Bypassing Intrusion Detection Systems - PowerPoint PPT Presentation
Bypassing Intrusion Detection Systems. Ron Gula, Founder, Network Security Wizards. Ron Gula: wrote the Dragon IDS; tested, deployed and operated NIDS for a major Internet company; designed a DOD network honeypot; technical expert for major IW exercises; penetration tested many networks.

Presentation Transcript

Bypassing Intrusion Detection Systems

Ron Gula, Founder

Network Security Wizards

Ron Gula
  • Wrote the Dragon IDS
  • Tested, deployed and operated NIDS for major Internet company
  • Designed a DOD network honeypot
  • Technical expert for major IW exercises
  • Penetration tested many networks
  • Still learning ...
Why this talk?
  • IDS solutions are not perfect
  • IDS administrators are not perfect
  • Security is a process!
    • Not a person!
    • Not a product!
    • Intrusion detection is part of security !!!
Topics
  • NIDS, HIDS, FW and HP Technology
  • Technical Bypass Techniques
  • Practical Bypass Techniques
  • Conclusions
Network IDS
  • Searches for patterns in packets
  • Searches for patterns of packets
  • Searches for packets that shouldn't be there
  • May ‘understand’ a protocol for effective pattern searching and anomaly detection
  • May passively log, alert with SMTP/SNMP or have real-time GUI
Network IDS Limitations
  • Obtaining packets - topology & encryption
  • Number of signatures
  • Quality of signatures
  • Performance
  • Network session integrity
  • Understanding the observed protocol
  • Disk storage
Slide 7 (diagram): NIDS alert example, “Jane used the PHF attack!”, raised on a request for /cgi-bin/phf

Slide 8 (diagram): NIDS alert example, “Jane did a port sweep!”, raised on NMAP traffic

Host Based IDS
  • Signature log analysis
    • application and system
  • File integrity checking
    • MD5 checksums
  • Enhanced Kernel Security
    • API access control
    • Stack security
  • Network Monitoring Hybrids
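The “File integrity checking” bullet above is the host-side check that a stored checksum per file still matches the file on disk. The following is an added example (not code from Gula, from the Dragon IDS or from any product the deck names) of that check: it takes a baseline of a directory tree, then reports which files were modified, removed or added. It constructs its own sample tree in a temporary directory, and it substitutes SHA-256 for the MD5 the slide names.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithm="sha256"):
    """Digest one file in chunks. The slide says MD5; SHA-256 is used here
    (an editorial substitution) because MD5 collisions are practical today."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file below root (slash-separated relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Report files whose digest changed, files that vanished and files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario in a temporary directory: take a baseline, then
    replace one binary, delete another and drop in a new file, and re-check."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "ls"), "original ls\n")
        _write(os.path.join(root, "bin", "ps"), "original ps\n")
        _write(os.path.join(root, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)          # taken while the tree is still trusted

        _write(os.path.join(root, "bin", "ps"), "replaced ps\n")   # modified
        os.remove(os.path.join(root, "bin", "ls"))                  # removed
        _write(os.path.join(root, "bin", "helper"), "new file\n")   # added
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The baseline has to be kept somewhere the monitored host cannot rewrite (read-only media or another machine), and the checker is only as honest as the kernel it runs on: a kernel module that hides files, as the deck's Kernel Hacks slide describes, makes a baseline entry show up as “removed” even though the file is still there, which is itself worth alerting on, while a kernel that hands the original bytes back to open() defeats the digest entirely. That is the limitation the deck lists under Host Based IDS Limitations.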
Host Based IDS Limitations
  • Places load on system
  • Disabling system logging
  • Kernel modifications to avoid file integrity checking (and other stuff)
  • Management overhead
  • Network IDS Limitations
Slide 11 (diagram): separate host log sources: messages, xfer, access_log, secure, sendmail

Slide 12 (diagram): the same sources (messages, xfer, access_log, secure, sendmail) feeding one security log
Firewalls as an IDS
  • Excellent source of network probe, attack and misuse information
  • Detect policy deviations based on access control lists
  • Some have “NIDS” capabilities
Network Honeypots
  • Sacrificial system(s) or sophisticated simulations
  • Any traffic to the honeypot is considered suspicious
  • If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed
Slide 15 (diagram): a firewall, a honeypot, and HTTP and DNS services
Technical Bypass Techniques
  • NIDS (insertion techniques)
    • fragmentation
    • TCP un-sync
    • Low TTL
    • ‘Max’ MTU
    • HTTP Protocol
    • Telnet Protocol
  • HIDS
    • Kernel Hacks
    • Bypassing stack protection
    • Library Hacks
    • HTTP Logging
Slides 17 and 18 (diagram): NIDS internal state, showing a FRAGMENT QUEUE holding IP #1, IP #2 and IP #3 and a SESSION QUEUE holding Session #1, Session #2 and Session #3
Bypassing NIDS - Fragmentation
  • NIDS must reconstruct fragments
    • Maintain state = drain on resources
    • Must overwrite correctly = more drain on resources
  • Target server correctly de-frags
  • Attack #1 - just fragment
  • Attack #2 - frag with overwrite
  • Attack #3 - start an attack, follow with many false attacks, finish the first attack
Bypassing NIDS - TCP un-sync
  • Inject a packet with a bad TCP checksum
    • fake ‘FIN’ packet
  • Inject a packet with a weird TCP sequence number
    • step up
    • wrapping numbers
Bypassing NIDS - Max ‘MTU’
  • Diagram: a WWW server, the NIDS, a network segment with MTU = 1300, and a 1350 byte packet sent with DF = 1
Bypassing NIDS - HTTP Proto
  • ‘/’ padding: “/cgi-bin///phf”
  • Self referencing directories: “/cgi-bin/./phf”
  • URL Encoding: “%2fcgi-bin/phf”
  • Reverse Traversal: “/cgi-bin/here/../phf”
  • TAB instead of spaces removal
  • DOS/Win syntax: “/cgi-bin\phf”
  • Null method: “GET%00/cgi-bin/phf”
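Every variant on this slide reaches the same file on the server while defeating a byte-for-byte match on “/cgi-bin/phf”. The defender's answer is to canonicalize the request line before applying signatures, and the following added example (written for this page; not Gula's code and not how Dragon or any named product implements it) does that for the seven forms listed: it collapses ‘/’ padding and ‘.’ segments, percent-decodes repeatedly, resolves ‘..’, maps backslashes to slashes, accepts TAB as a separator and splits a method at a NUL. Assumptions, marked in the comments: the query string is dropped before decoding, and a NUL byte ends the path as it does on C string based servers of the era.

```python
import re
from urllib.parse import unquote

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}


def percent_decode(s):
    """Decode %xx sequences until the string stops changing, so a
    double-encoded "%252fcgi-bin" still ends up as "/cgi-bin"."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s


def normalize_path(path):
    """Reduce the variants listed on the slide to one canonical path."""
    p = path.split("?", 1)[0]             # assumption: query string is split off before decoding
    p = percent_decode(p)                 # URL encoding: "%2fcgi-bin/phf"
    p = p.replace("\\", "/")              # DOS/Win syntax: "/cgi-bin\phf"
    p = p.split("\x00", 1)[0]             # assumption: a NUL ends the path, as on C string servers
    segments = []
    for seg in p.split("/"):
        if seg in ("", "."):              # '/' padding and self-referencing directories
            continue
        if seg == "..":                   # reverse traversal: "/cgi-bin/here/../phf"
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_request_line(line):
    """Return (METHOD, canonical path) for one HTTP request line."""
    tokens = re.split(r"[ \t]+", line.strip())   # TAB is accepted where a space is expected
    first = percent_decode(tokens[0])
    if "\x00" in first:                           # null method: "GET%00/cgi-bin/phf" is one token
        method, _, rest = first.partition("\x00")
        tokens = [method] + ([rest] if rest else []) + tokens[1:]
    else:
        tokens[0] = first
    if tokens[0].upper() in HTTP_METHODS:
        method = tokens[0].upper()
        path = tokens[1] if len(tokens) > 1 else "/"
    else:                                         # bare URI with no method
        method, path = "", tokens[0]
    return method, normalize_path(path)


def matches_signature(line, signature="/cgi-bin/phf"):
    """Signature check on the canonical path rather than on the raw bytes."""
    _, path = normalize_request_line(line)
    return path == signature


if __name__ == "__main__":
    for probe in ("GET /cgi-bin///phf HTTP/1.0", "GET %2fcgi-bin/phf HTTP/1.0",
                  "GET\t/cgi-bin/here/../phf\tHTTP/1.0", "GET%00/cgi-bin/phf"):
        print(repr(probe), "->", normalize_request_line(probe), matches_signature(probe))
```

The check is only as good as its model of the target server: the canonical form must be the one the server actually resolves, so a NIDS watching Windows web servers would also need to fold case, and one watching servers that reject NUL bytes should alert on the NUL itself rather than silently trimming it.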
Bypassing NIDS - Telnet Proto
  • Strip out Telnet codes
  • Automatic proxies which add random characters followed by backspace
    • “su X{backspace}root”
Bypassing NIDS - Resources
  • Tools
    • Whisker - Rain Forest Puppy http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
    • Fragrouter - Dug Song http://www.anzen.com/research/nidsbench/
    • Congestant - horizon, Phrack 54
  • Papers
    • “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham http://secinf.net/info/ids/idspaper/idspaper.html
    • Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz
Bypassing HIDS - Kernel Hacks
  • Windows NT
    • 4 byte patch that removes all security restrictions from objects within the NT domain.
    • Could use access to disable or manipulate HIDS
  • Linux - “itfs.c” - kernel module
    • not in /proc/modules
    • hides a sniffer
    • hides files
    • hides processes
    • redirects execve()
    • socket backdoor
    • magic setuid gets root
Bypassing HIDS - Stack Protection
  • Stackguard
    • A ‘canary’ is placed next to return address
    • Program halts and logs if canary is altered
    • Canary can be random or terminating
    • Bypass: overwrite return address without touching canary
    • Fix: XOR the return address and the canary
    • Point: Yet another example of an arms race
Bypassing HIDS - Library Hacks
  • Environment variables which redirect shared library locations
  • Library has a ‘wrapper’ run by a privileged program
  • Two choices
    • Provide certain APIs with original copies of Trojan files
    • Redirect certain APIs to completely different files
Bypassing HIDS - HTTP Logging
  • The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis
Bypassing HIDS - Resources
  • Phrack 51
    • “Shared Library Redirection Techniques”, halflife <halflife@infonexus.com>
    • “Bypassing Integrity Checking Systems”, halflife <halflife@infonexus.com>
  • Phrack 52
    • “Weakening the Linux Kernel”, plaguez <dube0866@eurobretagne.fr>
  • Phrack 55
    • “A real NT Rootkit, patching the NT Kernel”, Greg Hoglund <hoglund@ieway.com>
  • Phrack 56
    • “Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare
    • “Backdooring Binary Objects”, <klog@promisc.org>
    • “Bypassing Stackguard and Stackshield”, Bulba & Kil3r <lam3rz@hert.org>
  • Stackguard - http://www.immunix.org/documentation.html
Practical Bypass Techniques
  • NIDS
    • identifying
    • avoiding
    • overwhelming
    • “slow roll”
    • “distributed scanning”
  • HIDS
    • identifying
    • log deletion
    • log modification
  • Generic
    • Social
    • DOS
NIDS - Identifying
  • Is it in DNS?
  • Does it shoot down connections?
  • Is the sniffing interface detectable?
  • Is it running on a big red box labeled “IDS”?
  • Can the alert messages be observed?
NIDS - Identifying
  • Any open ports that match a known IDS?
  • Has the target posted to an IDS saying, “We use product XYZ?”
  • Do they have a “This site protected by XYZ” message on their web site?
NIDS - Avoiding
  • Are there other routes into the network?
    • Is there an encrypted path?
    • Modem dial in?
    • Alternate transport layer? (GRE ???)
  • Is there an attack not detected by the IDS?
  • Is there a technical bypass technique that is not detected by the IDS?
NIDS - Overwhelming
  • Send as many false attacks as possible while still doing the real attack
    • May overload console
    • May drop packets
    • Admins may not believe there is a threat
  • Send packets that “cost” the NIDS CPU cycles to process
    • Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum
NIDS - ‘Slow Roll’
  • Port scans and sweeps
    • Obvious: incremental destination ports
    • Trivial: randomized ports
    • Sweep: one port and many addresses
    • Stealthy: random ports and addresses over time
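The four scan styles above differ only in how much per-source state a detector has to keep before the pattern becomes visible, which is what the slide's “over time” turns on. The following added example (constructed for this page, not Gula's code or the Dragon IDS logic) runs a per-source sliding-window detector over constructed connection-attempt records and reports a scan (many ports on one host) or a sweep (one port on many hosts). The thresholds of 10 and the window lengths are assumptions chosen for the demonstration; the sample data contains one fast scan, one sweep and one slow roll, and only the long window catches the slow roll.

```python
from collections import defaultdict


def sample_events():
    """Constructed connection-attempt records: (time_seconds, src, dst, dport).
    Not real traffic; built to show one fast scan, one sweep and one slow roll."""
    events = []
    # fast port scan: 20 ports on one host inside two seconds
    for i in range(20):
        events.append((i // 10, "10.0.0.5", "192.168.1.10", 1 + i))
    # port sweep: port 80 on 15 hosts inside five seconds
    for i in range(15):
        events.append((i // 3, "10.0.0.7", "192.168.1.%d" % (50 + i), 80))
    # slow roll: 12 random-looking ports on one host, ten minutes apart
    slow_ports = [8080, 22, 3389, 139, 443, 21, 25, 110, 53, 23, 1433, 8443]
    for i, port in enumerate(slow_ports):
        events.append((600 * i, "10.0.0.9", "192.168.1.20", port))
    return events


def detect_scans(events, window, port_threshold=10, host_threshold=10):
    """Flag ("scan", src, dst) when one source touches at least port_threshold
    distinct ports on a host, and ("sweep", src, port) when it touches one port
    on at least host_threshold distinct hosts, counting only records that fall
    within `window` seconds of each other."""
    alerts = set()
    by_src = defaultdict(list)
    for t, src, dst, dport in sorted(events):
        by_src[src].append((t, dst, dport))
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, dst, dport in evs[start:end + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    alerts.add(("scan", src, dst))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    alerts.add(("sweep", src, dport))
    return alerts


if __name__ == "__main__":
    ev = sample_events()
    print("60 s window:   ", sorted(detect_scans(ev, window=60)))
    print("24 h window:   ", sorted(detect_scans(ev, window=24 * 3600)))
```

The cost of the longer window is exactly the “Disk storage” and “Performance” limitation from the Network IDS Limitations slide: the detector must remember every source's recent destinations for as long as the window lasts. Distributed scanning (the MASTER/SLAVES slide that follows) attacks the other assumption here, that one scanner equals one source address, and per-source aggregation alone cannot recover it.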
Slide 37 (plot): Plotting all destination ports from one source IP to a target network … Ports on the vertical axis, IP addresses on the horizontal axis; the two patterns are labelled “Port scan” and “Port sweep”

Slide 38 (plot): Simple port walk with random ports; still maps out a network with one IP address. Ports on the vertical axis, IP addresses on the horizontal axis

Slide 39 (diagram): distributed scanning, a MASTER driving several SLAVES; the target sees traffic from many addresses
HIDS - Identifying
  • Almost always done after getting on a system ...
  • Is there anything in the system logs?
  • What ports are open?
  • What is running out of CRON?
  • What is in the NT registry?
  • What programs are running?
HIDS - Logs
  • Simple log deletion may be possible
  • Simple log altering may also be possible
    • replace IP addresses to mislead
    • delete key logs
  • Logging may be disabled or intercepted
    • Removing syslog from services
Generic - Social
  • Physical access
  • Obtaining “official” access
  • Getting others to hack/scan site for you
    • IRC & chat groups
    • Hacker challenges
  • Run the IDS ……
Generic - DOS
  • Find the main ‘server’
  • Kill it
    • IP Bomb
    • Port bomb
    • IDS DOS
  • Find the clients
Contact Information
  • rgula@securitywizards.com
  • http://www.securitywizards.com