harden security devices against increasingly sophisticated evasions
DESCRIPTION
separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer. Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions? Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.TRANSCRIPT
Harden Security Devices Against Increasingly Sophisticated Evasions
BreakingPoint Webcast Wednesday
December 16, 2009
www.breakingpointlabs.com2
Introductions/Agenda
• BreakingPoint speakers:– Dennis Cox, CTO– Todd Manning, Protocol & Security Researcher– Dustin D. Trammell, Protocol & Security Researcher
• Quick Glance Agenda:– Evasions Overview– Evasions in Layer 3, 4, 5, 7 and more– Latest evasion techniques– How to validate you are protected– BreakingPoint Five Keys
www.breakingpointlabs.com3
Evasion Technique Introduction
• What Is An Evasion?– Legitimate Permutation of Data
• Data remains valid• Data looks different
– Attempt at bypassing detection or filters• Data representation not recognized or understood by the
monitoring entity• Cause the monitor to revert to a less scrutinizing state• Transport of data in a state that is not observable by the
monitor
www.breakingpointlabs.com4
Where are Evasions Used?
• Everywhere!– Layer 3: IP– Layer 4: TCP– Layer 5: DCERPC, SunRPC, SIP– Layer 7: HTTP, SMTP, POP3, FTP– Content: HTML, OLE, Command-lines (Windows &
UNIX), Exploit Shellcode
www.breakingpointlabs.com5
Layer 3: IP Evasions
• FragEvasion– IP Fragmentation– Four IP fragmentation methods available:
• Overlapping end fragments, favoring either old or new data• Overlapping all fragments, favoring either old or new data
• FragOrder– Change the order in which fragments are sent– Three behavior options:
• Normal order• Reverse order• Randomize order
www.breakingpointlabs.com6
Layer 4: TCP Evasions
• SegmentOrder– Change the order in which segments are sent– Three behavior options:
• Normal order• Reverse order• Randomize order
• SkipHandShake– Skip the three-way handshake for all connections
www.breakingpointlabs.com7
Layer 5: SIP Evasions
• CompactHeaders– Use compact header names instead of full-length header names– Example: “From: <user>” -> “f: <user>”
• PadHeadersLineBreak– Pad headers with line breaks– Example: ‘Authorization: Digest username=“user”, realm=“home”’
-> ‘Authorization: Digest \r\nusername=“user”, \r\nrealm=“home”’
• PadHeadersWhitespace– Pad headers with whitespace elements– Example: “From: <user>” -> “From:\t\t<user> “
• RandomizeCase– Randomize the case of data which is case insensitive– Example: “From: <user>” -> “fROm: <UsEr>”
www.breakingpointlabs.com8
Layer 7: Common Evasions
• PadCommandWhiteSpace– SMTP, POP3, FTP, Commands (Windows, UNIX)– Inserts arbitrary whitespace between commands and their
arguments– Examples:
• SMTP: “HELO example.com” -> “HELO\t\t \t example.com”• FTP: “USER username” -> “USER \t \t\t username”• Commands: “rm -rf /” -> “rm\t \t –rf\t \t\t/”
• PadPathSlashes– Commands (Windows, UNIX)– Uses slashes to pad command path names– Examples:
• Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd”
www.breakingpointlabs.com9
Layer 7: HTTP Evasions
• Too many to list them all here…• DirectorySelfReference
– Convert all directories to self-referenced relative directories– Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt”
• EncodeHexRandom– Encode random parts of the URI in hex– Example: “GET /index.html” -> “GET /ind%65x.%68tml”
• ServerChunkedTransfer– Use “chunked” transfer-encoding to split up the server response
• ServerCompression– Use gzip to encode the server response
• EncodeUnicodeRandom– Encode random parts of the URI in wide Unicode (UTF-16)
www.breakingpointlabs.com10
Content Evasions
• HTML Evasions: HTMLUnicodeEncoding• Encodes HTML in the selected flavor of Unicode:
– UTF_7: 7-bit– UTF_8: 8-bit– UTF_16BE: 16-bit big-endian– UTF_16LE: 16-bit little-endian– UTF_32BE: 32-bit big-endian– UTF_32LE: 32-bit little-endian
• Shellcode Evasions: RandomNops• Uses random nop-equivalent sequences instead of actual No-Op
instructions• Example (ia32):
– “\x90\x90\x90\x90\x90\x90\x90\x90”– becomes– “\x16\x2f\x5d\x55\x91\x06\x44\x0e”
www.breakingpointlabs.com11
The Latest Evasion Techniques
• Latest and greatest• 2010 Forecast?
www.breakingpointlabs.com12
Do Evasions Cause Damage?
www.breakingpointlabs.com13
How To Validate You Are Protected
• Forward Thinking• Test, Test, Test• Be Realistic• Be Random• Be Consistent
Properly Testing Using Evasions
www.breakingpointlabs.com15
Enabling Evasions for BreakingPoint
• BreakingPoint Methods– Attack Manager:
• Attack Group Options - Affects only the attack group selected
– Security Test Component:• Parameters Tab, Attack Profile setting - Affects the entire test• Overrides Tab - Affects the entire test
• Order of precedence– Overrides– Group Options– Attack Profile
www.breakingpointlabs.com16
The Five Keys BreakingPoint Provides
1. 80+ evasion techniques
2. Dedicated security team
3. New evasion techniques
4. Apply across 4,300+ attacks
5. Multi-layered evasions
www.breakingpointlabs.com17
Q&A
Thank You!