View
38
Download
1
Category
Preview:
DESCRIPTION
Bypassing Intrusion Detection Systems. Ron Gula, Founder Network Security Wizards. Ron Gula. Wrote the Dragon IDS Tested, deployed and operated NIDS for major Internet company Designed a DOD network honeypot Technical expert for major IW exercises Penetration tested many networks - PowerPoint PPT Presentation
Citation preview
Bypassing Intrusion Detection
SystemsRon Gula, Founder
Network Security Wizards
Ron Gula
• Wrote the Dragon IDS• Tested, deployed and operated NIDS
for major Internet company• Designed a DOD network honeypot• Technical expert for major IW
exercises• Penetration tested many networks• Still learning ...
Why this talk?
• IDS solutions are not perfect• IDS administrators are not perfect• Security is a process!
– Not a person!– Not a product!– Intrusion detection is part of
security !!!
Topics
• NIDS, HIDS, FW and HP Technology• Technical Bypass Techniques• Practical Bypass Techniques• Conclusions
Network IDS• Searches for patterns in packets• Searches for patterns of packets• Searches for packets that shouldn't be
there• May ‘understand’ a protocol for effective
pattern searching and anomaly detection• May passively log, alert with SMTP/SNMP
or have real-time GUI
Network IDS Limitations
• Obtaining packets - topology & encryption
• Number of signatures• Quality of signatures• Performance• Network session integrity• Understanding the observed protocol• Disk storage
/cgi-bin/phf
Jane usedthe PHFattack!
NMAP
Jane dida portsweep!
Host Based IDS
• Signature log analysis– application and system
• File integrity checking– MD5 checksums
• Enhanced Kernel Security– API access control– Stack security
• Network Monitoring Hybrids
Host Based IDS Limitations
• Places load on system• Disabling system logging• Kernel modifications to avoid file
integrity checking (and other stuff)• Management overhead• Network IDS Limitations
messages
xfer
access_log
secure
sendmail
messages
xfer
access_log
secure
sendmail
OneSecurity
Log
Firewalls as an IDS
• Excellent source of network probe, attack and misuse information
• Detect policy deviations based on access control lists
• Some have “NIDS” capabilities
Network Honeypots
• Sacrificial system(s) or sophisticated simulations
• Any traffic to the honeypot is considered suspicious
• If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed
honeypot HTTP DNS
Firewall
Technical Bypass Techniques
• NIDS– fragmentation– TCP un-sync– Low TTL– ‘Max’ MTU– HTTP Protocol– Telnet Protocol
• HIDS– Kernel Hacks– Bypassing stack
protection– Library Hacks– HTTP Logging
insertiontechniques
NIDS
FRAGMENT QUEUE SESSION QUEUE
IP #1
IP #2
IP #3
Session #1
Session #2
Session #3
NIDS
FRAGMENT QUEUE SESSION QUEUE
IP #1
IP #2
IP #3
Session #1
Session #2
Session #3
Bypassing NIDS - Fragmentation
• NIDS must reconstruct fragments– Maintain state = drain on resources– Must overwrite correctly = more drain on
resources
• Target server correctly de-frags• Attack #1 - just fragment• Attack #2 - frag with overwrite• Attack #3 - start an attack, follow with
many false attacks, finish the first attack
Bypassing NIDS - TCP un-sync
• Inject a packet with a bad TCP checksum– fake ‘FIN’ packet
• Inject a packet with a weird TCP sequence number– step up– wrapping numbers
Bypassing NIDS - Low TTL
NIDS
123
WWW
Bypassing NIDS - Max ‘MTU’
NIDSWWW
Segment withMTU = 1300
1350 bytepacket with
DF = 1
Bypassing NIDS - HTTP Proto
• ‘/’ padding: “/cgi-bin///phf”• Self referencing directories: “/cgi-
bin/./phf”• URL Encoding: “%2fcgi-bin/phf”• Reverse Traversal: “/cgi-bin/here/../phf”• TAB instead of spaces removal• DOS/Win syntax: “/cgi-bin\phf”• Null method: “GET%00/cgi-bin/phf”
Bypassing NIDS - Telnet Proto
• Strip out Telnet codes• Automatic proxies which add
random characters followed by backspace– “su X{backspace}root”
Bypassing NIDS - Resources • Tools
– Whisker - Rain Forest Puppy http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
– Fragrouter - Dug Song http://www.anzen.com/research/nidsbench/
– Congestant - horizon, Phrack 54
• Papers– “Insertion, Evasion and Denial of Service: Eluding Network
Intrusion Detection”, Tom Ptacek, Timothy Newsham http://secinf.net/info/ids/idspaper/idspaper.html
– Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz
Bypassing HIDS - Kernel Hacks
• Windows NT– 4 byte patch that removes all security
restrictions from objects within the NT domain.– Could use access to disable or manipulate HIDS
• Linux - “itfs.c” - kernel module
- not in /proc/modules- hides a sniffer- hides files- hides processes
- redirects execve()- socket backdoor- magic setuid gets root
Bypassing HIDS - Stack Protection
• Stackguard– A ‘canary’ is placed next to return address– Program halts and logs if canary is altered– Canary can be random or terminating– Bypass: overwrite return address without
touching canary– Fix: XOR the return address and the canary– Point: Yet another example of an arms race
Bypassing HIDS - Library Hacks
• Environment variables which redirect shared library locations
• Library has a ‘wrapper’ run by a privileged program
• Two choices– Provide certain APIs with original copies of
Trojan files– Redirect certain APIs to completely
different files
Bypassing HIDS - HTTP Logging
• The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis
Bypassing HIDS - Resources
• Phrack 51– “Shared Library Redirection
Techniques”,halflife,<halflife@infonexus.com> – “Bypassing Integrity Checking
Systems”,halflife,<halflife@infonexus.com>• Phrack 52
– “Weakening the Linux Kernel”, plaguez <dube0866@eurobretagne.fr>
• Phrack 55– “A real NT Rootkit, patching the NT Kernel”, Greg Hoglund
<hoglund@ieway.com>
• Phrack 56– “Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare– “Backdooring Binary Objects”, <klog@promisc.org>– “Bypassing Stackguard and Stackshield”, Bulba & Kil3r <lam3rz@hert.org>
• Stackguard - http://www.immunix.org/documentation.html
Practical Bypass Techniques
• NIDS– identifying– avoiding– overwhelming– “slow roll”– “distributed
scanning”
• HIDS– identifying– log deletion– log modification
• Generic– Social– DOS
NIDS - Identifying
• Is it in DNS?• Does it shoot down connections?• Is the sniffing interface detectable?• Is it running on a big red box
labeled “IDS”?• Can the alert messages be
observed?
NIDS - Identifying
• Any open ports that match a known IDS?
• Has the target posted to an IDS saying, “We use product XYZ?”
• Do they have a “This site protected by XYZ” message on their web site?
NIDS - Avoiding
• Are there other routes into the network?– Is there an encrypted path?– Modem dial in?– Alternate transport layer? (GRE ???)
• Is there an attack not detected by the IDS?
• Is there a technical bypass technique that is not detected by the IDS?
NIDS - Overwhelming• Send as many false attacks as possible
while still doing the real attack– May overload console– May drop packets– Admins may not believe there is a threat
• Send packets that “cost” the NIDS CPU cycles to process– Fragmented, overlapping, de-synchronized
web attacks with the occasional bad checksum
NIDS - ‘Slow Roll’
• Port scans and sweeps– Obvious: incremental destination
ports– Trivial: randomized ports– Sweep: one port and many addresses– Stealthy: random ports and addresses
over time
IP addresses
Ports
Port sweepPort scan
Plotting all destinationports from one source IPto a target network …
IP addresses
Ports
random Simple port walk
Still maps outa network withone IP address
MASTER
SLAVESSLAVES
Target sees trafficfrom many addresses
HIDS - Identifying
• Almost always after on a system ...
• Is there anything in the system logs?• What ports are open?• What is running out of CRON?• What is in the NT registry?• What programs are running?
HIDS - Logs
• Simple log deletion may be possible• Simple log altering may also be
possible– replace IP addresses to mislead– delete key logs
• Logging may be disabled or intercepted– Removing syslog from services
Generic - Social
• Physical access• Obtaining “official” access• Getting others to hack/scan site for
you– IRC & chat groups– Hacker challengers
• Run the IDS ……
Generic - DOS
• Find the main ‘server’• Kill it
– IP Bomb– Port bomb– IDS DOS
• Find the clients
Contact Information
• rgula@securitywizards.com• http://www.securitywizards.com
Recommended