Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
SYN flooding takes advantage of a flaw with regard to how most hosts implement the TCP three-way handshake. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, the connection establishes with the TCP three-way handshake, and the host keeps track of the partially open connections while waiting in a listening queue for response ACK packets.
Metasploit is a penetration testing platform that allows a user to find, exploit, and validate vulnerabilities. Also, it provides the infrastructure, content, and tools to conduct penetration tests and comprehensive security auditing. The Metasploit framework has numerous auxiliary module scripts that can be used to perform DoS attacks.
Here, we will use the Metasploit tool to perform a DoS attack (SYN flooding) on a target host.
-We will use the Parrot Security (10.10.10.13) machine to perform SYN flooding on the Windows 10 (10.10.10.10) machine through port 21.
-Click switch to the Parrot Security machine.
-Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
-A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
-The password that you type will not be visible.
Now, type cd and press Enter to jump to the root directory.
-First, determine whether port 21 is open or not. This involves using Nmap to determine the state of the port.
-On the Parrot Terminal window, type nmap -p 21 (Target IP address) (here, target IP address is 10.10.10.10 [Windows 10]) and press Enter.
-p: specifies the port to be scanned.
-The result appears, displaying the port status as open, as shown in the screenshot.
-Now, we will perform SYN flooding on the target machine (Windows 10) using port 21.
-we will use an auxiliary module of Metasploit called synflood to perform a DoS attack on the target machine.
-Type msfconsole from a command-line terminal and press Enter to launch msfconsole.
-In the msf command line, type use auxiliary/dos/tcp/synflood and press Enter to launch a SYN flood module.
-Now, determine which module options need to be configured to begin the DoS attack.
-Type show options and press Enter. This displays all the options associated with the auxiliary module.
-Here, we will perform SYN flooding on port 21 of the Windows 10 machine by spoofing the IP address of the Parrot Security machine with that of the Windows Server 2019 (10.10.10.19) machine.
-Issue the following commands:
- set RHOST (Target IP Address) (here, 10.10.10.10)
- set RPORT 21
- set SHOST (Spoofable IP Address) (here, 10.10.10.19)
-By setting the SHOST option to the IP address of the Windows Server 2019 machine, you are spoofing the IP address of the Parrot Security machine with that of Windows Server 2019.
-Once the auxiliary module is configured with the required options, start the DoS attack on the Windows 10 machine.
-To do so, type exploit and press Enter. This begins SYN flooding the Windows 10 machine.
-To confirm, click Windows 10 to switch to the Windows 10 machine
-Double-click Wireshark shortcut present on the Desktop.
-The Wireshark Network Analyzer window appears. Double-click on the primary network interface (here, Ethernet 2) to start capturing the network traffic
-Wireshark displays the traffic coming from the machine. Here, you can observe that the Source IP address is that of the Windows Server 2019 (10.10.10.19) machine. This implies that the IP address of the Parrot Security machine has been spoofed.
-Observe that the target machine (Windows 10) has drastically slowed, implying that the DoS attack is in progress on the machine. If the attack is continued for some time, the machine’s resources will eventually be completely exhausted, causing it to stop responding.
-Once the performance analysis of the machine is complete, click on Parrot Security to switch to the Parrot Security machine and press Ctrl+C to terminate the attack.
-This concludes the demonstration of how to perform SYN flooding on a target host using Metasploit.
