LPTv4 Module 22: IDS Penetration Testing (transcript)
ECSA/LPT
EC-Council Module XXII
IDS Penetration Testing
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Social Engineering Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Application Penetration Testing
Cont'd
EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Penetration TestingPenetration Testing Penetration TestingPenetration Testing
Penetration Testing Roadmap (cont’d)(cont d)
Cont’dPhysical S it
Database P i i
VoIP P i T iSecurity
Penetration Testing
Penetration testing Penetration Testing
Vi dVirus and Trojan
Detection
War Dialing VPN Penetration Testing
Log Management
Penetration Testing
File Integrity Checking
Blue Tooth and Hand held
Device Penetration Testing
Telecommunication And Broadband Communication
Email Security Penetration Testing
Security Patches
Data Leakage Penetration Testing
End Here
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Communication Penetration Testing
gPenetration Testing
Penetration Testing
What is an IDS?
An IDS is software or hardware that detects and logs inappropriate, incorrect, or anomalous activity.
IDSes are typically characterized based on the source of the data they monitor.
There are two types of IDS:
• Host-based: a host-based IDS uses system log files and other electronic audit data to identify suspicious activity.
• Network-based: a network-based IDS uses a sensor to monitor packets on the network to which it is attached.
Network IDS
A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port scans, or even attempts to crack into computers by monitoring network traffic.
Host-based IDS
A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent.
Host systems are more accurate than network-based IDS because they analyze the server's log files and not just network traffic patterns.
The host monitors the system and reports its activities to a centralized server.
They are expensive and resource intensive.
Application-based IDS
An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server).
An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects.
Multi-Layer Intrusion Detection Systems
mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine.
It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.
Multi-Layer Intrusion Detection System Benefits
Improves detection time
Increases situational awareness
Improves incident handling and analysis
Shortens response time
Decreases detection and reaction time
Decreases consumed employee time and increases system uptime
Provides a clear picture of what happened during an incident
Wireless Intrusion Detection Systems (WIDS)
WIDS monitor and evaluate user and system activities, identify known attacks, determine abnormal network activity, and detect policy violations for WLANs.
They check for potential weaknesses that damage WLAN security.
A WIDS detects the following:
• Rogue wireless APs.
• Man-in-the-middle attacks.
• DoS attacks.
• MAC spoofing.
• RF interference.
• Non-encrypted traffic.
It can also isolate an attacker's physical location.
IDS Testing Tool - IDS Informer
BLADE Software’s IDS Informer application safely tests the effectiveness of any intrusion detection (IDS) or intrusion prevention (IPS) system, in lab or production environments.
It takes only a few seconds to create and run tests in IDS Informer, and each test can contain any number of simulated attacks.
http://www.bladesoftware.net/
IDS Testing Tool - IDS Informer (cont'd)
• Replay pre-defined network traffic to validate policy compliance without putting production systems at risk
• Customize testing via rate of transmission (per attack and per packet), packet time-out, and expiration values
• Retransmit stateful attacks between two unique hosts from a single PC
• Spoof any source or destination IP address and port combination
• Spoof any source or destination MAC address
• Guarantee packet delivery
• Control packet expiration, timeout, and retries
IDS Informer: Screenshot
IDS Testing Tool - Evasion Gateway
Evasion Gateway applies known evasion techniques to circumvent firewalls, routers, and intrusion detection systems (IDS).
Evasion Gateway probes for a wide range of host-based vulnerabilities and validates network requirements such as the minimum acceptable packet fragmentation size.
Clear, concise results from these tests help administrators identify hidden and unexpected weaknesses and improve their overall security posture.
IDS Testing Tool - Evasion Gateway (cont'd)
Features:
• Bi-directional network-based evasion
• Fragmentation
• HTTP evasion
• URI encoding
• Random URI encoding (non-UTF8, random hex encoding)
Evasion Gateway: Screenshot
IDS Testing Tool - Firewall Informer
The Firewall Informer application actively tests the configuration and performance of any firewall or other packet-filtering device, including routers, switches, and gateways.
Unlike the passive approach of vulnerability assessment products, Firewall Informer uses BLADE Software's patent-pending S.A.F.E. (Simulated Attack For Evaluation) technology to actively and safely test security infrastructure with real-world exploits to determine whether devices are working according to security policy.
IDS Testing Tool - Firewall Informer (cont'd)
Features:
• Sends and receives packets without the need for protocols to be bound to the cards
• Customizes testing via rate of transmission (per attack or per packet), packet time-out and expiration values
• Retransmits stateful attacks between two unique hosts from one PC
• Spoofs any source or destination IP address and port combination
• Spoofs any source or destination MAC address
• Guarantees packet delivery
• Controls packet expiration, timeout, and retries
Firewall Informer: Screenshot
Traffic IQ Professional
Traffic IQ Professional enables security professionals to quickly and easily audit and validate the behavior of security devices by generating standard application traffic or attack traffic between two virtual machines.
The unique features and packet transmission capabilities of Traffic IQ Professional make the task of reliably auditing, validating, and proving security compliance quick to complete.
It can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet-filtering device, including:
• Application layer firewalls.
• Intrusion detection systems.
• Intrusion prevention systems.
• Routers and switches.
Traffic IQ Professional: Screenshot
IDS Testing Tool - OSSEC HIDS
OSSEC is a scalable, multi-platform, open source host-based intrusion detection system.
It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response.
OSSEC HIDS: Screenshot
Common Techniques Used to Evade IDS Systems
• Defeat pattern matching: signature-based IDSes look for fixed byte patterns in exploit code, so rewriting the exploit so that the expected pattern no longer appears evades the match.
• Use the Unicode evasion method, which allows viewing files on an IIS server while the request no longer matches the IDS signature.
• Find the central log server's IP address and crash it with a DoS attack.
• Send crafted packets in order to trigger alerts and breed a large number of false reports.
• Flood the network with noise traffic to exhaust the IDS's resources examining risk-free traffic.
IDS Penetration Testing Steps
Steps 1/2: Test for resource exhaustion / IDS by sending ARP flood
Steps 3/4: Test the IDS by MAC spoofing / IP spoofing
Steps 5/6: Test by sending a packet to the broadcast address / inconsistent packets
Steps 7/8: Test IP packet fragmentation / duplicate fragments
Steps 9/10: Test for overlapping fragments / ping of death
Steps 11/12: Test for odd sized packets / TTL evasion
Steps 13/14: Test by sending a packet to port 0 / UDP checksum
Steps 15/16: Test for TCP retransmissions / TCP flag manipulation
Step 17: Test TCP flags
Steps 18/19: Test the IDS by sending SYN floods / sequence number prediction
Step 20: Test for backscatter
Steps 21/22: Test the IDS with ICMP packets / IDS using covert channels
Step 23: Test using TCPReplay
Step 24: Test using TCPOpera
Step 25: Test using method matching
Step 26: Test the IDS using URL encoding
Step 27: Test the IDS using double slashes
Step 28: Test the IDS for reverse traversal
Step 29: Test for self-reference directories
Step 30: Test for premature request ending
Step 31: Test for IDS parameter hiding
Step 32: Test for HTTP misformatting
Step 33: Test for long URLs
Step 34: Test for DOS/Win directory syntax
Step 35: Test for null method processing
Step 36: Test for case sensitivity
Step 37: Test session splicing
Steps 1/2: Test for Resource Exhaustion / IDS by Sending ARP Flood
Test for resource exhaustion:
• IDSs are prone to resource exhaustion attacks.
• Every IDS system has memory, CPU, or bandwidth limitations.
• The IDS performance might degrade or fail if these resources are exhausted.
• Test by sending large amounts of traffic to the IDS system.
Test the IDS by sending an ARP flood:
• Flood the network by sending ARP packets.
• See how the IDS responds and reacts to this attack.
Steps 3/4: Test the IDS by MAC Spoofing / IP Spoofing
Test the IDS by MAC spoofing:
• Traffic can be disrupted on a network if two Ethernet adapters have exactly the same hardware (MAC, Media Access Control) addresses.
• Test the IDS by sending frames with spoofed MAC addresses.
Test the IDS by IP spoofing:
• Spoof the IP address to flood the IDS.
• Check the responses received.
Steps 5/6: Test by Sending a Packet to the Broadcast Address / Inconsistent Packets
Test by sending a packet to the broadcast address:
• Spoofed packets can also be used to cause an amplification effect if they are sent to a broadcast address.
Test by sending inconsistent packets:
• An IP header contains a 16-bit total packet length field, giving a maximum packet length of 65,535 bytes.
• The IHL field specifies the size of the header in 32-bit words.
• Logically, therefore, we would expect the data portion of the packet to be the difference between the values in these two fields. A packet whose fields disagree with each other, or with the number of bytes actually received, is inconsistent, and the IDS should flag it rather than guess which value to trust.
Steps 7/8: Test IP Packet Fragmentation / Duplicate Fragments
Test IP packet fragmentation:
• Every host must be able to handle a datagram of 68 bytes without further fragmentation (a header of up to 60 bytes plus the 8-byte minimum fragment).
• The minimum size of the IP header is 20 bytes, and the last fragment could be as small as 1 byte if the unfragmented payload size was 1 greater than a multiple of 8.
Test for duplicate fragments:
• If duplicate fragments are received with differing content, which fragment is saved? The first? The second? Should both be discarded?
Steps 9/10: Test for Overlapping Fragments / Ping of Death
Test for overlapping fragments:
• If a fragment is received whose contents partially overlap an already received fragment, should the new fragment's contents take precedence over the original fragment's contents? Stacks answer this differently, so an IDS that reassembles differently from the target host can be made to inspect a different payload than the one the host ends up with.
Test for the ping of death:
• A fragment offset can be given along with a packet size that causes the total reassembled packet length to be greater than the maximum of 65,535 bytes.
Steps 11/12: Test for Odd Sized Packets / TTL Evasion
Test for odd sized packets:
• It is highly suspicious if a fragment other than the last one has a data length that is not a multiple of 8, since fragment offsets are expressed in 8-byte units and packets are fragmented in multiples of 8.
Test for TTL evasion:
• Malicious hosts can use a combination of retransmission and TTL games to fool an IDS into believing that it has seen the traffic that a host has seen, when, in fact, the IDS could be mistaken: a segment sent with a TTL just large enough to reach the IDS but not the target host is inspected by the IDS and expires before the host ever sees it.
Steps 13/14: Test by Sending a Packet to Port 0 / UDP Checksum
Test by sending a packet to port 0:
• For both TCP and UDP, port 0 traffic is considered unusual, since it is officially a reserved port and shouldn't be used for any network communications. Any port 0 traffic is probably not legitimate, since the packets are probably generated synthetically.
Test for UDP checksum:
• The UDP checksum is only optionally computed over IPv4. If this 16-bit field is exactly 0, it signifies that the UDP checksum wasn't computed on transmission and shouldn't be checked upon reception.
• Any packets that have the UDP checksum turned off are questionable and may be subtle evasion attempts.
Steps 15/16: Test for TCP Retransmissions / TCP Flag Manipulation
Test for TCP retransmissions:
• TCP retransmits packets to introduce a level of reliability to the unreliable IP transport mechanism.
• If an IDS sees a retransmitted packet (with correct checksums) that has different contents than the original packet, it can assume either a buggy TCP/IP implementation or a malicious attack.
Test the IDS by TCP flag manipulation:
• Various TCP stacks react differently to illegal flag combinations.
• Try different combinations of TCP flags.
Step 17: Test TCP Flags
(none): A packet with no flags is neither Session Initiation (SYN), Midstream (ACK), nor Termination (FIN/RST). It is not part of any valid TCP transaction.
SYN/FIN: The flag combination indicates both Session Initiation (SYN) and Session Termination (FIN), an impossible condition.
SYN/RST: The flag combination indicates both Session Initiation (SYN) and Session Termination (RST), an impossible condition.
SYN/FIN/ACK: This flag combination indicates Session Initiation (SYN), Midstream (ACK), and Session Termination (FIN), an impossible condition.
SYN/RST/ACK: This flag combination indicates Session Initiation (SYN), Midstream (ACK), and Session Termination (RST), an impossible condition.
All Flags: Often called the Xmas Tree flag combination, this combines the problem of Initiation, Midstream, and Termination flags with the PSH and URG flags (which in themselves are valid).
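Step 17's table as executable rules, added here as an example that is not part of the module: a raw 20-byte TCP header is packed with struct, the six flag bits are read back out of it, and classify_flags applies exactly the combinations the slides call impossible (no flags, SYN with FIN, SYN with RST, and the all-flags Xmas tree); every other combination, including PSH and URG on their own, is accepted. Function names are mine and the headers are constructed, not captured.

```python
"""Steps 16/17: which TCP flag combinations can never occur in a valid exchange."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG
NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=8192):
    """Constructed 20-byte TCP header: data offset 5 words, no options, checksum 0."""
    offset_and_flags = (5 << 12) | (flags & ALL)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, window, 0, 0)


def flags_of(header):
    """Read the six flag bits back out of a raw header (bytes 12-13)."""
    return struct.unpack("!H", header[12:14])[0] & ALL


def flag_names(flags):
    return "/".join(name for bit, name in NAMES if flags & bit) or "none"


def classify_flags(flags):
    """None when the combination can occur in a valid TCP exchange, else why it cannot (Step 17)."""
    if flags == 0:
        return "no flags: neither initiation (SYN), midstream (ACK) nor termination (FIN/RST)"
    if flags == ALL:
        return "all flags (Xmas tree): initiation, midstream and termination set together"
    if flags & SYN and flags & FIN:
        return "SYN with FIN: initiation and termination in one segment"
    if flags & SYN and flags & RST:
        return "SYN with RST: initiation and termination in one segment"
    return None  # SYN, SYN/ACK, ACK, ACK/PSH, FIN/ACK, RST ... and PSH/URG by themselves


def illegal_combinations():
    """Every 6-bit flag setting the rules reject: the list to send in Step 16."""
    return [flags for flags in range(ALL + 1) if classify_flags(flags) is not None]


def audit_headers(headers):
    """(flag names, reason) for every raw header a sensor should alert on."""
    hits = []
    for header in headers:
        flags = flags_of(header)
        reason = classify_flags(flags)
        if reason is not None:
            hits.append((flag_names(flags), reason))
    return hits


if __name__ == "__main__":
    probes = [build_tcp_header(40000, 80, f) for f in (SYN, SYN | ACK, 0, SYN | FIN, SYN | RST | ACK, ALL)]
    for names, reason in audit_headers(probes):
        print(f"{names:24s} {reason}")
    print(len(illegal_combinations()), "of 64 combinations are illegal")
```

illegal_combinations() enumerates all 64 settings and returns the 25 the rules reject; that is the set to drive Step 16 with, sending each one and recording both which ones the sensor alerts on and which ones the target stack still answers, since the two lists rarely agree.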
Steps 18/19: Test the IDS by Sending SYN Floods / Sequence Number Prediction
Test the IDS by sending SYN floods:
• Many TCP implementations are vulnerable to a resource-exhaustion attack known as SYN flooding, in which excessive requests are made to create sessions, each of which ties up memory in the pending connection queue.
• If these SYN packets are spoofed from addresses that do not exist, the target's SYN/ACK is never answered (no final ACK, and no RST to clear the entry), and the pending connection queue will expand until it is full.
Test initial sequence number prediction:
• Many TCP services have easily predictable responses, and thus the byte count can be guessed with reasonable accuracy.
• The success of spoofing TCP connections, in these cases, would be predicated on the ease of predicting the initial sequence number used by the target host.
Step 20: Test for Backscatter
The term backscatter refers to the response SYN/ACK packets that a SYN-flooded host will send in response to receiving the SYN packets.
If the source address of the original SYN packet is spoofed, the SYN/ACKs will be sent to that spoofed address, which may use all the network bandwidth of the spoofed host or network.
Backscatter can easily be detected as a flood of SYN/ACK packets without an initial SYN being sent.
Steps 21/22: Test the IDS with ICMP Packets / IDS Using Covert Channels
Test the IDS with ICMP packets:
• ICMP packet spoofing can be used to create denial-of-service situations by falsely propagating error indications throughout the network.
Test the IDS using covert channels:
• A covert channel can be defined as a hidden communications mechanism.
• When a system has been compromised by other means, some hackers will use these covert channels in an attempt to hide their activities.
Step 23: Test Using TCPReplay
Test using TCPReplay:
• How does TCPReplay help test NIDS systems? It replays captured traffic onto the monitored segment at a chosen rate, so the sensor can be loaded in a controlled and repeatable way.
• Performance degrades as network traffic increases.
• Attacks are hidden by heavily loaded traffic.
Step 24: Test Using TCPOpera
TCPopera is a tool that extends TCPreplay by allowing users to define network conditions and play out traffic in a realistic environment where packets may be delayed or lost.
How would TCPopera aid in IDS testing?
• Does the IDS track TCP connection state?
• How well does the IDS perform under different network conditions (false positives!)?
• How does the IDS handle retransmitted packets?
TCPopera has the potential to quickly provide IDS testing environments with traffic that exhibits realistic TCP behavior.
Step 25: Test Using Method Matching
Many ID systems were failing because they assumed requests would use the GET method, so they looked for signatures of the following style:
• GET /cgi-bin/some.cgi
Use HEAD instead of GET requests to trick the IDS:
• HEAD /cgi-bin/some.cgi
An ID system that looks only for GET signatures will fail.
Step 26: Test the IDS Using URL Encoding
URL encoding replaces characters in the URL with their escaped equivalents.
The HTTP protocol specifies that arbitrary binary characters can be passed within the URL by using %xx notation, where 'xx' is the hex value of the character.
In theory, a raw IDS would fail, since the signature "cgi-bin" does not match the string "%63%67%69%2d%62%69%6e".
Step 27: Test the IDS Using Double Slashes
Replace every single '/' with '//'.
This will result in checks for "/cgi-bin/some.cgi" not matching "//cgi-bin//some.cgi".
However, most IDS (smart and raw) are aware of this trick and all derivatives of the trick using multiple (3+) slashes.
Smart ID systems tend to correctly interpret this (by logically combining all slashes into one).
Step 28: Test the IDS for Reverse Traversal
Break apart a signature, such as:
"/cgi-bin/some.cgi"
by using reverse traversal directory tricks:
• GET /cgi-bin/blahblah/../some.cgi HTTP/1.0
This equates to "/cgi-bin/some.cgi" once the directory traversal has been accounted for.
Most IDS can detect this technique.
Step 29: Test for Self-Reference Directories
The '..' means the parent directory.
'.' means the current directory.
So "c:\temp\.\.\.\.\.\" is equivalent to "c:\temp\" ("/tmp/./././././" being "/tmp/" for you Unix folk).
This technique will bypass raw ID systems from matching signatures like "/cgi-bin/phf".
Step 30: Test for Premature Request Ending
Some IDS systems stop looking after the "HTTP/1.0\r\n":
GET %20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
This translates to:
GET / HTTP/1.0\r\nHeader: /../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
Or:
GET / HTTP/1.0\r\nHeader: /../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n\r\n
This is also valid. The IDS will decode the encoding first and stop scanning at the fake 'premature' ending, rather than the real one.
Step 31: Test for IDS Parameter Hiding
IDS sometimes does not scan the data in the parameters.
Some IDS may stop processing once the '?' is reached, which indicates the rest of the data are parameters:
• GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0
This translates to:
• GET /index.htm?param=/../cgi-bin/some.cgi HTTP/1.0
Step 32: Test for HTTP Misformatting
Some IDS systems that implement minimal signatures depend on the trailing space for matching.
For example, matching "/phf" could lead to many false positives, but "/phf " (notice the trailing space) helps assure that the final requested page is closer to the actual 'phf' and not just starting with the letters 'phf'. A request that separates the URL from the protocol version with a tab, or with several spaces, instead of a single space will then no longer match that signature.
Step 33: Test for Long URLs
Some IDS only look within the first xx bytes of the request. Generally this works well, since the first line of the request needs to contain the URL.
However, we can exploit this by submitting a request along the lines of:
• GET /rfprfp<lots of characters>rfprfp/../cgi-bin/some.cgi HTTP/1.0
The key is to include enough characters to move the rest of the submitted request outside the scope of the ID system's scan limit.
Step 34: Test for DOS/Win Directory Syntax
Microsoft separates directories using '\', whereas Unix uses '/'.
Internally, IIS (as well as other DOS/Windows-based web servers) can still use '\' in web requests, since it is still valid as a directory separator: /cgi-bin/phf is the same as \cgi-bin/phf.
Step 35: Test for Null Method Processing
Many C string libraries use the NULL character to denote the end of the string.
Some IDS still use these libraries, and using NULLs to denote the end of strings is still quite common.
We can use this to our advantage with the following type of request:
• GET%00 /cgi-bin/some.cgi HTTP/1.0
Step 36: Test for Case Sensitivity
The DOS/Windows filesystem has a characteristic that Unix doesn't: filenames are case insensitive.
This means requests for "index.htm", "INDEX.HTM" and "Index.Htm" are all the same.
The signature "/cgi-bin/some.cgi" does not literally match "/CGI-BIN/SOME.CGI".
Step 37: Test Session Splicing
Many IDS systems only scan for a particular signature within the current packet; signatures are not split up and checked across multiple packets.
For example, the request "GET / HTTP/1.0" may be split across multiple packets to be "GE", "T ", "/", " H", "T", "TP", "/1", ".0".
Summary
The main feature of an Intrusion Detection System (IDS) is to monitor network activity on the host network/workstation and generate alerts when there is an intrusion.
For host-based systems, the most common detection mechanism is signature recognition.
A network-based Intrusion Detection System detects risk based on traffic patterns and the essential organization of the network. Attacks not detected by a host-based IDS can be detected using a network-based IDS.