Penetration Testing mailing list archives
Re: Client DDoS requests, ideas?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 14 Jul 2008 19:28:28 -0400
Erin Carroll wrote:
> Jon,
>
> Thanks for the reply. This wasn't a question specific to any client. However, in some cases in the past clients with very narrow external exposure have asked for this kind of testing. Fragmentation, amplification, protocol & app attacks either weren't effective or the client's existing countermeasures were effective enough to handle the attacks of those types above. We're talking straight pipe vs. pipe DoS options. I'm not aware of any "legitimate" botnets for this kind of load testing or service providers which offer similar services, so I was hoping to get some ideas/options.
>
> On Mon, 2008-07-14 at 17:24 -0400, Jon Kibler wrote:
>> Erin Carroll wrote:
>>> Pen-testers,
>>>
>>> There have been times when, during the course of a pen-test for a client, a request is made for DoS/DDoS attacks against external systems & services. While there are resource exhaustion & other attack methods for certain services/systems, let's assume that Smurf-like attacks aren't viable. I'm curious for ideas or methods to simulate straight bandwidth DDoS attacks if the client pipe(s) are larger than your available pipe(s). It's not like we all have huge botnets in our back pocket... Has anyone faced this situation before and if so, how did you manage?
>>
>> Hi,
>>
>> What services (e.g., IIS x.x, BIND v.e.r)? What network infrastructure devices (e.g., Cisco xxxx w/ IOS yy.zz)? What O/Ses / versions?
>>
>> There are a number of protocol and device specific attacks where a single to a few hosts with not much bandwidth can successfully DoS a system on a much larger pipe. Attacks are not available for every environment, but there is usually just enough of a range of equipment and services on most networks to make a DoS attack against something on a target network possible.
>>
>> What to look for?
>> Fragmentation attacks (e.g., jolt)
>> Amplification attacks (e.g., DNS: request a VERY large TXT record)
>> Protocol attacks (e.g., LAND)
>> Application attacks (e.g., SQL Injection 'shutdown with nowait')
>>
>> Where to look?
>> PacketStorm
>> Milw0rm
>>
>> Just some starters. Give some specifics and I can be more specific.
>>
>> Hope this helps!
>>
>> Jon Kibler

Erin,

Okay, let's look at some options within the parameters you just provided.

First, get a *nix hosted server on a very fat pipe -- say an OC48. A /27 netblock would also be a nice addition. You can get one with huge bandwidth allocations for under $500 / mo. Use this as a basis for other attacks, such as:

a) A mail server that uses spf could be attacked by creating HUGE spf records. Then simply create a script that floods SMTP requests that would require the retrieval of the spf records. Using a bunch of domains housed on your fat pipe, you could easily swamp the inbound pipe.

b) An anonymous ftp server (or, a real ftp server with an account you have cracked). Flood the server with requests to send/receive huge files.

c) Dictionary or brute force attacks against mail clients.

d) Protocol flood, such as ICMP 0/0 with SIP == DIP in both IP header and payload. (An ICMP LAND attack that also starves bandwidth.) Use a few thousand hping processes (make sure you don't exceed your kernel's process limit), each slamming out packets at the maximum rate, such as:

   for i in $(seq 16382); do
       hping -i u1 -c 999999999 -q ...
   done

e) Find a web application that has lame authentication. Then create multiple data streams, each trying to brute force a user of that application -- legit user or not. For example, try to BF Citrix web-based login or client email services (pop or imap). This has three possible DoS abilities:
   - Lockout of legit users
   - Resource starvation on the application server
   - Bandwidth starvation

f) Attack a misconfigured name server -- one that allows public recursion.
   - Set up a bunch of domains w/ default TTL = 1.
   - Create NS records that point to different virtual IPs on your fat pipe server.
   - Create very large TXT records.
   - Flood the server with requests for those TXT records, but forge the source IP to be something on the client's network.

g) Use SQL Injection attacks to:
   - Flood the server with complex queries.
   - Execute stored procedures to shut down the server.

h) Attack a client and use that to leapfrog to a critical server.
   - Whack a privileged user. For example, if you know that they have installed an old version of QuickTime, send them one of the Metasploit QuickTime images embedded in their email, so when they open it, it starts the vulnerable application, giving you control of their computer.
   - Use this system and the user's privilege to jump to a critical server and shut it down. (Or, use psshutdown)

i) Oh, I almost forgot the obvious: Use the Nessus 'DoS' ability on any exposed vulnerabilities.

Are these the types of ideas you are looking for?

Jon Kibler

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
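The amplification pattern in item f above (a burst of TXT queries against a public recursive resolver from a forged source address) is visible in the resolver's own query log. The following is an added detection example, not code from this thread; it parses a few constructed BIND-style query-log lines and flags source addresses whose TXT query rate exceeds a threshold, with the log format, sample addresses and threshold all being assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in BIND 9 query-log style (the format is an assumption).
# 198.51.100.7 is the (possibly forged) source that a resolver would see during a flood.
SAMPLE_LOG = """\
14-Jul-2008 19:20:01.000 client 198.51.100.7#40001 (bigtxt.example.net): query: bigtxt.example.net IN TXT + (192.0.2.53)
14-Jul-2008 19:20:01.010 client 198.51.100.7#40002 (bigtxt.example.net): query: bigtxt.example.net IN TXT + (192.0.2.53)
14-Jul-2008 19:20:01.020 client 198.51.100.7#40003 (bigtxt.example.net): query: bigtxt.example.net IN TXT + (192.0.2.53)
14-Jul-2008 19:20:01.030 client 198.51.100.7#40004 (bigtxt.example.net): query: bigtxt.example.net IN TXT + (192.0.2.53)
14-Jul-2008 19:20:02.500 client 10.0.0.25#53001 (www.example.com): query: www.example.com IN A + (192.0.2.53)
14-Jul-2008 19:20:03.000 client 10.0.0.26#53002 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qtype) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group("src"), m.group("qname"), m.group("qtype")

def find_txt_floods(text, max_per_second=3.0, min_queries=4):
    """Return {source_ip: txt_queries_per_second} for sources that send at least
    min_queries TXT queries faster than max_per_second. Large TXT answers to a
    spoofed source are the reflection/amplification case described in the thread."""
    per_src = defaultdict(list)
    for ts, src, _qname, qtype in parse_query_log(text):
        if qtype == "TXT":
            per_src[src].append(ts)
    flagged = {}
    for src, stamps in per_src.items():
        if len(stamps) < min_queries:
            continue
        span = (max(stamps) - min(stamps)).total_seconds()
        rate = len(stamps) / max(span, 0.001)  # guard against a zero-length burst
        if rate > max_per_second:
            flagged[src] = round(rate, 1)
    return flagged

if __name__ == "__main__":
    for src, rate in find_txt_floods(SAMPLE_LOG).items():
        print(f"possible TXT amplification source {src}: {rate} queries/s")
```

Restricting recursion to known clients and enabling the resolver's response rate limiting removes the amplifier that this detector is looking for.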