12 CEH: Evading IDS, Firewalls, and Honeypots
What 4 *IDS/firewall evasion tools* does the material recommend?
1. Traffic IQ Professional 2. Nmap 3. Metasploit 4. Inundator
What is a *multi-homed firewall* architecture?
DMZ | Internet - Firewall - Firewall - Intranet
What is a *screened subnet* firewall architecture?
DMZ | Internet - Firewall - Intranet
True or false: IDSs sit inline with the flow of network traffic.
False. IDSs typically have one promiscuous network interface attached to each monitored network.
What is a *firewall*?
Hardware and/or software designed to prevent unauthorized access to or from a private network
What is a honeypot that simulates all services and applications of a target network?
High-interaction honeypot
In what IDS evasion technique does the attacker split the attack traffic into many fragments such that no single packet triggers the IDS?
Session splicing
What is the IDS evasion technique, *ASCII shellcode*?
Shellcode that only includes characters which are present in the ASCII standard. An attacker can use ASCII shellcode to bypass the IDS signature, as *pattern matching* doesn't work effectively with the ASCII values
What intrusion detection technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision?
Signature recognition
What is the firewall evasion technique, *DNS tunneling*?
Smuggle data within DNS requests
Name the following firewall type. 1. Creates a directory of outbound TCP connections, with an entry for each currently established connection 2. Terminates traffic that doesn't belong to an active session
Stateful inspection firewall
True or false: IPSs sit inline with the flow of network traffic.
True
What is the IDS evasion technique, *desynchronization - post-connection SYN*?
1. An attacker sends a *post-connection SYN packet* in the data stream, which will have *divergent sequence numbers* 2. However, the target host will ignore this SYN packet, as it references an already established connection 3. The intent of this attack is to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet
What is the IDS evasion technique, *invalid RST packets*?
1. An attacker sends the RST packet to the IDS with an invalid checksum. 2. The target system checks the RST packet's checksum and drops it. 3. The IDS stops processing the packet, thinking that the TCP communication session has ended, but the target system will receive the packet. 4. The attacker will be able to interact with the target while the IDS thinks that the communication has ended
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities? 1. An attacker, working slowly enough, can evade detection by the IDS. 2. Network packets are dropped if the volume exceeds the threshold. 3. The IDS will not distinguish among packets originating from different sources. 4. Thresholding interferes with the IDS' ability to reassemble fragmented packets.
1. An attacker, working slowly enough, can evade detection by the IDS.
What are the 3 *snort directions* the material specifies?
1. -> 2. <- 3. <>
Which of the following descriptions is true about a static NAT? 1. A static NAT uses a one-to-one mapping. 2. A static NAT uses a many-to-many mapping. 3. A static NAT uses a many-to-one mapping. 4. A static NAT uses a one-to-many mapping.
1. A static NAT uses a one-to-one mapping.
What are the 4 *snort IP address* options the material specifies?
1. Address: i.e., *192.168.1.1* 2. CIDR: i.e., *192.168.1.0/24* 3. Not Address/CIDR: i.e., *!192.168.1.1* or *!192.168.1.0/24* 4. Any: *any*
What are the 3 *snort actions* the material specifies?
1. Alert: generate an alert 2. Log: log the packet 3. Pass: drop/ignore the packet
What 3 *IPS tools* does the material recommend?
1. AlienVault Unified Security Management (USM) 2. IBM Security Network Intrusion Prevention System 3. Cyberoam Intrusion Prevention System
What is the firewall evasion technique, *tiny fragments*?
1. An attacker creates *tiny fragments* of outgoing packets forcing some of the TCP packet's header information into the next fragment 2. The IDS filter rules that specify patterns *will not match* with the fragmented packets due to broken header information 3. The attack will succeed if the filtering router examines only the first fragment and allows all the other fragments to pass through
What is the firewall evasion technique, *source routing*?
1. Source routing allows the sender of a packet to partially or completely *specify the route* the packet takes through the network 2. An attacker leverages source routing to ensure the packet evades the edge firewall
What is the IDS evasion technique, *application-layer attack*?
1. Applications accessing media files *compress* them to a smaller size for maximizing the data transfer rate 2. The IDS cannot verify the *signature of the compressed file* format 3. This enables an attacker to exploit the vulnerabilities in compressed data. The IDS can recognize conditions favorable for attack, but alternative forms of attack are also possible, making the detection of application-layer attacks *extremely difficult* for the IDS
What are 3 *packet fragment generator tools* the material recommends?
1. Colasoft Packet Builder 2. CommView 3. NetScan Tools Pro
What are the 3 types of intrusions, according to the material?
1. File system intrusion (anything having to do with a file) 2. Network intrusion (anything having to do with the network) 3. System intrusion (anything having to do with the host system that isn't necessarily a file, like logs, software, or processes)
What are the 3 *HTTP tunneling* tools recommended by the material?
1. HTTPort 2. HTTHost 3. Super Network Tunnel
What is the IDS evasion technique, *urgency flag*?
1. If the URG flag is set, the TCP protocol sets the urgent pointer field to a *16-bit offset value* that points to the last byte of urgent data in the segment 2. Many IDSs do not consider the urgent pointer and process all the packets in the traffic, whereas the target system processes the urgent data only 3. This results in the IDS and the target system having *different sets of packets*, which can be exploited by an attacker to pass the attack traffic
What 2 *honeypot tools* does the material recommend?
1. KFSensor 2. SPECTER
What is the IDS evasion technique, *polymorphic shellcode*?
1. Many IDSs identify signatures for the commonly used strings embedded inside the shellcode 2. Polymorphic shellcode attacks include *multiple signatures*, making it difficult to detect the signature 3. Attackers *encode the payload* using certain techniques and then place a decoder before the payload 4. As a result of this the *shellcode is completely rewritten each time it is sent*, thus evading detection
What 3 *mobile firewalls* does the material recommend?
1. Mobiwol: NoRoot Firewall 2. Mobile Privacy Shield 3. NetPatch Firewall
What 3 tools does the material recommend for *DNS tunneling*?
1. NSTX 2. Heyoka 3. Iodine
At which two traffic layers do most commercial IDSs generate signatures?
1. Network Layer 2. Transport Layer
What are the 2 types of intrusion detection systems?
1. Network-based 2. Host-based
What are the 3 *SSH tunneling* tools recommended by the material?
1. OpenSSH 2. Bitvise 3. Secure Pipes
In what order are Snort IDS rules evaluated by default?
1. Pass 2. Drop 3. Alert 4. Log
What are the 5 *snort port* options the material specifies?
1. Port: i.e., *80* 2. Port Range: i.e., *8000:8008* 3. Not Port/Range: i.e., *!80* or *!8000:8008* 4. Less Than / Greater Than Port: i.e., *:80* or *80:* 5. Any: *any*
What is the IDS evasion technique, *desynchronization - pre-connection SYN*?
1. Send an *initial SYN before the real connection is established*, but with an invalid TCP checksum 2. If a SYN packet is received *after the TCP control block is opened*, the IDS resets the appropriate sequence number to match that of the newly received SYN packet 3. An attacker sends *fake SYN packets* with a completely invalid sequence number to desynchronize the IDS, stopping the IDS from monitoring all legitimate and attack traffic
What 2 tools does the material recommend for *detecting honeypots*?
1. Send-Safe Honeypot Hunter 2. kippo_detect
What are the 3 ways the material specifies for how an IDS detects an intrusion?
1. Signature recognition 2. Anomaly detection (based on user behavior) 3. Protocol anomaly detection
What are the 3 *snort protocols* the material specifies?
1. TCP 2. UDP 3. ICMP
What 2 *firewalls* does the material recommend?
1. ZoneAlarm Free Firewall 2019 2. ManageEngine Firewall Analyzer
What 3 *IDS tools* does the material recommend?
1. snort 2. Suricata 3. AlienVault OSSIM
What 3 *mobile IDS tools* does the material recommend?
1. zIPS 2. Wifi Inspector 3. Wifi Intruder Detect
How many bits is the checksum used by the TCP protocol for error checking of the header and data, to ensure that communication is reliable?
16-bit
When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following: 1. Stops checking rules, sends an alert, and lets the packet continue 2. Continues to evaluate the packet until all rules are checked 3. Blocks the connection with the source IP address in the packet 4. Drops the packet and moves on to the next one
2. Continues to evaluate the packet until all rules are checked
Check Point's FireWall-1 listens to what TCP port?
259
What is the *snort rule format*?
<action> <protocol> <address> <port> <direction> <address> <port> (<match condition>; msg: "<match message>";)
What is the firewall evasion technique, *bypassing firewalls through the ICMP tunneling method*?
A payload can be smuggled in the *data section* of an ICMP packet, which is not normally checked by IDSs
What is the firewall evasion technique, *bypassing firewalls through the HTTP tunneling method*?
A payload can be smuggled within HTTP traffic
What is a *DMZ*?
A network that serves as a buffer between the internal secure network and the insecure Internet
What is the firewall evasion technique, *bypassing firewalls through the ACK tunneling method*?
A payload can be smuggled in the *TCP parameters* of ACK packets, which is not normally checked by IDSs
What is an *application proxy*?
A proxy server that filters connections based on the services and protocols appropriate to that application. For example, an FTP proxy will only allow FTP traffic to pass through, and all other services and protocols will be blocked
What is a *honeypot*?
A system that is expressly set up to attract and trap people who attempt to penetrate an organization's network
What is *firewalking*?
A technique that uses TTL values to determine gateway ACL filters and it maps networks and detects the presence of a firewall by analyzing the IP packet responses
What is the IDS evasion technique, *insertion attack*?
An attacker carefully crafts and sends packets to the target system via the IDS with varying TTLs such that some packets reach the IDS but not the target system, effectively bypassing the IDS. The IDS accepts more packets than the target
What is the IDS evasion technique, *time-to-live attack*?
An attacker carefully sends different packets with specifically different TTL values to trick the IDS into dropping the packets and the target into accepting them
What is the IDS evasion technique, *unicode evasion*?
An attacker converts the attack string to Unicode characters to avoid pattern signature matching the IDS
What is the IDS evasion technique, *obfuscation*?
An attacker encodes the attack packet payload in such a way that the target host can decode the payload, but the IDS cannot
What is the IDS evasion technique, *fragmentation attack*?
An attacker exploits the fragment reassembly timeout difference between the IDS and the target to send attack fragments that will be properly reassembled by the target, but will time out before being properly reassembled by the IDS
What is the IDS evasion technique, *overlapping fragments*?
An attacker generates a series of tiny fragments with overlapping TCP sequence numbers. This works when the target will reassemble the overlapping fragments properly, but the IDS won't
What is the firewall evasion technique, *IP address spoofing*?
An attacker masquerades as a trusted host to conceal his identity and bypass the firewall
What is the IDS evasion technique, *denial-of-service (DOS)*?
An attacker performs a DOS attack against the IDS server. If successful, the attacker's intrusion attempts won't be logged
What is the IDS evasion technique, *flooding*?
An attacker sends loads of unnecessary traffic to produce noise and if the IDS does not analyze the noise traffic well, then the true attack traffic may go undetected
What is the IDS evasion technique, *evasion*?
An attacker sends portions of the request in packets that the IDS mistakenly discards, allowing the removal of parts of the stream from the IDS such that the primary payload still arrives at the target machine. The IDS accepts fewer packets than the system
What is *snort*?
An open-source network intrusion detection system (IDS), capable of performing real-time traffic analysis and packet logging on IP networks
Which intrusion detection method detects an intrusion based on the fixed behavioral characteristics of the users and components of a computer system?
Anomaly detection
Name the following type of firewall. 1. Works at application layer 2. Examines traffic and filters on application-specific commands such as HTTP:POST or FTP:PUT
Application-level firewall
What is a *true positive*?
Attack -> alert
What is a *false negative*?
Attack -> no alert
What is the IDS evasion technique, *false positive generation*?
Attackers with knowledge of the target IDS craft malicious packets just to generate alerts, hiding the real attack traffic
In what way do the attackers identify the presence of layer 7 tar pits?
By looking at the latency of the response from the service
Name the following firewall type. 1. Works at session (OSI) / transport (TCP/IP) layer 2. Information passed to a remote computer through this firewall appears to have originated from this firewall 3. Monitors requests to create sessions and determines if those sessions will be allowed 4. Allows or prevents *data streams*, not *individual packets*
Circuit-level gateway firewall
What type of honeypot is very effective in determining the entire capabilities of adversaries and is mostly deployed in an isolated virtual environment along with a combination of vulnerable servers?
Honeynets
Name the following firewall type. 1. Works at Network/Internet layer 2. Each packet is compared to a set of criteria before being forwarded or dropped 3. Rules can include source and/or destination IP address, port number, and protocol
Packet filtering firewall
You are a security expert. What can you do to protect an internal server that does not have antivirus and you cannot install any tools because of performance issues?
Install *compensatory controls* such as *internal* FW and IPS to protect it.
What is a *bastion host* firewall architecture?
Internet - Firewall - Bastion Host - Intranet. A *bastion host* is a computer system designed and configured to protect network resources from attacks
What technique manipulates the TCP/IP stack and is effectively employed to slow down the spread of worms and backdoors?
Layer 4 tar pits
What feature of the Secure Pipes tool opens application communication ports to remote servers without opening those ports to public networks?
Local forwards
What tool is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall?
Loki
What is a honeypot that simulates only a limited number of services and applications of a target network?
Low-interaction honeypot
What type of honeypot is simulated with known vulnerabilities, such as outdated APIs and vulnerable SMBv1 protocols, and emulates different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities?
Malware honeypot
What is a honeypot that simulates a real operating system, applications, and services of a target network?
Medium-interaction honeypot
The general indicators of *what type of intrusion* are repeated login attempts from remote hosts, a sudden influx of log data, and a sudden increase in bandwidth consumption?
Network intrusion
What is a *false positive*?
No attack -> alert
What is a *true negative*?
No attack -> no alert
Where are firewalls generally deployed?
On the edge of the network
What type of firewall inspects only header information in network traffic?
Packet filter firewall
What is a honeypot that emulates the real production network of a target organization?
Pure honeypot
What is the firewall evasion technique, *bypass blocked sites using anonymous website surfing sites*?
Routes all traffic through an encrypted tunnel directly from a laptop to secure and harden servers and networks
While *firewalking*, if you receive the response that a particular port's *TTL was exceeded*, what do you know?
The firewall does not filter on that particular port
While *firewalking*, if you receive the response that a particular port got *no response*, what do you know?
The firewall is blocking connections to that port
What tool audits and validates the behavior of security devices and is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of a non-proxy packet filtering device?
Traffic IQ Professional
What is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?
They must be dual-homed
What is the firewall evasion technique, *bypass blocked sites using an IP address in place of a URL*?
Type the IP address directly into the browser's address bar instead of the domain name
What is the IDS evasion technique, *encryption*?
When an attacker has already established an encrypted session with the victim, it results in the most effective evasion attack
What is the Perl module that supports IDS evasion techniques?
libwhisker
Hardware firewalls are used to protect ______________ and software firewalls are used to protect _______________.
networks, hosts