PURPOSE and SCENARIO
The goal of this laboratory test is to attempt to attack a server and deface a website. Here is the scenario: your client is worried about some material posted on a blog and asks you to take care of it. They have a throwaway “script kiddie” [Script kiddie] in a third world country who will mount the attack, so you don’t need to worry about hiding the attacker’s identity.
Therefore, we need to devise a way to attack a WordPress-based site (default installation) and render it unusable (page view times over 60 seconds). Attack resources: one PC with Microsoft Windows XP, a script kiddie, and an internet connection of 2 Mbit/s. In addition, the server has to stay down for two days, and the script kiddie has up to 1 day to set up the attack.
For the scenario above there are three different proposals from fellow students. Each proposal is described in the section Proposals, together with its effectiveness, its installation process and an evaluation of how efficiently it uses the available resources.
Firstly, the internet connection is limited to 2 Mbit/s through the Oracle VirtualBox configuration manager. Secondly, the bandwidth of the connection and its performance are measured with vnstat [vnstat], which produces graphs displaying our utilization. The steps are described in the section Methods.
Finally, the measurement results for the different proposals will help us identify the most beneficial proposal for the above scenario, which is stated in the Conclusion section.
Moreover, after each attack test the virtual server environment is restarted, because the server needs time to recover after an attack.
Because of the requirements of our scenario, we need to limit the internet connection to 2 Mbit/s and to provide graphs that help us, together with the measurement results, to conclude which proposal is more effective. Therefore, Method 1 describes the steps by which we limited the connection bandwidth, and Method 2 provides a setup that helps in measuring the speed and the bandwidth.
To limit the internet traffic of the server, we carry out the following steps in the command prompt. The solution is taken from the Oracle VirtualBox manual, Chapter 8 [User Manual].
Limiting VirtualBox – virtual environment speed of network interface:
Here you need to replace the name of the virtual machine with the real one and specify which network interface adapter you want to limit. In the above illustration only the second network adapter is affected; you then set the limit, which in our case is 2 Mbit/s.
Furthermore, to make sure that the setting has taken effect, please use the following command:
For the results and the information to be aware of, refer to Appendix 1.
We are going to install an application that produces visual graphs of the traffic generated by the script kiddie. The application is vnstat.
In the server virtual environment, type the following command in the command prompt:
The next step is to select which interface should be monitored and graphed. In our case it is eth1, the second network interface. For a more detailed installation process, please refer to the following link:
To check that the installation has finished, open your browser, as shown in Illustration 1, and type in the address bar: http://192.168.56.102/vnstat
Illustration 1: Vnstat PHP interface
The three proposals follow, each described in its own section together with its results. The main criteria on which each script kiddie proposal is graded are: easy-to-use instructions, the most efficient use of the available resources, and whether the script can keep attacking for up to 1 day.
Moreover, the results are provided as two graphs, one for a 5 minute attack and one for a 10 minute attack, which allow us to compare which script performed the attack with more force.
This is the first proposal and its installation instructions: Script kiddie uses a little program to connection-flood the WordPress installation! The program uses Apache autobench to take the site down in seconds.
Guide for the script kiddie:
- Download the program from http://enos.itcollege.ee/~avein/anti2.rar
- Unpack and run AntiXakkerv2.0.exe
- Enter the address for wordpress site and press the button
The above program did not run on the Windows XP virtual machine. Therefore, we have another solution from the same author:
1. Download http://enos.itcollege.ee/~avein/anti.exe, save it on Desktop
2. Open Start menu, select Run and type “cmd” into the box and press enter
3. Drag the anti.exe file to the black box (command line), select the box and type the address of your server (e.g. www.delfi.ee) after anti.exe
For example, if the address for your webserver is 192.168.56.101 type the following:
- Press enter and the site will go down very soon :=) P.S. This is a lightweight version that does not use much bandwidth and is targeted against a bug in the Apache server :)
After running the first proposal we can see that the script kiddie does attack the server, but the server was still reachable after a rather long delay, and we could still access WordPress.
Here are some result graphs.
- 5 minutes attack
Illustration 2: Proposal 1, 5 min, traffic graph
- 10 minutes attack
Illustration 3: Proposal 1, 10 min, traffic graph
On the one hand the script kiddie did attack the server, but on the other hand the server was still accessible. I’d like to conclude by stating that the above script did not meet our needs: it did not stop the server or bring down its responsiveness.
Second proposal and the installation process:
- You (Script kiddie) download the file from http://share.ee/x49176f
- You will get a warning message, but you continue to download anyway
- In Chrome it looks like this
- Execute the file
- Will get a warning but continue
- Will look something like this
- Insert the URL to attack and define how long you want to attack
- Will look like
The script is a basic VBScript that will overwhelm the server with as many connections as are required to keep the server down for as long as you define.
The above script did not work in the laboratory test, because it had a code error. Therefore, for this proposal we are not able to provide result graphs.
The third proposal and its installation process are listed below: There is a free and very easy denial-of-service script written in PHP, called Keep-Dead (Version 1.14). You can download it from the following link: http://www.esrun.co.uk/blog/imp/2011/03/Keep-Dead.zip
It was developed for research purposes, but we can still use it for our scenario. It is primarily meant for use via the terminal, although it will also work if launched via the browser.
- Unpack the Keep-Dead.zip
- Open in notepad or any other text/script editor
- On line #26 change
$target_url = "http://www.example.com/wordpress/?s=%rand%";
to our targeted WordPress blog. We can stop even a certain page or post in WordPress, or use %rand% for a random value to be automatically generated for each individual request
- You can change the maximum number of requests to be made on line #32
- The maximum number of requests to be made per connection can also be changed, on line #37, etc.
- After adjusting the settings to our needs, save the file.
- In the terminal, run the script with the following command:
php -e keep-dead.php
or, if you run XAMPP or another web server, it is possible to run the script from your browser.
- You can terminate the script by pressing CTRL+C in terminal console or stop/close the browser.
For more information or video tutorials please refer to the following link: http://www.esrun.co.uk/blog/keep-alive-dos-script/
If we follow the above steps we can perform proposal 3 of our scenario and make the server stay down for two days or even more.
There are many ways to keep the server down for two days; for me this script is quite easy to use. In addition, the author provided more details, with the following content: In addition to my proposal, please install the following: http://windows.php.net/downloads/releases/php-5.3.8-nts-Win32-VC9-x86.msi In the installation process, in the section “Select the Web Server you wish to setup”, please choose “Do not setup a web server” -> Next, click on the small PHP drop-down icon and select “Entire feature will be installed on local hard drive” (second option) -> Next -> Install
The results and graphs of the above proposal are demonstrated in the next section.
This is the script that actually does the job: it keeps the server down until the script is stopped.
The test results are as follows:
- 5 minutes attack
Illustration 4: Proposal 3, 5 min, traffic graph
- 10 minutes attack
Illustration 5: Proposal 3, 10 min, traffic graph
From the above graphs we can see that the server does get more traffic and that it is attacked by the script kiddie. Illustration 6, below, demonstrates that the server is actually down and no longer responds to requests.
Illustration 6: Proposal 3, server down after trying to reach the blog
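Seen from the defender's side, the traffic described for Proposal 3 (a stream of WordPress search requests, each carrying a different %rand% value) leaves a recognisable pattern in the web server's access log. The following is an added example, not part of the original report or of any tool it mentions; the Apache combined log format, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache combined/common log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (client_ip, timestamp, search_term) for a WordPress search hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, url, _status = m.groups()
    terms = parse_qs(urlsplit(url).query).get("s")   # WordPress search parameter
    if not terms:
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), terms[0]

def flag_search_floods(lines, window=timedelta(seconds=10), min_hits=20, min_unique=0.9):
    """Flag clients sending >= min_hits searches inside `window`, nearly all with distinct terms."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in hits.items():
        events.sort()                                 # order by timestamp
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                            # slide the window forward
            burst = events[start:end + 1]
            unique = len({term for _, term in burst}) / len(burst)
            if len(burst) >= min_hits and unique >= min_unique:
                flagged[ip] = len(burst)              # burst size that tripped the rule
                break
    return flagged

def sample_log():
    """Constructed sample: one client flooding random searches, one ordinary visitor."""
    fmt = '{ip} - - [12/Oct/2011:10:00:{sec:02d} +0300] "GET {url} HTTP/1.1" 200 5120'
    flood = [fmt.format(ip="192.168.56.1", sec=i // 5, url=f"/wordpress/?s=r{i * 7919}")
             for i in range(40)]
    normal = [fmt.format(ip="192.168.56.20", sec=s, url=u) for s, u in
              [(1, "/wordpress/"), (4, "/wordpress/?s=backup"), (9, "/wordpress/?p=1")]]
    return flood + normal

if __name__ == "__main__":
    print(flag_search_floods(sample_log()))
```

The uniqueness ratio is what separates this pattern from a crawler or a user repeating one search; the flagged addresses can then feed a rate limit or firewall rule on the server.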
There are three points that we should consider to see which proposal was most effective and did the job required by the scenario.
First I would like to rate each proposal from 1 to 5. A higher score represents better results, that is, it shows how well the proposal meets our goal of holding the server down for longer than one day. The table below shows which proposal succeeded.
|Proposal 1||Proposal 2||Proposal 3|
On the scoring scale, a server-down score of 3 means that the server was down but was retrievable again after a few seconds, whereas the highest score, 5, means that the server was not retrievable during the proposal test until we shut down or cancelled the script kiddie's process. In addition, Proposal 2 was not able to perform the attack due to a code error, which is why it is graded with a server-down score of 1. Therefore, our winner for this laboratory test is Proposal 3 with the Keep-Dead script.
The next issue I would like to focus on is the network speed, tested with another tool, bmon [Bmon], which shows that the bandwidth did not go over the 2 Mbit/s limit.
In conclusion, the above proposals are good examples that give a view of how, and with which tools, script kiddie techniques are performed and how access to a server is shut down. On the whole, the test shows us how to use tools and methods for measuring network bandwidth and how to limit the transfer rate in a convenient way.
Appendix 1 relates to Method 1; its highlighted points illustrate which information we should check to confirm that the virtual environment's network interface is limited. Appendix 2 covers the installation process of Ubuntu Server 10.04 LTS, WordPress and MySQL.
- Installation media: Ubuntu 10.04 LTS 32bit iso image;
- HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
- NIC1 NAT;
- NIC2 host only (for ssh and http access from host);
- Language used in installation process: English and country Estonia;
- Keyboard Layout English;
- Hostname: pece
- Partition methods: Guided, use entire disk
- Username: pece
- no http proxy
- Default applications
- sudo apt-get install lamp-server^ phpmyadmin
- wget -c http://wordpress.org/latest.tar.gz
- tar xvzf latest.tar.gz
- sudo cp -r wordpress /var/www/wordpress
- sudo nano /var/www/wordpress/wp-config.php (change the settings to your needs)
Script kiddie: Wikipedia, Script Kiddie, October 2011, http://en.wikipedia.org/wiki/Script_kiddie
User Manual: Oracle Corporation, User Manual, 2004-2011, http://www.virtualbox.org/manual/ch08.html
vnstat: http://humdi.net/vnstat/
Bmon: http://www.infradead.org/~tgr/bmon/