Bypassing Intrusion Detection Systems Ron Gula, Founder Network Security Wizards
Ron Gula • Wrote the Dragon IDS • Tested, deployed and operated NIDS for major Internet company • Designed a DOD network honeypot • Technical expert for major IW exercises • Penetration tested many networks • Still learning ...
Why this talk? • IDS solutions are not perfect • IDS administrators are not perfect • Security is a process! • Not a person! • Not a product! • Intrusion detection is part of security !!!
Topics • NIDS, HIDS, FW and HP Technology • Technical Bypass Techniques • Practical Bypass Techniques • Conclusions
Network IDS • Searches for patterns in packets • Searches for patterns of packets • Searches for packets that shouldn't be there • May ‘understand’ a protocol for effective pattern searching and anomaly detection • May passively log, alert with SMTP/SNMP or have real-time GUI
Network IDS Limitations • Obtaining packets - topology & encryption • Number of signatures • Quality of signatures • Performance • Network session integrity • Understanding the observed protocol • Disk storage
Jane used the PHF attack! /cgi-bin/phf
Jane did a port sweep! NMAP
Host Based IDS • Signature log analysis • application and system • File integrity checking • MD5 checksums • Enhanced Kernel Security • API access control • Stack security • Network Monitoring Hybrids
Host Based IDS Limitations • Places load on system • Disabling system logging • Kernel modifications to avoid file integrity checking (and other stuff) • Management overhead • Network IDS Limitations
[Diagram: the log files messages, xfer, access_log, secure and sendmail feeding into One Security Log]
Firewalls as an IDS • Excellent source of network probe, attack and misuse information • Detect policy deviations based on access control lists • Some have “NIDS” capabilities
Network Honeypots • Sacrificial system(s) or sophisticated simulations • Any traffic to the honeypot is considered suspicious • If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed
[Diagram labels: Firewall, honeypot, HTTP, DNS]
Technical Bypass Techniques • NIDS: insertion techniques, fragmentation, TCP un-sync, Low TTL, ‘Max’ MTU, HTTP Protocol, Telnet Protocol • HIDS: Kernel Hacks, Bypassing stack protection, Library Hacks, HTTP Logging
[Diagram: NIDS with a FRAGMENT QUEUE and a SESSION QUEUE holding IP #1 / Session #1, IP #2 / Session #2, IP #3 / Session #3]
Bypassing NIDS - Fragmentation • NIDS must reconstruct fragments • Maintain state = drain on resources • Must overwrite correctly = more drain on resources • Target server correctly de-frags • Attack #1 - just fragment • Attack #2 - frag with overwrite • Attack #3 - start an attack, follow with many false attacks, finish the first attack
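The overwrite case from the sensor's side, as an added example that is not from the original slides: the same fragments are reassembled under two overlap policies, and any overlap carrying different bytes is flagged, because it means the sensor and the target may see different payloads. Offsets are plain byte offsets (real IP fragment offsets count 8-byte units) and the fragment data is constructed.

```python
SIGNATURE = b"/cgi-bin/phf"  # pattern used elsewhere in the slides


def reassemble(fragments, policy):
    """Rebuild a payload from (offset, data) fragments in arrival order.

    policy "first": an already-seen byte is never overwritten.
    policy "last":  a later fragment overwrites earlier data.
    Returns (payload, conflict); conflict is True when an overlap
    carried bytes that differ from what was already buffered.
    """
    buf = {}
    conflict = False
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in buf and buf[pos] != byte:
                conflict = True
                if policy == "first":
                    continue
            buf[pos] = byte
    return bytes(buf[k] for k in sorted(buf)), conflict


def inspect(fragments, signature=SIGNATURE):
    """Match the signature against every policy's view and report conflicts."""
    views = [reassemble(fragments, p) for p in ("first", "last")]
    return {
        "signature": any(signature in payload for payload, _ in views),
        "overlap_conflict": any(conflict for _, conflict in views),
    }


# Constructed sample: the third fragment overlaps the second with other bytes.
OVERLAPPING = [(0, b"GET /cgi-bin/"), (13, b"xxx HTTP/1.0"), (13, b"phf")]
# Constructed sample: ordinary fragmentation, no overlap.
CLEAN = [(0, b"GET /index"), (10, b".html HTTP/1.0")]

if __name__ == "__main__":
    for name, frags in (("overlapping", OVERLAPPING), ("clean", CLEAN)):
        print(name, reassemble(frags, "first")[0], reassemble(frags, "last")[0],
              inspect(frags))
```

A sensor that implements only one policy sees only one of the two payloads; treating a conflicting overlap as an alert in its own right removes the dependence on guessing the target's policy.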
Bypassing NIDS - TCP un-sync • Inject a packet with a bad TCP checksum • fake ‘FIN’ packet • Inject a packet with a weird TCP sequence number • step up • wrapping numbers
Bypassing NIDS - Low TTL [Diagram labels: WWW, NIDS, TTL values 3, 2, 1]
Bypassing NIDS - Max ‘MTU’ [Diagram labels: WWW, NIDS, Segment with MTU = 1300, 1350 byte packet with DF = 1]
Bypassing NIDS - HTTP Proto • ‘/’ padding: “/cgi-bin///phf” • Self referencing directories: “/cgi-bin/./phf” • URL Encoding: “%2fcgi-bin/phf” • Reverse Traversal: “/cgi-bin/here/../phf” • TAB instead of spaces removal • DOS/Win syntax: “/cgi-bin\phf” • Null method: “GET%00/cgi-bin/phf”
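What a sensor has to do before matching, as an added example that is not from the original slides: the request line is reduced to a canonical method and path, and the signature is compared against that form instead of the raw bytes. The function names and the sample request lines are constructed for illustration; the variants are the ones listed on the slide.

```python
import posixpath
import re
from urllib.parse import unquote

SIGNATURE = "GET /cgi-bin/phf"  # literal pattern a simple rule would search for


def canonical_request(request_line: str) -> str:
    """Reduce a request line to 'METHOD /canonical/path'."""
    # TAB and NUL (raw or %00) act as separators in the slide's variants.
    line = re.sub(r"%00|\x00|\t", " ", request_line)
    tokens = line.split()
    if len(tokens) < 2:
        return ""
    method, target = tokens[0], tokens[1]
    path = target.split("?", 1)[0]            # drop the query string
    path = unquote(path, encoding="latin-1")  # URL encoding: %2f -> /
    path = path.replace("\\", "/")            # DOS/Win syntax
    path = re.sub(r"/+", "/", path)           # '/' padding
    path = posixpath.normpath(path)           # /./ and /here/../
    return f"{method} {path}"


def naive_match(request_line: str) -> bool:
    return SIGNATURE in request_line


def normalized_match(request_line: str) -> bool:
    return canonical_request(request_line).startswith(SIGNATURE)


# Constructed request lines, one per variant on the slide, plus a benign one.
SAMPLES = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin///phf HTTP/1.0",
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET %2fcgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/here/../phf HTTP/1.0",
    "GET\t/cgi-bin/phf\tHTTP/1.0",
    "GET /cgi-bin\\phf HTTP/1.0",
    "GET%00/cgi-bin/phf HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), naive_match(s), normalized_match(s))
```

Percent-decoding is applied once here; whether to decode more than once depends on how the protected server behaves, since the sensor's canonical form is only useful when it agrees with the server's.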
Bypassing NIDS - Telnet Proto • Strip out Telnet codes • Automatic proxies which add random characters followed by backspace • “su X{backspace}root”
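The corresponding normalization for a Telnet stream, as an added example that is not from the original slides: Telnet command sequences are removed and backspace editing is applied, so the sensor matches on what the remote shell receives. The sample bytes are constructed, and the function names are hypothetical.

```python
IAC, SB, SE = 255, 250, 240  # Telnet command bytes (RFC 854)


def strip_telnet(data: bytes) -> bytes:
    """Remove Telnet command and option sequences from a byte stream."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                              # truncated command at end
        elif data[i + 1] == IAC:
            out.append(IAC)                    # escaped literal 0xFF
            i += 2
        elif data[i + 1] == SB:                # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:        # WILL / WONT / DO / DONT + option
            i += 3
        else:
            i += 2                             # other two-byte commands
    return bytes(out)


def apply_line_editing(data: bytes) -> bytes:
    """Apply backspace (0x08) and DEL (0x7f) the way a terminal line would."""
    out = bytearray()
    for b in data:
        if b in (0x08, 0x7F):
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def normalize(data: bytes) -> bytes:
    return apply_line_editing(strip_telnet(data))


# Constructed sample: the slide's "su X{backspace}root" with an
# IAC DO ECHO sequence in the middle of the command.
SAMPLE = b"su X\x08" + bytes([IAC, 253, 1]) + b"root\r\n"

if __name__ == "__main__":
    print(b"su root" in SAMPLE, b"su root" in normalize(SAMPLE))
```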
Bypassing NIDS - Resources • Tools • Whisker - Rain Forest Puppy http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2 • Fragrouter - Dug Song http://www.anzen.com/research/nidsbench/ • Congestant - horizon, Phrack 54 • Papers • “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham http://secinf.net/info/ids/idspaper/idspaper.html • Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz
Bypassing HIDS - Kernel Hacks • Windows NT • 4 byte patch that removes all security restrictions from objects within the NT domain. • Could use access to disable or manipulate HIDS • Linux - “itfs.c” - kernel module • - not in /proc/modules • - hides a sniffer • - hides files • - hides processes • - redirects execve() • - socket backdoor • - magic setuid gets root
Bypassing HIDS - Stack Protection • Stackguard • A ‘canary’ is placed next to return address • Program halts and logs if canary is altered • Canary can be random or terminating • Bypass: overwrite return address without touching canary • Fix: XOR the return address and the canary • Point: Yet another example of an arms race
Bypassing HIDS - Library Hacks • Environment variables which redirect shared library locations • Library has a ‘wrapper’ run by a privileged program • Two choices • Provide certain APIs with original copies of Trojan files • Redirect certain APIs to completely different files
Bypassing HIDS - HTTP Logging • The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis
Bypassing HIDS - Resources • Phrack 51 • “Shared Library Redirection Techniques”,halflife,<halflife@infonexus.com> • “Bypassing Integrity Checking Systems”,halflife,<halflife@infonexus.com> • Phrack 52 • “Weakening the Linux Kernel”, plaguez <dube0866@eurobretagne.fr> • Phrack 55 • “A real NT Rootkit, patching the NT Kernel”, Greg Hoglund <hoglund@ieway.com> • Phrack 56 • “Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare • “Backdooring Binary Objects”, <klog@promisc.org> • “Bypassing Stackguard and Stackshield”, Bulba & Kil3r <lam3rz@hert.org> • Stackguard - http://www.immunix.org/documentation.html
Practical Bypass Techniques • NIDS: identifying, avoiding, overwhelming, “slow roll”, “distributed scanning” • HIDS: identifying, log deletion, log modification • Generic: Social, DOS
NIDS - Identifying • Is it in DNS? • Does it shoot down connections? • Is the sniffing interface detectable? • Is it running on a big red box labeled “IDS”? • Can the alert messages be observed?
NIDS - Identifying • Any open ports that match a known IDS? • Has the target posted to an IDS saying, “We use product XYZ?” • Do they have a “This site protected by XYZ” message on their web site?
NIDS - Avoiding • Are there other routes into the network? • Is there an encrypted path? • Modem dial in? • Alternate transport layer? (GRE ???) • Is there an attack not detected by the IDS? • Is there a technical bypass technique that is not detected by the IDS?
NIDS - Overwhelming • Send as many false attacks as possible while still doing the real attack • May overload console • May drop packets • Admins may not believe there is a threat • Send packets that “cost” the NIDS CPU cycles to process • Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum
NIDS - ‘Slow Roll’ • Port scans and sweeps • Obvious: incremental destination ports • Trivial: randomized ports • Sweep: one port and many addresses • Stealthy: random ports and addresses over time
Plotting all destination ports from one source IP to a target network … [Plot: Ports against IP addresses, with a Port scan and a Port sweep marked]
[Plot: Ports against IP addresses, showing a simple port walk and a random pattern] Still maps out a network with one IP address
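Why the detection window matters for the ‘slow roll’ case, as an added example that is not from the original slides: the same per-source counter of distinct (address, port) targets is run with a short window and a long one over constructed flow records. The addresses, thresholds and window lengths are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque


def detect(flows, window, threshold):
    """Return sources that touched >= threshold distinct (dst, port)
    targets within any `window` seconds.

    flows: iterable of (timestamp_seconds, src, dst, dst_port).
    """
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, port))
    flagged = set()
    for ts, src, dst, port in sorted(flows):
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and q[0][0] <= ts - window:  # expire state older than the window
            q.popleft()
        if len({target for _, target in q}) >= threshold:
            flagged.add(src)
    return flagged


def build_flows():
    """Constructed traffic: one fast scan, one slow roll, one busy client."""
    flows = []
    # 30 ports on one host in 30 seconds (the "obvious" case).
    for i in range(30):
        flows.append((i, "203.0.113.9", "10.0.0.5", 1 + i))
    # One probe every 10 minutes for a day, varying address and port.
    for i in range(144):
        dst = f"10.0.0.{(i * 37) % 254 + 1}"
        flows.append((i * 600, "192.0.2.10", dst, 1024 + (i * 7919) % 5000))
    # A legitimate client reconnecting to the same web server.
    for i in range(500):
        flows.append((i * 60, "198.51.100.5", "10.0.0.80", 80))
    return flows


SHORT = (60, 10)      # 10 distinct targets in one minute
LONG = (86400, 20)    # 20 distinct targets in one day

if __name__ == "__main__":
    flows = build_flows()
    print("short window:", sorted(detect(flows, *SHORT)))
    print("long window: ", sorted(detect(flows, *LONG)))
```

The long window catches the slow source at the price of holding a day of per-source state, which is the resource cost the slides attribute to stateful NIDS processing.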
[Diagram labels: MASTER, SLAVES] Target sees traffic from many addresses
HIDS - Identifying • Almost always after on a system ... • Is there anything in the system logs? • What ports are open? • What is running out of CRON? • What is in the NT registry? • What programs are running?
HIDS - Logs • Simple log deletion may be possible • Simple log altering may also be possible • replace IP addresses to mislead • delete key logs • Logging may be disabled or intercepted • Removing syslog from services
Generic - Social • Physical access • Obtaining “official” access • Getting others to hack/scan site for you • IRC & chat groups • Hacker challengers • Run the IDS ……
Generic - DOS • Find the main ‘server’ • Kill it • IP Bomb • Port bomb • IDS DOS • Find the clients
Contact Information • rgula@securitywizards.com • http://www.securitywizards.com