NetworkSec - Advanced SecDevices - IDS Evasion Techniques
[toc]
IDS Evasion Techniques
“A look at whisker’s anti-IDS tactics” by Rain Forest Puppy (https://www.apachesecurity.net/archive/whiskerids.html) “IDS Evasion Techniques and Tactics” by Kevin Timm (https://www.securityfocus.com/printable/infocus/1577)
Brief Overview
- From CIDF to RFC 4765
Common Intrusion Detection Framework (CIDF)
- old (late 90s) attempt by DARPA (US govt’s Defense Advanced Research Projects Agency)
- to develop an IDS interchange format
- Started as a research project, currently dormant
- CIDF components that together define an Intrusion Detection System:
- E-boxes - event generators (sniffers, monitors)
- A-boxes - analysis engines (signature matchers)
- D-boxes - storage mechanisms (loggers)
- C-boxes - countermeasures (alarms, firewalls)
- 
- The IETF (Internet Engineering Task Force) recently (2007) started work on a common format (RFC 4765):
- Physical, Network and Host IDS/IPS
- Physical: Security Guards, Security Cameras, Access Control Systems (Card, Biometric), Firewalls, Man Traps, Motion Sensors
- NIDS design considerations & problems
Simple Evasion Techniques
Using mixed case characters
- This technique can be useful for attackers when attacking platforms (e.g., Windows) where filenames are not case sensitive;
- otherwise, it is useless.
- Its usefulness rises, however, if the target Apache includes mod_speling as one of its modules.
- This module tries to
find a matching file on disk, ignoring case and allowing up to one spelling mistake
.
Character escaping
- escape any character by preceding the character with a backslash character
(\)
, - and if the character does not have a special meaning, the escaped character will convert into itself.
\d converts to d
.
- It is not much but it is enough to fool an IDS.
- For example
- an IDS looking for the pattern
id
would not detect a stringi\d
, which has essentially the same meaning.
- an IDS looking for the pattern
Using whitespace
- Using excessive whitespace, especially the less frequently thought of characters such as TAB and new line, can be an evasion technique.
- example
- SQL injection attempt using
DELETE FROM
(two spaces in between the words instead of one) - the attack will be undetected by an IDS looking for
DELETE FROM
(with just one space in between).
- SQL injection attempt using
Path Obfuscation
Many evasion techniques are used in attacks against the filesystem.
- For example, many methods can obfuscate paths to make them less detectable:
Self-referencing directories
- When a
./
combination is used in a path - it does not change the meaning but it breaks the sequence of characters in two.
- example,
/etc/passwd = obfuscated: /etc/./passwd
.
Double slashes
- Using double slashes is one of the oldest evasion techniques.
- example,
/etc/passwd may be written as /etc//passwd
.
Path traversal
- Path traversal occurs when a backreference is used to back out of the current folder, but the name of the folder is used again to advance.
- For example,
/etc/passwd may be written as /etc/dummy/../passwd
, and both versions are legal.- This evasion technique can be used against application code that performs a file download to make it disclose an arbitrary file on the filesystem.
- Another use of the attack is to evade an IDS system looking for well-known patterns in the traffic
- (
/etc/passwd
is one example).
Windows folder separator
- When the web server is running on Windows, the Windows-specific folder separator
\
can be used. - For example,
../../cmd.exe = ..\..\cmd.exe
.
IFS evasion
- Internal Field Separator (IFS)
- a feature of some UNIX shells (sh and bash, for example) that allows the user to change the field separator (normally, a whitespace character) to something else.
- After execute an
IFS=X
command on the shell command line - type
CMD=X/bin/catX/etc/passwd;eval$CMD
to display the contents of the/etc/passwd
file on screen.
Null-Byte Attacks
- Using
URL-encoded null bytes
is an evasion technique and an attack at the same time.- This attack is effective against applications developed using C-based programming languages.
- Even with scripted applications, the application engine they were developed to work with is likely to be developed in C and possibly vulnerable to this attack.
- Even Java programs eventually use native file manipulation functions, making them vulnerable, too.
- Internally, all C-based programming languages use the null byte for string termination.
- When a URL-encoded null byte is planted into a request,
- it often fools the receiving application, which decodes the encoding and plants the null byte into the string.
- The planted null byte will be treated as the end of the string during the program’s operation,
- and
the part of the string that comes after it and before the real string terminator will practically vanish
.
- We looked at how a URL-encoded null byte can be used as an attack when we covered source code disclosure vulnerabilities in the “Source Code Disclosure” section.
This vulnerability is rare in practice though Perl programs can be in danger of null-byte attacks, depending on how they are programmed.
- Null-byte encoding is used as an evasion technique mainly against web application firewalls when they are in place.
- These systems are almost exclusively C-based (they have to be for performance reasons), making the null-byte evasion technique effective.
- Web application firewalls trigger an error when a dangerous signature (pattern) is discovered.
- They may be configured not to forward the request to the web server, the attack attempt will fail.
- However, if the signature is hidden after an encoded null byte, the firewall may not detect the signature, allowing the request through and making the attack possible.
- To see how this is possible, we will look at a single POST request, representing an attempt to exploit a vulnerable
form-to-email script
and retrieve the passwd file:
1
2
3
4
5
6
POST /update.php HTTP/1.0
Host: www.example.com
Content-Type: application/x-form-urlencoded
Content-Length: 78
firstname=Ivan&lastname=Ristic%00&email=ivanr@webkreator.com;cat%20/etc/passwd
- A web application firewall configured to watch for the
/etc/passwd
string will normally easily prevent such an attack. - But by embedded a null byte at the end of the lastname parameter.
- firstname=Ivan&lastname=Ristic
%00
&email=ivanr@webkreator.com;cat%20/etc/passwd
- firstname=Ivan&lastname=Ristic
- If the firewall is vulnerable to this type of evasion, it may miss our command execution attack, enabling us to continue with compromise attempts.
Some Advanced Evasion Techniques (AETs)
Obfuscation: (Insertion, Evasion, Session Splicing, Fragmentation)
Insertion:
Stuffing the analyzer with “invalid” packets
Evasion:
Slipping “valid” packets past the analyzer
Fragmentation
Breaking the attack into multiple packets
- Similar to Session Splicing
- Attacker send packets in blocks that do not trigger IDS signatures or cause alerts
- Generally more powerful than Session Splicing
- Two common fragmentation methods
- overwrites a section of a previous fragment
- overwrites a complete fragment
- Enables attackers to write an entire packet of garbage information and craft their attack to blend in with standard protocols
- Some IDSs do have ways to handle these attacks through reassembly
Examples:
- Attack 1: Overlap Method
- Packet 1:
GET /cgi-bin/
- Packet 2:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../phxx
- Packet 3:
f?
- Packet 1:
- This fragmentation can
overwrite the 'xx' portion of Packet 2 with the data in Packet 3
, making the information resemble the following:GET /cgi-bin/ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../phf?
- Attack 2: Overwrite Method
- Packet 1:
GET /cgi-bin/
- Packet 2:
some_normal_filename.cgi
- Packet 3:
/aaa/../aaa/../aaa/../phxx
- Packet 4:
f?
- Packet 1:
- similar to the first
- but, the
'xx' portion is overwritten
and thesome_normal_filename.cgi packet is completely overwritten with the last two packets
- This leaves
GET /cgi-bin/phf?
as the end result.
- This leaves
Session Splicing
attacker delivers data in multiple, smallsized packets
to the target computer
deliver the payload over multiple packets over long periods of time
- effective against IDS that
do not reconstruct packets before checking them again through intrusion signatures
- Many IDS
stop reassembly if they do not receive packets within a certain time
- If attackers are aware of delays in packet reassembly at the IDS, they add delays between packet transmissions to bypass the reassembly
- IDS become useless if the target host keeps sessions active for a longer time than the IDS reassembly time
- effective against IDS that
- defeating simple pattern matching in IDS systems without session reconstruction
- characteristic of the attack: a continuous stream of small packets.
- making it very difficult for an IDS to detect the attack signatures.
no single packet triggers the IDS
- Any attack attempt after a successful splicing attack will not be logged by the IDS
Tool: Whisker
- One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack.
- way of splitting packets:
- fragmenting them, but an adversary can also simply craft packets with small payloads.
- The ‘whisker’ evasion tool calls crafting packets with small payloads ‘session splicing’.
Denial of Service (DoS) & False Positive Generation
- Causing resource starvation and overloading the IDS
- Basic problem
- NIDS needs to simulate the operation of all protected end-systems and internal network
- Scarce Resources (CPU cycles, memory, disk space, bandwidth)
- Usually working in a “fail-open” state
- CPU DoS (target computationally expensive operations)
- Fragment/Segment reassembly
- Encryption/Decryption
- Memory DoS
(target state management operations)
- TCP 3-way Handshake (TCP Control Block - TCB)
- Fragment/Segment reassembly
- Network Bandwidth DoS
(target NIDS’s inability to process packets at line speed)
- Reactive Systems DoS
- Trigger lots of alarms (false positives)
- Prevent valid access by spoofed addresses
- Hide real attacks
Pattern-Matching Weaknesses
- Exploiting pattern-based detection approach employed by most IDS
- Most IDS solutions employ a
pattern-based detection component
- This approach is problematic, because not all input needs to be the same to trigger vulnerabilities
- Example pattern:
- GET
/cgi-bin/phf?
- GET
- Obfuscation:
- GET
/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%25%2fp%68f?
- GET
- Both versions result in the same output, yet look very different
- Unicode evasion can also be used here
- e.g.
\ can be represented as 5C, C19C and E0819C
- e.g.
extremely common IDS evasion technique in the web world? unicode characters
- Unicode attacks can be effective against applications that understand it.
- Unicode: represent every character needed by every written human language as a single integer number.
- Unicode evasion, referenced as UTF-8 evasion.
- Unicode characters are normally represented with two bytes, but this is impractical in real life.
- One aspect of UTF-8 encoding causes problems:
- non-Unicode characters can be represented encoded.
- What is worse is multiple representations of each character can exist.
- Non-Unicode character encodings are known as overlong characters, and may be signs of attempted attack.
Protocol Violation,
- Attacks targeted at complex protocol
- e.g. SMB (Server Message Block), MSRPC, SunRPC
- In order to provide protection to a complex protocol, the IDS has to have a deep understanding of it
- The IDS implementation also needs to be
- Fault-tolerant
- Resilient
- Able to cope with excessive and unexpected connections and requests
TTL Attacks
- attackers have some knowledge of the internal network topology
- Attackers must know the distance to the end host and whether an IDS is placed in front of the end host
- By using a small TTL flag in a TCP packet, attackers can send packets that will only reach the IDS and not the end host
- The IDS, in turn, will think the packet addressed to the end host will make it there
- This allows attackers to inject garbage packets into the IDS stream processing
- Example:
- Packet 1: GET /cgi-bin/p TTL 15
- Packet 2: some_file.cgi?= TTL 10
- Packet 3: hf? TTL 15
- This assumes that the end host is beyond the 15 TTL limit and will receive the data
- It also assumes that the IDS is within the 10-14 TTL limit, and any data lower than that will not reach the destination host
- The IDS receives: GET /cgi-bin/psome_file.cgi?=hf?
- The end host will receive: GET /cgi-bin/phf?
Urgency Flag
- The urgency flag is used within the TCP protocol to mark data as urgent
- When the urgency flag is set,
all data before the urgency pointer is ignored
, - and
the data to which the urgency pointer points is processed
- When the urgency flag is set,
- Some IDSs do not take into account the TCP protocol’s urgency feature
- Attackers can place garbage data before the urgency pointer
- The IDS reads that data without consideration for the end host’s urgency flag handling
- This means the IDS has more data than the end host actually processed
- Example of an urgency flag attack:
- “1 Byte data, next to Urgent data, will be lost, when Urgent data and normal data are combined.”
- Packet 1:
ABC
- Packet 2:
DEF Urgency Pointer: 3
- Packet 3:
GHI
- End result:
ABCDEFHI
- According to the 1122 RFC,
- the urgency pointer causes
one byte of data next to the urgent data to be lost
when urgent data is combined with normal data
- the urgency pointer causes
Polymorphic Shellcode
- Most IDSs contain signatures for commonly used strings within shellcode
- This is easily bypassed by using encoded shellcode containing a stub that decodes the shellcode that follows
- This means that shellcode can be completely different each time it is sent
- Polymorphic shellcode allows attackers to hide their shellcode by encrypting it in a simplistic form
- It is difficult for IDSs to identify this data as shellcode
- This method also hides the commonly used strings within shellcode, making shellcode signatures useless
ASCII Shellcode
- Similar to polymorphic shellcode
- ASCII shellcode contains only characters contained within the ASCII standard
- This helps attackers bypass IDS pattern matching signatures as strings are hidden within the shellcode in a similar fashion to polymorphic shellcode
- The following is an ASCII shellcode example:
- char shellcode[] =
- “LLLLYhb0pLX5b0pLHSSPPWQPPaPWSUTBRDJfh5tDS”
- “RajYX0Dka0TkafhN9fYf1Lkb0TkdjfY0Lkf0Tkgfh”
- “6rfYf1Lki0tkkh95h8Y1LkmjpY0Lkq0tkrh2wnuX1”
- “Dks0tkwjfX0Dkx0tkx0tkyCjnY0LkzC0TkzCCjtX0”
- “DkzC0tkzCj3X0Dkz0TkzC0tkzChjG3IY1LkzCCCC0”
- “tkzChpfcMX1DkzCCCC0tkzCh4pCnY1Lkz1TkzCCCC”
- “fhJGfXf1Dkzf1tkzCCjHX0DkzCCCCjvY0LkzCCCjd”
- “X0DkzC0TkzCjWX0Dkz0TkzCjdX0DkzCjXY0Lkz0tk”
- “zMdgvvn9F1r8F55h8pG9wnuvjrNfrVx2LGkG3IDpf”
- “cM2KgmnJGg
bin
Ysh
dvD9d”;
- When executed, the shellcode above executes a “/bin/sh” shell
Encryption and Tunneling
- When the attacker manages to establish an encrypted tunnel to the target, IDS-es are evaded completely
- Any sort of encrypted connection/tunneling works
- SSH, SSL, IPSec, RDP, etc
Application Hijacking
- If done correctly
few HIDS will detect it
, whileNIDS usually skip the application layer completely
- Application layer attacks enable many different forms of evasion
- Many applications that deal with media such as images, video and audio employ some form of compression
- When a flaw is found in these applications, the entire attack can occur within compressed data, and the IDS will have no way to check the compressed file format for signatures
File Locations and Integrity
- Circumventing triggers in HIDS
to evade IDS during a Port Scan:
- Use fragmented IP packets
- Spoof your IP address when launching attacks and sniff responses from the server
- Use source routing (if possible)
- Connect to proxy servers or compromised Trojaned machines to launch attacks
Potential Solutions
- Normalization
- Normalization takes obfuscated input and attempts to translate it into what the end host will eventually see
- This usually entails encoding in formats such as Unicode and UTF8
- The normalization process allows for encoding, translation and the application of pattern matching to the normalized data
- Prevents obfuscating the attack strings using Unicode or UTF8 strings
- Polymorphic shellcode & ASCII shellcode could circumvent this
- Some IDSs are attempting to apply normalization to polymorphic shellcode
- CPU intensive, which affects monitoring for the remaining network traffic
- Normalization also applies to network data
- Some IDSs normalize fragmented packets and reassemble them in the proper order
- This enables the IDS to look at the information just as the end host will see it
- In addition, some IDSs change the TTL field to a large number
- This ensures that packets reach the end host
- Packet Interpretation Based on Target Host
- IDS are at a disadvantage
- These systems attempt to recreate what the end host will see and handle
- There are a lot of disparate methods of communicating data over a network
- The end host’s TCP/IP stack should be used (host-based IDS)
- Better than trying to recreate the stream in a way that the stream may be handled
- In using the host to do the work, the guessing portion of the task is eliminated
- Another option: using modular TCP/IP stacks within an IDS
- Using the stacks based on the targeted host’s operating system
- Specific OS handling of anomalous traffic must be thoroughly reviewed
- Effective in mitigating fragmentation, RST packet handling and Urgency Flags
Tools & Resources
- Some free IDS:
- ACARM-ng, AIDE (Advanced Intrusion Detection Environment)
- Bro NIDS, Fail2ban, OSSEC (Open Source Host-based IDS)
- Prelude SIEM (Security Information & Event Management)
- Samhain
- Snort, Suricata
- Tripwire
- some IDS evasion tools:
- Evader
- Nmap
- Nmap reference on IDS evasion
- libemu
- Kali Linux
- Fragroute
- Fragrouter
- InTrace
- SniffJoke
- Other tools
- Wireshark, HxD (hex editor/viewer)
This post is licensed under CC BY 4.0 by the author.
Comments powered by Disqus.