In this chapter, we will learn about Intrusion Detection Systems, ways to detect an intrusion, and the various types of Intrusion Detection Systems. The chapter also covers firewalls and their types, honeypots and their types, firewall evasion tools, and firewall and IDS penetration testing.

16.1 Understand Intrusion Detection Systems (IDS)

Exam Focus: Understand Intrusion Detection Systems (IDS). Objective includes:
- Understand Intrusion Detection Systems (IDS).
- Learn ways to detect an intrusion.
- Acquire knowledge of the various types of Intrusion Detection Systems.

Intrusion Detection System

An Intrusion Detection System (IDS) is used to detect unauthorized attempts to access and manipulate computer systems, whether locally, through the Internet, or through an intranet. It can detect several types of attacks and malicious behaviors that can compromise the security of a network and its computers, including network attacks against vulnerable services, unauthorized logins and access to sensitive data, and malware (e.g. viruses, worms, etc.). An IDS also detects attacks that originate from within a system.

In most cases, an IDS has three main components: sensors, a console, and an engine. Sensors generate security events. The console is used to alert and control the sensors and to monitor events. The engine records events and generates security alerts based on the security events it receives. In many IDS implementations, these three components are combined into a single device.

[Figure: working of an IDS]

Types of IDS

The following are the types of IDS:

Network-based IDS: A Network-based Intrusion Detection System (NIDS) analyzes data packets flowing through a network. It can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. It is responsible for detecting anomalous or inappropriate data that may be considered "unauthorized" on a network. An NIDS captures and inspects all data traffic, whether or not that traffic is permitted.

Host-based IDS: A Host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to be monitored. A HIDS monitors only the data that is directed to or originates from the particular system on which it is installed. Besides network traffic, it can also monitor other parameters of the system, such as running processes, file system access and integrity, and user logins, to identify malicious activity. BlackICE Defender and Tripwire are good examples of HIDS. Tripwire is a HIDS tool that automatically calculates cryptographic hashes of all system files, as well as any other files that a network administrator wants to monitor for modification. It then periodically scans all monitored files and recalculates the hashes to see whether the files have been modified. It raises an alarm if changes are detected.

Log file monitoring: This is generally a program that parses log files after the occurrence of an event such as a failed login attempt.

File integrity checking: This checks for Trojan horses, or files that have otherwise been modified, indicating that an intruder has already been there.

Types of IDS responses

The following are the different types of responses generated by an IDS:
1. True Positive: A valid anomaly is detected, and an alarm is generated.
2. True Negative: No anomaly is present, and no alarm is generated.
3. False Positive: No anomaly is present, but an alarm is generated. This is the worst-case scenario: if an IDS generates false positives at a high rate, its alerts are ignored and the IDS is not used.
4. False Negative: A valid anomaly is present, and no alarm is generated.
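As an added illustration of the file integrity checking that Tripwire performs (example code written for this section, not Tripwire's own), the following Python takes a baseline of hashes, sizes and permission bits for a constructed directory tree, tampers with it, and reports what was modified, added or removed; the function names are this example's own.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not Tripwire's own code): a Tripwire-style integrity check.
# A baseline of cryptographic hashes and file metadata is taken once, and a
# later rescan reports what was modified, added, or removed. The function
# names take_baseline and compare_with_baseline are this example's own.

def _fingerprint(path):
    """Hash the file's content and record its size and permission bits."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}

def take_baseline(root):
    """Walk a directory tree and fingerprint every regular file under it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = _fingerprint(full)
    return baseline

def compare_with_baseline(root, baseline):
    """Rescan root and classify each path as modified, added, or missing."""
    current = take_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new != old:
            # Record which attributes differ so the alert is actionable.
            changed = sorted(k for k in old if old[k] != new[k])
            report["modified"].append((rel, changed))
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report

def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(text)

def demo():
    """Build a constructed directory tree, baseline it, tamper with it, rescan."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    os.mkdir(os.path.join(root, "etc"))
    _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
    _write(root, "etc/hosts", "127.0.0.1 localhost\n")
    _write(root, "etc/shadow", "root:*:19000:0:99999:7:::\n")
    os.chmod(os.path.join(root, "etc/hosts"), 0o644)
    baseline = take_baseline(root)
    # Simulated intrusion: an extra uid-0 account, a loosened permission,
    # a rogue file, and a deleted file.
    _write(root, "etc/passwd", "eve:x:0:0::/:/bin/sh\n", mode="a")
    os.chmod(os.path.join(root, "etc/hosts"), 0o666)
    _write(root, "etc/rogue.sh", "echo hello\n")
    os.remove(os.path.join(root, "etc/shadow"))
    return compare_with_baseline(root, baseline)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```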
IDS detection methods

The following are IDS detection methods:

Statistical Anomaly Detection: The Statistical Anomaly Detection method, also known as behavior-based detection, compares the current operating characteristics of the system against many baseline factors such as CPU utilization, file access activity, disk usage, etc. In this method, the Intrusion Detection System lets a Network Administrator either build profiles of authorized activity or place the IDS in learning mode so that it can learn what is to be treated as normal activity. A large amount of time needs to be dedicated to ascertaining whether the IDS is producing few false negatives. Hence, the main drawback of such an IDS is that if an attacker slowly changes his activities over time, the IDS might be fooled into accepting the new behavior as normal.

Pattern Matching Detection: The Pattern Matching IDS, also known as a knowledge-based or signature-based IDS, is based mainly on a database of known attacks. These known attacks are loaded into the IDS as signatures, and once they are loaded, the IDS begins to guard the network. The signatures are usually given a number or name so that the network administrator can easily identify the attack that is occurring. Alerts from this type of IDS can be triggered by fragmented IP packets, streams of SYN packets (DoS), or malformed Internet Control Message Protocol (ICMP) packets. The main disadvantage of a Pattern Matching system is that such an IDS can only trigger on signatures that are stored in its database; any new or obfuscated attack performed by an attacker will go undetected.

Protocol Detection Method: In the Protocol Detection Method, an IDS keeps state information and can detect abnormal activity in protocols such as IP, TCP, and UDP. If an incoming packet violates a protocol rule, the IDS sends an alert message to the Network Administrator.
Such an IDS is usually installed on the Web server and monitors the communication between a user and the system on which it is installed.

Ways to detect an intrusion

The following ways are used to detect an intrusion:

Signature recognition: Also referred to as misuse detection, it tries to recognize events that misuse a system.

Anomaly detection: It detects an intrusion based on the fixed behavioral characteristics of the users and components in a computer system.

Protocol anomaly detection: It involves building models of the TCP/IP protocols using their specifications.

Indications of intrusions

The following are indications of file system intrusions:
- Presence of new, unfamiliar files or programs
- Changes in file permissions
- Unexplained changes in file size
- Rogue files on the system that do not correspond to the master list of signed files
- Unfamiliar file names in directories
- Missing files

The following are indications of network intrusions:
- Repeated probes of the available services on the machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- Arbitrary data in log files, indicating an attempt to cause a denial of service or crash a service

The following are indications of system intrusions:
- Modifications to system software and configuration files
- Gaps in the system accounting
- Unusually slow system performance
- Crashing or rebooting of the system
- Short or incomplete logs
- Missing logs, or logs with incorrect permissions or ownership
- Unfamiliar processes
- Unusual graphic displays or text messages

Snort

Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
The three main modes in which Snort can be configured are as follows:

Sniffer mode: It reads the packets on the network and displays them in a continuous stream on the console.

Packet logger mode: It logs the packets to disk.

Network intrusion detection mode: This is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.

Working of Snort

[Figure: working of Snort]

The decoder performs the following functions:
- It saves the captured packets into the heap.
- It identifies link level protocols.
- It decodes IP.

The detection engine matches packets against the rules that were loaded into memory when Snort was initialized.

Output plug-ins format the notifications for a user so that the user can access them in different ways.

Snort rules

Snort's rule engine enables a user to write rules that meet the requirements of the network. Snort rules are useful in differentiating between normal Internet activity and malicious activity. A Snort rule must be written on a single line; rules spanning multiple lines are not handled by the Snort rule parser. The rule header and the rule options are the two logical parts of a Snort rule. The rule header identifies the rule's action (alert, log, pass, activate, dynamic, etc.); the rule options identify the rule's alert message.

Rule action: The rule header stores the complete information of a packet and determines the action to be carried out and which rule is to be applied. When the rule action finds a packet that matches the rule criteria, it alerts Snort. The following actions are available in Snort:
1. Alert: The selected alert method is used to generate an alert.
2. Log: The packet is logged.
3. Pass: The packet is dropped.

IP protocols: TCP, UDP, and ICMP are the IP protocols that Snort supports for detecting suspicious behavior.

Direction operator: It indicates the direction of the traffic. The traffic can flow either in one direction or bi-directionally.
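The following Python, added here as an example and not part of Snort, parses the rule header just described and checks packets against it, handling the "any" keyword, CIDR blocks, port ranges, negation with "!", address variables such as $HOME_NET, and the bidirectional operator; the function names are this example's own, and the rules in the usage lines are the ones this section discusses.

```python
import ipaddress

# Added example (not Snort's own code): parse the header of a Snort rule and
# decide whether a packet matches it. The header is "action proto src sport
# direction dst dport"; anything in parentheses (the rule options) is ignored.
# Address variables such as $HOME_NET are resolved from a caller-supplied
# dictionary. The function names below are this example's own.

ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def _parse_addr(spec, variables):
    """Return (negated, network) for 'any', a host, a CIDR block, or a $variable."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = variables[spec[1:]]   # KeyError for an undefined variable, as Snort would reject it
    if spec == "any":
        return negated, ipaddress.ip_network("0.0.0.0/0")
    return negated, ipaddress.ip_network(spec, strict=False)

def _parse_ports(spec):
    """Return (negated, low, high) for 'any', '23', '6000:6010', ':1024' or '1024:'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        low, high = spec.split(":", 1)
        return negated, int(low) if low else 0, int(high) if high else 65535
    port = int(spec)
    return negated, port, port

def parse_rule_header(rule, variables=None):
    """Split a one-line rule into its header fields."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % rule)
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError("unknown rule action: %s" % action)
    variables = variables or {}
    return {"action": action, "proto": proto.lower(), "direction": direction,
            "src": _parse_addr(src, variables), "sport": _parse_ports(sport),
            "dst": _parse_addr(dst, variables), "dport": _parse_ports(dport)}

def _addr_ok(spec, ip):
    negated, network = spec
    return (ipaddress.ip_address(ip) in network) != negated   # '!' inverts the test

def _port_ok(spec, port):
    negated, low, high = spec
    return (low <= port <= high) != negated

def _one_way(rule, src_ip, sport, dst_ip, dport):
    return (_addr_ok(rule["src"], src_ip) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst_ip) and _port_ok(rule["dport"], dport))

def packet_matches(rule, proto, src_ip, sport, dst_ip, dport):
    """True if the packet's 5-tuple satisfies the header; '<>' tries both directions."""
    if rule["proto"] not in ("ip", proto.lower()):
        return False
    if _one_way(rule, src_ip, sport, dst_ip, dport):
        return True
    return rule["direction"] == "<>" and _one_way(rule, dst_ip, dport, src_ip, sport)

if __name__ == "__main__":
    telnet = parse_rule_header("log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23")
    x11 = parse_rule_header("log tcp any any -> 192.168.1.0/24 !6000:6010")
    print(packet_matches(telnet, "tcp", "10.0.0.5", 40000, "192.168.1.10", 23))   # external -> internal telnet
    print(packet_matches(x11, "tcp", "10.0.0.5", 40000, "192.168.1.10", 6005))    # excluded by the negated range
```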
The following is an example of a Snort rule using the bidirectional operator:

log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

IP addresses: The "any" keyword is used to identify any IP address. Addresses written as straight numeric IP addresses are accepted by Snort. A CIDR block supplies the netmask that is applied to the rule's address and to the incoming packets that are checked against the rule.

Port numbers: Port numbers can be listed in various ways, including "any" ports, static port definitions, ranges, and by negation. The range operator ":" is used to indicate port ranges. The following is an example of port negation:

log tcp any any -> 192.168.1.0/24 !6000:6010

Tipping Point

Tipping Point IPS is an inline device. It is placed seamlessly and transparently into the network. Each packet is thoroughly inspected in order to determine whether it is malicious or legitimate. It delivers performance, application, and infrastructure protection at gigabit speeds via total packet inspection.

Intrusion detection tools

The following are intrusion detection tools:
- Security Network Intrusion Prevention System
- Strata Guard
- Peek & Spy
- CRCMd5 Data Validation
- Cisco IDS 4250 Appliance
- DiskSearch 32
- INTOUCH INSA-Network Security Agent
- IDP8200
- OSSEC
- AIDE (Advanced Intrusion Detection Environment)
- Netifera
- Tripwire
- eXpert-BSM
- SNARE (System iNtrusion Analysis & Reporting Environment)
- Cisco Intrusion Detection
- Vanguard Enforcer

Tripwire

Tripwire is a System Integrity Verifier (SIV) that is used to monitor files and detect changes made by an intruder. The Tripwire utility can be used to check the file size, the file signature, and the integrity of a file. Tripwire automatically calculates cryptographic hashes of all system files, as well as any other files that a network administrator wants to monitor for modification. It then periodically scans all monitored files and recalculates the hashes to see whether the files have been modified.
It raises an alarm if changes are detected.

BlackICE Defender

BlackICE Defender is a Host-Based Intrusion Detection System (HIDS). It provides a firewall that detects, reports, and blocks all suspected access attempts. It notifies the user by flashing tray icons when an intrusion is detected. It also provides detailed information regarding the different types of attacks that can harm the security of the network.

IPS

An Intrusion Prevention System (IPS) is a tool that is used to prevent sophisticated attacks on the network. The IPS detects such attacks by keeping an eye on trends, looking for attacks that use particular patterns of messages, and other factors. The IPS sits in the packet forwarding path and rates and reports each potential threat by analyzing the traffic. It has the ability to react to and filter the traffic. The following are types of IPS:
- Anti-x
- Host intrusion prevention system (HIPS)
- Network intrusion prevention system (NIPS)

Anti-x is a component of the Cisco Adaptive Security Appliance (ASA). Anti-x provides an in-depth security design that prevents various types of problems such as viruses. The security provided by the tool includes the following:

Anti-virus: It scans network traffic and prevents the transmission of known viruses. It detects viruses through their virus signatures.

Anti-spyware: It scans network traffic and prevents the transmission of spyware programs. As spyware does a lot of damage, this tool is very important for any organization. Spyware also consumes a lot of precious bandwidth.

Anti-spam: It deletes and segregates all junk e-mail before forwarding mail to users. It examines all e-mail that arrives in the network.

Anti-phishing: It prevents phishing attacks from reaching network users.

URL filtering: It filters Web traffic based on URL to prevent users from connecting to inappropriate sites.
E-mail filtering: Apart from providing an anti-spam feature, it also filters e-mail containing offensive material, potentially protecting an organization from lawsuits.

The Cisco ASA appliance can be configured in a network-based role for all functions of Anti-x.

16.2 Understand what is a firewall, types of firewalls, and identify firewall identification techniques

Exam Focus: Understand what is a firewall, types of firewalls, and identify firewall identification techniques. Objective includes:
- Understand what is a firewall.
- Types of firewalls.
- Identify firewall identification techniques.

Firewall

A firewall is a combination of software and hardware that prevents data packets from coming into or going out of a specified network or computer. It is used to separate an internal network from the Internet. It analyzes all the traffic between a network and the Internet, and provides centralized access control over how users may use the network. A firewall can also perform the following functions:
- Block unwanted traffic.
- Direct incoming traffic to more trustworthy internal computers.
- Hide vulnerable computers that are exposed to the Internet.
- Log traffic to and from the private network.
- Hide information, such as computer names, network topology, network device types, and internal user IDs, from external users.

The firewall is placed at the junction point or gateway between the two networks. It may be concerned with the type of traffic or with the source or destination addresses and ports. Firewall architectures include the bastion host, the screened subnet, and the multi-homed firewall.

Bastion host

A bastion host is a computer that must be made secure because it is accessible from the Internet, and hence is more vulnerable to attacks. A bastion host is placed at the protected network's point of penetration, often in front of the screening router. It provides security to an internal network against unauthorized access and misuse.
Screened subnet

A screened subnet is a firewall architecture that offers additional advantages over the bastion host architecture. This architecture uses a single firewall with three network cards (commonly referred to as a triple-homed firewall).

[Figure: screened subnet topology]

The screened subnet provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by a firewall. Therefore, if a malicious user does manage to compromise the firewall, he does not have access to the intranet (provided that the firewall is properly configured).

Multi-homed firewall

A multi-homed firewall has more than three interfaces, which permits further subdivision of the systems on the basis of the specific security objectives of an organization.

Demilitarized zone

A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN): an external attacker only has access to equipment in the DMZ, rather than to the whole network. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and with the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external networks, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients. In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network such as the Internet.
Types of firewalls

The following are the types of firewalls:

Packet filtering firewall: Packet filtering firewalls work on the first three layers of the OSI reference model, which means that all the work is done between the network and physical layers. When a packet originating from the sender passes through the firewall, the device checks it against the packet filtering rules configured in the firewall and drops or rejects the packet accordingly. In a software firewall, packet filtering is done by a program called a packet filter. The packet filter examines the header of each packet against a specific set of rules and, on that basis, decides either to prevent it from passing (DROP) or to allow it to pass (ACCEPT). A packet filter passes or blocks packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion. This type of firewall is best used for network perimeter security.

Circuit-level gateway firewall: Circuit-level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They determine whether a requested session is legitimate by monitoring the TCP handshaking between packets. Information passed to a remote computer via a circuit-level gateway appears to have originated from the gateway. Circuit-level gateways hide information about the private network that they protect. They do not filter individual packets.

Application-level firewall: Application-level gateways can filter packets at the application layer of the OSI model. Services for which there is no proxy cannot be accessed by incoming or outgoing packets. FTP, gopher, telnet, or other traffic will not be allowed by an application-level gateway that is configured as a Web proxy.
The application-level gateway can filter application-specific commands, such as HTTP POST and GET, because it examines packets at the application layer.

Stateful multilayer inspection firewall: The stateful multilayer inspection firewall combines aspects of the other three types of firewalls. It filters packets at the network layer, determines whether session packets are legitimate, and evaluates the contents of packets at the application layer.

Firewall identification techniques

The following are firewall identification techniques:

Port scanning: An attacker uses port scanning to determine which ports are available. Port scanning involves sending a message to each port, one at a time. The kind of response received indicates whether the port is in use, and the port can therefore be probed for weaknesses. Some firewalls can be uniquely identified by simple port scans.

Banner grabbing: Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use it to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP): ports 80, 21, and 25, respectively. Tools commonly used to perform banner grabbing are Telnet, which is included with most operating systems, and Netcat. Banner grabbing is a simple method of OS detection. It is useful in detecting services run by firewalls. FTP, telnet, and Web servers are the three main services that send out banners.
The following is an example of SMTP banner grabbing:

telnet mail.targetcompany.org 25

Firewalking: Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that it is ineffective if an administrator blocks ICMP packets from leaving the network.

Some important firewalls

The following are some important firewalls:
- Check Point Firewall Software
- eScan Enterprise
- Jetico Personal Firewall
- ZoneAlarm Pro
- Novell BorderManager
- FireWall-1
- InstaGate
- AccessMaster NetWall

16.3 Understand honeypot

Exam Focus: Understand a honeypot. Objective includes:
- Understand a honeypot.
- Assess various types of honeypots.
- Understand how to set up a honeypot.

Honeypot

A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason that a honeypot has low security permissions. A honeypot is used to gain information about intruders and their attack strategies.
Types of honeypots

The following are the types of honeypots:

Low-interaction honeypot: It emulates services and programs that would be found on an individual's system. The honeypot will simply generate an error if the attacker does something that the emulation does not expect. A low-interaction honeypot captures a limited amount of information.

High-interaction honeypot: It offers a vast amount of information about attackers. It provides an attacker with access to the real operating system without any restriction. A high-interaction honeypot is a powerful weapon that provides opportunities to discover new tools, to identify new vulnerabilities in the operating system, and to learn how blackhats communicate with one another.

Advantages and disadvantages of honeypots

Honeypots have several advantages, which are as follows:

Small set of data: Honeypots collect small amounts of data, but almost all of this data is about real attacks or unauthorized activity.

Reduced false positives: Almost everything a honeypot detects or captures is an attack or unauthorized activity, which reduces false positives.

False negatives: Honeypots detect and record attacks or behavior that would otherwise go unseen or unnoticed.

Cost effective: Honeypots only interact with malicious activity, so there is no need for high-performance resources.

Honeypots also have some disadvantages, which are as follows:

Limited view: Honeypots can only see activities that interact with them. They cannot see or capture attacks directed against existing systems.

Discovery and fingerprinting: Honeypots can be easily detected and fingerprinted by several tools.

Risk of takeover: Since there are many security holes in honeypots, a malicious attacker can take over the honeypot and use it to gain access to and hack other networks.

Set up a honeypot

Take the following steps to set up a honeypot:
1. Download or purchase honeypot software.
   The following are some of the programs available for Linux systems:
   o Tiny Honeypot
   o LaBrea
   o Honeyd
   KFSensor is software that operates on Windows.
2. Install the honeypot on the computer by logging in as an administrator on that computer.
3. Install the software on the computer. Select the "Full Version" to ensure that every feature of the program is installed.
4. Place the honeypot software in the "Program Files" folder. Once you have chosen the folder, click "OK". The program will install.
5. Restart the computer for the honeypot to work.
6. Configure the honeypot: check the items that you want the honeypot to look for, including services, applications, and Trojans, and name your domain.

Honeypot tools

The following are honeypot tools:
- NetBait
- Single-honeypot
- LaBrea Tarpit
- Kojoney
- Sendmail SPAM Trap
- HoneyBOT
- PatriotBox
- Google Hack Honeypot

KFSensor

KFSensor is a Windows-based honeypot Intrusion Detection System (IDS). It acts as a honeypot to attract and log potential hackers by simulating vulnerable system services and Trojans. It has highly configurable features for detailed logging, attack analysis, and security alerts. When using KFSensor, a user can create different types of scenarios, such as what action should be taken when access to a honeypot is attempted. KFSensor contains many innovative and unique features, such as remote management, a Snort-compatible signature engine, and emulations of real servers (e.g. FTP, POP3, HTTP, Telnet, and SMTP) to deceive the hacker and gain more valuable information about his motives. The following are features of KFSensor:
- GUI-based management console
- Remote management
- Snort-compatible signature engine
- Emulations of Windows networking protocols
- Export of logs in multiple formats
- Denial of Service attack protection

Specter

Specter is a commercial honeypot-based intrusion detection system. Specter is developed and sold by the Swiss company Netsec.
It is used to lure hackers away from the production machines by simulating a vulnerable computer that makes an interesting target. It offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET. These services appear perfectly normal to attackers; in reality, however, they are traps in which attackers mess around and leave traces, without even knowing that they are connected to a decoy system. A Specter system consists of a dedicated PC and the Specter software, connected to the network where attacks are expected to occur. It can also be installed on internal networks to find suspicious activity within an organization. It is designed for commercial organizations, including small and large enterprises.

16.4 Examine evading IDS, understand evading firewalls, and learn detecting honeypots

Exam Focus: Examine evading IDS, understand evading firewalls, and learn detecting honeypots. Objective includes:
- Examine evading IDS.
- Understand evading firewalls.
- Learn detecting honeypots.

Evasion attack

An evasion attack is one in which an IDS rejects a malicious packet but the host computer accepts it. Since the IDS has rejected the packet, it does not check its contents. Hence, using this technique, an attacker can exploit the host computer. In many cases, it is quite simple for an attacker to send data packets that perform evasion attacks on IDSs. The attacker sends portions of the request in packets that are mistakenly rejected by the IDS. This removes parts of the stream from the IDS's view. For example, the IDS cannot detect the attack if the malicious sequence is sent byte by byte and one byte is rejected by the IDS.

Denial of Service attack

Many IDSs employ central logging servers. Central logging servers are used exclusively for storing IDS alert logs. The central server centralizes alert data so that it can be viewed as a whole rather than on a system-by-system basis.
Attackers can slow the central server down, or even crash it, using a DoS attack if they know the central log server's IP address. Once the server is shut down, attacks can go unnoticed because the alert data is no longer being used. An attacker can do the following using this evasion technique:
- Cause the device to lock up.
- Cause personnel to be unable to investigate all the alarms.
- Consume the device's processing power and permit attacks to sneak by.
- Fill up disk space, causing attacks not to be logged.
- Cause more alarms than the management systems can handle.

Obfuscating

An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In the past, an adversary using Unicode characters could encode attack packets that an IDS would not recognize but that an IIS Web server would decode and fall victim to. Polymorphic code is another means of circumventing signature-based IDSs: it creates unique attack patterns, so that the attack does not have a single detectable signature. Attacks on encrypted protocols such as HTTPS are obfuscated if the attack itself is encrypted.

Session splicing IDS evasion technique

In the session splicing IDS evasion technique, an attacker delivers data in multiple small-sized packets. Hence, it becomes very difficult for an IDS to detect the attack signatures of such attacks. For example, consider the following Snort signature for detecting session splicing:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC whisker splice attack"; content: "|20|"; flags: A+; dsize: 1;reference:arachnids,296; classtype:attempted-recon; sid:1104; rev:1;)

This rule detects traffic destined to port 80 with the ACK flag set, a space (hex 20) in the payload, and a dsize of 1. Although this signature accurately detects session splicing, the method can be modified to evade the IDS. To evade this rule, an attacker can send abnormally small packets.
For example, an attacker can send very small packets to the IIS Web server at intervals of 15 minutes per packet. Since an IIS session remains alive for a long time, the IDS may be tricked into accepting them as regular packet transmissions.

Fragmentation overlap IDS evasion method

In this approach, an attacker sends packets in such a manner that one packet fragment overlaps data from a previous fragment. The information is organized in the packets in such a manner that when the victim's computer reassembles the packets, an attack string is executed on the victim's computer. Since the attack string is in fragmented form, the IDS is unable to detect it.

Fragmentation overwrite IDS evasion method

In this approach, an attacker sends packets in such a manner that one packet fragment overwrites data from a previous fragment. The information is organized into the packets in such a manner that when the victim's computer reassembles the packets, an attack string is executed on the victim's computer. Since the attack string is in fragmented form, the IDS is unable to detect it.

Unicode evasion technique

Unicode is a character representation that gives each character of each written language a unique identifier. This facilitates the uniform computer representation of each language. Since there can be multiple representations of a single character, Unicode is problematic for IDS technology. For example, "\" can be represented as 5C, C19C, or E0819C, which makes writing pattern matching signatures very difficult.

Fragmentation attack

In this attack, the victim's fragmentation reassembly timeout is longer than the IDS fragmentation reassembly timeout. Suppose the IDS fragmentation reassembly timeout is 15 seconds and the system is monitoring Linux hosts. Linux hosts have a default fragmentation reassembly timeout of 30 seconds. The attacker can send the second fragment with a delay of 15 seconds, but still within 30 seconds of sending the first fragment.
Now the victim reassembles the fragments, but at the IDS the reassembly timeout has already expired and the partial datagram has been discarded. Having lost the first fragment to the timeout, the IDS drops the second fragment as well, because it no longer has anything to reassemble it with. The victim reassembles the complete datagram and is attacked, while the IDS produces no alert.

IP address spoofing
An attacker can use IP address spoofing to gain unauthorized access to a computer or network. The attacker forges the source address field in the IP header so that the packets appear to come from a trusted machine, in order to bypass a firewall rule that trusts that address. Suppose there are three hosts, HostA, HostB, and HostC, and HostC is trusted by HostB. HostA wants to send packets to HostB, so it sets the source address of those packets to HostC's address. HostB believes the packets come from HostC when in reality they come from HostA. Because replies go to the spoofed address, this is most useful for one-way or connectionless traffic, or when the attacker can also predict or observe the responses.

Time-to-live attacks
Time-to-live (TTL) attacks require prior knowledge of the topology of the victim's network, which tools such as traceroute provide: traceroute reports the number of routers between the attacker and the victim. The attacker is assumed to know that a router sits between the IDS and the victim, and splits the attack data into three fragments:
1. The attacker sends fragment 1 with a large TTL value. Both the IDS and the victim receive it.
2. The attacker sends a bogus fragment 2 with a false payload and a TTL of 1. The IDS receives it, but the router between the IDS and the victim decrements the TTL to zero and discards it, so the victim never sees it.
3. The attacker sends fragment 3 with a valid (large) TTL. Both the IDS and the victim receive it. The IDS now holds fragments (1, bogus 2, 3), performs reassembly on them, sees no attack, and flushes the stream. The victim holds only (1, 3) and keeps waiting for fragment 2.
4. The attacker finally sends the real fragment 2 with the valid payload and a large TTL. The victim reassembles (1, 2, 3) and gets the attack. The IDS has already flushed the stream, so the real fragment 2 arrives at an empty buffer and is never matched.

Invalid RST packets
TCP uses checksums to ensure reliable communication: a checksum is added to every transmitted segment, and the receiving end verifies it and drops the segment if the checksum does not match. TCP also uses the RST flag to abort a connection. Attackers exploit the gap between these two behaviors to elude detection: they send an RST packet with an invalid checksum. An IDS that does not verify checksums sees the RST, concludes that the session has ended, and stops processing the stream. The end host verifies the checksum, finds it invalid, and drops the RST, so the connection stays open and the attack continues on a stream the IDS is no longer watching. Some IDSs stop reassembling the stream as soon as they see the RST, interpreting it as an actual termination of the communication.

Urgency flag
The TCP urgent (URG) flag marks data in a segment as urgent, and the urgent pointer identifies where that urgent data ends within the segment. The evasion as described here assumes an end host that, when the urgency flag is set, ignores all data before the urgent pointer and processes only the data the pointer identifies. Real stacks differ in the details (most deliver the urgent byte out of band and the remaining data in band), which is exactly the point: the application on the end host does not see the same bytes that arrived on the wire. An attacker places garbage data before the urgent pointer; an IDS that does not model the end host's urgent-pointer handling reads that garbage as part of the stream, so the IDS now holds more data than the end host actually processed and its signature matching is desynchronized from the host. IDSs that do not take TCP's urgent feature into account can be evaded this way.
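The fragmentation, timeout, TTL, and session-splicing evasions above all come down to one thing: the IDS and the end host rebuild the same packets into different byte streams. The following simulator is an added example, not code from the original text or from any IDS product. It assumes an IDS with a 15-second reassembly timeout that keeps the first fragment's bytes on overlap and sits one router hop closer to the attacker than the victim, and a Linux-like victim with a 30-second timeout that keeps the later fragment's bytes; the fragments, signature and request text are constructed.

```python
"""IDS-vs-host reassembly simulator (added example; not from the page).

Models session splicing, fragment overlap/overwrite, reassembly-timeout
mismatch and the TTL trick. Offsets are byte offsets within one datagram
or stream, times are seconds, and every packet below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

SIGNATURE = b"GET /cgi-bin/phf"     # constructed signature for an attack request


@dataclass
class Fragment:
    offset: int
    data: bytes
    t: float             # arrival time in seconds
    ttl: int = 64
    last: bool = False   # MF=0: this fragment ends the datagram


def reassemble(frags: List[Fragment], timeout: float, favor_new: bool) -> Optional[bytes]:
    """Reassemble in arrival order and return the first complete datagram.

    timeout:   age after which a partial datagram is discarded (buffer flushed)
    favor_new: overlap policy; True = later data overwrites, False = first data wins
    """
    buf, have, total, started = bytearray(), [], None, None
    for f in sorted(frags, key=lambda fr: fr.t):
        if started is not None and f.t - started > timeout:
            buf, have, total, started = bytearray(), [], None, None   # expired
        if started is None:
            started = f.t
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
            have.extend([False] * (end - len(have)))
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if favor_new or not have[pos]:
                buf[pos] = b
            have[pos] = True
        if f.last:
            total = end
        if total is not None and len(have) >= total and all(have[:total]):
            return bytes(buf[:total])       # delivered; nothing kept afterwards
    return None


def seen_by(frags: List[Fragment], hops: int) -> List[Fragment]:
    """Fragments that survive `hops` routers (each decrements TTL, drops at 0)."""
    return [f for f in frags if f.ttl > hops]


def per_packet_match(frags: List[Fragment]) -> bool:
    """An IDS that inspects packets individually, with no reassembly at all."""
    return any(SIGNATURE in f.data for f in frags)


# Assumed policies: IDS is 0 hops from the attacker, victim is 1 router away.
IDS = dict(timeout=15.0, favor_new=False)
VICTIM = dict(timeout=30.0, favor_new=True)


def detected(frags: List[Fragment], hops: int, policy: dict) -> bool:
    data = reassemble(seen_by(frags, hops), **policy)
    return data is not None and SIGNATURE in data


def session_splicing():
    """One byte per packet: per-packet matching fails, stream reassembly catches it."""
    req = b"GET /cgi-bin/phf HTTP/1.0\r\n"
    frags = [Fragment(i, req[i:i + 1], 0.1 * i, last=(i == len(req) - 1)) for i in range(len(req))]
    return per_packet_match(frags), detected(frags, 0, IDS), detected(frags, 1, VICTIM)


def overlap():
    """Second fragment overlaps the first; IDS keeps 'xxx', victim keeps 'phf'."""
    frags = [Fragment(0, b"GET /cgi-bin/xxx", 0.0),
             Fragment(13, b"phf HTTP/1.0\r\n", 0.1, last=True)]
    return detected(frags, 0, IDS), detected(frags, 1, VICTIM)


def timeout_mismatch():
    """Second fragment arrives after 20 s: past the IDS's 15 s, within the host's 30 s."""
    frags = [Fragment(0, b"GET /cgi-", 0.0),
             Fragment(9, b"bin/phf HTTP/1.0\r\n", 20.0, last=True)]
    return detected(frags, 0, IDS), detected(frags, 1, VICTIM)


def ttl_trick():
    """Bogus fragment with TTL 1 reaches the IDS only; real fragment arrives after the flush."""
    frags = [Fragment(0, b"GET /cgi-", 0.0),
             Fragment(9, b"bin/xxx ", 0.1, ttl=1),         # dropped by the router
             Fragment(17, b"HTTP/1.0\r\n", 0.2, last=True),
             Fragment(9, b"bin/phf ", 0.3)]                # the real payload
    return detected(frags, 0, IDS), detected(frags, 1, VICTIM)
```

Each scenario returns what the IDS concludes beside what the victim actually receives; the three fragment scenarios return (False, True), which is the definition of a successful evasion. The countermeasure is to make the two columns agree: give the IDS the end host's timeout and overlap policy (or normalize the traffic so only one interpretation is possible) and verify TTLs against the known hop count to the protected hosts.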
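The Unicode evasion described earlier in this section is a decoding mismatch: the IDS matches the bytes on the wire while the server decodes them first. The following is an added example, not code from the original text or from IIS or any IDS. It implements a deliberately lenient UTF-8 decoder that accepts overlong forms (modelling the old server behaviour) and contrasts a signature check on raw bytes with one that decodes as the server does; the request paths and the traversal signature are constructed, and Python's own strict codec stands in for a conforming decoder.

```python
"""Overlong UTF-8 evasion and decode-before-match (added example; not from the page)."""
from urllib.parse import unquote_to_bytes

SIGNATURE = b"..\\..\\"                 # constructed traversal signature, canonical bytes
PLAIN = b"/docs/..\\..\\secret.txt"
OVERLONG2 = b"/docs/..%c1%9c..%c1%9csecret.txt"        # "\" as the overlong 2-byte form C1 9C
OVERLONG3 = b"/docs/..%e0%81%9c..%e0%81%9csecret.txt"  # "\" as the overlong 3-byte form E0 81 9C


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong sequences.

    This models a non-compliant decoder; accepting overlongs is the weakness
    the evasion relies on. Malformed bytes become U+FFFD.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            out.append("\ufffd"); i += 1; continue
        if i + need >= n or any((data[i + k] & 0xC0) != 0x80 for k in range(1, need + 1)):
            out.append("\ufffd"); i += 1; continue
        for k in range(1, need + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")   # no overlong check: the bug
        i += need + 1
    return "".join(out)


def server_sees(request: bytes) -> str:
    """The path the vulnerable server acts on: percent-decode, then lenient UTF-8."""
    return lenient_utf8_decode(unquote_to_bytes(request))


def ids_raw_match(request: bytes) -> bool:
    """Naive IDS: percent-decode only, then match the signature's raw bytes."""
    return SIGNATURE in unquote_to_bytes(request)


def ids_normalized_match(request: bytes) -> bool:
    """Hardened IDS: decode exactly as the server does, then match."""
    return SIGNATURE.decode() in server_sees(request)


def strict_decoder_rejects(data: bytes) -> bool:
    """A conforming decoder (Python's) refuses overlong forms outright."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True
```

For PLAIN both IDS checks fire; for OVERLONG2 and OVERLONG3 the raw check misses while the server still sees "..\..\" and the normalized check fires. The last function shows the other half of the fix: a server whose decoder is strict never produces the backslash from an overlong form in the first place, so the IDS only needs to mirror whatever the protected server actually does.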
ASCII shellcode
ASCII shellcode consists only of bytes that are printable ASCII characters. This lets attackers bypass commonly enforced character restrictions on string input (for example, input that must be printable or alphanumeric). Attackers also use ASCII shellcode to bypass IDS pattern-matching signatures, because the real payload is hidden (encoded) within the shellcode, much as with polymorphic shellcode. Not every assembly instruction can be encoded with ASCII bytes, so ASCII shellcode is limited in what it can do directly; the usual workaround is to use other instructions, or combinations of instructions, that do have ASCII encodings to build the desired payload in memory and then jump to it.

Application-layer attack
Many applications that handle media such as images, video, and audio use compression to transfer the data in a form much smaller than the original, which increases transfer speed. When a flaw is found in one of these applications, the entire attack can be carried inside the compressed data, and an IDS that does not decompress the file format has no way to match signatures against it. In addition, many IDSs look for the particular conditions that lead to an attack, but an attack can often take many forms; for example, an integer overflow vulnerability can usually be triggered by several different integer values, so a signature for one value misses the others.

Desynchronization - pre connection SYN
In the pre-connection SYN attack, the attacker calls bind() so that the kernel assigns the local port to the socket before connect() is called, which lets the attacker know the source port in advance. Before the real connection is made, the attacker sends an initial SYN from that port with a bogus sequence number and an invalid TCP checksum. The end host drops the SYN because of the checksum. If the IDS does not verify TCP checksums and ignores subsequent SYNs for a connection it already tracks, it synchronizes to the bogus sequence number, and the real connection that follows looks like out-of-window data that is never inspected.

Desynchronization - post connection SYN
In the post-connection SYN attack, the attacker tries to desynchronize the IDS from the sequence numbers that the kernel is actually honoring.
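The invalid RST and pre-connection SYN techniques both work only against an IDS that honors segments without verifying the TCP checksum, which the end host always does. The following stream tracker is an added example, not code from the original text or from any IDS; it implements the RFC 793 checksum over the IPv4 pseudo-header and runs both attacks against a tracker with and without verification. The addresses (TEST-NET-1), ports, sequence numbers and payloads are constructed, and the tracker deliberately keeps the weak "first SYN wins" behaviour the technique depends on.

```python
"""TCP checksum verification in a NIDS stream tracker (added example; not from the page).

Reproduces the invalid-RST and pre-connection-SYN desynchronizations: a
tracker that skips checksum verification honours segments the end host drops.
Addresses, ports, sequence numbers and payloads are constructed.
"""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10
A, B, SPORT = "192.0.2.10", "192.0.2.20", 40000    # attacker, server, attacker's bound port


def ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071) of `data`."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, header: bytes, payload: bytes) -> int:
    """RFC 793: checksum over IPv4 pseudo-header + TCP header (checksum field 0) + payload."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(header) + len(payload))
    return ones_complement(pseudo + header + payload)


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    checksum: int = 0

    def header(self, csum: int) -> bytes:
        # 20-byte header: data offset 5, window 65535, urgent pointer 0
        return struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, self.ack,
                           5 << 4, self.flags, 65535, csum, 0)

    def valid(self) -> bool:
        """What the end host checks before acting on any segment."""
        return tcp_checksum(self.src, self.dst, self.header(0), self.payload) == self.checksum


def make(seq: int, ack: int, flags: int, payload: bytes = b"", corrupt: bool = False) -> Segment:
    s = Segment(A, B, SPORT, 80, seq, ack, flags, payload)
    s.checksum = tcp_checksum(A, B, s.header(0), payload)
    if corrupt:                       # attacker deliberately breaks the checksum
        s.checksum ^= 0x1234
    return s


@dataclass
class StreamTracker:
    """Minimal NIDS stream follower. verify=False is the weak behaviour."""
    verify: bool
    streams: Dict[Tuple[str, int, str, int], dict] = field(default_factory=dict)

    def feed(self, s: Segment) -> str:
        if self.verify and not s.valid():
            return "dropped-bad-checksum"
        key = (s.src, s.sport, s.dst, s.dport)
        st = self.streams.get(key)
        if s.flags & SYN and not s.flags & ACK:
            if st is None:                        # first SYN wins; later SYNs ignored
                self.streams[key] = {"next_seq": s.seq + 1, "data": b""}
                return "synchronized"
            return "ignored-duplicate-syn"
        if st is None:
            return "untracked"                    # not inspected at all
        if s.flags & RST:
            del self.streams[key]
            return "closed"
        if s.seq != st["next_seq"]:
            return "out-of-window"                # not inspected: desynchronized
        st["data"] += s.payload
        st["next_seq"] += len(s.payload)
        return "inspected"


def invalid_rst(verify: bool):
    """Bad-checksum RST mid-stream, then the attack data on the still-open connection."""
    ids = StreamTracker(verify)
    ids.feed(make(1000, 0, SYN))
    ids.feed(make(1001, 1, ACK, b"GET /"))
    rst = make(1006, 1, RST | ACK, corrupt=True)
    ids.feed(rst)
    return rst.valid(), ids.feed(make(1006, 1, ACK, b"cgi-bin/phf"))


def pre_connection_syn(verify: bool) -> str:
    """Bogus SYN (bad checksum, wrong seq) from the bound port, before the real handshake."""
    ids = StreamTracker(verify)
    ids.feed(make(99999, 0, SYN, corrupt=True))   # host drops it; a non-verifying IDS syncs to it
    ids.feed(make(1000, 0, SYN))                   # the real SYN
    return ids.feed(make(1001, 1, ACK, b"GET /cgi-bin/phf"))
```

With verify=False the tracker closes the stream on the forged RST and never inspects the attack data ("untracked"), and in the second scenario it locks onto the bogus sequence number and reports the real request as "out-of-window"; with verify=True both forged segments are dropped exactly as the end host drops them and the attack data is "inspected". Checksum verification is cheap, and it should be done before any state change, including RST handling.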
A SYN packet is sent in the middle of the established data stream with divergent sequence numbers but otherwise meeting all the criteria the target requires to accept a packet. Because the SYN references an already established connection, the target host ignores it. The aim is to get the IDS to resynchronize its notion of the sequence numbers to the new SYN; once it expects the new sequence numbers, it ignores the data that is the legitimate part of the original stream. Once the IDS has been resynchronized with the SYN, the attacker can send an RST with the new sequence number to close down the IDS's notion of the connection altogether.

Encryption
The most effective evasion occurs when the attacker has already established an encrypted session with the victim: the IDS sees only ciphertext.

Flooding
If the attacker sends large amounts of unnecessary traffic to produce noise, and the IDS cannot analyze all of it, the true attack traffic may go undetected.

Session token generation (source routing)
The mechanism described under this name is IP source routing. Normally, each router examines the destination IP address and selects the next node itself as a packet travels through the network. Source routing allows the sender of a packet to partially (loose source routing) or completely (strict source routing) specify the route the packet takes, which can be used to steer traffic around a firewall or IDS sensor.

Tiny fragment
The tiny fragment attack sends an IP datagram whose first fragment is so small that it contains only the source and destination ports of the TCP header, not the TCP flags. If an access list permits or denies packets on the basis of TCP flags, the first fragment cannot be tested against it. Because most network devices do not reassemble packets that pass through them, they do not inspect the remaining fragments and allow them through.
In this way, an attacker can get an illegitimate packet through such a device to an end host. RFC 1858 describes the standard countermeasure: drop any first fragment too short to carry the complete TCP header, and drop any TCP fragment with a fragment offset of 1, since it could only overwrite the flags of a legitimate first fragment.

Bypass blocked sites using the IP address in place of the URL
This technique involves typing the Web site's IP address directly into the browser's address bar instead of its blocked domain name. For example, instead of typing www.facebook.com, type the site's IP address to access Facebook. A host-to-IP lookup tool such as Host2ip can be used to determine the address of the blocked site. The method fails if the blocking software filters on the destination IP address (or inspects the HTTP Host header) rather than on the domain name.

Bypass blocked sites using anonymous Web surfing sites
Many Web sites enable a user to surf the Internet anonymously, and some offer to encrypt the URLs of the sites visited. The proxy site presents its own IP address to the destination and hides the user's actual address, and many proxy sites maintain lists of other currently active proxy sites. Because the filtering device sees only a connection to the proxy, the destination site is not blocked and the user can reach it.

Proxy servers useful in unblocking blocked Web sites
The following proxy servers can be used to unblock blocked Web sites:
http://www.anonymizer.com
http://anonymouse.com
http://proxify.com
http://bumsk.com
http://dailybestlinks.com
http://www.spysurfing.com
http://alienproxy.com
http://indianproxy.com

Bypass a firewall using a proxy server
Take the following steps to bypass a firewall using a proxy server:
1. Find an appropriate proxy server.
2. In the Web browser, open the Tools menu, choose Internet Options, and click LAN Settings on the Connections tab.
3. Select "Use a proxy server for your LAN" under Proxy server.
4. Type the IP address of the proxy server in the Address box.
5. In the Port box, type the port number that the proxy server uses for client connections.
6. Select the "Bypass proxy server for local addresses" check box if the proxy should not be used for connections to computers on the local network.
7. Click OK to close the LAN Settings dialog box.
8. Click OK to close the Internet Options dialog box.

Bypassing a firewall through the ICMP tunneling method
ICMP tunneling carries a backdoor shell in the data portion of ICMP echo packets. RFC 792 defines ICMP operation but does not specify what should go in the data portion of an echo request or reply; the payload is arbitrary. Most firewalls do not examine this payload, so any data, including backdoor traffic, can be inserted in it. Administrators often leave ICMP open on firewalls because tools such as ping and traceroute need it. Loki is the classic ICMP tunneling tool: assuming ICMP echo is allowed through the firewall, it executes commands of the attacker's choice by tunneling them inside the payload of ICMP echo packets.

Bypassing a firewall through the ACK tunneling method
ACK tunneling carries backdoor traffic in TCP packets with the ACK bit set. The ACK bit acknowledges receipt of data, so a packet with ACK set looks like part of an already established connection. Stateless packet filters that allow "established" traffic by checking only the ACK bit, rather than tracking the connection, let such packets through without further checks. ACK tunneling can be implemented with tools such as AckCmd. A stateful firewall defeats it, because it has no record of the handshake the ACK claims to belong to.

Bypassing a firewall through the HTTP tunneling method
HTTP tunneling is possible when the target company has a public Web server and TCP port 80 is unfiltered on its firewall. Many firewalls do not examine the payload of port 80 traffic to confirm that it is legitimate HTTP, so arbitrary traffic can be tunneled over TCP port 80 because that port is already allowed.
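Both the ICMP and ACK tunneling methods above rely on a device that passes the packet without looking at what makes it abnormal: the echo payload, or the absence of a handshake. The following checks are an added example, not code from the original text or from Loki, AckCmd or any firewall. The ICMP classifier builds real echo packets (with a correct ICMP checksum) and treats the default payload patterns of Windows ping (a 32-byte alphabet) and iputils ping (byte i equals i after the timestamp) as normal; the packet filter contrasts a stateless "established" rule that trusts the ACK bit with a stateful one, simplified to record the flow on its SYN. All packets and addresses are constructed.

```python
"""Covert-tunnel checks for ICMP echo payloads and ACK-only TCP (added example; not from the page)."""
import struct
from typing import Set, Tuple

SYN, ACK = 0x02, 0x10
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # default 32-byte Windows ping payload


def icmp_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """ICMP echo request (type 8) or reply (type 0) carrying `payload` as its data portion."""
    typ = 0 if reply else 8
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    return struct.pack("!BBHHH", typ, 0, icmp_checksum(hdr + payload), ident, seq) + payload


def classify_icmp(pkt: bytes) -> str:
    """Label an ICMP packet by whether its echo payload looks like a real ping."""
    if len(pkt) < 8:
        return "malformed"
    typ, _code, csum, _ident, _seq = struct.unpack("!BBHHH", pkt[:8])
    if typ not in (0, 8):
        return "not-echo"
    if icmp_checksum(pkt[:2] + b"\0\0" + pkt[4:]) != csum:
        return "echo-bad-checksum"
    payload = pkt[8:]
    if not payload or payload == WINDOWS_PING:
        return "echo-normal"
    # iputils: a 16-byte timestamp, then byte i == i for the rest of the payload
    if len(payload) >= 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return "echo-normal"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if printable >= 0.9 * len(payload):
        return "echo-suspicious-text"        # looks like commands or their output
    if len(payload) > 64:
        return "echo-suspicious-size"
    return "echo-unknown-pattern"            # worth a look, not conclusive


class AckFilter:
    """Inbound TCP filter. stateful=False mimics an 'established' rule that trusts
    the ACK bit; stateful=True requires a flow the filter has seen open."""

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def handle(self, src: str, sport: int, dst: str, dport: int, flags: int) -> str:
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            # simplification: record the flow on the SYN rather than after the full handshake
            self.flows.add(key)
            self.flows.add((dst, dport, src, sport))
            return "allow-syn"
        if flags & ACK:
            if not self.stateful or key in self.flows:
                return "allow-ack"
            return "drop-ack-without-handshake"
        return "drop"


def icmp_demo():
    """A normal iputils ping beside a constructed Loki-style command and its output."""
    linux_ping = build_echo(1, 1, b"\0" * 16 + bytes(range(16, 56)))
    tunnel_cmd = build_echo(7, 1, b"id;uname -a\n")
    tunnel_out = build_echo(7, 1, b"uid=0(root) gid=0(root)\nLinux\n", reply=True)
    return classify_icmp(linux_ping), classify_icmp(tunnel_cmd), classify_icmp(tunnel_out)


def ack_tunnel_demo():
    """An ACK-only segment (AckCmd-style) from a flow for which no SYN was ever seen."""
    return tuple(AckFilter(stateful).handle("198.51.100.9", 1054, "192.0.2.5", 80, ACK)
                 for stateful in (False, True))
```

The payload heuristic is only a triage signal: an operator would pair it with volume and timing (a "ping" that carries different text every time, or far more echo traffic than a host should generate) rather than block on it alone. The ACK case needs no heuristic at all; connection tracking removes the ambiguity the tunnel depends on.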
This technique of tunneling traffic across TCP port 80 is used by tools such as HTTPTunnel, a client/server application. The client is htc and the server is hts. The server is uploaded to the target system and told which local port is to be redirected through TCP port 80.

Bypassing a firewall through external systems
Bypassing a firewall through external systems proceeds as follows:
1. A legitimate user works from an external system to access the corporate network.
2. The attacker sniffs the network traffic and steals the user's session ID and cookies.
3. Using them, the attacker bypasses the firewall into the corporate network and obtains the Windows ID of the Netscape 4.x/Mozilla browser process running on the user's system.
4. The attacker issues an openURL() command to the window found.
5. The user's Web browser connects to the attacker's WWW server.
6. The attacker inserts a malicious payload into the requested Web page, and the attacker's code executes on the user's machine.

Bypassing a firewall through the MITM attack
Bypassing a firewall through an MITM attack proceeds as follows:
1. The attacker poisons the corporate DNS server.
2. User 1 asks the corporate DNS server for www.ucertify.com.
3. The poisoned DNS server returns the attacker's IP address.
4. User 1 connects to the attacker's malicious server.
5. The attacker connects to the real host and relays (tunnels) the user's HTTP traffic through its own server.
6. The attacker inserts a malicious payload into the requested Web page, and the attacker's code executes on the user's machine.

Insertion attack
In an insertion attack, the IDS accepts a packet that the end host rejects. The IDS assumes the host will accept everything it accepts, so the attacker can "insert" data into the IDS's view of the stream that the host never sees. This breaks signature analysis: the stream the IDS reconstructs no longer matches the stream the host processes, so the attack string the host receives is never assembled at the IDS.
An insertion attack is possible whenever the NIDS is less strict than the end host in validating packets (for example, it does not verify checksums or TTLs). The attacker uses it to defeat signature analysis: the real request is sent as usual, but extra data that only the IDS accepts is mixed into the stream so that, as the IDS sees it, the request appears harmless.

Polymorphic shell code attack
In a polymorphic shellcode attack, the attacker sends malicious data whose byte pattern changes with every copy. The payload is encoded (typically XORed with a random key) and prefixed with a small decoder, so the bytes on the wire differ from the shellcode recorded in the IDS signature database. Since the new pattern does not match the stored signature, the IDS cannot identify the malicious data, which can harm the network as well as the IDS itself.

ADMutate
ADMutate is a tool that generates polymorphic shellcode. It transforms a buffer overflow exploit's shellcode so that the resulting bytes are not recognized by signature-based Intrusion Detection Systems. When the transformed code runs on the target, its decoder stub reconstructs the original shellcode in memory and executes it.

Detect honeypots
Attackers can probe the services running on a system to determine whether it is a honeypot. They craft probes against services such as:
HTTP over SSL (HTTPS)
SMTP over SSL (SMTPS)
IMAP over SSL (IMAPS)
Tools such as Send-Safe Honeypot Hunter, Nessus, and hping can be used to probe for honeypots. A port that appears to offer a particular service but never completes the TCP three-way handshake, or completes it and then fails to speak the expected protocol, indicates a honeypot.

Send-Safe Honeypot Hunter
Send-Safe Honeypot Hunter is a tool for checking lists of HTTPS and SOCKS proxies for honeypots. Its features include:
- checks lists of HTTPS, SOCKS4, and SOCKS5 proxies on any ports;
- checks several remote or local proxy lists at once;
- can upload "Valid proxies" and "All except honeypots" files to FTP;
- can process proxy lists automatically at a specified interval;
- can also be used to validate an ordinary proxy list.

tcp-over-dns
tcp-over-dns consists of a special DNS server and a special DNS client that operate in tandem to provide a TCP tunnel through the standard DNS protocol, which is useful to an attacker when DNS is the only protocol allow out through the firewall.

16.5 Identify firewall evading tools
Exam Focus: Identify firewall evading tools. Objective includes:
Identify firewall evading tools.
Analyze firewall and IDS penetration testing.

Firewall evasion tools
The following are firewall evasion tools:
Snare Agent
Atelier Web Firewall Tester
AckCmd
Tomahawk
Your Freedom
TCPOpera
Covert TCP
Traffic IQ Gateway

Packet fragment generators
The following are packet fragment generators:
Blast
MGEN Toolset
Ettercap
Net::RawIP
hping2
SING
Libnet
Nconvert

Fragroute
Fragroute fragments packets before transmission. It can intercept, modify, or rewrite traffic destined for a specific host and can be used to perform fragmentation, overlap, overwrite, and similar attacks. It is used to test IDSs and firewalls for these weaknesses, and by attackers to evade an IDS, since fragmented packets bypass IDSs and firewalls that do not reassemble them the way the end host does.

Countermeasures taken while using an IDS and a firewall
The following countermeasures apply when operating an IDS and a firewall:
- Administratively shut down the switch port associated with a system from which attacks are being launched.
- To defend against polymorphic shellcode, look for NOP-equivalent opcodes other than 0x90, because polymorphic engines build the NOP sled from other harmless single-byte instructions.
- Perform bifurcating analysis: when the monitor encounters an ambiguous traffic stream, it instantiates separate analysis threads for each possible interpretation of the ambiguity.
- Keep vulnerability information current, and choose the IDS on the basis of the network topology and the traffic it will receive.
- Generate TCP RST packets to tear down malicious TCP sessions.
- Issue one of the available ICMP error packets in response to malicious UDP traffic.
- Interact with the external firewall or router to add a rule blocking all communication from the offending IP address or network.
- Implement a traffic normalizer, and ensure the IDS reassembles fragmented packets in the proper order so that it sees the data exactly as the end host will.
- Regularly update the IDS and firewall software.
- Have the normalizer rewrite the TTL to a large value so that every packet the IDS sees also reaches the end host. Attackers can then no longer slip the IDS a short-TTL fragment that the end host never receives, which is what the time-to-live attack depends on.

Firewall/IDS penetration testing
Firewall/IDS penetration testing is needed to:
- check whether the firewall/IDS properly enforces the organization's firewall/IDS policy;
- check whether the firewall/IDS and the components within the network properly enforce the organization's network security policy;
- determine how well the firewall/IDS protects against externally initiated attacks;
- check the effectiveness of the network's security perimeter;
- check how much information about the network is available from outside;
- check the firewall/IDS for potential security breaches that can be exploited;
- evaluate whether the firewall/IDS rules correspond to the actions they actually perform;
- verify whether the security policy is correctly enforced by the sequence of firewall/IDS rules.

Firewall penetration testing
Take the following steps for firewall penetration testing:
1. Attempt to gain unauthorized access to a computer or network by IP address spoofing.
2. Perform a fragmentation attack that forces the TCP header information into the second fragment, to see whether the firewall passes it.
3. Use proxy servers that hide the real IP address and present another, to see whether blocked Web sites become reachable.
4. Perform ICMP tunneling to tunnel a backdoor application in the data portion of ICMP echo packets.
5. Perform ACK tunneling with tools such as AckCmd to tunnel a backdoor application in TCP packets with the ACK bit set.

IDS penetration testing
Take the following steps for IDS penetration testing:
1. Use the obfuscation technique: encode attack packets so that the IDS does not detect them but an IIS Web server decodes and executes them.
2. Use false-positive generation to create a large amount of log noise in which real attacks are blended with the false ones.
3. Perform session splicing to defeat the IDS by keeping the session active longer than the IDS will spend reassembling it.
4. Perform the Unicode evasion technique, exploiting the fact that a single character can have multiple representations.
5. Perform the fragmentation timeout attack with the IDS reassembly timeout both shorter and longer than the victim's.
6. Perform the overlapping fragment technique by crafting a series of packets with overlapping TCP sequence numbers.
7. Perform the invalid RST technique: send RST packets with an invalid checksum, which causes a non-verifying IDS to stop processing the stream.
8. Perform the urgency flag technique, which evades IDSs that do not take TCP's urgent feature into account.
9. Perform the polymorphic shellcode technique, hiding the shellcode behind a simple encoding.
10. Perform the ASCII shellcode technique to bypass IDS pattern-matching signatures, since strings are hidden within the shellcode as in polymorphic shellcode.
11. Perform application-layer attacks, since many IDSs cannot check compressed file formats for signatures.
12. Set up an encrypted session with the victim, or send large amounts of unnecessary traffic to produce noise that the IDS cannot analyze.

Chapter Summary
In this chapter, we learned about Intrusion Detection Systems, ways to detect an intrusion, and various types of Intrusion Detection Systems. This chapter focused on firewalls, types of firewalls, honeypots, and types of honeypots. It also covered firewall evading tools and firewall and IDS penetration testing.

Glossary
ADMutate
ADMutate is a tool that generates polymorphic shellcode for polymorphic shellcode attacks.
Demilitarized zone
A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger network, usually the Internet.
Evasion attack
An evasion attack is one in which an IDS rejects a packet that the host computer accepts, so the host receives data the IDS never inspected.
Firewall
A firewall is a combination of software and hardware that prevents data packets from coming into or going out of a specified network or computer.
Fragroute
Fragroute is a tool used to fragment packets before transmission.
HIDS
A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces.
Honeypot
A honeypot is a decoy system used to gain information about intruders and their attack strategies.
Intrusion Detection System
An Intrusion Detection System (IDS) is used to detect unauthorized attempts at accessing and manipulating computer systems locally, through the Internet, or through an intranet.
KFSensor
KFSensor is a Windows-based honeypot Intrusion Detection System.
NIDS
A network intrusion detection system (NIDS) tries to detect malicious activity, such as denial of service attacks, port scans, or attempts to break into computers, by monitoring network traffic.
PIDS
A protocol-based intrusion detection system (PIDS) is typically installed on a Web server and monitors and analyzes the protocol in use between the server and its clients.
Snort
Snort is a network sniffer and intrusion detection system. It logs network activity that matches predefined signatures. Signatures can be written for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
Stateful firewall
A stateful firewall keeps track of the state of the network connections (such as TCP streams and UDP exchanges) traveling across it.
Tripwire
Tripwire is a System Integrity Verifier (SIV) that monitors files and detects changes made by an intruder.