IDS mailing list archives
RE: Foolin an IDS ?
From: Mark Teicher <mht3 () earthlink net>
Date: Sat, 04 Dec 2004 06:40:03 -0700
Most IDS/IPS vendors today account for the papers mentioned. Test methodologies for IDS/IPS technologies have mutated a bit. Some IDS/IPS vendors utilize various commercial and non-commercial tools to test their products. The issue at hand is how does one separate out true IPS evasion techniques to validate IPS-based attacks only.
At 02:49 PM 12/1/2004, Maynor, David (ISS Atlanta) wrote:
The Phrack article deals mostly with host-based IDS/IPS evasion. The paper Eric mentioned from Newsham and Ptacek is a great starting point in the network-based world. Aside from papers and tools like fragroute, take a look at the stuff Dave Aitel has written on the subject. Dave has a version of CANVAS called the Canvas Reference Implementation that implements newer ideas in IDS/IPS evasion. You can find it here: http://www.immunitysec.com/products-canvas-cri.shtml And the presentation he did on it: http://www.immunitysec.com/resources-papers.shtml

Aside from looking at this, the best way to learn to evade IDS/IPS is an understanding of the protocols that they are protecting. This doesn't mean just TCP/UDP; this also means things like MSRPC, HTTP, SSL and such.

If you want to start looking at this from a programming point of view, the easiest way to start evading systems is with RPC fragmentation. If the IDS/IPS vendor doesn't implement a decent protocol parser, it's just a matter of breaking certain RPC attacks into multiple packets. This evades systems because more times than not the signature writers look for calls to a certain GUID. If you need to read up on GUIDs, look here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/guid.asp So if the GUID is split between two packets, a lot of IDS/IPS will miss it. This is the case with the ISystemActivator GUID that Blaster bound to. This may seem simple, but a lot of protocols support fragmentation that is not widely known or even understood.

Another RPC-related flaw is multiple binds. You can send a bind request for multiple GUIDs at one time. A lot of the IDS/IPS vendors will only parse the first bind request in the packet, missing the 2nd or 3rd or 4th. So an evasion scenario would be to build a packet that first binds to a harmless interface, then binds to the vulnerable interface. That will often get missed.
Since a lot of IDS/IPS vendors look for binary patterns, "bit flipping" is a simple way to evade badly written signatures. An example would be an attack that has the word BAD in it. Depending on the byte order, BAD might look like |42 41 44| in a sniffer like Ethereal. Depending on the protocol, you might be able to set your own byte order, and instead of |42 41 44| it looks like |44 41 42| on the wire. This would evade a sig looking for only a certain byte order.

These are only a few examples off the top of my head, but there are many more. Now before anybody chimes in, these techniques work on signature-based IDS/IPS. Somebody may be quick to point out that anomaly-based systems won't suffer from these evasions. This is true, but for anomaly-based systems there is a whole different set of evasions.

-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com]
Sent: Tuesday, November 30, 2004 11:37 AM
To: 'Sec Traq'; focus-ids () securityfocus com
Subject: RE: Foolin an IDS ?

There is a pretty well known paper written by Ptacek and Newsham, "Intrusion Detection System Insertion, Evasion, and Denial of Service", that outlines multiple techniques for eluding IDS': http://secinf.net/info/ids/idspaper/idspaper.html

A tool was created based on the techniques outlined in this paper called Fragroute, by Dug Song, which illegally fragments your outbound packets to a destination host based on how you tell it to fragment the traffic.

"fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour." http://monkey.org/~dugsong/fragroute/

I'd also recommend reading about and researching payload encryptors like ADMmutate, written by ADM. "In a nutshell, this API can mask buffer overflow exploit signatures from Network IDS systems so that they are more difficult to detect."
README: http://www.ktwo.ca/readme.html
Homepage: http://www.ktwo.ca/security.html

HTH.

Best Regards,
Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.
------------------------------------------------------------------------
1134 N. Main St., Algonquin, IL 60102
Tel: (877) 262-7593 x327  Fax: (877) 262-7593  Mobile: (847) 456-6785
http://www.appliedwatch.com  Email: eric.hines () appliedwatch com
------------------------------------------------------------------------
"Redefining Open Source Enterprise Management"
------------------------------------------------------------------------

-----Original Message-----
From: Sec Traq [mailto:sectraq () gmail com]
Sent: Saturday, November 27, 2004 4:44 PM
To: focus-ids () securityfocus com
Subject: Foolin an IDS ?

Hi, I have read a couple of papers on how to fool an IDS, one of them from Phrack. I find the subject really interesting and am considering it as an MSc. project, but I need more advanced and technical papers. If anyone could advise, your help would be appreciated. Thanks

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
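The three MSRPC evasions discussed in this thread (a GUID cut across two segments, a harmless interface bound ahead of the watched one, and a big-endian data representation that changes the GUID's byte pattern) are all defects of the detector's parser rather than properties of the attack. The following added example, written for this archive page and not code from any of the posters or from any IDS product, contrasts a lazy per-packet, first-context-only, little-endian-only matcher with a parser that reassembles the stream, honours the packed_drep byte-order flag, and walks every presentation context element of a DCE/RPC bind PDU. The ISystemActivator and NDR32 UUIDs are the well-known real values; the "harmless" interface UUID, the sample PDUs and the segment split point are constructed for the demonstration.

```python
import struct
import uuid

PTYPE_BIND = 11
# Well-known interface UUIDs (real values).
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # transfer syntax
# Constructed placeholder for an interface nobody cares about.
HARMLESS = uuid.UUID("12345678-1234-1234-1234-123456789abc")
# Constructed watch list: binds to these interfaces raise an alert.
WATCHED = {ISYSTEMACTIVATOR: "ISystemActivator (DCOM activation)"}


def decode_uuid(raw16, little_endian):
    """DCE/RPC encodes time_low/time_mid/time_hi in the sender's byte order
    (from packed_drep), so one interface has two possible wire patterns.
    Normalize to a uuid.UUID before comparing against the watch list."""
    fmt = "<IHH" if little_endian else ">IHH"
    time_low, time_mid, time_hi = struct.unpack(fmt, raw16[:8])
    node = int.from_bytes(raw16[10:16], "big")
    return uuid.UUID(fields=(time_low, time_mid, time_hi, raw16[8], raw16[9], node))


def encode_uuid(u, little_endian):
    """Inverse of decode_uuid, used to build the constructed sample PDUs."""
    fmt = "<IHH" if little_endian else ">IHH"
    head = struct.pack(fmt, u.time_low, u.time_mid, u.time_hi_version)
    return head + bytes([u.clock_seq_hi_variant, u.clock_seq_low]) + u.node.to_bytes(6, "big")


def build_bind(interfaces, little_endian=True, call_id=1):
    """Build a connection-oriented bind PDU with one context element per interface."""
    e = "<" if little_endian else ">"
    drep = b"\x10\x00\x00\x00" if little_endian else b"\x00\x00\x00\x00"
    ctx = b""
    for cont_id, iface in enumerate(interfaces):
        ctx += struct.pack(e + "HBB", cont_id, 1, 0)          # context id, 1 transfer syntax
        ctx += encode_uuid(iface, little_endian) + struct.pack(e + "I", 0)   # abstract syntax v0
        ctx += encode_uuid(NDR32, little_endian) + struct.pack(e + "I", 2)   # NDR32 v2
    body = struct.pack(e + "HHIBBH", 4280, 4280, 0, len(interfaces), 0, 0) + ctx
    hdr = bytes([5, 0, PTYPE_BIND, 0x03]) + drep
    hdr += struct.pack(e + "HHI", 16 + len(body), 0, call_id)  # frag_length, auth_length, call_id
    return hdr + body


def naive_check(segments):
    """Mirrors the weak signature logic the thread describes: one packet at a
    time, only the first context element, little-endian assumed."""
    hits = []
    for seg in segments:
        if len(seg) >= 48 and seg[2] == PTYPE_BIND:
            iface = decode_uuid(seg[32:48], little_endian=True)
            if iface in WATCHED:
                hits.append(str(iface))
    return hits


def reassemble(segments):
    """Stream reassembly: a GUID split across TCP segments becomes whole again."""
    return b"".join(segments)


def parse_binds(stream):
    """Walk every PDU in the reassembled stream; for each bind PDU, inspect every
    context element using the byte order the sender declared. Returns a list of
    (call_id, context_id, interface) tuples for watched interfaces."""
    alerts = []
    off = 0
    while off + 16 <= len(stream):
        ptype = stream[off + 2]
        little_endian = (stream[off + 4] >> 4) == 1
        e = "<" if little_endian else ">"
        frag_length, _auth_len, call_id = struct.unpack_from(e + "HHI", stream, off + 8)
        if frag_length < 16 or off + frag_length > len(stream):
            break  # truncated PDU: wait for more data instead of guessing
        if ptype == PTYPE_BIND:
            n_ctx = stream[off + 24]
            p = off + 28
            for _ in range(n_ctx):
                cont_id, n_ts, _r = struct.unpack_from(e + "HBB", stream, p)
                iface = decode_uuid(stream[p + 4:p + 20], little_endian)
                if iface in WATCHED:
                    alerts.append((call_id, cont_id, str(iface)))
                p += 24 + 20 * n_ts  # skip abstract syntax + its transfer syntaxes
        off += frag_length
    return alerts


def scenarios():
    """Constructed traffic for the three evasions; each is a list of TCP segments."""
    single = build_bind([ISYSTEMACTIVATOR])
    return {
        "multi_bind": [build_bind([HARMLESS, ISYSTEMACTIVATOR])],
        "split_guid": [single[:40], single[40:]],        # GUID cut at byte 40 of 32..48
        "big_endian": [build_bind([ISYSTEMACTIVATOR], little_endian=False)],
    }


if __name__ == "__main__":
    for name, segs in scenarios().items():
        print(name, "naive:", naive_check(segs), "full:", parse_binds(reassemble(segs)))
```

Each scenario produces no hit from naive_check and one alert from parse_binds; the plain single-bind, little-endian case is caught by both, which is the only case the lazy matcher was ever tested against. The design point for a detector is that signature matching belongs after reassembly and after a real protocol decode, never on raw packet bytes.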
Current thread:
- Re: Foolin an IDS ? Jose Costa (Dec 01)
- <Possible follow-ups>
- Re: Foolin an IDS ? Jose Nazario (Dec 01)
- Re: Foolin an IDS ? Graeme Connell (Dec 01)
- RE: Foolin an IDS ? Eric Hines (Dec 01)
- RE: Foolin an IDS ? Shaiful (Dec 02)
- RE: Foolin an IDS ? Maynor, David (ISS Atlanta) (Dec 02)
- Re: Foolin an IDS ? Zyzio (Dec 03)
- Message not available
- RE: Foolin an IDS ? Mark Teicher (Dec 06)
- Re: Foolin an IDS ? Thomas Ptacek (Dec 07)
- Re: Foolin an IDS ? Pukhraj Singh (Dec 27)
- RE: Foolin an IDS ? Maynor, David (ISS Atlanta) (Dec 06)