Bypassing Intrusion Detection Systems
Ron Gula, Founder, Network Security Wizards

Ron Gula
• Wrote the Dragon IDS
• Tested, deployed and operated NIDS for a major Internet company
• Designed a DOD network honeypot
• Technical expert for major IW exercises
• Penetration tested many networks
• Still learning ...

Why this talk?
• IDS solutions are not perfect
• IDS administrators are not perfect
• Security is a process!
  – Not a person!
  – Not a product!
  – Intrusion detection is part of security!!!

Topics
• NIDS, HIDS, FW and HP Technology
• Technical Bypass Techniques
• Practical Bypass Techniques
• Conclusions

Network IDS
• Searches for patterns in packets
• Searches for patterns of packets
• Searches for packets that shouldn't be there
• May 'understand' a protocol for effective pattern searching and anomaly detection
• May passively log, alert with SMTP/SNMP, or have a real-time GUI

Network IDS Limitations
• Obtaining packets - topology & encryption
• Number of signatures
• Quality of signatures
• Performance
• Network session integrity
• Understanding the observed protocol
• Disk storage

[Figure: a NIDS on the network segment raising the alerts "Jane used the PHF attack! /cgi-bin/phf" and "Jane did a port sweep!" (NMAP)]
Host Based IDS
• Signature log analysis - application and system
• File integrity checking - MD5 checksums
• Enhanced kernel security
  – API access control
  – Stack security
• Network monitoring hybrids

Host Based IDS Limitations
• Places load on the system
• Disabling system logging
• Kernel modifications to avoid file integrity checking (and other stuff)
• Management overhead
• Network IDS limitations

[Figure: per-host logs (messages, xfer, access_log, secure, sendmail) from several hosts consolidated into "One Security Log"]

Firewalls as an IDS
• Excellent source of network probe, attack and misuse information
• Detect policy deviations based on access control lists
• Some have "NIDS" capabilities

Network Honeypots
• Sacrificial system(s) or sophisticated simulations
• Any traffic to the honeypot is considered suspicious
• If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a honeypot has been deployed

[Figure: firewall in front of HTTP and DNS servers with a honeypot deployed alongside them]

Technical Bypass Techniques
• NIDS
  – fragmentation
  – TCP un-sync
  – Low TTL
  – 'Max' MTU
  – HTTP protocol
  – Telnet protocol
• HIDS
  – Kernel hacks
  – Bypassing stack protection
  – Library hacks
  – HTTP logging insertion techniques

[Figure: NIDS internals - a fragment queue (IP #1, IP #2, IP #3) feeding a session queue (Session #1, Session #2, Session #3)]

Bypassing NIDS - Fragmentation
• NIDS must reconstruct fragments
  – Maintain state = drain on resources
  – Must overwrite correctly = more drain on resources
• Target server correctly de-frags
• Attack #1 - just fragment
• Attack #2 - frag with overwrite
• Attack #3 - start an attack, follow with many false attacks, finish the first attack

Bypassing NIDS - TCP un-sync
• Inject a packet with a bad TCP checksum
  – fake 'FIN' packet
• Inject a packet with a weird TCP sequence number
  – step up
  – wrapping numbers

Bypassing NIDS - Low TTL
[Figure: packet path from the attacker past the NIDS to the WWW server, TTL values 3, 2, 1 shown at successive hops; a packet whose TTL runs out after the NIDS but before the server is seen only by the NIDS]

Bypassing NIDS - Max 'MTU'
[Figure: NIDS in front of a segment with MTU = 1300; a 1350 byte packet with DF = 1 passes the NIDS but cannot be forwarded onto the segment to the WWW server]
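The fragmentation and Low TTL slides above both rest on one fact: the NIDS and the target host reassemble the same fragments differently, or do not see the same fragments at all. The following added example (written for this page, not code from the deck or from Dragon) simulates both cases. It assumes a constructed topology in which the NIDS sits one hop from the attacker and the WWW server three hops away, two overlap policies ("favor new" lets later data overwrite, "favor old" keeps the first data received; which one a given stack uses is an assumption here, real stacks differ), and the deck's own PHF request as the signature. Attack #3 (flooding the fragment queue with false attacks) is a resource-exhaustion attack and is not modelled.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int    # byte offset within the reassembled payload
    data: bytes
    ttl: int       # IP TTL as the fragment leaves the attacker


def reassemble(frags, favor_new, hops):
    """Reassemble what a vantage point `hops` router hops from the attacker sees.

    Fragments whose TTL is exhausted before that vantage point are never
    observed there. On overlapping byte ranges, favor_new=True lets later
    data overwrite earlier data; favor_new=False keeps the first data seen.
    """
    buf = bytearray()
    filled = bytearray()                # 1 where a byte has already been written
    for f in frags:
        if f.ttl <= hops:               # TTL expires before reaching this point
            continue
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
            filled.extend(b"\0" * (end - len(filled)))
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if favor_new or not filled[pos]:
                buf[pos] = byte
            filled[pos] = 1
    return bytes(buf)


def signature_hit(payload):
    """The deck's example signature: a request for the PHF CGI."""
    return b"/cgi-bin/phf" in payload


# Constructed topology: attacker -> NIDS (1 hop) -> ... -> WWW server (3 hops)
NIDS_HOPS, SERVER_HOPS = 1, 3

HEAD = Fragment(0, b"GET /cgi-bin/", 64)
REAL = Fragment(13, b"phf HTTP/1.0\r\n", 64)
DECOY = Fragment(13, b"xxx HTTP/1.0\r\n", 64)

# Attack #1: plain fragmentation. A NIDS that does not reassemble sees no
# fragment containing the whole signature.
PLAIN = [HEAD, REAL]
# Attack #2: overlapping fragments, decoy sent first. A "favor old" observer
# keeps the decoy, a "favor new" observer keeps the real payload.
OVERLAP = [HEAD, DECOY, REAL]
# Low TTL insertion: the decoy is sent last with a TTL that dies between the
# NIDS and the server, so only the NIDS ever applies the overwrite.
LOW_TTL = [HEAD, REAL, Fragment(13, b"xxx HTTP/1.0\r\n", 2)]


def views(frags, favor_new):
    """What the NIDS and the server each reconstruct from the same fragments."""
    return {
        "nids": reassemble(frags, favor_new, NIDS_HOPS),
        "server": reassemble(frags, favor_new, SERVER_HOPS),
    }


if __name__ == "__main__":
    for name, frags in (("overlap", OVERLAP), ("low_ttl", LOW_TTL)):
        for policy in (False, True):
            v = views(frags, policy)
            print(name, "favor_new" if policy else "favor_old",
                  "nids_hit=%s server_hit=%s" % (signature_hit(v["nids"]),
                                                 signature_hit(v["server"])))
```

The practical check for a NIDS operator is the second half of the table this prints: any row where the server view matches but the NIDS view does not is an evasion, and the only fix that does not depend on guessing the target's policy is to normalise traffic (Fragrouter's counterpart on the defensive side) or to give the sensor the target's reassembly semantics per host.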
Bypassing NIDS - HTTP Proto
• '/' padding: "/cgi-bin///phf"
• Self-referencing directories: "/cgi-bin/./phf"
• URL encoding: "%2fcgi-bin/phf"
• Reverse traversal: "/cgi-bin/here/../phf"
• TAB instead of spaces
• DOS/Win syntax: "/cgi-bin\phf"
• Null method: "GET%00/cgi-bin/phf"

Bypassing NIDS - Telnet Proto
• Strip out Telnet codes
• Automatic proxies which add random characters followed by backspace
  – "su X{backspace}root"

Bypassing NIDS - Resources
• Tools
  – Whisker - Rain Forest Puppy
    http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
  – Fragrouter - Dug Song
    http://www.anzen.com/research/nidsbench/
  – Congestant - horizon, Phrack 54
• Papers
  – "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", Tom Ptacek, Timothy Newsham
    http://secinf.net/info/ids/idspaper/idspaper.html
  – Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

Bypassing HIDS - Kernel Hacks
• Windows NT
  – 4 byte patch that removes all security restrictions from objects within the NT domain
  – Could use that access to disable or manipulate the HIDS
• Linux - "itfs.c" - kernel module
  – not in /proc/modules
  – redirects execve()
  – hides a sniffer
  – socket backdoor
  – magic setuid gets root
  – hides files
  – hides processes

Bypassing HIDS - Stack Protection
• Stackguard
  – A 'canary' is placed next to the return address
  – Program halts and logs if the canary is altered
  – Canary can be random or terminating
  – Bypass: overwrite the return address without touching the canary
  – Fix: XOR the return address and the canary
  – Point: yet another example of an arms race

Bypassing HIDS - Library Hacks
• Environment variables which redirect shared library locations
• Library has a 'wrapper' run by a privileged program
• Two choices
  – Provide certain APIs with original copies of the Trojaned files
  – Redirect certain APIs to completely different files

Bypassing HIDS - HTTP Logging
• The anti-NIDS HTTP techniques may also work against host based IDS tools which do log analysis

Bypassing HIDS - Resources
• Phrack 51
  – "Shared Library Redirection Techniques", halflife <halflife@infonexus.com>
  – "Bypassing Integrity Checking Systems", halflife <halflife@infonexus.com>
• Phrack 52
  – "Weakening the Linux Kernel", plaguez <dube0866@eurobretagne.fr>
• Phrack 55
  – "A real NT Rootkit, patching the NT Kernel", Greg Hoglund <hoglund@ieway.com>
• Phrack 56
  – "Shared Library Call Redirection via ELF PLT Infection", Silvio Cesare
  – "Backdooring Binary Objects", <klog@promisc.org>
  – "Bypassing Stackguard and Stackshield", Bulba & Kil3r <lam3rz@hert.org>
• Stackguard - http://www.immunix.org/documentation.html

Practical Bypass Techniques
• NIDS
  – identifying
  – avoiding
  – overwhelming
  – "slow roll"
  – "distributed scanning"
• HIDS
  – identifying
  – log deletion
  – log modification
• Generic
  – Social
  – DOS

NIDS - Identifying
• Is it in DNS?
• Does it shoot down connections?
• Is the sniffing interface detectable?
• Is it running on a big red box labeled "IDS"?
• Can the alert messages be observed?

NIDS - Identifying
• Any open ports that match a known IDS?
• Has the target posted to an IDS list saying, "We use product XYZ"?
• Do they have a "This site protected by XYZ" message on their web site?

NIDS - Avoiding
• Are there other routes into the network?
  – Is there an encrypted path?
  – Modem dial in?
  – Alternate transport layer? (GRE???)
• Is there an attack not detected by the IDS?
• Is there a technical bypass technique that is not detected by the IDS?
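The last question on the NIDS - Avoiding slide, whether a technical bypass goes undetected, comes down to whether the sensor normalises the request the way the target does before matching. The following added example (written for this page, not from the deck, Whisker or Dragon) implements that normalisation for the two protocols covered earlier: the HTTP Proto tricks ('/' padding, self-referencing directories, URL encoding, reverse traversal, TAB separators, DOS/Win backslashes, NUL after the method) and the Telnet Proto trick of option negotiation bytes and backspace-edited input. The signature string, the single-pass percent decoding and the choice to treat NUL and backslash the way the deck's example server would are assumptions.

```python
import re
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"          # the deck's example PHF signature (assumed plain substring)


def normalize_path(path):
    """Canonicalise a URL path the way the target file system will resolve it."""
    path = path.replace("\\", "/")                    # DOS/Win syntax
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                          # '/' padding, "/./"
            continue
        if seg == "..":                               # reverse traversal
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_request(raw):
    """Return (METHOD, canonical path) for one HTTP request line."""
    decoded = unquote(raw)                            # %2f -> '/', %00 -> NUL (one pass, assumed)
    parts = re.split(r"[ \t\x00]+", decoded.strip())  # space, TAB or NUL all end the method
    method = parts[0].upper() if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return method, normalize_path(path)


def http_hit(raw):
    return SIGNATURE in normalize_request(raw)[1]


# --- Telnet: strip option negotiation, then apply backspaces ---------------
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}                       # WILL, WONT, DO, DONT <option>


def normalize_telnet(stream):
    """Recover the bytes the remote shell actually acts on."""
    out = bytearray()
    i = 0
    while i < len(stream):
        b = stream[i]
        if b == IAC:
            nxt = stream[i + 1] if i + 1 < len(stream) else None
            if nxt == IAC:                            # escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif nxt == SB:                           # subnegotiation ... IAC SE
                end = stream.find(bytes([IAC, SE]), i + 2)
                i = len(stream) if end < 0 else end + 2
            elif nxt in NEGOTIATE:                    # three-byte option command
                i += 3
            else:                                     # any other two-byte command
                i += 2
            continue
        if b in (0x08, 0x7F):                         # BS or DEL erases previous char
            if out:
                out.pop()
        else:
            out.append(b)
        i += 1
    return bytes(out)


def telnet_hit(stream, needle=b"su root"):
    return needle in normalize_telnet(stream)


# Constructed requests, one per trick on the HTTP Proto slide
EVASIONS = [
    "GET /cgi-bin///phf HTTP/1.0",
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET %2fcgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/here/../phf HTTP/1.0",
    "GET\t/cgi-bin/phf\tHTTP/1.0",
    "GET /cgi-bin\\phf HTTP/1.0",
    "GET%00/cgi-bin/phf HTTP/1.0",
]
```

Two caveats for anyone deploying this. First, every choice in `normalize_request` (one decode pass versus two, NUL as a separator, backslash as a slash) must mirror the server being protected; where the sensor and the server disagree, the difference is a fresh bypass, which is exactly the Ptacek and Newsham argument cited on the Resources slide. Second, the telnet normaliser only recovers what the shell sees for simple line editing; a proxy that uses cursor movement or kill sequences needs the same treatment for those escape codes.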
NIDS - Overwhelming
• Send as many false attacks as possible while still doing the real attack
  – May overload the console
  – May drop packets
  – Admins may not believe there is a threat
• Send packets that "cost" the NIDS CPU cycles to process
  – Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum

NIDS - 'Slow Roll'
• Port scans and sweeps
  – Obvious: incremental destination ports
  – Trivial: randomized ports
  – Sweep: one port and many addresses
  – Stealthy: random ports and addresses over time

[Figure: plotting all destination ports from one source IP to a target network (ports vs. IP addresses) - a port scan is a vertical line, a port sweep a horizontal line, and a random "simple port walk" is scattered but still maps out the network from one IP address]

[Figure: distributed scanning - a MASTER driving many SLAVES; the target sees traffic from many addresses]

HIDS - Identifying
• Almost always done after you are on a system ...
• Is there anything in the system logs?
• What ports are open?
• What is running out of CRON?
• What is in the NT registry?
• What programs are running?

HIDS - Logs
• Simple log deletion may be possible
• Simple log altering may also be possible
  – replace IP addresses to mislead
  – delete key logs
• Logging may be disabled or intercepted
  – Removing syslog from services

Generic - Social
• Physical access
• Obtaining "official" access
• Getting others to hack/scan the site for you
  – IRC & chat groups
  – Hacker challenges
• Run the IDS ......

Generic - DOS
• Find the main 'server'
• Kill it
  – IP bomb
  – Port bomb
  – IDS DOS
• Find the clients

Contact Information
• rgula@securitywizards.com
• http://www.securitywizards.com
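Returning to the 'Slow Roll' and distributed scanning slides: both defeat a detector that counts per-source events inside a short window. The following added example (written for this page, not from the deck or from Dragon) is a sliding-window distinct-count detector run over constructed connection records, first keyed by source (what a simple port-scan rule does) and then keyed by target (which sums the work of many slaves). The window sizes, thresholds and the two sample scans are assumptions chosen to show where each keying succeeds and fails.

```python
from collections import defaultdict, deque


def detect(records, group, distinct, window, threshold):
    """Flag every group(rec) key that accumulates >= threshold distinct
    distinct(rec) values within any sliding window of `window` seconds.

    records are (seconds, src, dst, dport) tuples; they are sorted by time.
    """
    recent = defaultdict(deque)
    flagged = set()
    for rec in sorted(records):
        t = rec[0]
        q = recent[group(rec)]
        q.append((t, distinct(rec)))
        while q[0][0] < t - window:           # expire events outside the window
            q.popleft()
        if len({v for _, v in q}) >= threshold:
            flagged.add(group(rec))
    return flagged


def per_source(records, window, threshold):
    """Classic rule: one source touching many (host, port) pairs."""
    return detect(records, lambda r: r[1], lambda r: (r[2], r[3]), window, threshold)


def per_target(records, window, threshold):
    """Aggregate rule: one target having many distinct ports probed by anyone."""
    return detect(records, lambda r: r[2], lambda r: r[3], window, threshold)


# Constructed sample: a slow roll - one source, one random port on a different
# host every ten minutes, 20 probes over about three and a half hours.
SLOW_ROLL = [(i * 600, "10.0.0.5", "192.168.1.%d" % (i + 1), 1000 + i)
             for i in range(20)]

# Constructed sample: distributed scan - ten slaves, two ports each, all of
# them hitting one target inside a single minute.
DISTRIBUTED = [(i * 3, "10.0.1.%d" % (1 + i // 2), "192.168.1.20", 2000 + i)
               for i in range(20)]

SHORT, LONG = 60, 24 * 3600          # assumed windows: one minute, one day
THRESHOLD = 5                        # assumed "this is a scan" count


def summary():
    return {
        "slow_roll_short_window": per_source(SLOW_ROLL, SHORT, THRESHOLD),
        "slow_roll_long_window": per_source(SLOW_ROLL, LONG, THRESHOLD),
        "distributed_per_source": per_source(DISTRIBUTED, SHORT, THRESHOLD),
        "distributed_per_target": per_target(DISTRIBUTED, SHORT, THRESHOLD),
    }


if __name__ == "__main__":
    for name, hits in summary().items():
        print("%-26s %s" % (name, sorted(hits) or "-"))
```

The long window is what makes the slow roll visible, and it is also what costs the sensor memory: per-source state must be kept for a day rather than a minute, which is the same "maintain state = drain on resources" trade-off the fragmentation slide makes, and an attacker who knows the window simply probes slower than it. Keying by target has no such knob to tune against, but it only works when the slaves share a target; a sweep of one port across many addresses from many slaves needs the same aggregation keyed by port instead.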