Upload
nehemiah-housman
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Advanced Network Based IPS Evasion Techniques
Antti Levomäki, Christian Jalio, Olli-Pekka Niemi
28 October 2009
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Intrusion Prevention Systems should protect vulnerable hosts from remote exploits
Exploits can apply multiple evasion method to bypass the detection of Intrusion Prevention Systems and break into the remote system
Hack.Lu 2009
Introduction
Copyright © 2009 Stonesoft Corporation. All rights reserved.
There are hacking tools which apply multiple evasion techniques
However, these tools are more exploit oriented and not evasion oriented
Copyright © 2009 Stonesoft Corporation. All rights reserved.
IP Fragmentation with manipulated fragment size and order
TCP segmentation with manipulated segment size and order
SMB Fragmentation SMB Transaction Write Method MSRPC Multibind (bind to multiple ”unnecessary or non-
existent” context + the vulnerable context MSRPC fragmentation MSRPC encryption
Known Evasions Implemented various testing tools…
Copyright © 2009 Stonesoft Corporation. All rights reserved.
IP Random Options TCP Time Wait TCP Urgent Pointer SMB Write/Read Padding SMB Transaction Method fragmentation SMB Session Mixing MSRPC Alter Context MSRPC Object Reference MSRPC Endian Manipulation
Not So Known Evasions, Implemented in ???
Copyright © 2009 Stonesoft Corporation. All rights reserved.
IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic
Example: SMB and MSRPC signatures should not worry about fragmentation, padding , extra methods or other randomizations
The Power of Evasion Methods
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Fill IP Packet with random Options If the target host and the IPS device
disagree about the validity of the packet, the target host may see different data than the IPS
IP
Random Options
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Open and close a TCP connection. Open a new TCP-connection to the same service using the same TCP-source port. According the TCP RFC, the TCP client MUST wait ”TIME-
Wait Delay” amount of seconds before reusing a port.
If the attacker uses his own TCP/IP Stack, he can open and close a TCP-connection and immediately open a new TCP connection using the same source port. The IPS stack should handle new connections as
new connections regardless of the TIME-Wait-Delay
TCP Evasion
TCP Time Wait
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Insert one byte into a TCP-stream. TCP-Server chooses whether to use or discard
the added byte. An IPS device inspection can be evaded by
clever use of the urgent pointer. Example
TCP Stream: GETP / (P is urgent data) IPS sees: GETP / Apache sees: GET /
TCP Evasion
TCP Urgent Pointer
Copyright © 2009 Stonesoft Corporation. All rights reserved.
It is possible to use multiple resources over the same SMB-session within the single TCP-connection at same time. Simultaneously read and write into
multiple files
SMB Evasion
SMB Session Mixing
Copyright © 2009 Stonesoft Corporation. All rights reserved.
The write and read commands have an offset pointer that can be used for padding.
All data after the SMB header till the
pointed byte should be discarded.
SMB Evasion
SMB Write/Read Padding
Copyright © 2009 Stonesoft Corporation. All rights reserved.
SMB Trans Act Write Method The SMB Protocol allows the
fragmentation of Transaction messages by using ”Transaction secondary” messages.
SMB Evasion
SMB Transaction Method
Copyright © 2009 Stonesoft Corporation. All rights reserved.
MSRPC Object Reference Adding an Object Reference (UUID) to an
MSRPC Request Header enlarges the header by 16 bytes, and thus moves the MSRPC payload 16 bytes forward.
MSRPC Evasion
MSRPC Object Reference
Copyright © 2009 Stonesoft Corporation. All rights reserved.
The client may change the current context using the Alter Context Method. All subsequent requests then go to the new context Example: The client binds to non
vulnerable context and then changes into a vulnerable context and sends the exploit.
MSRPC Evasion
Alter Context
Copyright © 2009 Stonesoft Corporation. All rights reserved.
MSRPC protocol allows both big- and little- endian encoding Windows hosts normally use the little-
endian encoding Hackers should use big endian for obvious
reasons…
MSRPC Endianness
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Introducing Predator
Evasion Fuzzer Use multiple random evasion techniques
simultaneously in multiple layers
Transmit the same payload until successful
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Evasions in Predator
Evasions for attack "CVE-2008-4250 “ IP fragmentation, --ip_frag:
8byte: Fragment IP payload into 8 byte fragments 16byte: Fragment IP payload into 16 byte fragments 24byte Fragment IP payload into 24 byte fragments 256byte Fragment IP payload into 256 byte fragments random_order: Send fragments in a random order out_of_order: Send one fragment out of order fwd_overwrite Perform forward overwriting with fragments last_first Send last fragment first one_duplicate Send one duplicate fragment
IP evasion, --ip_evasion: random_options: Send random IP options
Copyright © 2009 Stonesoft Corporation. All rights reserved.
TCP fragmentation, --tcp_frag: 1byte Fragment TCP payload into 1 byte segments
TCP evasion, --tcp_evasion: time_wait Open a decoy connection and attack from same ip:port
while in time-wait urgent_ptr Insert meaningless data into 1 byte urgent segments
Copyright © 2009 Stonesoft Corporation. All rights reserved.
SMB fragmentation, --smb_frag: 16byte Fragment SMB payload into 16 byte fragments 256byte Fragment SMB payload into 256 byte fragments
SMB evasion, --smb_evasion: andx_connect Negotiate SMB session and connect to a tree connect an
AndX message decoy_trees Open decoy SMB tree connects in the same TCP stream as
the attack read_offset Use random offsets in SMB read operations pad_write_random Pad SMB write commands with a random sized block
of random data pad_write_static Pad SMB write commands with a static sized block of
random data random_write_method Use a random SMB write method ( TRANSACT /
WRITE ) write_offset Use random offsets in SMB write operation
Copyright © 2009 Stonesoft Corporation. All rights reserved.
MSRPC fragmentation, --msrpc_ frag: 16byte Fragment MSRPC payload into 16 byte fragments 256byte Fragment MSRPC payload into 256 byte fragments
MSRPC evasion, --msrpc_evasion: big_endian Communicate in big endian format random_object: Add a random object reference to MSRPC requests alter_context: Bind to a random context and then alter to the correct
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB fragstyle: 16byte, MSRPC evasion: random_object}
Exploit run 2: SMB evasion: read_offset, MSRPC evasion: big_endian,random_object,alter_context}
Exploit run 3: SMB evasion: decoy_trees,pad_write_static, MSRPC evasion: random_object,alter_context}
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB evasion:andx_connect,pad_write_static,random_write_method,write_offset, MSRPC evasion: alter_context}
Exploit run 2: TCP evasion: time_wait, SMB evasion: decoy_trees,read_offset,pad_write_static
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Copyright © 2009 Stonesoft Corporation. All rights reserved.
DEMO
Copyright © 2009 Stonesoft Corporation. All rights reserved.Slide 24
www.stonesoft.com