[ Certified Ethical Hacker v10 ] :: [ Module 8 ] :: Denial of Service

This entry is part 10 of 21 in the series [ Certified Ethical Hacker Training ]

Module 8: Denial of Service

DoS is the tool of hacktivists and sometimes organized crime.

Types of Attacks

Service request flood

Simply make millions of page requests, for instance. See the effects:

SYN attack/flood:

hping3 -i u1 -S -p 80 <target ip>

-S = SYN flag, -p 80 = port 80, -i u1 = interval, 1 microsecond

ICMP floods

These include Smurfing, ICMP flooding and ping flooding.

A simple ICMP flood:

hping3 -1 --flood -a <target ip> <broadcast ip>

Ping of Death (note that this no longer works)

From a Windows machine:

ping -l 65500 <target ip> -w 1 -n 1

Teardrop attack

This involves fragmenting a packet but mismatching the fragment offsets, the numbers that tell the receiver where the fragments should meet.

Amplification attacks, which include:

Smurf attack

hping3 --icmp --spoof <target ip> <broadcast ip>

Fraggle attack

hping3 --udp --spoof <target ip> <broadcast ip>

LAND attack (Local Area Network Denial)
(no modern network is susceptible to this attack)

hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source <target ip>

Permanent DoS attacks

Phlashing is flashing malicious code to BIOS or any other firmware location. For most people, this is irrecoverable.

Application-level attacks

Flooding the network

Disrupting services, for instance the login service by making lots of failed attempts so that users get locked out

Jamming the network, usually by crafting SQL that locks or corrupts a database

Buffer Overflow

Know these critical four C functions that don’t perform bounds checking, and thus are susceptible to buffer overflows:

gets( )
scanf( )
strcpy( )
strcat( )
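
Added example (not from the original post): bounded stand-ins for the calls listed above, written in C. The names bounded_copy, bounded_append and bounded_readline are hypothetical helpers, and the inputs are constructed samples; each helper rejects input that does not fit instead of writing past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example; helper names are hypothetical. Each returns 0 on success
   and -1 when the input does not fit in cap bytes. For scanf(), give "%s"
   a field width one less than the buffer, e.g. "%7s" for char[8]. */

/* strcpy() stand-in */
int bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0 || n >= cap) return -1;    /* reject, never overflow */
    memcpy(dst, src, n + 1);                /* n + 1 copies the NUL too */
    return 0;
}

/* strcat() stand-in */
int bounded_append(char *dst, size_t cap, const char *src) {
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL) return -1;             /* dst not terminated in cap */
    size_t used = (size_t)(end - dst), n = strlen(src);
    if (n >= cap - used) return -1;         /* dst is left unchanged */
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* gets() stand-in: accepts lines of at most cap - 2 characters */
int bounded_readline(FILE *in, char *dst, size_t cap) {
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return 0; }
    if (feof(in)) return 0;                 /* final line, no newline */
    int c;                                  /* too long: drain the rest */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    dst[0] = '\0';
    return -1;
}

int main(void) {
    char name[8];                           /* constructed sample inputs */
    printf("short: %d\n", bounded_copy(name, sizeof name, "admin"));
    printf("long:  %d\n", bounded_copy(name, sizeof name, "administrator"));
    printf("cat:   %d\n", bounded_append(name, sizeof name, "-root"));
    return 0;
}
```
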

The Heap

This is a loosely (dis)organized area for random storage. Memory space gets allocated and recovered automatically.

The Stack

This is much more organized, or constrained. It is literally a “stack” of information, each piece “on top of” the piece before it. Each running process gets its own stack (and heap).

You put information into the stack using the push operator (and you’re always pushing to the top). You get information from the stack using the pop operator, which deletes the info from the stack but hands it to you as the return value.

Smashing the Stack

The critical acronym (from the standpoint of the CEH exam) is the Extended Instruction Pointer (EIP). When a process is running, it needs a memory address to return to once it’s done. Usually it’s the address just after the currently running process’s address, but not always.

So if we want to fill up a buffer area (really just a space in memory, but one that’s defined with a specific size), we need some extra code or instructions just to fill up space. Often this is done by jamming a bunch of “no-op instructions”, or NOPs, into the buffer. Stacking a bunch of NOPs together to fill the buffer creates a NOP Sled.

The NOP instruction is 0x90, which means that when you see a bunch of these in a row, you’re probably looking at an evil NOP Sled.
