Harden Security Devices Against Increasingly Sophisticated Evasions
Post on 18-Dec-2014
Harden Security Devices Against Increasingly Sophisticated Evasions
BreakingPoint Webcast Wednesday
December 16, 2009
www.breakingpointlabs.com
Introductions/Agenda
• BreakingPoint speakers:
  – Dennis Cox, CTO
  – Todd Manning, Protocol & Security Researcher
  – Dustin D. Trammell, Protocol & Security Researcher
• Quick Glance Agenda:
  – Evasions Overview
  – Evasions in Layer 3, 4, 5, 7 and more
  – Latest evasion techniques
  – How to validate you are protected
  – BreakingPoint Five Keys
Evasion Technique Introduction
• What Is An Evasion?
  – Legitimate permutation of data
    • Data remains valid
    • Data looks different
  – Attempt at bypassing detection or filters
    • Data representation not recognized or understood by the monitoring entity
    • Cause the monitor to revert to a less scrutinizing state
    • Transport of data in a state that is not observable by the monitor
Where are Evasions Used?
• Everywhere!
  – Layer 3: IP
  – Layer 4: TCP
  – Layer 5: DCERPC, SunRPC, SIP
  – Layer 7: HTTP, SMTP, POP3, FTP
  – Content: HTML, OLE, command lines (Windows & UNIX), exploit shellcode
Layer 3: IP Evasions
• FragEvasion
  – IP fragmentation
  – Four IP fragmentation methods available:
    • Overlapping end fragments, favoring either old or new data
    • Overlapping all fragments, favoring either old or new data
• FragOrder
  – Change the order in which fragments are sent
  – Three behavior options:
    • Normal order
    • Reverse order
    • Randomize order
Layer 4: TCP Evasions
• SegmentOrder
  – Change the order in which segments are sent
  – Three behavior options:
    • Normal order
    • Reverse order
    • Randomize order
• SkipHandShake
  – Skip the three-way handshake for all connections
Layer 5: SIP Evasions
• CompactHeaders
  – Use compact header names instead of full-length header names
  – Example: "From: <user>" -> "f: <user>"
• PadHeadersLineBreak
  – Pad headers with line breaks
  – Example: 'Authorization: Digest username="user", realm="home"' -> 'Authorization: Digest \r\nusername="user", \r\nrealm="home"'
• PadHeadersWhitespace
  – Pad headers with whitespace elements
  – Example: "From: <user>" -> "From:\t\t<user> "
• RandomizeCase
  – Randomize the case of data which is case insensitive
  – Example: "From: <user>" -> "fROm: <UsEr>"
Layer 7: Common Evasions
• PadCommandWhiteSpace
  – SMTP, POP3, FTP, commands (Windows, UNIX)
  – Inserts arbitrary whitespace between commands and their arguments
  – Examples:
    • SMTP: "HELO example.com" -> "HELO\t\t \t example.com"
    • FTP: "USER username" -> "USER \t \t\t username"
    • Commands: "rm -rf /" -> "rm\t \t -rf\t \t\t/"
• PadPathSlashes
  – Commands (Windows, UNIX)
  – Uses slashes to pad command path names
  – Examples:
    • Commands: "/bin/cat /etc/passwd" -> "/////bin///cat /etc////passwd"
Layer 7: HTTP Evasions
• Too many to list them all here...
• DirectorySelfReference
  – Convert all directories to self-referenced relative directories
  – Example: "GET /path/to/myfile.txt" -> "GET /./path/./to/./myfile.txt"
• EncodeHexRandom
  – Encode random parts of the URI in hex
  – Example: "GET /index.html" -> "GET /ind%65x.%68tml"
• ServerChunkedTransfer
  – Use "chunked" transfer-encoding to split up the server response
• ServerCompression
  – Use gzip to encode the server response
• EncodeUnicodeRandom
  – Encode random parts of the URI in wide Unicode (UTF-16)
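The command-line and HTTP slides above make the same defender's point: PadCommandWhiteSpace, PadPathSlashes, DirectorySelfReference and EncodeHexRandom all leave the data valid, so a monitor that matches raw bytes misses them unless it canonicalises first. The Python below is an added example, not BreakingPoint code; the signature and sample inputs are constructed.

```python
"""Canonicalise layer-7 evasions before signature matching (added example).

A raw-byte match misses the padded, hex-encoded and self-referenced forms
shown on the slides; normalising the data first restores the match.
"""
import re

# Constructed signature: a content rule looking for a sensitive path.
SIGNATURE = "/etc/passwd"


def decode_hex(s: str) -> str:
    """Single-pass %XX decoding (EncodeHexRandom). One pass only: decoding
    again would turn a literal '%2565' into 'e', a double-decode bug."""
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def canonical_path(path: str) -> str:
    """One canonical spelling for an absolute path:
       /ind%65x.%68tml           -> /index.html        (EncodeHexRandom)
       /./path/./to/./myfile.txt -> /path/to/myfile.txt (DirectorySelfReference)
       /////bin///cat            -> /bin/cat            (PadPathSlashes)
    Parent references ('..') are left alone: they are a traversal concern
    the caller must reject or resolve separately."""
    path = decode_hex(path)
    path = re.sub(r"/+", "/", path)                       # squeeze slash runs
    return "/".join(seg for seg in path.split("/") if seg != ".")


def canonical_command(cmd: str) -> str:
    """Squeeze PadCommandWhiteSpace padding to single spaces and canonicalise
    every token that looks like an absolute path."""
    tokens = re.split(r"[ \t]+", cmd.strip())
    return " ".join(canonical_path(t) if t.startswith("/") else t
                    for t in tokens)


def detect(raw: str, signature: str = SIGNATURE) -> dict:
    """Compare a naive raw-byte match with a match after canonicalisation."""
    return {"raw": signature in raw,
            "normalised": signature in canonical_command(raw)}


if __name__ == "__main__":
    for sample in ("cat /etc/passwd",                  # plain form
                   "/////bin///cat /etc////passwd",    # slide example
                   "cat\t \t/%65tc/./passwd"):         # mixed evasions
        print(f"{sample!r:36} -> {detect(sample)}")
```

Only the plain form fires the raw match; the evaded forms fire only after canonicalisation, which is exactly the gap the webcast's test methodology is meant to expose.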
Content Evasions
• HTML Evasions: HTMLUnicodeEncoding
  – Encodes HTML in the selected flavor of Unicode:
    • UTF_7: 7-bit
    • UTF_8: 8-bit
    • UTF_16BE: 16-bit big-endian
    • UTF_16LE: 16-bit little-endian
    • UTF_32BE: 32-bit big-endian
    • UTF_32LE: 32-bit little-endian
• Shellcode Evasions: RandomNops
  – Uses random nop-equivalent sequences instead of actual No-Op instructions
  – Example (ia32):
    • "\x90\x90\x90\x90\x90\x90\x90\x90" becomes "\x16\x2f\x5d\x55\x91\x06\x44\x0e"
The Latest Evasion Techniques
• Latest and greatest
• 2010 Forecast?
Do Evasions Cause Damage?
How To Validate You Are Protected
• Forward Thinking
• Test, Test, Test
• Be Realistic
• Be Random
• Be Consistent
Properly Testing Using Evasions
Enabling Evasions for BreakingPoint
• BreakingPoint methods
  – Attack Manager:
    • Attack Group Options - affects only the attack group selected
  – Security Test Component:
    • Parameters tab, Attack Profile setting - affects the entire test
    • Overrides tab - affects the entire test
• Order of precedence
  – Overrides
  – Group Options
  – Attack Profile
The Five Keys BreakingPoint Provides
1. 80+ evasion techniques
2. Dedicated security team
3. New evasion techniques
4. Apply across 4,300+ attacks
5. Multi-layered evasions
Q&A
Thank You!