1 / 44

Bypassing Intrusion Detection Systems

Bypassing Intrusion Detection Systems. Ron Gula, Founder Network Security Wizards. Ron Gula. Wrote the Dragon IDS Tested, deployed and operated NIDS for major Internet company Designed a DOD network honeypot Technical expert for major IW exercises Penetration tested many networks

daniel_millan
Download Presentation

Bypassing Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bypassing Intrusion Detection Systems Ron Gula, Founder Network Security Wizards

  2. Ron Gula • Wrote the Dragon IDS • Tested, deployed and operated NIDS for major Internet company • Designed a DOD network honeypot • Technical expert for major IW exercises • Penetration tested many networks • Still learning ...

  3. Why this talk? • IDS solutions are not perfect • IDS administrators are not perfect • Security is a process! • Not a person! • Not a product! • Intrusion detection is part of security !!!

  4. Topics • NIDS, HIDS, FW and HP Technology • Technical Bypass Techniques • Practical Bypass Techniques • Conclusions

  5. Network IDS • Searches for patterns in packets • Searches for patterns of packets • Searches for packets that shouldn't be there • May ‘understand’ a protocol for effective pattern searching and anomaly detection • May passively log, alert with SMTP/SNMP or have real-time GUI

  6. Network IDS Limitations • Obtaining packets - topology & encryption • Number of signatures • Quality of signatures • Performance • Network session integrity • Understanding the observed protocol • Disk storage

  7. Jane used the PHF attack! /cgi-bin/phf

  8. Jane did a port sweep! NMAP

  9. Host Based IDS • Signature log analysis • application and system • File integrity checking • MD5 checksums • Enhanced Kernel Security • API access control • Stack security • Network Monitoring Hybrids

  10. Host Based IDS Limitations • Places load on system • Disabling system logging • Kernel modifications to avoid file integrity checking (and other stuff) • Management overhead • Network IDS Limitations

  11. messages xfer access_log secure sendmail

  12. messages xfer One Security Log access_log secure sendmail

  13. Firewalls as an IDS • Excellent source of network probe, attack and misuse information • Detect policy deviations based on access control lists • Some have “NIDS” capabilities

  14. Network Honeypots • Sacrificial system(s) or sophisticated simulations • Any traffic to the honeypot is considered suspicious • If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed

  15. Firewall honeypot HTTP DNS

  16. NIDS fragmentation TCP un-sync Low TTL ‘Max’ MTU HTTP Protocol Telnet Protocol HIDS Kernel Hacks Bypassing stack protection Library Hacks HTTP Logging Technical Bypass Techniques insertion techniques

  17. IP #1 Session #1 IP #2 Session #2 IP #3 Session #3 FRAGMENT QUEUE SESSION QUEUE NIDS

  18. IP #1 Session #1 IP #2 Session #2 IP #3 Session #3 FRAGMENT QUEUE SESSION QUEUE NIDS

  19. Bypassing NIDS - Fragmentation • NIDS must reconstruct fragments • Maintain state = drain on resources • Must overwrite correctly = more drain on resources • Target server correctly de-frags • Attack #1 - just fragment • Attack #2 - frag with overwrite • Attack #3 - start an attack, follow with many false attacks, finish the first attack

  20. Bypassing NIDS - TCP un-sync • Inject a packet with a bad TCP checksum • fake ‘FIN’ packet • Inject a packet with a weird TCP sequence number • step up • wrapping numbers

  21. Bypassing NIDS - Low TTL WWW NIDS 3 2 1

  22. Bypassing NIDS - Max ‘MTU’ Segment with MTU = 1300 WWW NIDS 1350 byte packet with DF = 1

  23. Bypassing NIDS - HTTP Proto • ‘/’ padding: “/cgi-bin///phf” • Self referencing directories: “/cgi- bin/./phf” • URL Encoding: “%2fcgi-bin/phf” • Reverse Traversal: “/cgi-bin/here/../phf” • TAB instead of spaces removal • DOS/Win syntax: “/cgi-bin\phf” • Null method: “GET%00/cgi-bin/phf”

  24. Bypassing NIDS - Telnet Proto • Strip out Telnet codes • Automatic proxies which add random characters followed by backspace • “su X{backspace}root”

  25. Bypassing NIDS - Resources • Tools • Whisker - Rain Forest Puppy http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2 • Fragrouter - Dug Song http://www.anzen.com/research/nidsbench/ • Congestant - horizon, Phrack 54 • Papers • “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham http://secinf.net/info/ids/idspaper/idspaper.html • Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

  26. Bypassing HIDS - Kernel Hacks • Windows NT • 4 byte patch that removes all security restrictions from objects within the NT domain. • Could use access to disable or manipulate HIDS • Linux - “itfs.c” - kernel module • - not in /proc/modules • - hides a sniffer • - hides files • - hides processes • - redirects execve() • - socket backdoor • - magic setuid gets root

  27. Bypassing HIDS - Stack Protection • Stackguard • A ‘canary’ is placed next to return address • Program halts and logs if canary is altered • Canary can be random or terminating • Bypass: overwrite return address without touching canary • Fix: XOR the return address and the canary • Point: Yet another example of an arms race

  28. Bypassing HIDS - Library Hacks • Environment variables which redirect shared library locations • Library has a ‘wrapper’ run by a privileged program • Two choices • Provide certain APIs with original copies of Trojan files • Redirect certain APIs to completely different files

  29. Bypassing HIDS - HTTP Logging • The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis

  30. Bypassing HIDS - Resources • Phrack 51 • “Shared Library Redirection Techniques”,halflife,<halflife@infonexus.com> • “Bypassing Integrity Checking Systems”,halflife,<halflife@infonexus.com> • Phrack 52 • “Weakening the Linux Kernel”, plaguez <dube0866@eurobretagne.fr> • Phrack 55 • “A real NT Rootkit, patching the NT Kernel”, Greg Hoglund <hoglund@ieway.com> • Phrack 56 • “Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare • “Backdooring Binary Objects”, <klog@promisc.org> • “Bypassing Stackguard and Stackshield”, Bulba & Kil3r <lam3rz@hert.org> • Stackguard - http://www.immunix.org/documentation.html

  31. NIDS identifying avoiding overwhelming “slow roll” “distributed scanning” HIDS identifying log deletion log modification Generic Social DOS Practical Bypass Techniques

  32. NIDS - Identifying • Is it in DNS? • Does it shoot down connections? • Is the sniffing interface detectable? • Is it running on a big red box labeled “IDS”? • Can the alert messages be observed?

  33. NIDS - Identifying • Any open ports that match a known IDS? • Has the target posted to an IDS saying, “We use product XYZ?” • Do they have a “This site protected by XYZ” message on their web site?

  34. NIDS - Avoiding • Are there other routes into the network? • Is there an encrypted path? • Modem dial in? • Alternate transport layer? (GRE ???) • Is there an attack not detected by the IDS? • Is there a technical bypass technique that is not detected by the IDS?

  35. NIDS - Overwhelming • Send as many false attacks as possible while still doing the real attack • May overload console • May drop packets • Admins may not believe there is a threat • Send packets that “cost” the NIDS CPU cycles to process • Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum

  36. NIDS - ‘Slow Roll’ • Port scans and sweeps • Obvious: incremental destination ports • Trivial: randomized ports • Sweep: one port and many addresses • Stealthy: random ports and addresses over time

  37. Plotting all destination ports from one source IP to a target network … P o r t s Port scan Port sweep IP addresses

  38. random Simple port walk Still maps out a network with one IP address P o r t s IP addresses

  39. MASTER SLAVES SLAVES Target sees traffic from many addresses

  40. HIDS - Identifying • Almost always after on a system ... • Is there anything in the system logs? • What ports are open? • What is running out of CRON? • What is in the NT registry? • What programs are running?

  41. HIDS - Logs • Simple log deletion may be possible • Simple log altering may also be possible • replace IP addresses to mislead • delete key logs • Logging may be disabled or intercepted • Removing syslog from services

  42. Generic - Social • Physical access • Obtaining “official” access • Getting others to hack/scan site for you • IRC & chat groups • Hacker challengers • Run the IDS ……

  43. Generic - DOS • Find the main ‘server’ • Kill it • IP Bomb • Port bomb • IDS DOS • Find the clients

  44. Contact Information • rgula@securitywizards.com • http://www.securitywizards.com

More Related