Advanced Network Based IPS Evasion Techniques
Antti Levomäki, Christian Jalio, Olli-Pekka Niemi
28 October 2009
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Hack.Lu 2009
Introduction
Intrusion Prevention Systems should protect vulnerable hosts from remote exploits.
Exploits can apply multiple evasion methods to bypass the detection of Intrusion Prevention Systems and break into the remote system.
There are hacking tools which apply multiple evasion techniques.
However, these tools are more exploit-oriented than evasion-oriented.
Known Evasions, implemented in various testing tools…
IP Fragmentation with manipulated fragment size and order
TCP segmentation with manipulated segment size and order
SMB Fragmentation
SMB Transaction Write Method
MSRPC Multibind (bind to multiple "unnecessary or non-existent" contexts plus the vulnerable context)
MSRPC fragmentation
MSRPC encryption
Not So Known Evasions, Implemented in ???
IP Random Options
TCP Time Wait
TCP Urgent Pointer
SMB Write/Read Padding
SMB Transaction Method fragmentation
SMB Session Mixing
MSRPC Alter Context
MSRPC Object Reference
MSRPC Endian Manipulation
The Power of Evasion Methods
IPS signatures can be evaded completely if the IPS protocol stacks do not understand the evasions and do not normalize the traffic.
Example: SMB and MSRPC signatures should not have to worry about fragmentation, padding, extra methods or other randomizations.
IP Random Options
Fill the IP packet with random options.
If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS.
TCP Evasion
TCP Time Wait
Open and close a TCP connection. Then open a new TCP connection to the same service using the same TCP source port.
According to the TCP RFC, the TCP client MUST wait the "TIME-WAIT delay" number of seconds before reusing a port.
If the attacker uses his own TCP/IP stack, he can open and close a TCP connection and immediately open a new TCP connection using the same source port.
The IPS stack should handle new connections as new connections regardless of the TIME-WAIT delay.
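The flow-table behaviour the slide asks for, as an added example (not Stonesoft or Predator code): a per-4-tuple tracker that treats a fresh SYN as a new connection even when the previous one on that tuple is still in TIME_WAIT, next to the naive variant that keeps the stale flow. Only the client-to-server direction is modelled and the segments are constructed.

```python
"""Per-4-tuple TCP flow tracking with TIME_WAIT handling (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

FIN, SYN, ACK = 0x01, 0x02, 0x10


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload: bytes = b""


@dataclass
class Flow:
    state: str                  # "ESTABLISHED" or "TIME_WAIT"
    next_seq: int               # next client sequence number we expect
    data: bytearray = field(default_factory=bytearray)
    dropped: int = 0            # segments discarded as out of window


class FlowTracker:
    """restart_on_syn=True: a fresh SYN on a known tuple replaces the old flow.
    restart_on_syn=False: the stale flow is kept, so the new connection's data
    is never in the old sequence window and is never inspected."""

    def __init__(self, restart_on_syn: bool = True):
        self.restart_on_syn = restart_on_syn
        self.flows: dict[tuple, Flow] = {}

    def handle(self, seg: Segment) -> Flow | None:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        flow = self.flows.get(key)

        if seg.flags & SYN and not seg.flags & ACK:
            if flow is None or self.restart_on_syn:
                flow = Flow("ESTABLISHED", next_seq=seg.seq + 1)
                self.flows[key] = flow
            return flow

        if flow is None:
            return None                       # mid-stream pickup not modelled

        if flow.state == "ESTABLISHED" and seg.seq == flow.next_seq:
            flow.data += seg.payload
            flow.next_seq += len(seg.payload)
            if seg.flags & FIN:
                flow.next_seq += 1
                flow.state = "TIME_WAIT"      # server-side close ignored for brevity
        else:
            flow.dropped += 1                 # outside this flow's sequence space
        return flow


def run_scenario(restart_on_syn: bool) -> bytes:
    """Decoy connection, then immediate reuse of the same ip:port pair.
    Returns what the tracker holds for that tuple afterwards."""
    t = FlowTracker(restart_on_syn)
    c = ("10.0.0.1", 40000, "10.0.0.2", 445)          # constructed addresses
    # constructed decoy connection: SYN, a little data, FIN
    t.handle(Segment(*c, flags=SYN, seq=1000))
    t.handle(Segment(*c, flags=ACK, seq=1001, payload=b"DECOY"))
    t.handle(Segment(*c, flags=FIN | ACK, seq=1006))
    # constructed reuse of the tuple with a new ISN while the old flow is in TIME_WAIT
    t.handle(Segment(*c, flags=SYN, seq=500000))
    flow = t.handle(Segment(*c, flags=ACK, seq=500001, payload=b"SECOND-CONNECTION-DATA"))
    return bytes(flow.data)


if __name__ == "__main__":
    print(run_scenario(True))    # b'SECOND-CONNECTION-DATA'
    print(run_scenario(False))   # b'DECOY': the second connection was never reassembled
```

A real engine would also honour the server's FIN/RST and a TIME_WAIT timeout, but the deciding rule is the one in `handle()`: a SYN without ACK on a tuple that is not ESTABLISHED starts a new flow and a new sequence space.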
TCP Evasion
TCP Urgent Pointer
Insert one byte into a TCP stream.
The TCP server chooses whether to use or discard the added byte.
IPS inspection can be evaded by clever use of the urgent pointer.
Example
TCP stream: GETP /
IPS sees: GETP /
Apache sees: GET /
(P is urgent data)
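The reassembly an IPS needs in order to see what the server sees, as an added example that is not part of the original slides. It models three receiver behaviours for the URG byte (the RFC 793 reading used by BSD-derived stacks and by Linux with `net.ipv4.tcp_stdurg=0`, the RFC 1122 reading, and `SO_OOBINLINE`), because which one the target uses decides what the application reads. The segments are constructed to match the slide's "GETP /" case.

```python
"""Urgent-pointer aware TCP stream reassembly (added example)."""
URG = 0x20


def reassemble(segments, mode="bsd"):
    """segments: iterable of (seq, flags, urg_ptr, payload), any order.

    mode selects the receiver model:
      "bsd"     - RFC 793 reading (BSD, Linux default): the urgent pointer marks
                  the byte *after* the urgent data; the single urgent byte is
                  delivered out of band, so it vanishes from the in-band stream.
      "rfc1122" - Host Requirements reading: the pointer marks the last urgent
                  byte itself.
      "inline"  - receiver set SO_OOBINLINE (or ignores URG): nothing is removed.
    """
    stream = {}        # absolute sequence number -> byte
    urgent = set()     # absolute sequence numbers the receiver pulls out of band
    for seq, flags, urg_ptr, payload in segments:
        for i, b in enumerate(payload):
            stream.setdefault(seq + i, b)   # first copy wins; overlap policy also differs per host
        if flags & URG and urg_ptr:
            if mode == "bsd":
                urgent.add(seq + urg_ptr - 1)
            elif mode == "rfc1122":
                urgent.add(seq + urg_ptr)
    return bytes(b for s, b in sorted(stream.items()) if s not in urgent)


# constructed segments matching the slide: "GET", urgent "P", then " /"
SAMPLE = [
    (1000, 0, 0, b"GET"),
    (1003, URG, 1, b"P"),     # urg_ptr=1: under RFC 793 the byte before seq+1, i.e. "P", is urgent
    (1004, 0, 0, b" /"),
]


def what_each_party_sees():
    return {
        "ips_concatenating": reassemble(SAMPLE, "inline"),   # b"GETP /"
        "bsd_or_linux_server": reassemble(SAMPLE, "bsd"),    # b"GET /"
        "rfc1122_server": reassemble(SAMPLE, "rfc1122"),     # b"GETP/"
    }


if __name__ == "__main__":
    for who, data in what_each_party_sees().items():
        print(f"{who:22} {data!r}")
```

Note the RFC 1122 row: with a 1-byte segment and `urg_ptr=1` the urgent byte falls in the *next* segment, so the receiver drops the space instead of the "P". An IPS that cannot learn the target's interpretation has to either normalize URG out of the stream before forwarding or treat URG-carrying segments on inspected services as suspicious.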
SMB Evasion
SMB Session Mixing
It is possible to use multiple resources over the same SMB session within a single TCP connection at the same time.
Simultaneously read and write multiple files.
SMB Evasion
SMB Write/Read Padding
The write and read commands have an offset pointer that can be used for padding.
All data after the SMB header up to the pointed-to byte should be discarded.
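An offset-honouring SMB_COM_WRITE_ANDX extractor, as an added example (not Stonesoft or Predator code). `build_write_andx()` constructs a sample request with the SMB1 layout from the public CIFS specification (32-byte header, WordCount, 12 parameter words, ByteCount, then pad and data); `parse_write_andx()` is the defender-side reader, with a switch that mimics a naive parser which assumes the data starts right after ByteCount. FID, TID and the payload bytes are made up.

```python
"""SMB_COM_WRITE_ANDX parsing that honours DataOffset (added example)."""
import struct

SMB_COM_WRITE_ANDX = 0x2F
HEADER_FMT = "<4sB4sBHHQHHHHH"   # Protocol, Command, Status, Flags, Flags2, PIDHigh,
                                 # SecurityFeatures, Reserved, TID, PIDLow, UID, MID
WORDS_FMT = "<BBHHIIHHHHH"       # AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout,
                                 # WriteMode, Remaining, DataLengthHigh, DataLength, DataOffset


def build_write_andx(fid: int, data: bytes, pad: bytes = b"") -> bytes:
    """Constructed sample request. DataOffset counts from the first byte of the
    SMB header, so 'pad' placed between ByteCount and the data is skipped by a
    server that follows the field."""
    header = struct.pack(HEADER_FMT, b"\xffSMB", SMB_COM_WRITE_ANDX, b"\0\0\0\0",
                         0x18, 0xC807, 0, 0, 0, 0x0001, 0x0002, 0x0003, 0x0004)
    word_count = struct.calcsize(WORDS_FMT) // 2
    data_offset = len(header) + 1 + 2 * word_count + 2 + len(pad)
    words = struct.pack(WORDS_FMT, 0xFF, 0, 0, fid, 0, 0, 0, 0,
                        len(data) >> 16, len(data) & 0xFFFF, data_offset)
    byte_count = struct.pack("<H", len(pad) + len(data))
    return header + bytes([word_count]) + words + byte_count + pad + data


def parse_write_andx(msg: bytes, honour_data_offset: bool = True) -> bytes:
    """Return the bytes the server will actually write to the file."""
    if msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_WRITE_ANDX:
        raise ValueError("not an SMB_COM_WRITE_ANDX request")
    word_count = msg[32]
    if word_count not in (12, 14):        # 14 when the OffsetHigh word pair is present
        raise ValueError(f"unexpected WordCount {word_count}")
    fields = struct.unpack_from(WORDS_FMT, msg, 33)   # DataOffset is in the first 12 words either way
    dlen_high, dlen, data_offset = fields[8], fields[9], fields[10]
    bytecount_pos = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", msg, bytecount_pos)[0]
    first_byte = bytecount_pos + 2
    length = (dlen_high << 16) | dlen

    start = data_offset if honour_data_offset else first_byte
    if honour_data_offset and not (first_byte <= start <= first_byte + byte_count):
        raise ValueError("DataOffset points outside the message's byte block")
    if start + length > min(len(msg), first_byte + byte_count):
        raise ValueError("DataLength runs past the end of the message")
    return msg[start:start + length]


def demo():
    payload = b"\x05\x00\x0b\x03\x10\x00\x00\x00"      # constructed bytes, no meaning
    padded = build_write_andx(0x4000, payload, pad=b"\xaa" * 16)
    return parse_write_andx(padded), parse_write_andx(padded, honour_data_offset=False)


if __name__ == "__main__":
    good, naive = demo()
    print("offset-aware:", good)    # the real payload
    print("naive:       ", naive)   # eight bytes of padding instead
```

The same field exists on SMB_COM_READ_ANDX responses (DataOffset from the header to the file bytes), so the response path needs the identical check before signatures are applied to "file content".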
SMB Evasion
SMB Transaction Method
SMB Transact Write Method
The SMB protocol allows the fragmentation of Transaction messages by using "Transaction secondary" messages.
MSRPC Evasion
MSRPC Object Reference
Adding an Object Reference (UUID) to an MSRPC
Request Header enlarges the header by 16 bytes,
and thus moves the MSRPC payload 16 bytes
forward.
MSRPC Evasion
Alter Context
The client may change the current context using the Alter Context method. All subsequent requests then go to the new context.
Example: the client binds to a non-vulnerable context, then changes into a vulnerable context and sends the exploit.
MSRPC Endianness
The MSRPC protocol allows both big- and little-endian encoding.
Windows hosts normally use the little-endian encoding.
Hackers should use big endian for obvious reasons…
Introducing Predator
Evasion Fuzzer
Use multiple random evasion techniques
simultaneously in multiple layers
Transmit the same payload until successful
Evasions in Predator
Evasions for attack CVE-2008-4250
IP fragmentation, --ip_frag:
8byte: Fragment IP payload into 8 byte fragments
16byte: Fragment IP payload into 16 byte fragments
24byte: Fragment IP payload into 24 byte fragments
256byte: Fragment IP payload into 256 byte fragments
random_order: Send fragments in a random order
out_of_order: Send one fragment out of order
fwd_overwrite: Perform forward overwriting with fragments
last_first: Send last fragment first
one_duplicate: Send one duplicate fragment
IP evasion, --ip_evasion:
random_options: Send random IP options
TCP fragmentation, --tcp_frag:
1byte: Fragment TCP payload into 1 byte segments
TCP evasion, --tcp_evasion:
time_wait: Open a decoy connection and attack from the same ip:port while in time-wait
urgent_ptr: Insert meaningless data into 1 byte urgent segments
SMB fragmentation, --smb_frag:
16byte: Fragment SMB payload into 16 byte fragments
256byte: Fragment SMB payload into 256 byte fragments
SMB evasion, --smb_evasion:
andx_connect: Negotiate SMB session and connect to a tree using an AndX message
decoy_trees: Open decoy SMB tree connects in the same TCP stream as the attack
read_offset: Use random offsets in SMB read operations
pad_write_random: Pad SMB write commands with a random sized block of random data
pad_write_static: Pad SMB write commands with a static sized block of random data
random_write_method: Use a random SMB write method (TRANSACT / WRITE)
write_offset: Use random offsets in SMB write operations
MSRPC fragmentation, --msrpc_frag:
16byte: Fragment MSRPC payload into 16 byte fragments
256byte: Fragment MSRPC payload into 256 byte fragments
MSRPC evasion, --msrpc_evasion:
big_endian: Communicate in big endian format
random_object: Add a random object reference to MSRPC requests
alter_context: Bind to a random context and then alter to the correct one
Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB fragstyle: 16byte, MSRPC evasion:
random_object}
Exploit run 2: SMB evasion: read_offset, MSRPC evasion: big_endian,random_object,alter_context}
Exploit run 3: SMB evasion: decoy_trees,pad_write_static, MSRPC evasion: random_object,alter_context}
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB
evasion:andx_connect,pad_write_static,random_write_method,write_offset, MSRPC evasion:
alter_context}
Exploit run 2: TCP evasion: time_wait, SMB evasion: decoy_trees,read_offset,pad_write_static
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
DEMO
www.stonesoft.com