
I am working on a project which involves simulating a network attack and using Wireshark to detect the attack: DOS/MIM etc. I have found the following links that provided help, but there are still some ambiguities in attack generation. Can anyone provide a simple method to do so?

http://www.lidi.info.unlp.edu.ar/WorldComp2011-Mirror/SAM4991.pdf https://www.academia.edu/6009916/DETECTION_AND_ANALYSIS_OF_SYN_FLOOD_DDOS_ATTACK_USING_WIRESHARK

@pss Thanks a lot, I have achieved my task using KALI SOFTWARE and deploying a virtual machine. For anyone interested, please know that Wireshark can't detect packets that have the same source and destination address. You need a virtual machine on your system that will be assigned a separate IP address by the router.

Goldriver

1 Answer


First of all, I would recommend that you create a test network and isolate it from the production network.

Creating a test network: It depends upon your budget. If you have a big budget, then buy a couple of systems running Windows and Linux, buy some switches and connect them with network cables.

If the budget is not that big, then try using virtualization tools like VMware Workstation or VirtualBox, etc. Here is a nice paper about making a test lab.

In order to simulate attacks it is good to know how these attacks work and how to detect them. (I assume you know this.) Also, most of these attacks are not very common these days, but for simulation and playing around it will be fun.

For DOS simulation:

DOS attacks usually send a lot of traffic to the victim machine to consume its resources so that the legit users are not able to access the services. A very common traditional example of a DOS attack is a ping flood.

Ping flood: Send a huge amount of ping packets with the packet size as big as possible. In Windows you can specify the data/buffer size too. The command is ping -l. The attacker will use the maximum value.

Detection: The normal ping packet has a default packet size of 32 bytes in the case of Windows. So if you see a lot of ping packets with an unusual buffer size, e.g. 4000, then you could say it could be a ping flood. You can use the PING command to simulate this attack. In Wireshark, create a filter for ICMP Echo packets and check the buffer size.

MAC flooding: In this attack the attacker will transmit a lot of ARP packets to fill up the switch's CAM table. This causes the switch to operate in fail-open mode, which means that the switch will broadcast the incoming packet to all the ports.

Detection: If you see a lot of ARP requests coming from random source MAC addresses, then you can assume it is ARP flooding. This is not an ideal detection method. But still, if you have only 3-4 devices in your network and in contrast you are seeing many ARP requests with different source addresses, then it could be ARP flooding, because 3-4 devices are not going to make a huge number of ARP requests with different source MAC addresses. You can use some ARP flooding tool for simulation. In Wireshark, create a filter for ARP requests to see the ARP request frames.

ARP spoofing: In this case you shall associate your MAC address with the victim's IP address by sending a specially crafted ARP frame! If the attack is successful, then all traffic that was destined for the victim's IP will now be redirected to you. Currently I have no idea how you can detect this attack with just Wireshark. What you could try is to make a filter for all the ARP probes/requests and then check for which source IP address the source MAC address has changed in the ARP probes.

Detection: This is not an ideal detection method, because it could produce a false positive if someone has merely replaced a machine in the network. But if you assume that no machine is replaced in the network, then this method could help to detect the attack.

Tools for simulating the attacks: I would recommend using Kali Linux; it contains a lot of tools. There are some tools that can help you:

Ping flooding tool: Nping

MAC flooding tool: Macof

ARP spoofing tool: dSniff

Also, here is a good article regarding tools!

I hope it helps.

ρss
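The three detection checks the answer above describes (oversized ICMP echo requests, many distinct source MACs in ARP requests, and an IP address whose ARP sender MAC changes), as an added Python example that is not part of the original answer or of Wireshark. It runs offline over a constructed list of packet summaries shaped like the fields you would read off a Wireshark capture; the Pkt class, the thresholds (the 32-byte Windows ping default quoted above, 4 expected hosts, 20 oversized pings) and every address in the sample are assumptions made for the example.

```python
# Added example: offline detectors for the three patterns in the answer, run over
# a constructed packet-summary list that mimics Wireshark capture fields.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Pkt:
    """One captured frame, reduced to the fields the three checks need (assumed layout)."""
    proto: str                 # "ICMP" or "ARP"
    src_mac: str               # Ethernet source address
    src_ip: str = ""           # IP source (ICMP only)
    icmp_type: int = -1        # 8 = echo request (ICMP only)
    icmp_data_len: int = 0     # bytes in the ICMP Data field (ICMP only)
    arp_opcode: int = 0        # 1 = request, 2 = reply (ARP only)
    arp_sender_mac: str = ""   # ARP sender hardware address (ARP only)
    arp_sender_ip: str = ""    # ARP sender protocol address (ARP only)


def detect_ping_flood(pkts, normal_data_len=32, min_count=20):
    """Equivalent of filtering icmp.type == 8 and eyeballing the Data size.
    Returns {src_ip: count} for sources that sent at least min_count echo
    requests whose Data field exceeds the normal (Windows default 32-byte) size."""
    big = Counter(p.src_ip for p in pkts
                  if p.proto == "ICMP" and p.icmp_type == 8
                  and p.icmp_data_len > normal_data_len)
    return {ip: n for ip, n in big.items() if n >= min_count}


def detect_arp_flood(pkts, expected_hosts=4):
    """Equivalent of filtering arp.opcode == 1 and counting distinct sender MACs.
    Far more distinct senders than hosts you actually own suggests a MAC/ARP flood."""
    senders = {p.arp_sender_mac for p in pkts if p.proto == "ARP" and p.arp_opcode == 1}
    return {"distinct_senders": len(senders), "flood": len(senders) > expected_hosts}


def detect_arp_spoof(pkts):
    """Track the IP -> MAC binding announced in every ARP frame and report each
    time an already-seen IP shows up with a different sender MAC. The answer's
    caveat applies: a legitimately replaced machine raises the same alert."""
    seen = {}
    changes = []
    for p in pkts:
        if p.proto != "ARP" or not p.arp_sender_ip:
            continue
        old = seen.get(p.arp_sender_ip)
        if old is not None and old != p.arp_sender_mac:
            changes.append((p.arp_sender_ip, old, p.arp_sender_mac))
        seen[p.arp_sender_ip] = p.arp_sender_mac
    return changes


def build_sample():
    """Constructed capture: a little normal traffic, then the three attack patterns."""
    gw_mac, pc_mac, atk_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "02:00:00:00:be:ef"
    pkts = []
    # Normal: gateway replies, one PC asks, PC pings the gateway with the 32-byte default.
    pkts.append(Pkt("ARP", gw_mac, arp_opcode=2, arp_sender_mac=gw_mac, arp_sender_ip="192.168.1.1"))
    pkts.append(Pkt("ARP", pc_mac, arp_opcode=1, arp_sender_mac=pc_mac, arp_sender_ip="192.168.1.25"))
    pkts += [Pkt("ICMP", pc_mac, "192.168.1.25", icmp_type=8, icmp_data_len=32) for _ in range(4)]
    # Ping flood pattern: 25 echo requests carrying a 4000-byte Data field.
    pkts += [Pkt("ICMP", atk_mac, "192.168.1.50", icmp_type=8, icmp_data_len=4000) for _ in range(25)]
    # MAC/ARP flood pattern: 50 ARP requests, each from a different made-up source MAC.
    for i in range(50):
        fake = f"02:00:00:00:{i:02x}:{i:02x}"
        pkts.append(Pkt("ARP", fake, arp_opcode=1, arp_sender_mac=fake, arp_sender_ip=f"10.9.{i}.1"))
    # ARP spoof pattern: the gateway's IP is now announced with a different MAC.
    pkts.append(Pkt("ARP", atk_mac, arp_opcode=2, arp_sender_mac=atk_mac, arp_sender_ip="192.168.1.1"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("ping flood sources:", detect_ping_flood(sample))
    print("ARP flood:", detect_arp_flood(sample))
    print("ARP binding changes:", detect_arp_spoof(sample))
```

To use this against a real lab capture, export the ICMP and ARP packets from Wireshark and map the exported columns onto Pkt; the thresholds are deliberately simple and should be tuned to the size of your test network, since the checks for ARP flooding and ARP spoofing are only as good as your assumption about how many hosts exist and that none were replaced.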
  • 1. How do I create a test network? 2. Is there any software that generates any of the attacks that you have mentioned above, and can Wireshark easily detect them in the traffic that will be passing in the test network? – Goldriver Jun 09 '15 at 13:01
  • I have been trying to do the following before you edited your post: 1. I tried this command in my cmd, "ping -n 20 -l 7000 192.168.1.25", in the hope of sending two packets with an unusual size and getting them detected by Wireshark. In Wireshark, I typed "icmp" to filter out the echo packets, but couldn't find any packet with the same source and destination address. – Goldriver Jun 09 '15 at 15:16
  • Is the above method a correct way to generate and detect a ping flooding attack? – Goldriver Jun 09 '15 at 17:27
  • Are you sure that Wireshark is sniffing on the correct network interface? – ρss Jun 09 '15 at 17:32
  • Yes, when I start Wireshark and click on the interfaces tab, it shows only two options, Microsoft and Realtek. In the Microsoft option, the packets are increasing, implying communication, while on the Realtek there are only 0 packets. – Goldriver Jun 09 '15 at 17:42
  • Did the ping command work in the cmd? It's strange that ICMP packets are not shown. – ρss Jun 09 '15 at 17:45
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/24632/discussion-between-goldriver-and-ss). – Goldriver Jun 09 '15 at 17:53