Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2009 Stonesoft Corporation. All rights reserved. Advanced Network Based IPS Evasion Techniques Antti Levomäki, Christian Jalio, Olli-Pekka.

Similar presentations


Presentation on theme: "Copyright © 2009 Stonesoft Corporation. All rights reserved. Advanced Network Based IPS Evasion Techniques Antti Levomäki, Christian Jalio, Olli-Pekka."— Presentation transcript:

1 Copyright © 2009 Stonesoft Corporation. All rights reserved. Advanced Network Based IPS Evasion Techniques Antti Levomäki, Christian Jalio, Olli-Pekka Niemi 28 October 2009

2 Copyright © 2009 Stonesoft Corporation. All rights reserved.  Intrusion Prevention Systems should protect vulnerable hosts from remote exploits  Exploits can apply multiple evasion method to bypass the detection of Intrusion Prevention Systems and break into the remote system Hack.Lu 2009 Introduction

3 Copyright © 2009 Stonesoft Corporation. All rights reserved.  There are hacking tools which apply multiple evasion techniques  However, these tools are more exploit oriented and not evasion oriented

4 Copyright © 2009 Stonesoft Corporation. All rights reserved.  IP Fragmentation with manipulated fragment size and order  TCP segmentation with manipulated segment size and order  SMB Fragmentation  SMB Transaction Write Method  MSRPC Multibind (bind to multiple ”unnecessary or non-existent” context + the vulnerable context  MSRPC fragmentation  MSRPC encryption Known Evasions Implemented various testing tools…

5 Copyright © 2009 Stonesoft Corporation. All rights reserved.  IP Random Options  TCP Time Wait  TCP Urgent Pointer  SMB Write/Read Padding  SMB Transaction Method fragmentation  SMB Session Mixing  MSRPC Alter Context  MSRPC Object Reference  MSRPC Endian Manipulation Not So Known Evasions, Implemented in ???

6 Copyright © 2009 Stonesoft Corporation. All rights reserved.  IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic  Example: SMB and MSRPC signatures should not worry about fragmentation, padding, extra methods or other randomizations The Power of Evasion Methods

7 Copyright © 2009 Stonesoft Corporation. All rights reserved.  Fill IP Packet with random Options  If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS IP Random Options

8 Copyright © 2009 Stonesoft Corporation. All rights reserved.  Open and close a TCP connection. Open a new TCP- connection to the same service using the same TCP- source port.  According the TCP RFC, the TCP client MUST wait ”TIME-Wait Delay” amount of seconds before reusing a port.  If the attacker uses his own TCP/IP Stack, he can open and close a TCP-connection and immediately open a new TCP connection using the same source port.  The IPS stack should handle new connections as new connections regardless of the TIME-Wait-Delay TCP Evasion TCP Time Wait

9 Copyright © 2009 Stonesoft Corporation. All rights reserved.  Insert one byte into a TCP-stream.  TCP-Server chooses whether to use or discard the added byte.  An IPS device inspection can be evaded by clever use of the urgent pointer.  Example  TCP Stream: GETP / (P is urgent data)  IPS sees: GETP /  Apache sees: GET / TCP Evasion TCP Urgent Pointer

10 Copyright © 2009 Stonesoft Corporation. All rights reserved.  It is possible to use multiple resources over the same SMB-session within the single TCP- connection at same time.  Simultaneously read and write into multiple files SMB Evasion SMB Session Mixing

11 Copyright © 2009 Stonesoft Corporation. All rights reserved.  The write and read commands have an offset pointer that can be used for padding.  All data after the SMB header till the pointed byte should be discarded. SMB Evasion SMB Write/Read Padding

12 Copyright © 2009 Stonesoft Corporation. All rights reserved.  SMB Trans Act Write Method  The SMB Protocol allows the fragmentation of Transaction messages by using ”Transaction secondary” messages. SMB Evasion SMB Transaction Method

13 Copyright © 2009 Stonesoft Corporation. All rights reserved.  MSRPC Object Reference  Adding an Object Reference (UUID) to an MSRPC Request Header enlarges the header by 16 bytes, and thus moves the MSRPC payload 16 bytes forward. MSRPC Evasion MSRPC Object Reference

14 Copyright © 2009 Stonesoft Corporation. All rights reserved.  The client may change the current context using the Alter Context Method. All subsequent requests then go to the new context  Example: The client binds to non vulnerable context and then changes into a vulnerable context and sends the exploit. MSRPC Evasion Alter Context

15 Copyright © 2009 Stonesoft Corporation. All rights reserved.  MSRPC protocol allows both big- and little- endian encoding  Windows hosts normally use the little-endian encoding  Hackers should use big endian for obvious reasons… MSRPC Endianness

16 Copyright © 2009 Stonesoft Corporation. All rights reserved. Introducing Predator  Evasion Fuzzer  Use multiple random evasion techniques simultaneously in multiple layers  Transmit the same payload until successful

17 Copyright © 2009 Stonesoft Corporation. All rights reserved. Evasions in Predator  Evasions for attack "CVE “  IP fragmentation, --ip_frag:  8byte: Fragment IP payload into 8 byte fragments  16byte: Fragment IP payload into 16 byte fragments  24byte Fragment IP payload into 24 byte fragments  256byte Fragment IP payload into 256 byte fragments  random_order: Send fragments in a random order  out_of_order: Send one fragment out of order  fwd_overwrite Perform forward overwriting with fragments  last_first Send last fragment first  one_duplicate Send one duplicate fragment  IP evasion, --ip_evasion:  random_options: Send random IP options

18 Copyright © 2009 Stonesoft Corporation. All rights reserved.  TCP fragmentation, --tcp_frag:  1byte Fragment TCP payload into 1 byte segments  TCP evasion, --tcp_evasion:  time_wait Open a decoy connection and attack from same ip:port while in time-wait  urgent_ptr Insert meaningless data into 1 byte urgent segments

19 Copyright © 2009 Stonesoft Corporation. All rights reserved.  SMB fragmentation, --smb_frag:  16byte Fragment SMB payload into 16 byte fragments  256byte Fragment SMB payload into 256 byte fragments  SMB evasion, --smb_evasion:  andx_connect Negotiate SMB session and connect to a tree connect an AndX message  decoy_trees Open decoy SMB tree connects in the same TCP stream as the attack  read_offset Use random offsets in SMB read operations  pad_write_random Pad SMB write commands with a random sized block of random data  pad_write_static Pad SMB write commands with a static sized block of random data  random_write_method Use a random SMB write method ( TRANSACT / WRITE )  write_offset Use random offsets in SMB write operation

20 Copyright © 2009 Stonesoft Corporation. All rights reserved.  MSRPC fragmentation, --msrpc_  frag: 16byte Fragment MSRPC payload into 16 byte fragments  256byte Fragment MSRPC payload into 256 byte fragments  MSRPC evasion, --msrpc_evasion:  big_endian Communicate in big endian format  random_object: Add a random object reference to MSRPC requests  alter_context: Bind to a random context and then alter to the correct

21 Copyright © 2009 Stonesoft Corporation. All rights reserved. Hunting High and Low Initializing IPForge based on the configuration.. Started at IP , MAC de:ad:01:00:01:02. Attacking against Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB fragstyle: 16byte, MSRPC evasion: random_object} Exploit run 2: SMB evasion: read_offset, MSRPC evasion: big_endian,random_object,alter_context} Exploit run 3: SMB evasion: decoy_trees,pad_write_static, MSRPC evasion: random_object,alter_context} Microsoft Windows XP [Version ] (C) Copyright Microsoft Corp. C:\WINDOWS\system32>

22 Copyright © 2009 Stonesoft Corporation. All rights reserved. Hunting High and Low Initializing IPForge based on the configuration.. Started at IP , MAC de:ad:01:00:01:02. Attacking against Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB evasion:andx_connect,pad_write_static,random_write_method,write_offset, MSRPC evasion: alter_context} Exploit run 2: TCP evasion: time_wait, SMB evasion: decoy_trees,read_offset,pad_write_static Microsoft Windows XP [Version ] (C) Copyright Microsoft Corp. C:\WINDOWS\system32>

23 Copyright © 2009 Stonesoft Corporation. All rights reserved. DEMO

24 Copyright © 2009 Stonesoft Corporation. All rights reserved.Slide 24


Download ppt "Copyright © 2009 Stonesoft Corporation. All rights reserved. Advanced Network Based IPS Evasion Techniques Antti Levomäki, Christian Jalio, Olli-Pekka."

Similar presentations


Ads by Google