Dailydave mailing list archives

RE: Dreaming of Summer, IDS compromise, and other things


From: Rodney Thayer <rodney () canola-jones com>
Date: Tue, 09 Dec 2003 13:19:38 -0800

I was involved in this year's and last year's IDS review for Network World.
Most of the IDS vendors we looked at had out of band management.  They also
tended to be fairly sloppy about how well they defended their management
interface -- they commit the usual sins (out of rev software, use of cleartext,
etc., etc.)  Therefore, the concept of compromising an IDS seems perfectly
reasonable to me.  The tap interfaces wouldn't work, but that doesn't matter
because those don't run TCP/IP, per se. And of course if they have a management
LAN, you would "only" have access to the other sensitive gear on the management
LAN, but that should be sufficient entertainment for many of you ;-)

And, just to make sure you know I'm trying to stay on topic, one of the
ways I now evaluate an IDS is to threaten to run Canvas against their
management interface, and measure how badly the vendor starts shaking ;-)

At 01:01 PM 12/9/2003 -0800, Kohlenberg, Toby wrote:
>While they frequently watch network traffic from a tap, almost all NIDS also
>use a separate connection to allow them to be monitored/managed remotely.
>Your payload would probably not be able to be very small but given a little
>creativity in exploring the IDS you compromised, you could probably find at
>least a partial way out of the network.
>
>On a side-note, the problem with modifying the packet capture engine is knowing
>which one they are using. If you just mean inserting a shim in the stack, then
>you run into problems of ensuring you are capturing packets below the IDS so that
>you can remove the ones you don't want it to see.
>
>toby
>
>-----Original Message-----
>From: dailydave-bounces () lists immunitysec com
>[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Halvar Flake
>Sent: Sunday, December 07, 2003 12:42 PM
>To: David Maynor
>Cc: PBrass () iss net; dailydave () lists immunitysec com
>Subject: RE: [Dailydave] Dreaming of Summer
>
>
>> Add a shim to the packet capture engine. Before the captured packet gets
>> sent up the stack for traditional protocol decodes you can check for
>> conditions like the seq number matches a predefined set and if it does
>> you can read something like the window size and translate that into a
>> part of a command. If a packet like this is captured it won't get
>> flagged by the IDS because it never makes it to the IDS analysis phase.
>> Command response is done by the same shim via packet injection. This
>> would require some device driver foo. This would not work well if the
>> IDS supplies its own network card driver.
>
>The installations I've seen so far lack any ability to talk back to the
>network for use of a cable without the appropriate wires -- but then
>again I am no expert on this.
>
>Cheers,
>Halvar
>
>
>

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
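A defender-side cross-check for the "shim below the engine" scenario discussed in the quoted messages above, as an added example that is not part of the thread: it compares the kernel's receive counter for the tap interface with the packet count the IDS engine itself accounts for, so packets removed before the analysis stage show up as an unexplained gap. The /proc/net/dev snapshots are constructed, eth1 as the tap interface is an assumption, and the IDS-side counts are assumed to come from the sensor's own statistics output.

```python
# Constructed /proc/net/dev snapshots (Linux format) taken about a minute apart
# on a sensor.  eth1 is the assumed tap interface; only the Receive "packets"
# column is used.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1:  5000000  100000    0    5    0     0          0         0        0       0    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth1:  7600000  160000    0    5    0     0          0         0        0       0    0    0    0     0       0          0
"""

def rx_packets(proc_net_dev: str, iface: str) -> int:
    """Parse the Receive 'packets' counter for iface out of /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        if ":" not in line:
            continue                              # the two header lines
        name, counters = line.split(":", 1)       # name may abut the counters
        if name.strip() == iface:
            return int(counters.split()[1])       # [0] is bytes, [1] is packets
    raise KeyError(f"interface {iface} not present")

def capture_gap(t0, t1, iface, ids_received, ids_dropped, tolerance=0.001):
    """Compare what the kernel counted on the wire with what the IDS engine
    accounts for (packets analysed plus drops it reports itself).  A shim that
    discards packets below the engine leaves packets the sensor cannot explain."""
    on_wire = rx_packets(t1, iface) - rx_packets(t0, iface)
    accounted = ids_received + ids_dropped
    unexplained = on_wire - accounted
    return {
        "on_wire": on_wire,
        "accounted": accounted,
        "unexplained": unexplained,
        # tolerance absorbs read skew between the two counters; tune it per
        # sensor, and treat a gap that persists across intervals as the signal
        "suspicious": unexplained > tolerance * on_wire,
    }

if __name__ == "__main__":
    print(capture_gap(SNAPSHOT_T0, SNAPSHOT_T1, "eth1", 59990, 0))  # healthy
    print(capture_gap(SNAPSHOT_T0, SNAPSHOT_T1, "eth1", 58000, 0))  # gap
```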

