wireshark window appeared, I double-clicked the available Ethernet
interface, eth0, and the packet capture began, as shown in the screenshot below.

Step 3
I then left Wireshark running in the background, opened a new terminal window and
ran the command sudo su to become the root user, as shown below.

Step 4
I then ran cd, which changes to the root user's home directory (/root).
Step 5
In this step, I ran the command macof -i eth0 -n 10, where -i specifies the interface
and -n specifies the number of frames to send (10). macof floods the switch's CAM table
with frames carrying random source MAC addresses; ten frames are enough to observe the tool
in Wireshark, although filling a real CAM table takes thousands.

Step 6
I clicked on one of the IPv4 packets, and Wireshark displayed the source and destination
MAC addresses of the frame.
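To make concrete what the macof frames do to the switch, here is an added example (my own code, not part of the original lab and not macof's code): a toy learning switch with a small CAM table. The capacity, the port numbers, the MAC addresses and the port-security limit are constructed for illustration. It shows the two things the lab relies on: once the table is full, a frame addressed to a host the switch has forgotten is flooded out of every port, including the attacker's; and the countermeasure, a per-port limit on learned MAC addresses (port security), stops the table from being filled from a single port.

```python
from collections import OrderedDict

CAM_CAPACITY = 8           # constructed toy capacity; real switches hold thousands of entries
PORT_SECURITY_MAX = 2      # constructed port-security limit: MAC addresses allowed per port
VICTIM_MAC = "00:0c:29:aa:bb:10"   # constructed
SERVER_MAC = "00:50:56:c0:00:01"   # constructed


class Switch:
    """Minimal learning switch with a fixed-size CAM (MAC -> port) table."""

    def __init__(self, ports, capacity=CAM_CAPACITY, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port   # None = port security off
        self.cam = OrderedDict()                     # mac -> port, oldest entry first
        self.violations = []                         # (port, mac) frames dropped by port security
        self.flooded = 0                             # frames sent out of every port (hub behaviour)

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, src_mac, dst_mac, in_port):
        """Learn src_mac on in_port, then return the egress port list for the frame."""
        if src_mac not in self.cam:
            if (self.max_macs_per_port is not None
                    and self._macs_on_port(in_port) >= self.max_macs_per_port):
                self.violations.append((in_port, src_mac))
                return []                            # port security: drop, do not learn
            if len(self.cam) >= self.capacity:
                self.cam.popitem(last=False)         # table full: evict the oldest entry
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            self.flooded += 1                        # unknown destination: flood like a hub
            return [p for p in self.ports if p != in_port]
        return [out]


def simulate(port_security=False, flood_frames=20):
    """Victim on port 1, server on port 2, attacker running macof on port 3."""
    sw = Switch(ports=[1, 2, 3],
                max_macs_per_port=PORT_SECURITY_MAX if port_security else None)
    sw.forward(VICTIM_MAC, SERVER_MAC, in_port=1)    # switch learns the victim on port 1
    sw.forward(SERVER_MAC, VICTIM_MAC, in_port=2)    # and the server on port 2
    for i in range(flood_frames):                    # macof: random source MACs from port 3
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", in_port=3)
    egress = sw.forward(SERVER_MAC, VICTIM_MAC, in_port=2)   # server replies to the victim
    return {"egress": egress,
            "attacker_sees_it": 3 in egress,
            "port_security_violations": len(sw.violations)}


if __name__ == "__main__":
    print("no port security :", simulate(False))
    print("port security on :", simulate(True))
```

Without port security the victim's entry is evicted by the random addresses, so the server's reply is flooded to ports 1 and 3 and the attacker's Wireshark sees it. With the per-port limit, only the first two random addresses are learned, the other eighteen frames are dropped as violations, and the reply still goes to port 1 alone.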
LAB2: PERFORM ARP POISONING TO DIVERT ALL
COMMUNICATION BETWEEN TWO MACHINES
In this lab, I began by following the same steps as in the previous lab: I opened
Wireshark and selected the available Ethernet interface, then opened a new MATE
terminal, ran sudo su to become the root user and ran cd to change to the root
user's home directory. These steps led me to Step 1, shown below.

TASK1: PERFORM ARP POISONING USING ARPSPOOF


In this task, I will be using ARP spoofing so that the target computer's IP address is
resolved to the attacker's MAC address, with the attacker answering ARP on behalf of
both the target and the access point.

Step 1
I used the command arpspoof -i eth0 -t 10.10.1.1 10.10.1.10 to inform the access
point (10.10.1.1) that we are the target system (10.10.1.10), where -i specifies the
network interface, -t specifies the host to poison and the last argument is the IP
address to impersonate. After a few packets were sent, I pressed CTRL+Z to stop
sending ARP packets (CTRL+Z only suspends arpspoof; CTRL+C terminates it and lets it
restore the correct MAC address in the victims' ARP caches).

Step 2
I then switched to the Wireshark window and there were some ARP packets as
shown below.

Step 3
Using the command arpspoof -i eth0 -t 10.10.1.10 10.10.1.1, I informed the target
system (10.10.1.10) that we are the access point (10.10.1.1). After a few packets were
sent, I pressed CTRL+Z to stop sending ARP packets.

Step 4
After the previous step, the Wireshark window showed the warning "duplicate use of
10.10.1.10 detected!". I clicked on one ARP packet and observed the MAC addresses
associated with 10.10.1.10 and 10.10.1.1: both now resolve to the attacker's MAC
address. arpspoof therefore succeeded in associating the attacker's MAC address with
the IP addresses of the host system and the access point, which is why Wireshark
flagged the duplicate use of 10.10.1.10.
LAB3: DETECT ARP ATTACKS USING ARP SPOOFING
DETECTION TOOLS TO ENSURE DATA PRIVACY
TASK1: DETECT ARP POISONING IN A SWITCH-BASED NETWORK
Step 1
I installed the Cain & Abel application which I will be using in this lab.

Step 2
After installation, I opened the Cain & Abel application; its main window appeared as
shown in the screenshot below.

Step 3
I then opened the Configuration dialog box and, on the Sniffer tab, ensured that the
adapter associated with the IP address of the machine was selected, then clicked OK.
Step 4
In this step I went to the Sniffer tab and clicked on the + icon so as to scan the
network for hosts.

Step 5
After the scan completed, a list of all active IP addresses was displayed, as shown in
the screenshot.
Step 6
To generate traffic between two systems, the Windows 10 machine and Parrot Security,
I switched to the Parrot Security machine, opened a new terminal window, ran sudo su
to become the root user and then ran cd to change to the root user's home directory,
as shown in the screenshot below.

Step 7
Using the command hping3 10.10.1.10 -c 100000, I started pinging the target machine,
in this case Windows 10, with 100000 packets; -c specifies the packet count.
Step 8
After issuing the previous command, I went back to the Windows Server 2019 machine,
where I opened Wireshark; as shown in the screenshot below, Wireshark began to
capture the traffic between the two machines.

Step 9
In the Cain & Abel window, the packets flowing between the two machines can be
observed, as indicated by the arrows in the screenshot below.

Step 10
I then stopped the capture and viewed the Expert Information; as shown in the
screenshot below, the warnings are highlighted.
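The Wireshark warning in Lab 2 Step 4 and the detection task in Lab 3 rest on the same observation: an IP address that suddenly resolves to a second MAC address, advertised in replies nobody asked for. The following added example (my own code, not from the lab or from any of the tools used) analyses a constructed sequence of ARP frames that mirrors the two arpspoof commands from Lab 2. The IP addresses are the ones used in the lab; the MAC addresses are made up.

```python
from collections import defaultdict

# Addresses from the lab; the MAC addresses are constructed for this example.
GATEWAY, TARGET = "10.10.1.1", "10.10.1.10"
GATEWAY_MAC, TARGET_MAC = "00:50:56:c0:00:01", "00:0c:29:aa:bb:10"
ATTACKER_MAC = "00:0c:29:de:ad:13"


def analyse_arp(frames):
    """Return alert strings for a sequence of ARP frames given as dicts with
    keys op ("request"/"reply"), sender_ip, sender_mac and target_ip."""
    ip_to_mac = {}                   # what each IP was last claimed to be at
    mac_to_ips = defaultdict(set)    # which IPs each MAC has claimed
    pending = set()                  # (requester_ip, queried_ip) requests still unanswered
    alerts = []
    for f in frames:
        if f["op"] == "request":
            pending.add((f["sender_ip"], f["target_ip"]))
            continue
        ip, mac, to = f["sender_ip"], f["sender_mac"], f["target_ip"]
        # A reply should answer a request the recipient actually made.
        if (to, ip) in pending:
            pending.discard((to, ip))
        else:
            alerts.append(f"unsolicited reply to {to}: {ip} is-at {mac}")
        # Wireshark's "duplicate use of <ip> detected": one IP, two MACs.
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"duplicate use of {ip} detected: {known} then {mac}")
        ip_to_mac[ip] = mac
        # Weaker signal: one MAC now answering for several IPs (a gateway with
        # secondary addresses is a legitimate exception).
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) == 2:
                alerts.append(f"{mac} claims several IPs: {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed frames: a normal exchange, then the two arpspoof commands from Lab 2.
SAMPLE = [
    {"op": "request", "sender_ip": TARGET,  "sender_mac": TARGET_MAC,   "target_ip": GATEWAY},
    {"op": "reply",   "sender_ip": GATEWAY, "sender_mac": GATEWAY_MAC,  "target_ip": TARGET},
    {"op": "request", "sender_ip": GATEWAY, "sender_mac": GATEWAY_MAC,  "target_ip": TARGET},
    {"op": "reply",   "sender_ip": TARGET,  "sender_mac": TARGET_MAC,   "target_ip": GATEWAY},
    # arpspoof -i eth0 -t 10.10.1.1 10.10.1.10: tell the gateway that .10 is at the attacker's MAC
    {"op": "reply",   "sender_ip": TARGET,  "sender_mac": ATTACKER_MAC, "target_ip": GATEWAY},
    # arpspoof -i eth0 -t 10.10.1.10 10.10.1.1: tell the target that .1 is at the attacker's MAC
    {"op": "reply",   "sender_ip": GATEWAY, "sender_mac": ATTACKER_MAC, "target_ip": TARGET},
]

if __name__ == "__main__":
    for line in analyse_arp(SAMPLE):
        print(line)
```

The first four frames produce no alerts. Each poisoned reply produces two (unsolicited, and a duplicate use of the impersonated IP), and the second one adds a third because the attacker's MAC is now answering for both addresses. A static ARP entry for the gateway on the hosts, or dynamic ARP inspection on the switch, is what prevents the poisoned mapping from taking effect.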
LAB4: PERFORM DoS AND DDoS ATTACKS USING
VARIOUS TECHNIQUES ON A TARGET HOST TO PREVENT
ACCESS TO SYSTEM RESOURCES FOR LEGITIMATE USERS
TASK1: PERFORM DoS AND DDoS ATTACKS USING HPING3
Step 1
On Windows 10, I launched Wireshark and, as soon as the Wireshark window appeared,
double-clicked the available Ethernet interface, Ethernet 2; the packet capture began
as shown in the screenshot below.

Step 3
I then left Wireshark running in the background and opened a new terminal window in
Parrot Security, where I ran sudo su to become the root user. I then ran the command
hping3 -S -a -p 22 --flood, which floods the victim machine with bulk SYN packets and
exhausts the victim's resources: -S sets the SYN flag, -a spoofs the source IP address,
-p specifies the destination port and --flood sends packets as fast as possible without
waiting for replies. All of this can be seen in the screenshot below.
Step 4
I pressed Ctrl+C to stop the SYN flood against the target machine. I observed that, in
a very short time, a huge number of packets had been sent to the target machine.

Step 5
I opened Task Manager to display the performance tab, as shown in the screenshot.
Step 6
I then ran hping3 with the -d option, which specifies the data size of each packet.
This command initiates the Ping of Death (PoD) attack on the Windows 10 machine.

Step 7
I switched to the Windows 10 machine and observed the Performance tab to view the
performance of the various system components. There is a visible degradation in system
performance, which might result in the system crashing.

Step 8
I pressed Ctrl+C to terminate the PoD attack run with hping3.

Step 9
I then performed a UDP application-layer flood attack on the Windows Server 2019
machine using NetBIOS port 139. First, I determined whether port 139 was open by
running nmap -p 139 against the target; I then ran the command hping3 -2 -p 139 --flood,
where -2 selects UDP mode.

Step 10
I opened Wireshark on Windows Server 2019, double-clicked the available Ethernet
interface and the packet capture began, as shown in the screenshot below. Wireshark
displays the network's flow of traffic; here I could see a huge number of UDP packets
coming from the source IP address 10.10.1.13 to port 139.

Step 11
I used command Ctrl+C to terminate the DoS attack.

TASK 2: PERFORM A DDoS ATTACK USING HOIC


Step 1
I navigated to wireshark in parrot security. The Wireshark Network Analyzer window
appeared and I double-clicked on the primary network interface (here, eth0) to start
capturing the network traffic.

Step 2
I switched to Windows 10, where I copied the High Orbit Ion Cannon (HOIC) folder to the
Desktop. I did the same on the Windows Server 2019 and Windows Server 2016 machines.

Step 3
I switched back to the Windows 10 machine, navigated to the Desktop and executed
hoic2.1.exe; the HOIC GUI main window appeared as shown below.

Step 4
In the HOIC - [Target] pop-up I set the IP address to 10.10.1.13 and slid the Power bar
to High. Under the Booster section, I selected GenericBoost.hoic from the drop-down list
and clicked Add. Finally, I set the THREADS value to 20.

Step 5
I then switched to the Windows Server 2019 and Windows Server 2016 machines and
repeated the HOIC configuration there. Once started, I observed that the Status changed
from READY to ENGAGING, as shown in the screenshot.
Step 6
I then switched to the Parrot Security machine, where I observed that Wireshark was
capturing a large volume of packets, meaning that the machine was receiving a huge
number of incoming packets. These packets came from the Windows 10, Windows Server
2019 and Windows Server 2016 machines.

LAB5: DETECT AND PROTECT AGAINST DDoS ATTACK


TASK1: DETECT AND PROTECT AGAINST DDoS ATTACK USING
ANTI DDoS GUARDIAN
Step 1
I executed Anti_DDoS_Guardian_setup.exe and installed it on Windows 10.
Step 2
I launched the application and the Anti DDoS Guardian window appeared, displaying
information about incoming and outgoing traffic, as shown in the screenshot.

Step 3
I switched to the Windows Server 2019 machine, navigated to the HOIC GUI main window
and repeated Steps 4 and 5 of Lab 4, Task 2.
Step 4
I then switched back to the Windows 10 machine and observed the packets captured by
Anti DDoS Guardian, where I saw a huge number of incoming packets. These packets came
from the Windows Server 2019 and Windows Server 2016 machines.

Step 5
I double-clicked one of the sessions from 10.10.1.19 or 10.10.1.16. The Anti DDoS
Guardian Traffic Detail Viewer window appeared, displaying the content of the selected
session as raw data. I observed the high number of incoming bytes from the remote IP
address 10.10.1.16, as shown in the screenshot.
Step 6
In the Traffic Detail Viewer window, I clicked the Block IP option in the left pane and
observed that the blocked IP's session turned red in the Action Taken column.
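Lab 4 and Lab 5 together show two different floods and one defence. As an added example (my own code, not from the lab, hping3, HOIC or Anti DDoS Guardian), the following builds a constructed packet list standing in for a Wireshark capture and runs two checks over it: a SYN-flood indicator (many SYN-only segments, almost no ACKs, a different spoofed source for every SYN, which is what hping3 -S -a --flood produces) and a per-source rate limit that returns the addresses a tool like Anti DDoS Guardian would block. The victim address 10.10.1.11, the third HOIC host 10.10.1.22, the client addresses and all thresholds are assumptions.

```python
from collections import Counter, defaultdict

VICTIM = "10.10.1.11"        # assumption: the Windows host being flooded


def syn_flood_indicators(packets, victim, window=1.0):
    """Per-window view of TCP traffic to `victim`: SYN-only segments, how many
    distinct sources sent them, and how many segments carried an ACK."""
    syn_only, acks = Counter(), Counter()
    sources = defaultdict(set)
    for p in packets:
        if p["dst"] != victim or p["proto"] != "tcp":
            continue
        bucket = int(p["ts"] // window)
        if p["flags"] == {"SYN"}:
            syn_only[bucket] += 1
            sources[bucket].add(p["src"])
        elif "ACK" in p["flags"]:
            acks[bucket] += 1
    return {b: {"syn_only": syn_only[b], "distinct_sources": len(sources[b]), "acks": acks[b]}
            for b in sorted(set(syn_only) | set(acks))}


def is_syn_flood(stats, min_syn=100, max_ack_ratio=0.1):
    """A window full of SYNs that almost never complete a handshake."""
    return any(s["syn_only"] >= min_syn and s["acks"] <= max_ack_ratio * s["syn_only"]
               for s in stats.values())


def volumetric_blocklist(packets, victim, window=1.0, pps_threshold=500):
    """Per-source rate limiting in the style of a host firewall's 'Block IP':
    sources exceeding pps_threshold in any window are returned for blocking."""
    per_src = defaultdict(Counter)
    for p in packets:
        if p["dst"] == victim:
            per_src[p["src"]][int(p["ts"] // window)] += 1
    return sorted(src for src, buckets in per_src.items()
                  if max(buckets.values()) > pps_threshold)


def constructed_capture():
    """Constructed packet records standing in for a Wireshark capture."""
    pkts = []
    for i in range(20):                               # five normal SSH clients, low rate
        src = f"10.10.1.{100 + i % 5}"
        pkts.append({"ts": i * 0.1, "src": src, "dst": VICTIM, "proto": "tcp",
                     "dport": 22, "flags": {"SYN"}})
        pkts.append({"ts": i * 0.1 + 0.01, "src": src, "dst": VICTIM, "proto": "tcp",
                     "dport": 22, "flags": {"ACK"}})
    for i in range(2000):                             # hping3 -S -a <spoofed> -p 22 --flood, second 3
        src = f"203.0.{i // 250}.{i % 250 + 1}"       # every SYN from a different spoofed source
        pkts.append({"ts": 3.0 + i / 2000, "src": src, "dst": VICTIM, "proto": "tcp",
                     "dport": 22, "flags": {"SYN"}})
    hoic_hosts = ["10.10.1.19", "10.10.1.16", "10.10.1.22"]   # two from the lab, one constructed
    for i in range(1800):                             # HOIC: real hosts, many HTTP requests, second 6
        pkts.append({"ts": 6.0 + i / 1800, "src": hoic_hosts[i % 3], "dst": VICTIM,
                     "proto": "tcp", "dport": 80, "flags": {"PSH", "ACK"}})
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    stats = syn_flood_indicators(cap, VICTIM)
    print("SYN flood:", is_syn_flood(stats), stats[3])
    print("block list:", volumetric_blocklist(cap, VICTIM))
```

The per-source block list catches the three HOIC hosts, which attack from their real addresses, but none of the 2000 spoofed SYN sources comes anywhere near the threshold. That is the caveat to take from Lab 5: blocking by source IP, as done in Step 6, stops a HOIC-style flood but not a flood whose source addresses are randomised, which has to be absorbed with SYN cookies or rate limiting upstream of the victim instead.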

LAB6: PERFORM SESSION HIJACKING TO SEIZE CONTROL


OF A VALID TCP COMMUNICATION SESSION BETWEEN
TWO COMPUTERS
TASK1: HIJACK A SESSION USING ZED ATTACK PROXY (ZAP)
Step 1
In Windows 10 I configured the proxy settings of the victim’s machine.
Step 2
I then launched OWASP ZAP. When the OWASP ZAP main window appeared, I selected Break.
The Break tab allows you to modify a request or response once ZAP has caught it.

Step 3
With the Break tab added to the OWASP ZAP window, I configured ZAP as a proxy: Local
Proxy address 10.10.1.19 in the Address field and the default Port value, 8080.
Step 4
I clicked the "Set break on all requests and responses" icon on the main ZAP toolbar.
This button sets and unsets a global breakpoint that traps the next request or response
from the victim's machine and displays it in the Break tab; the icon turns from green to
red while the breakpoint is set.

Step 5
On the victim's machine, I used the Google Chrome browser that I had configured to use
the proxy and navigated to www.moviescope.com (marked as unsafe by the browser) to open
the website.
Step 6
I switched back to the attacker machine (Windows Server 2019) and observed that OWASP
ZAP had begun to capture the victim's requests. I modified www.moviescope.com to
www.goodshopping.com in all the captured GET requests.

Step 7
I kept modifying every HTTP request captured by OWASP ZAP until the www.goodshopping.com
page appeared on the victim's machine. Switching to the victim's machine, I could see
that the victim had navigated to www.moviescope.com but now sees www.goodshopping.com:
the address bar displays www.moviescope.com while the window displays the
www.goodshopping.com page.

Step 8
Finally, I changed the proxy settings back to their defaults by performing Step 1 again.
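What the Break tab did by hand in Steps 6 and 7 is a host rewrite of every plaintext HTTP request passing through the proxy. The following added example (my own code, not ZAP's and not part of the lab) performs the same rewrite on a constructed request and refuses CONNECT requests, which is why the attack as performed here only works against a site served over plain HTTP: for HTTPS the proxy sees only the host and port of the tunnel, and the request line and Host header are encrypted end to end. The request bytes and the User-Agent value are constructed; the two host names are the ones used in the lab.

```python
OLD_HOST, NEW_HOST = "www.moviescope.com", "www.goodshopping.com"   # hosts from the lab
REWRITTEN_HEADERS = (b"host", b"referer", b"origin")


def rewrite_request(raw: bytes, old_host: str, new_host: str) -> bytes:
    """Rewrite a plaintext HTTP/1.x request so the upstream server is new_host.
    Raises ValueError for CONNECT, i.e. an HTTPS tunnel the proxy cannot see into."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    if method == b"CONNECT":
        raise ValueError("HTTPS: only host:port is visible; path and Host header are encrypted")
    old, new = old_host.encode(), new_host.encode()
    # Browsers talking to a proxy send the absolute URL in the request line.
    out = [b" ".join((method, target.replace(old, new), version))]
    for header in headers:
        name, colon, value = header.partition(b":")
        if name.strip().lower() in REWRITTEN_HEADERS:
            value = value.replace(old, new)
        out.append(name + colon + value)
    return b"\r\n".join(out) + sep + body


SAMPLE_REQUEST = (   # constructed: what a browser pointed at the proxy sends for the lab site
    b"GET http://www.moviescope.com/index.html HTTP/1.1\r\n"
    b"Host: www.moviescope.com\r\n"
    b"Referer: http://www.moviescope.com/\r\n"
    b"User-Agent: constructed-example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST, OLD_HOST, NEW_HOST).decode())
```

The browser still believes it is talking to www.moviescope.com, so the address bar is unchanged while the response comes from the other site, exactly what Step 7 describes. Serving the site over HTTPS (and pinning that with HSTS) removes the plaintext request the rewrite depends on.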
LAB7: DETECT SESSION HIJACKING ATTEMPTS USING
MANUAL METHOD
TASK1: DETECT SESSION HIJACKING ATTEMPTS USING
WIRESHARK
Step 1
I launched the Wireshark Network Analyzer and double-clicked the primary network
interface (in this case, Ethernet 2) to start capturing network traffic.
Step 2
I then launched a session hijacking attack on the target machine (Windows 10) using
bettercap on the Parrot Security machine. I opened a new terminal window, ran sudo su
to become the root user and then ran cd to change to the root user's home directory, as
shown in the screenshot below. I then ran the command bettercap -iface eth0, where
-iface specifies the interface to bind to.

Step 3
I ran net.probe on, which sends different types of probe packets to each IP address in
the current subnet so that the net.recon module can detect them, and net.recon on, which
periodically reads the system ARP table to detect new hosts on the network. net.sniff on
then performs the sniffing on the network. All of this is shown in the screenshot below.
Step 4
I switched back to the Windows 10 machine and observed the huge number of ARP packets
captured by Wireshark, as shown in the screenshot.

CONCLUSION
Attackers may cause interruption, harm, and loss to businesses and individuals by
compromising the security of a network using a variety of attack tactics. Therefore,
it is crucial for security experts to understand these attack tactics because doing so
is necessary for defending the network from numerous attacks.