Hacker Bypass Detection Methods

Source: Internet
Author: User

Hackers do not only know how to intrude into servers, but also how to disguise their own attacks. Malicious attackers can use a variety of escape methods to prevent themselves from being detected. Therefore, as a system administrator, they should also be aware of these methods to cope with possible attacks.

The main purpose of this article is not to reveal new hacker attack techniques, but to describe the methods hackers use to evade detection and the evidence they may leave behind. These methods are highly deceptive, which makes them harder to detect.

Network Server

Our experimental environment uses the two most common web servers: Apache and Microsoft's Internet Information Server (IIS). We run Apache 1.3.9 on Red Hat Linux and IIS 4.0 on Windows NT 4.0. Both are used in plain and SSL-enabled versions, so we can test attacks against encrypted and unencrypted servers.

Hexadecimal Encoding

One of the simplest ways to disguise an attack is to modify the URL request. As administrators, we generally search log files for certain plaintext strings or character sets; for example, we can search requests for strings that match known vulnerabilities. If the following entry is found in our IIS server log, we can see that someone is probing for the remote MDAC vulnerability in IIS:

06:45:25 10.0.2.79 GET /msadc 302

To see how attackers can bypass this kind of matching, look at the following requests, which form part of the attacker's approach. To determine whether the msadc directory exists, an attacker may enter:

[root@localhost /root]# nc -n 10.0.2.55 80
GET /msadc HTTP/1.0

This produces the log entry shown above. Attackers can instead encode the request using hexadecimal ASCII character codes. In the preceding example, the string msadc becomes 6D 73 61 64 63 after hexadecimal encoding. The Windows charmap program can be used to quickly convert ASCII characters to their hexadecimal codes. After the msadc string is hex-encoded, the HTTP request above becomes:

[root@localhost]# nc -n 10.0.2.55 80
GET /%6D%73%61%64%63 HTTP/1.0

The IIS log file shows:

07:10:39 10.0.2.31 GET /msadc 302

Note that although hexadecimal encoding was used, the resulting log entry is identical to the one for the URL without hexadecimal encoding: IIS decodes the request before logging it. In this example, encoding does not help the attacker escape detection. If we look at Apache logs, however, the situation is different. Below is the request an attacker uses to look for a CGI script, followed by the same request after hexadecimal encoding:

[root@localhost]# nc -n 10.0.0.2 80
HEAD /cgi-bin/test-cgi HTTP/1.0
[root@localhost]# nc -n 10.0.0.2 80
HEAD /%63%67%69-bin/test-%63%67%69 HTTP/1.0

Now let's take a look at the access_log file:

10.10.10.10 - - [18/Oct/2000:08:22:47 -0700] "HEAD /cgi-bin/test-cgi HTTP/1.0" 200 0
10.10.10.10 - - [18/Oct/2000:08:23:47 -0700] "HEAD /%63%67%69-bin/test-%63%67%69 HTTP/1.0" 200 0

First of all, note that in both cases the 200 status code shows that the request succeeded. In the second case, however, the log contains the hexadecimal values instead of the plaintext values. If we rely on pattern matching against plaintext strings to detect such attacks, we will miss them. Many intrusion detection systems use fairly simple pattern matching, and some products do not decode hexadecimal URLs before matching. Whether or not the intrusion detection software can decode hexadecimal, every network administrator should understand this trick.
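The gap described above is easy to close on the log-analysis side: decode the request path before matching it against signatures. The following is an added example (not code from the original article) that parses Apache common-log lines, percent-decodes the path, and compares the result with a couple of plaintext signatures; it also decodes twice, so that the same trick applied to itself (double encoding, %25 for %) is caught. The signature list and the sample log lines are constructed for the example; the second and third lines mirror the hex-encoded requests shown on this page.

```python
import re
from urllib.parse import unquote

# Apache "common" log format, e.g.
# 10.10.10.10 - - [18/Oct/2000:08:23:47 -0700] "HEAD /%63%67%69-bin/test-%63%67%69 HTTP/1.0" 200 0
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Plaintext signatures, written the way an administrator would grep for them
# (constructed list; extend with whatever your own policy watches for).
SIGNATURES = ("/msadc", "/cgi-bin/test-cgi")

def parse_line(line):
    """Split one common-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def normalize_path(path):
    """Percent-decode a request path so that /%6D%73%61%64%63 compares equal to /msadc.

    Decoding twice catches double encoding (%256D -> %6D -> m).  Repeated
    slashes are collapsed and the result lower-cased so that trivial
    variations still hit the same signature (a detection choice: IIS paths are
    case-insensitive, Unix paths are not, but for alerting we want the match).
    """
    decoded = unquote(unquote(path))
    return re.sub(r"/+", "/", decoded).lower()

def match_signatures(path, normalize=True):
    """Return the signatures found in the path, with or without decoding it first."""
    target = normalize_path(path) if normalize else path.lower()
    return [s for s in SIGNATURES if s in target]

def scan(lines, normalize=True):
    """Return (client ip, raw path, matched signatures) for every line that hits a signature."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = match_signatures(rec["path"], normalize)
        if sigs:
            hits.append((rec["ip"], rec["path"], sigs))
    return hits

# Constructed sample log: plaintext probe, the hex-encoded version of the same
# probe, a hex-encoded msadc probe, a double-encoded msadc probe, and benign traffic.
SAMPLE_LOG = [
    '10.10.10.10 - - [18/Oct/2000:08:22:47 -0700] "HEAD /cgi-bin/test-cgi HTTP/1.0" 200 0',
    '10.10.10.10 - - [18/Oct/2000:08:23:47 -0700] "HEAD /%63%67%69-bin/test-%63%67%69 HTTP/1.0" 200 0',
    '10.0.2.31 - - [18/Oct/2000:08:24:10 -0700] "GET /%6D%73%61%64%63/ HTTP/1.0" 302 0',
    '10.0.2.31 - - [18/Oct/2000:08:25:10 -0700] "GET /%256D%2573%2561%2564%2563/ HTTP/1.0" 404 0',
    '192.168.1.5 - - [18/Oct/2000:08:26:00 -0700] "GET /index.html HTTP/1.0" 200 1234',
]

if __name__ == "__main__":
    print("raw matching:       ", scan(SAMPLE_LOG, normalize=False))   # only the plaintext probe
    print("decoded matching:   ", scan(SAMPLE_LOG, normalize=True))    # all four probes
```

Running the block shows the point of the section directly: plaintext matching finds one of the four probes, matching after decoding finds all four. Decoding before matching is the same normalization step an IDS has to perform, and the double decode is there because an attacker who knows the IDS decodes once will encode twice.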

Proxy Server

It is difficult for an attacker to completely hide the attack itself, so concealing the real source of the attack becomes very important. If a hacker can hide his source IP address, he can launch an attack without worrying about being caught. Hackers can use a proxy server to hide their source IP address.

A proxy server is legitimately used to forward multiple protocols from a single access point. Generally, internal users must go through a proxy server to access the Internet, so the administrator can enforce policies on the proxy server that restrict external and internal access. The user first establishes a connection with the proxy server, and the proxy server then forwards the request to the real destination address. The destination records the IP address of the proxy server, rather than the IP address of the system that originally sent the request, as the source of the request.

Unfortunately, open proxy servers are far too common on the Internet. (See Proxys-4-All for a list of machines with these misconfigurations.) These servers are often configured incorrectly so that any Internet user can connect to them. Once an Internet user connects to a server through such a proxy, the server records the IP address of the proxy as the source of the request. In the log of the attacked server, the recorded attacker IP address is an "innocent" host that did nothing, rather than the real IP address of the attacker. Consider the following example.

The following shows what a direct attack and a proxied attack look like in the logs.

Attacker

[root@10.1.1.1 /]# nc -v 10.8.8.8 80
HEAD / HTTP/1.0

Log Files

10.1.1.1 - - [18/Oct/2000:03:31:58 -0700] "HEAD / HTTP/1.0" 200 0

Next, the attacker achieves the same result, but this time through a proxy server.

Attacker

[root@10.1.1.1 /]# nc -v 216.234.161.83 80
HEAD http://10.8.8.8/ HTTP/1.0

Log Files

216.234.161.83 - - [18/Oct/2000:03:39:29 -0700] "HEAD / HTTP/1.1" 200 0

Note that in this example the address shown in the log file is that of the proxy server (216.234.161.83, proxy.proxyspace.com), not the real address of the attacker. The attacker has successfully hidden the source of the attack. However, if the network administrator can get cooperation from the proxy operator, the real source can still be traced: most proxy servers keep very detailed logs, so in most cases the source of the attack can be found. Hackers have a counter to this as well: they can use several proxies in sequence, a "proxy chain", to launch the attack. The administrator and law enforcement must then examine every intermediate proxy server in turn to reach the attack source. Such proxy chains are widely used in hacker groups, and tools like SocksChain for Windows are available for building them.
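Tracing back through a chain is a mechanical process once the logs are in hand: start with the source IP the victim recorded, find the matching entry in that proxy's log (same destination, timestamp within a small window), take the client IP from that entry, and repeat. The following is an added example (not code from the original article) of that walk. The proxy log schema (timestamp, client, destination) and all the log entries are constructed for the example; real proxy formats such as Squid's differ, and the victim and first-hop addresses are the ones from the log lines on this page. Note that the walk stops when no further log is available, which means either the true origin or simply a proxy whose operator has not supplied logs.

```python
from datetime import datetime, timedelta

def parse_ts(s):
    """Parse an Apache-style timestamp such as 18/Oct/2000:03:39:29 -0700."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

# Constructed proxy access logs, keyed by the proxy's own IP address.
# Each entry is (timestamp, client that connected to the proxy, destination requested).
# 216.234.161.83 is the proxy seen in the victim's log on this page; 203.0.113.7
# is a hypothetical second proxy; 10.1.1.1 is the attacker from the page's example.
PROXY_LOGS = {
    "216.234.161.83": [
        ("18/Oct/2000:03:12:01 -0700", "198.51.100.9", "example.org"),
        ("18/Oct/2000:03:39:28 -0700", "203.0.113.7", "10.8.8.8"),
    ],
    "203.0.113.7": [
        ("18/Oct/2000:03:39:27 -0700", "10.1.1.1", "10.8.8.8"),
    ],
}

def trace_chain(victim, observed_ip, observed_ts, proxy_logs, window=timedelta(seconds=5)):
    """Walk a proxy chain backwards from what the victim logged.

    Returns (chain, status): chain lists the hops from the victim's view back to
    the last address we could resolve; status is "exhausted" when no proxy log
    exists for the last hop (it is the origin, or a proxy we have no logs from),
    "dead end at <ip>" when a proxy log exists but has no matching entry, and
    "loop at <ip>" if the logs point back to an address already in the chain.
    """
    chain = [observed_ip]
    seen = {observed_ip}
    current, ts = observed_ip, parse_ts(observed_ts)
    while current in proxy_logs:
        # Entries on this proxy for the same destination, close in time to the
        # request the next hop downstream recorded.  Clock skew between hosts is
        # why a window is used rather than an exact timestamp match.
        candidates = [
            (parse_ts(t), client)
            for t, client, dest in proxy_logs[current]
            if dest == victim and abs(parse_ts(t) - ts) <= window
        ]
        if not candidates:
            return chain, "dead end at " + current
        cand_ts, client = min(candidates, key=lambda c: abs(c[0] - ts))
        if client in seen:
            return chain, "loop at " + client
        chain.append(client)
        seen.add(client)
        current, ts = client, cand_ts
    return chain, "exhausted"

if __name__ == "__main__":
    # What the victim at 10.8.8.8 logged (see the proxied example above).
    print(trace_chain("10.8.8.8", "216.234.161.83", "18/Oct/2000:03:39:29 -0700", PROXY_LOGS))
```

Run as-is, the walk recovers the chain victim -> 216.234.161.83 -> 203.0.113.7 -> 10.1.1.1 and reports "exhausted", since there is no log for 10.1.1.1. The useful part for an investigator is the bookkeeping the function forces: a destination to match on, a time window that tolerates clock skew, and an explicit distinction between "no log available" and "log available but nothing matches", which is the difference between needing another operator's cooperation and having a timestamp or destination wrong.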

SSL

Many people have discussed this in the past, but it is worth mentioning again: attacks against servers that allow SSL will not be seen by a network intrusion detection system. Given a choice between port 80 (HTTP) and port 443 (HTTPS), the attacker will choose port 443 every time. This is not really a technique but a side effect of using encrypted communication. Requests on port 443 can still be monitored through the web server's own log files, which record the request after the server has decrypted it.

Conclusion

We have shown some common evasion tricks used on the Internet. Needless to say, these methods keep expanding as the imagination and creativity of hackers grow. For example, hexadecimal encoding is not only used to produce misleading log file entries; it can also confuse the URL parsing of the web server and may lead to vulnerabilities such as source code exposure. In some cases, attackers also use multiple proxy servers for scanning and attacks, making it difficult for administrators to trace the real source. And SSL sometimes paves the way for "secure hacking".
