At this point in this book you have seen quite a number of ways to break into a computer system, network, or organization. The problem is that though a lot of these attacks are effective at getting information and other items from a target, they can be detected or thwarted. Today’s networks and environments employ a range of defensive and detective measures designed to deal with such attacks.
Today’s corporations employ many defensive measures, each with its own way of putting a stop to your attack. Intrusion detection systems (IDSs), intrusion prevention systems (IPSs), firewalls, honeypots, and others form potent obstacles to your activities. Although these devices are formidable, they are not insurmountable, so you need to first learn how they work and then see what you can do to overcome the obstacles or just get around them altogether. This chapter focuses on these systems and how to deal with them.
Before we delve into the various evasion techniques you can use to get around a defender’s defensive and detective mechanisms, you must learn how they work. We’ll look at each of these systems and show what they are designed to defend against and how they detect or stop an attack.
An intrusion detection system (IDS) is an application or device used to gather and analyze information that passes across a network or host. An IDS is designed to analyze, identify, and report on any violations or misuse of a network or host.
Let’s take a closer look at how an IDS works. An IDS monitors and protects a network by detecting malicious activity; once such activity is detected, it reports it by alerting a network administrator.
Here are some things to keep in mind as we go forward. An IDS:
In practice there are four types of IDSs, each offering unique capabilities that the others do not. We’ll first discuss the types available and where each fits in; then we’ll delve deeper into each.
The main purpose of an IDS is to detect and alert an administrator about an attack. The administrator can then determine, based on the information received from the IDS, what action to take.
An IDS functions in the following way:
So what mechanisms allow an IDS to determine what is an attack and what is not? What works with the rule engine? Well, one of three methods will be used: signature, protocol, or anomaly detection.
The first form of detection or recognition is signature based; this method is also sometimes called misuse detection. The system compares traffic to known models (signatures) and, when a match is found, reports the attack.
Although these problems may seem to bar the implementation of such systems, or at least cause some concern, this type of IDS is widely deployed.
Anomaly detection differs from signature detection in how it identifies potential attacks. In this system, any activity that matches something in the database is considered an anomaly, and any deviation from normal activity is regarded as an attack and triggers further action. Unlike a signature-based system, this type of system must first be taught what normal activity on the network looks like so that it can detect deviations from that baseline. If the system is not properly configured with a picture of normal network behavior, false positives and false negatives can easily become a problem.
The third type of detection used by IDSs is protocol anomaly detection. It is based on anomalies that are specific to a given protocol. To determine what anomalies are present, the system uses the known specification for a protocol as a model and compares traffic against it. Through this design, new attacks may be discovered.
This method can detect new attacks before normal anomaly detection or signature detection can. The detection method relies on the use or misuse of the protocol and not the rapidly changing attack method. Unlike the prior two methods, protocol anomaly detection does not require signature updates to be downloaded. Alarms in this type of system are typically presented differently from others, and thus the manufacturers’ guides should be consulted as each may be different.
So what type of activities are indications of a potential attack? What type of actions can an IDS respond to? Let’s take a look at activities that may indicate an intrusion has occurred.
What is an indicator of an attack on a host? A wide range of activities could be construed as an attack:
Files with the suid or sgid bit set on a Linux system.
Files with a double extension, such as filename.exe.exe.
This is not an exhaustive list. As attackers evolve, so do the attacks that may be used against a target.
Indications of a potential network attack or intrusion include the following:
Other signs can appear that may indicate the presence of an intruder or potential intrusion in progress:
Firewalls are another protective device for networks that stand in the way of a penetration tester or attacker. Firewalls represent a barrier or logical delineation between two zones or areas of trust. In its simplest form an implementation of a firewall represents the barrier between a private and a public network, but things can get much more complicated from there as you’ll see in this section.
When discussing firewalls, it is important to understand how they work and their placement on a network. A firewall is a collection of programs and services located at the choke point (the location where traffic enters and exits the network). It is designed to filter all traffic flowing in and out and determine whether that traffic should be allowed to continue. In many cases the firewall is placed so as to be distanced from important resources, so that if it is compromised, key resources are not adversely impacted. If enough care and planning are taken, along with a healthy dose of testing, only traffic that is explicitly allowed to pass will be able to do so, with all other traffic dropped at the firewall.
Some details about firewalls to be aware of:
Not all firewalls or firewall setups are created equal, so you need to be familiar with each setup and how it works. Firewalls can be set up and arranged in several ways, each offering its own advantages and disadvantages. In this section we’ll cover each method.
A bastion host is intended to be the point through which traffic enters and exits the network. It is a computer system that hosts nothing other than what it needs to perform its defined role, which, in this case, is to protect resources from attack. This type of host has two interfaces: one connected to the public network and the other to the internal network.
This type of setup uses a single firewall with three built-in interfaces. The three interfaces are connected to the Internet, the DMZ (more on this in a moment), and the intranet. The obvious advantage of this setup is that the individual areas are separated from one another by virtue of the fact that each is connected to its own interface. This offers the advantage of preventing a compromise in one area from affecting one of the other areas.
A multihomed firewall is one that is connected to two or more networks, with each interface connected, logically and physically, to its own network segment. A multihomed firewall is commonly used to increase the efficiency and reliability of an IP network. In this case, more than three interfaces are present to allow the systems to be further subdivided according to the organization’s specific security objectives.
A DMZ is a buffer zone between the public and private networks in an organization. It acts not only as a buffer zone but also as a way to host services that a company wishes to make publicly available without allowing direct access to its internal network.
A DMZ is constructed through the use of a firewall. Three or more network interfaces are assigned specific roles such as internal trusted network, DMZ network, and external untrusted network (Internet).
Not all firewalls are the same, and you must know the various types of firewall and be able to understand how each works:
Packet Filtering Firewall This is perhaps the simplest form of firewall. It works at the network level of the OSI model. Typically these firewalls are built directly into a router as part of its standard feature set. This firewall compares the properties of a packet such as source and destination address, protocol, and port. If a packet doesn’t match a defined rule, it is dropped. If the packet matches a rule, it typically is allowed to pass.
Circuit-Level Gateway This is a more complex form of firewall that works at the session layer of the OSI model. A circuit-level firewall is able to detect whether a requested session is valid by checking the TCP handshaking between the packets. Circuit-level gateways do not filter individual packets.
Application-Level Firewall These firewalls analyze the application information to make decisions about whether to transmit the packets.
Stateful Multilayer Inspection Firewall This firewall combines aspects of the other three types. It filters packets at the network layer, determines whether session packets are legitimate, and evaluates the contents of packets at the application layer. Stateful packet filtering overcomes the packet filter firewall’s inability to look beyond the individual packet header when deciding whether to pass traffic.
To determine a type of firewall and even a brand, you can use your experience with port scanning and tools to build information about the firewall your target is running. By identifying certain ports, you can link the results to a specific firewall and from that point determine the type of attack or process to take in order to compromise or bypass the device.
Fortunately, you can perform banner grabbing with Telnet to identify the service running on a port. If you encounter a firewall with specific ports open, that may help in identification: it is possible to grab the banner and see what is reported back.
Another effective way to determine the configuration of a firewall is through firewalking. Firewalking may sound like a painful process and test of courage, but it is actually the process of probing a firewall to determine the configuration of its ACLs by sending TCP and UDP packets at the firewall. The key to making this work is that the packets are crafted with a time to live (TTL) one hop greater than the distance to the firewall: a packet the ACL permits gets past the firewall and expires at the next hop, which answers, whereas a packet the firewall blocks draws no response.
To perform a firewalk against a firewall, you need three components:
Firewalking Host The system, outside the target network, from which the data packets are sent to the destination host, in order to gain more information about the target network
Gateway Host The system on the target network that is connected to the Internet, through which the data packet passes on its way to the target network
Destination Host The target system on the target network that the data packets are addressed to
Once you have used firewalking to gain information about the firewall and how it responds to traffic and probes, the next step is to plan your attack. You may find it possible to use tools such as packet crafters and port redirection to evade the configuration in place.
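The same TTL trick is visible from the other side of the gateway. As an added example, not from the book, the following Python detector runs over constructed iptables-style log lines and flags a source that sweeps many destination ports in a short window with the same small arriving TTL; the TTL value, thresholds, and log format are assumptions for this illustration.

```python
"""Detect a firewalk from the gateway's own packet log (added example)."""
import re
from collections import defaultdict

# Mimics iptables LOG output prefixed with an epoch timestamp (constructed format).
LOG_RE = re.compile(
    r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) .*TTL=(?P<ttl>\d+) .*PROTO=\w+ SPT=\d+ DPT=(?P<dpt>\d+)"
)
# A probe meant to expire one hop past this gateway arrives with TTL 2: the
# gateway decrements it to 1 and the next router to 0, answering Time Exceeded.
ARRIVAL_TTL = 2            # assumed for this gateway's position
MIN_DISTINCT_PORTS = 10    # assumed threshold
WINDOW_SECONDS = 60        # assumed threshold


def parse_log(lines):
    """Yield (source, timestamp, ttl, destination port) for each parseable line."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], int(m["ts"]), int(m["ttl"]), int(m["dpt"])


def detect_firewalk(lines, arrival_ttl=ARRIVAL_TTL,
                    min_ports=MIN_DISTINCT_PORTS, window=WINDOW_SECONDS) -> dict:
    """Return {source: sorted ports} for every source that probed at least
    min_ports distinct destination ports with the tell-tale TTL inside one window."""
    probes = defaultdict(list)
    for src, ts, ttl, dpt in parse_log(lines):
        if ttl == arrival_ttl:
            probes[src].append((ts, dpt))
    hits = {}
    for src, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window from each probe
            ports = {dpt for ts, dpt in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


# Constructed sample: a 12-port sweep with TTL 2, ordinary traffic, and a lone TTL-2 packet.
SAMPLE_LOG = [
    f"{1700000000 + i} IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=2 ID={1000 + i} "
    f"PROTO=TCP SPT=44000 DPT={port} WINDOW=1024 RES=0x00 SYN URGP=0"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
] + [
    "1700000005 IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=54 ID=7 "
    "PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    "1700000009 IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TTL=2 ID=8 "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    print(detect_firewalk(SAMPLE_LOG))
```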
One of the more interesting systems you will encounter is a honeypot. A honeypot may sound like something out of a Winnie the Pooh book, but it is actually a device or system used to attract and trap attackers that are trying to gain access to a system. However, honeypots are far from being just a booby trap; they have also been used as research tools, as decoys, and just to gain information. They are not designed to address any specific security problem.
Because of the way honeypots are positioned, it is safe to assume that any and all interactions with the device are anything but benign in nature.
Honeypots are not all created equal. There are two main categories: high- and low-interaction varieties.
Low-interaction honeypots rely on the emulation of services and programs that would be found on a vulnerable system. If attacked, the system detects the activity and raises an error that can be reviewed by an administrator.
High-interaction honeypots are more complex than low-interaction ones in that they are no longer a single system that looks vulnerable but an entire network typically known as a honeynet. Any activity that happens in this tightly controlled and monitored environment is reported. One other difference in this setup is that in lieu of emulation, real systems with real applications are present.
Each of the devices covered in this chapter is designed to stop or slow down an attack. Since you, as a penetration tester, are trying to test a system, you must be able to get around these devices if possible or at least know how to attempt to do so. In this section we discuss the various mechanisms available, how they work, and what devices they are designed to deal with.
Another mechanism for getting around an IDS is to attack the IDS directly or exploit a weakness in the system via a DoS attack. A DoS or DDoS attack overwhelms or disables a target in such a way as to make it temporarily or permanently unavailable. Through the consumption of vital system resources, the overall performance of the target is adversely impacted, making it less able, or completely unable, to respond to legitimate traffic, or at least not function to the best of its ability.
If we target an IDS with a DoS attack, something interesting happens: The IDS functions erratically or not at all. To understand this, think of what an IDS is doing and how many resources it needs to do so. An IDS is sniffing traffic and comparing that traffic to rules, which takes a considerable amount of resources to perform. If these resources can be consumed by another event, then it can have the effect of changing the behavior of the IDS. By using enumeration and system hacking methods it is possible for an attacker to identify which resources are under load or are vital to the proper functioning of the IDS. Once those resources are identified, the attacker can clog up or consume the resources to make the IDS not function properly or become occupied by useless traffic.
Because an IDS can rely on being able to observe or read information, the process of obscuring or obfuscating code can be an effective evasion technique. This technique relies on manipulating information in such a way that the IDS cannot comprehend or understand it but the target can. This can be accomplished via manual manipulation of code or through the use of an obfuscator. One example that has been successful against older IDSs is the use of Unicode. By changing standard code such as HTTP requests and responses to their Unicode equivalents, you can produce code that the web server understands but the IDS may not.
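The defensive answer is to canonicalize before matching. As an added example, not from the book, this Python code shows a raw-byte signature missing a request path that is percent-encoded, double-encoded, written with %uXXXX escapes or with overlong UTF-8 sequences, while the same signature fires once the path is decoded to the form the web server will act on; the signatures and sample requests are constructed for illustration.

```python
"""IDS-side normalization of an HTTP request path before signature matching (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical signature set for a simple misuse detector.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sensitive-file": re.compile(r"/etc/passwd"),
}
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")  # non-standard escape some servers accepted


def _u_char(m: re.Match) -> str:
    cp = int(m.group(1), 16)
    return "\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp)   # surrogates cannot be encoded


def decode_once(path: str) -> str:
    """One decoding pass: %uXXXX, then %XX, then UTF-8 including overlong two-byte
    forms (0xC0/0xC1 lead bytes) that strict decoders reject but lenient servers
    mapped to plain ASCII."""
    path = _U_ESCAPE.sub(_u_char, path)
    raw = unquote_to_bytes(path)
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out).decode("utf-8", errors="replace")


def normalize_path(raw: str, max_passes: int = 3) -> str:
    """Decode until the text stops changing (bounded, so double encoding is undone),
    then unify separators the way a permissive server does."""
    path = raw.split("?", 1)[0]
    for _ in range(max_passes):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path.replace("\\", "/"))


def match_signatures(text: str) -> set:
    return {name for name, pat in SIGNATURES.items() if pat.search(text)}


def inspect(raw: str) -> dict:
    """Side by side: what a raw match sees versus a match on the normalized path."""
    norm = normalize_path(raw)
    return {"normalized": norm, "raw_hits": match_signatures(raw),
            "normalized_hits": match_signatures(norm)}


if __name__ == "__main__":
    print(inspect("/img/%u002e%u002e/%u002e%u002e/etc/passwd"))
```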
Remember the story from your childhood of the boy who cried wolf? The shepherd boy in the story cried wolf so many times as a joke that when the wolf was actually attacking his flock no one believed him and his flock got eaten. The moral of the story is that liars are rewarded with disbelief from others even when they tell the truth. How does this apply to our IDS discussion? Essentially the same way as the boy in the story: An attacker can target the IDS with an actual attack, causing it to react to the activity and alert the system owner. If done repeatedly, the owner of the system will see log files full of information that says an attack is happening, but no other evidence suggests the same. Eventually the system owner may start to ignore these warnings, or what they perceive to be false positives, and become lax in their observations. Thus an attacker can strike at their actual target in plain sight.
Session splicing is an IDS evasion technique that exploits the fact that some types of IDSs don’t reassemble or rebuild sessions before analyzing traffic. Additionally, it is possible to fool some systems by fragmenting packets or tampering with their transmission in such a way that the IDS cannot analyze them and instead forwards them to the target host.
The TCP protocol uses flags on packets to describe the status of the packet. Knowledge of these flags can yield benefits such as evasion techniques for IDSs.
RST is one of the many flags used to end two-way communications between endpoints. In addition to these flags, checksums are used to verify the integrity of the packet to ensure that what was received is what was sent originally. An attacker can use alteration of this checksum to cause the IDS to not process the packet. What happens with some IDSs is that upon receipt of an invalid checksum, processing stops and the traffic passes unimpeded by the IDS without raising an alert.
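Both the session-splicing problem and the bad-checksum trick come down to the IDS not modelling what the receiving host does. As an added example, not from the book, this Python tracker checksums every TCP segment over the IPv4 pseudo-header, alerts on but otherwise ignores segments that fail (so a forged RST with a bad checksum does not tear down its view of the flow), and stitches valid payload in sequence order before any matching; handshake tracking is omitted and all traffic is constructed inline.

```python
"""TCP checksum validation and in-order reassembly before inspection (added example)."""
import struct

FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's-complement sum with carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header plus segment; 0 means the embedded checksum is correct."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src, dst, sport, dport, seq, flags, payload=b"", corrupt=False) -> bytes:
    """Constructed segment: 20-byte header without options plus payload.
    corrupt=True flips one checksum bit, as a forged segment might carry."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload) ^ (1 if corrupt else 0)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


class StreamTracker:
    def __init__(self):
        self.flows = {}   # (src, dst, sport, dport) -> {"next": seq, "pending": {}, "data": b""}
        self.alerts = []

    def feed(self, src: bytes, dst: bytes, segment: bytes) -> None:
        sport, dport, seq, _ack, off, flags = struct.unpack("!HHIIBB", segment[:14])
        key = (src, dst, sport, dport)
        if tcp_checksum(src, dst, segment) != 0:
            # The endpoint drops this segment, so it must not change our view of the
            # flow either: a bad-checksum RST is reported, not obeyed.
            self.alerts.append(("bad-checksum", key, flags))
            return
        if flags & FLAG_RST:
            self.flows.pop(key, None)
            return
        flow = self.flows.setdefault(key, {"next": seq, "pending": {}, "data": b""})
        payload = segment[(off >> 4) * 4:]
        if payload:
            flow["pending"][seq] = payload
        while flow["next"] in flow["pending"]:      # stitch contiguous payload in order
            chunk = flow["pending"].pop(flow["next"])
            flow["data"] += chunk
            flow["next"] += len(chunk)

    def data(self, src, dst, sport, dport) -> bytes:
        flow = self.flows.get((src, dst, sport, dport))
        return flow["data"] if flow else b""


def demo() -> StreamTracker:
    """Constructed exchange: a request spliced over three segments delivered out of
    order, then a forged RST with a bad checksum. The flow survives and the
    reassembled request shows the traversal string no single segment contained."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
    parts = [b"GET /..", b"/../etc", b"/passwd HTTP/1.0\r\n\r\n"]
    seqs = [1000, 1007, 1014]
    tracker = StreamTracker()
    for i in (0, 2, 1):
        tracker.feed(src, dst, build_segment(src, dst, 40000, 80, seqs[i], FLAG_ACK | FLAG_PSH, parts[i]))
    tracker.feed(src, dst, build_segment(src, dst, 40000, 80, 1034, FLAG_RST | FLAG_ACK, corrupt=True))
    return tracker
```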
The URG flag is used to mark data as being urgent in nature. Although it is used to indicate which information is of an urgent nature, all information that flows before it is ignored in order to process the urgent data. Some IDSs do not take this previous data into account and let it pass unimpeded, letting an attack potentially pass without hindrance.
Some IDSs cannot process encrypted traffic and therefore will let it pass. In fact, of all the evasion techniques, encryption is one of the most effective.
Earlier you learned what a firewall is capable of doing and the different types that exist. So how does an attacker evade these devices? A handful of techniques are available.
One effective way an attacker can evade a firewall is to appear as something else, such as a trusted host. Using spoofing to modify address information, the attacker can make the source of an attack appear to come from someplace else rather than the malicious party.
With source routing, the sender of a packet designates the route it should take through the network such that the designated route bypasses the firewall node. Using this technique, the attacker can evade the firewall’s restrictions.
Through the use of source routing, it is entirely possible for the attacker or sender of a packet to specify the route they want it to take instead of leaving such choices up to the normal routing process. In this process the origin or source of a packet is assumed to have all the information it needs about the layout of a network and can therefore specify its own best path for getting to its destination.
By employing source routing, an attacker may be able to reach a system that would not normally be reachable. These systems could include those with private IP addresses or those that are protected under normal conditions from the Internet. The attacker may even be able to perform IP spoofing, further complicating detection and tracing of the attack by making the packet’s origin unknown or different from its actual origin.
Fortunately, the easiest way to prevent source routing is to configure routers to ignore any source routing attempts on the privately controlled network.
The attacker uses the IP fragmentation technique to create extremely small fragments and force the TCP header information into the next fragment. This may result in a case where the TCP flags field is forced into the second fragment, while filters can check these flags only in the first octet. Thus the IDS ignores the TCP flags.
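Both of the preceding weaknesses are decided in the IPv4 header itself. As an added example, not from the book, this Python code parses the fixed header and its options and returns two of the findings a filter should act on: a source-routing option (loose 0x83 or strict 0x89), which the text recommends routers refuse, and a first fragment of a TCP packet that is too short to carry the full 20-byte TCP header, so the flags would only appear in a later fragment (the tiny-fragment case of RFC 1858); the sample packets are constructed.

```python
"""IPv4 header checks for source routing and tiny first fragments (added example)."""
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0x00, 0x01, 0x83, 0x89
PROTO_TCP = 6
MIN_TCP_HEADER = 20


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and walk the options list."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    options, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = pkt[i + 1]
        options.append((kind, pkt[i + 2:i + length]))
        i += max(length, 2)          # a malformed zero length must not loop forever
    return {"ihl": ihl, "proto": proto, "ttl": ttl,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,
            "options": options, "payload_len": total_len - ihl}


def check_header(pkt: bytes) -> list:
    """Policy findings for one packet; an empty list means it may proceed."""
    hdr = parse_ipv4(pkt)
    findings = []
    if any(kind in (IPOPT_LSRR, IPOPT_SSRR) for kind, _ in hdr["options"]):
        findings.append("source-routing-option")    # drop, as the text recommends
    if (hdr["proto"] == PROTO_TCP and hdr["frag_offset"] == 0
            and hdr["more_fragments"] and hdr["payload_len"] < MIN_TCP_HEADER):
        findings.append("tiny-first-fragment")      # TCP flags would land in fragment two
    return findings


def build_ipv4(payload: bytes, proto=PROTO_TCP, options=b"",
               more_fragments=False, frag_offset=0) -> bytes:
    """Constructed packet for the samples; the header checksum is left zero."""
    options += b"\x00" * (-len(options) % 4)         # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 1,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    return hdr + options + payload


# Constructed loose source route option: kind, length 7, pointer 4, one hop address.
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4]) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    print(check_header(build_ipv4(bytes(20), options=LSRR_OPTION)))
    print(check_header(build_ipv4(bytes(8), more_fragments=True)))
```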
A mechanism that is effective in some cases at evading or bypassing a firewall is the use of an IP address in place of a URL. Since some firewalls only look at URLs instead of the actual IP address, use of the address to access a website can allow an attacker to bypass the device.
Other mechanisms that are somewhat similar to this technique are using website anonymizers and using open public proxy servers to get around the firewalls or website restrictions of a company.
Yet another method to bypass or evade a firewall is through the use of ICMP tunneling. ICMP can be used to bypass a firewall through a little-known part of the RFC 792 specification (responsible for defining the operation of ICMP). The ICMP protocol defines the format and structure of the packet, but not what the packet carries as part of its data portion. Due to this ambiguous definition of the data portion, the contents can be completely arbitrary, thus allowing for a diverse range of items to be included within the data section. This section can include information regarding applications that can open a covert channel or plant malware. The end result can be that an organization’s firewalls can be opened.
One tool that is effective at performing this type of task is Loki, which has the ability to tunnel commands within an ICMP echo packet. Other similar tools are ncovert and 007shell, both of which allow for the crafting of packets that can be used to bypass a firewall.
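Because RFC 792 leaves the echo data field arbitrary, there is no format a monitor can enforce; what it can do is compare each message with what ordinary ping clients produce. As an added example, not from the book, this Python code scores echo requests and replies on payload size and fill pattern, checks that a reply returns the request's data unchanged, and measures byte entropy on larger payloads; the size baseline, entropy threshold, and packets are all constructed assumptions.

```python
"""Heuristics for spotting ICMP tunnels in echo traffic (added example)."""
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
MAX_BENIGN_PAYLOAD = 64   # assumed baseline: Linux ping sends 56 data bytes, Windows 32
ENTROPY_THRESHOLD = 6.5   # bits per byte, assumed; only judged on 128+ byte payloads


def parse_icmp(pkt: bytes):
    """Split an ICMP message into type, code, identifier, sequence and data."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def is_standard_fill(data: bytes) -> bool:
    """Ordinary clients fill the data with a byte ramp (iputils, after an 8-byte
    timestamp) or a short repeating alphabet (Windows); tunnel frames carry neither."""
    body = data[8:] if len(data) > 8 else data
    if len(body) < 2:
        return True
    if all((body[i] - body[i - 1]) & 0xFF == 1 for i in range(1, len(body))):
        return True
    return any(all(body[i] == body[i - p] for i in range(p, len(body)))
               for p in range(1, min(33, len(body))))


def score_echo(pkt: bytes) -> list:
    """Findings for one echo request or reply; an empty list means it looks like ping."""
    typ, _code, _ident, _seq, data = parse_icmp(pkt)
    if typ not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    findings = []
    if len(data) > MAX_BENIGN_PAYLOAD:
        findings.append("oversized-payload")
    if not is_standard_fill(data):
        findings.append("non-standard-fill")
        if len(data) >= 128 and shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings.append("high-entropy-payload")   # compressed or encrypted tunnel data
    return findings


def reply_mismatch(request: bytes, reply: bytes) -> bool:
    """RFC 792 requires the reply to return the request's identifier, sequence and
    data unchanged; a tunnel endpoint answering with new data breaks this."""
    rtyp, _, rid, rseq, rdata = parse_icmp(request)
    ptyp, _, pid, pseq, pdata = parse_icmp(reply)
    return not (rtyp == ICMP_ECHO_REQUEST and ptyp == ICMP_ECHO_REPLY
                and (rid, rseq, rdata) == (pid, pseq, pdata))


def echo(typ: int, ident: int, seq: int, data: bytes) -> bytes:
    """Constructed ICMP echo message (checksum field left zero)."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data


# Constructed samples: a Linux-style ping payload and a 200-byte pseudo-random tunnel frame.
PING_DATA = bytes(8) + bytes(range(0x10, 0x40))
TUNNEL_DATA = bytes((97 * i + 13) % 256 for i in range(200))

if __name__ == "__main__":
    print(score_echo(echo(ICMP_ECHO_REQUEST, 0x1234, 1, PING_DATA)))
    print(score_echo(echo(ICMP_ECHO_REQUEST, 0x4242, 7, TUNNEL_DATA)))
```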
Pursuing a variation of a theme, you can also use ACK tunneling to bypass the scrutiny of a firewall. ACK tunneling exploits the fact that some firewalls do not check packets that have the ACK bit configured. The reason for this lapse is that the ACK packet is used to respond to previous, and assumed legitimate, traffic that has already been approved.
An attacker can leverage this by sending packets with the ACK flag set using a tool such as AckCmd.
An additional variation of the tunneling method involves exploiting the HTTP protocol. This method may be one of the easiest to use, mainly because HTTP is already allowed through many firewalls as part of normal operation. HTTP traffic is considered normal because just about every company needs Internet access or must provide public access to resources such as web servers and web applications, so it does not appear abnormal.
One tool that may be used to exploit this situation is HTTPTunnel, which uses a client-server architecture to facilitate its operation.
With so many techniques and mechanisms at your disposal, you can now test your defensive and monitoring capabilities.
The following are the general steps and process for testing the integrity and capability of a firewall, whether it is based on hardware or software:
Much like testing a firewall, there is a general process for testing an IDS. It tends to be something like the following:
It is important for you to remember that not every attack will work when testing a firewall or IDS, but you should still log the results and make note of the way the devices respond. When testing is completed, compare and analyze the results to see if you can determine any patterns or behavior that may indicate the nature of the environment or vulnerabilities present.
In this chapter we looked at firewalls, IDSs, and honeypots as mechanisms used to defend a network as well as something to evade as an attacker. You saw that the problem is that whereas many attacks are effective at getting information, they can be thwarted by using any of the systems we have covered. In fact, today’s networks and environments employ a range of defensive and detective measures designed to deal with such attacks.
Today’s corporations use many defensive measures, each with its own way of putting a stop to attacks. Systems such as intrusion detection systems, intrusion prevention systems, firewalls, honeypots, and others form very potent adversaries and obstacles to your activities. Although these devices are formidable, they are not insurmountable, so you must first learn how they work and then see what you can do to overcome the obstacles or just get around them altogether.
Understand the different types of firewalls. Know that not all firewalls are the same and that each operates a little differently. For example, packet filtering firewalls work at the network level and are commonly found embedded in routers, whereas stateful firewalls are devices unto themselves.
Know the differences between HIDSs and NIDSs. Understand that an HIDS and an NIDS are not the same and do not monitor the same type of activity. An NIDS monitors traffic on a network, but diminishes in effectiveness where a host is concerned. An HIDS has diminishing capability outside of a specific host.
Understand the role of a honeypot. A honeypot is a tool used to attract an attacker for the purpose of research, acting as a decoy, or to gain intelligence as to what types of attacks you may be facing and how well your defenses are working.
An HIDS is used to monitor activity on which of the following?
Which of the following can be used to identify a firewall?
An NIDS is based on technology similar to which of the following?
Which of the following can be used to evade an IDS?
Altering a checksum of a packet can be used to do what?
Firewalking is done to accomplish which of the following?
An attacker can use _________ to find information about a firewall.
A _________ is used to attack an IDS.
Which of the following uses a database of known attacks?
An anomaly-based NIDS is designed to look for what?
A multihomed firewall has a minimum of how many network connections?
A DMZ is created with which of the following?
A firewall is used to separate which of the following?
SMTP is used to perform which function?
Which ports does SNMP use to function?
HTTP is typically open on which port in a firewall?
What is a system used as a chokepoint for traffic?
At which layer of the OSI model does a packet filtering firewall work?
What type of firewall analyzes the status of traffic?
What can be used instead of a URL to evade some firewalls?