
Hack Proofing Your Network, Second Edition, part 10 (doc)





Contents

IDS Evasion • Chapter 16

Summary

Signature-based IDS sensors have many variables to account for when attempting to analyze and interpret network data. Many challenges continue to elude these systems. The lack of information that is available for inspection is difficult to overcome. However, the rate at which many IDS sensors have been maturing is quite promising; Gigabit speeds and flexible architectures supported by an ever-growing security community push forward to configure systems that are capable of detecting all but the most obtuse and infrequent attack scenarios.

At every layer of the network stack there are difficulties with maintaining a consistent view of network traffic, as well as the effect of every packet being transmitted. It is quite clear that an attacker has certain advantages, being able to hide in a sea of information while being the only one aware of their true intention.

Packet layer evasions have been well documented throughout the past several years. IDS vendors are quite aware of the many issues surrounding packet acquisition and analysis. Most networks are beginning to filter “suspicious” packets in any case—that is, any types with options and excessive fragmentations. Perhaps in the coming years, network layer normalizations will become commonplace and many of these evasion possibilities will evaporate.

The difficulty with analyzing the application layer protocols continues to cause ongoing headaches. Some proxy solutions have begun to take hold, but the bottleneck that these systems cause is often too great. They also suffer from similar issues as IDSs, unable to identify classes of attacks that they were not originally intended for.

It is quite acceptable to quash malformed TCP/IP packets in the case of an error; a legitimate end system would eventually retransmit. The same is not true for higher layers; a NIDS may have an extremely limited understanding of application protocols and the information they transmit.
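The "consistent view of network traffic" problem the summary describes can be made concrete with overlapping TCP segments. The following is an added example, not code from the book: it reassembles the same constructed segments under two overlap policies (keep the first bytes seen versus let later bytes overwrite), showing that a sensor using one policy inspects a different stream from an end host using the other, and it includes the check a normalizer can apply instead of guessing: flag overlaps whose bytes actually conflict, since an ordinary retransmission repeats identical data. The segment data, sequence numbers and policy names are constructed for the example.

```python
"""Overlapping TCP segments seen through two reassembly policies.

Added example for this chapter summary; it is not code from the book. All
segment data below is constructed sample input.
"""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from (seq, data) segments in arrival order.

    policy "first": a byte already received is kept ("favor old" data).
    policy "last":  a later segment overwrites earlier bytes ("favor new").
    Holes left by missing segments are filled with b"?" so they stay visible.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(max(stream) + 1))


def conflicting_overlaps(segments: List[Segment]) -> List[int]:
    """Return the stream offsets where two segments carry different bytes.

    A plain retransmission repeats identical data and yields no offsets; an
    insertion attempt depends on the overlap carrying different data, which is
    exactly what a traffic normalizer should alert on or drop.
    """
    first_seen: Dict[int, int] = {}
    conflicts = set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if offset in first_seen and first_seen[offset] != byte:
                conflicts.add(offset)
            first_seen.setdefault(offset, byte)
    return sorted(conflicts)


# Constructed sample: a benign-looking request arrives first, a second segment
# overlaps the path with different bytes, and a third is an ordinary
# retransmission of bytes already seen.
SAMPLE_SEGMENTS: List[Segment] = [
    (0, b"GET /index.html HTTP/1.0\r\n"),
    (4, b"/secret.txt"),       # overlaps offsets 4-14 with conflicting data
    (16, b"HTTP/1.0"),         # identical retransmission, no conflict
]


def compare_views(segments: List[Segment]) -> Dict[str, bytes]:
    """The stream a sensor would inspect under each policy, side by side."""
    return {policy: reassemble(segments, policy) for policy in ("first", "last")}


if __name__ == "__main__":
    for policy, stream in compare_views(SAMPLE_SEGMENTS).items():
        print(f"{policy:>5}: {stream!r}")
    print("conflicting offsets:", conflicting_overlaps(SAMPLE_SEGMENTS))
```

Under "first" the sensor sees a request for /index.html; under "last" it sees /secret.txt. Neither policy is wrong in itself; the risk is a sensor whose policy differs from the host it protects. The conflicting-overlap check sidesteps the guess: it stays silent for retransmissions and reports the nine offsets where the two segments disagree, which is the signal a normalizer should act on.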
Polymorphic attacks present a significant challenge that cannot be easily solved with a purely signature-based system. These attacks may exist in virtually limitless combinations.

IDS evasion will continue to be a way of life on the Internet. There is an ever-renewing tide of tools and techniques that are developed and refined (eventually raising the everyday script kiddie into a more advanced skill set) to make the job of detection more difficult. One should continually monitor and investigate network activity to gain an understanding of what to expect during day-to-day operations.

www.syngress.com 194_HPYN2e_16.qxd 2/15/02 12:07 PM Page 713

Solutions Fast Track

Understanding How Signature-Based IDSs Work

■ The capabilities of a network intrusion detection system (NIDS) are defined by a signature database. This enforces the requirement for repeated updates to combat the frequency of new vulnerabilities.
■ Most NIDSs do not alert even to slight variations of the defined signatures. This affords an attacker the ability to vary their attack to evade a signature match.
■ Attackers will continue to vary their evasion techniques such that the processing required to monitor and detect is greatly increased. This would contribute to denial of service (DoS) attacks and evasion possibilities.

Using Packet Level Evasion

■ Many vendors implement Transmission Control Protocol/Internet Protocol (TCP/IP) with slight variations. A NIDS has a difficult time in constructing a view of network communications as they appear to other systems. This inconsistent view is what allows an attacker to evade detection.
■ Hosts may not adhere to Request for Comments (RFC) specifications and allow some packets where the NIDS may not.
■ NIDSs do not have enough information from the wire to reconstruct TCP/IP communications. With the options and states available in a TCP/IP stack, some ambiguities form as to how a host would interpret information; there is an insufficiency of information transmitted between systems when communicating.
■ Fragrouter and congestant are effective evasion tools. They implement a number of documented NIDS evasion techniques.

Using Application Protocol Level Evasion

■ Application protocols are verbose and rich in function. There are many subtle, antiquated and obscure application nuances that make effective application protocol decoding difficult. An attacker may compromise even the slightest oversight.
■ Applications tend to allow for slight variation; developers intentionally build in error-correcting cases that attempt to make sense of any request, no matter how malformed. With a lack of strict compliance to defined specifications, it is difficult for the NIDS to determine the behavior of a network application.
■ Multiple encoding options exist for data representation. Unicode, uuencoded, or hex-encoded options exist in many application protocols. These alternate representations complicate the development of detection engines.

Using Code Morphing Evasion

■ There is always more than one way to do something. When detection hinges on the identification of application code, there are many alternatives to code generation.
■ Most exploits will vary from host to host. Variations can be incorporated even when restrictions are placed on the length or type of codes possible.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: How many IDSs do I need to make them more effective?

A: All networks are different and require varying levels of monitoring. Your particular risk tolerance should help you find this out, though. A network that desires a high level of assurance that it is detecting many intrusion events should have at least one sensor per network segment (Layer 2). It is also desirable to have multiple vendor types implemented when an even higher level of security is needed (one vendor’s strengths would hopefully fill in gaps from another).

Q: Aren’t these techniques too advanced for most attackers?

A: Just like most other technologies, attack methodologies and techniques are eventually turned into boilerplate applications that anybody can wield. The layout of the virtual battlefield may change in an instant. The next big worm might wield these techniques, and force a sea-change in the IDS market.

Q: Where can I get information about new evasion attacks?

A: The “underground” scene is typically the catalyst for advancements in security technologies. Frequent online publications can be used to get a feel for where useful information may come from. There is no single source for where all new papers are distributed. Check out the following sites, to start:

■ antisec (http://anti.security.is)
■ Phrack (www.phrack.org)
■ Packetstorm (http://packetstormsecurity.org)
■ Technotronic (www.technotronic.com)

Q: What do I do if I am inundated with alerts?

A: Secure systems rely on compartmentalization to attempt to contain intruders. If you see that you are being attacked at an abnormal pace, isolate and separate the troubled systems and try to identify if there are some hosts with well-known vulnerabilities or exposures. Correlate your logs and IDS events to give you a better picture of what may be going on. Do not rely on authorities and the network administrators of the attacking networks; they are usually far too overworked or uninterested to give a respectable amount of support.

Q: How do I know that my IDSs are working?

A: Ongoing auditing and testing should be done to ensure that networking systems are properly implemented. Independent reviewers should always be a part of secure systems to ensure that a fresh set of eyes is evaluating a network architecture and IDS implementation.

Chapter 17

Automated Security Review and Attack Tools

Solutions in this chapter:

■ Learning about Automated Tools
■ Using Automated Tools for Penetration Testing
■ Knowing When Tools Are Not Enough

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

194_HPYN2e_17.qxd 2/15/02 9:31 AM Page 719

Introduction

Collecting and tying together your own set of security scanning tools can be time consuming. Even if you do spend the time, they might not work together as well as you’d like or offer all of the features you need. Integrated tools are available—some commercial, some free—that can provide the features you need.
The automated tools fall into two categories. The first category will attempt to identify vulnerabilities on a system based on a list of known vulnerabilities, sometimes called checks or signatures, without actually exploiting them. This category has been around the longest, and many of the security software vendors offer such a product. They are usually called a vulnerability assessment tool or a remote vulnerability scanner. The second category is tools that will attempt to exploit security holes, and in some cases, use the newly compromised victim to further penetrate into a network. This category is newer, and in fact, tools have only been announced and are not yet available to the public. The first category is primarily intended for security administrators to evaluate their network for vulnerabilities. The second category is intended for use primarily by penetration testers.

These automated tools can be a great help, especially when many hosts must be evaluated for weaknesses. Of course, the tools are not all-powerful, and will ultimately require a knowledgeable human to interpret the results. Like any set of signatures, these tools can report both false positives and false negatives. If you are attempting to perform a penetration test, the false negatives can be especially troublesome. A knowledgeable penetration tester operating and interpreting one of these automated tools may accomplish a great deal.

In this chapter, we examine some of the tools that are available, both commercial and free. We also discuss where the tools are headed in the near future.

Learning about Automated Tools

Automated scanning tools vary in how they function. Some tools have the ability to scan hosts externally without credentials, whereas others must scan hosts from inside the corporate network with the necessary credentials (usually administrator or root). Additionally, some tools are quite intrusive, as they attempt to exploit the actual vulnerabilities they scan for; others are unobtrusive and attempt to identify vulnerable hosts by checking for various signs of patches being installed (for example, specific files installed by a vendor patch). The jury is still out on which tools perform the best—see the sidebar “Automated Tools: Product Reviews” for a list of various product reviews.

Tools & Traps…

Automated Tools: Product Reviews

The following links are various reviews on a lot of the automated tools available today. Many of these reviews share the opinion that the unobtrusive tools do not test the effectiveness of a patch but only its existence. This certainly has been true in some cases where a vendor patch has not properly addressed an issue and testing for the mere existence of the patch would still leave the system vulnerable.

You can find product reviews at the following Web sites:

■ A comparative review of most of the commonly used scanners: www.nwc.com/1201/1201f1b1.html
■ A comprehensive review of multiple scanners: www.westcoast.com/securecomputing/2001_07/testc/prod2.html
■ A comparative review of some of the more popular commercial scanners: www.infosecuritymag.com/articles/january01/features1.shtml
■ A “Best Buy” review from Info Security: www.westcoast.com/asiapacific/articles/2000_07/testc/testc.html
■ Network Associates (NAI) CyberCop Scanner 5.5: www.secadministrator.com/Articles/Index.cfm?ArticleID=9203
■ Axent (now Symantec) NetRecon 3.0: www.secadministrator.com/Articles/Index.cfm?ArticleID=9204
■ ISS Internet Scanner 6.1: www.secadministrator.com/Articles/Index.cfm?ArticleID=9205
■ BindView HackerShield (now BV-Control for Internet Security): www.secadministrator.com/Articles/Index.cfm?ArticleID=9206
■ Webtrends (now NetIQ) Scanner 3.0: www.secadministrator.com/Articles/Index.cfm?ArticleID=9207

Scanning tools use a number of checks or scan signatures to test each host. Most scanners, both commercial and freeware, support a scripting language that is easy to use and understand. Even someone with minor programming skills can understand how a check works and exactly what it is looking for. The following is an example of how one of the freeware scanners, Nessus, scans for hosts that are vulnerable to the Internet Information Server (IIS) Directory Traversal Vulnerability (CVE ID 2000-0884). The full Nessus plug-in is available at http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-plugins/scripts/iis_dir_traversal.nasl.
```nasl
# The opening lines of the plug-in (script ID, CVE reference and the
# description text assigned to desc["english"]) are not part of this
# extract; the lines below complete the plug-in's description block.
if (description)
{
  script_description(english:desc["english"]);
  summary["english"] = "Determines if arbitrary commands can be executed thanks to IIS";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2001 H D Moore");
  family["english"] = "CGI abuses";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/iis");
  exit(0);
}

# Use the web server port recorded by find_service.nes, falling back to 80.
port = get_kb_item("Services/www");
if(!port)port = 80;

# Virtual directories under which the check is attempted.
dir[0] = "/scripts/";
dir[1] = "/msadc/";
dir[2] = "/iisadmpwd/";
dir[3] = "/_vti_bin/";   # FP
dir[4] = "/_mem_bin/";   # FP
dir[5] = "/exchange/";   # OWA
dir[6] = "/pbserver/";   # Win2K
dir[7] = "/rpc/";        # Win2K
dir[8] = "/cgi-bin/";
```

[...]

... must-have. Your own custom scripts or other tools will be required if your desire is to actually penetrate the host and internal network.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your...

... thorough results, and no matter what commercial tool you choose, your second scanner should be Nessus. You can find Nessus at www.nessus.org.

Figure 17.3 Nessus Performing a Scan

Security Administrators Integrated Network Tool (SAINT)

SAINT is an updated version of one of the first vulnerability scanners, Security Administrator Tool for Analyzing Networks (SATAN). SATAN was released back in 1995 and checked...
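The Nessus check above looks for the IIS Directory Traversal Vulnerability (CVE ID 2000-0884) from the scanner's side; the detection side has the problem the Chapter 16 Fast Track raises under "Multiple encoding options exist for data representation". The following added example (not code from the book or from the Nessus plug-in) shows why a byte-literal signature for "../" misses hex-encoded, double-encoded, %u-encoded and overlong UTF-8 variants of the same path, and how a detection engine can canonicalize a request path the way a lenient server would before matching. The request paths, the signature, the decode-round limit and the file names are all constructed for the example.

```python
"""Canonicalizing request paths before a signature match.

Added example; it is not code from the book or from the Nessus plug-in.
Every request path below is constructed sample input.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

TRAVERSAL_SIG = b"../"
MAX_DECODE_ROUNDS = 3  # bound on nested percent-decoding (double/triple encoding)
PERCENT_U = re.compile(rb"%u([0-9a-fA-F]{4})")


def _decode_percent_u(path: bytes) -> bytes:
    """Translate IIS-style %uXXXX escapes into the UTF-8 bytes they denote."""
    return PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)).encode("utf-8"), path)


def _decode_overlong_utf8(path: bytes) -> bytes:
    """Map overlong two-byte UTF-8 sequences (e.g. C0 AF) to the ASCII byte they encode.

    A strict decoder rejects these, but the IIS flaw behind CVE-2000-0884
    accepted them, so a normalizer has to mirror that lenient behaviour.
    """
    out = bytearray()
    i = 0
    while i < len(path):
        b = path[i]
        if b in (0xC0, 0xC1) and i + 1 < len(path) and 0x80 <= path[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (path[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(raw: bytes) -> bytes:
    """Canonical form used for matching: decoded, forward-slashed, lower-cased."""
    path = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(_decode_percent_u(path))
        if decoded == path:  # nothing left to decode
            break
        path = decoded
    path = _decode_overlong_utf8(path)
    path = path.replace(b"\\", b"/")
    path = re.sub(rb"/{2,}", b"/", path)
    return path.lower()


def naive_match(raw: bytes) -> bool:
    """What a byte-literal signature sees: the raw request path."""
    return TRAVERSAL_SIG in raw


def normalized_match(raw: bytes) -> bool:
    """The same signature applied after canonicalization."""
    return TRAVERSAL_SIG in normalize_path(raw)


# Constructed request paths; only the second is caught by the naive match.
SAMPLE_PATHS: List[bytes] = [
    b"/index.html",
    b"/scripts/../../private.txt",
    b"/scripts/..%c0%af..%c0%afprivate.txt",   # overlong UTF-8 slash
    b"/scripts/%252e%252e/private.txt",        # double-encoded dots
    b"/scripts/%u002e%u002e%5cprivate.txt",    # %u escapes plus backslash
    b"/images/logo..png",                      # dots without a separator
]


def scan(paths: List[bytes]) -> List[Tuple[bytes, bool, bool]]:
    """Return (path, naive_hit, normalized_hit) for each request."""
    return [(p, naive_match(p), normalized_match(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, normalized in scan(SAMPLE_PATHS):
        print(f"naive={naive!s:5} normalized={normalized!s:5} {path!r}")
```

The decode loop is bounded on purpose: unbounded re-decoding is itself a processing-cost lever of the kind the Fast Track warns about, and three rounds cover the nested encodings seen in practice. The last sample path shows the other side of normalization: "logo..png" contains two dots but no separator, so canonicalizing does not turn it into a false positive.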
... to assist you in making a decision. If the salesperson cannot answer your questions sufficiently, ask to speak to one of the product engineers. My experience with vendors has usually been good as they are happy to help and answer any of your questions, but be wary of the marketingspeak. Make your own decision as to what product will fit your needs. False positive rates are probably the most annoying issue...

... solve all of your security problems. Indulge me if you will, I want to share an experience that happened to me back when I was an internal security person for a large outsourcing organization. One of our newer clients, which had a large distributed network consisting of multiple operating systems and platforms, decided to bring in a third-party consultant to perform a penetration test on the network. This...

... because no one product is a complete fit for every network. When deciding on a vulnerability scanner, you need to take the time to thoroughly evaluate each product for your specific needs and environment. Almost all product vendors will offer you a free demonstration copy of their software—take them up on this offer. The worst-case scenario is that you will find yourself being phoned by their sales people to...

... lists all of the commercial and freeware security scanning tools?

A: A good, but a little out of date, site is Talisker’s Network Intrusion page at www.networkintrusion.co.uk. Additionally, Security Focus (www.securityfocus.com) also keeps a large list of the various tools.

Q: What is your favorite commercial vulnerability scanner?

A: It depends on the environment and the engagement I am on. I have used...
Fortunately, most of the commercial scanners are very noisy on networks and typically leave numerous footprints in system logs. Some, like CyberCop Scanner, will attempt to send a message to the console stating, “You are being scanned by CyberCop”. Any black hat worth his CPU would know better than to use a commercial scanning tool to attempt to break into a network. They will almost definitely be noticed if they...

... scanned and the network it is attached to. The information obtained could be used in conjunction with other vulnerabilities or even with simple commands to further penetrate the system and the network it is attached to. Many consulting organizations that perform penetration testing already have tools that...

... various *NIX systems and was created by Fyodor. Not only is it your basic port scanner, but it also incorporates other useful options, such as the capability to perform multiple types of port scans and to use decoys to attempt to hide your scanning activity. Nmap has the capability to identify...

... ICMP PING requests. NmapNT (www.eeye.com/html/Research/Tools/nmapnt.html) is the version of Nmap that eEye ported over to run on the Windows NT and Windows 2000 platform. If all you need is a sweep of your network identifying systems and what services are bound to ports, Nmap is the tool for you.

Whisker

Whisker, created by Rain Forest Puppy (RFP), is a simple Common Gateway Interface (CGI) vulnerability...

Posted: 14/08/2014, 04:21