1. Bypassing Intrusion Detection Systems Ron Gula, Founder Network Security Wizards

2. Ron Gula Wrote the Dragon IDS Tested, deployed and operated NIDS for major Internet company Designed a DOD network honeypot Technical expert for major IW exercises Penetration tested many networks Still learning...

3. Why this talk? IDS solutions are not perfect IDS administrators are not perfect Security is a process! –Not a person! –Not a product! –Intrusion detection is part of security !!!

4. Topics NIDS, HIDS, FW and HP Technology Technical Bypass Techniques Practical Bypass Techniques Conclusions

5. Network IDS Searches for patterns in packets Searches for patterns of packets Searches for packets that shouldn't be there May ‘understand’ a protocol for effective pattern searching and anomaly detection May passively log, alert with SMTP/SNMP or have real-time GUI

6. Network IDS Limitations Obtaining packets - topology & encryption Number of signatures Quality of signatures Performance Network session integrity Understanding the observed protocol Disk storage

7. /cgi-bin/phf Jane used the PHF attack!

8. NMAP Jane did a port sweep!

9. Host Based IDS Signature log analysis –application and system File integrity checking –MD5 checksums Enhanced Kernel Security –API access control –Stack security Network Monitoring Hybrids

10. Host Based IDS Limitations Places load on system Disabling system logging Kernel modifications to avoid file integrity checking (and other stuff) Management overhead Network IDS Limitations

11. messages xfer access_log secure sendmail

12. messages xfer access_log secure sendmail One Security Log

13. Firewalls as an IDS Excellent source of network probe, attack and misuse information Detect policy deviations based on access control lists Some have “NIDS” capabilities

14. Network Honeypots Sacrificial system(s) or sophisticated simulations Any traffic to the honeypot is considered suspicious If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed

15. honeypotHTTPDNS Firewall

16. Technical Bypass Techniques NIDS –fragmentation –TCP un-sync –Low TTL –‘Max’ MTU –HTTP Protocol –Telnet Protocol HIDS –Kernel Hacks –Bypassing stack protection –Library Hacks –HTTP Logging insertion techniques

17. NIDS FRAGMENT QUEUESESSION QUEUE IP #1 IP #2 IP #3 Session #1 Session #2 Session #3

18. NIDS FRAGMENT QUEUESESSION QUEUE IP #1 IP #2 IP #3 Session #1 Session #2 Session #3

19. Bypassing NIDS - Fragmentation NIDS must reconstruct fragments –Maintain state = drain on resources –Must overwrite correctly = more drain on resources Target server correctly de-frags Attack #1 - just fragment Attack #2 - frag with overwrite Attack #3 - start an attack, follow with many false attacks, finish the first attack

20. Bypassing NIDS - TCP un-sync Inject a packet with a bad TCP checksum –fake ‘FIN’ packet Inject a packet with a weird TCP sequence number –step up –wrapping numbers

21. Bypassing NIDS - Low TTL NIDS 123 WWW

22. Bypassing NIDS - Max ‘MTU’ NIDSWWW Segment with MTU = 1300 1350 byte packet with DF = 1

23. Bypassing NIDS - HTTP Proto ‘/’ padding: “/cgi-bin///phf” Self referencing directories: “/cgi-bin/./phf” URL Encoding: “%2fcgi-bin/phf” Reverse Traversal: “/cgi-bin/here/../phf” TAB instead of spaces removal DOS/Win syntax: “/cgi-bin\phf” Null method: “GET%00/cgi-bin/phf”

24. Bypassing NIDS - Telnet Proto Strip out Telnet codes Automatic proxies which add random characters followed by backspace –“su X{backspace}root”

25. Bypassing NIDS - Resources Tools –Whisker - Rain Forest Puppy http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2 –Fragrouter - Dug Song http://www.anzen.com/research/nidsbench/ –Congestant - horizon, Phrack 54 Papers –“Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham http://secinf.net/info/ids/idspaper/idspaper.html –Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

26. Bypassing HIDS - Kernel Hacks Windows NT –4 byte patch that removes all security restrictions from objects within the NT domain. –Could use access to disable or manipulate HIDS Linux - “itfs.c” - kernel module - not in /proc/modules - hides a sniffer - hides files - hides processes - redirects execve() - socket backdoor - magic setuid gets root

27. Bypassing HIDS - Stack Protection Stackguard –A ‘canary’ is placed next to return address –Program halts and logs if canary is altered –Canary can be random or terminating –Bypass: overwrite return address without touching canary –Fix: XOR the return address and the canary –Point: Yet another example of an arms race

28. Bypassing HIDS - Library Hacks Environment variables which redirect shared library locations Library has a ‘wrapper’ run by a privileged program Two choices –Provide certain APIs with original copies of Trojan files –Redirect certain APIs to completely different files

29. Bypassing HIDS - HTTP Logging The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis

30. Bypassing HIDS - Resources Phrack 51 –“Shared Library Redirection Techniques”,halflife, –“Bypassing Integrity Checking Systems”,halflife, Phrack 52 –“Weakening the Linux Kernel”, plaguez Phrack 55 –“A real NT Rootkit, patching the NT Kernel”, Greg Hoglund Phrack 56 –“Shared Library Call Redirection via ELF PLT Infection”, Silvio Cesare –“Backdooring Binary Objects”, –“Bypassing Stackguard and Stackshield”, Bulba & Kil3r Stackguard - http://www.immunix.org/documentation.html

31. Practical Bypass Techniques NIDS –identifying –avoiding –overwhelming –“slow roll” –“distributed scanning” HIDS –identifying –log deletion –log modification Generic –Social –DOS

32. NIDS - Identifying Is it in DNS? Does it shoot down connections? Is the sniffing interface detectable? Is it running on a big red box labeled “IDS”? Can the alert messages be observed?

33. NIDS - Identifying Any open ports that match a known IDS? Has the target posted to an IDS saying, “We use product XYZ?” Do they have a “This site protected by XYZ” message on their web site?

34. NIDS - Avoiding Are there other routes into the network? –Is there an encrypted path? –Modem dial in? –Alternate transport layer? (GRE ???) Is there an attack not detected by the IDS? Is there a technical bypass technique that is not detected by the IDS?

35. NIDS - Overwhelming Send as many false attacks as possible while still doing the real attack –May overload console –May drop packets –Admins may not believe there is a threat Send packets that “cost” the NIDS CPU cycles to process –Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum

36. NIDS - ‘Slow Roll’ Port scans and sweeps –Obvious: incremental destination ports –Trivial: randomized ports –Sweep: one port and many addresses –Stealthy: random ports and addresses over time

37. IP addresses PortsPorts Port sweep Port scan Plotting all destination ports from one source IP to a target network …

38. IP addresses PortsPorts randomSimple port walk Still maps out a network with one IP address

39. MASTER SLAVES Target sees traffic from many addresses

40. HIDS - Identifying Almost always after on a system... Is there anything in the system logs? What ports are open? What is running out of CRON? What is in the NT registry? What programs are running?

41. HIDS - Logs Simple log deletion may be possible Simple log altering may also be possible –replace IP addresses to mislead –delete key logs Logging may be disabled or intercepted –Removing syslog from services

42. Generic - Social Physical access Obtaining “official” access Getting others to hack/scan site for you –IRC & chat groups –Hacker challengers Run the IDS ……

43. Generic - DOS Find the main ‘server’ Kill it –IP Bomb –Port bomb –IDS DOS Find the clients

44. Contact Information rgula@securitywizards.com http://www.securitywizards.com