Network Security Focus-IDS

RE: Foolin an IDS ?

Subject: RE: Foolin an IDS ?
Date: Wed, 1 Dec 2004 16:49:19 -0500
The Phrack article deals mostly with host-based IDS/IPS evasion. The paper Eric mentioned from Newsham and Ptacek is a great starting point in the network-based world. Aside from papers and tools like fragroute, take a look at the stuff Dave Aitel has written on the subject. Dave has a version of CANVAS called the Canvas Reference Implementation that implements newer ideas in IDS/IPS evasion.

You can find it here:
http://www.immunitysec.com/products-canvas-cri.shtml

And the presentation he did on it:
http://www.immunitysec.com/resources-papers.shtml

Aside from looking at this, the best way to learn to evade IDS/IPS is an understanding of the protocols that they are protecting. This doesn't mean just TCP/UDP; this also means things like MSRPC, HTTP, SSL and such.

If you want to start looking at this from a programming point of view, the easiest way to start evading systems is with RPC fragmentation. If the IDS/IPS vendor doesn't implement a decent protocol parser, it's just a matter of breaking certain RPC attacks into multiple packets. This evades systems because more times than not the signature writers look for calls to a certain GUID. If you need to read up on GUIDs, look here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/guid.asp

So if the GUID is split between two packets, a lot of IDS/IPS will miss it. This is a case with the ISYSTEMACTIVATOR GUID that Blaster bound to. This may seem simple, but a lot of protocols support fragmentation that is not widely known or even understood.

Another RPC-related flaw is multiple binds. You can send a bind request for multiple GUIDs at one time. A lot of the IDS/IPS vendors will only parse the first bind request in the packet, missing the 2nd, 3rd or 4th. So an evasion scenario would be to build a packet that first binds to a harmless interface, then binds to the vulnerable interface. That will often get missed.

Since a lot of IDS/IPS vendors look for binary patterns, "bit flipping" is a simple way to evade badly written signatures. An example would be an attack that has the word BAD in it. Depending on the byte order, BAD might look like |42 41 44| in a sniffer like Ethereal. Depending on the protocol, you might be able to set your own byte order, and instead of |42 41 44| it looks like |44 41 42| on the wire. This would evade a sig looking for only a certain byte order.

These are only a few examples off the top of my head, but there are many more. Now, before anybody chimes in, these techniques work on signature-based IDS/IPS. Somebody may be quick to point out that anomaly-based systems won't suffer from these evasions. This is true, but for anomaly-based systems there is a whole different set of evasions.

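A defender-side illustration of two of the matcher weaknesses described above (a GUID pattern split across two packets, and a signature tied to a single byte order), added here as example code; it is not from the original post or from any IDS product. It relies only on Python's standard uuid module; the packet bytes are constructed for the demonstration, with a made-up three-byte header rather than a real DCE/RPC fragment layout.

```python
import uuid

# Well-known ISystemActivator interface UUID (the interface the post says
# Blaster bound to); the textual form is not on the page, it is supplied here.
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")


def uuid_wire_encodings(u):
    """Both byte orders a UUID can take on the wire.

    DCE/RPC NDR with little-endian data representation encodes the first three
    fields little-endian (uuid.bytes_le); a big-endian representation gives
    uuid.bytes. A signature that knows only one of the two is the byte-order
    weakness the post describes, so a robust rule should match either.
    """
    return {u.bytes_le, u.bytes}


def naive_match(packet, sigs):
    """Per-packet matcher: a pattern is found only if it lies within one packet."""
    return any(s in packet for s in sigs)


class ReassemblingMatcher:
    """Keeps the tail of the previous packet so a pattern that straddles a
    fragment boundary is still seen; never retains more than len(sig)-1 bytes."""

    def __init__(self, sigs):
        self.sigs = set(sigs)
        self.keep = max(len(s) for s in self.sigs) - 1
        self.tail = b""

    def feed(self, packet):
        buf = self.tail + packet
        hit = any(s in buf for s in self.sigs)
        self.tail = buf[-self.keep:] if self.keep else b""
        return hit


def scan(packets, sigs, matcher="naive"):
    """Run a packet sequence through the chosen matcher; True means an alert."""
    if matcher == "naive":
        return any(naive_match(p, sigs) for p in packets)
    m = ReassemblingMatcher(sigs)
    return any(m.feed(p) for p in packets)


# Constructed sample: the little-endian wire form of the UUID split after its
# 7th byte across two fragments (fake 3-byte header on the first, padding on the second).
wire = ISYSTEMACTIVATOR.bytes_le
FRAGMENTS = [b"\x05\x00\x0b" + wire[:7], wire[7:] + b"\x00\x00"]
```

Running the fragments through both matchers shows the per-packet one staying silent while the reassembling one alerts; feeding the big-endian encoding shows why a rule should carry both encodings from uuid_wire_encodings.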
-----Original Message-----
From: Eric Hines [mailto:eric.hines@appliedwatch.com] 
Sent: Tuesday, November 30, 2004 11:37 AM
To: 'Sec Traq'; focus-ids@securityfocus.com
Subject: RE: Foolin an IDS ?

There is a pretty well known paper written by Ptacek and Newsham, "Intrusion Detection System Insertion, Evasion, and Denial of Service", that outlines multiple techniques for eluding IDSs:
http://secinf.net/info/ids/idspaper/idspaper.html

A tool was created based on the techniques outlined in this paper, called Fragroute, by Dug Song, which illegally fragments your outbound packets to a destination host based on how you tell it to fragment the traffic. "fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour."
http://monkey.org/~dugsong/fragroute/

I'd also recommend reading about and researching payload encryptors like ADMmutate written by ADM. "In a nutshell, this API can mask buffer overflow exploit signatures from Network IDS systems so that they are more difficult to detect."
README: http://www.ktwo.ca/readme.html
Homepage: http://www.ktwo.ca/security.html

HTH.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.

------------------------------------------------------------------------

1134 N. Main St.                     Tel: (877) 262-7593 x327
Algonquin, IL                        Fax: (877) 262-7593
60102                                Mobile: (847) 456-6785
http://www.appliedwatch.com          Email: eric.hines@appliedwatch.com
------------------------------------------------------------------------
"Redefining Open Source Enterprise Management"
------------------------------------------------------------------------



-----Original Message-----
From: Sec Traq [mailto:sectraq@gmail.com] 
Sent: Saturday, November 27, 2004 4:44 PM
To: focus-ids@securityfocus.com
Subject: Foolin an IDS ?



Hi,

I have read a couple of papers on how to fool an IDS, one of them from Phrack. I find the subject really interesting and am considering it as an MSc project, but I need more advanced and technical papers. If anyone could advise, your help would be appreciated.

Thanks

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------