Chapter 17
Evasion

CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • images   III. Security
    • images   P. Vulnerabilities
  • images   IV. Tools/Systems/Programs
    • images   Q. Log analysis tools
    • images   S. Exploitation tools

  At this point in this book you have seen quite a number of ways to break into a computer system, network, or organization. The problem is that although a lot of these attacks are effective at getting information and other items from a target, they can be detected or thwarted. Today’s networks and environments employ a range of defensive and detective measures designed to deal with such attacks.

Corporations now employ many defensive measures, each with its own way of putting a stop to your attack. Intrusion detection systems (IDSs), intrusion prevention systems (IPSs), firewalls, honeypots, and other such defenses are potent obstacles to your activities. Although these devices are formidable, they are not insurmountable, so you need to first learn how they work and then see what you can do to overcome the obstacles or just get around them altogether. This chapter focuses on these systems and how to deal with them.

Honeypots, IDSs, and Firewalls

Before we delve into the various evasion techniques you can use to get around a defender’s defensive and detective mechanisms, you must learn how they work. We’ll look at each of these systems and show what they are designed to defend against and how they detect or stop an attack.

The Role of Intrusion Detection Systems

An intrusion detection system (IDS) is an application or device used to gather and analyze information that passes across a network or host. An IDS is designed to analyze, identify, and report on any violations or misuse of a network or host.

Let’s take a close look at how an IDS works. An IDS is used to monitor and protect networks by detecting malicious activity and reporting it to a group or contact such as a network administrator. Once activities of this type are detected, an administrator is alerted.

Here are some things to keep in mind as we go forward. An IDS:

  • Is designed to detect malicious or nonstandard behavior
  • Gathers information from within a network to detect violations of security policy
  • Reports violations and deviations to an administrator or system owner

The Four Types of Intrusion Detection Systems

In practice there are four types of IDSs, each offering unique capabilities that the others do not. We’ll first discuss the types available and where each fits in; then we’ll delve deeper into each.

  • The first type, and one of the most common, is the NIDS. The NIDS is designed to inspect every packet traversing the network for the presence of malicious or damaging behavior and, when malicious activity is detected, throw an alert. The NIDS is able to monitor traffic from the router to the host itself. Much like a packet sniffer, an NIDS operates similarly to a network card in promiscuous mode. In practice this type of IDS can take the form of a dedicated computer or the more common black-box design (which is a dedicated device).
  • The next major kind of IDS is the host-based intrusion detection system (HIDS), which is installed on a server or computer. An HIDS is responsible for monitoring activities on a system. It is adept at detecting misuse of a system, including insider abuses. Its location on a host puts the HIDS in close proximity to the activities that occur on a host as well as in a perfect position to deal with threats on that host. HIDSs are commonly available on the Windows platform but are found on Linux and Unix systems as well.
  • Log file monitors (LFMs) monitor log files created by network services. The LFM IDS searches through the logs and identifies malicious events. Like NIDSs, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the phf attack. An example of a log file monitoring program is swatch.
  • File integrity-checking mechanisms, such as Tripwire, check for Trojan horses or files that have otherwise been modified, indicating an intruder has already been there.

The Inner Workings of an IDS

The main purpose of an IDS is to detect and alert an administrator about an attack. The administrator can then determine, based on the information received from the IDS, what action to take.

An IDS functions in the following way:

  1. The IDS monitors network activity for anomalies—that is, signatures, custom rules, or behaviors that may indicate an attack, reconnaissance attempt, or other malicious behavior. If the activity detected matches signatures that the IDS has on record or a known attack, the IDS reports the activity to an administrator, who will then decide what to do. Based on the configuration in place on the IDS, the system can also take additional actions, such as sending text messages, paging someone, or sending an email.
  2. If the packet passes the anomaly stage, then stateful protocol analysis is done.

IDS Detection Methods

So what mechanisms allow an IDS to determine what is an attack and what is not? What works with the rule engine? One of three methods will be used: signature, anomaly, or protocol detection.

Signature Detection

The first form of detection or recognition is based on a signature; this method is also sometimes called misuse detection. The system compares traffic to known models, and when matches are found it reports the attack.

  • Pattern matching is the most basic form of detecting and is used in many systems. The process relies on the comparison of known patterns against captured traffic. These models may be looking for changes or patterns in the TCP flags on traffic.
  • Signature recognition is effective at detecting known attacks and poor at detecting ones not in its database. There is also a slight possibility that other traffic not related to an attack will trigger a false positive. Improper signatures can cause false positives and false negatives.
  • Evolution of attacks and minor variations of attacks can result in the need for multiple signatures for a single attack. Just a single bit change can trigger the need for a new signature to be created.

Although these problems may seem to bar the implementation of such systems or at least cause some concern, this type of IDS is widely deployed.

Anomaly Detection

Anomaly detection is different from signature detection in how it detects potential attacks. In this system, any activity that doesn’t match something in the database is considered an anomaly. Also, any deviation from the configured database is regarded as an attack and triggers further action. Unlike the signature-based system, this type of system must be set up to understand what normal activity on a network is so that it can detect deviations from this baseline. If the system is not configured as to what constitutes normal behavior on a network, false positives and negatives can easily become a problem.

Protocol Detection

The third type of detection used by IDSs is protocol anomaly detection. It is based on the anomalies that are specific to a given protocol. To determine what anomalies are present, the system uses known specifications for a protocol and then uses that as a model to compare traffic against. Through use of this design, new attacks may be discovered.

This method can detect new attacks before normal anomaly detection or signature detection can. The detection method relies on the use or misuse of the protocol and not the rapidly changing attack method. Unlike the prior two methods, protocol anomaly detection does not require that you download signature updates. Alarms in this type of system are typically presented differently from others, and thus you should consult the manufacturers’ guides because each may be different.

Signs of an Intrusion

So what type of activities are indications of a potential attack? What type of actions can an IDS respond to? Let’s look at activities that may indicate an intrusion has occurred.

Host System Intrusions

What is an indicator of an attack on a host? A wide range of activities could be construed as an attack:

  • File system anomalies such as unknown files, altered file attributes, and/or alteration of files
  • New files or folders that appear without explanation or whose purpose cannot be ascertained. New files may be a sign of items such as a rootkit or an attack that could be spread across a network.
  • Presence of rogue suid or sgid on a Linux system
  • Unknown or unexplained modifications to files
  • Unknown file extensions
  • Cryptic filenames
  • Double extensions such as filename.exe.exe

This is not an exhaustive list. As attackers evolve, so do the attacks that may be used against a target.

Network Intrusions

Indications of a potential network attack or intrusion include the following:

  • Increased and unexplained use of network bandwidth
  • Probes or services on systems on the network
  • Connection requests from unknown IPs outside the local network
  • Repeated login attempts from remote hosts
  • Unknown or unexplained messages in log files
Nonspecific Signs of Intrusion

Other signs can appear that may indicate the presence of an intruder or potential intrusion in progress:

  • Modifications to system software and configuration files
  • Missing logs or logs with incorrect permissions or ownership
  • System crashes or reboots
  • Gaps in the system accounting
  • Unfamiliar processes
  • Use of unknown logins
  • Logins during nonworking hours
  • Presence of new user accounts
  • Gaps in system audit files
  • Decrease in system performance
  • Unexplained system reboots or crashes

Firewalls

Firewalls are another protective device for networks that stand in the way of a penetration tester or attacker. Firewalls represent a barrier or logical delineation between two zones or areas of trust. In its simplest form an implementation of a firewall represents the barrier between a private and a public network, but things can get much more complicated from there, as you’ll see in this section.

When discussing firewalls, it is important to understand how they work and their placement on a network. A firewall is a collection of programs and services located at the choke point (the location where traffic enters and exits the network). It is designed to filter all traffic flowing in and out and determine if that traffic should be allowed to continue. In many cases the firewall is placed at a distance from important resources so that in the case of compromise key resources are not adversely impacted. If you take enough care and do proper planning along with a healthy dose of testing, only traffic that is explicitly allowed to pass will be able to do so, with all other traffic dropped at the firewall.

Here are some details about firewalls to be aware of:

  • Firewalls are a form of IDS since all traffic can be monitored and logged when it crosses the firewall.
  • A firewall’s configuration is mandated by a company’s security policy and will change to keep pace with the goals of the organization.
  • Firewalls are typically configured to allow only specific kinds of traffic, such as with email protocols, web protocols, or remote access protocols.
  • In some cases, a firewall may also act as a form of phone tap, allowing for the identification of attempts to dial into the network.
  • A firewall uses rules that determine how traffic will be handled. Rules exist for traffic entering and exiting the network, and it is possible for traffic going one way not to be allowed to go the other way.
  • For traffic that passes the firewall, the device also acts as a router, helping guide traffic flowing between networks.
  • Firewalls can filter traffic based on a multitude of criteria, including destination, origin, protocol, content, or application.
  • In the event that traffic of a malicious nature tries to pass the firewall, a properly configured alarm will alert a system administrator or other party as needed.

Firewall Configurations

Not all firewalls or firewall setups are created equally, so you need to be familiar with each setup and how it works. Firewalls can be set up and arranged in several ways, each offering its own advantages and disadvantages. In this section we’ll cover each method.

Bastion Host

A bastion host is intended to be the point through which traffic enters and exits the network. It is a computer system that hosts nothing other than what it needs to perform its defined role, which in this case is to protect resources from attack. This type of host has two interfaces: one connected to the public network and the other to the internal network.

Screened Subnet

This type of setup uses a single firewall with three built-in interfaces. The three interfaces are connected to the Internet, the DMZ (more on this in a moment), and the intranet, respectively. The obvious advantage of this setup is that the individual areas are separated from one another by virtue of the fact that each is connected to its own interface. This offers the advantage of preventing a compromise in one area from affecting one of the other areas.

Multihomed Firewall

A multihomed firewall refers to two or more networks. Each interface is connected to its own network segment logically and physically. A multihomed firewall is commonly used to increase efficiency and reliability of an IP network. In this case, more than three interfaces are present to allow for further subdividing the systems based on the specific security objectives of the organization.

Demilitarized Zone

A DMZ is a buffer zone between the public and private networks in an organization. It is used to act as not only a buffer zone but also a way to host services that a company wishes to make publicly available without allowing direct access to their own internal network.

A DMZ is constructed through the use of a firewall. Three or more network interfaces are assigned specific roles such as internal trusted network, DMZ network, and external untrusted network (Internet).

Types of Firewalls

Not all firewalls are the same, and you must know the various types of firewall and be able to understand how each works:

Packet-Filtering Firewall This is perhaps the simplest form of firewall. It works at the Network level of the OSI model. Typically these firewalls are built directly into a router as part of its standard feature set. This firewall compares the properties of a packet such as source and destination address, protocol, and port. If a packet doesn’t match a defined rule, it is dropped. If the packet matches a rule, it typically is allowed to pass.

Circuit-Level Gateway This is a more complex form of firewall that works at the Session layer of the OSI model. A circuit-level firewall is able to detect whether a requested session is valid by checking the TCP handshaking between the packets. Circuit-level gateways do not filter individual packets.

Application-Level Firewall This firewall analyzes the application information to make decisions about whether to transmit the packets.

Stateful Multilayer Inspection Firewall This firewall combines the aspects of the other three types. It filters packets at the Network layer to determine whether session packets are legitimate, and it evaluates the contents of packets at the Application layer.

What’s That Firewall Running?

To determine a type of firewall and even a brand, you can use your experience with port scanning and tools to build information about the firewall your target is running. By identifying certain ports, you can link the results to a specific firewall and from that point determine the type of attack or process to take in order to compromise or bypass the device.

Fortunately, you can perform banner grabbing with Telnet to identify the service running on a port. If you encounter a firewall that has specific ports running, that may help in identification. It is possible to banner grab and see what is reported back.

Firewalking

Another effective way to determine the configuration of a firewall is through firewalking. Firewalking may sound like a painful process and test of courage, but it is actually the process of probing a firewall to determine the configuration of ACLs by sending TCP and UDP packets at the firewall. The key to making this successful is the fact that the packets are set to have one more hop in their time to live (TTL) in order to get them past the firewall or elicit a response stating otherwise.

To perform a firewalk against a firewall, you need three components:

Firewalking Host The system, outside the target network, from which the data packets are sent to the destination host, in order to gain more information about the target network

Gateway Host The system on the target network that is connected to the Internet, through which the data packet passes on its way to the target network

Destination Host The target system on the network to which the data packets are addressed

Using Firewalk

There are different ways to perform the process of firewalking using different tools, but one that is popular is Firewalk for Linux. This utility is designed to make use of active methods to ascertain which Layer 4 protocols will pass through a device. When executed, Firewalk sends out numerous TCP and/or UDP packets with a TTL set to be one step higher than the target. In practice this means that if a packet goes through the firewall, it will expire at the next hop and the scanning system will receive an ICMP_TIME_EXCEEDED message. However, for traffic that is blocked, no response will be returned because the device will generally drop these packets completely.

The first step in making this process work is to determine the correct value for the TTL. Since we need traffic to get past the firewall and to the next host, the TTL will be set to the number of hops to get to the firewall plus one. Remember that when you are determining the exact hop count, you are not looking to reach anything farther on in the network, just the count to get one step past the firewall. Keep in mind that firewalking is intended to analyze the firewall itself, and you will go after other targets later. Once you have determined this using a utility such as traceroute, you can begin the actual scan.

To illustrate, here are the results of running Firewalk against a target:

Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 217.41.132.201 using 217.41.132.161 as a metric.
Ramping Phase:
1 (TTL 1): expired [192.168.102.254]
2 (TTL 2): expired [212.38.177.41]
3 (TTL 3): expired [217.41.132.201]
Binding host reached.
Scan bound at 4 hops.
Scanning Phase:
port 21: A! open (port listen) [217.41.132.161]
port 22: A! open (port not listen) [217.41.132.161]
port 23: A! open (port listen) [217.41.132.161]
port 25: A! open (port not listen) [217.41.132.161]
port 53: A! open (port not listen) [217.41.132.161]
port 80: A! open (port not listen) [217.41.132.161]
Scan completed successfully.

In this example you can see that ports 21 and 23 are both open and something is listening behind those ports. The other ports are just open and nothing is behind them based on the results returned.

If you look up higher in the results, you’ll see the Ramping phase. In this step the firewalking script is using traceroute to see how many hops it takes to get to the target. Once this number is determined to be 3, Firewalk adds one hop to bring it to 4 and limits or sets the bounds of the scan at 4 hops. By doing this the scanner can tell if packets got to the point past the firewall or were stopped by the firewall.

Let’s take Firewalk for a drive and see how to use it in practice; see Exercise 17.1.

One thing I haven’t mentioned in relation to firewalking is what you should do once you find open ports. In practice, once an attacker finds open ports they could now focus on those ports and configure their tools to get into the system through them. There is another benefit to finding these open ports on the firewall. Ports that are open by design of the system owner may not perform any sort of logging on traffic that passes through them.

Using Nmap to Determine a Firewall’s Configuration

As we have seen time and time again, Nmap is capable of doing many things, and in this case it can also perform firewalking. In practice, this means that the TTL value of packets is configured to one step past the firewall. If the probe passes the firewall and hits the next router, the TTL is decremented by 1 and an ICMP_TIME_EXCEEDED message is returned.

It starts with a TTL equal to the distance to the target. If the probe times out, it is re-sent with a TTL decreased by 1. If you get an ICMP_TIME_EXCEEDED, then the scan is over for this probe, meaning that the port is closed.

To make this even more effective Nmap has a built-in script that will perform firewalking for you. You can call this script and target a victim using the following syntax:

nmap --script=firewalk --traceroute <target ip-address>

In this example, --script= specifies the script to use. The next switch, --traceroute, executes a traceroute to the target IP address in order to determine the bounds for the firewalking process.

Mobile Devices and Firewalls

In the past firewalls protected networks as well as hosts on the network in the form of personal firewalls, but now mobile devices have the same problems that hosts had in the past. Thus we now have firewalls for mobile devices. The Google Play store, for example, is filled with different quality firewalls, some that are free and some that cost. This is the case for Apple’s devices as well.

Honeypots

One of the more interesting systems you will encounter is a honeypot. A honeypot may sound like something out of a Winnie the Pooh book, but it is actually a device or system used to attract and trap attackers who are trying to gain access to a system. However, honeypots are far from being just a booby trap; they have also been used as research tools, as decoys, and just to gain information. They are not designed to address any specific security problem.

Honeypots don’t fit into any neat classification or category. Honeypots can fulfil a number of different purposes or roles for an organization, but most agree that a honeypot provides value from being used by unauthorized parties or through illicit use. Honeypots are designed to be misused and abused and in that role they stand alone. In practice the system can appear as any of the following:

  • A dedicated server
  • A simulated system of some type
  • A service on a host designed to look legitimate
  • A virtual server
  • A single file

In all these examples the honeypot is configured to look like a real item within the environment, but it is anything but that. While a honeypot looks like a real resource and may behave that way, it is never intended to be used for any legitimate purpose. If a honeypot has any sort of actions in progress on it, then they are more than likely due to some sort of unauthorized or accidental use that may even be malicious.

In some circles a honeypot is viewed as a decoy device, but this is also not entirely correct and can be confusing. It is not unheard of for a honeypot to be described as something you put in your DMZ with the goal of having someone break into it. In terms of research this would be a valid and true statement to make, but it doesn’t hold up upon closer inspection. The last thing you want as the owner of a network or the person in charge of security is for someone to break into your environment, as would be the case of a decoy in the DMZ. Since a DMZ would host systems like web servers, email gateways, or other services, you would not want to draw an attacker’s attention in any way to these items.

Using a Honeypot in Practice

A honeypot is ideally suited to get a clearer picture of the activity on or around the critical systems in your environment. The common use of honeypots is to look like a legitimate resource so as to be indistinguishable from the real thing. This will subject both the honeypot and the real resource to the same activity, meaning that attacks can be detected more easily.

An example of a typical deployment of a honeypot would be one where we have a high-traffic web server. In this environment we would put the web server and a honeypot configured identically in the DMZ. Since both are the same, the attacks both are exposed to in the same location should also match. Any malware, probes, enumeration, or other actions would immediately be detectable as a potential attack because the honeypot has no legitimate use. This information gathered from the honeypot would allow for the design and placement of better defenses.

High vs. Low Interaction

Honeypots are not all created equal. There are two main categories: high- and low-interaction varieties.

  • Low-interaction honeypots rely on the emulation of service and programs that would be found on a vulnerable system. If attacked, the system detects the activity and throws an error that can be reviewed by an administrator.
  • High-interaction honeypots are more complex in that they are no longer a single system that looks vulnerable but an entire network typically known as a honeynet. Any activity that happens in this tightly controlled and monitored environment is reported. One other difference in this setup is that in lieu of emulation, real systems with real applications are present.

Honeypots can be easily explored and evaluated as something to consider for your environment. Those available include KFSensor, HoneyBOT, and HoneyDrive, to name a few.

Run Silent, Run Deep: Evasion Techniques

Each of the devices covered in this chapter is designed to stop or slow down an attack. Since you, as a penetration tester, are trying to test a system, you must be able to get around these devices if possible or at least know how to attempt to do so. In this section we discuss the various mechanisms available, how they work, and what devices they are designed to deal with.

Denial of Service vs. IDS

Another mechanism for getting around an IDS is to attack the IDS directly or exploit a weakness in the system via a DoS attack. A DoS or DDoS attack overwhelms or disables a target in such a way as to make it temporarily or permanently unavailable. Through the consumption of vital system resources, the overall performance of the target is adversely impacted, making it less able—or completely unable—to respond to legitimate traffic or at least not function to the best of its ability.

If we target an IDS with a DoS attack, something interesting happens: The IDS functions erratically or not at all. To understand this, think of what an IDS is doing and how many resources it needs to do its job. An IDS is sniffing traffic and comparing that traffic to rules, which takes a considerable amount of resources to perform. If these resources can be consumed by another event, then it can have the effect of changing the behavior of the IDS. By using enumeration and system hacking methods it is possible for an attacker to identify which resources are under load or are vital to the proper functioning of the IDS. Once those resources are identified, the attacker can clog up or consume the resources to make the IDS not function properly or become occupied by useless traffic.

Attacks such as the ping of death, teardrop attacks, SYN floods, Smurf Attacks, and Fraggle Attacks can be used to perform a DoS against an NIDS.

Insertion

An insertion attack is an effective method of defying detection by an IDS. In practice the insertion attack relies on knowledge of how the system works and how it will react to packets on the network. Essentially, the insertion attack relies on the fact that an IDS can accept packets that the actual intended recipient would otherwise accept. If an IDS does accept a packet that the end system rejected, then it can be fooled into believing that the end system did accept the packet as well. An attacker can take advantage of this situation by sending packets to an end system that the IDS accepts. Because of the way an IDS works, by sniffing all traffic and comparing it to what knowledge it has in order to detect attacks, it will accept all traffic. Since it will accept all packets that other systems won’t, it is possible to overwhelm or defeat it and get an attack past the IDS.

In practice, an insertion attack is effective against IDSs that use signature analysis to identify malicious activity.

Another way to carry out this attack is to tamper with the header of a packet. Adjusting values such as TTL, the flags, size, or other information can cause a packet to get rejected by an end system but not by the IDS.

Obfuscating

Because an IDS relies on being able to observe or read information, the process of obscuring or obfuscating code can be an effective evasion technique. This technique relies on manipulating information in such a way that the IDS cannot comprehend or understand it but the target can. You can accomplish this via manual manipulation of code or through the use of an obfuscator. One example that has been successful against older IDSs is the use of Unicode. By changing standard code such as HTTP requests and responses to their Unicode equivalents, you can produce code that the web server understands but the IDS may not.

Want to cover up your scanning activities by placing entries in the firewalls’ logs? Easy—just use Nmap to make the firewalls believe that the scan is coming from different locations. Nmap has the ability (through the –D switch) to generate decoys, meaning that detection of the actual scanning system becomes much more difficult:

nmap -D RND:10 <target ip> (Generates a random number of decoys)

Crying Wolf

Remember the story from your childhood of the boy who cried wolf? The shepherd boy in the story cried wolf so many times as a joke that when the wolf was actually attacking his flock, no one believed him and his flock got eaten. The moral of the story is that liars are rewarded with disbelief from others even when they tell the truth. How does this apply to our IDS discussion? Essentially the same way as the boy in the story: An attacker can target the IDS with an actual attack, causing it to react to the activity and alert the system owner. If done repeatedly, the owner of the system will see log files full of information that says an attack is happening, but no other evidence suggests the same. Eventually the system owner may start to ignore these warnings, or what they perceive to be false positives, and become lax in their observations. Thus an attacker can strike at their actual target in plain sight.

Session Splicing

The type of evasion technique known as session splicing is an IDS evasion technique that exploits the fact that some types of IDSs don’t reassemble or rebuild sessions before analyzing traffic. In addition, it is possible to fool some systems by fragmenting packets or tampering with the transmission of packets in such a way that the IDS cannot analyze them and instead forwards them to the target host.

Fun with Flags

The Transmission Control Protocol uses flags on packets to describe the status of the packet. Knowledge of these flags can yield benefits such as evasion techniques for IDSs.

Bogus RST

RST is one of the many flags used to end two-way communications between endpoints. In addition to these flags, checksums are used to verify the integrity of the packet to ensure that what was received is what was sent originally. An attacker can use alteration of this checksum to cause the IDS to not process the packet. What happens with some IDSs is that upon receipt of an invalid checksum, processing stops and the traffic passes unimpeded by the IDS without raising an alert.

Sense of Urgency

The URG flag is used to mark data as being urgent in nature. Packets flagged with the URG bit set are processed immediately by “jumping” to the front of the “line” ahead of other packets. Some IDSs do not take this previous data into account and let it pass unimpeded, letting an attack potentially pass without hindrance.

Encryption

Some IDSs cannot process encrypted traffic and therefore will let it pass. Of all the evasion techniques, encryption is one of the most effective.

Evading Firewalls

Earlier you learned what a firewall is capable of doing and the different types that exist. So how does an attacker evade these devices? A handful of techniques are available.

IP Address Spoofing

One effective way an attacker can evade a firewall is to appear as something else, such as a trusted host. Using spoofing to modify address information, the attacker can make the source of an attack appear to come from someplace other than the malicious party.

While this attack can be effective, there are some limitations that may thwart this process. The more obvious one is the fact that firewalls will more than likely drop traffic that would fit the definition here. Specifically, a trusted host may be something inside the  network itself. Any sort of specially crafted packet from an IP address range on the local network but coming from outside the network will get dropped as invalid.

Source Routing

Using this technique, the sender of the packet designates the route that a packet should take through the network in such a way that the designated route should bypass the firewall node. Using this technique, the attacker can evade the firewall restrictions.

Through the use of source routing, it is entirely possible for the attacker or sender of a packet to specify the route they want it to take instead of leaving such choices up to the normal routing process. In this process the origin or source of a packet is assumed to have all the information it needs about the layout of a network and can therefore specify its own best path for getting to its destination.

By employing source routing, an attacker may be able to reach a system that would not normally be reachable. These systems could include those with private IP addresses or those that are protected under normal conditions from the Internet. The attacker may even be able to perform IP spoofing, further complicating detection and tracing of the attack by making the packet’s origin unknown or different from its actual origin.

Fortunately, the easiest way to prevent source routing is to configure routers to ignore any source routing attempts on the privately controlled network.

Fragmentation

The attacker uses the IP fragmentation technique to create extremely small fragments and force the TCP header information into the next fragment. This may result in a case where the TCP flags field is forced into the second fragment, while filters can check these flags only in the first octet. Thus, the IDS ignores the TCP flags.

To cause fragmentation of traffic in Nmap you could use the following command:

Nmap –sS –sV –f <ip address or hostname of target>

Note that the –f instructs Nmap to break the scan being performed here into 8-byte fragments, which may be able to pass by defensive measures between the scanner and the target.

Two forms of fragmentation can be used to defeat an IDS, which are issues relating to reassembly and overlapping fragments.

In the first case, reassembly of fragments is exploited by an attacker fragmenting traffic intentionally. Under normal conditions the fragments are received by the intended host, and because each fragment is numbered, the host knows how to reassemble them. However, to fool an IDS an attacker can exploit a weakness in some IDSs by sending the packets out of order, which some IDSs cannot deal with. It is also possible to fragment traffic, but by only sending some of the fragments, the IDS must buffer the fragments until the last bit arrives. The problem here is that they never arrive and the IDS will store them in memory while it waits. If an attacker does this with enough traffic, memory will be used up on the IDS.

In the case of overlapping fragments, the IDS is forced to deal with fragments that won’t reassemble the right way. This means that the fragments may overlap or not otherwise fit together, so the IDS will fail when trying to deal with them.

IP Addresses to Access Websites

A mechanism that is effective in some cases at evading or bypassing a firewall is the use of an IP address in place of a URL. Since some firewalls look only at URLs instead of the actual IP addresses, using the address to access a website can allow an attacker to bypass the device.

Other mechanisms that are somewhat similar to this technique are using website anonymizers and open public proxy servers to get around the firewalls or website restrictions of a company.

ICMP Tunneling

Yet another method to bypass or evade a firewall is through the use of ICMP tunneling. ICMP can be used to bypass a firewall through a little-known part of the RFC 792 specification (responsible for defining the operation of ICMP). ICMP defines the format and structure of the packet but not what the packet carries as part of its data portion. Due to this ambiguous definition of the data portion, the contents can be completely arbitrary, thus allowing a diverse range of items to be included within the data section. This section can include information regarding applications that can open a covert channel or plant malware. The result can be that an organization’s firewalls are opened.

One tool that is effective at performing this type of task is Loki, which has the ability to tunnel commands within an ICMP echo packet. Other similar tools are NCovert and 007shell, both of which allow crafting of packets that can be used to bypass a firewall.

ACK Tunneling

Pursuing a variation of a theme, you can also use ACK tunneling to bypass the scrutiny of a firewall. ACK tunneling exploits the fact that some firewalls do not check packets that have the ACK bit configured. The reason for this lapse is that the ACK packet is used to respond to previous, and assumed legitimate, traffic that has already been approved.

An attacker can leverage this flaw by sending packets with the ACK flag set using a tool such as AckCmd.

HTTP Tunneling

An additional variation of the tunneling method involves exploiting HTTP. This method may be one of the easiest ones to use mainly because the protocol is already allowed through many firewalls as part of normal operations. HTTP traffic is considered normal because just about every company needs to have Internet access or provide public access to resources such as web servers and web applications.

One tool that may be used to exploit this situation is HTTPTunnel, which uses a client-server architecture to facilitate its operation.

Testing a Firewall and IDS

With so many techniques and mechanisms at your disposal, you can now test your defensive and monitoring capabilities.

Overview of Testing a Firewall

The following are the general steps for testing the integrity and capability of a firewall, whether it is based on hardware or software:

  1. Footprint the target.
  2. Perform port scanning.
  3. Perform banner grabbing against open ports.
  4. Attempt firewalking.
  5. Disable trusted hosts.
  6. Perform IP address spoofing.
  7. Perform source routing.
  8. Substitute an IP address for a URL.
  9. Perform a fragmentation attack.
  10. Use an anonymizer.
  11. Make use of a proxy server to bypass a firewall.
  12. Use ICMP tunneling.
  13. Use ACK tunneling.
Overview of Testing an IDS

Much like testing a firewall, there is a general process for testing an IDS. It tends to be something like the following:

  1. Disable trusted hosts.
  2. Attempt an insertion attack.
  3. Implement evasion techniques.
  4. Perform a DoS.
  5. Use code obfuscation.
  6. Perform a false-positive generation technique.
  7. Attempt a Unicode attack.
  8. Perform a fragmentation attack.

It is important to remember that not every attack will work when testing a firewall or IDS, but you should still log the results and make note of the way the devices respond. When testing is complete, compare and analyze the results to see if you can determine any patterns or behavior that may indicate the nature of the environment or vulnerabilities present.

Summary

In this chapter we looked at firewalls, IDSs, and honeypots as mechanisms used to defend a network as well as something to evade as an attacker. You saw that the problem is that whereas many attacks are effective at getting information, they can be thwarted by using any of the systems we have covered. Today’s networks and environments employ a range of defensive and detective measures designed to deal with such attacks.

Corporations now routinely use many defensive measures, each with its own way of putting a stop to attacks. Intrusion detection systems, intrusion prevention systems, firewalls, honeypots, and other such systems are potent adversaries and obstacles to your activities. Although these devices are formidable, they are not insurmountable, so you must learn how they work and then see what you can do to overcome the obstacles or just get around them altogether.

Exam Essentials

Understand the different types of firewalls. Know that not all firewalls are the same and that each operates a little differently. For example, packet filtering firewalls work at the network level and are commonly embedded in routers, whereas stateful firewalls are devices unto themselves.

Know the differences between HIDSs and NIDSs. Understand that an HIDS and an NIDS are not the same and do not monitor the same type of activity. An NIDS monitors traffic on a network but diminishes in effectiveness where a host is concerned. An HIDS has diminished capability outside a specific host.

Understand the role of a honeypot. A honeypot is a tool used to attract an attacker for the purpose of research, to act as a decoy, or to gain intelligence as to what types of attacks you may be facing and how well your defenses are working.

Review Questions

  1. An HIDS is used to monitor activity on which of the following?

    1. Network
    2. Application
    3. Log file
    4. Host

  2. Which of the following can be used to identify a firewall?

    1. Search engines
    2. Email
    3. Port scanning
    4. Google hacking

  3. An NIDS is based on technology similar to which of the following?

    1. Packet sniffing
    2. Privilege escalation
    3. Enumeration
    4. Backdoor

  4. Which of the following can be used to evade an IDS?

    1. Packet sniffing
    2. Port scanning
    3. Enumeration
    4. Encryption

  5. Altering a checksum of a packet can be used to do what?

    1. Send an RST.
    2. Send a URG.
    3. Reset a connection.
    4. Evade an NIDS.

  6. Firewalking is done to accomplish which of the following?

    1. Find the configuration of an NIDS.
    2. Find the configuration of an HIDS.
    3. Uncover a honeypot.
    4. Analyze a firewall.

  7. A method for overwhelming an IDS using packets with incorrect TTL values or flags is known as what?

    1. Session splicing
    2. Insertion
    3. Fragmenting
    4. ACK scanning

  8. How does a fragmentation attack, which takes a packet, breaks it into fragments, and sends only some of the fragments to the target, cause a DoS?

    1. By consuming processor power on the IDS
    2. By overwhelming the IDS with too many fragments
    3. By exhausting memory by caching the fragments
    4. By filling virtual memory with too much data

  9. Which of the following uses a database of known attacks?

    1. Signature file
    2. Anomaly
    3. Behavior
    4. Shellcode

  10. An anomaly-based NIDS is designed to look for what?

    1. Patterns of known attacks
    2. Deviations from known traffic patterns
    3. Log alterations
    4. False positives

  11. Multihomed firewall has a minimum of how many network connections?

    1. Two
    2. Three
    3. Four
    4. Five

  12. A DMZ is created with which of the following?

    1. A firewall and a router
    2. A multihomed firewall
    3. Two routers
    4. A multihomed router

  13. A firewall is used to separate which of the following?

    1. Networks
    2. Hosts
    3. Permissions
    4. ACL

  14. In practice a honeypot will be configured how?

    1. As an unpatched system
    2. As a decoy server
    3. As a duplicate of a real system
    4. As an analysis tool

  15. Which ports does SNMP use to function?

    1. 160 and 161
    2. 160 and 162
    3. 389 and 160
    4. 161 and 162

  16. HTTP is typically open on which port in a firewall?

    1. 25
    2. 443
    3. 80
    4. 110

  17. What is a system used as a chokepoint for traffic?

    1. IDS
    2. DMZ
    3. Bastion host
    4. SNMP host

  18. At which layer of the OSI model does a packet-filtering firewall work?

    1. Layer 1
    2. Layer 2
    3. Layer 3
    4. Layer 4

  19. What type of firewall analyzes the status of traffic?

    1. Circuit level
    2. Packet filtering
    3. Stateful inspection
    4. NIDS

  20. What can be used instead of a URL to evade some firewalls?

    1. IP address
    2. Encryption
    3. Stateful inspection
    4. NIDS