Slide 1: Advanced Network Based IPS Evasion Techniques
Antti Levomäki, Christian Jalio, Olli-Pekka Niemi
28 October 2009
Slide 2: Introduction
Intrusion Prevention Systems should protect vulnerable hosts from remote exploits.
Exploits can apply multiple evasion methods to bypass the detection of Intrusion Prevention Systems and break into the remote system.
Hack.Lu 2009
Slide 3
There are hacking tools which apply multiple evasion techniques. However, these tools are exploit oriented rather than evasion oriented: the evasions are a side feature, not the thing being tested.
Slide 4: Known Evasions (implemented in various testing tools…)
- IP fragmentation with manipulated fragment size and order
- TCP segmentation with manipulated segment size and order
- SMB fragmentation
- SMB Transaction Write Method
- MSRPC Multibind (bind to multiple "unnecessary or non-existent" contexts plus the vulnerable context)
- MSRPC fragmentation
- MSRPC encryption
Slide 5: Not So Known Evasions (implemented in ???)
- IP Random Options
- TCP Time Wait
- TCP Urgent Pointer
- SMB Write/Read Padding
- SMB Transaction Method fragmentation
- SMB Session Mixing
- MSRPC Alter Context
- MSRPC Object Reference
- MSRPC Endian Manipulation
Slide 6: The Power of Evasion Methods
IPS signatures can be evaded completely if the IPS protocol stacks do not understand the evasions and normalize the traffic before inspection.
Example: SMB and MSRPC signatures should not have to worry about fragmentation, padding, extra methods or other randomizations. The IPS decoders for each layer must strip them so that the signature is matched against the same data the target host ends up processing.
Slide 7: IP Random Options
Fill the IP header with random options.
If the target host and the IPS device disagree about the validity of the packet (one accepts it, the other discards it), the target host may see different data than the IPS.
Slide 8: TCP Evasion: TCP Time Wait
Open and close a TCP connection. Then open a new TCP connection to the same service using the same TCP source port.
According to the TCP RFC, the TCP client MUST wait the TIME-WAIT delay (2*MSL) before reusing a port. If the attacker uses his own TCP/IP stack, he can close a TCP connection and immediately open a new one from the same source port; the side that closed first holds the TIME-WAIT state, and an attacker-controlled stack simply ignores it, so the target accepts the new SYN.
The IPS stack should handle the new connection as a new connection regardless of the TIME-WAIT delay, instead of attaching its segments to the stale flow entry.
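The flow-table behaviour the slide calls for, as an added example (not code from the slides or from the authors' tools): a toy IPS flow tracker with a weak and a correct policy for a SYN that arrives while the same 4-tuple is still in TIME-WAIT. Sequence numbers, payloads and the 4-tuple are constructed; the tracker only reassembles in-order data and collapses the FIN handshake into one step.

```python
"""
Added example, not from the Hack.Lu 2009 slides: a toy IPS flow tracker
showing why a TCP connection reopened from the same source port while the
previous one is in TIME-WAIT must be treated as a brand-new connection.

`restart_on_syn=False` models the weak policy: a SYN that hits an existing
flow entry is ignored, so the entry keeps the old state and sequence
numbers.  `restart_on_syn=True` models the correct policy.  Only in-order
data is reassembled and the FIN handshake is collapsed into a single step;
both are simplifications for the demonstration.
"""
SYN, FIN, ACK = 0x02, 0x01, 0x10


class FlowTracker:
    def __init__(self, restart_on_syn: bool):
        self.restart_on_syn = restart_on_syn
        self.flows = {}  # 4-tuple -> {"state", "next_seq", "data"}

    def segment(self, key, seq: int, flags: int, payload: bytes = b"") -> None:
        flow = self.flows.get(key)
        if flags & SYN:
            fresh = flow is None or (flow["state"] == "TIME_WAIT" and self.restart_on_syn)
            if fresh:
                # SYN consumes one sequence number; data starts at seq + 1.
                self.flows[key] = {"state": "ESTABLISHED", "next_seq": seq + 1, "data": b""}
            # Weak policy: the SYN is silently attributed to the stale flow.
            return
        if flow is None or flow["state"] != "ESTABLISHED":
            return  # nothing to inspect: unknown flow, or flow already closing
        if payload and seq == flow["next_seq"]:
            flow["data"] += payload
            flow["next_seq"] += len(payload)
        # Data with an unexpected sequence number is dropped from inspection.
        if flags & FIN:
            flow["state"] = "TIME_WAIT"

    def inspected(self, key) -> bytes:
        """Bytes the tracker would hand to signature inspection for `key`."""
        flow = self.flows.get(key)
        return flow["data"] if flow else b""


def time_wait_attack(tracker: FlowTracker, key) -> bytes:
    """Replay the evasion from the slide against a tracker: a decoy
    connection is opened and closed, then the attack is sent from the same
    ip:port while the decoy is in TIME-WAIT.  Returns what gets inspected."""
    tracker.segment(key, 1000, SYN)
    tracker.segment(key, 1001, ACK, b"decoy")
    tracker.segment(key, 1006, FIN | ACK)      # attacker closes first
    tracker.segment(key, 50000, SYN)            # attacker's stack ignores TIME-WAIT
    tracker.segment(key, 50001, ACK, b"exploit")
    return tracker.inspected(key)


if __name__ == "__main__":
    key = ("10.0.215.32", 40000, "10.0.215.101", 445)  # constructed 4-tuple
    print("weak IPS inspects   :", time_wait_attack(FlowTracker(False), key))
    print("correct IPS inspects:", time_wait_attack(FlowTracker(True), key))
```

With the weak policy the second connection's payload never reaches inspection (the entry is still the closed decoy flow), while the target host, which is free to accept a new SYN on that tuple, processes it.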
Slide 9: TCP Evasion: TCP Urgent Pointer
Insert one byte into a TCP stream with the URG flag set and the urgent pointer covering it. The receiving TCP stack decides whether that byte is delivered in-line or out of band, i.e. removed from the normal data stream the application reads. An IPS device that inspects every byte of the stream can be evaded by clever use of the urgent pointer.
Example:
TCP stream on the wire: GETP / (P is urgent data)
IPS sees: GETP /
Apache sees: GET /
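The two views from the example above, as an added example that is not code from the slides or from the authors' tools: a reassembler that either ignores URG (the inspecting IPS) or strips the urgent byte from the in-line stream (the application on the host), plus a generator that inserts one-byte urgent junk segments into a payload. The on-wire layout of the tool's urgent_ptr option is not on the slides, so that part is an assumption; only the common "pointer indicates the last urgent byte" interpretation of the urgent pointer is modelled.

```python
"""
Added example, not from the Hack.Lu 2009 slides: reassembling a TCP byte
stream with and without honouring the urgent pointer.

When URG is set, the urgent pointer marks urgent data inside the segment.
BSD-derived stacks and Linux (with the default net.ipv4.tcp_stdurg=0)
deliver the last urgent byte out of band, so an application reading the
normal stream never sees it.  An IPS that simply concatenates segment
payloads sees that byte in line and matches its signatures on a different
string.  RFC 793's literal wording is off by one from this common
interpretation (see RFC 6093); the common one is what is modelled here.
"""
from dataclasses import dataclass

URG = 0x20  # TCP URG flag bit


@dataclass
class Segment:
    seq: int          # relative sequence number of payload[0]
    flags: int
    urgent_ptr: int   # offset from seq; byte at urgent_ptr - 1 is the urgent byte
    payload: bytes


def reassemble(segments, strip_urgent: bool) -> bytes:
    """Return the in-line byte stream.  strip_urgent=True models a receiver
    that delivers the urgent byte out of band; False models an IPS that
    ignores URG and inspects every byte."""
    stream = b""
    for seg in sorted(segments, key=lambda s: s.seq):
        data = seg.payload
        if strip_urgent and seg.flags & URG and 0 < seg.urgent_ptr <= len(data):
            u = seg.urgent_ptr - 1
            data = data[:u] + data[u + 1:]
        stream += data
    return stream


def inject_urgent(payload: bytes, every: int, junk: int = 0x50) -> list:
    """Split payload into `every`-byte segments and put a one-byte URG
    segment carrying `junk` after each of them (assumed layout for the
    "insert meaningless data into 1 byte urgent segments" option)."""
    segs, seq = [], 0
    for i in range(0, len(payload), every):
        chunk = payload[i:i + every]
        segs.append(Segment(seq, 0, 0, chunk))
        seq += len(chunk)
        if i + every < len(payload):
            segs.append(Segment(seq, URG, 1, bytes([junk])))
            seq += 1
    return segs


def both_views(segments) -> tuple:
    """(what the IPS sees, what the application on the host sees)."""
    return reassemble(segments, False), reassemble(segments, True)


if __name__ == "__main__":
    slide = [Segment(0, 0, 0, b"GET"), Segment(3, URG, 1, b"P"),
             Segment(4, 0, 0, b" / HTTP/1.0\r\n\r\n")]   # the slide's example
    print(both_views(slide))
    print(both_views(inject_urgent(b"GET / HTTP/1.0\r\n\r\n", 4)))
```

An IPS that wants the host's view has to know which interpretation the protected host uses; a reasonable default is to treat the byte both ways and inspect both streams.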
Slide 10: SMB Evasion: SMB Session Mixing
It is possible to use multiple resources over the same SMB session within a single TCP connection at the same time: simultaneously read from and write to multiple files, interleaving the requests for different tree connects and file handles in one stream.
Slide 11: SMB Evasion: SMB Write/Read Padding
The SMB write and read commands carry a data offset field that can be used for padding. All bytes between the end of the command's fixed fields and the byte the offset points at should be discarded; the data the server actually writes (or the client actually reads) starts at the offset.
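The padding described above in a concrete message, as an added example that is not code from the slides or from the authors' tools: an SMB1 WRITE_ANDX request builder that inserts padding before the data, and two decoders, one that honours DataOffset as the server does and one that assumes the data starts right after ByteCount. Header field values (TID/PID/UID/MID, flags) and the payload bytes are constructed.

```python
"""
Added example, not from the Hack.Lu 2009 slides: SMB1 WRITE_ANDX with
padding between the ByteCount field and the data, decoded two ways.
`write_data` follows MS-CIFS and uses the DataOffset parameter;
`write_data_naive` takes the whole ByteCount block as the data, which is
the mistake the write-padding evasion relies on.
"""
import os
import struct

SMB_COM_WRITE_ANDX = 0x2F
SMB_HEADER_LEN = 32
# WriteAndX parameter block, WordCount = 12 (24 bytes):
# AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout, WriteMode,
# Remaining, DataLengthHigh, DataLength, DataOffset
WRITE_ANDX_PARAMS = "<BBHHIIHHHHH"


def smb_header(command: int, tid=1, pid=0x1234, uid=0x800, mid=1) -> bytes:
    # Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
    # Reserved, TID, PIDLow, UID, MID  (constructed flag values)
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0,
                       0x18, 0xC807, 0, b"\x00" * 8, 0, tid, pid, uid, mid)


def build_write_andx(fid: int, data: bytes, pad: bytes = b"") -> bytes:
    """WRITE_ANDX with `pad` bytes inserted before the data.  DataOffset is
    measured from the start of the SMB header, so it skips the padding."""
    data_offset = SMB_HEADER_LEN + 1 + struct.calcsize(WRITE_ANDX_PARAMS) + 2 + len(pad)
    params = struct.pack(WRITE_ANDX_PARAMS, 0xFF, 0, 0, fid, 0, 0, 0, 0,
                         len(data) >> 16, len(data) & 0xFFFF, data_offset)
    byte_count = struct.pack("<H", len(pad) + len(data))
    return smb_header(SMB_COM_WRITE_ANDX) + bytes([12]) + params + byte_count + pad + data


def _params(msg: bytes):
    if msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_WRITE_ANDX:
        raise ValueError("not a WRITE_ANDX request")
    word_count = msg[SMB_HEADER_LEN]
    fields = struct.unpack_from(WRITE_ANDX_PARAMS, msg, SMB_HEADER_LEN + 1)
    return word_count, fields


def write_data(msg: bytes) -> bytes:
    """Data the server writes: DataLength bytes starting at DataOffset."""
    _, f = _params(msg)
    length = (f[8] << 16) | f[9]
    return msg[f[10]:f[10] + length]


def write_data_naive(msg: bytes) -> bytes:
    """Data as seen by a decoder that ignores DataOffset and takes the whole
    ByteCount block (padding included) as the write data."""
    word_count, _ = _params(msg)
    bc_pos = SMB_HEADER_LEN + 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", msg, bc_pos)
    return msg[bc_pos + 2:bc_pos + 2 + byte_count]


if __name__ == "__main__":
    payload = b"\x05\x00\x00\x03\x10\x00\x00\x00"  # start of a DCE/RPC request PDU
    msg = build_write_andx(0x4000, payload, pad=os.urandom(37))
    print("server writes :", write_data(msg))
    print("naive decoder :", write_data_naive(msg))
```

With random padding the naive decoder's view starts with junk, so a signature anchored on the beginning of the written data (for example the DCE/RPC header carried over a named pipe) never fires, while the server writes exactly the bytes the attacker intended. READ_ANDX responses carry an equivalent DataOffset field, so the same check applies on the read side.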
Slide 12: SMB Evasion: SMB Transaction Method
SMB Transaction Write Method: the SMB protocol allows the fragmentation of Transaction messages by using "Transaction secondary" messages, so a single write can arrive as a primary Transaction followed by one or more secondary messages that each carry part of the data.
Slide 13: MSRPC Evasion: MSRPC Object Reference
Adding an object reference (UUID) to an MSRPC request header enlarges the header by 16 bytes and thus moves the MSRPC payload (the stub data) 16 bytes forward. The presence of the UUID is signalled by the PFC_OBJECT_UUID flag in the PDU header; a decoder that ignores the flag reads the UUID as the first 16 bytes of the stub data.
Slide 14: MSRPC Evasion: Alter Context
The client may change the current presentation context using the Alter Context method. All subsequent requests then go to the new context.
Example: the client binds to a non-vulnerable context (interface), then alters the context to the vulnerable one and sends the exploit. An IPS that decides which interface a request targets from the bind alone inspects the exploit against the wrong interface.
Slide 15: MSRPC Endianness
The MSRPC protocol allows both big- and little-endian encoding; the data representation field in the PDU header selects which one is in use. Windows hosts normally use little-endian encoding. Hackers should use big endian for obvious reasons…
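The two header tricks from Slides 13 and 15 in one place, as an added example that is not code from the slides or from the authors' tools: a builder and parser for a DCE/RPC connection-oriented request PDU that honours the data representation byte and the optional object UUID, next to a decoder that hard-codes little-endian and no object UUID. Authentication trailers are not modelled; call ID, context ID and the object UUID are constructed values. Opnum 31 is NetprPathCanonicalize, the srvsvc call behind CVE-2008-4250, which the later slides name as the attack being run.

```python
"""
Added example, not from the Hack.Lu 2009 slides: building and parsing a
DCE/RPC (MSRPC) request PDU so that both header evasions are visible.

- PFC_OBJECT_UUID (0x80) in pfc_flags adds a 16-byte object UUID after the
  fixed header, pushing the stub data from offset 24 to offset 40.
- The first data representation byte selects integer byte order for every
  multi-byte header field that follows: high nibble 0x0 = big-endian,
  0x1 = little-endian.
"""
import struct
import uuid

PFC_OBJECT_UUID = 0x80
PTYPE_REQUEST = 0
HEADER_LEN = 24  # common header (16) + alloc_hint, context_id, opnum (8)
SAMPLE_OBJECT = uuid.UUID("12345678-1234-5678-9abc-def012345678")  # constructed


def build_request(opnum: int, stub: bytes, little_endian: bool = True,
                  obj: uuid.UUID = None, call_id: int = 1, ctx_id: int = 0) -> bytes:
    e = "<" if little_endian else ">"
    drep = b"\x10\x00\x00\x00" if little_endian else b"\x00\x00\x00\x00"
    flags = 0x03 | (PFC_OBJECT_UUID if obj else 0)   # FIRST_FRAG | LAST_FRAG
    # NDR encodes the first three UUID fields in the PDU's byte order.
    obj_bytes = b"" if obj is None else (obj.bytes_le if little_endian else obj.bytes)
    frag_len = HEADER_LEN + len(obj_bytes) + len(stub)
    common = struct.pack("<BBBB", 5, 0, PTYPE_REQUEST, flags) + drep
    common += struct.pack(e + "HHI", frag_len, 0, call_id)     # frag_length, auth_length, call_id
    return common + struct.pack(e + "IHH", len(stub), ctx_id, opnum) + obj_bytes + stub


def parse_request(pdu: bytes) -> dict:
    """Decode the header the way a correct IPS protocol stack must: honour
    drep for endianness and skip the object UUID when the flag is set."""
    if len(pdu) < HEADER_LEN or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    flags, drep0 = pdu[3], pdu[4]
    little = (drep0 & 0xF0) == 0x10
    e = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    alloc_hint, ctx_id, opnum = struct.unpack_from(e + "IHH", pdu, 16)
    off, obj = HEADER_LEN, None
    if flags & PFC_OBJECT_UUID:
        raw = pdu[off:off + 16]
        obj = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        off += 16
    return {"little_endian": little, "call_id": call_id, "ctx_id": ctx_id,
            "opnum": opnum, "object": obj, "stub_offset": off,
            "stub": pdu[off:frag_len - auth_len]}


def naive_opnum_and_stub(pdu: bytes) -> tuple:
    """What a decoder that hard-codes little-endian and no object UUID sees."""
    (opnum,) = struct.unpack_from("<H", pdu, 22)
    return opnum, pdu[HEADER_LEN:]


if __name__ == "__main__":
    stub = b"\x01\x00\x00\x00" + b"A" * 12          # constructed stub bytes
    for le in (True, False):
        pdu = build_request(31, stub, little_endian=le, obj=SAMPLE_OBJECT)
        print("correct:", parse_request(pdu)["opnum"], " naive:", naive_opnum_and_stub(pdu)[0])
```

A naive decoder gets opnum 0x1F00 instead of 31 on the big-endian PDU and treats the UUID as stub data on the little-endian one; either way an opnum- or stub-based signature for the vulnerable call does not match, while the Windows RPC runtime decodes both PDUs correctly.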
Slide 16: Introducing Predator
Evasion fuzzer: uses multiple random evasion techniques simultaneously in multiple layers, and transmits the same exploit payload with new evasion combinations until the attack succeeds.
Slide 17: Evasions in Predator
Evasions for attack "CVE-2008-4250"
IP fragmentation, --ip_frag:
  8byte: Fragment IP payload into 8 byte fragments
  16byte: Fragment IP payload into 16 byte fragments
  24byte: Fragment IP payload into 24 byte fragments
  256byte: Fragment IP payload into 256 byte fragments
  random_order: Send fragments in a random order
  out_of_order: Send one fragment out of order
  fwd_overwrite: Perform forward overwriting with fragments
  last_first: Send last fragment first
  one_duplicate: Send one duplicate fragment
IP evasion, --ip_evasion:
  random_options: Send random IP options
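What the --ip_frag options above do to an inspector, as an added example that is not code from Predator or from the slides: a small IP fragment reassembler with two overlap policies, plus helpers that reorder, duplicate and overwrite fragments the way the option names suggest. Fragments are modelled as (offset in 8-byte units, more-fragments flag, data) with IP headers omitted; the decoy layout used for "forward overwriting" is this example's reading of the option name, not a description of Predator's wire format.

```python
"""
Added example, not from Predator or the Hack.Lu 2009 slides: IP fragment
reassembly under two overlap policies.

Real stacks follow one of several documented overlap policies (see the
Ptacek/Newsham and Shankar/Paxson work), so an IPS that reassembles with
a different policy than the protected host reconstructs a different
datagram.  Fragment reordering and duplication alone do not change the
result for a correct reassembler; overlapping fragments do.
"""
import random
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int      # fragment offset field, in 8-byte units
    more: bool       # MF flag
    data: bytes


def fragment(payload: bytes, size: int) -> list:
    """Split payload into `size`-byte fragments (size must be a multiple of 8)."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [Fragment(off // 8, off + size < len(payload), payload[off:off + size])
            for off in range(0, len(payload), size)]


def reassemble(frags, policy: str):
    """Rebuild the datagram.  policy="first": bytes already received win
    (overlapping data is ignored); policy="last": later fragments overwrite.
    Returns None if the datagram is incomplete."""
    buf, covered, total = bytearray(), bytearray(), None
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            covered.extend(b"\x00" * (end - len(covered)))
        for i in range(start, end):
            if policy == "last" or not covered[i]:
                buf[i] = f.data[i - start]
                covered[i] = 1
        if not f.more:
            total = end
    if total is None or not all(covered[:total]):
        return None
    return bytes(buf[:total])


def forward_overwrite(frags, index: int, decoy: bytes) -> list:
    """Send a decoy fragment for position `index` before the real one (assumed
    layout).  A first-wins host keeps the decoy; a last-wins host keeps the
    real data, and an IPS with the other policy sees the opposite."""
    real = frags[index]
    if len(decoy) != len(real.data):
        raise ValueError("decoy must be the same length as the fragment it shadows")
    return frags[:index] + [Fragment(real.offset, real.more, decoy)] + frags[index:]


def shuffled(frags, seed: int = 1) -> list:
    """--ip_frag random_order with a fixed seed so runs are reproducible."""
    return random.Random(seed).sample(frags, len(frags))


def last_first(frags) -> list:
    """--ip_frag last_first."""
    return [frags[-1]] + frags[:-1]


if __name__ == "__main__":
    payload = b"A" * 8 + b"B" * 8 + b"C" * 8 + b"DD"   # constructed 26-byte payload
    frags = forward_overwrite(fragment(payload, 8), 1, b"X" * 8)
    print("first-wins host:", reassemble(frags, "first"))
    print("last-wins host :", reassemble(frags, "last"))
```

The practical consequence for an IPS is that the reassembly policy must be per destination host (or the IPS must normalize by dropping overlapping fragments before they reach the host), otherwise the inspected datagram and the delivered one differ.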
Slide 18 (Evasions in Predator, continued)
TCP fragmentation, --tcp_frag:
  1byte: Fragment TCP payload into 1 byte segments
TCP evasion, --tcp_evasion:
  time_wait: Open a decoy connection and attack from the same ip:port while in time-wait
  urgent_ptr: Insert meaningless data into 1 byte urgent segments
Slide 19 (Evasions in Predator, continued)
SMB fragmentation, --smb_frag:
  16byte: Fragment SMB payload into 16 byte fragments
  256byte: Fragment SMB payload into 256 byte fragments
SMB evasion, --smb_evasion:
  andx_connect: Negotiate the SMB session and connect to the tree in a chained AndX message
  decoy_trees: Open decoy SMB tree connects in the same TCP stream as the attack
  read_offset: Use random offsets in SMB read operations
  pad_write_random: Pad SMB write commands with a random sized block of random data
  pad_write_static: Pad SMB write commands with a static sized block of random data
  random_write_method: Use a random SMB write method (TRANSACT / WRITE)
  write_offset: Use random offsets in SMB write operations
Slide 20 (Evasions in Predator, continued)
MSRPC fragmentation, --msrpc_frag:
  16byte: Fragment MSRPC payload into 16 byte fragments
  256byte: Fragment MSRPC payload into 256 byte fragments
MSRPC evasion, --msrpc_evasion:
  big_endian: Communicate in big endian format
  random_object: Add a random object reference to MSRPC requests
  alter_context: Bind to a random context and then alter to the correct one
Slide 21: Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB fragstyle: 16byte, MSRPC evasion: random_object
Exploit run 2: SMB evasion: read_offset, MSRPC evasion: big_endian,random_object,alter_context
Exploit run 3: SMB evasion: decoy_trees,pad_write_static, MSRPC evasion: random_object,alter_context
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Slide 22: Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB evasion: andx_connect,pad_write_static,random_write_method,write_offset, MSRPC evasion: alter_context
Exploit run 2: TCP evasion: time_wait, SMB evasion: decoy_trees,read_offset,pad_write_static
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Slide 23: DEMO