Banner grabbing: Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use it to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP): ports 80, 21, and 25, respectively. Tools commonly used to perform banner grabbing are Telnet, which is included with most operating systems, and Netcat. Banner grabbing is a simple method of OS detection. It is useful in detecting services run by firewalls. FTP, telnet, and Web servers are the three main services which send out banners. The following is an example of SMTP banner grabbing:
telnet mail.targetcompany.org 25
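The administrator's inventory use of banner grabbing described above, automated as an added example (this is not code from the original text): a small parser that classifies FTP, SSH, SMTP and HTTP greetings and pulls out the advertised product/version string, so the result can be compared against a patch baseline. The sample banners, the host name mail.example.test, and the regular expressions are all constructed for this example; grab_banner() is the telnet step above done over a socket with a timeout.

```python
import re
import socket

# Constructed sample banners keyed by port (not captured from any real host).
SAMPLE_BANNERS = {
    21: b"220 (vsFTPd 3.0.3)\r\n",
    22: b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    25: b"220 mail.example.test ESMTP Postfix\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\nContent-Length: 0\r\n\r\n",
}

# Patterns that pull the product/version string out of common banner formats.
# Order matters: the SMTP pattern is tried before the FTP one so that a
# "220 host ESMTP ..." greeting is not mistaken for an FTP greeting.
BANNER_PATTERNS = [
    ("ssh", re.compile(rb"^SSH-[\d.]+-(?P<product>\S+)")),
    ("smtp", re.compile(rb"^220[ -]\S+\s+E?SMTP\s*(?P<product>[^\r\n]*)")),
    ("ftp", re.compile(rb"^220[ -].*?\((?P<product>[^)]+)\)")),
    ("http", re.compile(rb"^HTTP/[\d.]+ \d{3}.*?\r?\nServer:\s*(?P<product>[^\r\n]+)", re.S)),
]


def parse_banner(raw: bytes) -> dict:
    """Classify a banner and extract the advertised product string."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(raw)
        if m:
            product = m.group("product").decode("ascii", "replace").strip()
            return {"service": service, "product": product}
    return {"service": "unknown", "product": ""}


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the service announces (the telnet step, automated).

    HTTP servers say nothing until asked, so a harmless HEAD request is sent on port 80.
    """
    probe = b"HEAD / HTTP/1.0\r\n\r\n" if port in (80, 8080) else b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(1024)


def inventory(banners: dict) -> dict:
    """Turn {port: banner} into {port: parsed} for an asset inventory."""
    return {port: parse_banner(raw) for port, raw in banners.items()}


if __name__ == "__main__":
    for port, info in inventory(SAMPLE_BANNERS).items():
        print(port, info["service"], info["product"])
```

Because the version string is exactly what an intruder is after, the same parser run against your own hosts tells you what they are advertising; trimming or removing version details from banners (a configuration option in most of these servers) and keeping the inventory patched is the defensive use of this output.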
Firewalking: Firewalking is a technique for gathering information about a remote network protected by a firewall. It can be used effectively to perform information-gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value set to expire one hop past the firewall. If the firewall allows the crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP "TTL expired in transit" message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP "administratively prohibited" message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that it is ineffective if an administrator blocks ICMP packets from leaving the network.
Some important firewalls
The following are some important firewalls:
- Check Point Firewall Software
- eScan Enterprise
- Jetico Personal Firewall
- ZoneAlarm Pro
- Novell BorderManager
- FireWall-1
- InstaGate
- AccessMaster NetWall
16.3 Understand honeypot
Exam Focus: Understand a honeypot. Objective includes:
- Understand a honeypot.
- Assess various types of honeypots.
- Understand how to set up a honeypot.
Honeypot
A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason that a honeypot has low security permissions. A honeypot is used to gain information about the intruders and their attack strategies.
Types of honeypots
The following are the types of honeypots:
- Low-interaction honeypot: It emulates services and programs that would be found on an individual's system. The honeypot will simply generate an error if the attacker does something that the emulation does not expect. The low-interaction honeypot captures a limited amount of information.
- High-interaction honeypot: It offers a vast amount of information about attackers. It provides an attacker access to the real operating system without any restriction. A high-interaction honeypot is a powerful weapon that provides opportunities to discover new tools, to identify new vulnerabilities in the operating system, and to learn how blackhats communicate with one another.
Advantages and disadvantages of honeypots
Honeypots have several advantages, which are as follows:
- Small set of data: Honeypots collect small amounts of data, but almost all of this data is about real attacks or unauthorized activity.
- Reduced false positives: Almost everything a honeypot detects or captures is an attack or unauthorized activity, which reduces false positives.
- Fewer false negatives: Honeypots detect and record attacks or behavior that would otherwise go unseen or unnoticed.
- Cost effective: Honeypots only interact with malicious activity, so there is no need for high-performance resources.
Honeypots also have some disadvantages, which are as follows:
- Limited view: Honeypots can only see activities that interact with them. They cannot see or capture attacks directed against existing systems.
- Discovery and fingerprinting: Honeypots can be easily detected and fingerprinted by several tools.
- Risk of takeover: Since there are many security holes in honeypots, a malicious attacker can take over the honeypot and use it to gain access to and hack other networks.
Set up a honeypot
Take the following steps to set up a honeypot:
- Download or purchase honeypot software. The following are some of the programs available for Linux systems:
  - Tiny Honeypot
  - LaBrea
  - Honeyd
  KFSensor is software that operates with Windows.
- Install a honeypot onto the computer by logging in as an administrator on the computer.
- Install the software on the computer. Select the "Full Version" to ensure that every feature of the program is installed.
- Place the honeypot software in the "Program Files" folder. Once you have chosen the folder, click "OK". The program will install.
- Restart the computer for the honeypot to work.
- Check the items that you want the honeypot to look for, including services, applications and Trojans, and name your domain by configuring the honeypot.
Honeypot tools
The following are honeypot tools:
- NetBait
- Single-honeypot
- LaBrea Tarpit
- Kojoney
- Sendmail SPAM Trap
- HoneyBOT
- PatriotBox
- Google Hack Honeypot
KFSensor
KFSensor is a Windows-based honeypot Intrusion Detection System (IDS). It acts as a honeypot to attract and log potential hackers by simulating vulnerable system services and Trojans. It has highly configurable features for detailed logging, attack analysis, and security alerts. When using KFSensor, a user can create different types of scenarios, such as what action should be taken when access to a honeypot is attempted. KFSensor contains many innovative and unique features, such as remote management, a Snort-compatible signature engine, and emulations of real servers (e.g. FTP, POP3, HTTP, Telnet, and SMTP) to deceive the hacker and gain more valuable information about his motives. The following are features of KFSensor:
- GUI-based management console
- Remote management
- Snort-compatible signature engine
- Emulations of Windows networking protocols
- Export logs in multiple formats
- Denial of Service attack protection
Specter
Specter is a commercial honeypot-based intrusion detection system. Specter is developed and sold by the Swiss company Netsec. It is used to lure hackers away from production machines by simulating a vulnerable computer that appears to be an interesting target. It offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET. These services appear perfectly normal to the attackers; in reality, however, they are traps in which the attackers mess around and leave traces without even knowing that they are connected to a decoy system.
A Specter system consists of a dedicated PC and the Specter software that is connected to the network where attacks are expected to occur. It can also be installed on internal networks to find suspicious activities within an organization. It is designed for commercial organizations, including small and large enterprises.
16.4 Examine evading IDS, understand evading firewalls, and learn detecting honeypots
Exam Focus: Examine evading IDS, understand evading firewalls, and learn detecting honeypots. Objective includes:
- Examine evading IDS.
- Understand evading firewalls.
- Learn detecting honeypots.
Evasion attack
An evasion attack is one in which an IDS rejects a malicious packet but the host computer accepts it. Since the IDS has rejected the packet, it does not check its contents. Hence, using this technique, an attacker can exploit the host computer. In many cases, it is quite simple for an attacker to send packets that perform evasion attacks on IDSs. The attacker sends portions of the request in packets that are mistakenly rejected by the IDS. This removes parts of the stream from the IDS's view. For example, the IDS cannot detect the attack if the malicious sequence is sent byte-by-byte and one byte is rejected by the IDS.
Denial of Service attack
Central logging servers are employed by many IDSs. Central logging servers are used exclusively for storing IDS alert logs. The central server is used to centralize alert data; hence, it can be viewed as a whole rather than on a system-by-system basis. Attackers can slow the central server down or even crash it using a DoS attack if they know the central log server's IP address. Attacks can go unnoticed after the server is shut down as the alert data is no longer being used.
An attacker can do the following using this evasion technique:
- Cause the device to lock up.
- Cause personnel to be unable to investigate all the alarms.
- Consume the device's processing power and permit attacks to sneak by.
- Fill up disk space, causing attacks not to be logged.
- Cause more alarms than management systems can handle.
Obfuscating
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In the past, an adversary using Unicode characters could encode attack packets that an IDS would not recognize but that an IIS Web server would decode, and so be attacked. Polymorphic code is another means to circumvent signature-based IDSs by creating unique attack patterns, so that the attack does not have a single detectable signature. Attacks on encrypted protocols such as HTTPS are obfuscated if the attack itself is encrypted.
Session splicing IDS evasion technique
In the session splicing IDS evasion technique, an attacker delivers data in multiple small packets. Hence, it becomes very difficult for an IDS to detect the attack signatures of such attacks. For example, consider the following Snort signature for detecting session splicing:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC whisker splice attack"; content: "|20|"; flags: A+; dsize: 1;reference:arachnids,296; classtype:attempted-recon; sid:1104; rev:1;)
This rule detects traffic destined to port 80 with the ACK flag set, a space (hex 20) in the payload, and a dsize of 1. Although this signature accurately detects session splicing, the attack can be modified to evade the IDS. To evade this rule, an attacker can send abnormally small packets. For example, an attacker can send very small packets spaced 15 minutes apart to the IIS Web server. Since an IIS session remains alive for a long time, the IDS may be tricked into accepting them as regular traffic.
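To make the rule's three conditions concrete, here is an added example (not code from the original text or from the Snort project) that parses the quoted rule into its header and options and evaluates it against constructed packets. It implements only what this rule needs: exact dsize, the "A+" flag modifier, and the |hex| content syntax; Snort's full option grammar is much larger. The packet dicts are constructed for the example, not captured traffic.

```python
# The rule quoted above, copied verbatim for parsing.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC whisker splice attack"; '
        'content: "|20|"; flags: A+; dsize: 1;reference:arachnids,296; classtype:attempted-recon; '
        'sid:1104; rev:1;)')


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into its header fields and an option dictionary."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    options = {}
    for item in body.rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def content_to_bytes(spec: str) -> bytes:
    """Convert Snort content syntax ("abc|20 0d|def") into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def flags_match(spec: str, pkt_flags: set) -> bool:
    """Snort flag semantics: 'A' exact, 'A+' these plus any others, 'A*' any of these.
    (The '!' negation modifier is not implemented in this example.)"""
    modifier = spec[-1] if spec[-1] in "+*" else ""
    wanted = set(spec.rstrip("+*"))
    if modifier == "+":
        return wanted <= pkt_flags
    if modifier == "*":
        return bool(wanted & pkt_flags)
    return wanted == pkt_flags


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Evaluate the parsed rule against a packet dict (constructed here, not a real capture).
    dsize is treated as an exact size; Snort also allows '<', '>' and ranges."""
    opts = rule["options"]
    if pkt["proto"] != rule["proto"] or str(pkt["dport"]) != rule["dport"]:
        return False
    if "flags" in opts and not flags_match(opts["flags"], set(pkt["flags"])):
        return False
    if "dsize" in opts and len(pkt["payload"]) != int(opts["dsize"]):
        return False
    if "content" in opts and content_to_bytes(opts["content"]) not in pkt["payload"]:
        return False
    return True


# Constructed packets: a one-byte splice, an ordinary request, and a two-byte packet
# that the exact dsize:1 test does not cover (the narrowness the text describes).
SPLICE_PACKET = {"proto": "tcp", "dport": 80, "flags": "PA", "payload": b" "}
NORMAL_PACKET = {"proto": "tcp", "dport": 80, "flags": "PA", "payload": b"GET / HTTP/1.0\r\n"}
TWO_BYTE_PACKET = {"proto": "tcp", "dport": 80, "flags": "PA", "payload": b"GE"}

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    for name, pkt in [("splice", SPLICE_PACKET), ("normal", NORMAL_PACKET), ("two-byte", TWO_BYTE_PACKET)]:
        print(name, rule_matches(parsed, pkt))
```

The two-byte packet shows why a signature keyed on one exact packet size is brittle on its own; in practice the defence against splicing is the IDS's stream reassembly (Snort's stream preprocessor), which lets content rules match on the reassembled session rather than on individual segments.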
Fragmentation overlap IDS evasion method
In this approach, an attacker sends packets in such a manner that one packet fragment overlaps data from a previous fragment. The information is organized in the packets in such a manner that when the victim's computer reassembles the packets, an attack string is executed on the victim's computer. Since the attacking string is in a fragmented form, the IDS is unable to detect it.
Fragmentation overwrite IDS evasion method
In this approach, an attacker sends packets in such a manner that one packet fragment overwrites data from a previous fragment. The information is organized into packets in such a manner that when the victim's computer reassembles the packets, an attack string is executed on the victim's computer. Since the attacking string is in a fragmented form, the IDS becomes unable to detect it.
Unicode evasion technique
Unicode is a character representation that gives each character a unique identifier for each written language. This facilitates the uniform computer representation of each language. There can be multiple representations of a single character; hence, Unicode is problematic for IDS technology. For example, "\" can be represented as 5C, C19C, and E0819C, which makes writing pattern-matching signatures very difficult.
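The three encodings of "\" named above are one byte, two bytes and three bytes of UTF-8; the latter two are "overlong" forms that the UTF-8 specification forbids but that a lenient decoder will still turn into the same character. The following added example (not code from the original text) decodes byte strings the lenient way while reporting every overlong sequence, and contrasts that with Python's strict decoder, which rejects them. The request paths, file names and the "..\" signature are constructed for the example.

```python
def decode_lenient(data: bytes):
    """Decode UTF-8 the way a permissive server might: accept overlong encodings but
    report where they occurred. Returns (text, [(offset, length), ...]).
    Malformed bytes still raise ValueError."""
    i, out, overlong = 0, [], []
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            n, cp = 1, lead
        elif 0xC0 <= lead <= 0xDF:
            n, cp = 2, lead & 0x1F
        elif 0xE0 <= lead <= 0xEF:
            n, cp = 3, lead & 0x0F
        elif 0xF0 <= lead <= 0xF7:
            n, cp = 4, lead & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02x} at offset {i}")
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, n):
            cont = data[i + k]
            if cont & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte at offset {i + k}")
            cp = (cp << 6) | (cont & 0x3F)
        # Shortest form the code point could have used; anything longer is overlong.
        minimal = 1 if cp < 0x80 else 2 if cp < 0x800 else 3 if cp < 0x10000 else 4
        if n > minimal:
            overlong.append((i, n))
        out.append(chr(cp))
        i += n
    return "".join(out), overlong


def is_strict_utf8(data: bytes) -> bool:
    """Python's decoder rejects overlong forms, as an IDS (and a server) should."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed signature: a backslash-based path traversal fragment.
SIGNATURE = "..\\"


def inspect_request(path: bytes) -> dict:
    """Normalize first, then match: the signature is checked against the decoded text,
    and the presence of overlong sequences is reported as a finding of its own."""
    text, overlong = decode_lenient(path)
    return {"matches": SIGNATURE in text,
            "overlong_count": len(overlong),
            "strict_utf8": is_strict_utf8(path)}


# The same constructed request path with "\" written three different ways.
CONSTRUCTED = {
    "plain": b"/images/..\x5c../private.txt",
    "overlong2": b"/images/..\xc1\x9c../private.txt",
    "overlong3": b"/images/..\xe0\x81\x9c../private.txt",
}

if __name__ == "__main__":
    for name, raw in CONSTRUCTED.items():
        print(name, inspect_request(raw))
```

The point for signature writers is that matching must happen after the same decoding the target applies, and that an overlong sequence is itself worth an alert: well-formed clients never produce one, so its presence is a stronger indicator than any particular signature.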
Fragmentation attack
The fragmentation reassembly timeout of the victim is more than the IDS fragmentation reassembly timeout. Suppose 15 seconds is the IDS fragmentation reassembly timeout and the system is monitoring Linux hosts. Linux hosts have a default fragmentation reassembly timeout of 30 seconds. The attacker can send the second fragment with a delay of 15 seconds but still within 30 seconds after sending the first fragment. Now, the victim reassembles the fragments. At the IDS, the fragmentation reassembly timeout parameter kicks in and a timeout takes place. As the IDS has already lost the first fragment due to time out, the second fragment received by the IDS will be dropped. Hence, the victim will reassemble the fragments and will be attacked, whereas the IDS will not make any noise or produce alerts.
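The timing described above, reproduced as an added simulation (not code from the original text): a minimal fragment reassembler with a configurable timeout is instantiated twice, once with the 15-second IDS value and once with the 30-second Linux value, and both are fed the same two constructed fragments separated by a gap that falls between the two timeouts. The datagram contents and the 20-second gap are constructed for the example; the page's own numbers are the two timeouts.

```python
class Reassembler:
    """Minimal IP fragment reassembler with a per-datagram timeout.
    Fragments are (datagram_id, offset, data, more_fragments, arrival_time)."""

    def __init__(self, name: str, timeout: float):
        self.name = name
        self.timeout = timeout
        self.pending = {}      # datagram id -> {"first_seen", "parts", "end"}
        self.completed = []    # reassembled payloads, in order

    def receive(self, dgram_id, offset, data, more, now):
        entry = self.pending.get(dgram_id)
        if entry and now - entry["first_seen"] > self.timeout:
            # Timer expired: the earlier fragments are discarded and forgotten.
            del self.pending[dgram_id]
            entry = None
        if entry is None:
            entry = self.pending[dgram_id] = {"first_seen": now, "parts": {}, "end": None}
        entry["parts"][offset] = data
        if not more:
            entry["end"] = offset + len(data)
        return self._try_complete(dgram_id, entry)

    def _try_complete(self, dgram_id, entry):
        pos, chunks = 0, []
        for off in sorted(entry["parts"]):          # must be contiguous from offset 0
            if off != pos:
                return None
            chunks.append(entry["parts"][off])
            pos += len(entry["parts"][off])
        if entry["end"] is not None and pos == entry["end"]:
            del self.pending[dgram_id]
            payload = b"".join(chunks)
            self.completed.append(payload)
            return payload
        return None


def simulate(ids_timeout=15.0, host_timeout=30.0, gap=20.0):
    """Feed the same two fragments to an IDS and to a host with different timeouts.
    The gap between fragments is chosen between the two timeouts, as in the text."""
    ids = Reassembler("IDS", ids_timeout)
    host = Reassembler("Linux host", host_timeout)
    # Constructed datagram split in two; the second fragment carries a marker string.
    fragments = [(1, 0, b"GET /cgi-bin/", True, 0.0),
                 (1, 13, b"[attack]", False, gap)]
    for frag in fragments:
        ids.receive(*frag)
        host.receive(*frag)
    return {"ids_saw": ids.completed, "host_saw": host.completed}


if __name__ == "__main__":
    print(simulate())                   # host reassembles, IDS never does
    print(simulate(ids_timeout=30.0))   # timeouts aligned: both reassemble
```

The second call is the mitigation: the IDS's reassembly timeout (and, ideally, its overlap policy) should be set to match the operating system of the hosts it protects, which is what per-target reassembly policies in modern sensors are for.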
IP address spoofing
The attacker can use IP address spoofing to gain an unauthorized access to a computer or network. In this attack, the attacker spoofs the IP address of the machine and makes it appear that the messages are coming from a trusted machine. The attacker modifies the address information in the IP packet header and the source address bit field in order to bypass the firewall.
Suppose there are three hosts named HostA, HostB, and HostC. HostC is a trusted machine of HostB. HostA wants to send some packets to HostB. HostA changes the IP addresses of these packets to impersonate itself to be HostC. HostB thinks that these packets are sent from HostC, but in reality they are sent from HostA.
Time-to-live attacks
In time-to-live attacks, an attacker is required to have prior knowledge of the topology of the victim's network. Tools such as traceroute can be used to obtain this information. A traceroute gives the number of routers between the attacker and the victim. The attacker is assumed to know of the router present between the IDS and the victim. He breaks the attack data into three fragments. The attacker sends fragment 1 with a large TTL value, and both the IDS and the victim receive it. The attacker then sends a second fragment (2') with a TTL value of 1 and a false payload. The IDS receives this fragment, but as the TTL is reduced to zero at the router, the router discards it and the victim never sees it. The attacker then sends fragment 3 with a valid TTL. This makes the IDS perform a TCP reassembly on fragments (1, 2', 3) and flush the stream, while the victim still waits for the second fragment. The attacker finally sends the real second fragment with a valid payload and a valid TTL. The IDS now has only fragment 2, as it has already performed a reassembly and the stream has been flushed. The victim performs a reassembly on fragments (1, 2, 3) and gets the attack.
Invalid RST packets
Checksums are used by the TCP protocol to ensure reliable communication. A checksum is added to every transmitted segment, and at the receiving end the checksum is checked. The packet is dropped at the receiving end when the checksum differs from the checksum that the receiving host expects. To end two-way communication, the TCP protocol also uses an RST packet. Attackers can use invalid RST packets to elude detection by sending RST packets with an invalid checksum. Sending RST packets with an invalid checksum causes the IDS to stop processing the stream, as the IDS thinks that the communication session has ended. The end host, however, verifies the checksum value and drops the packet if it is invalid. Some IDSs may stop reassembling the communication because they interpret this packet as an actual termination of the communication.
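The check the end host performs, and the IDS should perform, written out as an added example (not code from the original text): the TCP checksum is computed over the pseudo-header and segment as RFC 793 specifies, a segment can be built with a deliberately corrupted checksum, and a small stream-tracker decision shows the difference between a sensor that validates the checksum before honoring a RST and one that does not. Addresses, ports and sequence numbers are constructed values.

```python
import socket
import struct

RST, ACK = 0x04, 0x10


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Source, destination, zero byte, protocol 6, TCP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", corrupt=False):
    """Build a 20-byte-header TCP segment; corrupt=True makes the checksum field wrong."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    if corrupt:
        csum ^= 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src_ip, dst_ip, segment) -> bool:
    """A receiver's check: summing pseudo-header + segment (checksum included) gives zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def ids_handle(src_ip, dst_ip, segment, validate_checksum: bool) -> str:
    """Stream tracker decision. The end host always validates; a sensor that skips the
    check tears down its view of the stream on a RST the host would have discarded."""
    flags = segment[13]
    if flags & RST:
        if validate_checksum and not checksum_ok(src_ip, dst_ip, segment):
            return "ignored: bad checksum"
        return "stream closed"
    return "data tracked"


if __name__ == "__main__":
    src, dst = "10.0.0.1", "10.0.0.2"          # constructed addresses
    bad_rst = build_tcp(src, dst, 40000, 80, 1000, 2000, RST | ACK, corrupt=True)
    print("naive sensor:", ids_handle(src, dst, bad_rst, validate_checksum=False))
    print("host/strict sensor:", ids_handle(src, dst, bad_rst, validate_checksum=True))
```

The defensive rule is simply that the sensor must apply the same acceptance tests as the host before changing its state: a segment the host will discard must not be allowed to close, open or resequence the sensor's view of a stream.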
Urgency flag
The urgency flag is used within the TCP protocol for marking data as urgent. TCP uses an urgency pointer. The urgency pointer points to the beginning of urgent data within a packet. When the urgency flag is set, the following occurs:
- All data before the urgency pointer is ignored.
- The data to which the urgency pointer points is processed.
Attackers can place garbage data before the urgency pointer, and the IDS reads that data without considering the end host's urgency flag handling. This implies that the IDS has more data than can be actually processed by the end host. Attackers can evade IDSs when IDSs do not take into account the TCP protocol's urgency feature.
ASCII shellcode
ASCII shellcode includes only characters contained within the ASCII standard. It allows attackers to bypass commonly enforced character restrictions within string input code. Attackers also use ASCII shellcode to bypass IDS pattern-matching signatures, as strings are hidden within the shellcode in a similar fashion to polymorphic shellcode. As not all assembly instructions can be converted directly to ASCII values, using ASCII for shellcode limits what the shellcode can do under some circumstances. Other instructions, or combinations of instructions, that convert to an ASCII character representation can be used to bypass this restriction.
Application-layer attack
Some form of compression is employed in many applications that deal with media such as images, video, and audio, to send the data in a form much smaller than the original. This increases data transfer speed. When a flaw is found in one of these applications, the entire attack can take place within the compressed data, and the IDS has no way to check the compressed file format for signatures. Many IDSs look for particular conditions that lead to an attack. There are times when the attack can take many different forms. For example, several different integer values can be used to exploit integer overflow vulnerabilities.
Desynchronization - pre connection SYN
The desynchronization - pre connection SYN attack calls bind in order to get the kernel to assign a local port to the socket before calling connect. In this attack, an initial SYN is sent before the real connection with an invalid TCP checksum. This attack will synchronize the sniffer/IDS to a bogus sequence number before the real connection takes place if the sniffer ignores subsequent SYNs in a connection and does not check the TCP checksum.
Desynchronization - post connection SYN
In desynchronization - post connection SYN, the attacker tries to desynchronize the IDS from the actual sequence numbers that the kernel is honoring. A post connection SYN packet is sent in the data stream; it has divergent sequence numbers but otherwise meets all the important criteria to be accepted by the target. As this SYN packet references an already established connection, the target host ignores it.
The aim of the desynchronization - post connection SYN attack is to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet. As the IDS will then be awaiting a different sequence number, it ignores the data that is a legitimate part of the original stream. Once the attacker has succeeded in resynchronizing the IDS with a SYN packet, an RST packet with the new sequence number is sent to close down the IDS's notion of the connection.
Encryption
The most effective evasion attack occurs when the attacker has already established an encrypted session with the victim.
Flooding
The true attack traffic may go undetected when the attacker sends loads of unnecessary traffic to produce noise and if the IDS does not analyze the noise traffic.
Session token generation
The sender of the packets uses the session token generation mechanism to designate the route that a packet should take through the network. As the packets travel through the nodes in the network, each router checks the IP address of the destination and selects the next node to forward the packets to. Source routing allows a sender of a packet to partially or completely specify the route the packet takes through the network.
Tiny fragment
The tiny fragment attack involves sending an IP packet whose first fragment is so small that it includes only the source and destination port information for TCP, not the TCP flags. If the access lists are established to drop or permit packets on the basis of TCP flags, the first fragment cannot be tested for this information.
As most network devices do not perform reassembly of packets that pass through them, they do not check the remaining fragments and allow them to pass through. In this way, an attacker can get an illegitimate packet through to an end host via these devices.
Bypass blocked sites using the IP address in place of URL
Bypassing blocked sites using the IP address in place of the URL involves typing the IP address directly into the browser's address bar instead of typing the blocked Website's domain name. For example, instead of typing www.facebook.com, type its IP address to access Facebook. Host2ip can be used to determine the IP address of the blocked Website. This method cannot be used to unblock or access the Website if the blocking software can track the IP address sent to the Web server.
Bypass blocked sites using anonymous Website surfing sites
Many Websites around the net enable a user to surf the Internet anonymously. Some Websites have options for encrypting the URLs of the Websites. The proxy Websites show another IP address and hide the actual IP address. All proxy sites maintain a list of currently active proxy sites which enable users to browse the Web anonymously. This can prevent the Website from being blocked, thus permitting access to users.
Proxy servers useful in unblocking the blocked Websites
The following are some proxy servers that are useful in unblocking the blocked Websites:
- http://www.anonymizer.com
- http://anonymouse.com
- http://proxify.com
- http://bumsk.com
- http://dailybestlinks.com
- http://www.spysurfing.com
- http://alienproxy.com
- http://indianproxy.com
Bypass a firewall using a proxy server
The following steps should be taken to bypass a firewall using a proxy server:
- Find an appropriate proxy server.
- On the Tools menu of the Internet browser, go to the LAN/Network Connections tab and click LAN/Network Settings.
- Select "Use a proxy server for LAN" under Proxy server settings.
- Type the IP address of the proxy server in the Address box.
- In the Port box, type the port number that is used by the proxy server for client connections.
- Select the "Bypass proxy server for local addresses" checkbox if you do not want the proxy server to be used when connecting to a computer on the local network.
- To close the LAN Settings dialog box, click OK.
- To close the Internet Options dialog box, click OK.
Bypassing a firewall through the ICMP tunneling method
Bypassing a firewall through the ICMP tunneling method permits tunneling a backdoor shell in the data portion of ICMP echo packets. RFC 792 delineates ICMP operation. It does not specify what should go in the data portion; the payload portion is arbitrary. Most firewalls do not examine the payload portion. Hence, any data can be inserted in the payload portion of the ICMP packet, including a backdoor application. Keeping ICMP open on firewalls is useful for tools such as ping and traceroute. Loki ICMP tunneling is used to execute commands of choice when it is assumed that ICMP is allowed through a firewall. Loki executes commands of choice by tunneling them inside the payload of ICMP echo packets.
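Since the firewall passes the echo payload untouched, detection has to look at what the payload contains. The following added example (not code from the original text or from any tool named above) parses ICMP echo packets and flags those whose data portion is not a recognised ping fill pattern, looks like text, is oversized, or keeps changing within one echo identifier. The fill patterns are modelled on common ping clients (an 8-byte timestamp followed by bytes counting up from 0x10, and a fixed alphabet string) but are constructed here, as are the packets; checksums are left at zero because the example never puts them on the wire.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Constructed fill pattern modelled on Windows ping (32 bytes of alphabet).
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def linux_fill(count: int) -> bytes:
    """Incrementing bytes from 0x10, modelled on the Linux ping data portion after its timestamp."""
    return bytes((0x10 + i) & 0xFF for i in range(count))


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ECHO_REQUEST) -> bytes:
    """ICMP header (type, code, checksum, id, seq) + payload; checksum left zero here."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def looks_like_ping(payload: bytes) -> bool:
    """True when the payload matches one of the known client fill patterns."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) >= 16 and payload[8:] == linux_fill(len(payload) - 8)


def assess_stream(packets) -> list:
    """Flag echo packets whose data portion is not a ping fill pattern, is text-like,
    is oversized, or changes from packet to packet within the same echo identifier."""
    tails_by_id = {}
    findings = []
    for pkt in packets:
        p = parse_icmp(pkt)
        if p["type"] not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        payload, reasons = p["payload"], []
        if not looks_like_ping(payload):
            reasons.append("non-standard echo payload")
            printable = sum(32 <= b < 127 for b in payload) / max(len(payload), 1)
            if printable > 0.9:
                reasons.append("text-like payload")
        if len(payload) > 64:
            reasons.append("oversized echo payload")
        tails = tails_by_id.setdefault(p["id"], set())
        tails.add(payload[8:])            # skip the timestamp bytes a real ping varies
        if len(tails) > 1:
            reasons.append("payload varies within one echo id")
        findings.append({"id": p["id"], "seq": p["seq"], "reasons": reasons})
    return findings


# Constructed traffic: two Linux-style pings, one Windows-style ping, then two packets
# carrying arbitrary text in the data portion under a single identifier.
CONSTRUCTED_PACKETS = [
    build_echo(0x1234, 1, struct.pack("!Q", 1700000000) + linux_fill(48)),
    build_echo(0x1234, 2, struct.pack("!Q", 1700000001) + linux_fill(48)),
    build_echo(0x0001, 1, WINDOWS_PATTERN),
    build_echo(0xBEEF, 1, b"constructed tunnel data 1\n"),
    build_echo(0xBEEF, 2, b"constructed tunnel data 2\n"),
]

if __name__ == "__main__":
    for finding in assess_stream(CONSTRUCTED_PACKETS):
        print(finding)
```

None of these checks is conclusive on its own (some legitimate tools do vary their echo payloads), which is why the example reports reasons rather than a verdict; the stronger control remains the one implied by the text, restricting or rate-limiting echo traffic at the perimeter rather than trusting the payload to be harmless.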
Bypassing a firewall through the ACK tunneling method
Bypassing a firewall through the ACK tunneling method permits tunneling a backdoor application in TCP packets with the ACK bit set. The ACK bit is used for acknowledging the receipt of a packet. As ACK bits are supposed to be used in response to legitimate traffic that is already being allowed through, some firewalls do not check packets with the ACK bit set. ACK tunneling can be implemented using tools such as AckCmd.
Bypassing a firewall through the HTTP tunneling method
Bypassing a firewall through the HTTP tunneling method can be implemented if the target company has a public Web server with port 80 used for HTTP traffic that is unfiltered on its firewall. The payload of an HTTP packet is not examined by many firewalls in order to confirm that it is legitimate HTTP traffic. Hence, traffic can be tunneled inside TCP port 80 as it is already allowed. This technique of tunneling traffic across TCP port 80 is used by tools such as HTTPTunnel. HTTPTunnel is a client/server application. The client application is known as htc. The server is hts. The server should be uploaded onto the target system and it should be told which port is redirected through TCP port 80.
Bypassing a firewall through external systems
Bypassing a firewall through external systems includes the following steps:
- A legitimate user works with some external systems in order to access the corporate network.
- An attacker steals the session ID and cookies after sniffing the network traffic.
- The attacker accesses the corporate network by bypassing the firewall and gets the window ID of the running Netscape 4.x/Mozilla process on the user's system.
- The attacker issues an openURL() command to the found window.
- The user's Web browser connects to the attacker's WWW server.
- The attacker inserts a malicious payload into the requested Web page. Hence, the attacker's code gets executed on the user's machine.
Bypassing a firewall through the MITM attack
Bypassing a firewall through the MITM attack includes the following steps:
- An attacker performs DNS server poisoning.
- User 1 requests www.ucertify.com from the corporate DNS server.
- The corporate DNS server sends the IP address of the attacker.
- User 1 accesses the attacker's malicious server.
- The attacker connects with the real host and tunnels the user's HTTP traffic.
- The attacker inserts a malicious payload into the requested Web page. Hence, the attacker's code gets executed on the user's machine.
Insertion attack
In an insertion attack, an IDS accepts a packet and assumes that the host computer will also accept it. In reality, however, the host system rejects the packet, while the IDS accepts the attacking string that will exploit vulnerabilities in the IDS. Such attacks can badly affect IDS signatures and IDS signature analysis.
The insertion attack takes place when the NIDS is less strict than the host in processing packets. The insertion attack is used to defeat signature analysis: the request is sent, but its content is hidden from the IDS with additional data. This makes the request appear harmless.
Polymorphic shell code attack
In a polymorphic shell code attack, the attacker sends malicious data which continuously changes its signature. The signature is changed by the attacking payload sent by the attacker. Since the new signature of the data does not match the old signature entered into the IDS signature database, the IDS becomes unable to point out the malicious data. Such data can harm the network as well as the IDS.
ADMutate
ADMutate is an online tool that performs polymorphic shell code attacks. It generates a buffer overflow exploit by transforming an