Bypassing Intrusion Detection Systems - PowerPoint PPT Presentation

1 / 44

About This Presentation

Title:

Bypassing Intrusion Detection Systems

Description:

Jane used. the PHF. attack! NMAP. Jane did. a port. sweep! Host Based IDS. Signature log analysis ... follow with many false attacks, finish the first attack ... – PowerPoint PPT presentation

Number of Views:90

Avg rating:3.0/5.0

Slides: 45

Provided by: rong89

Category:

more less

Transcript and Presenter's Notes

Title: Bypassing Intrusion Detection Systems

1
Bypassing Intrusion Detection Systems

Ron Gula, Founder
Network Security Wizards

2
Ron Gula

Wrote the Dragon IDS
Tested, deployed and operated NIDS for major
Internet company
Designed a DOD network honeypot
Technical expert for major IW exercises
Penetration tested many networks
Still learning ...

3
Why this talk?

IDS solutions are not perfect
IDS administrators are not perfect
Security is a process!
Not a person!
Not a product!
Intrusion detection is part of security !!!

4
Topics

NIDS, HIDS, FW and HP Technology
Technical Bypass Techniques
Practical Bypass Techniques
Conclusions

5
Network IDS

Searches for patterns in packets
Searches for patterns of packets
Searches for packets that shouldn't be there
May understand a protocol for effective pattern
searching and anomaly detection
May passively log, alert with SMTP/SNMP or have
real-time GUI

6
Network IDS Limitations

Obtaining packets - topology encryption
Number of signatures
Quality of signatures
Performance
Network session integrity
Understanding the observed protocol
Disk storage

7
Jane used the PHF attack!
/cgi-bin/phf
8
Jane did a port sweep!
NMAP
9
Host Based IDS

Signature log analysis
application and system
File integrity checking
MD5 checksums
Enhanced Kernel Security
API access control
Stack security
Network Monitoring Hybrids

10
Host Based IDS Limitations

Places load on system
Disabling system logging
Kernel modifications to avoid file integrity
checking (and other stuff)
Management overhead
Network IDS Limitations

11
messages
xfer
access_log
secure
sendmail
12
messages
xfer
One Security Log
access_log
secure
sendmail
13
Firewalls as an IDS

Excellent source of network probe, attack and
misuse information
Detect policy deviations based on access control
lists
Some have NIDS capabilities

14
Network Honeypots

Sacrificial system(s) or sophisticated
simulations
Any traffic to the honeypot is considered
suspicious
If a scanner bypassed the NIDS, HIDS and
firewalls, they still may not know that a
Honeypot has been deployed

15
Firewall
honeypot
HTTP
DNS
16
Technical Bypass Techniques

NIDS
fragmentation
TCP un-sync
Low TTL
Max MTU
HTTP Protocol
Telnet Protocol

HIDS
Kernel Hacks
Bypassing stack protection
Library Hacks
HTTP Logging

insertion techniques
17
IP 1
Session 1
IP 2
Session 2
IP 3
Session 3
FRAGMENT QUEUE
SESSION QUEUE
NIDS
18
IP 1
Session 1
IP 2
Session 2
IP 3
Session 3
FRAGMENT QUEUE
SESSION QUEUE
NIDS
19
Bypassing NIDS - Fragmentation

NIDS must reconstruct fragments
Maintain state drain on resources
Must overwrite correctly more drain on
resources
Target server correctly de-frags
Attack 1 - just fragment
Attack 2 - frag with overwrite
Attack 3 - start an attack, follow with many
false attacks, finish the first attack

20
Bypassing NIDS - TCP un-sync

Inject a packet with a bad TCP checksum
fake FIN packet
Inject a packet with a weird TCP sequence number
step up
wrapping numbers

21
Bypassing NIDS - Low TTL
NIDS
WWW
1
2
3
22
Bypassing NIDS - Max MTU
Segment with MTU 1300
NIDS
WWW
1350 byte packet with DF 1
23
Bypassing NIDS - HTTP Proto

/ padding /cgi-bin///phf
Self referencing directories /cgi- bin/./phf
URL Encoding 2fcgi-bin/phf
Reverse Traversal /cgi-bin/here/../phf
TAB instead of spaces removal
DOS/Win syntax /cgi-bin\phf
Null method GET00/cgi-bin/phf

24
Bypassing NIDS - Telnet Proto

Strip out Telnet codes
Automatic proxies which add random characters
followed by backspace
su Xbackspaceroot

25
Bypassing NIDS - Resources

Tools
Whisker - Rain Forest Puppy http//www.wiretrip.ne
t/rfp/p/doc.asp?id21iface2
Fragrouter - Dug Song http//www.anzen.com/researc
h/nidsbench/
Congestant - horizon, Phrack 54
Papers
Insertion, Evasion and Denial of Service
Eluding Network Intrusion Detection, Tom Ptacek,
Timothy Newsham http//secinf.net/info/ids/idspape
r/idspaper.html
Bro information ftp//ftp.ee.lbl.gov/papers/bro-C
N99.ps.gz

26
Bypassing HIDS - Kernel Hacks

Windows NT
4 byte patch that removes all security
restrictions from objects within the NT domain.
Could use access to disable or manipulate HIDS
Linux - itfs.c - kernel module

- not in /proc/modules - hides a sniffer - hides
files - hides processes
- redirects execve() - socket backdoor - magic
setuid gets root
27
Bypassing HIDS - Stack Protection

Stackguard
A canary is placed next to return address
Program halts and logs if canary is altered
Canary can be random or terminating
Bypass overwrite return address without touching
canary
Fix XOR the return address and the canary
Point Yet another example of an arms race

28
Bypassing HIDS - Library Hacks

Environment variables which redirect shared
library locations
Library has a wrapper run by a privileged
program
Two choices
Provide certain APIs with original copies of
Trojan files
Redirect certain APIs to completely different
files

29
Bypassing HIDS - HTTP Logging

The anti-NIDS HTTP techniques also may work for
host based IDS tools which do log analysis

30
Bypassing HIDS - Resources

Phrack 51
Shared Library Redirection Techniques,halflife,lt
halflife_at_infonexus.comgt
Bypassing Integrity Checking Systems,halflife,lth
alflife_at_infonexus.comgt
Phrack 52
Weakening the Linux Kernel, plaguez
ltdube0866_at_eurobretagne.frgt
Phrack 55
A real NT Rootkit, patching the NT Kernel, Greg
Hoglund lthoglund_at_ieway.comgt
Phrack 56
Shared Library Call Redirection via ELF PLT
Infection, Silvio Cesare
Backdooring Binary Objects, ltklog_at_promisc.orggt
Bypassing Stackguard and Stackshield, Bulba
Kil3r ltlam3rz_at_hert.orggt
Stackguard - http//www.immunix.org/documentation.
html

31
Practical Bypass Techniques

NIDS
identifying
avoiding
overwhelming
slow roll
distributed scanning

HIDS
identifying
log deletion
log modification
Generic
Social
DOS

32
NIDS - Identifying

Is it in DNS?
Does it shoot down connections?
Is the sniffing interface detectable?
Is it running on a big red box labeled IDS?
Can the alert messages be observed?

33
NIDS - Identifying

Any open ports that match a known IDS?
Has the target posted to an IDS saying, We use
product XYZ?
Do they have a This site protected by XYZ
message on their web site?

34
NIDS - Avoiding

Are there other routes into the network?
Is there an encrypted path?
Modem dial in?
Alternate transport layer? (GRE ???)
Is there an attack not detected by the IDS?
Is there a technical bypass technique that is not
detected by the IDS?

35
NIDS - Overwhelming

Send as many false attacks as possible while
still doing the real attack
May overload console
May drop packets
Admins may not believe there is a threat
Send packets that cost the NIDS CPU cycles to
process
Fragmented, overlapping, de-synchronized web
attacks with the occasional bad checksum

36
NIDS - Slow Roll

Port scans and sweeps
Obvious incremental destination ports
Trivial randomized ports
Sweep one port and many addresses
Stealthy random ports and addresses over time

37
Plotting all destination ports from one source
IP to a target network
P o r t s
Port scan
Port sweep
IP addresses
38
random
Simple port walk
Still maps out a network with one IP address
P o r t s
IP addresses
39
MASTER
SLAVES
SLAVES
Target sees traffic from many addresses
40
HIDS - Identifying