Bypassing Intrusion Detection Systems
Ron Gula, Founder, Network Security Wizards
(PowerPoint presentation, 44 slides; transcript follows)

Page 1: Bypassing Intrusion Detection Systems

Ron Gula, Founder
Network Security Wizards

Page 2: Ron Gula

• Wrote the Dragon IDS
• Tested, deployed and operated NIDS for a major Internet company
• Designed a DOD network honeypot
• Technical expert for major IW exercises
• Penetration tested many networks
• Still learning ...

Page 3: Why this talk?

• IDS solutions are not perfect
• IDS administrators are not perfect
• Security is a process!
– Not a person!
– Not a product!
– Intrusion detection is part of security!!!

Page 4: Topics

• NIDS, HIDS, firewall (FW) and honeypot (HP) technology
• Technical bypass techniques
• Practical bypass techniques
• Conclusions

Page 5: Network IDS

• Searches for patterns in packets
• Searches for patterns of packets
• Searches for packets that shouldn't be there
• May 'understand' a protocol for effective pattern searching and anomaly detection
• May passively log, alert with SMTP/SNMP or have a real-time GUI

Page 6: Network IDS Limitations

• Obtaining packets - topology & encryption
• Number of signatures
• Quality of signatures
• Performance
• Network session integrity
• Understanding the observed protocol
• Disk storage

Page 7: [Diagram: the request string "/cgi-bin/phf" passes the NIDS on the wire; the NIDS reports "Jane used the PHF attack!"]

Page 8: [Diagram: an NMAP scan passes the NIDS; the NIDS reports "Jane did a portsweep!"]

Page 9: Host Based IDS

• Signature log analysis
– application and system
• File integrity checking
– MD5 checksums
• Enhanced kernel security
– API access control
– Stack security
• Network monitoring hybrids

Page 10: Host Based IDS Limitations

• Places load on the system
• Disabling system logging
• Kernel modifications to avoid file integrity checking (and other stuff)
• Management overhead
• Network IDS limitations

Page 11: [Diagram: separate host logs - messages, xfer, access_log, secure, sendmail]

Page 12: [Diagram: the same logs - messages, xfer, access_log, secure, sendmail - consolidated into one security log]

Page 13: Firewalls as an IDS

• Excellent source of network probe, attack and misuse information
• Detect policy deviations based on access control lists
• Some have "NIDS" capabilities

Page 14: Network Honeypots

• Sacrificial system(s) or sophisticated simulations
• Any traffic to the honeypot is considered suspicious
• If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a honeypot has been deployed

Page 15: [Diagram: a honeypot placed beside the HTTP and DNS servers behind the firewall]

Page 16: Technical Bypass Techniques

• NIDS
– fragmentation
– TCP un-sync
– Low TTL
– 'Max' MTU
– HTTP protocol
– Telnet protocol
• HIDS
– Kernel hacks
– Bypassing stack protection
– Library hacks
– HTTP logging insertion techniques

Page 17: [Diagram: NIDS state - a fragment queue holding IP #1, IP #2, IP #3 and a session queue holding Session #1, Session #2, Session #3]

Page 18: [Diagram: same as page 17 (animation step)]

Page 19: Bypassing NIDS - Fragmentation

• NIDS must reconstruct fragments
– Maintain state = drain on resources
– Must overwrite correctly = more drain on resources (overlapping fragments must be resolved the same way the target host resolves them, or the NIDS and the host see different data)
• Target server correctly de-frags
• Attack #1 - just fragment
• Attack #2 - frag with overwrite
• Attack #3 - start an attack, follow with many false attacks, finish the first attack

Page 20: Bypassing NIDS - TCP un-sync

• Inject a packet with a bad TCP checksum
– fake 'FIN' packet
• Inject a packet with a weird TCP sequence number
– step up
– wrapping numbers

Page 21: Bypassing NIDS - Low TTL

[Diagram: the NIDS sits on the path to the WWW server, which is hops 1, 2, 3 further on; a packet whose TTL expires between the NIDS and the server is seen by the NIDS but never reaches the server]

Page 22: Bypassing NIDS - Max 'MTU'

[Diagram: between the NIDS and the WWW server is a segment with MTU = 1300; a 1350 byte packet sent with DF = 1 is seen by the NIDS but dropped before it reaches the server]
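The four insertion tricks on pages 19 to 22 share one mechanism: the sensor accepts a packet that the target host never does, so the two reassemble different byte streams. The model below is an added example, not code from the talk. It assumes a naive sensor that trusts every packet it sees and resolves overlaps 'first wins', a target three router hops past the sensor behind a 1300 byte MTU link, and a made-up PHF request; the chaff fragment is placed to cover the bytes the signature needs.

```python
"""Model of the insertion/evasion problem behind slides 19-22.

Constructed example: a passive sensor that accepts every packet it sees is
compared with a target host that drops packets which expire in transit (low TTL),
exceed a downstream MTU with DF set, or fail the transport checksum. Hop counts,
MTU, fragment contents and the 'first wins' sensor policy are assumptions.
"""
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/phf"          # what the sensor is looking for


@dataclass
class Frag:
    offset: int            # byte offset of this piece within the stream
    data: bytes
    ttl: int = 64          # IP TTL as observed at the sensor
    df: bool = False       # Don't Fragment bit set
    csum_ok: bool = True   # transport checksum valid


@dataclass
class Host:
    hops_away: int         # router hops between the sensor and the host
    path_mtu: int          # smallest MTU on the path beyond the sensor
    overlap: str = "last"  # which data wins when fragments overlap


def accepted_by_host(f: Frag, host: Host) -> bool:
    """Does a packet the sensor saw actually arrive at, and get accepted by, the host?"""
    if f.ttl <= host.hops_away:                 # slide 21: TTL expires in transit
        return False
    if f.df and len(f.data) > host.path_mtu:    # slide 22: DF packet bigger than a downstream MTU
        return False
    if not f.csum_ok:                           # slide 20: host verifies checksums, naive sensor does not
        return False
    return True


def reassemble(frags, overlap: str) -> bytes:
    """Lay pieces out by offset; on overlap keep the 'first' or the 'last' data seen."""
    buf = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if overlap == "last" or pos not in buf:
                buf[pos] = b
    return bytes(buf[p] for p in sorted(buf))


def sensor_view(frags) -> bytes:
    # naive NIDS: trusts every packet and resolves overlaps 'first wins'
    return reassemble(frags, "first")


def host_view(frags, host: Host) -> bytes:
    return reassemble([f for f in frags if accepted_by_host(f, host)], host.overlap)


def chaff(trick: str) -> Frag:
    """A piece that the sensor accepts but the host never sees, covering the key bytes."""
    if trick == "ttl":
        return Frag(13, b"xyz", ttl=1)                 # dies one hop past the sensor
    if trick == "csum":
        return Frag(13, b"xyz", csum_ok=False)         # host discards it
    if trick == "mtu":
        return Frag(13, b"x" * 1350, df=True)          # dropped at the MTU=1300 link
    raise ValueError(trick)


def attack_stream(trick=None):
    """Slide 19 'attack #2': fragment, then overwrite. Without a trick it is a plain attack."""
    pieces = [Frag(0, b"GET /cgi-bin/")]
    if trick:
        pieces.append(chaff(trick))
    pieces += [Frag(13, b"phf"), Frag(16, b" HTTP/1.0\r\n")]
    return pieces


def matches(frags, host: Host):
    """(sensor alerted?, host actually received the attack?)"""
    return SIGNATURE in sensor_view(frags), SIGNATURE in host_view(frags, host)


TARGET = Host(hops_away=3, path_mtu=1300)

if __name__ == "__main__":
    for trick in (None, "ttl", "csum", "mtu"):
        print(f"{str(trick):>5}: sensor alert / host got attack = {matches(attack_stream(trick), TARGET)}")
```

With no trick both sides see the signature; with any of the three the sensor reports nothing while the host receives the complete PHF request. The chaff order is chosen against the sensor's assumed overlap policy: against a 'last wins' sensor the attacker simply sends the chaff after the real bytes instead. The defences are the ones the Ptacek and Newsham paper on page 25 describes: verify checksums, know the hop distance to the hosts being protected, and reassemble the way those hosts do.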

Page 23: Bypassing NIDS - HTTP Proto

• '/' padding: "/cgi-bin///phf"
• Self referencing directories: "/cgi-bin/./phf"
• URL encoding: "%2fcgi-bin/phf"
• Reverse traversal: "/cgi-bin/here/../phf"
• TAB instead of spaces
• DOS/Win syntax: "/cgi-bin\phf"
• Null method: "GET%00/cgi-bin/phf"

Page 24: Bypassing NIDS - Telnet Proto

• Strip out Telnet codes
• Automatic proxies which add random characters followed by backspace
– "su X{backspace}root"
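Every trick on pages 23 and 24 works because the sensor string-matches the raw bytes while the server or shell interprets them first. The normaliser below is an added example, not code from the talk or from any IDS product, and it models a permissive target: a single percent-decode, backslash accepted as a path separator, tabs as request-line separators, and a NUL ending the method token. It covers both the HTTP forms on page 23 and the Telnet negotiation and backspace trick on page 24.

```python
"""Normalisation a NIDS (or a host log analyser, slide 29) must apply before
string-matching a signature, covering the HTTP tricks on slide 23 and the Telnet
tricks on slide 24. Constructed example, not code from the talk; the server
behaviours modelled (single percent-decode, backslash as separator, NUL ending
the method token) are assumptions about a permissive target.
"""
import re
from urllib.parse import unquote


def normalize_uri(uri: str) -> str:
    """Canonicalise a request path the way a permissive web server would resolve it."""
    uri = unquote(uri)                 # URL encoding: "%2fcgi-bin/phf" -> "/cgi-bin/phf"
    uri = uri.replace("\\", "/")       # DOS/Win syntax: "/cgi-bin\\phf"
    segs = []
    for seg in uri.split("/"):
        if seg in ("", "."):           # '/' padding and self-referencing directories
            continue
        if seg == "..":                # reverse traversal: "/cgi-bin/here/../phf"
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return "/" + "/".join(segs)


def parse_request_line(line: str):
    """Split a request line into (METHOD, canonical URI); tabs count as separators."""
    tokens = re.split(r"[ \t]+", line.strip())
    method, rest = tokens[0], tokens[1:]
    if "%00" in method:                # null method: "GET%00/cgi-bin/phf" glues URI to method
        method, glued = method.split("%00", 1)
        rest.insert(0, glued)
    uri = normalize_uri(rest[0]) if rest else ""
    return method.upper(), uri


IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT (+ one option byte)
ERASE = {0x08, 0x7F}                     # BS, DEL


def normalize_telnet(data: bytes) -> bytes:
    """Drop Telnet negotiation and apply erase characters so the result is what the shell executes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:                      # escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif cmd == SB:                     # sub-negotiation runs until IAC SE
                end = data.find(bytes([IAC, SE]), i + 2)
                i = len(data) if end < 0 else end + 2
            elif cmd in OPTION_CMDS:            # IAC <cmd> <option>
                i += 3
            else:                               # other two-byte commands (NOP, AYT, ...)
                i += 2
            continue
        if b in ERASE:                          # "su X{backspace}root" -> "su root"
            if out:
                out.pop()
        else:
            out.append(b)
        i += 1
    return bytes(out)


if __name__ == "__main__":
    for raw in ("GET /cgi-bin///phf HTTP/1.0", "GET /cgi-bin/./phf", "GET %2fcgi-bin/phf",
                "GET /cgi-bin/here/../phf", "GET\t/cgi-bin/phf\tHTTP/1.0",
                "GET /cgi-bin\\phf", "GET%00/cgi-bin/phf HTTP/1.0"):
        print(f"{raw!r:40} -> {parse_request_line(raw)}")
    print(normalize_telnet(b"\xff\xfd\x01su X\x08root\r\n"))
```

All seven request lines reduce to ("GET", "/cgi-bin/phf"), so a signature applied after normalisation fires on every variant that whisker would generate. The caveat from page 19 applies here too: a normaliser is only as good as its match with the real target, and a server that double-decodes, or rejects backslashes, behaves differently from this model.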

Page 25: Bypassing NIDS - Resources

• Tools
– Whisker - Rain Forest Puppy, http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
– Fragrouter - Dug Song, http://www.anzen.com/research/nidsbench/
– Congestant - horizon, Phrack 54
• Papers
– "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", Tom Ptacek, Timothy Newsham, http://secinf.net/info/ids/idspaper/idspaper.html
– Bro information: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

Page 26: Bypassing HIDS - Kernel Hacks

• Windows NT
– 4 byte patch that removes all security restrictions from objects within the NT domain
– Could use access to disable or manipulate HIDS
• Linux - "itfs.c" - kernel module
– not in /proc/modules
– hides a sniffer
– hides files
– hides processes
– redirects execve()
– socket backdoor
– magic setuid gets root

Page 27: Bypassing HIDS - Stack Protection

• Stackguard
– A 'canary' is placed next to the return address
– Program halts and logs if the canary is altered
– Canary can be random or terminating
– Bypass: overwrite the return address without touching the canary
– Fix: XOR the return address and the canary
– Point: yet another example of an arms race
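The bypass and fix on page 27 are easier to see with the frame laid out and both checks run against both attacks. The model below is an added example written for this page, not StackGuard's code: it lays a frame out as buffer | canary | saved return address, compares a contiguous strcpy-style overflow with a write that reaches the return address without touching the canary, and compares the plain canary check with the XOR binding the slide calls the fix. The canary value and the two addresses are made-up constants.

```python
"""Toy model of the StackGuard arms race on slide 27. Constructed example in Python,
not StackGuard's code: a frame is laid out as buffer | canary | saved return address,
a contiguous overflow is compared with a write that reaches the return address without
touching the canary, and the plain canary check is compared with the XOR binding the
slide describes as the fix. The canary value and addresses are made-up constants.
"""
from dataclasses import dataclass

BUF_SIZE = 16
CANARY = 0x2F1B9C77       # per-process random value in a real implementation; fixed here
GOOD_RET = 0x08048000     # legitimate return address (made up)
EVIL_RET = 0xDEADBEEF     # attacker's target (made up)


@dataclass
class Frame:
    buf: bytearray
    canary: int           # what the prologue stored next to the return address
    ret: int              # saved return address


def prologue(mode: str, ret: int = GOOD_RET) -> Frame:
    """'plain' stores the canary as-is; 'xor' stores canary XOR return address."""
    stored = CANARY if mode == "plain" else CANARY ^ ret
    return Frame(bytearray(BUF_SIZE), stored, ret)


def linear_overflow(f: Frame, payload: bytes) -> None:
    """strcpy-style overflow: bytes spill from buf into the canary, then into ret."""
    layout = bytearray(f.buf) + f.canary.to_bytes(4, "little") + f.ret.to_bytes(4, "little")
    n = min(len(payload), len(layout))
    layout[:n] = payload[:n]
    f.buf[:] = layout[:BUF_SIZE]
    f.canary = int.from_bytes(layout[BUF_SIZE:BUF_SIZE + 4], "little")
    f.ret = int.from_bytes(layout[BUF_SIZE + 4:], "little")


def targeted_write(f: Frame, new_ret: int) -> None:
    """The slide's bypass: an arbitrary write (e.g. through a corrupted pointer) that
    lands on the return address and leaves the canary bytes untouched."""
    f.ret = new_ret


def epilogue_ok(f: Frame, mode: str) -> bool:
    """StackGuard's check before 'ret'. True means the frame looks clean."""
    expected = CANARY if mode == "plain" else CANARY ^ f.ret
    return f.canary == expected


def run(mode: str, attack: str) -> dict:
    f = prologue(mode)
    if attack == "linear":
        linear_overflow(f, b"A" * (BUF_SIZE + 4) + EVIL_RET.to_bytes(4, "little"))
    elif attack == "targeted":
        targeted_write(f, EVIL_RET)
    else:
        raise ValueError(attack)
    clean = epilogue_ok(f, mode)
    # control is hijacked only if the check passes *and* ret now points at the attacker's address
    return {"detected": not clean, "hijacked": clean and f.ret == EVIL_RET}


if __name__ == "__main__":
    for mode in ("plain", "xor"):
        for attack in ("linear", "targeted"):
            print(f"{mode:5} canary, {attack:8} attack: {run(mode, attack)}")
```

The plain canary catches the linear overflow but not the targeted write, because the check never looks at the return address itself. Storing canary XOR return address binds the two, so changing the return address alone changes the expected value and the epilogue halts. The arms race continues from there: an attacker who can read the canary can reproduce either scheme, which is the ground covered by the Phrack 56 Stackguard and Stackshield article on page 30.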

Page 28: Bypassing HIDS - Library Hacks

• Environment variables which redirect shared library locations
• Library has a 'wrapper' run by a privileged program
• Two choices
– Provide certain APIs with original copies of Trojaned files
– Redirect certain APIs to completely different files

Page 29: Bypassing HIDS - HTTP Logging

• The anti-NIDS HTTP techniques also may work for host based IDS tools which do log analysis

Page 30: Bypassing HIDS - Resources

• Phrack 51
– "Shared Library Redirection Techniques", halflife
– "Bypassing Integrity Checking Systems", halflife
• Phrack 52
– "Weakening the Linux Kernel", plaguez
• Phrack 55
– "A real NT Rootkit, patching the NT Kernel", Greg Hoglund
• Phrack 56
– "Shared Library Call Redirection via ELF PLT Infection", Silvio Cesare
– "Backdooring Binary Objects"
– "Bypassing Stackguard and Stackshield", Bulba & Kil3r
• Stackguard - http://www.immunix.org/documentation.html

Page 31: Practical Bypass Techniques

• NIDS
– identifying
– avoiding
– overwhelming
– "slow roll"
– "distributed scanning"
• HIDS
– identifying
– log deletion
– log modification
• Generic
– Social
– DOS

Page 32: NIDS - Identifying

• Is it in DNS?
• Does it shoot down connections?
• Is the sniffing interface detectable?
• Is it running on a big red box labeled "IDS"?
• Can the alert messages be observed?

Page 33: NIDS - Identifying (continued)

• Any open ports that match a known IDS?
• Has the target posted to an IDS mailing list saying, "We use product XYZ"?
• Do they have a "This site protected by XYZ" message on their web site?

Page 34: NIDS - Avoiding

• Are there other routes into the network?
– Is there an encrypted path?
– Modem dial in?
– Alternate transport layer? (GRE ???)
• Is there an attack not detected by the IDS?
• Is there a technical bypass technique that is not detected by the IDS?

Page 35: NIDS - Overwhelming

• Send as many false attacks as possible while still doing the real attack
– May overload the console
– May drop packets
– Admins may not believe there is a threat
• Send packets that "cost" the NIDS CPU cycles to process
– Fragmented, overlapping, de-synchronized web attacks with the occasional bad checksum

Page 36: NIDS - 'Slow Roll'

• Port scans and sweeps
– Obvious: incremental destination ports
– Trivial: randomized ports
– Sweep: one port and many addresses
– Stealthy: random ports and addresses over time

Page 37: [Diagram: plotting all destination ports from one source IP to a target network, ports against IP addresses; a port scan is a vertical line (many ports, one address) and a port sweep a horizontal line (one port, many addresses)]

Page 38: [Diagram: the same plot for a random simple port walk; the points are scattered but still map out a network from one IP address]

Page 39: [Diagram: distributed scanning - a MASTER controls many SLAVES; the target sees traffic from many addresses]
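Pages 36 to 39 describe evading a scan detector by spreading the same probes over time or over many source addresses. The example below is added here and is not code from the talk: a threshold detector of the kind the slides assume (alert when one source touches 20 distinct host/port targets within 60 seconds), run over three constructed scans of a made-up 32-host, 20-port network. The window, threshold, addresses, ports and timings are all assumptions.

```python
"""Why the slide 36 'slow roll' and the slide 39 distributed scan get past a
threshold-based scan detector. Constructed example, not the talk's code: the
detector, its window and threshold, the target network, the port list and the
scanner timings are all assumptions.
"""
import random
from collections import defaultdict

WINDOW = 60.0        # seconds of history the sensor keeps per source
THRESHOLD = 20       # distinct (host, port) targets per source within WINDOW -> alert

TARGETS = [f"10.0.0.{i}" for i in range(1, 33)]                     # 32 hosts (constructed)
PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 111, 113, 119, 143, 443,
         513, 514, 515, 1080, 2049, 6000, 8080]                      # 20 ports (constructed)


def detect(events):
    """events: (time, src, dst, port). Returns the set of sources the sensor alerted on."""
    history = defaultdict(list)          # src -> [(time, (dst, port)), ...]
    alerts = set()
    for t, src, dst, port in sorted(events):
        hist = history[src]
        hist.append((t, (dst, port)))
        while hist and t - hist[0][0] > WINDOW:   # expire entries older than the window
            hist.pop(0)
        if len({target for _, target in hist}) >= THRESHOLD:
            alerts.add(src)
    return alerts


def pairs(seed=1):
    """Every (host, port) pair in random order - slide 36's 'randomized ports'."""
    p = [(h, port) for h in TARGETS for port in PORTS]
    random.Random(seed).shuffle(p)
    return p


def noisy_scan(src, gap=0.01):
    """Slide 36 'trivial': randomized, but fast enough to fall inside one window."""
    return [(i * gap, src, h, port) for i, (h, port) in enumerate(pairs())]


def slow_roll(src, gap=120.0):
    """Slide 36 'stealthy': same pairs, spaced so no window ever holds THRESHOLD of them."""
    return [(i * gap, src, h, port) for i, (h, port) in enumerate(pairs())]


def distributed(sources, gap=0.01):
    """Slide 39: the master hands each slave a slice; every slave stays under THRESHOLD."""
    return [(i * gap, sources[i % len(sources)], h, port) for i, (h, port) in enumerate(pairs())]


def coverage(events):
    """What the scanner learned: the set of (host, port) pairs probed."""
    return {(dst, port) for _, _, dst, port in events}


if __name__ == "__main__":
    slaves = [f"198.51.100.{i}" for i in range(1, 65)]
    for name, ev in (("noisy", noisy_scan("192.0.2.1")),
                     ("slow roll", slow_roll("192.0.2.2")),
                     ("distributed", distributed(slaves))):
        print(f"{name:12} probes={len(coverage(ev))} alerts={sorted(detect(ev))}")
```

All three scans probe the same 640 host/port pairs; only the fast single-source one is reported. A slow roll at one probe every two minutes takes about 21 hours for this network, and the 64-slave distributed scan gives each source 10 probes, half the threshold. Catching the slow roll means keeping state for far longer than 60 seconds per source, which is the disk storage and performance limitation from page 6; catching the distributed scan means counting per target network rather than per source.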

Page 40: HIDS - Identifying

• Almost always after you are on a system ...
• Is there anything in the system logs?
• What ports are open?
• What is running out of CRON?
• What is in the NT registry?
• What programs are running?

Page 41: HIDS - Logs

• Simple log deletion may be possible
• Simple log altering may also be possible
– replace IP addresses to mislead
– delete key logs
• Logging may be disabled or intercepted
– Removing syslog from services

Page 42: Generic - Social

• Physical access
• Obtaining "official" access
• Getting others to hack/scan the site for you
– IRC & chat groups
– Hacker challenges
• Run the IDS ......

Page 43: Generic - DOS

• Find the main 'server'
• Kill it
– IP bomb
– Port bomb
– IDS DOS
• Find the clients

Page 44: Contact Information

• http://www.securitywizards.com