Transcript
Page 1: Harden Security Devices Against Increasingly Sophisticated Evasions

Harden Security Devices Against Increasingly Sophisticated Evasions

BreakingPoint Webcast Wednesday

December 16, 2009

Page 2

www.breakingpointlabs.com

Introductions/Agenda

• BreakingPoint speakers:
  – Dennis Cox, CTO
  – Todd Manning, Protocol & Security Researcher
  – Dustin D. Trammell, Protocol & Security Researcher

• Quick Glance Agenda:
  – Evasions Overview
  – Evasions in Layer 3, 4, 5, 7 and more
  – Latest evasion techniques
  – How to validate you are protected
  – BreakingPoint Five Keys

Page 3

Evasion Technique Introduction

• What Is An Evasion?
  – Legitimate permutation of data
    • Data remains valid
    • Data looks different
  – Attempt at bypassing detection or filters
    • Data representation not recognized or understood by the monitoring entity
    • Cause the monitor to revert to a less scrutinizing state
    • Transport of data in a state that is not observable by the monitor

Page 4

Where are Evasions Used?

• Everywhere!
  – Layer 3: IP
  – Layer 4: TCP
  – Layer 5: DCERPC, SunRPC, SIP
  – Layer 7: HTTP, SMTP, POP3, FTP
  – Content: HTML, OLE, command lines (Windows & UNIX), exploit shellcode

Page 5

Layer 3: IP Evasions

• FragEvasion
  – IP fragmentation
  – Four IP fragmentation methods available:
    • Overlapping end fragments, favoring either old or new data
    • Overlapping all fragments, favoring either old or new data

• FragOrder
  – Change the order in which fragments are sent
  – Three behavior options:
    • Normal order
    • Reverse order
    • Randomize order

Page 6

Layer 4: TCP Evasions

• SegmentOrder
  – Change the order in which segments are sent
  – Three behavior options:
    • Normal order
    • Reverse order
    • Randomize order

• SkipHandShake
  – Skip the three-way handshake for all connections
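The defender's side of the Layer 3 and Layer 4 ordering and overlap evasions on the slides is reassembly: an inspection device must rebuild the datagram or stream the way the protected host does, and an overlap whose bytes disagree is worth an alert by itself. Added example in Python, not BreakingPoint's code; the fragment lists and the "favor" policy names are constructed for illustration.

```python
# Added example (not BreakingPoint code): rebuild a datagram from IP-style fragments
# given as (offset, payload) pairs, independent of arrival order, and record every
# overlapping byte on which two fragments disagree. The "favor" policy mirrors the
# slides' "favoring either old or new data"; a real inspection device must use the
# policy of the host it protects, and should alert whenever the result depends on it.
from dataclasses import dataclass, field


@dataclass
class Reassembly:
    data: bytes = b""
    complete: bool = False        # True when no hole remains from offset 0 to the end
    conflicts: list = field(default_factory=list)   # (offset, kept_byte, discarded_byte)


def reassemble(fragments, favor="old"):
    """favor='old' keeps the first-seen byte on an overlap, favor='new' lets a later
    fragment overwrite it; the disagreement is recorded either way."""
    buf, seen, conflicts = bytearray(), bytearray(), []
    for offset, payload in fragments:
        end = offset + len(payload)
        if end > len(buf):                 # grow to the furthest byte seen so far
            buf.extend(b"\x00" * (end - len(buf)))
            seen.extend(b"\x00" * (end - len(seen)))
        for i, b in enumerate(payload):
            pos = offset + i
            if not seen[pos]:
                buf[pos], seen[pos] = b, 1
            elif buf[pos] != b:            # overlap with conflicting data
                if favor == "new":
                    conflicts.append((pos, b, buf[pos]))
                    buf[pos] = b
                else:
                    conflicts.append((pos, buf[pos], b))
    return Reassembly(bytes(buf), all(seen), conflicts)


def ambiguous(fragments):
    """True when what the host receives depends on its overlap policy: the classic
    fingerprint of an overlap evasion, worth an alert regardless of payload content."""
    frags = list(fragments)
    return reassemble(frags, "old").data != reassemble(frags, "new").data


# Constructed samples: a request split in two and sent in reverse order (FragOrder),
# and an end-fragment overlap whose bytes disagree (FragEvasion).
REVERSED = [(8, b"ex.html"), (0, b"GET /ind")]
OVERLAP = [(0, b"GET /AAAA"), (5, b"index")]
```

The same routine applies unchanged to TCP segments keyed by relative sequence number, which is why SegmentOrder and the fragment evasions are usually handled by one reassembly engine.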

Page 7

Layer 5: SIP Evasions

• CompactHeaders
  – Use compact header names instead of full-length header names
  – Example: “From: <user>” -> “f: <user>”

• PadHeadersLineBreak
  – Pad headers with line breaks
  – Example: ‘Authorization: Digest username=“user”, realm=“home”’ -> ‘Authorization: Digest \r\nusername=“user”, \r\nrealm=“home”’

• PadHeadersWhitespace
  – Pad headers with whitespace elements
  – Example: “From: <user>” -> “From:\t\t<user> ”

• RandomizeCase
  – Randomize the case of data which is case insensitive
  – Example: “From: <user>” -> “fROm: <UsEr>”

Page 8

Layer 7: Common Evasions

• PadCommandWhiteSpace
  – SMTP, POP3, FTP, commands (Windows, UNIX)
  – Inserts arbitrary whitespace between commands and their arguments
  – Examples:
    • SMTP: “HELO example.com” -> “HELO\t\t \t example.com”
    • FTP: “USER username” -> “USER \t \t\t username”
    • Commands: “rm -rf /” -> “rm\t \t -rf\t \t\t/”

• PadPathSlashes
  – Commands (Windows, UNIX)
  – Uses slashes to pad command path names
  – Examples:
    • Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd”

Page 9

Layer 7: HTTP Evasions

• Too many to list them all here…

• DirectorySelfReference
  – Convert all directories to self-referenced relative directories
  – Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt”

• EncodeHexRandom
  – Encode random parts of the URI in hex
  – Example: “GET /index.html” -> “GET /ind%65x.%68tml”

• ServerChunkedTransfer
  – Use “chunked” transfer-encoding to split up the server response

• ServerCompression
  – Use gzip to encode the server response

• EncodeUnicodeRandom
  – Encode random parts of the URI in wide Unicode (UTF-16)
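The PadCommandWhiteSpace and PadPathSlashes evasions on the previous slide and the DirectorySelfReference and EncodeHexRandom evasions above all share one mitigation: canonicalise the path or command line first, then match signatures against the canonical form. Added example in Python, not BreakingPoint's code; it also resolves ".." segments, which goes beyond the slide's examples but is what the receiving file system or web server does. Function names are constructed.

```python
# Added example (not BreakingPoint code): canonicalisation a detection engine can run
# on request lines and command lines before signature matching, using the slides'
# own evasion examples as inputs.
import re
from urllib.parse import unquote


def canonical_path(raw: str) -> str:
    """Canonicalise an absolute URI or file-system path: percent-decode
    (EncodeHexRandom), collapse runs of slashes (PadPathSlashes) and drop '.'
    segments (DirectorySelfReference). '..' is resolved too, as a server would."""
    segments = []
    for seg in re.split(r"/+", unquote(raw)):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def canonical_command(line: str) -> str:
    """Collapse PadCommandWhiteSpace padding between a verb (SMTP/FTP/POP3 or shell)
    and its arguments, and canonicalise any argument that is an absolute path."""
    tokens = [t for t in re.split(r"\s+", line.strip()) if t]
    return " ".join(canonical_path(t) if t.startswith("/") else t for t in tokens)


def canonical_request_line(line: str) -> str:
    """'GET /ind%65x.%68tml HTTP/1.1' -> 'GET /index.html HTTP/1.1'. The query string
    is left untouched so its own decoding rules can be applied separately."""
    method, target, *rest = line.split()
    path, sep, query = target.partition("?")
    return " ".join([method, canonical_path(path) + sep + query, *rest])
```

Matching a signature for "/etc/passwd" or "rm -rf /" against the canonical form makes the padded and encoded variants on the slides indistinguishable from the plain request, which is the property the "Test, Test, Test" slide later asks you to verify on your own devices.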

Page 10

Content Evasions

• HTML Evasions: HTMLUnicodeEncoding
  – Encodes HTML in the selected flavor of Unicode:
    • UTF_7: 7-bit
    • UTF_8: 8-bit
    • UTF_16BE: 16-bit big-endian
    • UTF_16LE: 16-bit little-endian
    • UTF_32BE: 32-bit big-endian
    • UTF_32LE: 32-bit little-endian

• Shellcode Evasions: RandomNops
  – Uses random nop-equivalent sequences instead of actual no-op instructions
  – Example (ia32):
    • “\x90\x90\x90\x90\x90\x90\x90\x90” becomes “\x16\x2f\x5d\x55\x91\x06\x44\x0e”

Page 11

The Latest Evasion Techniques

• Latest and greatest
• 2010 forecast?

Page 12

Do Evasions Cause Damage?

Page 13

How To Validate You Are Protected

• Forward thinking
• Test, test, test
• Be realistic
• Be random
• Be consistent

Page 14

Properly Testing Using Evasions

Page 15

Enabling Evasions for BreakingPoint

• BreakingPoint methods
  – Attack Manager:
    • Attack Group Options - affects only the attack group selected
  – Security Test Component:
    • Parameters tab, Attack Profile setting - affects the entire test
    • Overrides tab - affects the entire test

• Order of precedence
  – Overrides
  – Group Options
  – Attack Profile

Page 16

The Five Keys BreakingPoint Provides

1. 80+ evasion techniques

2. Dedicated security team

3. New evasion techniques

4. Apply across 4,300+ attacks

5. Multi-layered evasions

Page 17

Q&A

Thank You!
