16. 1 Understand Intrusion Detection Systems (ids)



Download 128.86 Kb.
Page3/3
Date31.01.2017
Size128.86 Kb.
#12828
1   2   3
attack shell code so that the new attack shell code cannot be recognized by any Intrusion Detection Systems. When the transformed code arrives at the server, it reassembles itself and executes as an attacking code.

 

Detect honeypots



Attackers can probe the services running on the system to determine the presence of honeypots. Attackers craft malicious probe to scan for the following services:

  • HTTP over SSL (HTTPS)

  • SMTP over SSL (SMPTS)

  • IMAP over SSL (IMAPS)

Send-safe Honeypot, Hunter, Nessus, and Hping are tools that can be used to probe honeypots. The presence of a honeypot is indicated by ports that show a particular service running but deny a three-way handshake connection.

 

Send-Safe Honeypot Hunter



Send-Safe Honeypot Hunter is a tool used to check list of HTTPS and SOCKS proxies for honeypots. The following are features of Send-Safe Honeypot Hunter:

  • It is used to check lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports.

  • It is used to check several remote or local proxylists at once.

  • It can upload "Valid proxies" and "All except honeypots" files to FTP.

  • It can process proxylists automatically at every specified period of time.

  • It may be used for validating of usual proxylist.

 

tcp-over-dns

tcp-over-dns includes a special dns server and a special dns client. The client and server operate in tandem in order to provide a TCP and tunnel through the standard DNS protocol.

 

16.5 Identify firewall evading tools



Exam Focus: Identify firewall evading tools. Objective includes:

  • Identify firewall evading tools.

  • Analyze a firewall and IDS penetration testing.

 

Firewall evasion tools

The following are firewall evasion tools:


  • Snare Agent

  • Atelier Web Firewall Tester

  • AckCmd

  • Tomahawk

  • Your Freedom

  • TCPOpera

  • Covert TCP

  • Traffic IQ Gateway

 

Packet fragment generators

The following are packet fragment generators:


  • Blast

  • MGEN Toolset

  • Ettercap

  • Net::RawIP

  • hping2

  • SING

  • Libnet

  • Nconvert

 

Fragroute

Fragroute is a tool that is used to fragment packets before transmission. It can intercept, modify, or rewrite traffic that is destined for any specific host and can be used to perform attacks such as fragmentation, overlap, overwrite, etc. This tool is used for testing vulnerability in IDSs and firewalls. It is also used by attackers for evading an IDS since, in most of the cases, fragmented packets can bypass IDSs and firewalls.

 

Countermeasures taken while using an IDS and a firewall



The following countermeasures are taken while using an IDS and a firewall:

  • A switch port interface associated with a system from which attacks are being launched should be administratively shut down.

  • In order to defend against the polymorphic shellcode problem, look for the nop opcode other than 0x90.

  • Bifurcating analysis should be performed. In this analysis, the monitor deals with ambiguous traffic streams. The monitor instantiates separate analysis threads for each possible interpretation of the ambiguous traffic.

  • Security vulnerability awareness should be maintained as soon as possible, and the IDS should be wisely chosen on the basis of the network topology and network traffic received.

  • TCP RST packets should be generated to tear down malicious TCP sessions. Any of several available ICMP error code packets should be issued in response to malicious UDP traffic.

  • You should interact with the external firewall or router in order to add a general rule for blocking all communication from individual IP addresses or entire networks.

  • A traffic normalizer should be implemented.

  • You should ensure that IDSs normalize fragmented packets and permit those packets to be reassembled in the proper order. This enables the IDS to look at the information just as the end host will see it.

  • The IDS system and firewall software should be regularly updated.

  • The TTL value should be changed to a large value. This ensures that the end host always receives the packets. In such a case, attackers cannot slip information to the IDS. As a result, the data never reaches the host and leaves the end host with the malicious payload.

 

Firewall/IDS penetration testing

Firewall/IDS penetration testing is needed due to the following reasons:


  • Checking if the firewall/IDS properly enforces the firewall/IDS policy of the organization

  • Checking if the firewall/IDS and components within the network properly enforces the network security policy of the organization

  • Determining how well the firewall/IDS provides protection against externally initiated attacks

  • Checking the effectiveness of the network's security perimeter

  • Checking how much information about a network is available from outside a network

  • Checking the firewall/IDS for potential breaches of security that can be exploited

  • Evaluating the correspondence of firewall/IDS rules with respect to the actions performed by them

  • Verifying whether the security policy is correctly enforced by a sequence of firewall/IDS rules or not

 

Firewall penetration testing

Take the following steps for firewall penetration testing:


  1. Gain unauthorized access to a computer or a network by performing IP address spoofing.

  2. Perform a fragmentation attack in order to force the TCP header information into the next fragment to bypass the firewall.

  3. Use proxy servers that block the actual IP address and display another thereby allowing access to the blocked Website.

  4. Perform ICMP tunneling in order to tunnel a backdoor application in the data portion of ICMP echo packets.

  5. Perform ACK tunneling using tools such as AckCmd to tunnel backdoor application with TCP packets with the ACK bit set.

 

IDS penetration testing

Take the following steps for IDS penetration testing:


  1. Encode attack packets that the IDS will not detect but an IIS Web server will decode and become attacked by using the obfuscating technique.

  2. Use a false positive generation technique in order to create a good deal of log noise to blend real attacks with the false.

  3. Perform the session splicing technique to stop the IDS by keeping the session active longer than the IDS will spend on reassembling it.

  4. Perform the Unicode evasion technique in order to evade IDS as it is possible to have multiple representations of a single character.

  5. Perform the fragmentation attack with the IDS fragmentation reassembly timeout less and more than that of the victim.

  6. Perform the overlapping fragment technique in order to craft a series of packets with TCP sequence numbers.

  7. Perform the invalid RST packets technique in order to evade detection by sending RST packets with an invalid checksum that causes an IDS to stop processing the stream.

  8. Perform the urgency flag evasion technique in order to evade IDSs as some IDSs do not consider the TCP protocol's urgency feature.

  9. Perform the polymorphic shellcode technique in order to hide the shellcode by encrypting it in a simplistic form.

  10. Perform the ASCII shellcode technique in order to bypass IDS pattern matching signatures as strings are hidden within the shellcode as in a polymorphic shellcode.

  11. Perform application layer attacks as many IDSs will have no way to check the compressed file format for signatures.

  12. Set up an encrypted session with the victim or send loads of unnecessary traffic to produce noise that cannot be analyzed by the IDS.

 

Chapter Summary

In this chapter, we learned about Intrusion Detection Systems, ways to detect an intrusion, and various types of Intrusion Detection Systems. This chapter focused on firewalls, types of firewalls, honeypots, and types of honeypots. This chapter also covered firewall evading tools and firewall and IDS penetration testing.

Glossary


 

ADMutate

ADMutate is an online tool used to perform polymorphic shell code attacks" with An online tool to perform polymorphic shell code attacks.

 

Demilitarized zone



A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes external services of an organization to a larger network, usually the Internet.

 

Evasion attack



An evasion attack is one in which an IDS rejects a malicious packet but the host computer accepts it.

 

Firewall



A firewall is a combination of software and hardware that prevents data packets from coming in or going out of a specified network or computer.

 

Fragroute



Fragroute is a tool used for fragmenting packets before transmission.

 

HIDS



A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces.

 

Honeypot



A honeypot is used to gain information about the intruders and their attack strategies.

 

Intrusion Detection System



An Intrusion Detection System (IDS) is used to detect unauthorized attempts at accessing and manipulating computer systems locally, through the Internet or through an intranet.

 

KFSensor



KFSensor is a Windows-based honeypot Intrusion Detection System.

 

NIDS



A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity, such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

 

PIDS



A protocol-based intrusion detection system (PIDS) is an intrusion detection system, which is typically installed on a Web server, and is used in the monitoring and analysis of the protocol in use by the computing system.

 

Snorts



Snort is a sniffer tool that operates as a network sniffer. It logs the activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

 

Stateful firewall



A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it.

 

Tripwire



Tripwire is a System Integrity Verifier (SIV) that is used to monitor files and detect changes made by an intruder.
Download 128.86 Kb.

Share with your friends:
1   2   3




The database is protected by copyright ©ininet.org 2024
send message

    Main page