RE: Foolin an IDS ?

[Mark Teicher <mht3 () earthlink net>]

Most IDS/IPS Vendors today account for the papers mentioned.  Test 
methodologies for IDS/IPS technologies has mutated a bit.  Some IDS/IPS 
vendors utilize various commercial and non-commercial tools to test their 
products, The issue at hand is how does one separate out true IPS evasion 
techniques to validate IPS based attacks only.


At 02:49 PM 12/1/2004, Maynor, David (ISS Atlanta) wrote:
> The phrack article deal mostly with host based IDS/IPS evasion. The
> paper Eric mentioned from Newsham and Ptacek is a great starting point
> in the network based world. Aside from papers and tools like fragroute
> take a look at the stuff Dave Aitel has written on the subject. Dave has
> a version of CANVAS called the Canvas Reference Implementation that
> implements newer idea in IDS/IPS evasion.
>
> You can find it here:
> http://www.immunitysec.com/products-canvas-cri.shtml
>
> And the presentation he did on it:
> http://www.immunitysec.com/resources-papers.shtml
>
> Aside from looking at this the best way to learn to evade IDS/IPS is an
> understanding of the protocols that they are protecting. This doesn't
> mean just TCP/UDP; this also means things like MSRPC, HTTP, SSL and
> such.
>
> If you want to start looking at this from a programming point of view
> the easiest way to start evading systems is with RPC fragmentation. If
> the IDS/IPS vendor doesn't implement a decent protocol parser it's just
> a matter of breaking certain RPC attacks in multiple packets. This
> evades systems because more times than not the signature writers look
> for calls to a certain GUID. If you need to read up on GUIDs look here:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc
> /guid.asp
>
> So if the GUID is split between two packets a lot of IDS/IPS will miss
> it.
> This is a case with the ISYSTEMACTIVATOR GUID that Blaster bound to.
> This may seem simple but a lot of protocols support fragmentation that
> is not widely known or even understood.
>
> Another RPC related flaw is multiple binds. You can send a bind request
> for multiple GUIDs at one time. A lot of the IDS/IPS vendors will only
> parse the first bind request in the packet missing the 2nd or 3rd or
> 4th. So an evasion scenario would be to build a packet that first binds
> to a harmless interface then binds to the vulnerable interface. That
> will often get missed.
>
> Since a lot of IDS/IPS vendors look for binary patters, "bit flipping"
> is a simple way to evade badly written signatures. Any example would be
> an attack that has the word BAD in it. Depending on the byte order BAD
> might look like
> |42 41 44| in a sniffer like ethereal. Depending on the protocol you
> might be able to set your own byte order and instead of |42 41 44| it
> looks like |44 41 42| on the wire. This would evade a sig looking for
> only a certain byte order.
>
> These are only a few examples off the top of my head but there are many
> more. Now before anybody chimes in, these techniques work on signature
> based IDS/IPS. Somebody may be quick to point out anomaly based system
> won't suffer from these evasions. This is true, but for anomaly based
> systems there are a whole different set of evasions.
>
> -----Original Message-----
> From: Eric Hines [mailto:eric.hines () appliedwatch com]
> Sent: Tuesday, November 30, 2004 11:37 AM
> To: 'Sec Traq'; focus-ids () securityfocus com
> Subject: RE: Foolin an IDS ?
>
> There is a pretty well known paper written by Ptacek and Newsham
> "Intrusion
> Detection System Insertion, Evasion, and Denial of ServicE" that
> outlines
> multiple techniques for eluding IDS':
> http://secinf.net/info/ids/idspaper/idspaper.html
>
> A tool was created based on the techniques outlined in this paper called
> Fragroute by Dug Song which illegaly fragments your outbound packets to
> a
> destination host based on how you tell it to fragment the traffic.
> "fragroute intercepts, modifies, and rewrites egress traffic destined
> for a
> specified host, implementing most of the attacks described in the Secure
> Networks "Insertion, Evasion, and Denial of Service: Eluding Network
> Intrusion Detection" paper of January 1998. It features a simple ruleset
> language to delay, duplicate, drop, fragment, overlap, print, reorder,
> segment, source-route, or otherwise monkey with all outbound packets
> destined for a target host, with minimal support for randomized or
> probabilistic behaviour. "
> http://monkey.org/~dugsong/fragroute/
>
> I'd also recommend reading about and researching payload encryptors like
> ADMmutate written by ADM. "In a nutshell, this API can mask buffer
> overflow
> exploit signatures from Network IDS systems so that they are more
> difficult
> to detect."
> README: http://www.ktwo.ca/readme.html
> Homepage: http://www.ktwo.ca/security.html
>
> HTH.
>
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, Inc.
>
> ------------------------------------------------------------------------
>
> 1134 N. Main St.                     Tel: (877) 262-7593 x327
> Algonquin, IL                        Fax: (877) 262-7593
> 60102                                Mobile: (847) 456-6785
> http://www.appliedwatch.com          Email: eric.hines () appliedwatch com
> ------------------------------------------------------------------------
> "Redefining Open Source Enterprise Management"
> ------------------------------------------------------------------------
>
>
>
> -----Original Message-----
> From: Sec Traq [mailto:sectraq () gmail com]
> Sent: Saturday, November 27, 2004 4:44 PM
> To: focus-ids () securityfocus com
> Subject: Foolin an IDS ?
>
>
>
> Hi,
>
> I have read a couple of papers on how to fool and IDS. One of them from
> phrack. I find the subject really interesting and am considering it as
> an
> MSc. project, but i need more advanced and technical papers. If any1
> could
> advice ur help would be appriciated.
>
> Thnx
>
> ------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
> --
>
>
>
> ------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
> --
>
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------