This practice will allow you to better understand spoofing and DoS techniques, as well as their effects in a web environment.
By @rosinni and other contributors at 4Geeks Academy
These instructions are also available in Spanish.
We need you! These exercises are built and maintained in collaboration with contributors such as yourself. If you find any bugs or misspellings please contribute and/or report them.
Do not clone this or any repository; follow the instructions below:
For this specific practice of Spoofing and DoS, it is best to set up the network as an Internal Network, for several reasons:
- Complete isolation: ensures that attack and test activities do not interfere with the production network or other external networks, preventing any unwanted impact on other systems.
- Controlled environment: gives you complete control over the network environment, which makes it easier to monitor and analyze the network traffic generated during the tests.
- Realistic simulation: although isolated, an internal network can effectively simulate a real network environment for Spoofing and DoS practice.
- Oracle VirtualBox
- Virtual machine with Kali Linux (Attacker)
- Virtual machine with Debian (Web Server): Where we have the Apache server and the WordPress site hosted.
- Spoofing and DoS tools installed on virtual machines.
- An isolated network environment.
- Necessary tools: arpspoof, hping3, wireshark
- Open VirtualBox.
- Select your Debian virtual machine and click "Settings".
- Go to the "Network" section.
- Set "Adapter 1" to "Internal Network".
- In the "Name" field, enter a name for the internal network, for example, "LabNetwork".
- Start the machine and check the available network interface and its current settings using the following command in the terminal:
ip addr show
You will generally find lines labeled as eth0, enp0s3, wlan0, etc. The one that is active and has an assigned IP address will be the interface you are using.
- Configure a static IP for the internal network by editing the /etc/network/interfaces file with the following command:
sudo nano /etc/network/interfaces
- Add the following to the file that opens:
auto enp0s3
iface enp0s3 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
- Save the changes and close the editor.
Example configuration for both files (Kali and Debian). Your file may already contain more lines than shown; add any lines from the configuration above that are missing, as they are needed.
- Restart the network service:
sudo systemctl restart networking
- Run ip addr show again and verify that the IP address shown is the one you set in the address line.
- Select your Kali Linux virtual machine and click "Settings".
- Go to the "Network" section.
- Set "Adapter 1" to "Internal Network".
- In the "Name" field, select the same internal network name you used for the Debian machine ("LabNetwork").
- Start the machine and check the available network interface and its current settings using the following command in the terminal:
ip addr show
You will generally find lines labeled as eth0, enp0s3, wlan0, etc. The one that is active and has an assigned IP address will be the interface you are using.
- Configure a static IP for the internal network by editing the /etc/network/interfaces file with the following command:
sudo nano /etc/network/interfaces
- Add the following to the file that opens:
auto eth0
iface eth0 inet static
address 192.168.1.11
netmask 255.255.255.0
gateway 192.168.1.1
- Save the changes and close the editor.
- Restart the network service:
sudo systemctl restart networking
- Run ip addr show again and verify that the IP address shown is the one you set in the address line.
- Open a terminal and ping the Debian machine to verify the connection:
$ ping <IP_debian>
Replace <IP_debian> with the IP address you obtained for the Debian machine.
- Open a terminal and ping the Kali Linux machine to verify the connection:
$ ping <IP_kali>
Replace <IP_kali> with the IP address you obtained for the Kali machine.
Graphical example of how pings look when connected
To carry out this practice, we will use arpspoof. This tool is used to send spoofed ARP packets to the network, making a device (like the Debian machine) believe that the attacker's MAC address (Kali Linux) is the MAC address of the gateway (router). This can be verified by observing the ARP tables on the Debian machine before and after running arpspoof.
- Install arpspoof:
sudo apt update
sudo apt install dsniff
Note: arpspoof is part of the dsniff package.
- Verify if arpspoof is installed:
sudo arpspoof -h
- Run arpspoof to poison the ARP tables of the Debian machine and the gateway:
sudo arpspoof -i <kali_interface> -t <IP_debian> <gateway>
- -i <kali_interface>: Specifies the network interface from which ARP packets will be sent, e.g., eth0.
- -t <IP_debian>: Specifies the victim's IP address (the Debian machine in this case).
- <gateway>: Specifies the gateway's IP address (the one configured earlier in the /etc/network/interfaces file; it is the same for both machines).
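The text above says the poisoning can be verified by comparing the Debian machine's ARP table before and after running arpspoof. The following added script (not part of the original exercise) automates that check from the defender's side: it parses two snapshots in the output format of `ip neigh show` and flags the two symptoms that ARP poisoning leaves behind, the gateway's MAC address changing and one MAC claiming several IP addresses. The snapshots and MAC values in it are constructed for the lab addresses used on this page.

```python
"""Detect signs of ARP spoofing by comparing neighbour-table snapshots."""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # gateway from the lab's /etc/network/interfaces

# Matches lines such as: "192.168.1.1 dev enp0s3 lladdr 08:00:27:10:20:30 REACHABLE"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.IGNORECASE)


def parse_neigh(output):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect_spoofing(before, after, gateway_ip=GATEWAY_IP):
    """Compare two {ip: mac} tables and return a list of findings."""
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    by_mac = defaultdict(set)  # one MAC answering for several IPs is suspicious
    for ip, mac in after.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims {sorted(ips)}")
    return findings


# Constructed snapshots: before arpspoof, and after, when the Kali machine
# (192.168.1.11) answers for the gateway with its own (made-up) MAC.
BEFORE = """\
192.168.1.1 dev enp0s3 lladdr 08:00:27:10:20:30 REACHABLE
192.168.1.11 dev enp0s3 lladdr 08:00:27:ab:cd:ef STALE
"""
AFTER = """\
192.168.1.1 dev enp0s3 lladdr 08:00:27:ab:cd:ef REACHABLE
192.168.1.11 dev enp0s3 lladdr 08:00:27:ab:cd:ef REACHABLE
"""

if __name__ == "__main__":
    for finding in detect_spoofing(parse_neigh(BEFORE), parse_neigh(AFTER)):
        print("ALERT:", finding)
```

On the Debian machine you can feed it real snapshots by saving `ip neigh show` output before and after the exercise and passing those strings to parse_neigh.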
Wireshark is ideal for analyzing network traffic, identifying possible attacks, and monitoring security in a network environment.
- Install Wireshark:
sudo apt update
sudo apt install wireshark
During the installation, you might be asked if non-root users should be able to capture packets. Select "Yes". If you completed the installation without this setting, you can configure it later with:
sudo dpkg-reconfigure wireshark-common
- Add your user to the Wireshark group:
sudo usermod -aG wireshark $USER
NOTE: $USER is the username you use on the Debian virtual machine.
Once the installation is complete, log out and back in to apply the group changes. You can start Wireshark by running:
sudo wireshark
- With Wireshark open, click the "play" button to start capturing packets.
- Apply filters to focus on specific types of traffic, such as ARP, TCP, UDP, etc.
To perform an ICMP flooding attack (ping flood) from Kali to Debian, you can use the following command:
sudo hping3 -1 <IP_debian> -I eth0
- hping3: A command-line tool for generating TCP/IP packets that can be used for various network tests, including port scanning, firewall testing, and network performance testing.
- -1: Puts hping3 in ICMP mode; by default it sends ICMP Echo Request packets, the same packets used by the ping command.
- -I eth0: Specifies the network interface to use for sending the packets. In this case, eth0 is the network interface of the attacking machine.
- With Wireshark open, click the "play" button to start capturing packets.
- While hping3 is running, you can apply a filter to see only the ICMP traffic. The filter is icmp.
- Guide students on the monitoring tools available in Kali Linux, such as htop, to observe the impact of the DoS attack on the WordPress server.
- Students should monitor the WordPress server's responsiveness, error rate, and system resource usage during the attack.
- Discussion on mitigation strategies (10 minutes):
- Cover possible defensive measures, such as using firewalls.
- Conclude with best practices for protecting a WordPress site against real-world DoS and spoofing attacks.
Thanks goes to these wonderful people (emoji key):
- Rosinni Rodríguez (rosinni), contribution: (build-tutorial) ✅, (documentation) 📖
- Alejandro Sanchez (alesanchezr), contribution: (bug reports) 🐛
- Lorena Gubaira (lorenagubaira), contribution: (bug reports) 🐛, (editor), (translation) 🌎
- Tomas Gonzalez (tommygonzaleza), contribution: (editor)
This project follows the all-contributors specification. Contributions of any kind are welcome!
This and many other exercises are built by students as part of the 4Geeks Academy Coding Bootcamp by Alejandro Sánchez and many other contributors. Find out more about our Full Stack Developer Course and Data Science Bootcamp. You can also dive deeper into the world of cybersecurity with our Cybersecurity Bootcamp.