This presentation describes a number of ways to bypass intrusion detection systems and was originally presented at Black Hat USA 2006. This was co-presented by HD Moore and Brian Caswell.
• Slightly oversized frames
• Broadcast destinations
• Multiple VLAN headers
Not useful or practical
• Requires local media access
• IPS likely to drop the frame
an IP packet into fragments
• Minimum fragment size is 8 bytes
IP stacks handle this in different ways
• Overlaps, duplicates, gaps, oh my!
• Abuse differences to evade IDS
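The point of the slide is that an IDS which reassembles overlapping fragments under a different policy than the end host sees a different stream than the host does. The following is an added example (not code from the slides or from the presenters) of a small target-based reassembler: the two policies, "old" (first fragment received wins an overlap) and "new" (last received wins), are a simplifying assumption, real stacks are more nuanced, and offsets are given in bytes rather than the 8-byte units used on the wire. The fragment sets are constructed for the demonstration.

```python
"""Target-based IP fragment reassembly with a selectable overlap policy.

Added example; the two policies are a simplification of real stack behaviour.
"""


def reassemble(fragments, policy="old"):
    """fragments: list of (offset_in_bytes, payload) in arrival order.

    policy "old": the byte that arrived first wins an overlap.
    policy "new": the byte that arrived last wins an overlap.
    Returns the reassembled payload, or None if a gap remains (a host would
    keep waiting for the missing fragment and eventually time out).
    """
    if policy not in ("old", "new"):
        raise ValueError("unknown overlap policy: %r" % policy)
    total = max(off + len(p) for off, p in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, payload in fragments:
        for i, b in enumerate(payload):
            pos = off + i
            if filled[pos] and policy == "old":
                continue  # keep the byte that arrived first
            buf[pos] = b
            filled[pos] = True
    if not all(filled):
        return None
    return bytes(buf)


def verdicts(fragments, host_policy, ids_policy, pattern):
    """Return (host_sees_pattern, ids_sees_pattern) for one fragment set.

    A mismatch between the two booleans is exactly the evasion window the
    slide describes; the IDS must model the policy of the actual target.
    """
    host = reassemble(fragments, host_policy)
    ids = reassemble(fragments, ids_policy)
    return (host is not None and pattern in host,
            ids is not None and pattern in ids)


# Constructed sample: the third fragment fully overlaps the second one.
OVERLAP = [(0, b"HELLO WO"), (8, b"RLD-----"), (8, b"XYZ-----")]
# Constructed sample with a hole at bytes 8..15.
GAP = [(0, b"12345678"), (16, b"abcdefgh")]

if __name__ == "__main__":
    print(reassemble(OVERLAP, "old"))
    print(reassemble(OVERLAP, "new"))
    print(verdicts(OVERLAP, "old", "new", b"WORLD"))
```

The useful output is the pair returned by `verdicts`: when host and IDS policies differ, the host sees `WORLD` and the IDS does not, which is why target-based reassembly (knowing the policy of each protected host) rather than a single global policy is the mitigation.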
Protocol code differences
• Vendor specific extensions
• Error condition handling
Fun tricks for every protocol!
• HTTP, FTP, SMTP, DNS
• SunRPC, DCERPC, SMB
ISS
• SunRPC fragmentation
• FTP telnet option negotiation
• HTTP URI encoding
Many new techniques
• Vendor-specific URI encoding
• Evasion for 'deep' protocols
• Client-side attack evasion
Signature-only
• State track + signature
• State + context + signature
• Complete protocol emulation
– What version of the protocol?
– What version-specific options?
– What vendor-specific options?
operations
• Independent of TCP and IP layers
• IDS must track length and offset
• Evade DCERPC signatures
• Evade malware signatures
• Offset value ignored for pipes
Demonstration
• Offset value determines location
• Used to align fields in memory
• Abused to fill with bogus data
• Max padding is ~4000 bytes...
– Insert fake SMB requests
– Trigger low-risk signatures
Demonstration
• Simple command echos data
• Useful to trick SMB state engines
• Max size is greater than MTU...
– Insert fake SMB responses
– Trigger low-risk signatures
• Normally just \PIPE\
• Not validated by the OS
• Max length is ~4000 bytes
• Evade almost all Trans signatures
• Also useful for state engine attacks
Demonstration
• Multiple commands per request
• Login, open file, write, close, logoff
• Also useful for state engine attacks
Evasion with Request Stacking
• Pile all SMBs into one send()
• Side effect of Nagle algorithm
– TCP, HTTP, UDP, SMB (4+ ways)
• Multiple ways to represent data
– Big endian or little endian byte order
– Unicode, EBCDIC, or ASCII strings
– IEEE, VAX, Cray, or IBM floats
• Supports fragmentation
– IP + TCP + SMB + DCERPC = ?
• Excellent source of new vulns :-)
via RpcProxy
• One-packet UDP function calls
– Uses the idempotent flag
Ports and processes
• Shared processes share pipes
• Choose which named pipe to use
• Everyone loves \BROWSER
• Len + Offset + TotalLen + string + null pad to 32bit boundary
"\x05\x00\x00\x00" "\x00\x00\x00\x00" "\x05\x00\x00\x00" "ABCD" "E\x00\x00\x00"
• Use non-NULLs for padding!
Endian ASCII
• Len + Offset + TotalLen + string + pad to 32bit boundary
"\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00"
• Or on some services "\x00\x00\x00\x00"
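The two slides above describe the NDR string layout (Len + Offset + TotalLen, then the string, then padding to a 32-bit boundary) and note that the padding bytes need not be NULL. A signature that matches the raw bytes including the NULL pad misses the same string when the pad is filled with other bytes; an IDS that decodes the field by its declared length, skipping the pad without inspecting it, does not. The following decoder is an added example, not code from the slides or the presenters; the trailing-NUL stripping and the `elem_size` switch for 16-bit strings are assumptions about the variant being inspected, and all sample buffers are constructed.

```python
"""Decode an NDR conformant/varying string by length, ignoring pad content.

Added example. Header: MaxCount, Offset, ActualCount as little-endian uint32,
followed by ActualCount elements and padding to a 4-byte boundary.
"""
import struct


def decode_ndr_string(buf, pos=0, elem_size=1):
    """Return (decoded_text, position_after_field).

    elem_size 1 decodes 8-bit strings, 2 decodes UTF-16-LE strings
    (assumption about the two encodings the slides contrast).
    """
    if len(buf) < pos + 12:
        raise ValueError("truncated NDR string header")
    max_count, offset, actual = struct.unpack_from("<III", buf, pos)
    pos += 12
    # Sanity-check the three counts against each other before trusting them.
    if offset > max_count or actual > max_count - offset:
        raise ValueError("offset/actual inconsistent with max count")
    nbytes = actual * elem_size
    if pos + nbytes > len(buf):
        raise ValueError("truncated NDR string body")
    body = bytes(buf[pos:pos + nbytes])
    pos += nbytes
    pos += (-nbytes) % 4  # skip alignment padding; its value is never read
    if pos > len(buf):
        raise ValueError("truncated alignment padding")
    text = body.decode("utf-16-le") if elem_size == 2 else body.decode("latin-1")
    return text.rstrip("\x00"), pos


def raw_signature(buf):
    """Naive byte-pattern check: only matches the NULL-padded encoding."""
    return b"ABCDE\x00" in buf


def decoded_signature(buf, elem_size=1):
    """Normalised check: decode first, then compare the string value."""
    text, _ = decode_ndr_string(buf, 0, elem_size)
    return text == "ABCDE"


# Constructed samples. STD is the encoding quoted on the slide.
STD = b"\x05\x00\x00\x00" b"\x00\x00\x00\x00" b"\x05\x00\x00\x00" b"ABCD" b"E\x00\x00\x00"
NONNULL_PAD = b"\x05\x00\x00\x00" b"\x00\x00\x00\x00" b"\x05\x00\x00\x00" b"ABCD" b"EXYZ"
UNICODE = (b"\x03\x00\x00\x00" b"\x00\x00\x00\x00" b"\x03\x00\x00\x00"
           + "AB\x00".encode("utf-16-le") + b"\xff\xff")

if __name__ == "__main__":
    for name, buf in (("STD", STD), ("NONNULL_PAD", NONNULL_PAD)):
        print(name, raw_signature(buf), decoded_signature(buf))
    print(decode_ndr_string(UNICODE, 0, 2))
```

`raw_signature` and `decoded_signature` agree on the NULL-padded buffer and disagree on the one with non-NULL padding, which is the gap the slide points at; the decoder also reports the position after the field so a caller can continue parsing the next field instead of pattern-matching across the pad.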
certificate ($$$)
• Compromise and hijack existing cert
• Convince the user to ignore warnings
• Use SSL wrapped CGI proxy server!
https://www.fsurf.com/index.php?q=http://IP:8080/foo.pls
https://proxify.com/u?http://IP:8080/foo.wmf
alert system
• Nikto is great for this!
• Multiple alerts per packet?
– One IDS triggers ~1050 per packet!
Attack the user
• Hide the real attack in the flood
• Abuse UI limitations to hide events
SlowPath
– Minimum processing on FastPath
– SlowPath used for exceptions
• Find the SlowPath
– Management services
– Encryption and authentication
– IP fragment processing
“core” is licensed for a chip
– Provides common networking features
– Routing, reassembly, switching, etc
• Quickest way to add a feature
– Common choice for quick development
– Just as buggy as any other software
– Any flaw applies to multiple vendors :-)
over allocator
• Block must hold entire packet
• Split into “buckets” based on size
• Stream a specific packet pattern
– Try 63, 65, 129, 257, 1025, 2049
– Allocate all blocks in a given bucket
– Force exceptions and pass-through
– Force it to repeat over and over
• Trigger exception processing
– Use invalid characters, recursion, etc
• Inject termination characters
– Use terminator strings to fail a match
– Depends on the signature and protocol
work done by memcpy
• Send “evilfoo” * 8
• 48 calls to memcpy
• 96 to 384 memory operations [0]
• 2000 ms on a 65k packet of evilfoo
[0] Depending on platform, alignment, and libc implementation
amount of any character
• From=
• [^&]{165,}
– 165 or more bytes of anything but &
• Force repeated backtrack
– "From=" repeating, "&" at byte 165
Demonstration
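The signature form quoted on the slide, `From=[^&]{165,}`, makes a backtracking engine re-scan the same run of bytes once per `From=` occurrence. On the detection side, the same check can be rewritten as a single linear scan: precompute the position of the next `&` for every byte, then for each `From=` look up the length of the run that follows it in constant time. The following is an added example, not code from the slides or the presenters; the helper names and the constructed sample inputs are mine, and the `re`-based check is included only to confirm both give the same verdict.

```python
"""Linear-time equivalent of the signature From=[^&]{165,}.

Added example. sig_regex() is the backtracking form; sig_linear() gives the
same verdict in O(n) regardless of how many "From=" markers the input holds.
"""
import re

SIG = re.compile(rb"From=[^&]{165,}")


def sig_regex(data):
    """Reference verdict from the regex engine."""
    return SIG.search(data) is not None


def sig_linear(data, name=b"From=", min_len=165, stop=b"&"):
    """True if some occurrence of `name` is followed by at least `min_len`
    bytes none of which is `stop`.

    next_stop[i] is the index of the first `stop` byte at or after i
    (len(data) if there is none); it is built in one right-to-left pass.
    """
    n = len(data)
    next_stop = [n] * (n + 1)
    for i in range(n - 1, -1, -1):
        next_stop[i] = i if data[i:i + 1] == stop else next_stop[i + 1]
    i = data.find(name)
    while i != -1:
        start = i + len(name)
        if next_stop[start] - start >= min_len:
            return True
        i = data.find(name, i + 1)
    return False


# Constructed samples, including the repeating-marker shape from the slide.
SAMPLES = [
    b"From=" + b"A" * 165,                      # exactly at the threshold
    b"From=" + b"A" * 164 + b"&",               # one byte short
    b"From=" * 33 + b"&",                       # 165 bytes of markers, then &
    b"x&From=" + b"B" * 200 + b"&y",            # match in the middle
    b"",
]


def verdicts_agree(samples=SAMPLES):
    """True if both implementations give the same verdict on every sample."""
    return all(sig_regex(s) == sig_linear(s) for s in samples)


if __name__ == "__main__":
    for s in SAMPLES:
        print(len(s), sig_regex(s), sig_linear(s))
    print("agree:", verdicts_agree())
```

The design choice worth noting is that the run length is computed from a lookup table rather than rescanned per marker, so input constructed to repeat the marker costs the engine nothing extra; the regex is kept only as a reference for equivalence testing.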
template, set boundaries
– Enable block mode in IPS product
– Flood request permutations and create sig :-)
• Direct memory access
– Hardware bus monitoring
– Root the box and dump the process
• Poor cryptography
– Key has to be accessible somewhere