Review of "50 ways to escape IDS" to SCID


Editor's note: an IDS can perhaps be defeated, but it will not be that easy.

Some of our customers have mentioned Mr. Fred Cohen's excellent article on the weaknesses of IDS systems, "50 methods to circumvent IDS". All 50 methods are listed below; the original can be obtained from http://all.net. Mr. Cohen argues that IDS can play only a small role in improving network security, and his article lists 50 methods by which attackers can bypass IDS. Below I refute these 50 methods one by one.

1. Adding irrelevant characters to a common intrusion will cause IDS to fail. For example, adding "& true" to a shell command has no effect on its operation but will evade IDS detection.

This only works on systems that are tolerant of their input. For example, if a phf attack uses the string "/cgi-bin/phf" and any character is added before or after it, the web server will not accept the request. If the method above is used against an old AIX system with "tprof", "tprof" still has to be invoked somewhere, and most IDS will match it correctly. Only a few IDS systems try to match complex patterns; most match only the small key part of the attack.

2. Use tabs in the command instead of spaces. Because most current IDS systems do not check all delimiters, using non-standard delimiters will escape IDS. In a Unix shell, you can also use "," instead of ";".

Similar to the first one. Running "tprof" with tabs instead of spaces still puts "tprof" on the command line, so a host- or network-based IDS will discover the attack.

3. Similar to the second one, you can change the separator in the system, for example using % as the separator. This will confuse almost all IDS.

This requires changing IFS (the internal field separator). Many host-based IDS monitor IFS changes. Many network-based IDS do not focus on complex patterns. In any case, the first three methods do not affect host-based IDS such as Tripwire, Stalker and CMDS.
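As an added example (not from the original review or from any IDS product it names), the following Python contrasts an exact-substring signature with one that normalizes delimiters and keys on the critical program name, which is the kind of matching the rebuttals to items 1 to 3 describe. The command lines, the "tprof" signature and the IFS check are constructed for illustration.

```python
import re
from typing import Dict, Set

# Constructed command lines illustrating the delimiter tricks of items 1-3
# (made-up samples, not captured sessions).
SAMPLE_COMMANDS = [
    "tprof -x /tmp/payload & true",    # item 1: padding the shell ignores
    "tprof\t-x\t/tmp/payload",         # item 2: tabs instead of spaces
    "cd /tmp, tprof -x /tmp/payload",  # item 2: ',' in place of ';'
    "IFS=%; tprof%-x%/tmp/payload",    # item 3: custom field separator
    "ls -l /home",                     # benign command
]

# The signature an over-literal IDS would use: the whole command, spaces included.
NAIVE_SIGNATURE = "tprof -x /tmp/payload"

# The "small part of the key" the review says most IDS actually match on.
KEY_TOKENS = {"tprof"}


def naive_match(cmd: str) -> bool:
    """Exact substring match; defeated by any change of delimiter."""
    return NAIVE_SIGNATURE in cmd


def custom_ifs(cmd: str) -> Set[str]:
    """Return the characters assigned to IFS on this command line (item 3).

    A host IDS that watches IFS changes would alert on a non-empty result.
    """
    seps: Set[str] = set()
    for m in re.finditer(r"\bIFS=(['\"]?)(.+?)\1(?=[\s;]|$)", cmd):
        seps.update(m.group(2))
    return seps


def normalize(cmd: str) -> str:
    """Collapse every delimiter (whitespace, ';', ',', '&', '|' and any custom
    IFS character) to a single space so that tokens can be compared."""
    seps = {" ", "\t", "\n", ";", ",", "&", "|"} | custom_ifs(cmd)
    spaced = "".join(" " if ch in seps else ch for ch in cmd)
    return " ".join(spaced.split())


def key_token_match(cmd: str) -> bool:
    """Match on the critical token regardless of how it was delimited."""
    return bool(set(normalize(cmd).split(" ")) & KEY_TOKENS)


def evaluate(cmd: str) -> Dict[str, bool]:
    """Run both matchers and the IFS check on one command line."""
    return {
        "naive": naive_match(cmd),
        "normalized": key_token_match(cmd),
        "ifs_changed": bool(custom_ifs(cmd)),
    }


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(repr(cmd), evaluate(cmd))
```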

4. Rearrange the attack order. For example, if the attack order is "A; B; C", the attack can also succeed in the order "B; A; C". Many IDS cannot detect the second ordering.

Logically this is an attractive argument, but modern attacks can succeed in one step, and those are discovered by many IDS. In complex attacks, some of the steps will be discovered.

5. Conduct a standard attack with more than one person. Taking the "A; B; C" example again: if user X performs "A; B" and user Y performs "C", the attackers will almost certainly not be found.

Similarly, if steps "A", "B" and "C" are all required, IDS is very likely to find one of them, whichever user executes it. Using multiple accounts does confuse administrators, but the attack will still be discovered.

6. Divide a standard attack into multiple sessions. Log on and perform "A; B", log out, then log on again to perform "C".

As in item 5. A root-privilege overflow script may have many lines, but only one of them is critical: somewhere there has to be a command that turns a non-privileged user into a privileged one.

7. Attack from multiple IP addresses/systems. Log on to X and Y, perform "A" from X, "B" from Y, then "C" from X.

Again, similar to 5 and 6. Multiple connections attract the attention of network-based IDS. Some IDS products, such as CMDS, will notice remote connections initiated from multiple IP addresses within a short time.

8. Define a macro for the commands used in the attack. For example, set a shell variable $ZZ to cp and use $ZZ instead of cp.

This adds complexity, but IDS will still detect the access. Imagine an IDS that triggers on the "tprof" program: it will record the event regardless. The same holds for defining a shell variable for /etc/passwd; the IDS will find the access to /etc/passwd within the Telnet session. These techniques therefore have almost no effect on host-based IDS such as CMDS, Stalker and Tripwire.

9. Define a macro for command parameters. For example, use $P instead of /etc/passwd.

See 8.

10. Replace the typed commands with a script. Normally IDS will not notice such a script.

This is the first technique that is indeed possible. However, it says nothing about what happens after the attack succeeds. Tools like CMDS will detect the abnormal login; Tripwire will find some of the backdoors. Renaming tools such as nmap and strobe is indeed a good idea, but once they are used, network-based IDS will find them. If you execute a script that grants root privileges, many IDS products are robust enough to detect variations of the attack. This has already been discussed earlier.

Bonus attack: adding comments to the attack commands will not be noticed. If this is a script with root privileges, most IDS systems are robust enough to detect variations of the attack. This has been discussed under 4, 5, 6 and 7.

11. Use different commands to accomplish the same function. For example, in a Unix shell, "echo *" is generally equivalent to "ls".

To attack the system you still have to run "tprof". Even if it is compiled into a binary that only runs "tprof" on another system, many IDS systems such as Stalker and SeOS will still detect the transition from a non-privileged to a privileged user.

12. Change the names used in the attack. For example, if the attack uses a temporary file "xxx", rename it "yyy".

This assumes the IDS searches only for the specified file name. See 11.

13. Create a lookup table to translate keywords, then substitute the characters, for example with sed.

Same as 11.

14. Encode the commands in EBCDIC and change the terminal type to EBCDIC. Because all character encoding has changed, IDS will not detect your actions.

Same as 11.

15. Encrypt the commands. For example, using SSH prevents sniffing, and network IDS products generally rely on sniffer functionality.

This is only useful against network-based IDS. Host-based IDS can fully monitor user behaviour under SSH.

16. Use a suffix when sending and translate it back elsewhere. IDS does not understand these symbols.

Same as 15.

17. Communicate in full duplex with the target machine. IDS cannot understand the additional characters.

Dragon, T-sight and all versions of the DoD NID program can handle these situations.

18. Interleave several known intrusion techniques during an intrusion. IDS may not be able to separate them.

At least one of the intrusions will probably be discovered. This is not a new technique, just as with 5, 6 and 7.

19. Encode the results sent back by daemons so that the returned format is not noticed by IDS. For example, if you use a Sendmail bug to send a password file to yourself, you can use a sed script in the pipeline to change the ":" in the file to "-".

This happens after the intrusion has succeeded. How the password file is processed after a successful intrusion is interesting, but it is not an attack type.

20. Use an awk script in the MPs queue to swap characters. This can escape IDS.

Like 15. It is not a new method.

Bonus attack: select a command from a numbered table, and the target executes the corresponding command. For example, you type "15 *.com", but the target executes "dir *.com".

Like 15, this is just a new way to encrypt shell commands.

21. DoS the IDS sensor port to disable it.

Many network-based IDS products are configured securely, with the sensor operating without an IP address. Some IDS products, such as Dragon, have no open UDP or TCP ports at all. RealSecure, NetProwler and NetRanger can also have their IP addresses removed to prevent attacks.

22. Attack the IDS with ping. Sending a large ping packet can crash many systems running IDS, so that subsequent attacks are not detected.

Also a DoS technique. As noted under 21, many network IDS are more secure than their surrounding environment, although I am sure there are many network IDS running on Windows NT that have operating system vulnerabilities.

23. Attack the platform running the IDS. Many IDS run on common operating systems with vulnerabilities. Once the platform is compromised, the IDS is easy to deal with.

Same as 21 and 22.

24. Create incorrect audit records to confuse IDS. For example, sending a packet between an attack packet and a normal packet can make the attack look harmless.

SNI wrote a very good paper on this issue. The NFR and Dragon network IDS can avoid these attacks. Host-based IDS generally do not have these vulnerabilities.

25. Consume the IDS system's disk space and then launch the attack. If harmless data fills the disk, the IDS will crash and subsequent attacks will not be detected.

When does an IDS system crash? If the IDS records everything, the administrators may notice. All the attacker achieves is to raise the administrators' vigilance.

26. Stop the generation or collection of audit records and then attack. For example, if a large number of processes are created, the IDS system cannot create any more audit processes.

This is a local DoS attack. Many UNIX operating systems can defend against such local attacks, and host IDS can avoid it by using separate processes. In addition, if the server load becomes too heavy, the administrator will notice the excess of processes.

27. Attack the response system to interrupt communication. For example, some IDS systems cut off all traffic from an attacker. Forge an attack that appears to come from a specific host; the IDS will cut off all connections from that host, and that specific host can then be attacked.

This is one of the attacks in Mr. Cohen's article that I find interesting. If I understand it correctly, the idea is that the attacker's IP address is automatically blocked by the IDS, so as to cut a protected host off from the network. Some IDS products, such as CMDS, NetRanger, NetProwler and RealSecure, can communicate with firewalls or routers; when a specific event occurs, the router or firewall limits the traffic of a specific host. The traffic problem this technique relies on is exactly why the firewall and the IDS work together: when traffic is limited, only the outgoing traffic is limited. The specified host will not be isolated and attacked.

28. Reverse the input and convert it with another conversion tool. Do the same for sending and receiving.

Like 15. This is just a new way of disguising the shell.

29. Insert a symbol in the middle of the input and convert it into a prefix using awk. The IDS system will not interrupt the connection.

Like 15, 28 and 29. This is only useful when a network IDS observes Telnet or rlogin sessions; such techniques are hard to apply to FTP, HTTP, SMTP and other protocols.

30. Use Emacs as the shell, and use its wipe (kill) and yank commands to move input/output through a buffer instead of typing it manually. When the attacker executes the attack command on the target machine, the IDS only sees commands such as Ctrl-W and Ctrl-Y.

NFR and RealSecure will notice the use of Emacs, since anyone not using vi is probably a hacker. More seriously, this is just another way of hiding commands, and it is usually only useful over Telnet and rlogin.

Bonus attack: very slow input (preferably several hours between commands). Because the IDS cache is limited, your input is flushed out of the IDS by the large volume of other traffic.

Network IDS have this weakness; host IDS do not. Some network IDS, such as NFR and Dragon, can be configured to detect long, low-bandwidth network sessions.
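As an added example that is not part of the original review, the following Python sketches the two session-level detections that the rebuttals to item 7 (one account from several IP addresses in a short time) and to the slow-input bonus attack (long, low-bandwidth sessions) rely on. The session records, the thresholds and the window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Session:
    """One interactive login as a host or network IDS might summarise it."""
    user: str
    src_ip: str
    start: datetime
    end: datetime
    bytes_in: int  # bytes sent by the client during the session


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


# Constructed session records (made up for this example; private and documentation addresses).
SESSIONS: List[Session] = [
    Session("alice", "10.0.0.5", _t("2024-01-01T09:00:00"), _t("2024-01-01T09:20:00"), 48000),
    # six hours connected, 900 bytes typed: the "very slow input" bonus attack
    Session("mallory", "198.51.100.7", _t("2024-01-01T10:00:00"), _t("2024-01-01T16:00:00"), 900),
    # one account, three source addresses within nine minutes: item 7
    Session("bob", "10.0.0.9", _t("2024-01-01T11:00:00"), _t("2024-01-01T11:02:00"), 3000),
    Session("bob", "203.0.113.4", _t("2024-01-01T11:05:00"), _t("2024-01-01T11:07:00"), 2500),
    Session("bob", "192.0.2.8", _t("2024-01-01T11:09:00"), _t("2024-01-01T11:10:00"), 1000),
]


def slow_sessions(sessions: List[Session], min_duration: timedelta = timedelta(hours=1),
                  max_bytes_per_min: float = 10.0) -> List[str]:
    """Flag users with long sessions that carry almost no input (thresholds are assumptions)."""
    hits = []
    for s in sessions:
        duration = s.end - s.start
        if duration < min_duration:
            continue
        rate = s.bytes_in / (duration.total_seconds() / 60)
        if rate <= max_bytes_per_min:
            hits.append(s.user)
    return hits


def multi_source_logins(sessions: List[Session], window: timedelta = timedelta(minutes=15),
                        min_ips: int = 3) -> List[Tuple[str, List[str]]]:
    """Flag accounts that log in from several source IPs within a short sliding window."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, sess in by_user.items():
        sess.sort(key=lambda x: x.start)
        for i, first in enumerate(sess):
            ips = {x.src_ip for x in sess[i:] if x.start - first.start <= window}
            if len(ips) >= min_ips:
                alerts.append((user, sorted(ips)))
                break  # one alert per account is enough
    return alerts
```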

31. Change the route to the target to escape IDS.

With knowledge of the topology this is an effective attack. It requires network reconnaissance, which a network IDS will easily discover. The attack also requires detailed knowledge of how the other party's IDS is laid out.

32. Change the return route from the target to avoid IDS.

Same as 31.

33. Use source-routed packets to specify a different route to the target, which can escape some single IDS.

Almost all firewalls, routers and servers drop and log source-routed packets. 31, 32 and 33 assume that an alternative path to the target exists, but in practice a network IDS can be positioned at a choke point that all network connections must pass through.

34. Attackers can use modem dial-up to reach the protected network and bypass the network IDS.

Of course, there are more ways to escape IDS systems: first observe them, then start with what they do not notice. For example, a virus can be released onto a Windows NT system protected by Axent IA, BlackICE or even RealSecure; these IDS systems are not aware of system-level viruses.

35. Interfere between the target and the IDS. For a network IDS, you can change how the router communicates.

This is very similar to 33. Network IDS work by listening to network traffic; if the traffic is not monitored, no intrusion is detected. This attack only works when the attacker can change internal network routes and has another access point to the traffic. Many network IDS systems can detect attempts to change routes.

36. Attack from a stepping stone. The attack will be noticed, but it will not be traced back (unless they are particularly good at tracking).

The topic of the article is "50 ways to escape the IDS system". This method, however, does not escape the IDS; it only shifts the intrusion detected by the IDS onto the intermediate host. The stepping-stone host can monitor your behaviour as well.

37. Open a connection on an unused port.

This presumes the attacker already has access to the target; new attacks do not start this way. Many programs such as Netcat can do this, and most of them are discovered by network IDS. Products such as RealSecure can even detect Loki ICMP sessions (client/server traffic encapsulated in ICMP packets).

38. Use an altered protocol for communication, for example reversing the byte order within words (compare the PDP-11 and VAX encodings).

This is just encrypted network transmission. It presumes a cooperating system on the peer network.

39. Encapsulate IPX packets in IP packets for the attack. The IDS may only look at the IP packet and not understand its content.

If the other party has an IPX-aware IDS, they will find this attack.

40. Attack over a different tunnelling protocol, for example IP over HTML.

Again an encrypted transmission technique.

Bonus attack: define your own protocol for a new tool and then use it to attack. See 40. You control the target host, write your own encrypted pipe and use it to communicate in front of the IDS. This does not escape the IDS.

41. Modem-based dial-up Internet attacks can bypass network IDS.

Same as 34.

42. Generate a large amount of false attack information to raise the noise level of the IDS. This makes it difficult for administrators to filter real attacks out of the flood of information.

This is interesting, but consider that network management systems are designed to process and display information in an intelligible way, and the same is true of IDS systems. For example, Dragon uses different tools to search different data at many levels of abstraction. Enterprise-level products such as WebTrends tend to display all security messages in an organized, very understandable way. If attackers do as described above, they will only raise the target's alert level.

43. Place intrusion commands in a Word macro and send the document to the target. IDS may not decode attack commands inside macros.

See 34. Some products such as RealSecure may find suspicious Java and ActiveX downloads. Application proxy firewalls with virus detection can also detect such attacks.

44. Place intrusion commands in any macro of any other product you can think of, such as PowerPoint or Lotus 1-2-3.

See 43 and 34. The so-called 50 methods are not really 50.

45. Place the commands in a compiled program (for example a Trojan), then find a way to get the target host to download and execute it.

This is the classic attack of all time. Common Trojans are discovered by many host and network IDS; some firewalls can even detect Back Orifice (BO) scans. On the other hand, this is also one of the most serious problems facing computer security today: it is almost impossible to inspect a binary program, or even its source code, and predict what it will do. IDS cannot do this either, but that is no reason to throw away the IDS product. When someone uses e-mail to send out sensitive company information, most IDS or firewall products will not detect it either.

46. Attack using rare protocols. IDS may not know how to decode the packets.

"Protocol" is not a good term here. If this means different UDP/TCP ports, a network IDS should find it. However, many network IDS products only flag what they can understand as suspicious. For attacks that are not ICMP, UDP or TCP, many IDS can be configured to generate warnings.

47. Rewrite the original exploit in a different language.

I do not think this is useful. For example, the check-CGI program, which has circulated for several months and checks more than 70 CGI vulnerabilities, was ported from C to REBOL, but there is no difference at the network layer. This method only works when the IDS searches for a specific binary program alone.

48. Use non-technical attacks (so-called social engineering), because IDS only deals with bits and bytes.

Yes, but this can be prevented by establishing warning systems, background checks, cameras, employee training programmes and so on. You can even use legal means.

49. Attack systems not running Unix, because today almost all IDS are for UNIX systems.

According to one survey, NetProwler, NFR Flight Jacket, NetRanger, RealSecure, Dragon and BlackICE can all detect most Windows NT attacks.

50-1000+. Use one of the thousands of methods the current system does not know. In some systems the maximum number of attacks detected is only 50 (one claims more than 150, while I know of more than 2000 known vulnerabilities); still, compared with 50, 150 is an improvement.

Where are known vulnerabilities published? Looking at Packet Storm and rootshell, most of the major attacks are covered by IDS products. There are some shortcomings specific to IDS, but most attacks can be noticed by IDS.

Bonus attacks, 1000+: write a new attack script. IDS only detects some known vulnerabilities.

See 50-1000+.


Conclusion:

It is very difficult to evaluate IDS systems and network security, because the topic is so vague. I hope this article causes some controversy and discussion of the role of IDS in the network. It should be obvious to readers that the author believes IDS is very useful in securing networks. I admit that good IDS cannot save the world, but they should not be underestimated lightly.
