CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots PDF

Evading IDS, Firewalls, and Honeypots
Module 17
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Evad in g IDS, Firew alls, and Honeypots

Module 17
Engineered by Hackers. Presented by Professionals.
CEH
E t h ic a l H a c k in g
a n d
C o u n te r m e a s u r e s
v 8
Module 17: Evading IDS, Firewalls, and Honeypots Exam 312-50
Module 17 Page 2550
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
R u s s ia n S e r v ic e R e n ts A c c e s s T o H a cke d C o rpo rate P Cs
October 23, 2012 12:30 PM
Service provides stolen remote desktop protocol credentials, letting buyers remotely log in to corporate servers and PCs, bypassing numerous security defenses. Want to infiltrate a business? An online service sells access credentials for some of the world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a corporate firewall. That finding comes by way of a new report from information security reporter Brian Krebs, who's discovered a Russian-language service that traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft standard that allows for a remote computer to be controlled via a graphical user interface. The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.
h ttp ://w w w .in fo rm a tio n w e e k .co m
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u r it y
N e w s
R u ssia n S ervice R ents A ccess To H ac k ed C o rp o rate PCs

Source: http: //w ww .i nfo rm at ion we ek. co m Service provides stolen r e m o t e d e s k to p protocol credentials, letting buyers remotely log in to co rpo ra te servers and PCs, bypassing n u m ero us security defenses. Want to infiltrate a business? An online service sells access credentials for s om e of th e world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a co rp or a te firewall. That finding comes by way of a new repor t from information security repo rt er Brian Krebs, who's discovered a Russian-language service th at traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft s tandard th at allows for a re m o t e c o m p u t e r to be controlled via a graphical use r interface. The RDP-renting service, du b b e d Dedicatexpress.com, uses t h e tagline "The whole world in one service" and is advertised on multiple unde rgr oun d cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.
Module 17 Page 2551
Here's how Dedicatexpress.com works: Hackers submit their stolen RDP credentials to th e service, which pays t h e m a commission for every rental. According to a screen grab published by Krebs, t h e to p submitters a re "lopster," with 12,254 rentals, followed by "_sz_", with 6,645 rentals. Interestingly, submitters can restrict wh a t t h e machines may be used f o r - f o r example, specifying th at machines aren 't t o be used t o run online gambling op erations or PayPal scams, or t h a t th ey can't be run with administrator-level credentials. New users pay $20 t o join th e site, after which they can search for available PC and server RDP credentials. Rental prices begin at just a few dollars and vary based on t h e machine's processor speed, upload and download bandwidth, and th e length of time t h a t t h e machine has been consistently available online. According t o Krebs, th e site's managers have said they w o n 't traffic in Russian RDP credentials, suggesting t h a t th e site's own er s are based in Russia and don't wish t o antagonize Russian authorities. According to security experts, Russian law e n fo r c e m e n t agencies typically turn a blind eye to cybercrime gangs operating inside their borders, providing they do n't target Russians, and t h a t t h e s e gangs in fact occasionally assist authorities. W hen reviewing t h e Dedicatexpress.com service, Krebs said he quickly discovered th at access was being rented, for $4.55, to a system t h a t was listed in t h e Internet addres s space assigned to Cisco, and t h a t several machines in th e IP addres s range assigned t o Microsoft's managed hosting network we re also available for rent. In th e case of Cisco, th e RDP credentials-u s e rn a m e and p a s s w o r d - w e r e both "Cisco." Krebs r ep or ted t h a t a Cisco source told him th e machine in question was a "bad lab machine." As th e Cisco case highlights, poor u s e rn a m e and password combinations, combined with re m o te -c on tro l applications, give attackers easy access t o co rp or a te networks. Still, even complex us e rn a m es and passwords may not stop attackers. Since Dedicatexpress.com was foun ded in 2010, it's offered access to a b o u t 300,000 different systems in total, according to Krebs. Interestingly, 2010 was t h e s a m e year th at security researchers first discovered t h e Georbot Trojan application, which scans PCs for signs t h a t remote-control software has be en installed and t h e n captures and transmits related credentials to attackers. Earlier this year, security researchers at ESET found th at wh en a Geor bot-infected PC was unable to contact its designated comman d-an d-co ntro l server to receive instructions or transmit stolen data, it instead con tac te d a server based in th e country of Georgia. W hen it co m e s to built-in r e m o t e access t o Windows machines, RDP technology was first included in t h e W in d o w s XP P r o f e s s io n a l - b u t not H om e -v e r s io n of th e operating system, and it has be en included in every edition of Windows released since then. The current software is du bb e d Remote Desktop Services (for servers) and Rem ote Desktop Connection (for clients). Might W in do w s 8 security i m p r o v e m e n ts help prevent unauthorized people from logging onto PCs using stolen r e m o t e desktop protocol credentials? That's not likely, since Microsoft's new operating s y s t e m - s e t to d e b u t later this w e e k - in c lu d e s th e latest version, Rem ote Desktop Protocol 8.0, built in.
Module 17 Page 2552
Microsoft has also released a free Windows 8 Remote Desktop application, filed in th e "productivity" section of Windows Store. According to Microsoft, "the new Metro-style Remote Desktop ap p enables you t o conveniently access your PC and all of your co rpo ra te resour ces from anywhere." "As many of you already know, a salient feat ure of Windows Server 2012 and Windows 8 is th e ability to deliver a rich user experience for r e m o t e desktop users on corpo rate LAN and WAN networks," read a recent blog post from Sh a n m u g a m Kulandaivel, a senior program man ag er in Microsoft's Rem ote Desktop Virtualization te a m . Despite such capabilities now being built into n u m er o u s operating syste ms-in clud ing Linux and Mac OS X - m a n y security experts r e c o m m e n d deactivating or removing such tools wh en they 're not need ed. "Personally, I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface," said Wolfgang Kandek, CTO of Qualys. He m ad e t h o s e c o m m e n ts earlier this year, after th e source code for Symantec's pcAnywhere Windows remot e-a cce ss software was leaked to t h e Internet by hacktivists. Security experts w e r e concer ne d th at attackers might discover an exploitable zeroday vulnerability in th e remot e-acc ess code, which would allow t h e m to remotely access any machine th at had t h e software installed.
Copyright 2012 UBM Tech By Mathew J.Schwartz

http://www.inforrr 1ationweek.com/securitv/attacks/russian-service-rents-access-to-hackedc/240009580
Module 17 Page 2553
M odule O bjectives
J J J J J J J J J Ways to Detect an Intrusion Types of Intrusion Detection Systems General Indications of Intrusions Firewall Architecture Types of Firewall Firewall Identification How to Set Up a Honeypot Intrusion Detection Tools How Snort Works J J J J J J J J J Firewalls Honeypot Tools Evading IDS Evading Firewalls Detecting Honevoots Firewall Evasion Tools Packet Fragment Generators Countermeasures
C EH
Firewall/IDS Penetration Testing
Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
o d u le
O b je c t iv e s
* Today, hacking and c o m p u t e r system attacks are c om m on , making th e impor tan ce of intrusion detection and active protection all th e m ore relevant. Intrusion detection systems (IDSes), intrusion prevention systems (IPSes), firewalls, and ho neypots are th e security mechanisms im p lem en ted to secure networks or systems. But attackers are able t o manage even t h e s e security mechanisms and trying to break into t h e legitimate system or netw ork with th e help of various evasion techniques. This module will familiarize you with: e e Ways t o Detect an Intrusion Types of Systems Intrusion Detection e e Firewalls Honeypot Tools Evading IDSes Evading Firewalls Detecting Honeypots Firewall Evasion Tools Packet Fragment G enerators Counte rme asu re s Firewall/IDS Penetration Testing
General Indications of Intrusions Firewall Architecture
Types of Firewalls e e Firewall Identification How to Set Up a Honeypot Intrusion Detection Tools
^1 dff0wP^10rl4W0rks
Ethical Hacking and Countermeasures Copyright by All Rights Reserved. Reproduction is Strictly
Module Flow
C EH
Copyright by EG-G*nncil. All Rights Reserved. Reproduction is Strictly Prohibited.
o d u le
F lo w
To und ers ta nd IDSes, firewalls, and honeypots, evasion techniques used by th e attackers to break into t h e target network or system, it is necessary to un de rst an d th ese mechanisms and how they preve nt intrusions and offer protection. So, let us begin with basic IDS, firewall, and ho ne ypo t concepts.
(3 =
IDS, Firewall an d Ho ne yp ot Concepts
Detecting H one ypo ts
IDS, Firewall an d H o ne yp ot System
Firewall Evading Tools
Evading IDS
C o u n t e rm e a s u r e
Evading Firewall
Pe ne tra tio n Testing
This section introduces you with t h e basic IDS, firewall, and hon ey po t concepts.
Module 17 Page 2555
Intrusion Detection Systems (IDS) and their Placement

1111 2 .1 1 . 1U1
CEH
User j J J
Intranet
An intrusion detection system (IDS) gathers and analyzes information from within a com puter or a network, to identify the possible violations of security policy, including unauthorized access, as well as m isuse An ID S is also referred to as a "packet-sniffer," which intercepts packets traveling along various com m unication m edium s and protocols, usually TCP/IP The packets are analyzed after they are captured
_J The IDS filters traffic for signatures that m atch intrusions, and signals an alarm when a m atch is found
Copyright by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
In t r u s io n P la c e m
D e t e c t io n
S y s t e m
( ID S e s )
a n d
t h e ir
e n t
An intrusion detection system is used t o mo ni to r and p r o te c t n e tw o rk s or systems for malicious activities. To alert security personnel a b o u t intrusions, intrusion detection systems are highly useful. IDSes are used to monitor network traffic. An IDS checks for suspicious activities. It notifies th e administrator a b o u t intrusions immediately. Q An intrusion detection system (IDS) ga thers and analyzes information from within a co m p u t e r or a network, t o identify t h e possible violations of security policy, including un a ut hor ize d access, as well as misuse An IDS is also referred to as a "packet-sniffer," which intercepts packets traveling along various communication m ediums and protocols, usually TCP/IP The packets are analyzed after th ey a re captur ed An IDS evaluates a susp ecte d intrusion once it has taken place and signals an alarm
Module 17 Page 2556
User
Intranet FIGURE 17.1: Intrusion Detection Systems (IDSes) and their Placement
Module 17 Page 2557
How IDS Works
U rtifM
CEH
tUx*l lUckM
Signature file com parison
v * Anomaly Detection
- x
Alarm notifies admin and packet can be dropped
Action Rule
V b
Connections are cut down from that IP source
Stateful protocol analysis
<
Packet is dropped
S w itch
Copyright by EG-CtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
H o w
a n
ID S
o r k s
The main purposes of IDSes are th at t h ey not only p r e v e n t intrusions but also alert th e a d m in is tr a to r imm edi ate ly w h e n t h e attack is still going on. The administrator could identify m e t h o d s and techni qu es being used by th e intruder and also th e source of attack. An IDS works in th e following way: Q IDSes have sensors to d e t e c t signa tures and s o m e advanced IDSes have behavioral activity detection t o d e te r m i n e malicious behavior. Even if signatures don't match this activity detection system can alert administrators a b o u t possible attacks. If th e signature matches, t he n it moves to t h e next step or the c on ne ct io ns are cut d o w n from t h a t IP source, th e packet is dro pp ed, and th e alarm notifies th e admin and th e packet can be dr opped. Once t h e signature is matched, t h en sensors pass on a n o m a l y dete cti on, w h e t h e r th e received packet or requ es t matches or not. If t h e packet passes th e an omaly stage, t h e n stateful protocol analysis is done. After th at thro ug h switch th e packets are passed on to t h e network. If anything mismatches again, th e connections are cut do wn from t h a t IP source, th e packet is dr opped, and th e alarm notifies th e admin and packet can be dropped.
Module 17 Page 2558
ID S P r e p r o c e s s o r
ID S
1V S ig n a tu refile c o m p a ris o n
Switch
FIGURE 17.2: How an IDS Works
Module 17 Page 2559
Ways to Detect an Intrusion /
CEH
S ig n a tu r e R e c o g n itio n
It is also known as misuse detection. Signature recognition tries to identify events that misuse a system
A n o m a ly D e te c tio n
Tl nr
It detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system
P ro to c o l A n o m a ly D e te c tio n
In this type of detection, models are built to explore anomalies in the way vendors deploy the TCP/IP specification
a y s
to
D e t e c t
a n
In t r u s io n
An intrusion is d e te c te d in t h r e e ways.
S ig n atu re D etectio n
* Signature recognition is also known as misuse de tec tio n. It tries to identify events th at indicate an abu se of a system. It is achieved by creating models of intrusions. Incoming events are co m p a r ed with intrusion models t o make a detection decision. While creating signatures, t h e model must de te c t an attack without disturbing th e normal traffic on the system. Attacks, and only attacks, should match th e model or else false alarms can be gene rated . The simplest form of signature recognition uses simple pattern matching to c om pa r e th e network packets against binary signatures of known attacks. A binary signature may be defined for a specific portion of th e packet, such as th e TCP flags. Signature recognition can de tec t known attacks. However, t h e r e is a possibility th at ot her packets th at match might re pr e s en t th e signature, triggering bogus signals. Signatures can be customized so t h a t even well-informed users can c rea te th em . Signatures th at a re fo rm e d improperly may trigger bogus signals. In or der t o de tect misuse, th e n u m b e r of signatures required is huge. The more t h e signatures, t h e more
Module 17 Page 2560
attacks can be dete cte d, thou gh traffic may incorrectly match with t h e signatures, reducing th e pe rfor mance of t h e system. The bandwidth of th e network is co n su me d with t h e increase in th e signature da tabase. As th e signatures are co mp ar ed against t h o s e in t h e d ata ba se, th e r e is a probability that th e maximum n u m b e r of comparisons cannot be made, resulting in certain packets being dropped. New virus attacks such as A D M uta te and Nimda c rea te t h e need for multiple signatures for a single attack. Changing a single bit in s o m e attack strings can invalidate a signature and c rea te th e need for an entirely ne w signature. Despite problems with signatu re-based intrusion detection, such systems a re popular and work well w h e n configured correctly and mon itore d closely
A nom aly D etectio n

Anomaly detection is otherwise called " no t-u se de te c ti o n . Anomaly detection differs from t h e signature recognition model. The model consists of a d a ta b a s e of anomalies. Any event t h a t is identified with t h e d a t a b a s e in considered an anomaly. Any deviation from normal use is labeled an attack. Creating a model of normal use is th e most difficult task in creating an anomaly de tector. In t h e traditional m et h o d of anomaly detection, im po rta nt data is kept for checking variations in network traffic for t h e model. However, in reality, t h e r e is less variation in n e t w o r k traffic and t o o many statistical variations making t h e s e models imprecise; s o m e events labeled as anomalies might only be irregularities in network usage. In this type of approach, t h e inability t o instruct a model thoroughly on t h e normal network is of grave concern. These models should be trained on t h e specific network th at is to be policed.
P rotocol A nom aly D etectio n
Protocol anomaly detection is based on th e anomalies specific t o a protocol. This model is integrated into th e IDS mod el recently. It identifies th e TCP/IP protocol specific flaws in the network. Protocols are created with specifications, known as RFCs, for dictating proper use and communication. The protocol anomaly de te c to r can identify ne w attacks. There are new attack m e t h o d s and exploits t h a t violate protocol stan da rd s being discovered frequently. The pace at which th e malicious signature att a ck e r is growing is incredibly fast. But th e network protocol, in comparison, is well defined and changing slowly. Therefore, th e signature d a ta b a s e must be u p d a te d frequently t o d e te c t attacks. Protocol anomaly de tection systems are easier to use because they require no signature updates
Module 17 Page 2561
Protocol anomaly de tec tor s are different from t h e traditional IDS in how they present alarms. The best way to pr esent alarms is to explain which part of t h e state system was compromised. For this, th e IDS ope rat ors have to have a t ho rou gh knowledge of th e protocol design; th e best way is t h e d o c um e nt at io n provided by t h e IDS.
Module 17 Page 2562
Types of Intrusion Detection Systems

N e tw o rk -B a se d Intrusion D etectio n
These mechanisms typically consist of a black box that is placed on the network in the promiscuous mode, listening for patterns indicative of an intrusion
CEH
H ost-B ased Intrusion Detection
IT.
These mechanisms usually include auditing for events that occur on a specific host These are not as common, due to the overhead they incur by having to monitor each system event
nwn
3 Log File M onitoring
Q These mechanisms are typically programs that parse log files after an event has already occurred, such as failed log in attempts /f V
File In te g rity C he ckin g

These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there, for example, Tripwire
T y p e s
o f In t r u s io n
D e t e c t io n
S y s t e m
Basically ther e are four types of intrusion detection systems are available. They are:
N etw o rk -b ased In tru sio n D etectio n

The NIDS checks every packet entering t h e network for th e presen ce of a n o ma lie s and incorrect da ta. Unlike th e firewalls th at are confined to t h e filtering of data packets with vivid malicious co nten t, t h e NIDS checks every packet thoroughly. An NIDS c a p tu re s and inspects all traffic, regardless of w h e t h e r it is permitted. Based on th e content, at either t h e IP or application-level, an alert is gen era ted . Network-based intrusion detection systems t e n d to be more distributed t h an h o s t- b a s e d IDSes. The NIDS is basically designed t o identify th e anomalies at t h e router- and host-level. The NIDS audits t h e information contained in t h e data packets, logging information of malicious packets. A t h r e a t level is assigned to each risk after th e data packets are received. The t h re a t level enables t h e security t e a m to be on alert. These mechanisms typically consist of a black box t h a t is placed on t h e netw ork in t h e promiscuous mode, listening for pa tterns indicative of an intrusion.
H o st-b ased In tru sio n D etectio n

In t h e host-based system, t h e IDS analyzes each system's behavior. The HIDS can be installed on any system ranging from a de sktop PC t o a server. The HIDS is m o re versatile th an
Module 17 Page 2563
th e NIDS. One example of a host-based system is a program t h a t op e ra te s on a system and receives application or operating system audit logs. These programs are highly effective for detecting insider abuses. Residing on th e trust ed network systems themselves, they are close to th e network's a uth en tic ate d users. If o ne of t h e s e users a t t e m p t s unauthorized activity, hostbased systems usually de tec t and collect t h e mo st pertinent information promptly. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. HIDSes are more focused on changing aspects of t h e local systems. HIDS is also m ore platform-centric, with more focus on t h e Windows OS, but t h e r e are ot her HIDSes for UNIX platforms. These mechanisms usually include auditing for events that occur on a specific host. These a re not as co mmo n, due t o th e ove rhead t he y incur by having to monitor each system event
Log F ile M o n ito rin g

A Log File Monitor (LFM) monitors log files crea ted by netw ork services. The LFT IDS searches th rough t h e logs and identifies malicious events. In a similar m a n n e r to NIDS, t h e s e systems look for pa tterns in t h e log files th at suggest an intrusion. A typical example would be parsers for HTTP serve r log files t h a t look for intruders w ho try well-known security holes, such as th e "phf" attack. An example is swatch. These mechanisms are typically programs t h a t parse log files after an event has already occurred, such as failed log in a t t e m p t s .
F ile In te g rity C h e c k in g
------- These mechanisms check for Trojan horses, or files th at have ot herwise been modified, indicating an intruder has already been there, for example, Tripwire.
1 PH
Module 17 Page 2564
System Integrity Verifiers (SIV)
CEH
J Tripwire is a System Integrity Verifiers (SIV) that monitors system files and detects changes by an intruder
+ Trxiwrt
R o o NedG roup 1 J
rJ
I Severity
D
0 J5
3y locator
^ AtJenU Hi J W J HI J w WJ Commerce Server Databeeo Server! Server* W*6 Server
0yT yo*
By Serve
'* M a n *
3.04c
jjByic-ato nH o c * G e v c6 0 M
j j '.oc# G0 oe 5C4e
W _ $ Desktop
N EM 5 T 2 -SYS j \ O J ' 6 0 ?0 1 .1 SYS jk J 1 &u CWWOWV 1 11 r* ewmoowsi MJLTRASVS t it! CWltOOWSI vfeya W ' 1 M N00W 9 Vpeecey* |M 0 d ^ h i CW alj UJ 'm d rn x ad k aya 1 ._ .J J V W W O O JV S W%*y 1 1 1 1C W DOW SV UMMDty* iti CW 1 P NSYS in cwwoowsv V
31 21 31 31 31 Jl 31 31 3j 3j r> ]
1 0 0 1 0 e 1 0 0 1 0 0 1 0 0 1 0 0 1 0 c 1 0 0 1 0 0 1 0 0 1 0 0
H a A a 8 A a A A A "H
* -J
_J
* ' , J By Service
_$
'ypo
hJ CWWOOW* 'CXGTHKSYS CW M N D O W Sl ill
h ttp :/ /w w w . trip w ire, com
n r
Copyright
by EC-CMHCil. All Rights Reserved. Reproduction is Strictly Prohibited.
S y s t e m
In t e g r it y
V e r if ie r s
( S IV )
Source: http://www.tripwire.com A System Integrity Verifier (SIV) m o n i to rs sys tem files to de te r m i n e w h e t h e r an intruder has changed t h e files. An integrity monitor watches key system objects for changes. For example, a basic integrity monitor uses system files, or registry keys, t o track changes by an intruder. Although they have limited functionality, integrity monitors can add an additional layer of protection to ot her forms of intrusion dete cti on.
hmm
E
S 5 ( -to o t ,iooe Grouo 1 1
By Type By Locatr jS By Servce fiode Group 0eGroc fioae Group 8 3*3 8 335 8 3*0
Prem* fiesor*
element
Change lype r< tM ST S' J t J - J l
Current Verwor 31 3j S 20MS 4 1 52 . ev 4.2004 S S401 Ai . .
T Sevtnty IC O IC O 1 C 0 1 C 0 1 C 0 IC O IC O f A 9 3J A A A A A J
JfcJ fc]
I
.Zj
2 15
_ j
eJ a , * *
S J SI J :omnerce Server I Dataoese Server* I 1 * i Server
JfcJ C\WNOOWS\ UA.TRASVS
Jgl "ccilcehoo Qj
fg ,
a
J ffl
w Vfc Servers
bl u 51J
Jgl M odtfcabcn Jgl llcdil
3 1 3 1 3 1
a < : -
SJ > wY o r ti
0 W M **o n O C .
1 1* ill 51J
lV (A N O O l/ Y S V \hdmfiy ow* W i S S VM N O O W SV 'OXGTVKSYS
_j.J
& -co,-.- 31
& l . , ' 31
1 '
IC O IC O too
J -* 5
Jl
F IG U R E 17.3: System Integrity Verifiers (SIV ) Screenshot
Module 17 Page 2565
General Indications of Intrusions
C EH -
G e n e r a l
In d ic a t io n s
o f In t r u s io n s
Following are th e general indications of intrusions:
F ile S ystem In tru sio n s

By observing th e system files, you can identify t h e presen ce of an intruder. The system files record t h e activities of t h e system. Any modification or deletion in th e file attributes or th e file itself is a sign t h a t t h e system was a targe t of attack: If you find new, u n k n o w n file s/p ro gra ms on your system, t h e n th e r e is a possibility th at your system has been intruded. The system can be compro mise d t o t h e point th at it can in turn c o m p r o m is e o t h e r sys tem s in your network. When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When t h e intruder obtains th e Administrator privilege, he or she changes th e file permissions, for example, from Read-Only t o Write. Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all of your system files. Presence of rogue suid and sgid files on your Linux system th at do no t match your m aster list of suid and sgid files could indicate an attack.
Module 17 Page 2566
You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions. Missing files are also sign of a probable intrusion/attack.
LJ 1 g
6
N etw ork In tru sio n s

Sudden increase in bandwidth co nsumption is an indication of intrusion. Repeated probes of t h e available services on your machines. Connection requests from IPs ot he r th an t h o s e in the network range are an indication th at an u n a u t h e n t i c a t e d us e r (intruder) is a tte m p tin g to con n ect to t h e network. You can identify r ep e a te d a t t e m p t s to log in from r e m o t e machines. Arbitrary log data in log files indicates a t t e m p t s of denial-of-service attacks, bandwidth consumption, and distributed denial-of-service attacks.
Module 17 Page 2567
General Indications of System Intrusions

Short or incomplete logs Unusual graphic displays or text messages Unusually slow system performance
CEH
Modifications to system software and configuration files
Missing logs or logs with incorrect permissions or ownership
System crashes or reboots
Gaps in the system accounting
Unfamiliar processes
G e n e r a l
In d ic a t io n s
o f S y s t e m
In t r u s io n s
To check w h e t h e r th e system is atta cke d, you need to check certain p a ra m e t e rs t h a t clearly indicate th e presence of an intruder on th e system. W hen an intruder a t t e m p t s t o break into t h e system, he or she a t t e m p t s to hide his or her presence by modifying certain system files and c onfigurations t h a t indicate intrusion. Certain signs of intrusion include: Q Q 9 9 System's failure in identifying valid user Active access to unus ed logins Logins during non-working hours New user accounts ot her th an th e accounts cre ate d Modifications to system softw are and configuration files using Administrator access and th e presence of hidden files Gaps in system audit files, which indicate th at t h e system was idle for t h a t particular time; he gaps actually indicate t h a t th e i ntruder has a t t e m p t e d t o erase t h e audit tracks
The s ystem's pe rfor mance de cre as es drastically, consuming CPU t ime Q System crashes suddenly and reb oots without user intervention
Module 17 Page 2568
6 Q
The system logs a re to o s hort and incomplete Timestamps of system logs are modified to include s trange inputs Permissions on t h e logs are changed, including th e ownership of th e logs System logs are deleted Systems pe rfor mance is abnormal, t h e system responds Unknown processes are identified on t h e system Unusual display of graphics, pop-ups, and text messages observed on th e system in unfamiliar ways
Module 17 Page 2569
Firew all
Firewalls are hardware and/or software designed to prevent unauthorized access to or from a private network
UftMM ilk,< 4 1 N M hM
CEH
Firewalls examine all messages entering or leaving the Intranet and blocks those that do not meet the specified security criteria
They are placed at the junction or gateway between the two networks, which is usually a private network and a public network such as the Internet Secure Private Local Area Network
Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports
v ? =Specified traffic allowed * =Restricted unknown traffic
F ir e w
a lls
A firewall is a set of related programs located at t h e n e t w o r k g a te w a y server th at protects th e resources of a private network from users on o t h e r networks. Firewalls are a set of tools t h a t monitor th e flow of traffic b e tw e e n networks. A firewall, placed at th e network level and working closely with a router, filters all network packets t o d e te r m i n e w h e t h e r or not to forward t h e m tow ard their destinations. A firewall is often installed away from t h e rest of t h e network so t h a t no incoming requ es t can get directly t o a private network resource. If configured properly, systems on one side of th e firewall are pr otected from systems on th e ot her side of th e firewall. A firewall is an intrusion d e tec tio n m e c h a n is m . Firewalls are specific to an organization's security policy. The settings of th e firewalls can be ch anged t o make appropriate changes t o th e firewall functionality. Firewalls can be configured to restrict incoming traffic t o POP and SNMP and t o enable email access. Certain firewalls block t h e email services to secure against spam. Firewalls can be configured to check inbound traffic at a point called th e "cho ke p o i n t / w h e r e security audit is performed. The firewall can also act as an active " p h o n e tap" tool in identifying th e intruder's a t t e m p t to dial into th e m o d e m s within th e network
Module 17 Page 2570
th at is secured by firewall. The firewall logs consist of logging information t h a t reports to t h e administrator on all th e a t t e m p t s of various incoming services. Q The firewall verifies t h e incoming and outgoing traffic against firewall rules. It acts as a router to move data b e tw e e n networks. Firewalls man ag e access of private networks t o host applications. All th e a t t e m p t s to log in to t h e netw ork are identified for auditing. Unauthorized a tt e m p t s can be identified by e mb ed di ng an alarm th at is triggered wh en an unauthorized user a tt e m p t s t o login. Firewalls can filter packets based on address and types of traffic. They identify t h e source, destination addresses, and port nu m be rs while address filtering, and th ey identify types of network traffic w h e n protocol filtering. Firewalls can identify th e state and attributes of th e data packets.
Secure Private Local Area Network Public Network
/= Specified traffic allowed JOt =Restricted unknown traffic
FIGURE 17.4: Working of Firewall
Module 17 Page 2571
Firew all Architecture

Bastion Host:
S S Bastion host is a computer system designed and configured to protect network resources from attack Traffic entering or leaving the network passes through the firewall, it has two interfaces: 6 public interface directly connected to the Internet 6 private interface connected to the Intranet
CEH
Screened Subnet:
S 2 2 The screened subnet or DMZ (additional zone) contains hosts that offer public services The DMZ zone responds to public requests, and has no hosts accessed by the private network Private zone can not be accessed by Internet users
Multi-homed Firewall:
S In this case, a firewall with three or more interfaces is present that allows for further subdividing the systems based on the specific security objectives of the organization
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
F ir e w
a ll A r c h it e c t u r e
Firewall architecture consists of t h e following elements:
B astion ho st
The bastion host is designed for t h e pur pose of de fe ndi ng against attacks. It acts as a mediator b e tw e e n inside and outside networks. A bastion host is a co m p u t e r system designed and configured t o protect n e t w o r k res our ces from attack. Traffic entering or leaving t h e network passes thro ugh th e firewall, it has t w o interfaces: 0 Public interface directly co nn ect ed t o t h e Internet Private interface co nne cte d to t h e intranet
Intranet
F IG U R E 17.5: Bastion Host A rchitecture
Module 17 Page 2572
IU T>
Ill'll
S creen ed su b n et
A sc ree ne d s ub n e t is a network architecture t h a t uses a single firewall with thre e network interfaces. The first interface is used to co nnect t h e Internet, t h e second interface is used t o co nnect t h e DMZ, t h e third interface is used t o co nnect t h e intranet. The main advan tage with th e screen ed s u b n e t is it separ ate s t h e DMZ and Internet from th e intranet so t h a t w h e n th e firewall is comprom ised access t o t h e i ntranet w o n 't be possible. 6 The scree ne d s ub ne t or DMZ (additional zone) contains hosts t h a t offer public services Public zone is directly conne cted t o t h e Internet and has no hosts controlled by t h e organization Private zone has systems t h a t Internet users have no business accessing
FIGURE 17.6: Screened Subnet Architecture
J M u lti-h o m ed fire w all

A multi-homed firewall generally refers to t w o are m o re netw ork s. Each interface is co nne cte d to th e s e p a r a t e n e tw o r k s e g m e n t s logically and physically. A multi-homed firewall is used t o increase efficiency and reliability of an IP network. In this case, m o re than th re e interfaces are pr es e nt th at allow for further subdividing t h e s ystems based on t h e specific security objectives of t h e organization. [ J
Intranet
Internet
FIGURE 17.7: Multi-Homed Firewall Architecture
Module 17 Page 2573
DeMilitarized Zone (DMZ)
I C EH
DMZ is a network that serves as a buffer between the internal secure network and insecure Internet It can be created using firewall with three or more network interfaces assigned with specific roles such as Internal trusted network, DMZ network, and external un-trusted network (Internet)
Firewall
Intranet DMZ
D e m
ilit a r iz e d
Z o n e
( D M
Z )
The DMZ is a hos t c o m p u t e r or a n e tw o r k placed as a neutral network b e tw e e n a particular firm's internal, or private, netw ork and outside, or public, netw ork to prevent th e outside user from accessing th e co mp an y's private data. DMZ is a network th at serves as a buffer b e tw e e n th e internal secure n e tw o r k and insecure in te r n et It is created using a firewall with th re e or m ore network interfaces assigned with specific roles such as Internal t ru s te d network, DMZ network, and External un-trusted netw ork (Internet).
Module 17 Page 2574
FIGURE 17.8: Demilitarized Zone (DMZ)
Module 17 Page 2575
T yp es o f Firew all
CEH
Packet Filters
Circuit Level Gateways
Application Level Gateways

Stateful M ultilayer Inspection Firewalls
T y p e s
o f F ir e w
a lls
A firewall refers t o a h a r d w a r e device or a so ft w a r e p ro g ra m used in a system to prevent malicious information from passing through and allowing only t h e approved information. Firewalls are mainly categorized into four types: Q Q 6 Packet filters Circuit-level gateways Application-level gateways Stateful multilayer inspection firewalls
Module 17 Page 2576
Packet Filterin g Firew all

Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP), they are usually a part of a router In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded
Urti*W
CEH
itkM l lUckw
Depending on the packet and the criteria, the firewall can drop the packet and forward it, or send a m essage to the originator Rules can include the source and the destination IP address, the source and the destination port number, and the protocol used
= Traffic allowed based on source and destination IP address, packet type, and port number
X = Disallowed Traffic
P a c k e t
F ilt e r in g
F ir e w
a ll
A packet filtering firewall investigates each individual pa c ke t passing through it and makes a decision w h e t h e r to pass th e packet or drop it. As you can tell from their name, packet filter-based firewalls co nc en tra te on individual packets and analyze their he a d er information and which way they are directed. Traditional packet filters make t h e decision based on t h e following information: Source IP address: This is used t o check if t h e packet is coming from a valid source or not. The information ab ou t t h e source IP address can be found from t h e IP h e a d e r of th e packet, which indicates t h e source system address. Destination IP address: This is used t o check if th e packet is going t o th e correct destination and t o check if t h e destination accepts t h e s e types of packets. The information a bo ut th e destination IP address can be found from t h e IP he a d er of th e packet, which has t h e destination address. Source TCP/UDP port: This is used t o check t h e source po rt for th e packet. Destination TCP/UDP port: This is used to check th e destination port for t he services to be allowed and th e services t o be den ied .
Module 17 Page 2577
TCP cod e bits: Used to check w h e t h e r th e packet has a SYN, ACK, or o t h e r bits set for th e connection to be made.
Q Protocol in use: Used to check w h e t h e r t h e protocol th at t h e packet is carrying should be allowed. This is be cause s o m e networks do not allow t h e UDP protocol. Direction: Used to check w h e t h e r t h e packet is coming from th e packet filter firewall or leaving it. 6 Interface: Used to check w h e t h e r or not t h e packet is coming from an unreliable site.
Network 5 Application 4 TCP 3 Internet Protocol (IP} 2 Data Link 1 Physical ............... Firewall
xi if
FIGURE 17.9: Packet Filtering Firewall
= Traffic allowed based on source and destination IP address, packet type, and port num ber = Disallowed Traffic
Module 17 Page 2578
Circuit-Level Gateway Firew all
C EH
- Traffic a llo w e d based on ^ = D isallo w e d Traffic
session rules, such
as w h e n a session is in itiate d b y a recognized co m p u te r
C irc u it-le v e l G a te w a y F ire w a ll

Circuit-level gateways work at the session layer of the OSI model or the TCP layer of TCP/IP. A circuit-level gateway forwards data between the networks without verifying it. It blocks incoming packets into the host, but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway appears to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). A circuit-level gateway gives the controlled network connection to the network between the system, internal and external to it. For detecting whether or not a requested session is valid, it checks the TCP handshaking between the packets. Circuit-level gateways do not filter individual packets. Circuit-level gateways are relatively inexpensive and hide the information about the private network that they protect.
Module 17 Page 2579
5 Application 4 TCP 3 In te rn e t Protoco l (IP) 2 Data Link 1 Physical
Firewall
* ......
FIGURE 17.10: Circuit-level Gateway Firewall = Traffic allowed based on session rules, such as when a session is initiated by a recognized computer = Disallowed Traffic
Module 17 Page 2580
Application-Level Firewall
J Application-level gateways (proxies) can filter packets at the application layer of the OSI model J Incoming and outgoing traffic is restricted to services supported by proxy; all other service requests are denied
CEH
J Application-level gateways configured as a web proxy prohibit FTP, gopher, telnet, or other traffic J Application-level gateways examine traffic and filter on application-specific commands such as http:post and get
5 Application 4 TCP 3 Internet Protocol (IP) 2 Data Link 1 Physical
= T ra ffic a llo w e d based o n s p e c ifie d a p p lic a tio n s (such as a b ro w s e r) o r a p ro to c o l, such as FTP, o r c o m b in a tio n s = D isa llo w e d T ra ffic
A p p lic a tio n -le v e l F ire w a ll

Proxy/application-based firewalls concentrate on the Application layer rather than just the packets. These firewalls analyze the application information to make decisions about whether or not to transmit the packets. Q A proxy-based firewall asks for authentication to pass the packets as it works at the Application layer. 9 A content caching proxy optimizes performance by caching frequently accessed information instead of sending new requests for the same old data to the servers.
Module 17 Page 2581
Network In te rn e t 5 Application 4 TCP 3 In te rn e t Protoco l (IP) 2 Data Link 1 Physical

Firew all
FIGURE 17.11: Application-level Firewall
Module 17 Page 2582
Stateful M ultilayer Inspection Firewall

J J
CEH
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls They filter packets at the network layer, to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer
5 Application 4 TCP 3 Internet Protocol (IP) 2 Data Link 1 Physical
= Traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules
= Disallowed Traffic
S ta te fu l M u ltila y e r I n s p e c tio n F ire w a ll

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer. The inability of the packet filter firewall to check the header of the packets to allow the passing of packets is overcome by stateful packet filtering. Q This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on memory 9 9 9 These firewalls provide the best of both packet filtering and application-based filtering Cisco PIX firewalls are stateful These firewalls tracks and log slots or translations
Module 17 Page 2583
Firewall
N etw ork
FIGURE 17.12: Stateful Multilayer Inspection Firewall ^ = Traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules
- Disallowed Traffic
Module 17 Page 2584
Firew all Identification: Port Scanning
r Pftl -
Port scanning is used to identify open ports and services running on these ports
Open ports can be further probed to identify the version of services, which helps in finding vulnerabilities in these services
Some firewalls will uniquely identify themselves in response to simple port scans
For example: Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, NetGuard GuardianPro firewall listens on TCP 1500 and UDP 1501
F ire w a ll Id e n tific a tio n : P o rt S c a n n in g

Systematically scanning the ports of a computer is known as port scanning. Attackers use such methods to identify the possible vulnerabilities in order to compromise a network. It is one of the most popular methods that attackers use for investigating the ports used by the victims. A tool that can be used for port scanning is Nmap. A port scan helps the attacker find which ports are available (i.e., what service might be listening to a port); it consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness. Some firewalls will uniquely identify themselves using simple port scans. For example: Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259 and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.
Module 17 Page 2585
Firew all Identification: Firew alking
C EH
A technique that uses TTL values to determine gateway ACL filters and map networks by analyzing IP packet responses
Attackers send a TCP or UDP packet to the targeted firewall with a TTL set to one hop greater than that of the firewall
If the packet makes it through the gateway, it is forwarded to the next hop where the TTL equals one and elicits an ICMP "TTL exceeded in transit" to be returned, as the original packet is discarded
This method helps locate a firewall, additional probing permits fingerprinting and identification of vulnerabilities
F ire w a ll Id e n tific a tio n : F ire w a lk in g

Firewalking is a method used to collect information about remote networks that are behind firewalls. It probes ACLs on packet filtering routers/firewalls. It is same as that of tracerouting and works by sending TCP or UDP packets into the firewall that have a TTL set at one hop greater than the targeted firewall. If the packet makes it through the gateway, it is forwarded to the next hop where the TTL equals zero and elicits a TTL "exceeded in transit" message, at which point the packet is discarded. Using this method, access information on the firewall can be determined if successive probe packets are sent. Firewalk is the most well-known software used for firewalking. It has two phases: a network discovery phase and a scanning phase. It requires three hosts: Firewalking host: The firewalking host is the system, outside the target network, from which the data packets are sent, to the destination host, in order to gain more information about the target network. Gateway host: The gateway host is the system on the target network that is connected to the Internet, through which the data packet passes on its way to the target network. Destination host: The destination host is the target system on the target network that the data packets are addressed to.
Module 17 Page 2586
Firew all Identification: Banner Grabbing
(citifwd
c EH
ItkKJl NMkw
M ic r o s o ft
5 1 1 F ire w a ll Id e n tific a tio n : B a n n e r G ra b b in g

Banners are messages sent out by network services during the connection to the service. Banners announce which service is running on the system. Banner grabbing is a technique generally used by the attacker for OS detection. The attacker uses banner grabbing to discover services run by firewalls. The three main services that send out banners are FTP, Telnet, and web servers. Ports of services such as FTP, Telnet, and web servers should not be kept open, as they are vulnerable to banner grabbing. A firewall does not block banner grabbing because the connection between the attacker's system and the target system looks legitimate. An example of SMTP banner grabbing is: telnet mail.targetcompany.org 25. The syntax is:
" < s e r v ic e n a m e > < s e r v ic e r u n n in g > < p o r t n u m b e r> "
Banner grabbing is a mechanism that is tried and true for specifying banners and application information. For example, when the user opens a telnet connection to a known port on the target server and presses Enter a few times, if required, the following result is displayed: C:\>telnet www.corleone.com 80 HTTP/1.0 400 Bad Request Server: Netscape - Commerce/1.12
Module 17 Page 2587
This system works with many other common applications that respond on a set port. The information generated through banner grabbing can enhance the attacker's efforts to further compromise the system. With information about the version and the vendor of the web server, the attacker can further concentrate on employing platform-specific exploit techniques.
Module 17 Page 2588
Honeypot
CE H
A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network
It has no authorized activity, does not have any production value, and any traffic to it is likely a probe, attack, or compromise
A honeypot can log port access attempts, or monitor an attacker's keystrokes. These could be early warnings of a more concerted attack
Honeypot
DMZ
#
Firewall
Internet
1
Attacker
Packet Filter
W eb Server
H oneypot A honeypot is a system that is intended to attract and trap people who try unauthorized or illicit utilization of the host system. Whenever there is any interaction with a honeypot, it is most likely to be a malicious activity. Honeypots are unique; they do not solve a specific problem. Instead, they are a highly flexible tool with many different security applications. Some honeypots can be used to help prevent attacks; others can be used to detect attacks; while a few honeypots can be used for information gathering and research. Examples: Installing a system on the network with no particular purpose other than to log all attempted access. Q Installing an older unpatched operating system on a network. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the system and further track what the intruder attempts to do with the system once it is compromised. Install special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing him/her access to the network.
Module 17 Page 2589
Any existing system can be "honeypot-ized." For example, on WinNT, it is possible to rename the default administrator account and then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot tracks users who are attempting to gain administrator access and exploit that access.
Web Server FIGURE 17.13: Working of Honeypot
Module 17 Page 2590
Types of Honeypots
L o w -in te ra c tio n H o n e y p o ts
These honeypots simulate only a limited number of services and applications of a target system or network - Can not be compromised completely Generally, set to collect higher level information about attack vectors such as network probes and worm activities Ex: Specter, Honeyd, and
H ig h -in te ra c tio n H o n e y p o ts
These honeypots simulates all services and applications Can be completely compromised by attackers to get full access to the system in a controlled area Capture complete information about an attack vector such attack techniques, tools and intent of the attack
Ex: Symantec Decoy Server and Honeynets
Copyright by EG-G(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.
T y p e s of H o n e y p o ts
Honeypots are mainly divided into two types:
L o w -in teractio n H oneypot

They work by emulating services and programs that would be found on an individual's system. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture limited amounts of information, mainly transactional data and some limited interaction Ex: Specter, Honeyd, and KFSensor Honeyd is a low-interaction honeypot. It is open source and designed to run primarily on UNIX systems. Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs connections to any UDP or TCP port. In addition, the user can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring port 21 (TCP). When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but also it captures all of the attacker's interaction with the emulated service.
Module 17 Page 2591 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
In the case of the emulated FTP server, an attacker's login and password can be potentially captured; the commands that were issued, what they were looking for, or their identity can be tracked. Most emulated services work the same way. They expect a specific type of behavior, and then are programmed to react in a predetermined way.
H ig h -in teractio n H oneypot

Honeynets are a prime example of a high-interaction honeypot. A honeynet is neither a product nor a software solution that the user installs. Instead, it is architecture, an entire network of computers designed to attack. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network, intended victims are placed and the network has real computers running real applications. The "bad guys" find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a honeynet. All of their activity, from encrypted SSH sessions to email and file uploads, is captured without them knowing it by inserting kernel modules on the victim's systems, capturing all of the attacker's actions. At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway. This gateway allows inbound traffic to the victim's systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim's systems, but prevents the attacker from harming other non-honeynet computers.
H o w to S et U p a H o n e y p o t
Follow the steps here to set up a honeypot: Step 1: Download or purchase honeypot software. Tiny Honeypot, LaBrea, and Honeyd are some of the programs available for Linux systems. KFSensor is software that works with Windows. Q Step 2: Log in as an administrator on the computer to install a honeypot onto the computer. Q Step 3: Install the software on your computer. Choose the "Full Version" to make sure every feature of the program is installed. Step 4: Place the honeypot software in the Program Files folder. Once you have chosen the folder, click"OK and the program will install. Q Step 5: Restart your computer for the honeypot to work. 9 Step 6: Configure the honeypot to check the items that you want the honeypot to watch for, including services, applications, and Trojans, and name your domain.
Module 17 Page 2592
M odule Flow
CEH
Copyright by EG-GoililCil. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le F lo w
Previously, we discussed the basic concepts of three security mechanisms: IDSes, firewalls, and honeypots. Now we will move on to detailed descriptions and functionalities of these security mechanisms.
IDS, Firewall and Honeypot Concepts
Detecting Honeypots
IDS, Firewall and Honeypot System
Firewall Evading Tools Countermeasure
1?
Evading IDS
Evading Firewall V
Penetration Testing
This section describes the intrusion detection system Snort.
Module 17 Page 2593
Intrusion D etection Tool: Snort

Snort is an open source network intrusion detection system, capable of performing realtime traffic analysis and packet logging on IP networks
CEH
Command Prompt
c:\Soort\b1n>nort -c c:\Sooxfc\efcc\snoxfc.conf -1 c:\Snort\log -i 2 = Initialiiation Coaplete = -*> Snort! < *oVersion 2.9.0.2-O D BC-KySQ L-Fle*RBSP-W IH 32 G R B (Build 9 2 ) * By Kartin Boejch The Snort T eam : httf://m nr.snort.ory/snort/snort-tea Copyright (C ) 1 9 9 8 -2 0 1 0 Soarcefire, Inc., et al. dsinf P C R H version: 8.10 201 0 -0 6 -2 5 Using ZLTB version: 1.2.3 Rules Hnfine: SFSHORTDHTBCTIOHHNGINB Version 1.12 <Bo!ld 1 8 > Preprocessor bject: SFSSLPP Version 1.1 <Build 4 > Preprocessor bject: SFSSB Version 1.1 < BaxId 3 > Ccaencinf packet processing (pid= 5896) 85: Session e!cee< led configured h i bytes to queue 1 0 4 8 5 7 6 using 1 0 4 8 9 7 9 bytes ( client qaeae). 192.168.168.7 1 1 6 1 6 > 92.46.53.163 8 0 (0) : !.*state 0*1 UTPlags Ban t i f for packet processing w as 5985.944000 seconds Snort processed 1 1 7 7 4 packets. Snort ran for 0 days 1 boars 3 9m inutes 4 5 seconds Pkta/hr: 1 1 7 7 4 Fkts/m in: 1 1 8 Pkts/c: 1 SS: Pruned session from cache that w as using 1 0 9 8 9 4 7 bytes (purge w hole cad 1*2.168.168.7 1 1 6 1 6> 92.46.53.163 8 0 (0) : Llstatr 0 *1 LW Plags 0.222003 1 4 7 4 9 0 1 1 7 7 4 ( 7.983%) 1 3 5 7 0 7 ( 92.011%) 1 3 5 7 1 6 ( 92.017%)
It can perform protocol analysis and content searching/matching, and is used to detect a
B B
Q
variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SM B probes, and OS fingerprinting attempts
It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture
Uses of Snort: Straight packet sniffer like tcpdump Packet logger (useful for network traffic debugging, etc.) Network intrusion prevention system
0( 0 .0 0 0 % ) h ttp :/ / w w w .s n o rt.o rg
% .
I n t r u s i o n D e t e c t i o n T o o l: S n o r t
Source: http://www.snort.orR
Snort is an open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting, attempts etc. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or a full-blown network intrusion prevention system.
Module 17 Page 2594
Command Prompt
Snort . Comma n d s c : \ S n o r t \bin>snort -c c:\Snort\e t c \ s n o r t . c o n f -1 c : \ S nort\log -i 2 Initialization Compl e t e , > * Snort! < * o" )* V e r s i o n 2 . 9 .0. 2 - O D B C M y S Q L F l e x R E S P W I N32 GRE (Build 92) ,, B y Martin Roe s c h & Th e Snort Team: http://w w w . s n o r t . o r g / s n o r t / s n o r t ~ t e a m Copy r i g h t (C) 1998-2010 Sourcefire, Inc., e t a l . U s i n g FCRE version: 8.10 2010-06-25 U s i n g ZLIB version: 1.2.3 R u l e s Engine: SF S N ORT D E T E C T I O N E K O I N E V e r s i o n 1.12 < B u i l d 1 G> P r e p r o c e s s o r Object: SF_SS L P P V e r s i o n 1.1 < B u i l d 4> P r e p r o c e s s o r Object: SF_SSH V e rsion 1.1 < B u i l d 3> C o m m encing p a c k e t p r o c e s s i n g (pid=5896) S 5 : Session e x c e e d e d c o n f i g u r e d ma x b y t e s to q u e u e 1048576 u s i n g 1048979 b y t e s ( client q u e u e ) . 1 9 2 . 1 6 8.168.7 1 1 616 > 92.46.53.163 80 (0) : LW s t a t e 0x1 LWFlags 0x2003 *** Caught Int-Signal Run time for pac k e t p r o c e s s i n g was 5 9 85.944000 seconds Snort p r o c e s s e d 11774 packets. Snort ra n for 0 days 1 hours 3 9 minutes 45 seconds Pkts/hr: 11774 Pkts/min: 118 Pkts/sec: 1 S5: Pruned se s s i o n f r o m cache that was u s ing 1098947 b y tes (purge whole cache). 192.168.168.7 11616 - - > 9 2 . 4 6.53.163 80 (0) : LWstate 0x1 LWFlags 0x222003 Packet I/O Totals: Received: Analyzed: Dropped: Filtered: Outstanding: Injected:
147490 11774 135707
135716
0( 0 .0 0 0 % ) ( 92.017%) 0
( 7.983%) ( 92.011%)
FIGURE 17.14: Working of Snort in Command Promt
Module 17 Page 2595
How Snort Works
CEH
Urt1fw4 ilhiul lUtbM
Decoder: Saves the captured packets into a heap, identifies link level protocols, and decodes IP Detection Engine: It matches packets against rules previously saved in memory Output Plug-ins: These modules format notifications so operators can access in a variety of ways (console, extern flies, databases, etc.)
Rules Files: These are plain text files which contain a list of rules with a known syntax
Copyright by EG-G(l1ncil. All Rights Reserved. Reproduction is Strictly Prohibited.
ft
A Q
H ow S no rt W o rk s
The following are the three essential elements of the Snort tool: Decoder: Saves the captured packets into heap, identifies link level protocols, and decodes IP.
Detection Engine: Matches packets against rules previously charged into memory since Snort initialization. Q Output Plug-ins: These modules format the notifications for the user to access them in different ways (console, extern files, databases, etc.).
Module 17 Page 2596
Reporting and Alerting Engine (ACID)
A V
* V
..>o mc o J -
Databases
Webservers
Decoder
Primary NIC
Adm inistrator
Base Detection Engine
NIC in Promicuous mode sniffing network traffic
Dynamic Loaded Libraries
Output Plugins
Rule Set
Rules Files: These are plain text files which contain a list of rules with a known syntax
FIGURE 17.15: How Snort Works
Module 17 Page 2597
Snort Rules
B B B Snort's rule engine enables custom rules to meet the needs of the network Snort rules help in differentiating between normal Internet activities and malicious activities Snort rules must be contained on a single line, the Snort rule parser does not handle rules on multiple lines B Snort rules come with two logical parts:
S
S Rule header: Identifies rule's actions such as alerts, log, pass, activate, dynamic, etc. Rule options: Identifies rule's alert messages
CEH
Exa m p le :
Rule Protocol Rule Port
v
A
Rule Action
y
"m o un td a c c e s s ":;)
j a l e r t i j t c p a ny ! - > : 1 9 2 . 1 6 8 . 1 . 0 / 2 4 : : l l l j ( c o n t e n t ::
A
Rule Format Direction
A
Rule IP address
A
Alert message
S nort R u le s
Snort uses the popular libpcap library (for UNIX/Linux) or Winpcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Snort decodes all the packets passing through the network media to which it is attached by entering promiscuous mode. Based on the content of the individual packets and rules defined in the configuration file, an alert is generated. There are a number of rules that Snort allows the user to write. In addition, each of these Snort rules must describe the following: e Any violation of the security policy of the company that might be a threat to the security of the company's network and other valuable information
All the well-known and common attempts to exploit the vulnerabilities in the company's network 0 The conditions in which a user thinks that a network packet(s) is unusual, i.e., if the identity of the packet is not authentic
Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust"; it means the system should keep a rigid check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible"; it means that the system must be compatible
enough to act immediately and take necessary remedial measures, according to the nature of the intrusion. Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule-description language that aids in writing simple Snort rules. There are two basic principles that must be kept in mind while writing Snort rules. They are as follows: No written rule must extend beyond a single line, so rules should be short, precise, and easy-to-understand. Each rule should be divided into two logical sections: The rule header The rule options The rule header contains the rule's action, the protocol, the source and destination IP addresses the source and destination port information, and the CIDR (Classless Inter-Domain Routing) block. The rule option section includes alert messages, in addition to information about which part of the packet should be inspected in order to determine whether the rule action should be taken. The following illustrates a sample example of a Snort rule:
Rule Protocol Rule Port
y y a le rt jitcp :any :->:192 .168 .1. 0/24j:lll {c o n t e n t | 00 01 86 a5 | "; msg: "mountd access"?) '1 ;
Module 17 Page 2599
Snort R ules: R ule A ctions and IP P rotocols

Rule A ctions
J The rule header stores the complete set of rules to identify a packet, and determines the action to be performed or what rule to be applied J J The rule action alerts Snort when it finds a packet that matches the rule criteria Three available actions in Snort:
6 6 Alert - Generate an alert using the selected alert method, and then log the packet Log - Log the packet Pass - Drop (ignore) the packet
IP Protocols
Three available IP protocols that Snort supports for suspicious behavior:
TCP II III UDP ICMP

S n o rt R u le s : R u le A c tio n s a n d IP P r o to c o ls
_______ I Source: http://manual.snort.org The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action. The rule action tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have additional options which include drop, reject, and drop. 6 Q Q 0 Q Alert - generate an alert using the selected alert method, and then log the packet Log - log the packet Pass ignore the packet Activate - alert and then turnon another dynamic rule
Dynamic - remain idle untilactivatedby an activate rule, then act as a log rule Drop - block and log the packet
Reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
Module 17 Page 2600
Sdrop - block the packet but do not log it
The Internet protocol (IP) is used to send data from one system to another via the Internet. The IP supports unique addressing for every computer on a network. Data on the Internet protocol network is organized into packets. Each packet contains message data, source, destination, etc. Three available IP protocols that Snort supports for suspicious behavior: 6 TCP: TCP (transmission control protocol) is a part of the Internet Protocol. TCP is used to connect two different hosts and exchanges data between them. UDP: UDP, the acronym of User Datagram Protocol, is for broadcasting messages over a network. ICMP: The Internet Control Message protocol (ICMP) is a part of the Internet protocol. It is used by the operating systems in a network to send error messages, etc.
Module 17 Page 2601
Snort Rules: The D irection Operator and IP A ddresses

T h e Direction Operator
J
CEH
This operator indicates the direction of interest for the traffic; traffic can flow in either single direction or bi-directionally Example of a Snort rule using the Bidirectional Operator:
log >192.168.1.0/24 any < > 192.168.1.0/24 23
IIIIIIIIIIIIIIIIIIII
IP Addresses
J J J J
Identifies IP address and port that the rule applies to Use keyword " a n y to define any IP address Use numeric IP addresses qualified with a CIDR netmask Example IP Address Negation Rule:
a le rt " |00
tcp 01 86
!1 9 2 .1 6 8 .1 .0 / 2 4 a 5 | ; m sg:
any
->
1 9 2 .1 6 8 .1 .0 / 2 4 m ountd access1 ';)
111
(c o n te n t:
"e x te rn a l
S n o rt R u le s : A d d resses
The
D ire c tio n
O p e ra to r
and
IP
The direction operator $>$ indicates the orientation, or direction, of the traffic that the rule applies to. The IP address and port numbers on the left side of the direction operator is considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host. There is also a bidirectional operator, which is indicated with a $<>$ symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions. Also, note that there is no $<$- operator. In Snort versions before 1.8.7, the direction operator did not have proper error checking and many people used an invalid token. The reason the $<$ does not exist is so that rules always read consistently. The next fields in a Snort rule are used to specify the source and destination IP addresses and ports of the packet, as well as the direction in which the packet is traveling. Snort can accept a single IP address or a list of addresses. When specifying a list of IP address, you should separate each one with a comma and then enclose the list within square brackets, like this: [192.168.1.1,192.168.1.45,10.1.1.24]
Module 17 Page 2602
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
When doing this, be careful not to use any whitespace. You can also specify ranges of IP addresses using CIDR notation, or even include CIDR ranges within lists. Snort also allows you to apply the logical NOT operator (!) to an IP address or CIDR range to specify that the rule should match all but that address or range of addresses.
Module 17 Page 2603
Snort Rules: Port Numbers

Port numbers can be listed in different ways, including "any" ports, static port definitions, port ranges, and by negation
Port ranges are indicated with the range operator
Example of a Port Negation

lo g tcp any any -> 1 9 2 .1 6 8 .1 .0 / 2 4 !6 0 0 0 :6 0 1 0
Protocols
anyanyUDPLog <
IP address
92.168.1.0/24 1:1024
Log U D P traffic coming from an y port and d estination ports ranging from 1 to 1024 Log TCP traffic from any port going to ports less than or equal to 5000
anyanyTCPLog
<
192.168.1.0/24 :5000
anyTCPLog
:1024 <
192.168.1.0/24 400:
Log TCP traffic from th e w e ll know n ports and going to ports g re ater than or equal to 400
S nort R u le s : P o rt N u m b e r s
Port numbers may be specified in a number of ways, including any ports, static port definitions, ranges, and by negation. Any ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http, etc. Port ranges are indicated with the range operator The range operator may be applied in a number of ways to take on different meanings. Example of Port Negation: log tcp any any -> 192.168.1.0/24 !6000:6010 1 Protocols
Log U D P any any ->
IP address
92.168.1.0/24 1:1024
Action
Log UDP traffic coming from any port and destination ports ranging from 1 to 1024 Log TCP traffic from any port going to ports less than or equal to S000 Log TCP traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 400
Log TCP any any ->
192.168.1.0/24 :5000
Log TCP any :1024 ->
192.168.1.0/24 400:
T A BLE 17.1: Po rt Num bers
Module 17 Page 2604
Intrusion D etection System : Tipping Point

e TippingPoint IPS is inserted seamlessly and transparently into the network, it is an in-line device 9 Each packet is thoroughly inspected to determine whether it is malicious or legitimate e It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection
IA c ^
CEH
XXXXXXXX - /itta c k s P e r A ctio ,

30 k k 3
2 0 10
5
k
Hon 1 6 :0 0 Mon 2 0 :0 0 Tue 0 0 :0 0 Tue 0 4 :0 0 Tue 0 8 :0 0 Tue 1 2 :0 0 Fro 2009/09/21 1 2 :2 2 :5 2 To 2 00 9/09/22 1 2 :2 2 :5 2
H P e r m it t e d B lo c k e d D is c a r d e d I n v a l i d G raph L a s t U p d a te d :
L a s t: 2 7 .3 9 k A vg: 1 3 .7 9 k L a s t: 0 .0 0 A vg: 0 .0 0 L a s t: 6 9 .3 8 Avg: 6 6.9 1 Tue 22 Sep 1 2 :2 0 :0 2 CEST 2009
M ax: M ax: M ax:
4 0 .3 8 k 8 1 .3 3
0 .0 0
XXXXXXXX - A ttack s P e r P ro to c o l
40 k 30 k
2 0 10
k k
Hor 1 6 :0 0
Mon 2 0 :0 0
Tue 0 0 :0 0
Tue 0 4 :0 0
Tue 0 8 :0 0
T ue 1 2 :0 0
rro 2 0 0 9/09/21 12:22:2 T o 2009/09/22 12:22:2

3 .6 7 k Avg: 3 .9 0 k IC M P L a s t: Avg: 1 .0 4 k 8 8 6 .0 8 UDP L a s t: Avg: 8 .9 4 k 2 2 .9 0 k TCP L a s t: Avg: IP - O t h e r L a s t: G raph L a s t U p d ate d : T ue 22 Sep 1 2 :2 0 :0 2 C EST 2009
0 .0 0
0 .0 0
M ax: M ax: M a x : M a x :
6 .0 6 k 6 .6 1 k 3 5 .8 5 k
0 .0 0
http://hl7007.w w w l.h p.com
In tru sio n D etectio n System : T ip p in g P oint

Source: http://hl0163.wwwl.hp.com TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device. Each packet is thoroughly inspected to determine whether it is malicious or legitimate. It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection.
Module 17 Page 2605
XXXXXXXX Attacks Per Action

40 k 30 k 20 k 10 k
Mon 16:00
Mon 20:00
Tue 00:00
Tue 04:00
Tue 08:00
Tue 12:00
Fron 2009/09/21 12:22:52 To 2009/09/22 12:22:52 8 Perm itted L a s t: 27.39 k Avg: 13.79 k Blocked L a s t: 0.00 Avg: 0.00 Discarded In v a lid L a s t; 69.38 Avg: 66.91 Graph Last Updated: Tue 22 Sep 12:20:02 CEST 2009 Max: Max: Max: 40.38 k 0.00 81.33
XXXXXXXX Attacks Per Protocol

40 k 30 k 20 k 10 k
|J W1A1 11. w l^
1
.hr f
^ __1_^ * %
Mon 16:00 Mon 20:00 Tue 00:00 Tue 04:00 Tue 08:00 Tue 12:00 Fron 2009/09/21 12:22:52 To 2009/09/22 12:22:52
ICMP 3.67 k Avg: L a s t: 3.90 k Max: UDP Avg: 1.04 k Max: L a s t : 886.08 TCP L a s t: 22.90 k Avg: 8.94 k Max: IP-O ther Avg: Max: L a s t: 0.00 0.00 Graph Last Updated: Tue 22 Sep 12:20:02 CEST 2009
6 .06 k 6.61 k 35.85 k 0.00
FIGURE 17.17: Tipping Point Screenshot
Module 17 Page 2606
Intrusion Detection Tools

IBM Security Network Intrusion Prevention System
http://w w w -01.ibm . com
CE H
Peek & Spy

http://netw orkingdynam ics.com
Cisco Intrusion Prevention
Systems
http ://w w w .cisco.com
INTOUCH INSA-Network Security Agent

h ttp ://w w w . ttinet. com
AIDE (Advanced Intrusion Detection Environment)

h ttp ://a id e , sourceforge.net
Strata Guard
h ttp ://w w w . s tillsecure.com
SNARE (System iNtrusion Analysis & Reporting Environment)

h ttp ://w w w . intersectalliance. com
U C
IDP8200 Intrusion Detection and Prevention Appliances

https :/ / w w w .juniper, net
Vanguard Enforcer BH|

http://www.go2s/anguard.com
I n t r u s i o n D e t e c t i o n T o o ls
^ Intrusion detection tools detect anomalies. These tools, when run on a dedicated workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and network traffic statistical anomalies. In addition, these tools give real-time, zero-day protection from network attacks and malicious traffic, and prevent malware, spyware, port scans, viruses, and DoS and DDoS from compromising hosts. A few of intrusion detection tools are listed as follows: 0 IBM Security Network Intrusion Prevention System available at http://www-01.ibm.com
Peek & Spy available at http://networkingdvnamics.com Q 0 INTOUCH INSA-Network Security Agent available at http://www.ttinet.com Strata Guard available at http://www.stillsecure.com
IDP8200 Intrusion Detection and Prevention Appliances available at https://www.juniper.net Q OSSEC available at http://www.ossec.net
Cisco Intrusion Prevention Systems available at http://www.cisco.com
Module 17 Page 2607
AIDE (Advanced Intrusion Detection Environment) available at http://aide.sourceforge.net SNARE (System iNtrusion Analysis & Reporting Environment) available at http://www.intersectalliance.com
Vanguard Enforcer available at http://www.go2vanguard.com
Module 17 Page 2608
Intrusion Detection Tools

(C ontd)
Check Point Threat Prevention Appliance
h ttp ://w w w . checkpoint, com
CE H
M i s
FortiGate
h ttp ://w w w .fo rtin e t. com
V S
^
fragroute
http ://w w w . m onkey, org
.&
Enterasys Intrusion Prevention System

h ttp ://w w w .enterasys.com
Next-Generation Intrusion Prevention System (NGIPS)

h ttp ://w w w . sourcefire.com
StoneGate Virtual IPS Appliance

http ://w w w .5 tonesoft.co m
Outpost Network Security

h ttp://w w w .agnitum .com
V4
Cyberoam Intrusion Prevention System

http ://w w w .cyb eroam .com
1ifi
Check PointIPS-1
McAfee Host Intrusion Prevention for Desktops

h ttp ://w w w .m ca fe e . com
I n t r u s i o n D e t e c t i o n T o o l s ( C o n t d)
In addition, to the previously mentioned intrusion detection tools, there are few more tools that can be used for detecting intrusions: Check Point Threat Prevention Appliance available at http://www.checkpoint.com Q Fragroute available at http://www.monkey.org
Next-Generation Intrusion Prevention System (NGIPS) available at http://www.sourcefire.com Q Q Outpost Network Security available at http://www.agnitum.com Check Point IPS-1 available at http://www.checkpoint.com
FortiGate available at http://www.fortinet.com Enterasys Intrusion Prevention System available at http://www.enterasys.com 6 Q 9 StoneGate Virtual IPS Appliance available at http://www.stonesoft.com Cyberoam Intrusion Prevention System available at http://www.cyberoam.com McAfee Host Intrusion Prevention for Desktops available at http://www.mcafee.com
Module 17 Page 2609
Firewall: ZoneAlarm PRO Firewall

lil l
Z o n eA la rm
C EH
PRO Rrewall
Scan Update
unc< 4> Tod3
A YO URC O M H U IER IS SECURE
Hi
IDENTITY A UA IA
A p p lim h o nC o n tro l
!,prg-g-w wrd
Blocks dangerous betavtcre and inajthoiUed Irtwnst Uarn>lbr*
. , PC T u n cU p
^
Het Vj V0 % r* V V
S'.iv^n I1 youcomputerfo Imiwved performsiKe.
ftorcbaed-iewimge Q l Check Point
Log V * V vt vf V, jd V Y *1 * * y! y!
Everts Bkxked NetBIOS broadcasts Blocked outgoing N etBos nane requests Bfcckfd oackeU fa racwl connaaioni Blocked x r SYN TCP pKkets Blocked nouted jackets Blocked loopback packets Blocked ncnJP packet Blocked fragmerted IP packets Other blocked IP packets M ailSafe violations Lock violators Bfccked 1ppltr*en Anuvrus/Artnpywr* vert# Antivfus.'Arti-cpywre earning *rorc Aouvnjs/Affrapyw( pcwecton not t&xd
! Omkft 1 |O tm H [
Q IC If C a n o *
h ttp:/ / w w w .z o n e a la rm ,c o m
F ire w a ll: Z o n e A la rm P R O F ire w a ll / mi

Source: http://www.zonealarm.com ZoneAlarm PRO Firewall blocks attackers and intruders from accessing your system. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional antivirus protection. It prevents identity theft by guarding your personal data. It even erases your tracks allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. In addition, it filters out annoying and potentially dangerous email.
Module 17 Page 2610
PRO Firewall
ZoneAlarm
YOUK CO M PUILH IS SLC U R t
j| Q
Ci bu'
) M COMPUTER Q
k ta ia w LA 1
IN tER N C T
IO C N IITYt D A T A Q
A d v a n c e d F irew all Bocks rvMont and hackar acfinrfy
Alerts and Logs
Antivirus & Anti s p y w a re Detect! and *move* xr* are and vtusea
rrtrirt *w m rat
A p p licatio n Control Bocks dangerous bchavm and 1 rulhou0d ttamef tr Alert V Log Evwta Stocked NetBIOS broadcasts Booked outgong Net&oe name requests Bocfced packets for recent connections Socked non-SYN TCP packets Stocked routed packets Bocked toopbeck packets Stocked non-IP packet* Stocked frgmertod IP packets Other blocked IP packets M *S 4 *oiabon* Lock violation Bocked appftcabone Artrvtu/Art!spyware everts Arveu*/Art spyware *earwig arron Arewus/Arti spyware protection not lo^ d /s
y
V*
y y V
V V V V V
V V
V V V V V V V
V
V V
y y y
FIGURE 17.18: ZoneAlarm PRO Firewall Screenshot
Module 17 Page 2611
Firewalls
Check Point Firewall Software Blade
CEH
Firewall UTM
h ttp ://w w w .e so ft. com
%
"
eScan Enterprise Edition

http ://w w w . escanav. com
Sonicwall
h ttp ://w w w . tribecaexpress.com
Jetico Personal Firewall

h ttp ://w w w .je tico . com
Comodo Firewall
http ://personalfirew all. com odo. com
Outpost Security Suite

http ://fre e, agnitum. com
Online Armor
http://w w w .online-arm or.com
Novell BorderManager
h ttp ://w w w . nos/ell.com
(III ^
j-
FortiGate-5101C
h ttp ://w w w .fo rtin e t. com
F ire w a lls
Firewalls provide essential protection to the computers against viruses, privacy threats, objectionable content, hackers, and malicious software when networked or connected to the Internet. A firewall monitors running applications that access the network. It analyzes downloads and warns you if downloading a malicious file, stops it from infecting your PC. A few of the firewalls that provide system protection are listed as follows: Check Point Firewall Software Blade available at http://www.checkpoint.com 9 eScan Enterprise available at http://www.escanav.com
w
Jetico Personal Firewall available at http://www.ietico.com 0 Q Outpost Security Suite available at http://free.agnitum.com Novell BorderManager available at http://www.novell.com
Firewall UTM available at http://www.esoft.com Sonicwall available at http://www.tribecaexpress.com Q 9 Q Comodo Firewall available at http://personalfirewall.comodo.com Online Armor available at http://www.online-armor.com FortiGate-5101C available at http://www.fortinet.com
Module 17 Page 2612
Honeypot Tool: KFSensor

KFSensor Professional Evaluation Trial
File View Scenario Signatures Settings Help
UrtifW
CEH
itkM l lUikw
bdj
Visitor 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... ADMIN-PC ADMIN-PC 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... Received (00 01 00 00 9 0 1A C [00 01 00 00 94]9[DA (00 01 00 00 E2 EF E5 (0001 00 00 E2 EF E5 [00 01 OOOOBD][[D1 [000100 00M010C [E5 A5 80 00 00 01 0C NBT DGRAM Packet [000100 00M010C [00 01 00 00 FE 85 02
i g j 4 X, |Tt]U u x u"1 1 1
. kfwm or locjlho... B O TCP i f 0 Closed T... 2 1 FTP 25 SMTP 53 ONS 68 DHCP E 80 US - 41w
a
Q a d a! fc g*
Dura...
ID <? 129 128 <?127 126 >125 124 <5' 123
Start 10/22/2012 12:44:32 PM.538 10/22/2012 12:44:31 PM.796 10/22/2012 12:44:31 PM.027 10/22/2012 12:43:57 PM.200 10/22/2012 12:43:56 PM.451 10/22/201212:43:55 PM.768 10/22/2012 12:43:44 PM.148 10/22/2012 12:43:43 PM.737 10/22/2012 12:43:14 PM.860 10/22/2012 12:43:14 PM.285 10/22/2012 12:43:13 PM.704 10/22/2012 12:42:32 PM.749 10/22/2012 12:42:32 PM.519 10/22/2012 12:42:32 PM.288
J J
JS 110 POP3 ^ 119 NNTP j j j H i MSBP... g
1 2 2
<5 121
J
I
1 g ..IS NBT t ...

593 CIS
139 NBTSe... 389 LDAP 441 HU PS..
120
119 118 < S > 117 <5 116
0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UDP 0 .0 0 0 UOP 0 .0 0 0 UOP
Pr...
Sens...
Name
51067 UOP Packet 51067 UDP Packet 51067 UOP Packet 51067 UOP Packet 51067 UDP Packet 51067 UDP Packet 57195 UDP Packet 138 NBT Datag... 51067 UOP Packet 51067 UDP Packet 51067 UOP Packet 51067 UOP Packet 51067 51067 UOP Packet UOP Packet
[0 0 0 100 00 02])[81]
[0001000002])|81)
[00 01 00 00 15 BC 9j [00 01 00 O OB9]\[E7
3 1 0 MS Cl^ 1080 SOCKS J 1433 SOI S... g 2234 Direct...
8 8
g109
KFSensor is a host-based Intrusion Detection System (IDS) It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans
10/22/2012 12:40:38 PM.322 0.000 UDP 138 NBTDatag... WIN-ETIR... NBT DGRAM Packet,
3128 M S Projo 3268 Globa...
3 | 3389 Termi...
< 1
Server Running Visitors: 4
I
Events: 28/28
>
h ttp://www. key focus, net

H o n e y p o t T o o l: K F S e n s o r
Source: http://www.keyfocus.net
KFSensor is a Windows-based honeypot intrusion detection system (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor is designed for use in a Windows-based corporate environment and contains many innovative and unique features such as remote management, a Snort-compatible signature engine, and emulations of Windows networking protocols. Features: GUI-based management console Remote management Q Snort compatible signature engine
Emulations of Windows networking protocols Q Export logs in multiple formats
Module 17 Page 2613
Denial-of-service (DOS) attack protection

KFSensor Professional - Evaluation Trial
File View Scenario Signature* Settings Help
L=1h I
Visitor 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... ADMIN-PC ADMIN-PC 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 157.56.149.... 1S7.S6.149.... 157.56.149.... WIN-ETLR... Received [0001 0000901AC. (0001 000094]9(DA [00 01 00 00 E2 EF E5 (00 01 00 00 2 EF t i [0001 00 00 BD]((01 [0001 0000M01 OC [E5 A5 80 00 00 01 0C NBT DGRAM Packet [00 01 00 00]t(01 OC [00 01 00 00 FE 85 02 [0001 00 00 D2])[81) [0001 00 00 D2])[81) [00 01 00 001 SBC 9/ [00 01 00 00 B9J\JE7 [0001 0000 89ME7 [00 01 00 00]q[F9 EF [00 01 00 00 FF 92])[( [00 01 00 00 FF 92])[( (00 01 00 00 OO DB1 [00010000]c-[AFF: NBT DGRAM Packet
i 8
A A
?1 1 ; r 5 1! i g g a
10 O 129 O ' 128 CM 27 <? 126 <? 125 (S' 124 O 123 0 122 12 1 Start
r i tf a * *
Du*... 0.000 0.000 0.000 0MO 000 0.000 0X100 0.000 OMO OMO OJXO OMO OMO OMO OMO OMO OMO OMO OMO OMO OMO Pr... UDP UDP UDP UDP UOP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UOP UDP UDP UOP UDP UDP m Sens...
\
N*m<
- j kfswor kxalho- _ j TCP s j 0 Closed T...
10/22/2012 12:44:32 PM.538 10/22/2012 12:44:31 PM.796 10/22/2012 12:44:31 PM.027 10/22/2012 12243:57 PM.200 10/22/2012 12:43:56 PM.451 10/22/2012 12:43:55 PM.768 10/22/2012 12:43:44 PM.14S 10/22/2012 12:43:43 PM.737 10/22/2012 12:43:14 PM.860 10/22/2012 12:43:14 PM.285 10/22/2012 12:43:13 PM.704 10/22/2012 12:42:32 PM.749 10/22/2012 12:42:32 PM.519 10/22/2012 12:42:32 PM.288 10/22/2012 12:41:49 PM.172 10/22/2012 12:41:48 PM.944 10/22/2012 12:41:48 PM.714 10/22/2012 12:41:03 PM.652 10 /1 / 01 i 4 1 j pm.41 10/22/2012 12:41:03 PM.186 10/22/2012 12:40:38 PM.322
51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 57195 UDP Packet 138 NBT Datag... 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet 51067 UDP Packet S1047 UOP Packet 51067 UDP Packet 138 NBT Datag...
M2 1F T P
j 53 ONS
25 SMTP
3 68 OHCP
J
3
10 IIS [wet
110 POP3
j g 119 NNTP
B
g
Mt RB...
139 NBT Se...
O 120 < 5 119 O 118 O 117 9 116
^ 389 LDAP
j4 4 > .M wt^ 593 CIS 0 5 1038 MS CL. 1080 SOCKS SQLS... 2234 Direct... j 5 3128 IIS Pro*; J J
0
1433
O 115 O 114 O 113 O 11 2 111 O 11 0 S 109
3268 Glob*... 3389 Ttrmi...

CW> C/W> I 1 1( K I II I
>
< T
I
Server. Running Visitors; 4 Events: 28/28
FIGURE 17.19: KFSensor Screenshot
Module 17 Page 2614
Honeypot Tool: SPECTER
CEH
SPECTER is a smart honeypot-based intrusion detection system that offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET which appear perfectly normal to the attackers but in fact are traps SPECTER provides massive amounts of decoy content including images, MP3 files, email messages, password files, documents, and all kinds of software
& ns _ | ?i M a p f l 21 r P 1U N R P C P S S H 2J 2J P SUB? O J K JJ B P BENERC
2\ 2\ 21 2\ 21 2\ 21
P P P F P r
* Shjtrd U* * 1 EvytW C |
2i
j 21
21
MalScMrlPAdtott | j* IU.' co m
2\
2!
2 1&
IrsW* ntforginmail
2 1
|2 1
| 2J | 2J
5wu1M1pisi|h]r j j
S d P w .iw d
lPAdd1.net EAM.l iW
|7 S rn d P w r _J
.11
http://www .specter. com
H o n e y p o t T o o l: S P E C T E R
Source http://www.specter.com
SPECTER is a honeypot or deception system. It simulates a complete system, providing an interesting target to lure hackers away from production systems. It offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, they are traps so that traces are left without the attacker knowing that they are connected to a decoy system that does none of the things it appears to do; but instead, it logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content and it generates decoy programs that can't leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change constantly without user interaction. Advantages: Q Q Suspicious interest in the network, and computers, can be detected immediately. Administrators are notified of hostile activity when it happens, so that they can immediately look at the problem and take action.
Module 17 Page 2615
The system is very easy to set up and configure while providing sophisticated features. Fully automated online updates of the honeypot's content and vulnerability databases allow the honeypot to change constantly without user interaction.
Q There cannot be false alerts, as a legitimate user cannot connect to the honeypot. 0 Specter simulates in 14 different operating systems:
Windows 98, Windows NT, Windows 2000, Windows XP, Linux, Solaris, Tru64, NeXTStep, Irix, Unisys Unix, AIX, MacOS, MacOS X, and FreeBSD.
Enpne Veron
S
Operaing Sytfem r Random r Wndom 98 C Wndowi N T r Wrdom 2003 ^ WndomXP r MacOS r MacOS X r u u r Sc*am r NeXTStep r TruS4 r 1w
C
Setvcei Lap.
TNeadt Coroecbom 1014 Notfcon P IradartOe P AMmal P p

Short mad Siafut
P FTP P TELNET P SMTP P FINGER P HTTP P NETBUS P POP3 p Provide maij . 21 2] 21 21 21
p DM S p IM AP4 p SUNR PC P
SSH
2 J 21 21 21 21 21 21
-U 21 21 21 21 S lit tngwe SlopEwqww | | Roconliqurc Log Anatyxcr j J

_2J
m a d
P SUB7 P B02t p GENERIC
P Emm log T Srrios
p btoo
P CoMwoaora Load Save

U w Corftguabon j ?1
Cor*gja Sydofl | p Sfc c 2i
P fg P Tiace Fngei P Port Scan P ONS Lookup p Whoa P Fip Barra* p Sfrtp Banner P Http Header
21 21
Siencai Confutation I Syttem Name p Mart _?J P Legal mesiage

Pam*or<j Type C Easy
|art!enantf edu
|0UTFW fT0
|ISC 168 1 : 5 0
1 1
com
C o r t q ja K r , |_ 7 J
ConhguatocnVwwon
M jJS w v m IP A M * .
r U rn / 5U n w r AK
r FreeBSD
Character
2J 2J
21 21
P (MnexxMas _>J
MadAdAeit
^ WebScrvKxC0rf1gu 4 M n| 71 2 J ------------------------------' _ | p Inckjde seKrqt rtmafc 21
p Tetoet Banner j j r Random r Fa*ng C Secvce ^ Open C
f? Noimd r Hard r Mean Fufi C Chetvact C Warning
QadilOiioMai |
r UiaHTTPPio^.
Short M ari Adder. P Remote Management
com Port J
_7J
Statu* Mai Penod [h | f!7
_?J
| 6 8 0
Po**Pc*
PicairuaH!
J21
P E>eect fnenJ^connecftoru P Ute cuiiom mai menage tot POP3 P Utecurfomwaimgmeiiage
p HttpDocimem _7J P Trace Route
J2 J J-l
21
r Sham p e
H o p . |
3 0
p SandPWMe _ J
WchSM> | O
ffou a c f t o r aa r elogged
FIGURE 17.20: SPECTER Screenshot
Module 17 Page 2616
Honeypot Tools
LaBrea Tarpit
h ttp ://la brea. sou reef or ge. net
CEH
WinHoneyd
http://www2.nets/igilance.com
PatriotBox
http ://w w w . alkasis. com
HIHAT
http://hih at.sou rceforge.net
Kojoney
h ttp ://kojo ney. sourceforge. net y ,
*
^
^
Argos
h ttp ://w w w .fe w . vu.nl
H I
HoneyBOT
h ttp://w w w .atom icsoftw aresolution s.com
Glastopf
http ://glastopf.org
Google Hack Honeypot

h ttp://ghh.sourceforge.net m !n 1 E|
Send-Safe Honeypot Hunter

h ttp://w w w .send-safe.com
H o n e y p o t T o o ls
Honeypots are the security tools that give the security community an opportunity to monitor attackers' tricks and exploits by logging their every activity, so that they can respond to these exploits quickly without attackers actually misusing and compromising systems. A few honeypot tools are listed as follows: Q LaBrea Tarpit available at http://labrea.sourceforge.net Q PatriotBox available at http://www.alkasis.com Koionev available at http://koioney.sourceforge.net HoneyBOT available at http://www.atomicsoftwaresolutions.com Google Hack Honeypot available at http://ghh.sourceforge.net WinHoneyd available at http://www2.netvigilance.com Q HIHAT available at http://hihat.sourceforge.net Q Argos available at http://www.few.vu.nl 9 Glastopf available at http://glastopf.org Q Send-Safe Honeypot Hunter available at http://www.send-safe.com
Module 17 Page 2617
Module Flow
CEH
Copyright by EG-G*nncil. All Rights Reserved. Reproduction Is Strictly Prohibited.
ft;
M o d u le F lo w
An IDS is the critical security mechanism implemented in order to prevent intrusions and at the same time, to alert the security personnel when an attacker attempts to intrude into the network. An IDS can detect the attacker's attempts of breaking into the network. In order to avoid being detected by the IDS, attackers try to evade IDSes.
Detecting Honeypots
Firewall Evading Tools -" ' Countermeasure
>
Evading IDS
Evading Firewall
cL
Penetration Testing
This section describes the ways in which attackers try to evade IDSes.
Module 17 Page 2618
Insertion Attack
U rtifM
CEH
tUx*l lUckM
An attacker exploits this condition and inserts data into the IDS
Attacker obscures extra traffic and IDS concludes traffic is harmless
Sees "A ttack"
S ees "Atxack"
N etw ork M on ito r
l o im
i o i
in i
n in i
*
Accepted M onitor
An attacker sends one-character packets to the target system via the IDS with varying TTL such that some packets reach to the IDS but not the target system This will result in the IDS and the target system having two different character strings
Rejected by End System
Attacker's
Data Stream
A Figure: Insertion of the letter 'X
In s e rtio n A tta c k
The process where the attacker confuses the IDS by forcing it to read the invalid packets is known as insertion, that is, the packet would not be accepted by the system to which it is addressed. If a packet is malformed or if it does not reach its actual destination, the packet is invalid. If the IDS read an invalid packet, the IDS will become confused. To understand how insertion becomes a problem for a network IDS, it is important to understand how IDSes detect attacks. The IDS employs pattern-matching algorithms to look for specific patterns of data in a packet or stream of packets. For example, IDSes might look for the string "phf" in an HTTP request to discover a PHF Common Gateway Interface (CGI) attack. An attacker who can insert packets into the IDS can prevent pattern matching from working. For instance, an attacker can send the string "phf" to a web server, attempting to exploit the CGI vulnerability, but force the IDS to read "phoneyf" (by "inserting the string "oney") instead. One simple insertion attack involves intentionally corrupting the IP checksum. Every packet transmitted on an IP network has a checksum that is used to verify whether the packet was corrupted in transit. IP checksums are 16-bit numbers that are computed by examining information in the packet. If the checksum on an IP packet does not match the actual packet, the host to which it is addressed will not accept it, while the IDS might consider it as part of the effective stream.
Module 17 Page 2619
For example, the attacker can send packets whose Time to live fields have been crafted to reach the IDS but not the target computers. An attacker confronts the IDS with a stream of onecharacter packets (the attacker-originated data stream), in which one of the characters (the letter 'X') will be accepted only by the IDS. As a result, the IDS and the end system reconstruct two different strings.
"
Accepted Monitor
Rejected by End System
Attacker's Data Stream Figure: In sertio n o f th e le tte r 'X
A
............................ FIGURE 17.21: Insertion Attack
Module 17 Page 2620
E v a sio n
In this evasion technique, an end system accepts a packet that an IDS rejects
C EH
Using this technique, an attacker exploits the host computer Attacker sends portions of the request in packets that the IDS mistakenly rejects, allowing the removal of parts of the stream from the IDS For example, if the malicious sequence is sent byte-by-byte, and one byte is rejected by the IDS, the IDS cannot detect the attack
E v a sio n
An "evasion" attack occurs when the IDS discards a packet that the host to which it is addressed accepts. Evasion attacks are devastating to the accuracy of the IDS. An evasion attack at the IP layer allows an attacker to attempt arbitrary attacks against hosts on a network, without the IDS ever realizing it. The attacker sends portions of the request in packets that the IDS mistakenly rejects, allowing the removal of parts of the stream from the ID system's view. For example, if the malicious sequence is sent byte-by-byte, and one byte is rejected by the IDS, the IDS cannot detect the attack. Here, the IDS gets fewer packets than the destination. One example of an evasion attack occurs when an attacker opens a TCP connection with a data packet. Before any TCP connection can be used, it must be "opened" with a handshake between the two endpoints of the connection. A fairly obscure fact about TCP is that the handshake packets can themselves bear data. IDSes that do not accept the data in these packets are vulnerable to an evasion attack.
Module 17 Page 2621
End System
Sees "Attack"
Sees "Attack"
Network Monitor
in
n in iin
Accepted M onitor
Rejected by
End System
Attacker's Data Stream
A %.....
Figure: Insertion o f the letter 'A' FIGURE 17.22: Evasion
Module 17 Page 2622
D en ialofService Attack (DoS)

B B Many IDSs use a centralized server for logging alerts
CEH
If attackers know the IP address of the centralized server they can perform DoS or other hacks to slow down or crash the server As a result, attackers' intrusion attempts will not be logged
[ W \
Consumes the device's processing power and allows attacks to sneak by
Causes the device to lock up
Fills up disk space causing attacks to not be logged
technique, an attacker:
Causes personnel to be unable to investigate all the alarms
Causes more alarms than can be handled by management systems (such as databases, ticketing systems, etc.)
D e n i a l o fS e r v i c e A t t a c k (DoS)
Multiple types of denial-of-service attacks are valid against IDS systems. The attacker identifies a point of network processing that requires the allocation of a resource, causing a condition to occur that consumes all of that resource. The resources that can be affected by the attacker are CPU cycles, memory, disk space, and network bandwidth. The CPU capabilities of the IDS can be monitored and affected. This is because IDS needs half of the CPU cycle to read the packets, detecting what the purpose of their existence is, and then comparing them with some location in the saved network state. An attacker can verify the most computationally expensive network processing operations and then compel the IDS to spend all its time carrying out useless work. An IDS requires memory for a variety of things. For generating a match for the patterns, the TCP connections should be saved, the reassembly queues should be maintained, and the buffers of the data should be generated. In the initial phase, the system requires memory so that it can read the packets. Memory is allocated by the system. It is needed for network processing operations. An attacker can verify the processing operations that require the ID system to allocate memory and force the IDS to allocate all of its memory for meaningless information. In certain circumstances, the ID systems store activity logs on the disk. The stored events occupy most of the disk space. Most computers have limited disk space. The attackers can
Module 17 Page 2623
occupy a major part of the disk space on the IDS by creating and storing a large number of useless events. This renders the IDS useless in terms of storing real events. Network IDS systems record the activity on the networks they monitor. They are competent because networks are hardly ever used to their full capacity; few monitoring systems can cope with an extremely busy network. The IDS system, unlike an end system, must read everyone's packets, not just those sent specifically to it. An attacker can overload the network with meaningless information and prevent the IDS system from keeping up with what is actually happening on the network. Many IDSes today employ central logging servers that are used exclusively to store IDS alert logs. The central server's function is to centralize alert data so it can be viewed as a whole rather than on a system-by-system basis. However, if attackers know the central log server's IP address, they could slow it down or even crash it using a DoS attack. After the server is shut down, attacks could go unnoticed because the alert data is no longer being logged. Using this evasion technique, an attacker: Consumes the device's processing power and allows attacks to sneak by 6 Fills up disk space causing attacks to not be logged
Causes more alarms than can be handled by management systems (such as databases, ticketing systems, etc.) Causes personnel to be unable to investigate all the alarms Causes the device to lock up
Module 17 Page 2624
Obfuscating
CEH
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer understands but the IDS will not
Attackers can encode attack patterns in Unicode to bypass IDS filters, but be understood by an IIS web server
Polymorphic code is another means to circumvent signaturebased IDSs by creating unique attack patterns, so that the attack does not have a single detectable signature
Attackers manipulate the path referenced in the signature to fool the HIDS
Attacks on encrypted protocols such as HTTPS are obfuscated ifthe attack is encrypted
O b fu scatin g
Obfuscation means to make code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscator is sometimes used to convert a straightforward program into one that works the same way but is much harder to understand. An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. An attacker manipulates the path referenced in the signature to fool the HIDS. Using the Unicode character, an attacker could encode attack packets that the IDS would not recognize but that an IIS web server would decode and become attacked. Polymorphic code is another means to circumvent signature-based IDSes by creating unique attack patterns, so that the attack does not have a single detectable signature. Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is encrypted. Polymorphic code is another means to circumvent signature-based IDSes by creating unique attack patterns, so that the attack does not have a single detectable signature.
Module 17 Page 2625
F a ls e P o sitiv e G e n e ra tio n
This mode does not attack the target, but instead, it does something relatively normal. In this mode, an alarm is generated when no condition is present to warrant one. However, many IDSes falsely trigger on this. Another attack similar to the DoS method is to generate a large amount of alert data that must be logged. Attackers craft packets known to trigger alerts within the IDS, forcing it to generate a large number of false reports. This type of attack is designed to create a great deal of log "noise" in an attempt to blend real attacks with the false. Attackers know all too well that when looking at log data, it can be very difficult to differentiate between legitimate attacks and false positives. If attackers have knowledge of the IDS system, they can even generate false positives specific to that IDS.
Module 17 Page 2626
Session Splicing
A technique used to bypass IDS where an attacker splits the attack traffic in to many packets such that no single packet triggers the IDS
CEH
M any IDSs stops reassembly if they do not receive packets within a certain time
It is effective against IDSs that do not reconstruct packets before checking them against intrusion signatures
IDS will stop working if the target host keeps session active for a time longer than the IDS reassembly time
If attackers are aware of delay in packet reassembly at the IDS, they can add delays between packet transmissions to bypass the reassembly
Any attack attempt after a successful splicing attack will not be logged by the IDS
S e ssio n S p lic in g
Session splicing is an IDS evasion technique that exploits how some IDSes do not reconstruct sessions before performing pattern matching on the data. It is a network-level evasion method that divides the string across several packets. The data in the packets is divided into small portions of bytes and while delivering the string match is evaded. It is used by an attacker to deliver the data into several small sized packets. IDS can't handle too many small sized packets and fails to detect the attack signatures. If attackers know what IDS system is in use, they could add delays between packets to bypass reassembly checking. Many IDSes reassemble communication streams, so if a packet is not received within a reasonable amount of time, many IDSes stop reassembling and handling that stream. If the application under attack keeps a session active longer than an IDS will spend on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by the attacker. Different tools such as Nessus, Whisker, etc. are used for session splicing attacks.
Module 17 Page 2627
U n ic o d e E v a s io n T e c h n iq u e
C EH
Unicode is a character coding system to support the worldwide interchange, processing, and display of the written texts For Example, / > %u2215, e > %u00e9 (UTF-16) and %c2%a9, * -> %e2%89%a0 (UTF-
Attackers can convert attack strings to Unicode characters to avoid pattern and signature matching at the IDS Attackers can encode URLs in HTTP requests using Unicode characters to bypass HTTP-based attack detection at the IDS
8)
U n ic o d e E v a s io n T e c h n iq u e
Unicode is a character representation that gives each character a unique identifier for each written language to facilitate the uniform computer representation of each language. This is problematic for IDS technology because it is possible to have multiple representations of a single character. For example, '\' can be represented as 5C, C19C and E0819C, which makes writing pattern matching signatures very difficult. Example for how Unicode affects IDS: Microsoft IIS 4.0/5.0 Directory Traversal vulnerability released in October 2000 by Rain Forrest Puppy This IIS vulnerability improperly restricts directory listings that were Unicode encoded within the URL request This allowed remote attackers to view files on the IIS server that they normally would not be permitted to see
Module 17 Page 2628
F r a g m e n ta tio n A tta ck
C EH
Fragmentation can be used as an attack vector when fragmentation timeouts vary between IDS and host
If fragment reassembly timeout is 10 seconds at the IDS and 20 seconds at the target system, attackers will send the second fragment after 15 seconds of sending the first fragment
In this scenario, the IDS will drop the fragment as the second fragment is received after its reassembly time but the target system will reassemble the fragments
Attackers will keep sending the fragments with 15 second delays until all the attack payload is reassembled at the target system
F r a g m e n ta tio n A tta c k
Attackers break the single Internet protocol datagram into multiple packets of smaller size. IDS fragmentation reassembly timeout is less than fragmentation reassembly timeout of the victim. Attack Scenario: Assume the IDS fragmentation reassembly timeout is 15 seconds and the system is monitoring Linux hosts that have default fragmentation reassembly timeout of 30 seconds. After sending the first fragment, the attacker can send the second fragment with a delay of 15 seconds but still within 30 seconds. Now, the victim reassembles the fragments whereas at the IDS the fragmentation reassembly timeout parameter kicks in and the time out occurs. The second fragment received by the IDS will be dropped as the IDS has already lost the first fragment, due to time out. Thus, the victim will reassemble the fragments and will receive the attack whereas the IDS will not make any noise or generate alerts.
Module 17 Page 2629
(C o n td)
I f* "
CEH
4 #
Attacker NIDS Frag_timeout = lOsec Frag 1 Victim Frag_timeout = 20sec
T im e = o S e c
Frag 1
S en d in g
Frag 1
T im e = 1 5 S e c
1 0
<2
S e c < T im e 0 Sec
Frag 2
S en d in g
Frag 2
Frag 2
Frag 1
V
Attack
F r a g m e n t a t i o n A t t a c k ( C o n t d)
The following figure illustrates the attack where the NIDS fragmentation re-assembly timeout is less than the victim's fragmentation reassembly timeout.
Attacker
Victim
T im e = O Sec
Frag 1
Sending
Frag 1
Frag 1
T im e = 1 5 Sec
15
<3
Se c <Timo 0 S ec
F IG U R E 17.23: NIDS Fragm entation Re-assem bly P art 1
Module 17 Page 2630
(C o n td)
A similar fragmentation attack works when the IDS timeout exceeds the victim's
CEH
Victim and IDS receive frag 2 and 4 out of 4 fragments, both carry a false payload
IDS reassembles 4 received fragments, but computed net checksum is invalid, so packet is dropped
Victim drops these two fragments after 30 sec, and does not send ICMP since frag 1 never received
Victim and IDS receive real frag 2 and 4 out of 4 fragments
Victim and IDS receive frag 1 and 3 out of 4 fragments
Victim reassembles 4 received fragments and is attacked; IDS times out frag 2 and 4 and drops
c
<H|
An attacker has fragmented the attack packet into four segments: 1, 2, 3, and 4, and sends frag2 and frag4 with a false payload (referred as 2', 4'), which are received by both the victim and the IDS. The victim waits until the fragments' reassembly timeout occurs at the victim's end and it drops the initial fragments (30 seconds in this case). The victim still has not received fragment 1, so it will quietly drop the fragments and no ICMP error message will be thrown by the victim. The attacker then sends packets (1, 3) with legitimate payloads. At this stage, the victim has only fragments (1, 3), whereas the IDS has fragments (1, 2', 3, 4') in that 2, 4 fragments sent by attacker have a false payload. Since the IDS has all the four fragments it will do a TCP reassembly. Also, since fragments 2 and 4 have false payloads, the net checksum computed will be invalid. So, the IDS will drop the packet. If the attacker now sends fragments 2, 4 again with valid payload, the IDS will have only these two fragments, whereas the victim will have all (1, 3, 2, 4) fragments all with a valid payload, and it will do a reassembly and read the packet as an attack.
Module 17 Page 2631
F r a g m e n ta tio n A tta c k
(C o n ttt)
NIDS Frag_timeout= 60sec
Attacker
Victim Frag_timeout= 30sec
T im e = o S e c
Frag 2
S en d in g
Frag 4
Frag 2
Frag 4
Frag 2
Frag 4
T im e = 3
Sec
Waiting
Frag 2
Frag 4
Frag w a itin g
Fragments dropped
1
3 0 6 0
Sec <T < Sec
Frag 1
S en d in g
Frag 3
<Frag 4 Frag 3|| Frag 2 Frag 1
Frag 1
R eceived
Frag 3
1 .
F alse R easse m b ly
3 0 6 0
Sec <T < Sec
Frag 2
S en d in g
Frag 4
Frag 2
R eceived
Frag 4
....,j
Frag 4 Frag 3 Frag
Frag 1
j
1
C o rre ct re a s s e m b ly
Attack
The following figure illustrates an attack where the NIDS fragmentation reassembly timeout is more than the victim's fragmentation reassembly timeout.
<3
Attacker
T im e = o S e e Frag 2' Frag 4'
NIDS Frag_tim eout= 60sec Victim F r a g tim e o u t- 30sec
Frag 2'
Frag 4'
Frag 2'
Frag 4'
T im e = 3 0 S e c
W aiting
Frag 2
Frag 4'
Fragments dropped
3 0 Sec < T < b o See
Frag 1
Frag 3
Frag 4
F rag 3 Frag 2' F rag 1
Frag 1
Frag 3
False Reassembly
3 0 See <T < 6 0 See
Frag 2
Frag 4
Frag 2
Frag 4
Frag 4 Frag 3 Frag 2 Frag 1
Correct reassembly
y
Attack
F IG U R E 17.24: NIDS Fragm entation Re-assem bly P art 2
Module 17 Page 2632
Overlapping Fragments
An IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap
CEH
El
0 ,
When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes
For example, the first packet will include 80 bytes of payload, but the second packet's sequence number will be 76 bytes after the start of the first packet
Some operating systems will take the original
* ' * 1 "' '
!.arc li 1 c 1uu3n|uc1u iiagmcii yviui a given offset (e.g., Cisco IOS)
O v e rla p p in g F ra g m e n ts
Source: http://books.google.co.in
An IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap. In an overlapping fragment attack, the packets start in the middle of another packet. For example, the first packet can include 80 bytes of payload, but the second packet's sequence number can be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems can take the original fragments with a given offset (e.g., Windows W2K/XP/2003) and some operating systems can take the subsequent fragments with a given offset (e.g., Cisco IOS).
Module 17 Page 2633
:
Attacker W indow s XP CiscolOS
Frag 3
Frag 2 Sending
Frag 1
Frag 3
Frag 2 Received
Frag 1
Frag 3
Frag 2 Received
Frag 1
Frag 4
Frag 3 Sending
Frag 2
Frag 4
Frag 3
Frag 2
Frag 1
Frag 4
Frag 3
Frag 2
Frag 1
Reassembled FIGURE 17.25: Working of Overlapping Fragments
Reassembled
Module 17 Page 2634
T im e -T o -L iv e A tta c k s
fe rtM M Ith K Ji lU c k M
CEH
These attacks require the attacker to have a prior knowledge of the topology of the victim's network This information can be obtained using tools such as traceroute which gives information on the number of routers between the attacker and the victim
Attacker breaks malicious traffic into 3 fragments
Attacker sends frag 1 with high TTL, false frag 2 with low TTL
IDS receives both fragments, victim receives first fragment only
Attacker sends frag 3 with high TTL
IDS reassembles 3 fragments into meaningless packet and drops
Victim receives real frag 2, and suffers attack, while no log entry created
Source: http://www.scribd.com Each IP packet has a field called Time to Live (TTL), which indicates how many more hops the packet should be allowed to make before being discarded or returned. Each router along a data path decrements this value, by one. When a router decrements this value to zero, it drops the packet and sends an ICMP alert notification. Typically, when a host sends a packet, it sets the TTL to a value high enough that the packet can reach its destination under normal circumstances. Different operating systems use different default initial values for the TTL. Because of this an attacker can guess the number of routers between itself and a sending machine, and make assumptions on what the initial TTL was, thereby guessing which OS a host is running, as prelude to an attack. In order to prevent such detection, SmartDefense can change the TTL field of all packets (or all outgoing packets) to a given number. A router is present between the IDS and a victim - and the attacker is assumed to have this prior information and carries out the attack by breaking it into three fragments. Attacker sends fragment 1 with a large TTL value, which is received by both the IDS and the victim and then sends second fragment (frag2') with the TTL value of 1 and false payload. This fragment is received by the IDS, whereas the router (which is situated between the IDS and the victim) discards it as the TTL value is now reduced to zero. At this stage, the IDS has only fragment 2 as
Module 17 Page 2635
it has already performed a reassembly and the stream has been flushed. The attacker finally sends the second fragment with a valid payload and the victim performs a reassembly on fragments (1, 2, 3) and gets the attack. The attacker then sends fragment 3 with a valid TTL. This makes the IDS perform a TCP-reassembly on fragments (1, 2 ', 3), whereas the victim still waits for the second fragment.
Module 17 Page 2636
(C o n td)
CEH
TTL-based Evasion Attack

T i m e - T o - L i v e A t t a c k s ( C o n t d)
The following figure illustrates the Time-to-Live attack, a TTL-based evasion attack:
Attackor
.......
Router
f J)
Victim
NIDS
Sending
Trag 2'
TTL=1
Sending
Frag 2' TTL=1
Frag 1
Frag dropped at router
Frag 1
W aiting
Frag 3
Sending
Frag 3
Frag 2'
False Reassembly
Frag 1
Frag 3
Frag 1
Frag 3
Sending
Frag 2
Frag 1
C orrect Reassem bly
TTL-based evasion attack F IG U R E 17.26: Time-To-Live Attacks
Module 17 Page 2637
In v a lid R S T P a c k e ts
C EH
TCP uses 16-bit checksum field for error-checking of the header and data
Reset (RST) flag in a TCP header is used to close a TCP connection
In invalid reset attack, attackers send RST packet to the IDS with an invalid checksum
IDS stop processing the packet thinking that the ended but the target system will receive the packet
The target system checks the RST packet's checksum and drops it
The attack enables attackers to communicate with the target system while the IDS thinks that the communication has ended
In v a lid RST P a c k e ts
The TCP protocol uses checksums to ensure that communication is reliable. A checksum is added to every transmitted segment and it is checked at the receiving end. When a checksum differs from the checksum expected by the receiving host, the packet is dropped at the receiver's end. The TCP protocol also uses an RST packet to end two-way communications. Attackers can use this feature to elude detection by sending RST packets with an invalid checksum, which causes the IDS to stop processing the stream because the IDS thinks the communication session has ended. However, the end host sees this packet and verifies the checksum value, then drops the packet if it is invalid Some IDS systems might interpret this packet as an actual termination of the communication and stop reassembling the communication. Such instances allow attackers to continue to communicate with the end host while confusing the IDS because the end host accepts the packets that follow the RST packet with an invalid checksum value.
Module 17 Page 2638
U rg e n c y F la g
Urgent (URG) flag in the TCP header is used to mark the data that require urgent processing at the receiving end
CEH
Ifthe URG flag it set, the TCP protocol sets the Urgent Pointer field to a 16-bit offset value that points to the last byte of urgent data in the segment
Many IDSs do not consider the urgent pointer and process all the packets in the traffic whereas the target system process only the urgent data
This results in the IDS and the target systems having different set of packets, which can be exploited by attackers to pass the attack traffic
I 1| I
Urgency flag attack example
"1 B y t e data, next to U r g e n t data, w i l l b e lost, w h e n U r g e n t d a t a a n d nor m a l d a t a ar e com b i n e d . " P a c k e t 1: AB C P a c k e t 2: DE F U r g e n c y P o i n t e r : 3 P a c k e t 3: GHI E n d result: A B C D E F H I
rks in This example illustrates how the urgency flag works conjunction with the urgency pointer
:auses According to the RFC 1122, the urgency pointer causes one byte of data next to the urgent data to be lost when urgent data is combined with normal data
I
I
U rg e n cy F la g
The urgency flag is used within the TCP protocol to mark data as urgent. TCP uses an urgency pointer. That points to the beginning of urgent data within a packet. When the urgency flag is set, all data before the urgency pointer is ignored, and the data to which the urgency pointer points is processed. Some IDSes do not take into account the TCP protocol's urgency feature, which could allow attackers to evade the IDS, as seen in other evasion techniques. Attackers can place garbage data before the urgency. The pointer and the IDS read that data without consideration for the end host's urgency flag handling. This means the IDSes have more data than the end host actually processed. Urgency flag attack example: "1 Byte data, next to Urgent data, can be lost, when Urgent data and normal data are combined." Packet 1: ABC Packet 2: DEF Urgency Pointer: 3 Packet 3: GHI End result: ABCDEFHI
Module 17 Page 2639
This example illustrates how the urgency flag works in conjunction with the urgency pointer. According to the 1122 RFC, the urgency pointer causes one byte of data next to the urgent data to be lost when urgent data is combined with normal data.
Module 17 Page 2640
P o ly m o rp h ic S h e llc o d e
/ Most IDSs contain signatures for commonly used strings within shellcode V > < / This is easily bypassed by using encoded shellcode containing a stub that decodes the shellcode that follows
CEH
This method also hides the . .. commonly used strings Mcode'0 shellcode, making shellcode signatures useless
----
----
This means that shellcode can be completely different each
--------~ Polymorphic shellcode allows attackers to hide their shellcode by encrypting it in a simplistic form
It is difficult for IDSs to identify this data as shellcode
Ip r g y
P o ly m
o r p h ic
S h e llc o d e
Most IDSes contain signatures for commonly used strings within shellcode. This is easily bypassed by using encoded shellcode containing a stub that decodes the shellcode that follows. This means that shellcode can be completely different each time it is sent. Polymorphic shellcode allows attackers to hide their shellcode by encrypting it in a simplistic form. It is difficult for IDSs to identify this data as shellcode. This method also hides the commonly used strings within shellcode, making shellcode signatures useless.
Module 17 Page 2641
A S C II S h e llc o d e a
CEH
The following is an ASCII shellcode example:
ASCII shellcode includes characters which are present only in ASCII standard Attackers can use ASCII shellcode to bypass the IDS signature as the pattern matching does not work effectively with the ASCII values Scope of ASCII shellcode is limited as all assembly instructions cannot be converted to ASCII values directly This limitation can be overcome by using other sets of instructions for converting to ASCII values properly
char shellcode[] = "LLLLYhb0pLX5b0pLHSSPPWQPPaPWSUTBRDJfh5 tDS" "RajYX0Dka0TkafhN9fYfILkbOTkdj fYOLkfOTk gfh" "6rfYflLki0tkkh95h8YlLkmjpY0Lkq0tkrh2wn uXl" "DksOtkwj fXODkxOtkxOtkyCj nYOLkzCOTkzCCj
txo
"DkzCOtkzCj3X0Dkz0TkzC0tkzChjG3IYlLkzCC CCO" "tkzChpfcMXlDkzCCCC0tkzCh4pCnYlLkzlTkzC CCC" "fhJGfXflDkzfltkzCCjHXODkzCCCCjvYOLkzCC Cjd" "XODkzCOTkzCjWXODkzOTkzCjdXODkzCjXYOLkz Otk" "zMdgwn9Flr8F55h8pG9wnuvjrNf rVx2LGkG3I Dpf " "cM2KgmnJGgbinYshdvD9d";
W hen executed, the shellcode above executes a "/bin/sh" shell, ,bin' and ,sh' are contained in the last few bytes of the shellcode. Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
A S C I I
S h e llc o d e
ASCII shellcode contains only characters contained within the ASCII standard. This form of shellcode allows attackers to bypass commonly enforced character restrictions within string input code. It also helps attackers bypass IDS pattern matching signatures because strings are hidden within the shellcode in a similar fashion to polymorphic shellcode. Using ASCII for shellcode is very restrictive in that it limits what the shellcode can do under some circumstances because not all assembly instructions convert directly to ASCII values. This restriction can be bypassed using other instructions or a combination of instructions that convert to ASCII character representation, which serves the same purpose of the instructions that improperly convert. The following is an ASCII shellcode example:
c h a r s h e llc o d e [] =
"L L L L Y h b 0 p L X 5 b 0 p L H S S P P W Q P P a P W S U T B R D Jfh 5 tD S " " R a jY X 0 D k a 0 T k a f h N 9 f Y f IL k b O T k d j fY O L k fO T k g f h " " 6 r fY fIL k iO tk k h 9 5 h 8 Y lL k m jp Y 0 L k q 0 t k r h 2 w n u X l" " D k s O t k w j fX O D k x O tk x O tk y C jn Y O L k z C O T k z C C jtX O " " D k z C 0 tk z C j3 X 0 D k z 0 T k z C 0 t k z C h jG 3 IY lL k z C C C C 0 "
Module 17 Page 2642
tk z C h p fc M X lD k z C C C C 0 tk z C h 4 p C n Y lL k z lT k z C C C C " fh JG fX f lD k z f lt k z C C jH X O D k z C C C C jv Y O L k z C C C jd " "X O D k z C O T k z C jW X O D k z O T k z C jd X O D k z C jX Y O L k z O tk " 1 1z M d g w n 9 F l r 8 F 5 5 h 8 p G 9 w n u v j r N f r V x 2 L G k G 3 I D p f " ,Ic M 2 K g m n J G g b in Y s h d v D 9 d " ;
When executed, the shellcode above executes a "/bin/sh" shell, 'bin and 'sh' are contained in the last few bytes of the shellcode.
Module 17 Page 2643
A p p lic a tio n -L a y e r A tta c k s
UrtifM
C EH
ItkKJl Nm Im
Applications accessing m edia files (audio, video and im ages) com press them to sm aller size for maximizing data tran sfer rate
IDS cann ot ve rify th e signature of com pressed file form at
This enables an attacker to exploit th e vu ln erabilities in com pressed data
IDS can recognize p articular conditions favorable for attack but o ther alternative form s o f attack are also possible, for exam ple, various integer values can be used to exploit integer o ve rflo w vulnerabilities
This m akes th e detection of attack traffic extrem ely difficult at th e IDS
A p p lic a t io n - la y e r
A t t a c k s
In order to transfer media files speedily, such as images, audios, videos, the files can be compressed and transferred in smaller parts. Attackers find flaws in this compressed data and perform attacks and even IDSes cannot identify the signatures within the compressed data. Many applications that deal with media such as images, video, and, audio employ some form of compression to be sent in a form much smaller than the original, which increases data transfer speeds. When a flaw is found in these applications, the entire attack can occur within compressed data, and the IDS can have no way to check the compressed file format for signatures. Many IDSes look for specific conditions that allow for an attack. However, there are times when the attack can take many different forms. For example, integer overflow vulnerabilities could be exploited using several different integer values. This fact combined with compressed data makes signature detection extremely difficult.
Module 17 Page 2644
D e s y n c h r o n iz a t io n
P r e
C o n n e c t io n
C EH
If a SYN packet is received after the TCP control block is opened, the IDS resets the appropriate sequence number to match that of the newly received SYN packet
- m
Attackers send fake SYN packets with a completely invalid sequence number to desynchronize the IDS
This stops IDS from monitoring all, legitimate and attack, traffic
P r e
C o n n e c t io n
S Y N
This attack calls bind to get the kernel to assign a local port to the socket before calling connect. This is another attack that an attacker performs and sends an initial SYN before the real connection is established, but with an invalid TCP checksum. The sniffer can ignore or accept subsequent SYNs in a connection. If the sniffer is smart, it does not check the TCP checksum; otherwise it checks the TCP checksum. If the sniffer checks the checksum, then the attack is synchronized and a bogus sequence number is sent to the sniffer/IDS before the real connection occurs.
Module 17 Page 2645
D esynchronization - Post Connection SYN

Once succeeded in resynchronizing the
IDS with a SYN packet, send an RST packet ---
with the new sequence number and close down its notion of the connection
The intent of this attack is to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet
It will then ignore any data that is a legitimate part of the original stream, because it will be awaiting a different sequence number
Send a post connection SYN packet in the data stream, which will have divergent sequence numbers, but otherwise meet all of the necessary criteria to be accepted by the target host
---However, the target host will ignore this SYN packet, as it references an already established connection
For this technique, attempt to desynchronize v--- the IDS from the actual sequence numbers that the kernel is honoring Copyright by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
P o s t
C o n n e c t io n
S Y N
To deceive an intelligent sniffer or an ID system, attackers do not directly try to deceive it, for it keeps track of the TCP sequence numbers. For this technique to work efficiently, attackers first desynchronize the sniffer or IDS. The attack on the sniffer or IDS can be implemented by sending a post connection SYN packet in the data stream. The data stream can have all the necessary sequence numbers (all different) and meet the criteria so that the stream is accepted by the target. After transmitting the data stream, the host ignores the SYN packet, because the reference of the SYN packet has already established connection. The motive behind this attack is to resynchronize the sniffer/IDS. If the attacker succeeds in resynchronizing the IDS with a SYN packet, attacker then sends an RST packet with the new sequence number.
Module 17 Page 2646
O th e r T y p e s o f E v a s io n
CEH
(rtifwd itkitjl
E n c r y p t io n
W hen the attacker h a s already established a n encrypted se ssio n with the victim, it results in the m ost effective eva sio n attack
T h e attacker se n d s lo a d s of unnecessary traffic to produce noise, a n d if ID Sd o e s not a n a lyze the n o ise traffic w ell, then the true attack traffic m ay g o undetected
O t h e r
T y p e s
o f E v a s io n
There are two more types of evasion: Encryption When the attacker has already established an encrypted session with the victim, it results in the most effective evasion attack. Flooding The attacker sends loads of unnecessary traffic to produce noise, and if the IDS do not analyze the noise traffic, the true attack traffic may go undetected.
Module 17 Page 2647
Module Flow
CEH
o d u le
F lo w
Firewalls are the security mechanisms implemented by a network or a system to protect itself from being attacked. Attackers try to bypass firewalls so that they can break the security mechanisms and gain access to the legitimate system or network.
Detecting Honeypots
Firewall Evading Tools Countermeasure
1?
Evading IDS
Evading Firewall
V
Penetration Testing
This section describes various ways in which an attacker can evade the firewall.
I P A d d r e s s S p o o f in g
C EH
IPa d d re s s sp o o fin g is a h ija ck in g te chn ique in w h ich a na tta cke rm a sq u e ra d e sa s a trusted h o st to c o n c e a lh is id e n tity, sp o o f aW e bs ite ,h ija ck b ro w s e rs ,o rg a in u n a u th o rize da c c e s s to a netw ork
A tta c k e rs m odify the a d d re ssin g inform ation in the IPp a c k e th e a d e ra n d the s o u rc e a d d re s sb its field in order to b y p a s s the firew all
F o re x a m p le , le t's c o n s id e r th re eh o s ts :A ,B a n dC H o s tC is atru ste dm a c h in eo fh o s tB H o s t Am a s q u e ra d e s to b ea sh o s t Cb y m o d ifyin g th e IPa d d re s s of th em a lic io u s p a c k e tsth a th e in te n d s to s e n d to th eh o s tB W h e n th ep a c k e ts a re re c e iv e d ,h o s t Bth in k s that th e ya re fro mh o s tC ,b u ta re a c tu a lly fro mh o s tA
iB 10;0.0.1 sss: 10.0.0.1 I ! ............. w Destination Address: Source Address1 :1 0 .0 .0 .2 | .................. ............ .
lv
flu
Host C: Trusted Machine
I P
A d d r e s s
S p o o f in g
IP address spoofing or IP spoofing is one of the ways that an attacker tries to evade firewall restrictions. IP spoofing is a technique where the attacker creates Internet protocol packets by using a forged IP address and gains access over the system or network without any authorization. The attacker spoofs the messages and they appear to be sent from a reliable source. Thus, the attacker succeeds in impersonating others identities with help of IP spoofing. Hackers generally use this technique for not getting caught while spamming and various other activities. The following scenario shows how an attacker bypasses a firewall by impersonating a different identity with the help of th IP spoofing technique: Let's consider three hosts: A, B, and C 0 Host C is a trusted machine of host B
Host A wants to send some packets to host B and A impersonates itself to be C by changing the IP address of these packets 0 When these packets are received, B thinks that these packets are from C, but actually they are from A
Module 17 Page 2649
FIGURE 17.27: Working of IP Address Spoofing
Module 17 Page 2650
S o u rc e R o u tin g
(crtifwd
c EH
ItkKJl Nm Im
S o u rc ero u tin ga llo w sth e s e n d e ro f ap a c k e t to p a rtia lly o rc o m p le te ly s p e c ify th e ro u te , th ep a c k e t ta k e s th ro u g h th en e tw o rk
V.
A sth ep a c k e t tra v e ls th ro u g h th en o d e s inth en e tw o rk ,e a c h ro u te re x a m in e s th ed e s tin a tio n I Pa d d re s sa n dc h o o s e s th en e x t h o pto d ire c t th ep a c k e t toth e d e s tin a tio n
Ins o u rc e ro u tin g , th es e n d e r m a k e ss o m eo ra ll o f th e s e d e c is io n so nth e ro u te r
The figure shows source routing, where the originator dictates eventual route of traffic
S o u r c e
R o u t in g
Using this technique, the sender of the packet designates the route that a packet should take through the network in such a way that the designated route should bypass the firewall node. Using this technique the attacker can evade the firewall restrictions. When these packets travel through the nodes in the network, each router will check the IP address of the destination and choose the next node to forward them. In source routing, the sender makes some or all of these decisions on the router. The figure shows the principle of the source routing but it is an optimal way, which makes the decision of the next hop.
* 1 * 1
Sender
----- L
A
D e s t in a t io n
c
F IG U R E 17.28:
Module 17 Page 2651
T in y F r a g m e n t s
A tta c k e rs c re a tetin y fra g m e n ts o fo u tg o in gp a c k e ts fo rc in gs o m eo f th eT C Pp a c k e t's h e a d e r in fo rm a tio n in to th en e x t fra g m e n t
(crtifwd
C EH
itkKJl
T h ea tta c kw ill s u c c e e dif th e filte rin g ro u te r e x a m in e so n ly th e firs t fra g m e n ta n da llo wa ll th e o th e r fra g m e n ts to p a s sth ro u g h
T h e ID S filte r ru le s th a ts p e c ify p a tte rn sw ill n o t m a tc hw ith th e fra g m e n te dp a c k e ts d u eto b ro k e n h e a d e r in fo rm a tio n
This attack is used to avoid user defined filtering rules and works when the firewall checks only for the TCP header information
IP 3 a r0 J I0 B 0 K S o u rc eP o rt
M K = 1 ,F ra g m e n t0 ffs e t= 0 D e s tin a tio nP o rt S e q u e n c eN u m b e r A c k n o w le d g e m e n tS e q u e n c eN u m b e r
D a ta O ffs e t C h e c k s u m
R e s e rv e d
A C K
- -
W in d o w U rg e n tP o in te r= 0
0
T in y
F r a g m
e n t s
The attacker uses the IP fragmentation technique to create extremely small fragments and force the TCP header information into the next fragment. This may result in a case whereby the TCP flags field is forced into the second fragment, and filters will be unable to check these flags in the first octet thus ignoring them in subsequent fragments. Attackers hope that only the first fragment is examined by the filtering router (firewall) and the remaining fragments are passed through. This attack is used to avoid user defined filtering rules and works when the firewall checks only for the TCP header information.
Module 17 Page 2652
IP-3ar0JI0B0K Source Port
MK=1, Fragment 0ffset=0 Destination Port Sequence Number Acknowledgement Sequence Number
Data Offset
Checksum
Reserved
ACK
Window Urgent Pointer=0
FIGURE 17.29: Tiny Fragments Diagram
Module 17 Page 2653
Bypass Blocked Sites Using IP A ddress in Place of URL

This method involves typing the IP address directly in browser's address bar in place of typing the blocked website's domain name Use services such as Host2ip to find the IP address of the blocked website
C EH
For example, to access Orkut, type its IP address instead of typing domain name
This method fails if the blocking software tracks the IP address sent to the web server
M . H H EQ 1 209.85.153.85 www.orkut.com ^
r^ r ir i 1 1 ____
k _ J
[..................... 1
'
_ ~ ^ ] __
!!
------------- - Orkut Login Page 1
B y p a s s U R L
B lo c k e d
S it e s
U s in g
I P
A d d r e s s
in
P la c e
o f
You can also evade firewall restrictions by typing the IP address of the blocked siteinstead of its domain names. This allows you to access the restricted or blocked sites. Youneed touse some tools to convert the target domain name into its IP address. For example: 0 0 0 Instead of typing www.Orkut.com, type its IP address to access Orkut Host2ip can help you to find the IP address of that blocked website If the blocking software can track the IP address sent to the web server, the website could not be unblocked or accessed by using this method
Attacker
L J ::::::::::::::::::::::
www.orkut.com Orkut Login Page
209.85.153.85 ^
F IG U R E 17.30: Bypass Blocked Sites Using IP Address in Place of URL
Module 17 Page 2654
Bypass Blocked Sites Using Anonymous Website Surfing Sites

J M a n yw e b s ite sa ro u n d th en e te n a b le su rfin g th e Intern e ta n o n y m o u s ly J S o m ew e b s ite sp ro v id eo p tio n s to e n cry p t th eU R L 's of th ew e b s ite s
CEH
J T h e s ep ro x yw e b s ite sw ill h id e th ea c tu a l IP a d d re s sa n dw ill s h o wa n o th e r IPa d d re s s , w h ic hc o u ld p re ve n t th ew e b site fro m b e in gb lo c k e d th u sa llo w in ga c c e s sto th e m
annymizer Proxy servers can

http ;//WWVN
http://'NWWSpVSUrf'ne
bp-oxv " ' h' P u unblock I h D://a 'M blocked websites ^ ^ 2
rxy.com
B y p a s s S u r f in g
B lo c k e d S it e s
S it e s
U s in g
A n o n y m
o u s
e b s it e
Anonymous website surfing sites help you to surf the Internet anonymously and to unblock blocked sites, i.e., evade firewall restrictions. By using these sites, you can surf restricted sites anonymously, i.e., without using your IP address on the Internet. There are a number of anonymous website surfing sites available on the Internet. Some websites provide options to encrypt the URLs of websites. Here is a list of some of the proxy servers that can help you to unblock blocked websites: 0 0 0 0 0 0 0 0 http://anonvmouse.org http://www.anonymizer.com http://www.webproxyserver.net http://www.boomproxy.com http://proxify.com http://www.spysurfing.com http://alienproxv.com http://zendproxy.com
Module 17 Page 2655
Bypass a Firew all Using Proxy Server

Find an appropriate proxy server
In the Port box, type the port number that is used by the proxy server for client connections (by default, 8080)
(crtifwd
c EH
ItkKJl lUckM
On the Tools menu of any Internet browser, go to LAN of Network Connections tab, and then click LAN/Network Settings
Click to select the bypass proxy server for local addresses check box if you do not want the proxy server computer to be used when connected to a computer on the local network
U n d e r Proxy server settings, s e le c t th eu s eap ro x ys e rv e r fo rL A N
C lic kOK to c lo s eth e LAN b o x
Settings dialog
Inth eA d d re s sb o x , typ e the IP address o f th e p ro x ys e rv e r
C lic kOK a g a intoc lo s ethe Options d ia lo gb o x
Internet
B y p a s s
F i r e w
a ll
U s in g
P r o x y
S e r v e r
By using a proxy server, you can also bypass the firewall restriction imposed by a particular organization. To evade the firewall restrictions using a proxy server, follow these steps: 1. Find an appropriate proxy server. 2. On the Tools menu of any Internet browser, go to LAN of Network Connections tab, and then click LAN/Network Settings. 3. Under Proxy server settings, select the use a proxy server for the LAN. 4. In the Address text box, type the IP address of the proxy server. 5. In the Port text box, type the port number that is used by the proxy server for client connections (by default, 8080). 6. Click to select the bypass proxy server for local addresses check box if you do not want the proxy server computer to be used when connected to acomputer on the local network. Click OK to close the LAN Settings dialog box. Click OK again to close the Internet Options dialog box.
7. 8.
Module 17 Page 2656
B K
It allows tunneling a backdoor shell in the data portion of ICMP Echo packets
RFC 792, which delineates ICMP operation, does not define what should go in the data portion
The payload portion is arbitrary and is not examined by most of the firewalls, thus any data can be inserted in the payload portion of the ICMP packet, including a backdoor application Some administrators keep ICMP open on their firewall because it is useful for tools like ping and traceroute Assuming that ICMP is allowed through a firewall, use Loki ICMP tunneling to execute commands of choice by tunneling them inside the payload of ICMP echo packets
-Q &
a
GO< S U
-
B y p a s s in g M e t h o d
F ir e w
a ll t h r o u g h
th e
I C
T u n n e lin g
ICMP tunneling allows tunneling a backdoor shell in the data portion of ICMP Echo packets. RFC 792, which delineates ICMP operation, does not define what should go in the data portion. The payload portion is arbitrary and is not examined by most of the firewalls, thus any data can be inserted in the payload portion of the ICMP packet, including a backdoor application. Some administrators keep ICMP open on their firewall because it is useful for tools like ping and traceroute. Assuming that ICMP is allowed through a firewall, use Loki ICMP tunneling to execute commands of choice by tunneling them inside the payload of ICMP echo packets
W ra p se v il c lie n tc o m m a n d inIC M PE c h op a c k e t ^ < ..................................... < ........................ ....................... U n w ra p sc o m m a n d ,e x e c u te sit, lo c a llyw ra p so u tp u t in IC M PE c h o P a c k e t, a n d re s e n d sb a c kto a tta c k e r Internet Client
Attacker
Firewall
FIGURE 17.31: Bypassing a Firewall through the ICMP Tunneling Method
Module 17 Page 2657
B ypassing Firew all through ACK T unneling M ethod

* It allow s tunneling a backdoor application w ith TCP packets w ith the ACK bit set
CEH
ACK bit is used to acknow ledge receipt of a packet
Some firewalls do not check packets with the ACK bit set because ACK bits are supposed to be used in response to legitimate traffic that is already being allowed through
Tools such as AckCmd (http://ntsecurity.nu) can be used to im plem ent ACK tunneling
Wraps evil client command in TCP packet
??m z z ::::= ! 1
Firew all Unwraps command, executes it, locally wraps output in TCP Packet, and resends back to attacker Internet Client
9
Attacker
F ir e w
a ll
t h r o u g h
t h e
A C K
T u n n e lin g
ACK tunneling allows tunneling a backdoor application with TCP packets with the ACK bit set. The ACK bit is used to acknowledge receipt of a packet. Some firewalls do not check packets with the ACK bit set because ACK bits are supposed to be used in response to legitimate traffic that is already being allowed through. Attackers use this as an advantage to perform ACK tunneling. Tools such as AckCmd (http://ntsecurity.nu) can be used to implement ACK tunneling.
Wraps evil client command in TCP packet
wm
Firew all Unwraps command, executes it, locally wraps output in TCP Packet, and resends back to attacker
5
Attacker
]82
In te rn e t Client
F IG U R E1 7 .3 2 :B y p a s s in gaF ire w a ll th ro u g h th eA C KT u n n e lin gM e th o d
Module 17 Page 2658
B ypassing Firew all through HTTP T unneling M ethod

that is unfiltered on its firewall
(rtifwtf
CEH
ilk K4 1 UthM
This method can be implemented if the target company has a public web server with port 80 used for HTTP traffic,
Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate HTTP traffic, thus it is possible to tunnel traffic inside TCP port 80 because it is already allowed
Tools such as HTTPTunnel (http://www.nocrew.org) use this technique of tunneling traffic across TCP port 80
HTTPTunnel is a client/server application, the client application is called htc, and the server is hts
Upload the server onto the target system and tell it which port is to be redirected through TCP port 80
Attacker
Firewall
Unwraps command, executes it locally wraps output in payload of HTTP packet and resends back to attacker Internet Client
F i r e w
a ll t h r o u g h
t h e
H T T P
T u n n e lin g
This method can be implemented if the target company has a public web server with port 80 used for HTTP traffic, that is unfiltered on its firewall. Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate HTTP traffic, thus it is possible to tunnel traffic inside TCP port 80 because it is already allowed. Tools such as HTTPTunnel (http://www.nocrew.org) use this technique of tunneling traffic across TCP port 80. HTTPTunnel is a client/server application, the client application is called htc, and the server is hts. Upload the server onto the target system and tell it which port is to be redirected through TCP port 80.
Wraps evil client command in payload of HTTP packet
Attacker
Firewall
Unwraps command, executes it locally wraps output in payload of HTTP packet and resends back to attacker
F IG U R E1 7 .3 3 :B y p a s s in gaF ire w a ll th ro u g h th eH T T PT u n n e lin gM e th o d
Module 17 Page 2659
B ypassing Firew all through E xternal System s

J L e g itim a te u s e rw o rk sw ith s o m ee x te rn a ls y s te mto a c c e s sth ec o rp o ra te n e tw o rk J A tta c k e rs n iffsth eu s e r tra ffic ,s te a lsth es e s s io n ID a n dc o o k ie s J A tta c k e ra c c e s s e sth ec o rp o ra te n e tw o rk b y p a s s in g th e fire w a ll a n dg e ts W in d o w s IDo f th e ru n n in g N e ts c a p e4 .x /M o z illa p ro c e s so nu s e r's s y s te m
r cu
J A tta c k e r th e n is s u e sa no p e n U R L () c o m m a n d to th e fo u n dw in d o w J U s e r's w e bb ro w s e r isre d ire c te d to th ea tta c k e r's W e bs e rv e r J T h em a lic io u sc o d e se m b e d d e d inth ea tta c k e r's w e b p a g ea red o w n lo a d e da n de x e c u te do nth eu s e r's m a c h in e
Corporate Network
1 tit
I- i
Legitimate User
User C
User B
_ J
B y p a s s in g
F ir e w
a ll
t h r o u g h
E x t e r n a l
S y s t e m
Attackers can bypass firewall restrictions through external systems as follows: 1. Legitimate user works with some external system to access the corporate network. 2. Attacker sniffs the user traffic, and steals the session ID and cookies. 3. Attacker accesses the corporate network bypassing the firewall and gets Windows ID of the running Netscape 4.x/ Mozilla process on user's system. 4. Attacker then issues an openURL() command to the found window. 5. User's web browser connects with the attacker's W W W server.
6. Attacker inserts malicious payload into the requested web page (Java applet) and thus the attacker's code gets executed on the user's machine.
Module 17 Page 2660
Corporate Network
.e g
Legitimate User UserC User B User A
Malicious Server
Attacker
F IG U R E1 7 .3 4 :B y p a s s in gaF ire w a ll th ro u g hE x te rn a lS y s te m s
Module 17 Page 2661
B ypassing Firew all through MITM Attack

8 8 Attacker performs DNS server poisoning User A requests for WWW.juggyboy.com to the corporate DNS server 8 8 Corporate DNS server sends the IP address (127.22.16.64) of the attacker e user's HHTP traffic
CEH
User A accesses the attacker's malicious server Attacker connects with the real host and tunnels the
The malicious codes embedded in the attacker's web page are dow nloaded and executed on the user's machine
Corporate Network
UscrC
1 ri
UserB
User A Juggyboy Server 192.76.23.14
Malicious server 127.22.16.64
Attacker
B y p a s s in g
F ir e w
a ll
t h r o u g h
I T M
A t t a c k
The following steps illustrate an example scenario of how an attackerbypasses firewall through an MITM attack: 1. 2. 3. 4. 5. 6. Attacker performs DNS server poisoning. User A requests WWW.juggyboy.com to the corporate DNS server. Corporate DNS server sends the IP address (127.22.16.64) of the attacker. User A accesses the attacker's malicious server. Attacker connects with the real host and tunnels the user's HHTP traffic. Attacker inserts malicious payload into the requested web page (Java applet),and thus the attacker's code is executed on the user's machine.
Module 17 Page 2662
Corporate Network
U s e rC
4 a
U s e rB
U s e rA Juggyboy Server 192 76 23 14 Mallclous server 127.22.16.64
Attacker
FIGURE 17.35: Bypassing a Firewall through a M U M Attack
Module 17 Page 2663
Module Flow
CEH
o d u le
F lo w
Honeypots are the mechanisms intended to track or divert attackers from entering into a genuine network without adequate permissions. Attackers in an attempt to break into the target network first check for honeypots, if any are installed on the target network. Attackers perform honeypot detection to check whether the target network has a honeypot or not. IDS, Firewall and Honeypot Concepts Detecting Honeypots
IDS, Firewall and Honeypot System a Evading IDS
Countermeasure
Evading Firewall
Penetration Testing
Module 17 Page 2664
This section provides insight into honeypot detection and the tools that can be used for detecting honeypots.
Module 17 Page 2665
D e te c tin g H o n e y p o ts
A tta c k e rs c a nd e te rm in e th e p re s e n c eof h o n e y p o ts b y p ro b in gth es e rv ic e s ru n n in go n th es y s te m
CEH
A tta c k e rs c ra ft m a lic io u sp ro b e p a c k e ts to s c a nfo rs e rv ic e s s u c ha sH T T Po v e rS S L( H T T P S ) , S M T Po v e rS S L(S M P T S ), a n d IM A Po v e rS S L(IM A P S )
T o o lsto p ro b eh o n e y p o ts : S e n d -s a feH o n e y p o t H u n te r N e s s u s H p in g P o rts th a ts h o wap a rtic u la rs e rv ic e ru n n in gb u td e n y ath re e -w a y h a n d s h a k e co n n e ctio n in d ic a te th e p re s e n c e of ah o n e y p o t
Note: Attackers can also defeat the purpose of honeypots by using multi-proxies (TORs) and hiding their conversation using encryption and steganography techniques Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
D e t e c t in g
H o n e y p o t s
A honeypot is a system used on the Internet designed especially for diverting the attacker by tricking or attracting him or her when he or she attempts to gain unauthorized access to the information system in an organization. Just as honeypots are intended to divert the attackers from actual network, attackers use honeypot detection systems or methods to identify the honeypots installed on the target network. Once they detect honeypots, attackers try to bypass them so that they can focus on targeting the actual network. Detecting honeypots involves three basic steps: 0 Attackers can determine the presence of honeypots by probing the services running on the system.
Q Attackers craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMPTS), and IMAP over SSL (IMAPS). Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot. Different tools such as Send-safe Honeypot, Hunter, Nessus, and Hping can be used for probing honeypots. Note: Attackers can also defeat the purpose of honeypots by using multi-proxies (TORs) and hiding their conversation using encryption and steganography techniques.
Module 17 Page 2666
Honeypot D etecting Tool: Send Safe Honeypot H unter

Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for "ho ney pots"
Fioalteslodieck
C EH
Send-Safe Honeypot Hunter 3.2.28 DEMO

Sstinos ?atu: Aboii
h ttp :/ / 1 0 .0 .0 1 6 / rn o re p e d S .ix l
Mlp://tQQa1SA>jpioi6c.lt
F e a tu re s : C h e c k s lis ts o fH T T P S ,S O C K S 4 ,a n dS O C K S 5 p ro x ie sw ith a n yp o rts

O u tp u t
0 Vabc crcxies @ Fdlcd pojiej: R i Honeyoots CAProcram Files (x85)kSendSafe HcneyDtf Hinter DEMOVooc C\P gOT Fibs (x85)\ScndSafe Honeypot Hunter DEMOVok CAProgam Files (x9S)kSend-Safe HcneyDcf Hinfer DEMOVw C \Progatn Fifes (x06)\Scnd-Safe Honeypot Hinter DEHl
10
...
Checks several rem ote or local proxylists at once
@ Al < cp * horcypoti:
0pfaw L J U t e proxies Nuioo gf '.hcadi.
jq
Ltslerer IP OiontIP:
10008 10008
rerrote
^ u p l o a d "Valid proxies honeypots' files to FTP
and
Ccrv*c(10r trn*0.1t 1 5
Nunbcr of retries |
SMTP Pat: 25
R BI 0 *6 .:
dsb
a t
Write log to file m irutes Log level. i5'DetaM ed Lc^ Fa< yl> pe. AUTO Q Rested afiei check
C a np ro c e s s ^^^^H autom atically e v e ry s p e c ifie dp e rio do f tim e
n Save w ockina woxes Ibefae HdL checkl la
I Check RB- r
Check pcKîs! every 3
M a yb eu s e dfo r
v a lid a tin ga sw e ll
Elaosedtme: U.UU.UU
Staited: N/A
h ttp ://w w w .s e n d -s a fe .co m
H o n e y p o t
D e t e c t in g
T o o l:
S e n d - S a fe
H o n e y p o t
H u n t e r
Source: http://www.send-safe.com Send-Safe Honeypot Hunter is a honeypot detection tool designed for checking lists of HTTPS and SOCKS proxies for honeypots. Some of the Send-Safe Honeypot Hunter features include: Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports Can check several remote or local proxylists at once 0 0 Can upload "Valid proxies" and "All exept honeypots" files to FTP Can process proxylists automatically every specified period of time
May be used for usual proxylist validating as well
Module 17 Page 2667
Send-Safe Honeypot Hunter 3.2.28 DEMO

Settings Status About http: /710.0.0.1 6/myproxies. txt http: lf\ 0.0.0.1 G/morepeas. txt
Proxylists to check:
Output [vl Valid proxies: @ Failed proxies: 0 Honeypots: 0 All exept honeypots: Options Use proxies: Number of threads: 50 Listener IP: Client IP: 10.0.0.8 10.0.0.8 v v remote remote C: ^Program Files (x86)\S end-S afe Honeypot H unter DE M0 \goc C: \Program Files (x86)\S end-S afe Honeypot H unter DE M0 \faile C: ^Program Files (x86)\S end-S afe Honeypot H unter DE M0 \hor C:\Program Files (x86)\S end-S afe Honeypot Hunter DEM I ... ... ...
Connection timeout: 15 Number of retries: R B L Check: 1 list. dsbl. org
SMTP Port: 25
___ Save working proxies (before RBL check) to: Check RBL first Q Check proxylist every I I Write log to file 30 minutes Log level: !5 -Detailed Log Proxy type: AUTO j v v
__Restart after check
Elapsed time: 0.00.00
Started: N/A
Stop
Start
F IG U R E1 7 .3 6 :H o n e y p o tD e te c tin gT o o l: S e n d -S a fe H o n e y p o tH u n te rS c re e n s h o t
Module 17 Page 2668
Module Flow
CEH
Copyright by EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
o d u le
F lo w
Firewall evasion can be accomplished with the help of tools. These tools help an attacker in evading the firewall and thus breaking into the network. With the help of tools, an attacker can evade a firewall easily and also in less time.
Detecting Honeypots
Firewall Evading Tools < Countermeasure
1? S g jp
Evading IDS
Evading Firewall
Penetration Testing
This section is dedicated to firewall evasion tools.
Module 17 Page 2669
Firew all Evasion Tool: Traffic IQ Professional

generating the standard application traffic or attack traffic betw een tw o virtual machines
CEH
Traffic IQ Professional enables security professionals to au dit and validate the b ehavior of security devices by
Kjappcom - Traffic IQ Professional Free Licence: 15 days remaining
\=11
Settings
Traffic IQ Professional can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet-filtering device including: S Application layer firewalls
- C PK yrr F i \&\
* J Traffic 0 *
lfp
Scan
Prompt - T lj
îtor
Script
^ Reports
o
_ k O J V f* P o *0
IHTTP IE DHTMl Sen I W o nS t.m HTTP IE Fort &>S$k HTTPIE HFW4gnbiJei a.-nflo* S HTTP IE Ob'eddaLarwnoleecettAonSkM HTTPIE Ob*dlag ovoltowSk* HTTP IE Pocup Btocke* Bypaet S kar HTTPIE Slatutbar Spool S kar HTTPIE IfleteiSportS.k* HTTP S kar HTTP IIS 40 HTR Ovaltow(wnK.bndl $ k* HTTP IIS 4 0 HTR OvwDow(vwr32 txnd SI HTTP IK 40 HTR Ovaftow (*52IbWlM0| S kar HTIP IIS 40 HIR O verflowlvwv*2_b^*a.upew>e) S k HTTP IIS 40HTR Ovwllow | *2 bm d vnc*c) S.k* HTTP IIS 40HTROvnHow(wn32 **clSkar HTTP IIS 40 Souc Cod# Owctotu (Gxkerw a*p) S Mr HTTP IIS SO ISAPI POST Ovwflow (**32 bnd) S kar HTTP IIS 5 0 ISAP1 POST Ovwftow(*.32 U..J me* p| S k HTTP ItS 5 0 ISAPI POST Ovwltaw (w *t32-bnd"rta] S I HTTP1K<;n K.aptpn^T n(v. u r>"vf , [thm dracKnt F 19? 168 ?100
| 0 CJwctPort
Intrusion detection systems e Intrusion prevention systems Routers and switches

!
_J C U M .
I CcnwtonFI** F o m h n rtfw lad i o lntfAto1dlrf44onlntor*Mer
Q ' -Q In to r n H Z t& c rti 1J*V

Karalo Q CCrrvnFIn O l I TrafelQlfaaiy */ Q TrVSclOPw 0 !H*pFte O ! Scion i _J Xutc Ffet
.r1
h ttp : //w w w .id a p p c o m .c o m
F i r e w
a ll
E v a s io n
T o o l:
T r a f f ic
IQ
P r o f e s s io n a l
Source: http://www.idappcom.com Traffic IQ Professional enables security professionals to audit and validate the behavior of security devices by generating the standard application traffic or attack traffic between two virtual machines. The unique features and packet transmission capabilities of Traffic IQ Professional make the task of reliably auditing, validating, and proving security compliance easy and quick to complete. It can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet-filtering device including Application layer firewalls, intrusion detection systems, intrusion prevention systems, and routers and switches.
Module 17 Page 2670
id a p p c o m- T ra ffic IQP ro fe s s io n a l -F r e eL ic e n c e :1 5d a y sre m a in in g

ile Help Groups | Scan Prompt Editor Tiaific Replay j) Import ^ Play ( J ) Pause Q Stop 3 [ Internal macfwte 1 (IP 132168.1.100 5 * Port
D irectio n
S i Traffic
Script
Reports
Settings
- C l Program Files (x86) C~\ Acunetix O Checkpoint O CMAK ~ 0 Com m on Files -Q Foundstone Free Tools (~ InstallShield Installation Information O ln*el P ! Internet Explotet C ] Java fp Karalon Q Com m on Files Q TtaffielQ Library Q Traffic IQ Pro Help Files O Scripts ^3 Tralfic Files KevFocus
A d a p te r S ta tu s
External machine IP 192.168.2100 ! f , PottO
HTTP IE DHTML S a t* Irêction S kar HTTP IE Font DoS Skat HTTP IE HRAign buffet overflow S kar HTTP IE Ob!ecl data !emote execution S kai HTTP IE Object tag overflow S kar HTTP IE Popup Blocker Bypass S.kar HT TP IE Statusbai Spoof S kar HTTP IE Titlebai Spoof S kat HTTP 1e5 W ex Ska HT TP IIS 4 0 HTR Overflow (w32_b d| S kat HT TP IIS 4 OHTR Overflow (Win32 bind meterpretei) Skat HTTP IIS 4 0 HTR Overflow (wn32.bmd.stg) S.kar HT TP IIS 4 OHTR Overflow (wn32 bind slg_upexec)S,kar HT TP IIS 4 0 HTR Overflow (wm32_Und_vncmject) S kat HTTP IIS 4 OHTR Overflow (win32_exec)S kar HTTP IIS 4 0 Source Code Disclosure (CodeGrws asp) S kai HTTP IIS 50 ISAP1 POST Overflow (wn32Jxnd) S kat HTTP IIS 50 ISAPI POST Overflow (Win32 bind meterpretei) S kat HTTP IIS 50 ISAPI POST Overflow (wn32 bm d stg) S.kar < !n !.nvr1c Trafhc Status External Machne Ethernet Packet Status
nTTP1
Internal Machine Ethernet Packets sent 72
Q i
Packets sent 7 1
FIGURE 17.37: Traffic IQ Professional Screenshot
Module 17 Page 2671
Ethical Hacking and Countermeasures Copyright by ECC0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Firew all Evasion Tool: tcp-overdns

tcp -o ve r-d -dns ns
tc p -o v e r-d n sc o n ta in s as p e c ia ld n ss e rv e ra n d as p e c ia l d n sc lie n t T h ec lie n ta n ds e rv e rw o rk in ta n d e mto p ro v id e aT C P (a n dU D P !) tu n ne l th ro u g h th es ta n d a rd D N Sp ro to c o l
CEH
WJL j
cT Command Prom pt - ja v a -jar tcp-over-dns-server.jar --domain
ip
B E D
C:\Utilities\tcp-overdns-l.0>java -jar tcp-over-dns-server.jar forward-port 22 000000.0 nain: tcp-over-dns-server starting up 000000.0 nain: Hosting dona in: * 000000.0 nain: DNS listening on: /0.0.0.0:53 000000.0 nain: Forwarding to: /127.0.0.1:22 000000.0 nain: hTU: 1S00 000000.0 nain: Log level: 3
Ld
h ttp : //a n a lo g b it.c o m
F ir e w
a ll
E v a s io n
T o o l:
tc p - o v e r - d n s
Source: http://analogbit.com tcp-over-dns contains a special dns server and a special dns client. The client and server work in tandem to provide a TCP (and UDP!) tunnel through the standard DNS protocol. It is similar to the defunct NSTX dns tunneling software. The purpose of this software is to succeed where NSTX failed. All NSTX tunnels disconnect within tens of seconds in real-world situations, tcpover-dns is written to be quite robust while at the same time providing acceptable bandwidth speeds. It features include: 9 Windows, Linux, Solaris compatibility
Sliding window packet transfers for increased speed and reliability Runtime selective LZMA compression Q TCP and UDP traffic tunneling
Module 17 Page 2672
F IG U R E1 7 .3 8 : tcp -o ve r-d n s in co m m a n d pro m t
Module 17 Page 2673
F i r e w a l l E v a s i o n T o o ls
J
*
CEH
UrtifW itkMl lUckw
S n a re A gent for W indow s

h ttp://w w w .intersectalliance.com
Sm
F re e n e t
h ttp s://fre en e tp ro je ct. org
Y o u rF re e d o m
h ttp ://w w w . your-freedom.net
P roxifier
h ttp ://w w w .p ro x if 1er.com
A telier W eb F ire w a ll T e s te r
La\ h ttp ://w w w .ate lie rw e b.co m
F ir e w
a ll
E v a s io n
T o o ls
Firewall evasion tools helps in breaching a firewall from inside as well as exporting data with innocent-looking packets that contain insufficient data for sniffers or firewalls to analyze. A few firewall evasion tools are listed as follows: Q Snare Agent for Windows available at http://www.intersectalliance.com
Q AckCmd available at http://ntsecurity.nu 9 Q e Q Tomahawk available at http://tomahawk.sourceforge.net Your Freedom available at http://www.your-freedom.net Atelier Web Firewall Tester available at http://www.atelierweb.com Freenet available at https://freenetproject.org
GTunnel available at http://gardennetworks.org Q Q 9 Hotspot Shield available at http://www.anchorfree.com Proxifier available at http://www.proxifier.com Vpn One Click available at http://www.vpnoneclick.com
Module 17 Page 2674
P a c k e t F r a g m e n t G e n e ra to rs
o
C o la so ft P a c k e tB uilder
h ttp :/'/w w w . colasoft. com
CEH
N C o n ve rt
h ttp : / / ww w.xn vie w. com
C om m V iew
h ttp ://w w w . tamos.com
g g %
fping 3
h ttp ://fp in g .o rg
h p in g 3
h ttp ://w w w . hping. org
N e tS c a n T o o ls P ro L*2 a]
h ttp://w w w .netscantools.com
M ulti-G enerator (M G E N )
h ttp ://c s .itd . nrl.navy. m il
p ktg e n
h ttp ://w w w .lin uxfo un da tio n.o rg
N et-lnspect
h ttp ://se arch . cpan.org
P a cke tM a ke r
A h ttp ://w w w .jdsu .com
aaa
P a c k e t
F r a g m
e n t
G e n e r a t o r s
Packet fragment generators allow you to edit and send packets via your wireless network adapter. They allow you to hide your network file transfers across the Internet. By utilizing packet forgery, these tools hide your file transfer by cloaking it in seemingly harmless data. A few packet fragment generators are listed as follows:
e e e e e e
Colasoft Packet Builder available at http://www.colasoft.com CommView available at http://www.tamos.com hping3 available at http://www.hping.org Multi-Generator (MGEN) available at http://cs.itd.nrl.navv.mil Net-lnspect available at http://search.cpan.org NConvert available at http://www.xnview.com
fping 3 available at http://fping.org
Q NetScanTools Pro available at http://www.netscantools.com e e

Pktgen available at http://www.linuxfoundation.org PacketMaker available at http://www.idsu.com
Module 17 Page 2675
Module Flow
CEH
Module Flow
So far, we have discussed various concepts and topics related to intruding into or bypassing security mechanisms such as IDSes, firewalls, and honeypots. Now we will discuss the ways to protect them, i.e., countermeasures. Countermeasures help in enhancing security.
Detecting Honeypots
Sgp
1?
Evading IDS
Countermeasure
Evading Firewall
^
'4
Penetration Testing
This section highlights various countermeasures against IDSes, firewalls, and honeypot attacks.
Module 17 Page 2676 Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
C o u n te r m e a s u r e s
Look for the nop opcode Shut d ow n switch ports associated with the known other than 0x90 to defend against the polymorphic shellcode problem
CEH
attack hosts
Perform an in-depth analysis o f ambiguous netw ork traffic for all possible threats
Train users to identify attack patterns and regularly update/patch all the systems and network devices
Deploy IDS after a
m thorough analysis of
Reset (RST) malicious TCP netw ork topology, nature of netw ork traffic, and the num ber of host to monitor
sessions
C o u n t e r m
e a s u r e s
The following are few countermeasures that provide protection against evading IDSes, firewalls, and honeypots: Administratively shut down a switch port interface associated with a system from which attacks are being launched. Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem. Perform "bifurcating analysis," in which the monitor deals with ambiguous traffic streams by instantiating separate analysis threads for each possible interpretation of the ambiguous traffic. Maintain security vulnerability awareness, patch vulnerabilities as soon as possible, and wisely choose the IDS based on the network topology and network traffic received. Generate TCP RST packets to tear down malicious TCP sessions, any issues of several available ICMP error code packets in response to malicious UDP traffic. Interact with the external firewall or router to add a general rule to block all communication from individual IP addresses or entire networks.
Module 17 Page 2677
C o u n te rm e a s u re s
( C o n t d )
CEH
Use a traffic normalizer to rem ove potential ambiguity from the packet stream before it reaches to the IDS
Ensure that IDSs norm alize fragm ented packets and allow those packets to be reassembled in the proper order
Define DNS server for client
Harden the security of all com m unication devices such as modems, routers, switches, etc.
~ ~ r resolver in routers or similar

netw ork devices
If possible, block IC M P TTL expired packets at the external interface level and change the TTL field to a large value, ensuring that the end host always receives the packets
C o u n t e r m
e a s u r e s
( C o n t d )
S The following are additional countermeasures against evading IDSes, firewalls, and honeypots: Implement a "traffic normalizer": a network forwarding element that attempts to eliminate ambiguous network traffic and reduce the amount of connection state that the monitor must maintain. Q Ensure that IDSss normalize fragmented packets and allow those packets to be reassembled in the proper order, which enables the IDS to look at the information just as the end host can see it. Q Keep updating the IDS system and firewall software regularly. Maintain security vulnerability awareness, patch vulnerabilities as soon as possible, and wisely choose the IDS based on the network topology and network traffic received. Change the TTL field to a large value, ensuring that the end host always receives the packets. In such case, attackers cannot slip information to the IDS. As a result, that data never reaches the end host, leaving the end host with the malicious payload.
Module 17 Page 2678
M o d u l e F lo w
CEH
o d u le
F lo w
You need to conduct penetration test on firewalls, IDSes, and honeypots in order to ensure that they can withstand against different types attacks carried out by attackers. As a pen tester, you should conduct penetration testing on firewalls, IDSes, and honeypots to determine the vulnerabilities present in them before the attacker determines and exploits them. IDS, Firewall and Honeypot Concepts IDS, Firewall and Honeypot System
Evading IDS
Evading Firewalls Firewall Evading Tools
Detecting Honeypots
Coutermeasures V
Penetration Testing
This section shows the importance of firewall/IDS pen testing and also describes the steps involved in it.
Module 17 Page 2679
Firewall/IDS Penetration Testing

J
C EH
Firewall/IDS penetration testing is to evaluate the Firewall and IDS for ingress and egress traffic filtering capabilities W hy Firewall/IDS pen testing?
&
To check if firewall/IDS properly enforces an organization's firewall/IDS policy
To check the amount of network information accessible to an intruder
To check if the IDS and firewalls enforces organization's network security policies
f t
To check the firewall/IDS for potential breaches of security that can be exploited
To check if the firewall/IDS is good enough to prevent the external attacks
To evaluate the correspondence of firewall/IDS rules with respect to the actions performed by them To verify whether the security policy is correctly enforced by a sequence of firewall/IDS rules or not
To check the effectiveness of the network's security perimeter
J _ _
F ir e w
a ll/ ID S
P e n e t r a t io n
T e s t in g
Firewall/IDS penetration testing is conducted to identify if there is any security vulnerability related to hardware, software and its configuration, and how to protect the network from outside attackers. It helps in evaluating security by testing for ingress and egress vulnerabilities and proper rule sets of the entire network with respect to the possibility of entry from an external location W hy firewall/IDS pen testing? Firewall/IDS pen testing is required to: Q Check if firewall/IDS properly enforces an organization's firewall/IDS policy 9 Check if firewall/IDS and components within network properly enforce an organization's network security policy Q Q Check the strength of firewall/IDS protection against externally initiated attacks Check how much information about a network is available from outside a network Q Check the effectiveness of the network's security perimeter 9 Check the firewall/IDS for potential breaches of security that can be exploited 9 Evaluate the correspondence of firewall/IDS rules with respect to the actions performed by them 9 Verify whether the security policy is correctly enforced by a sequence of firewall/IDS rules or not
Module 17 Page 2680
F ir e w a ll P e n e tr a tio n T e s tin g
5 S A >: n^ S Perform port scanning technique to know the available ports that uniquely identify the firewalls Perform banner grabbing technique to detect the services run by the firewall Perform firewalking technique to determine access information on the firewall when probe packets are sent
Perform p ort scanning to d etect firew all
Firew all d etected ?
Perform b anner grabbing to detect firew all
Firew all detected
/Copyright by EC-CMICil. All Rights Resen/eiReproduction is Strictly Probfbited.
K ?
F ir e w
a ll
T e s t in g
As a pen tester, you should implement the following steps to conduct penetration testing on a firewall. Stepl: Footprint the target You should footprint the target by using various tools such as Sam Spade, nslookup, traceroute, Nmap, and neotrace to learn about a system, its remote access capabilities, its ports and services, and the other aspects of its security. Step2: Perform port scanning You should perform port scanning to detect the firewall to determine the available ports that uniquely identify the firewalls. If the firewall is detected, then disable a trusted host or perform banner grabbing to detect the firewall. Step3: Perform banner grabbing You should perform the banner grabbing technique to detect the services run by the firewall. If the firewall is detected, then disable a trusted host or perform firewalking to detect the firewall. Step4: Perform firewalking You should use the firewalking technique to determine access information on the firewall when probe packets are sent. If a firewall is detected, then disable a trusted host.
Module 17 Page 2681
( C o n t d )
/rt.fw*
C EH
tttxji NMhM
P e rfo rmIPA d d re s s S p o o fin g

V
P e rfo rmA C K T u n n e lin g

A
P e rfo rmS o u rc e R o u tin g

V
P e rfo rmIC M P T u n n e lin g

A
Perform IP address spoofing to gain unauthorized access to a computer or a network Perform fragmentation attack to force the TCP header information into the next fragment in order to bypass the firewall Use proxy servers that block the actual IP address and display another thereby allowing access to the blocked website
U s e IPa d d re s s in p la c e of U R L
y
U s eP ro x yS e rv e rs
P e rfo rmIP F ra g m e n ta tio n
U s eA n o n y m o u s W e b s ite S u rfin gS ite s
Perform ICMP tunneling to tunnel a backdoor application in the data portion of ICMP Echo packets Perform ACK tunneling using tools such as AckCmd to tunnel backdoor application with TCP packets with the ACK bit set
. Cbpyright by EC-ClUCM. All Rights Reserved.; Reproduction is Strictly Probfbited.
Jjjg
F i r e w
a ll
T e s t in g
(C o n t d )
Step 5: Disable the trusted host Step6: Perform IP address spoofing You should perform IP address spoofing to gain unauthorized access to a computer or a network. Step 7: Perform source routing Step8: Use an IP address in place of URL Step 9: Perform a fragmentation attack You should perform an IP fragmentation attack to force the TCP header information into the next fragment in order to bypass the firewall. Step 10: Use anonymous website surfing sites You should use anonymous website surfing sites to hide your identity from the Internet. S te p ll: Use proxy servers You should use proxy servers that block the actual IP address and display another, thereby allowing access to the blocked website.
Module 17 Page 2682
Stepl2: Perform ICMP tunneling You should perform ICMP tunneling to tunnel a backdoor application in the data portion of ICMP Echo packets. Stepl3: Perform ACK tunneling You should perform ACK tunneling using tools such as AckCmd to tunnel backdoor application with TCP packets with the ACK bit set.
Module 17 Page 2683
( C o n t d )
P e rfo rmH T T P T u n n e lin g
U s eE x te rn a l S y s te m s
P e rfo rmM IT M A tta c k
Perform HTTP tunneling using tools such as HTTPTunnel to tunnel the traffic across TCP port 80 Gain access to the corporate network by sniffing the user's traffic and stealing the session ID and cookies Perform MITM attack in order to own corporate DNS server or to spoof DNS replies to it /Copyright by EC-CMlCil. All Rights Resen/ed. R^production is Strictly Probfbited.
F ir e w
a ll
T e s t in g
(C o n t d )
Stepl4: Perform HTTP tunneling You should perform HTTP tunneling using tools such as HTTPTunnel to tunnel the traffic across TCP port 80. Stepl5: Use external systems Stepl6: Perform MITM Attack You should perform an MITM attack in order to own corporate the DNS server or to spoof DNS replies to it. Step 17: Document all the findings
Module 17 Page 2684
Perform obfuscating technique to encode attack packets that IDS would not detect but an IIS web server would decode and become attacked Try to bypass IDS by hiding attack traffic in a
P e rfo rmIn s e rtio n A tta c k V Im p le m e n tE v a s io n T e c h n iq u e V P e rfo rmD e n ia lo f-S e rv ic eA tta c k V O b fu s c a te o rE n c o d e th eA tta c kP a y lo a d
P e rfo rm F ra g m e n ta tio nA tta c k A P e rfo rmU n ic o d e E v a s io nT e c h n iq u e ----------------A P e rfo rmS e s s io n S p lic in gT e c h n iq u e
large volume of false positive alerts (false positive generation attack) Use session splicing technique to bypass IDS by keeping the session active for a longer time than the IDS reassembly time Try Unicode representations of characters to evade the IDS signature Perform fragmentation attack with IDS fragmentation reassembly timeout less and more than that of the Victim
P e rfo rmF a ls eP o s itiv e G e n e ra tio nT e c h n iq u e
/Copyright by EC-CliacM. All Rights ReSen/ed. Reproduction is Strictly Probfbited.
g g jj
ID S
T e s t in g
You should carry out following steps to conduct IDS penetration testing. Stepl: Disable a trusted host You should try to find and disable the trusted host so that thetargeted host thinks thatthe traffic that the attacker will generate emanates from there. Step2: Perform an insertion attack Step3: Implement the evasion technique Step4: Perform a denial-of-service attack Step5: Obfuscate or encode the attack payload You should implement the obfuscating technique to encode attack packets that the IDS would not detect but an IIS web server would decode and be attacked. Step6: Perform the false positive generation technique You should use the false positive generation technique to create a greatdeal of log"noise" an attempt to blend real attacks with the false. Step7: Perform the Session Splicing Technique in
Module 17 Page 2685
You should implement the session splicing technique to stop the IDS by keeping the session active longer than IDS will spend on reassembling it. Step8: Perform the Unicode evasion technique You should implement the Unicode evasion technique to evade IDSes as it is possible to have multiple representations of a single character. Step 9: Perform a fragmentation attack You should perform a fragmentation attack with IDS fragmentation reassembly timeout less and more than that of the victim.
Module 17 Page 2686
ID S P e n e t r a t i o n T e s t i n g :
( C o n t d )
/ /rtifw*
C EH
Perform Overlapping Fragm ents Technique
Perform Pre Connection SYN Attack
g p
Perform overlapping fragment technique to craft a series of packets with TCP sequence numbers configured to overlap Try invalid RST packets technique to bypass IDS as it prevents IDS from processing the stream Perform urgency flag evasion technique to evade IDS as some IDSs do not consider the TCP protocol's urgency feature Try to bypass IDS by encrypting the shellcode to make it undetectable to IDS (polymorphic shellcode technique)
V Perform Time-ToLive Attack Perform Post Connection SYN Attack
y ___________ Perform Invalid RST Packets Technique Perform Encryption and Flooding Techniques
Perform Urgency Flag Technique V Perform Polym orphic Shellcode Technique
Perform ApplicationLayer Attack
Try to evade IDS pattern matching signatures by hiding the shellcode content using ASCII codes (ASCII shellcode technique) Perform application layer attacks as many IDSs fail to check the compressed file formats for signatures
Perform ASCII Shellcode Technique Establish an encrypted session with the victim or send loads of unnecessary traffic to produce noise that cannot be analyzed by the IDS
/Copyright by EC-CliacM. All Rights Reien/ed.Reproduction is Strictly Probfbited.
CD
ID S
T e s t in g
(C o n t d )
SteplO: Perform the overlapping fragments technique You should use othe verlapping fragments technique to craft a series of packets with TCP sequence numbers configured to overlap. Step 11: Perform a Time-To-Live attack Step 12: Perform the invalid RST packets technique You should use the invalid RST packets technique to evade detection by sending RST packets with an invalid checksum that causes the IDS to stop processing the stream. Stepl3: Perform the urgency flag technique You should use the urgency flag technique to evade IDSrd as some IDSrds do not consider the TCP protocol's urgency feature. Stepl4: Perform the polymorphic shellcode technique You should use the polymorphic shellcode technique to hide the shellcode by encrypting it in a simplistic form that is difficult for IDS to identify that data as a shellcode. Stepl5: Perform the ASCII shellcode technique
Module 17 Page 2687
You should perform the ASCII shellcode technique to bypass IDS pattern matching signatures because strings are hidden within the shellcode as in a polymorphic shellcode. Stepl6: Perform an Application-layer attacks You should try to perform Application-level attacks as many IDSes will have no way to check the compressed file format for signatures. Stepl7: Perform encryption and flooding techniques You should try encryption and flooding attacks with the victim or send loads of unnecessary traffic to produce noise that can't be analyzed by the IDS. Stepl8: Perform a post-connection SYN attack Stepl9: Perform a pre-connection SYN attack Step 20: Document all the results obtained from this test
Module 17 Page 2688
M o d u le S u m m a ry
CEH
Intrusion D etection Systems (IDS) m onitor packets on the netw ork w ire and attem pt to discover if an attacker is trying to break into a system
System Integrity Verifiers (SIV ) m onitor the system files to find when an intruder changes. Tripwire is one of the popular SIVs
Intrusion detection happens either by anom aly detection or signature recognition or Protocol Anom aly Detection
Firewall is a hardware, software or a com bination of both that is designed to prevent unauthorized access to or from a private netw ork
Firewall is identified by three techniques nam ely port scanning, banner grabbing, and firewalking Honeypots are programs that simulate one or more netw ork services that are designated on a com puter's ports
In order to effectively d etect intrusions that use invalid protocol behavior, IDS must re-implem ent a w ide variety of application-layer protocols to d etect suspicious or invalid behavior
One o f the easiest and most com m on ways for an attacker to slip by a firewall is by installing netw ork softw are on an internal system that uses a port address perm itted by the firewall's configuration
- r n
'
>
o d u le
S u m
a r y
Intrusion detection systems (IDSes) monitor packets on the and attempt to discover if an attacker is trying to break into a system.
network
wire
System integrity verifiers (SIVs) monitor the system files to find when an intruder changes. Tripwire is one of the popular SIVs. Q Intrusion detection happens either by anomaly detection or signature recognition or protocol anomaly detection.
A firewall is hardware, software, or a combination of both that is designed to prevent unauthorized access to or from a private network. A firewall is identified by three techniques: port scanning, banner grabbing, and firewalking.
0
Honeypots are programs that simulate one or more network services that are designated on a computer's ports. In order to effectively detect intrusions that use invalid protocol behavior, an IDS must re-implement a wide variety of Application-layer protocols to detect suspicious or invalid behavior.
Module 17 Page 2689
One of the easiest and most common ways for an attacker to slip by a firewall is by installing network software on an internal system that uses a port address permitted by the firewall's configuration.
Module 17 Page 2690

CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv8 Module 17 Evading IDS, Firewalls, and Honeypots PDF

Uploaded by

Copyright:

Available Formats

Evading IDS, Firewalls, and Honeypots

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Evad in g IDS, Firew alls, and Honeypots

Engineered by Hackers. Presented by Professionals.

Module 17: Evading IDS, Firewalls, and Honeypots Exam 312-50

Module 17 Page 2550

R u s s ia n S e r v ic e R e n ts A c c e s s T o H a cke d C o rpo rate P Cs

October 23, 2012 12:30 PM

R u ssia n S ervice R ents A ccess To H ac k ed C o rp o rate PCs

Module 17 Page 2551

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Module 17 Page 2552

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Copyright 2012 UBM Tech By Mathew J.Schwartz

Module 17 Page 2553

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Firewall/IDS Penetration Testing

Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

General Indications of Intrusions Firewall Architecture

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Copyright by EG-G*nncil. All Rights Reserved. Reproduction is Strictly Prohibited.

IDS, Firewall an d Ho ne yp ot Concepts

Detecting H one ypo ts

IDS, Firewall an d H o ne yp ot System

Firewall Evading Tools

Pe ne tra tio n Testing

Module 17 Page 2555

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Intrusion Detection Systems (IDS) and their Placement

Copyright by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 17 Page 2556

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Module 17 Page 2557

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

How IDS Works

Signature file com parison

Stateful protocol analysis

Copyright by EG-CtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 17 Page 2558

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

FIGURE 17.2: How an IDS Works

Module 17 Page 2559

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Ways to Detect an Intrusion /

Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 17 Page 2560

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

A nom aly D etectio n

P rotocol A nom aly D etectio n

Module 17 Page 2561

Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots