Bypassing Intrusion Detection Systems
Ron Gula, Founder
Network Security Wizards
Ron Gula
• Wrote the Dragon IDS
• Tested, deployed and operated NIDS for major Internet company
• Designed a DOD network honeypot
• Technical expert for major IW exercises
• Penetration tested many networks
• Still learning ...
Why this talk?
• IDS solutions are not perfect
• IDS administrators are not perfect
• Security is a process!
– Not a person!
– Not a product!
– Intrusion detection is part of security!!!
Topics
• NIDS, HIDS, FW and HP Technology
• Technical Bypass Techniques
• Practical Bypass Techniques
• Conclusions
Network IDS
• Searches for patterns in packets
• Searches for patterns of packets
• Searches for packets that shouldn't be there
• May ‘understand’ a protocol for effective pattern searching and anomaly detection
• May passively log, alert with SMTP/SNMP or have real-time GUI
Network IDS Limitations
• Obtaining packets - topology & encryption
• Number of signatures
• Quality of signatures
• Performance
• Network session integrity
• Understanding the observed protocol
• Disk storage
[Figure: the NIDS sees a request for “/cgi-bin/phf” and reports “Jane used the PHF attack!”]
[Figure: the NIDS sees NMAP traffic and reports “Jane did a port sweep!”]
Host Based IDS
• Signature log analysis
– application and system
• File integrity checking
– MD5 checksums
• Enhanced Kernel Security
– API access control
– Stack security
• Network Monitoring Hybrids
Host Based IDS Limitations
• Places load on system
• Disabling system logging
• Kernel modifications to avoid file integrity checking (and other stuff)
• Management overhead
• Network IDS Limitations
[Figure: separate host log files: messages, xfer, access_log, secure, sendmail]
[Figure: the same log files (messages, xfer, access_log, secure, sendmail) consolidated into one security log]
Firewalls as an IDS
• Excellent source of network probe, attack and misuse information
• Detect policy deviations based on access control lists
• Some have “NIDS” capabilities
Network Honeypots
• Sacrificial system(s) or sophisticated simulations
• Any traffic to the honeypot is considered suspicious
• If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed
[Figure: a firewall in front of HTTP and DNS servers, with a honeypot deployed alongside them]
Technical Bypass Techniques
• NIDS
– fragmentation
– TCP un-sync
– Low TTL
– ‘Max’ MTU
– HTTP Protocol
– Telnet Protocol
• HIDS
– Kernel Hacks
– Bypassing stack protection
– Library Hacks
– HTTP Logging insertion techniques
[Figure: NIDS internals: a fragment queue (IP #1, IP #2, IP #3) feeding a session queue (Session #1, Session #2, Session #3)]
Bypassing NIDS - Fragmentation
• NIDS must reconstruct fragments
– Maintain state = drain on resources
– Must overwrite correctly = more drain on resources
• Target server correctly de-frags
• Attack #1 - just fragment
• Attack #2 - frag with overwrite
• Attack #3 - start an attack, follow with many false attacks, finish the first attack
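The reassembly the slide describes, as an added example (not code from the talk or from Dragon): a small IP fragment reassembler that applies one of the two overlap policies hosts actually use and, more importantly for a sensor, records every overlapping byte range. The fragments and the “first”/“last” policy names are constructed for the example; which policy a given target host uses is something the NIDS operator has to configure.

```python
"""Added example: IP fragment reassembly that records overlapping fragments,
the condition behind "Attack #2 - frag with overwrite". Some stacks keep the
bytes that arrived first, others let later fragments overwrite, so the NIDS
must be told which one its target uses; whichever it is, an overlap is worth
an alert on its own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the original datagram
    data: bytes
    more: bool    # IP "more fragments" flag; False on the final fragment


@dataclass
class Reassembly:
    payload: Optional[bytes]          # None until every byte is present
    overlaps: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) ranges seen twice
    complete: bool = False


def reassemble(fragments: List[Fragment], policy: str = "first") -> Reassembly:
    """policy="first": keep the bytes that arrived first;
    policy="last": let later fragments overwrite earlier ones.
    Overlapping ranges are recorded either way so the sensor can alert."""
    buf: Dict[int, int] = {}
    overlaps: List[Tuple[int, int]] = []
    total: Optional[int] = None
    for frag in fragments:
        start, end = frag.offset, frag.offset + len(frag.data)
        if not frag.more:
            total = end                      # final fragment fixes the datagram length
        clash = [pos for pos in range(start, end) if pos in buf]
        if clash:
            overlaps.append((clash[0], clash[-1] + 1))
        for i, byte in enumerate(frag.data):
            pos = start + i
            if pos in buf and policy == "first":
                continue                     # first copy wins, ignore the rewrite
            buf[pos] = byte                  # last copy wins
    if total is None or any(pos not in buf for pos in range(total)):
        return Reassembly(None, overlaps, False)
    return Reassembly(bytes(buf[pos] for pos in range(total)), overlaps, True)


# Constructed sample: the third fragment rewrites bytes 13..16 of the second one,
# so the two policies yield different requests from the same three fragments.
SAMPLE_FRAGMENTS = [
    Fragment(0, b"GET /cgi-", more=True),
    Fragment(9, b"bin/xxx ", more=True),
    Fragment(13, b"phf ", more=False),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        result = reassemble(SAMPLE_FRAGMENTS, policy)
        print(policy, result.payload, result.overlaps)
```

With the “first” policy the sensor reconstructs “GET /cgi-bin/xxx ”, with “last” it reconstructs “GET /cgi-bin/phf ”; only one of them matches what the server executed, which is why the overlap list matters more than the reassembled bytes.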
Bypassing NIDS - TCP un-sync
• Inject a packet with a bad TCP checksum
– fake ‘FIN’ packet
• Inject a packet with a weird TCP sequence number
– step up
– wrapping numbers
Bypassing NIDS - Low TTL
[Figure: router hops 1, 2, 3 between the NIDS and the WWW server; a packet with a small TTL passes the NIDS but expires before the WWW server]
Bypassing NIDS - Max ‘MTU’
[Figure: a 1350 byte packet with DF = 1 passes the NIDS but is dropped at a segment with MTU = 1300 before reaching the WWW server]
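The three insertion tricks above (bad TCP checksum, low TTL, oversized packet with DF set) all rely on the sensor accepting a packet the server will throw away. An added example, not code from the talk: a check a sensor can run before adding a segment to its session state. It assumes the operator has told the sensor how many routers sit between it and the server and what the smallest MTU on that path is; the addresses and segments are constructed.

```python
"""Added example: reject packets the target host will never accept, so they
never reach the NIDS pattern matcher. hops_to_target and path_mtu are assumed
to come from the sensor's configuration; they are not learned here."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    df: bool              # IP "don't fragment" flag
    tcp: bytes            # TCP header + payload; checksum sits at bytes 16..17
    ip_header_len: int = 20


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_segment(src: str, dst: str, payload: bytes, sport: int = 40000,
                 dport: int = 80, corrupt: bool = False) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) with a valid or deliberately broken checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src, dst, header + payload)
    if corrupt:
        csum ^= 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def checksum_ok(pkt: Packet) -> bool:
    stored = struct.unpack("!H", pkt.tcp[16:18])[0]
    zeroed = pkt.tcp[:16] + b"\x00\x00" + pkt.tcp[18:]
    return tcp_checksum(pkt.src, pkt.dst, zeroed) == stored


def target_will_accept(pkt: Packet, hops_to_target: int, path_mtu: int) -> Tuple[bool, List[str]]:
    """hops_to_target: routers between the sensor and the server; each one
    decrements TTL and discards the packet when the result is zero."""
    reasons: List[str] = []
    if not checksum_ok(pkt):
        reasons.append("bad TCP checksum")
    if pkt.ttl <= hops_to_target:
        reasons.append("TTL expires before the target")
    if pkt.df and pkt.ip_header_len + len(pkt.tcp) > path_mtu:
        reasons.append("exceeds path MTU with DF set")
    return (not reasons, reasons)


# Constructed sample packets (addresses from documentation ranges)
SRC, DST = "198.51.100.7", "192.0.2.80"
GOOD = Packet(SRC, DST, ttl=64, df=False,
              tcp=make_segment(SRC, DST, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"))
BAD_SUM = Packet(SRC, DST, ttl=64, df=False,
                 tcp=make_segment(SRC, DST, b"junk", corrupt=True))
LOW_TTL = Packet(SRC, DST, ttl=2, df=False,
                 tcp=make_segment(SRC, DST, b"x" * 10))
BIG_DF = Packet(SRC, DST, ttl=64, df=True,
                tcp=make_segment(SRC, DST, b"x" * 1310))   # 20 + 20 + 1310 = 1350 bytes

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad checksum", BAD_SUM),
                      ("low ttl", LOW_TTL), ("big df", BIG_DF)):
        print(name, target_will_accept(pkt, hops_to_target=3, path_mtu=1300))
```

The same filter is what makes the “fake FIN” on the previous slide harmless: a FIN that fails the checksum is dropped before it can close the sensor's view of the session.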
Bypassing NIDS - HTTP Proto
• ‘/’ padding: “/cgi-bin///phf”
• Self referencing directories: “/cgi-bin/./phf”
• URL Encoding: “%2fcgi-bin/phf”
• Reverse Traversal: “/cgi-bin/here/../phf”
• TAB instead of spaces removal
• DOS/Win syntax: “/cgi-bin\phf”
• Null method: “GET%00/cgi-bin/phf”
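Each item above is a different spelling of the same request, so the fix on the sensor side is to canonicalize the request line before matching. An added example, not code from the talk or from Whisker: a normalizer that folds all seven variants back to “/cgi-bin/phf”. The same function applies to the host-based log analysis case later in the talk (“Bypassing HIDS - HTTP Logging”), since an access_log records the raw URL. The signature list is a constructed sample.

```python
"""Added example: canonicalize an HTTP request line before comparing it with
signatures such as "/cgi-bin/phf"."""
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote


def normalize_request_line(raw: bytes) -> Tuple[str, str]:
    """Return (METHOD, canonical path) for one HTTP request line."""
    text = raw.decode("latin-1")
    # URL decoding, repeated once so a double-encoded "%252f" also resolves
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # A %00 glued to the method ("GET%00/cgi-bin/phf") terminates the method
    # for C-string parsers; treat NUL as a separator, like TAB and SPACE.
    text = text.replace("\x00", " ")
    parts = re.split(r"[ \t]+", text.strip())
    if len(parts) < 2:
        return ("", "")
    method, target = parts[0].upper(), parts[1]
    path = target.split("?", 1)[0]           # drop the query string
    path = path.replace("\\", "/")           # DOS/Win separators
    path = re.sub(r"/+", "/", path)          # "/cgi-bin///phf"
    path = posixpath.normpath(path or "/")   # "./" and "here/../"
    if not path.startswith("/"):
        path = "/" + path
    return (method, path)


SIGNATURES: List[str] = ["/cgi-bin/phf"]   # constructed sample signature list


def matches_signature(raw: bytes) -> bool:
    _, path = normalize_request_line(raw)
    return any(sig in path for sig in SIGNATURES)


# Constructed request lines, one per trick on the slide
EVASIONS = [
    b"GET /cgi-bin///phf HTTP/1.0",
    b"GET /cgi-bin/./phf HTTP/1.0",
    b"GET %2fcgi-bin/phf HTTP/1.0",
    b"GET /cgi-bin/here/../phf HTTP/1.0",
    b"GET\t/cgi-bin/phf\tHTTP/1.0",
    b"GET /cgi-bin\\phf HTTP/1.0",
    b"GET%00/cgi-bin/phf HTTP/1.0",
]

if __name__ == "__main__":
    for line in EVASIONS:
        print(line, "->", normalize_request_line(line), matches_signature(line))
```

Decoding twice is a deliberate choice: it catches a double-encoded path at the cost of mis-reading a literal “%25” in a legitimate URL, which for a detection signature is the better trade. The server's own parser is the reference; when the sensor's normalization differs from the server's, that difference is exactly where the next evasion lives.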
Bypassing NIDS - Telnet Proto
• Strip out Telnet codes
• Automatic proxies which add random characters followed by backspace
– “su X{backspace}root”
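The two bullets describe what the sensor has to undo before it can match “su root”: remove option negotiation and apply backspaces the way the remote shell does. An added example, not code from the talk: a Telnet stream normalizer; the byte streams it is run on are constructed.

```python
"""Added example: reduce a Telnet byte stream to what the remote shell sees,
so "su X<backspace>root" is matched as "su root". Option negotiation
(IAC WILL/WONT/DO/DONT and IAC SB ... IAC SE) is removed; BS and DEL erase
the previous character."""
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
BS, DEL = 0x08, 0x7F


def normalize_telnet(stream: bytes) -> str:
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b == IAC:
            cmd = stream[i + 1] if i + 1 < n else None
            if cmd == IAC:                   # escaped 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd == SB:                  # subnegotiation: skip to IAC SE
                end = stream.find(bytes([IAC, SE]), i + 2)
                i = n if end < 0 else end + 2
            elif cmd in (WILL, WONT, DO, DONT):
                i += 3                       # IAC <verb> <option>
            else:
                i += 2                       # two-byte command (NOP, AYT, ...)
            continue
        if b in (BS, DEL):                   # erase the previous visible character
            if out:
                out.pop()
        else:
            out.append(b)
        i += 1
    return out.decode("latin-1")


def matches_command(stream: bytes, pattern: str = "su root") -> bool:
    return pattern in normalize_telnet(stream)


# Constructed samples: the proxied "su" from the slide, and a login with
# DO/WILL negotiation and a terminal-type subnegotiation in the middle.
PROXIED = b"su X\x08root\r\n"
NEGOTIATED = b"\xff\xfd\x01\xff\xfb\x03su \xff\xfa\x18\x00ANSI\xff\xf0root\r\n"

if __name__ == "__main__":
    for sample in (PROXIED, NEGOTIATED):
        print(sample, "->", repr(normalize_telnet(sample)), matches_command(sample))
```

A raw substring match on PROXIED fails because the bytes “su X\x08root” never contain “su root”; the normalized text does, which is the whole point of the proxy trick and of undoing it.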
Bypassing NIDS - Resources
• Tools
– Whisker - Rain Forest Puppy http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
– Fragrouter - Dug Song http://www.anzen.com/research/nidsbench/
– Congestant - horizon, Phrack 54
• Papers
– “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham http://secinf.net/info/ids/idspaper/idspaper.html
– Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz
Bypassing HIDS - Kernel Hacks
• Windows NT
– 4 byte patch that removes all security restrictions from objects within the NT domain.
– Could use access to disable or manipulate HIDS
• Linux - “itfs.c” - kernel module
– not in /proc/modules
– hides a sniffer
– hides files
– hides processes
– redirects execve()
– socket backdoor
– magic setuid gets root
Bypassing HIDS - Stack Protection
• Stackguard
– A ‘canary’ is placed next to return address
– Program halts and logs if canary is altered
– Canary can be random or terminating
– Bypass: overwrite return address without touching canary
– Fix: XOR the return address and the canary
– Point: Yet another example of an arms race
Bypassing HIDS - Library Hacks
• Environment variables which redirect shared library locations
• Library has a ‘wrapper’ run by a privileged program
• Two choices
– Provide certain APIs with original copies of Trojan files
– Redirect certain APIs to completely different files
Bypassing HIDS - HTTP Logging
• The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis
Bypassing HIDS - Resources
• Phrack 51
– “Shared Library Redirection Techniques”, halflife, <[email protected]>
– “Bypassing Integrity Checking Systems”, halflife, <[email protected]>
• Phrack 52
– “Weakening the Linux Kernel”, plaguez <[email protected]>
• Phrack 55
– “A real NT Rootkit, patching the NT Kernel”, Greg Hoglund
• Phrack 56
– “Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare
– “Backdooring Binary Objects”, <[email protected]>
– “Bypassing Stackguard and Stackshield”, Bulba & Kil3r <[email protected]>
• Stackguard - http://www.immunix.org/documentation.html
Practical Bypass Techniques
• NIDS
– identifying
– avoiding
– overwhelming
– “slow roll”
– “distributed scanning”
• HIDS
– identifying
– log deletion
– log modification
• Generic
– Social
– DOS
NIDS - Identifying
• Is it in DNS?
• Does it shoot down connections?
• Is the sniffing interface detectable?
• Is it running on a big red box labeled “IDS”?
• Can the alert messages be observed?
NIDS - Identifying
• Any open ports that match a known IDS?
• Has the target posted to an IDS saying, “We use product XYZ?”
• Do they have a “This site protected by XYZ” message on their web site?
NIDS - Avoiding
• Are there other routes into the network?
– Is there an encrypted path?
– Modem dial in?
– Alternate transport layer? (GRE ???)
• Is there an attack not detected by the IDS?
• Is there a technical bypass technique that is not detected by the IDS?
NIDS - Overwhelming
• Send as many false attacks as possible while still doing the real attack
– May overload console
– May drop packets
– Admins may not believe there is a threat
• Send packets that “cost” the NIDS CPU cycles to process
– Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum
NIDS - ‘Slow Roll’
• Port scans and sweeps
– Obvious: incremental destination ports
– Trivial: randomized ports
– Sweep: one port and many addresses
– Stealthy: random ports and addresses over time
[Figure: plotting all destination ports from one source IP to a target network, IP addresses on one axis and ports on the other, makes a port sweep and a port scan stand out]
[Figure: the same plot for a random simple port walk: it still maps out a network with one IP address]
[Figure: distributed scanning: a MASTER drives many SLAVES, so the target sees traffic from many addresses]
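The “slow roll” and distributed figures make the same point from the defender's side: a port-scan rule that counts distinct targets per source over a short window misses both. An added example, not code from the talk: the same sliding-window counter run over a long window catches the slow roll, and run with the target network as the grouping key instead of the source address it catches the distributed scan. The connection records (timestamp in seconds, source, destination, destination port) and the thresholds are constructed.

```python
"""Added example: detect "slow roll" and distributed scanning from connection
records by counting distinct (dst, port) targets in a sliding window."""
from collections import defaultdict, deque
from ipaddress import ip_network
from typing import Callable, Dict, List, Tuple

Event = Tuple[int, str, str, int]   # (time_s, src, dst, dst_port)


def by_source(e: Event) -> str:
    return e[1]


def by_target_network(e: Event) -> str:
    """Group on the /24 being probed, so many sources add up."""
    return str(ip_network(e[2] + "/24", strict=False))


def detect_scans(events: List[Event], window_s: int, threshold: int,
                 group: Callable[[Event], str] = by_source) -> Dict[str, int]:
    """Return {group: time first flagged} for groups whose distinct (dst, port)
    targets within any window_s-second sliding window reach threshold."""
    flagged: Dict[str, int] = {}
    queues = defaultdict(deque)                       # group -> (time, key) in arrival order
    counts = defaultdict(lambda: defaultdict(int))    # group -> key -> hits still in window
    for e in sorted(events):
        t, key, g = e[0], (e[2], e[3]), group(e)
        queues[g].append((t, key))
        counts[g][key] += 1
        while queues[g] and queues[g][0][0] < t - window_s:   # expire old hits
            _, old = queues[g].popleft()
            counts[g][old] -= 1
            if counts[g][old] == 0:
                del counts[g][old]
        if len(counts[g]) >= threshold and g not in flagged:
            flagged[g] = t
    return flagged


# Constructed records: one probe per hour from one source (slow roll),
# a normal client reloading one page every ten minutes, and ten sources
# that each touch one host of the target network within a few seconds.
SLOW_ROLL: List[Event] = [(h * 3600, "198.51.100.7", "10.0.0.%d" % (h + 1), 22 + h) for h in range(12)]
NORMAL: List[Event] = [(m * 600, "203.0.113.5", "10.0.0.1", 80) for m in range(20)]
DISTRIBUTED: List[Event] = [(100 + i, "192.0.2.%d" % (i + 1), "10.0.0.%d" % (i + 1), 80) for i in range(10)]

if __name__ == "__main__":
    print("1 min window, per source :", detect_scans(SLOW_ROLL + NORMAL, 60, 5))
    print("24 h window, per source  :", detect_scans(SLOW_ROLL + NORMAL, 86400, 5))
    print("distributed, per source  :", detect_scans(DISTRIBUTED, 60, 5))
    print("distributed, per /24     :", detect_scans(DISTRIBUTED, 60, 5, group=by_target_network))
```

The long window is what costs the sensor: it has to keep a day of (target, port) state per source, which is the same resource trade-off the talk makes for fragment and session queues. The threshold of five distinct targets is a sample value; the normal client never exceeds one because it only ever talks to one host and port.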
HIDS - Identifying
• Almost always done after you are already on a system ...
• Is there anything in the system logs?
• What ports are open?
• What is running out of CRON?
• What is in the NT registry?
• What programs are running?
HIDS - Logs
• Simple log deletion may be possible
• Simple log altering may also be possible
– replace IP addresses to mislead
– delete key logs
• Logging may be disabled or intercepted
– Removing syslog from services
Generic - Social
• Physical access
• Obtaining “official” access
• Getting others to hack/scan site for you
– IRC & chat groups
– Hacker challenges
• Run the IDS ……
Generic - DOS
• Find the main ‘server’
• Kill it
– IP Bomb
– Port bomb
– IDS DOS
• Find the clients