lptv4 module 22 ids penetration testing_norestriction


Upload: mahmoud-eladawi

Post on 08-Nov-2014


Page 1: LPTv4 Module 22 IDS Penetration Testing_NoRestriction

ECSA/LPT

EC-Council Module XXII

IDS Penetration Testing

Penetration Testing Roadmap

Start Here

• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing

Cont’d

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont’d)

Cont’d

• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing

End Here

What is an IDS?

An IDS is software/hardware that detects and logs inappropriate, incorrect, or anomalous activity.

IDSes are typically characterized based on the source of the data they monitor.

There are 2 types of IDS:

• Host-based: A host-based IDS uses system log files and other electronic audit data to identify suspicious activity.

• Network-based: A network-based IDS uses a sensor to monitor packets on the network to which it is attached.

Network IDS

A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port-scans or even attempts to crack into computers by monitoring network traffic.

Host-based IDS

A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent.

Host-based systems are more accurate than network-based IDS because they analyze the server's log files and not just network traffic patterns.

The host monitors the system and reports its activities to a centralized server.

They are expensive and resource intensive.

Application-based IDS

An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server).

An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects.

Multi-Layer Intrusion Detection Systems

A multi-layer IDS (mIDS) integrates many layers of IDS technologies into a single monitoring and analysis engine.

It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.

Multi-Layer Intrusion Detection System Benefits

• Improves detection time
• Increases situational awareness
• Incident handling and analysis
• Shortens response time
• Decreases detection and reaction time
• Decreases consumed employee time and increases system uptime
• Provides a clear picture of what happened during an incident

Wireless Intrusion Detection Systems (WIDS)

WIDS monitor and evaluate user and system activities, identify known attacks, determine abnormal network activity, and detect policy violations for WLANs.

They check for potential weaknesses that damage WLAN security.

A WIDS detects the following:

• Rogue wireless APs.
• Man-in-the-middle attacks.
• DoS attacks.
• MAC spoofing.
• RF interference.
• Isolates an attacker's physical location.
• Identifies non-encrypted traffic.

IDS Testing Tool - IDS Informer

BLADE Software’s IDS Informer application safely tests the effectiveness of any intrusion detection (IDS) or intrusion prevention (IPS) system, in lab or production environments.

It takes only a few seconds to create and run tests in IDS Informer, and each test can contain any number of simulated attacks.

http://www.bladesoftware.net/

IDS Testing Tool - IDS Informer (cont’d)

• Replay pre-defined network traffic to validate policy compliance without putting production systems at risk
• Customize testing via rate of transmission (per attack and per packet), packet time-out, and expiration values
• Retransmit stateful attacks between two unique hosts from a single PC
• Spoof any source or destination IP address and port combination
• Spoof any source or destination MAC address
• Guarantee packet delivery
• Control packet expiration, timeout, and retries

IDS Informer: Screenshot

IDS Testing Tool - Evasion Gateway

Evasion Gateway applies known evasion techniques to circumvent firewalls, routers, and intrusion detection systems (IDS).

Evasion Gateway probes for a wide range of host-based vulnerabilities and validates network requirements such as minimum acceptable packet fragmentation size.

Clear, concise results from these tests help administrators identify hidden and unexpected weaknesses and improve overall security posture.

IDS Testing Tool - Evasion Gateway (cont’d)

Features:

• Bi-directional network based evasion
• Fragmentation
• HTTP Evasion
• URI Encoding
• Random URI encoding (non UTF8, random hex encoding)

Evasion Gateway: Screenshot

IDS Testing Tool - Firewall Informer

The Firewall Informer application actively tests the configuration and performance of any firewall or other packet-filtering device, including routers, switches, and gateways.

Unlike the passive approach of vulnerability assessment products, Firewall Informer uses BLADE Software’s patent-pending S.A.F.E. (Simulated Attack For Evaluation) technology to actively and safely test security infrastructure with real-world exploits to determine if devices are working according to security policy.

IDS Testing Tool - Firewall Informer (cont’d)

Features:

• Sends and receives packets without the need for protocols to be bound to the cards
• Customizes testing via rate of transmission (per attack or per packet), packet time-out, and expiration values
• Retransmits stateful attacks between two unique hosts from one PC
• Spoofs any source or destination IP address and port combination
• Spoofs any source or destination MAC address
• Guarantees packet delivery
• Controls packet expiration, timeout, and retries

Firewall Informer: Screenshot

Traffic IQ Professional

Traffic IQ Professional enables security professionals to quickly and easily audit and validate the behavior of security devices by generating standard application traffic or attack traffic between two virtual machines.

The unique features and packet transmission capabilities of Traffic IQ Professional make the task of reliably auditing, validating, and proving security compliance very easy and quick to complete.

It can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet-filtering device, including:

• Application layer firewalls.
• Intrusion detection systems.
• Intrusion prevention systems.
• Routers and switches.

Traffic IQ Professional: Screenshot

IDS Testing Tool - OSSEC HIDS

OSSEC is a scalable, multi-platform, open source host-based intrusion detection system.

It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response.

OSSEC HIDS: Screenshot

Common Techniques Used to Evade IDS Systems

• Try a pattern matching approach to identify potential attacks within the exploit code.
• Use the Unicode Evasion method that allows viewing files on the IIS server.
• Search for the central log server's IP address and crash the system using a DoS attack.
• Send crafted packets in order to trigger alerts and breed a large number of false reports.
• Flood the network with noise traffic to exhaust its resources examining risk-free traffic.

IDS Penetration Testing Steps

Steps 1/2: Test for resource exhaustion/ IDS by sending ARP flood

Steps 3/4: Test the IDS by MAC spoofing/ IP spoofing

Steps 5/6: Test by sending a packet to the broadcast address/ inconsistent packets

Steps 7/8: Test IP packet fragmentation/ duplicate fragments

Steps 9/10: Test for overlapping fragments/ ping of death

Steps 11/12: Test for odd sized packets/ TTL evasion

Steps 13/14: Test by sending a packet to port 0/ UDP checksum

Steps 15/16: Test for TCP retransmissions/ TCP flag manipulation

Step 17: Test TCP flags

IDS Penetration Testing Steps (cont’d)

Steps 18/19: Test the IDS by sending SYN floods/ sequence number prediction

Step 20: Test for backscatter

Steps 21/22: Test the IDS with ICMP packets/ IDS using covert channels

Step 23: Test using TCPReplay

Step 24: Test using TCPOpera

Step 25: Test using method matching

Step 26: Test the IDS using URL encoding

Step 27: Test the IDS using double slashes

Step 28: Test the IDS for reverse traversal

IDS Penetration Testing Steps (cont’d)

Step 29: Test for self-reference directories

Step 30: Test for premature request ending

Step 31: Test for IDS parameter hiding

Step 32: Test for HTTP misformatting

Step 33: Test for long URLs

Step 34: Test for DOS/Win directory syntax

Step 35: Test for null method processing

Step 36: Test for case sensitivity

Step 37: Test session splicing

Steps 1/2: Test for Resource Exhaustion/ IDS by Sending ARP Flood

Test for resource exhaustion:

• IDSs are prone to resource exhaustion attacks.
• Every IDS system has memory, CPU, or bandwidth limitations.
• The IDS performance might degrade or fail if these resources are exhausted.
• Test by sending large amounts of traffic to the IDS system.

Test the IDS by sending an ARP flood:

• Flood the network by sending ARP packets.
• See the IDS response and how it reacts to this attack.

Steps 3/4: Test the IDS by MAC Spoofing/ IP Spoofing

Test the IDS by MAC spoofing:

• Traffic can be disrupted on a network if two Ethernet adapters have exactly the same hardware (or MAC – Media Access Control) addresses.
• Test the IDS by sending spoofed MAC addresses.

Test the IDS by IP spoofing:

• Spoof the IP address to flood the IDS.
• Check the responses received.

Steps 5/6: Test by Sending a Packet to the Broadcast Address/ Inconsistent Packets

Test by sending a packet to the broadcast address:

• Spoofed packets can also be used to cause an amplification effect if they are sent to a broadcast address.

Test by sending inconsistent packets:

• An IP header contains a 16-bit total packet length field, giving a maximum packet length of 65,535 bytes.
• The IHL field specifies the size of the header in 32-bit words.
• Logically, therefore, we would expect the data portion of the packet to be the difference between the values in these two fields.

Steps 7/8: Test IP Packet Fragmentation/ Duplicate Fragments

Test IP packet fragmentation:

• All hosts must accept packets with a minimum length of 68 bytes.
• The minimum size of the IP header is 20 bytes, and the last fragment could be as small as 1 byte if the unfragmented packet size was 1 greater than a multiple of 8.

Test for duplicate fragments:

• If duplicate fragments are received with differing content, which fragment is saved? The first? The second? Should both be discarded?

Steps 9/10: Test for Overlapping Fragments/ Ping of Death

Test for overlapping fragments:

• If a fragment is received whose contents partially overlap an already received fragment, should the new packet’s contents take precedence over the original packet’s contents?

Test for the ping of death:

• A fragment offset can be given along with a packet size that causes the total packet length to be greater than the maximum of 65,535 bytes.

Steps 11/12: Test for Odd Sized Packets/ TTL Evasion

Test for odd sized packets:

• It is highly suspicious if a fragmented packet has a length that is not an even multiple of 8, since packets are fragmented in multiples of 8.

Test for TTL evasion:

• Malicious hosts can use a combination of retransmission and TTL games to fool an IDS into believing that it has seen the traffic that a host has seen, when, in fact, the IDS could be mistaken.

Steps 13/14: Test by Sending a Packet to Port 0/ UDP Checksum

Test by sending a packet to port 0:

• For both TCP and UDP, port 0 traffic is considered unusual, since it is officially a reserved port and shouldn’t be used for any network communications. Any port 0 traffic is probably not legitimate, since the packets are probably generated synthetically.

Test for UDP checksum:

• The UDP checksum is only optionally computed. If this 16-bit field is exactly 0, it signifies that the UDP checksum wasn’t computed on transmission and shouldn’t be checked upon reception.
• Any packets that have the UDP checksum turned off are questionable and may be subtle evasion attempts.

Steps 15/16: Test for TCP Retransmissions/ TCP Flag Manipulation

Test for TCP retransmissions:

• TCP retransmits packets to introduce a level of reliability to the unreliable IP transport mechanism.
• If an IDS sees a retransmitted packet (with correct checksums) that has different contents than the original packet, it can assume either a buggy TCP/IP implementation or a malicious attack.

Test the IDS by TCP flag manipulation:

• Various TCP stacks react differently to these illegal inputs.
• Try different combinations of TCP flags.

Step 17: Test TCP Flags

• (none): A packet with no flags is neither Session Initiation (SYN), Midstream (ACK), nor Termination (FIN/RST). It is not part of any valid TCP transaction.

• SYN/FIN: The flag combination indicates both Session Initiation (SYN) and Session Termination (FIN), an impossible condition.

• SYN/RST: The flag combination indicates both Session Initiation (SYN) and Session Termination (RST), an impossible condition.

Step 17: Test TCP Flags (cont’d)

• SYN/FIN/ACK: This flag combination indicates Session Initiation (SYN), Midstream (ACK), and Session Termination (FIN), an impossible condition.

• SYN/RST/ACK: This flag combination indicates Session Initiation (SYN), Midstream (ACK), and Session Termination (RST), an impossible condition.

• All Flags: Often called the Xmas Tree flag combination, this combines the problem of Initiation, Midstream, and Termination flags with the PSH and URG flags (which in themselves are valid).
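The header-level checks from steps 6, 10, 11, 13, 14 and 17, written up as an added example in Python (not part of the EC-Council module or any of the tools it lists): each function returns the anomaly tags a sensor would raise, and the packet builders at the bottom are constructed test fixtures, not a packet-crafting library. The tag names and the 8-byte fragment-unit handling are this example's own conventions.

```python
"""Header-level checks for the packet anomalies in steps 6, 10, 11, 13, 14 and 17.
All packets are constructed samples built with struct; IP checksums stay zero
because none of these checks look at them."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP, UDP = 6, 17
MAX_IP_LEN = 65535


def parse_ipv4(pkt):
    """Extract the header fields the checks need from one raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "proto": proto, "wire_len": len(pkt),
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,      # the field counts 8-byte units
            "payload": pkt[ihl:]}


def classify_tcp_flags(flags):
    """Name the illegal combinations listed in step 17; return '' for a legal set."""
    base = flags & 0x3F                                     # FIN SYN RST PSH ACK URG
    if base == 0:
        return "none"
    if base == 0x3F:
        return "xmas"                                       # all flags: the Xmas Tree packet
    if base & SYN and base & FIN:
        return "syn-fin-ack" if base & ACK else "syn-fin"
    if base & SYN and base & RST:
        return "syn-rst-ack" if base & ACK else "syn-rst"
    return ""


def check_packet(pkt):
    """Return the anomaly tags for one packet; an empty list means it looks sane."""
    ip = parse_ipv4(pkt)
    findings = []
    data_len = ip["total_len"] - ip["ihl"]
    # Step 6: total length minus IHL must equal the data actually on the wire
    if ip["ihl"] < 20 or data_len < 0 or ip["total_len"] != ip["wire_len"]:
        findings.append("inconsistent-ip-length")
    # Step 10: header + offset + data reassembling past the 65,535-byte maximum (ping of death)
    if ip["ihl"] + ip["frag_offset"] + data_len > MAX_IP_LEN:
        findings.append("fragment-exceeds-max-length")
    # Step 11: every fragment except the last carries a multiple of 8 data bytes
    if ip["more_fragments"] and data_len % 8 != 0:
        findings.append("odd-sized-fragment")
    # Transport checks need the ports, which only the first fragment carries
    if ip["frag_offset"] == 0 and ip["proto"] in (TCP, UDP) and len(ip["payload"]) >= 8:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        if 0 in (sport, dport):                             # step 13: port 0 is reserved
            findings.append("port-0")
        # Step 14: zero UDP checksum means "not computed" (legal only in IPv4, never in IPv6)
        if ip["proto"] == UDP and struct.unpack("!H", ip["payload"][6:8])[0] == 0:
            findings.append("udp-checksum-disabled")
        if ip["proto"] == TCP and len(ip["payload"]) >= 14:  # step 17: impossible flag sets
            tag = classify_tcp_flags(ip["payload"][13])
            if tag:
                findings.append("tcp-flags-" + tag)
    return findings


# Constructed sample builders (test fixtures, not a packet-crafting library)
def build_ipv4(proto, payload, frag_offset=0, more_fragments=False, total_len=None):
    """Minimal 20-byte IPv4 header in front of payload; total_len can be forced for step 6."""
    if total_len is None:
        total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def tcp_segment(sport, dport, flags):
    """20-byte TCP header carrying the given flags, no options, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp_datagram(sport, dport, data, checksum=0x1234):
    """8-byte UDP header; checksum=0 reproduces the 'not computed' case of step 14."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), checksum) + data


if __name__ == "__main__":
    samples = {
        "normal SYN/ACK": build_ipv4(TCP, tcp_segment(40000, 80, SYN | ACK)),
        "SYN/FIN": build_ipv4(TCP, tcp_segment(40000, 80, SYN | FIN)),
        "Xmas tree": build_ipv4(TCP, tcp_segment(40000, 80, 0x3F)),
        "UDP to port 0, no checksum": build_ipv4(UDP, udp_datagram(5000, 0, b"x", checksum=0)),
        "ping of death fragment": build_ipv4(1, b"A" * 8, frag_offset=65528),
        "odd-sized fragment": build_ipv4(UDP, udp_datagram(5000, 53, b"abcd"), more_fragments=True),
        "length mismatch": build_ipv4(UDP, udp_datagram(5000, 53, b"abcd"), total_len=100),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {check_packet(pkt) or 'ok'}")
```

A legal SYN/ACK handshake packet produces no tags, which is the check a tester wants before trusting any of the positive results.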

Steps 18/19: Test the IDS by Sending SYN Floods/ Sequence Number Prediction

Test the IDS by sending SYN floods:

• Many TCP implementations are vulnerable to a resource-exhaustion attack known as SYN flooding, in which excessive requests are made to create sessions, thus causing memory utilization to occur.
• If these SYN packets are spoofed from addresses that do not exist, no response packet containing SYN/ACK will be received, and the pending connection queue will expand.

Test initial sequence number prediction:

• Many TCP services have easily predictable responses, and thus the byte count can be guessed with reasonable accuracy.
• The success of spoofing TCP connections, in these cases, would be predicated on the ease of predicting the initial sequence number used by the target host.

Step 20: Test for Backscatter

The term backscatter refers to the response SYN/ACK packets that a SYN-flooded host will send in response to receiving the SYN packets.

If the source address of the original SYN packet is spoofed, the SYN/ACKs will be sent to that spoofed address, which may use all the network bandwidth for the spoofed host or network.

Backscatter can easily be detected as a flood of SYN/ACK packets without an initial SYN being sent.
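The detection side of steps 18 and 20 as an added example, not from the module: a small handshake tracker that pairs each SYN/ACK with the SYN it answers, so a pile of unanswered SYNs toward one server reads as a SYN flood and SYN/ACKs with no preceding SYN read as backscatter. The event tuple layout, the thresholds and the sample capture (documentation address ranges) are this example's assumptions.

```python
"""Connection-state bookkeeping for steps 18 and 20: half-open SYNs per server and
SYN/ACKs that arrive with no preceding SYN (backscatter). Events are constructed samples."""
from collections import Counter

SYN, ACK = 0x02, 0x10


def analyse_handshakes(events, half_open_limit=50, backscatter_limit=10):
    """events: iterable of (src, sport, dst, dport, tcp_flags) tuples in capture order.
    Returns {address: finding} for hosts over either threshold."""
    pending = set()                  # SYNs still waiting for their SYN/ACK
    half_open = Counter()            # per destination: SYNs without a SYN/ACK yet
    unsolicited = Counter()          # per source: SYN/ACKs we never saw a SYN for
    for src, sport, dst, dport, flags in events:
        if flags & SYN and not flags & ACK:            # a new connection attempt
            pending.add((src, sport, dst, dport))
            half_open[dst] += 1
        elif flags & SYN and flags & ACK:              # reply to an earlier SYN?
            key = (dst, dport, src, sport)             # reverse the direction
            if key in pending:
                pending.discard(key)
                half_open[src] -= 1
            else:
                unsolicited[src] += 1                  # step 20: no SYN went that way
    findings = {}
    for host, n in half_open.items():
        if n >= half_open_limit:                       # step 18: queue of unanswered SYNs
            findings[host] = f"syn-flood ({n} half-open SYNs, step 18)"
    for host, n in unsolicited.items():
        if n >= backscatter_limit:
            findings[host] = f"backscatter ({n} SYN/ACKs without a SYN, step 20)"
    return findings


def sample_events():
    """Constructed capture: one normal handshake, a spoofed SYN flood, then backscatter."""
    events = [("10.0.0.7", 40000, "10.0.0.5", 80, SYN),
              ("10.0.0.5", 80, "10.0.0.7", 40000, SYN | ACK),
              ("10.0.0.7", 40000, "10.0.0.5", 80, ACK)]
    # 60 SYNs from addresses that never answer, all aimed at one server
    events += [(f"198.51.100.{i}", 1024 + i, "10.0.0.5", 80, SYN) for i in range(60)]
    # 12 SYN/ACKs from a remote server being flooded with one of our addresses spoofed
    events += [("203.0.113.9", 80, "10.0.0.20", 5000 + i, SYN | ACK) for i in range(12)]
    return events


if __name__ == "__main__":
    for host, finding in analyse_handshakes(sample_events()).items():
        print(host, "->", finding)
```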

Steps 21/22: Test the IDS with ICMP Packets/ IDS Using Covert Channels

Test the IDS with ICMP packets:

• ICMP packet spoofing can be used to create denial-of-service situations by falsely propagating error indications throughout the network.

Test the IDS using covert channels:

• A covert channel can be defined as a hidden communications mechanism.
• When a system has been compromised by other means, some hackers will use these covert channels in an attempt to hide their activities.

Step 23: Test Using TCPReplay

Test using TCPReplay:

• How does TCPReplay help test NIDS systems?
• Performance degrades as network traffic increases.
• Attacks are hidden by heavily loaded traffic.

Step 24: Test Using TCPOpera

TCPopera is a tool that extends TCPreplay by allowing users to define network conditions and play out traffic in a realistic environment where packets may be delayed or lost.

How would TCPopera aid in IDS testing?

• Does the IDS track TCP connection state?
• How well does the IDS perform under different network conditions (false positives!)?
• How does the IDS handle retransmitted packets?

TCPopera has the potential to provide IDS testing environments with traffic that exhibits TCP behavior quickly.

Step 25: Test Using Method Matching

Many ID systems were failing due to the fact that they were assuming the requests to use the GET method--they were looking for the following style of signatures:

• GET /cgi-bin/some.cgi

Use HEAD instead of GET requests to trick the IDS:

• HEAD /cgi-bin/some.cgi

ID systems will fail if they are looking only for GET signatures.

Step 26: Test the IDS Using URL Encoding

URL encoding is to encode the URL with its escaped equivalent.

The HTTP protocol specifies that arbitrary binary characters can be passed within the URL by using %xx notation, where 'xx' is the hex value of the character.

In theory, the raw IDS would fail, since the signature "cgi-bin" does not match the string "%63%67%69%2d%62%69%6e".

Step 27: Test the IDS Using Double Slashes

Replace every single '/' with '//'.

This will result in checks for "/cgi-bin/some.cgi" not matching "//cgi-bin//some.cgi".

However, most IDS (smart and raw) are aware of this trick and all derivatives of the trick using multiple (3+) slashes.

Smart ID systems tend to correctly interpret this (by logically combining all slashes into one).

Step 28: Test the IDS for Reverse Traversal

Break apart a signature, such as:

"/cgi-bin/some.cgi"

by using reverse traversal directory tricks:

• GET /cgi-bin/blahblah/../some.cgi HTTP/1.0

This equates to "/cgi-bin/some.cgi" once the directory traversal has been accounted for.

Most IDS can detect this technique.

Step 29: Test for Self Reference Directories

The '..' means the parent directory.

'.' means the current directory.

So "c:\temp\.\.\.\.\.\" is equivalent to "c:\temp\" ("/tmp/./././././" being "/tmp/" for you Unix folk).

This technique will bypass raw ID systems from matching signatures like "/cgi-bin/phf".

Step 30: Test for Premature Request Ending

Some IDS systems can stop looking after the "HTTP/1.0\r\n":

GET %20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n

This translates to:

GET / HTTP/1.0\r\nHeader: /../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n

Or:

GET / HTTP/1.0\r\nHeader: /../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n\r\n

This is also valid. The IDS will decode the encoding first and stop scanning at the fake 'premature' ending, rather than the real one.

Step 31: Test for IDS Parameter Hiding

IDS sometimes does not scan the data in the parameters.

Some IDS may stop processing once the '?' is reached, which indicates the rest of the data are parameters:

• GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0

This translates to:

• GET /index.htm?param=/../cgi-bin/some.cgi HTTP/1.0

Step 32: Test for HTTP Misformatting

Some IDS systems that implement minimal signatures depend on the trailing space for matching.

For example, matching "/phf" could lead to many false positives, but "/phf " (notice the trailing space) helps assure that the final requested page is closer to the actual 'phf', and not just starting with the letters 'phf'.

Step 33: Test for Long URLs

Some IDS only look within the first xx bytes of the request. Generally this works well, since the first line of the request needs to contain the URL.

However, we can exploit this by submitting a request along the lines of:

• GET /rfprfp<lots of characters>rfprfp/../cgi-bin/some.cgi HTTP/1.0

The key is to include enough characters to move the rest of the submitted request outside the scope of the ID system's scan limit.

Step 34: Test for DOS/Win Directory Syntax

Microsoft separates directories using '\' where Unix uses '/'.

Internally, IIS (as well as all other DOS/Windows based web servers) can still use '\' in web requests, since they are still valid as directory separators: /cgi-bin/phf is the same as \cgi-bin/phf.

Step 35: Test for Null Method Processing

Many C string libraries use the NULL character to denote the end of the string.

Some IDS still use these libraries; the recurrence of using NULLs to denote the end of strings is still quite common.

We can use this to our advantage with the following type of request:

• GET%00 /cgi-bin/some.cgi HTTP/1.0

Step 36: Test for Case Sensitivity

The DOS/Windows filesystem has a unique characteristic that Unix doesn't: filenames are case insensitive.

This means requests for "index.htm", "INDEX.HTM" and "Index.Htm" are all the same.

The signature "/cgi-bin/some.cgi" does not literally match "/CGI-BIN/SOME.CGI".

Step 37: Test Session Splicing

Many IDS systems only scan for a particular signature within the current packet--signatures are not split up and checked across multiple packets.

For example, the request "GET / HTTP/1.0" may be split across multiple packets to be "GE", "T ", "/", " H", "T", "TP", "/1", ".0".
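The "smart IDS" side of steps 25 through 37, as one added Python example that is not from the module or any product it names: the request is reassembled (step 37), decoded in full rather than only its first line (steps 26, 30, 31, 33), and every path-like token is canonicalised the way the target server would resolve it (steps 27, 28, 29, 34, 35, 36) before being compared, method-independently (step 25), against the module's signature "/cgi-bin/some.cgi". The sample requests are constructed from the slides' own examples; the token regex and the helper names are this example's assumptions.

```python
"""Normalise an HTTP request before signature matching, countering the evasions in
steps 25-37. Sample requests below are constructed from the slides' examples."""
import re
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/some.cgi"             # the raw signature the module uses throughout
PATH_TOKEN = re.compile(r"[/\\][^\s?=&]*")  # every slash- or backslash-led token, anywhere


def normalize_path(raw):
    """Resolve one path the way the target web server would before serving it."""
    text = raw.replace("\\", "/")            # step 34: DOS/Win directory separator
    text = re.sub(r"/{2,}", "/", text)       # step 27: double (and 3+) slashes
    parts = []
    for seg in text.split("/"):
        if seg in ("", "."):                  # step 29: self-reference directory
            continue
        if seg == "..":                       # step 28: reverse traversal; "/.." at root stays root
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts).lower()     # step 36: case-insensitive filesystems


def decode_request(raw):
    """Decode the whole request, not just the first line, and neutralise NUL bytes."""
    text = unquote(raw.decode("latin-1"))    # step 26: %xx escapes (%0d%0a, %3f, %00 included)
    return text.replace("\x00", "")          # step 35: a NUL must not end the scan early


def find_signature(raw_request, signature=SIGNATURE):
    """Return the raw token that matched the signature after normalisation, or None.
    Scanning every token of the full decoded request defeats steps 25, 30, 31 and 33."""
    target = normalize_path(signature)
    for match in PATH_TOKEN.finditer(decode_request(raw_request)):
        if normalize_path(match.group()) == target:
            return match.group()
    return None


def find_signature_in_stream(segments, signature=SIGNATURE):
    """Step 37: reassemble the TCP stream first, then match across packet boundaries."""
    return find_signature(b"".join(segments), signature)


EVASIONS = {   # constructed from the module's own examples; every one resolves to SIGNATURE
    "25 method matching": b"HEAD /cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "26 url encoding": b"GET /%63%67%69%2d%62%69%6e/some.cgi HTTP/1.0\r\n\r\n",
    "27 double slashes": b"GET //cgi-bin//some.cgi HTTP/1.0\r\n\r\n",
    "28 reverse traversal": b"GET /cgi-bin/blahblah/../some.cgi HTTP/1.0\r\n\r\n",
    "29 self reference": b"GET /cgi-bin/./././some.cgi HTTP/1.0\r\n\r\n",
    "30 premature ending": b"GET %20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "31 parameter hiding": b"GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "33 long url": b"GET /rfprfp" + b"A" * 4000 + b"rfprfp/../cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "34 dos/win syntax": b"GET \\cgi-bin\\some.cgi HTTP/1.0\r\n\r\n",
    "35 null method": b"GET%00 /cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "36 case": b"GET /CGI-BIN/SOME.CGI HTTP/1.0\r\n\r\n",
}
SPLICED = [b"GE", b"T ", b"/cgi", b"-bin", b"/so", b"me.", b"cgi", b" H", b"T", b"TP", b"/1", b".0", b"\r\n\r\n"]
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"


def run_all():
    """Which evasions still slip past the normaliser? An empty list means none."""
    missed = [name for name, req in EVASIONS.items() if find_signature(req) is None]
    if find_signature_in_stream(SPLICED) is None:
        missed.append("37 session splicing")
    return missed


if __name__ == "__main__":
    print("missed:", run_all() or "none")
    print("benign request flagged:", find_signature(BENIGN) is not None)
```

Step 32 (the trailing-space trick) is the one evasion this normaliser does not need a special case for: it compares whole canonical paths, so "/phf" and "/phfx" never match each other.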

Summary

The main feature of an Intrusion Detection System (IDS) is to monitor network activity on the host network/workstation and generate alerts when there is an intrusion.

For host-based systems, the most common detection mechanism is signature recognition.

A network-based Intrusion Detection System detects the risk based on transfer patterns and the essential organization of the network. Attacks not detected by a host-based IDS can be easily detected using a network-based IDS.