CEHv10 IDS, Firewalls & Honeypots
Firewall Limitations
- Firewalls can restrict users from accessing valuable services like FTP, Telnet, NIS, etc. and sometimes restrict Internet access as well.
- The firewall cannot protect from internal attacks (backdoors) in a network, for example a disgruntled employee who cooperates with an external attacker.
- The firewall concentrates its security at one single point, which makes other systems within the network prone to security attacks.
- A bottleneck could occur if all the connections pass through the firewall.
- The firewall cannot protect the network from social engineering and data-driven attacks where the attacker sends malicious links and emails to employees inside the network.
- If external devices such as a laptop, mobile phone, portable hard drive, etc. are already infected and connected to the network, then a firewall cannot protect the network from these devices.
- The firewall is unable to adequately protect the network from all types of zero-day viruses that try to bypass it.
- A firewall cannot do anything if the network design and configuration is faulty.
- A firewall is not an alternative to antivirus or antimalware.
- A firewall does not block attacks from a higher level of the protocol stack.
- A firewall does not protect against attacks originating from common ports and applications.
- A firewall does not protect against attacks from dial-in connections.
- A firewall is unable to understand tunneled traffic.
Intrusion Detection System (IDS) Pen Testing
- Perform an obfuscation technique to encode attack packets that the IDS would not detect, but that an IIS web server would decode and be attacked by
- Try to bypass the IDS by hiding attack traffic in a large volume of false positive alerts (false positive generation attack)
- Use the session splicing technique to bypass the IDS by keeping the session active for a longer time than the IDS reassembly time
- Try Unicode representations of characters to evade the IDS signature
- Perform a fragmentation attack with an IDS fragmentation reassembly timeout both less than and greater than that of the victim
- Perform the overlapping fragment technique to craft a series of packets with TCP sequence numbers configured to overlap
- Try the invalid RST packets technique to bypass the IDS, as it prevents the IDS from processing the stream
- Perform the urgency flag evasion technique to evade the IDS, as some IDSs do not consider the TCP protocol's urgency feature
- Try to bypass the IDS by encrypting the shellcode to make it undetectable to the IDS (polymorphic shellcode technique)
- Try to evade IDS pattern matching signatures by hiding the shellcode content using ASCII codes (ASCII shellcode technique)
- Perform application layer attacks, as many IDSs fail to check compressed file formats for signatures
- Establish an encrypted session with the victim or send loads of unnecessary traffic to produce noise that cannot be analyzed by the IDS
Defend Against IDS Evasion
- Shut down switch ports associated with the known attack hosts.
- Perform an in-depth analysis of ambiguous network traffic for all possible threats.
- Use TCP FIN or Reset (RST) packets to terminate malicious TCP sessions.
- Look for NOP opcodes other than 0x90 to defend against the polymorphic shellcode problem.
- Train users to identify attack patterns and regularly update/patch all systems and network devices.
- Deploy the IDS after a thorough analysis of network topology, nature of network traffic, and the number of hosts to monitor.
- Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches the IDS.
- Ensure that IDSs normalize fragmented packets and allow those packets to be reassembled in the proper order.
- Define the DNS server for the client resolver in routers or similar network devices.
- Harden the security of all communication devices such as modems, routers, etc.
- If possible, block ICMP TTL expired packets at the external interface level and change the TTL field to a considerable value, ensuring that the end host always receives the packets.
- Regularly update the antivirus signature database.
- Use a traffic normalization solution at the IDS to protect the system against evasions.
- Store the attack information (attacker IP, victim IP, timestamp) for future analysis.
Defend Against Firewall Evasion
- The firewall should be configured in such a way that the IP address of an intruder is filtered out.
- Set the firewall ruleset to deny all traffic and enable only the services required.
- If possible, create a unique user ID to run the firewall services, rather than running the services using the administrator or root IDs.
- Configure a remote syslog server and apply strict measures to protect it from malicious users.
- Monitor firewall logs at regular intervals and investigate all suspicious log entries found.
- By default, disable all FTP connections to or from the network.
- Catalog and review all inbound and outbound traffic allowed through the firewall.
- Run regular risk queries to identify vulnerable firewall rules.
- Monitor user access to firewalls and control who can modify the firewall configuration.
- Specify the source and destination IP addresses as well as the ports.
- Notify the security policy administrator of firewall changes and document them.
- Control physical access to the firewall.
- Take regular backups of the firewall ruleset and configuration files.
- Schedule regular firewall security audits.
How IDS detects Intrusions
- Signature Recognition
- Anomaly Detection
- Protocol Anomaly Detection
Bypass Firewall via MITM Atk
1. Attacker performs DNS server poisoning
2. User A requests www.certifiedhacker.com from the corporate DNS server
3. Corporate DNS server sends the IP address (127.22.16.64) of the attacker
4. User A accesses the attacker's malicious server
5. Attacker connects to the real host and tunnels the user's HTTP traffic
6. The malicious code embedded in the attacker's web page is downloaded and executed on the user's machine
Bypass Firewall via Proxy Server
1. Find an appropriate proxy server
2. On the Tools menu of any Internet browser, go to "Proxy Settings" and in the Internet Properties dialog box under the Connections tab, click "LAN settings"
3. Under LAN Settings, click the "Use a proxy server for your LAN" checkbox
4. In the Address box, type the IP address of the proxy server
5. In the Port box, type the port number that is used by the proxy server for client connections (by default, 8080)
6. Select the "Bypass proxy server for local addresses" checkbox if you do not want the proxy server to be used when connecting to a computer on the local network
7. Click OK to close the LAN Settings dialog box
8. Click OK again to close the Internet Properties dialog box
Firewalls
A software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks. They are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. It examines all messages entering or leaving the intranet and blocks those that do not meet the specified security criteria. Always install it away from the rest of the network, so that none of the incoming requests can get direct access to a private network resource.
Tiny Fragments
Attackers create tiny fragments of outgoing packets, forcing some of the TCP packet's header information into the next fragment. The IDS filter rules that specify patterns will not match the fragmented packets due to the broken header information. The attack will succeed if the filtering router examines only the first fragment and allows all the other fragments to pass through. This attack is used to avoid user-defined filtering rules and works when the firewall checks only the TCP header information.
Application Layer Attacks
Attackers find flaws in this compressed data and perform attacks; even the IDS signatures cannot identify attack code within data thus compressed.
Overlapping Fragments
Attackers use overlapping fragments technique to evade IDS. In this technique, attackers generate a series of tiny fragments with overlapping TCP sequence numbers.
SSH Tunneling Tool
Bitvise - Provides secure remote login capabilities to Windows workstations and servers by encrypting data during transmission.
Secure Pipes - OS X based SSH tunneling software. Some of the features it includes are remote forward, local forward and SOCKS proxies.
Intrusion Detection Systems (IDS)
Checks traffic & raises alarms. A security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities. It monitors both inbound and outbound traffic of the network and continuously checks for suspicious activities that may indicate a network or system security breach. It checks traffic for signatures that match known intrusion patterns. One of the most common places to deploy an IDS is near the firewall. Placed inside, the IDS will be ideal if it is near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network.
Detecting presence of Fake AP
Fake access points only send beacon frames but do not produce any fake traffic on the access points, so an attacker can monitor the network traffic and quickly notice the presence of a fake AP.
Packet Filtering Firewall
In this firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. It works at the Internet Protocol (IP) layer of the TCP/IP model or the network layer of the OSI model. Packet filter-based firewalls concentrate on individual packets, analyze their header information, and determine which way they need to be directed. It makes decisions according to:
- Source IP address
- Destination IP address
- Source TCP/UDP port
- Destination TCP/UDP port
- TCP flag bits: Used to check whether the packet has the SYN, ACK, or other bits set for the connection to be made.
- Protocol in use
- Direction
- Interface: Used to check whether or not the packet is coming from an unreliable zone
Snort IDS (also Sniffer, Logger & IPS)
Network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
Uses of Snort:
o Straight packet sniffer like tcpdump
o Packet logger (useful for network traffic debugging, etc.)
o Network intrusion prevention system
Snort Rules
Snort uses the popular libpcap library (for UNIX/Linux) or WinPcap (for Windows), the same library that tcpdump uses to perform its packet sniffing.
Protocol Anomaly detection
One of the ways an IDS detects intrusions. This detection depends on the anomalies specific to a protocol. It identifies particular flaws in how vendors implement the TCP/IP protocol. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication. Protocol anomaly detectors differ from traditional IDSs in how they present alarms.
Signature Recognition
One of the ways an IDS detects intrusions. Also known as misuse detection, it tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. Only attacks should match the model; otherwise, false alarms could occur. It compares incoming or outgoing network packets with the binary signatures of known attacks, using simple pattern-matching techniques to detect intrusion.
Anomaly Detection
One of the ways an IDS detects intrusions, also known as "not-use detection." An intrusion can be detected when an event occurs outside the tolerance threshold of normal traffic; therefore any deviation from regular use is treated as an attack. It detects the intrusion based on fixed behavioral characteristics. In this type of approach, the inability to construct a thorough model of a regular network is of concern. These models should be built for and checked on specific networks.
Bastion Host
Part of a firewall architecture. Designed for defending the network against attacks, it acts as a mediator between inside and outside networks. Traffic entering or leaving the network passes through the firewall. It has two interfaces:
o Public interface directly connected to the Internet
o Private interface connected to the intranet
Multi-homed Firewall
Part of a firewall architecture. This is a node with multiple NICs that connects to two or more networks. It connects each interface to a separate network segment, logically and physically. It helps in increasing the efficiency and reliability of an IP network. More than three interfaces may be present, allowing further subdivision of the systems based on the specific security objectives of the organization.
Screened Subnet (DMZ)
Part of a firewall architecture. This is a protected network created with a two- or three-homed firewall behind a screening firewall and is a name commonly used to refer to the DMZ. Connect the first interface to the Internet, the second interface to the DMZ, and the third to the intranet. The advantage of this from the intranet's point of view is that public requests can be responded to without allowing traffic into the intranet. A disadvantage of the three-homed firewall is that if it is compromised, both the DMZ and the intranet could also be compromised.
Desynchronization
Pre-Connection SYN:
- This attack is performed by sending an initial SYN before the real connection is established, but with an invalid TCP checksum.
- Attackers send fake SYN packets with a completely invalid sequence number to desynchronize the IDS. This stops the IDS from monitoring all traffic, legitimate and attack alike.
Post-Connection SYN:
- For this technique, the attacker attempts to desynchronize the IDS from the actual sequence numbers that the kernel is honoring.
- This attack intends to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet. It will then ignore any data that is a legitimate part of the original stream because it will be awaiting a different sequence number.
- Once the IDS has been resynchronized with a SYN packet, the attacker sends an RST packet with the new sequence number and closes down its notion of the connection.
Research Honeypot
These honeypots are high-interaction honeypots primarily deployed in research institutes, government or military organizations to gain detailed knowledge about the actions of intruders. By using this type of honeypot, security analysts can obtain in-depth information about the way an attack is performed, the vulnerabilities exploited, and the attack techniques and methods used by the attackers. The drawback of these honeypots is that they do not contribute to the direct security of the company and are not good for improving infrastructure.
High interaction honeypot
These honeypots do not emulate anything; they run actual vulnerable services or software on production systems with real OSs and applications. These honeypots provide all services and applications and can be completely compromised. They capture complete information about an attack vector, such as attack techniques, tools, and the intent of the attack. The honeypotized system is more prone to infection, as attack attempts can be carried out on real production systems.
Unicode Evasion
This evasion technique relies on Unicode, a character coding system that supports encoding, processing, and displaying of written texts for universal languages to maintain consistency in computer representation. Attackers can implement an attack using different character encodings, known as "code points" in the Unicode code space; the most commonly used character encodings are Unicode Transformation Format (UTF)-8 and UTF-16.
Host-based Intrusion Detection System (HIDS)
This IDS analyzes each system's behavior. It can be installed on any system ranging from a desktop PC to a server. It is more versatile than a NIDS. In addition to detecting unauthorized insider activity, HIDSs are also effective at detecting unauthorized file modification. It focuses on the changing aspects of local systems.
ASCII Shell Code
This contains only characters from the ASCII standard. This form of shellcode allows attackers to bypass commonly enforced character restrictions within string input code. It also helps attackers bypass IDS pattern matching signatures because the shellcode hides strings in a similar way to polymorphic shellcode. Using it is very restrictive, in that it limits what the shellcode can do under some circumstances. When executed, the shellcode above executes a "/bin/sh" shell; 'bin' and 'sh' are contained in the last few bytes of the shellcode.
Circuit-level Gateway Firewall
This firewall works at the session layer of the OSI model or the TCP layer of TCP/IP. It forwards data between networks without verifying it, and blocks incoming packets into the host but allows the traffic to pass through itself. To detect whether or not a requested session is valid, it checks the TCP handshaking between packets. Circuit proxy firewalls allow or prevent data streams; they do not filter individual packets. They are relatively inexpensive and hide the information about the private network that they protect.
Stateful Multi-layer Inspection Firewall
These firewalls combine the aspects of the other three types of firewalls (Packet Filtering, Circuit Level Gateways, and Application Level Firewall). They filter packets at the network layer of the OSI model (or the IP layer of TCP/IP) to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer.
Features
- This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on the state of the conversation.
- These firewalls provide the best of both packet filtering and application-based filtering.
- Cisco PIX firewalls are stateful.
- These firewalls track and log slots or translations.
Application-level Firewall
These gateway (proxy) firewalls can filter packets at the application layer of the OSI model (or the application layer of TCP/IP). Incoming and outgoing traffic is restricted to services supported by the proxy. They examine traffic and filter on application-specific commands such as HTTP POST and GET.
Features
- They analyze the application information to make decisions about whether to permit traffic.
- Being proxy-based, they can permit or deny traffic according to the authenticity of the user or process involved.
- A content-caching proxy optimizes performance by caching frequently accessed information rather than sending new requests to the servers for the same old data.
Medium interaction honeypot
This honeypot simulates a real OS, applications and services of a target network. These honeypots can only respond to preconfigured commands; therefore, the risk of intrusion increases. The main disadvantage of this honeypot is that the attacker can quickly discover that the system behavior is abnormal. Tools: HoneyPy, Kojoney2, and Cowrie.
Production Honeypot
These honeypots emulate the real production network of an organization. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators provide early warnings of attacks and hence reduce the risk of an intrusion. This type of honeypot can also emulate different trojans, viruses, and backdoors to attract attackers. As it is deployed internally, it also helps to find out internal flaws and attackers within an organization.
Bypass Firewall via SSH Tunneling
This involves sending unencrypted network traffic through an SSH tunnel. For example, suppose you want to transfer files over the unencrypted FTP protocol, but FTP is blocked on the target firewall. The unencrypted data can be sent over the encrypted SSH protocol using SSH tunneling. Attackers make use of this technique to bypass firewall restrictions. They connect to external SSH servers and create SSH tunnels to port 80 on the remote server, thereby bypassing firewall restrictions. Attackers make use of OpenSSH (OpenBSD Secure Shell) to encrypt and tunnel all traffic from a local machine to a remote machine to avoid detection by perimeter security controls.
Honeypots
This is a computer system on the Internet intended to attract and trap people who try unauthorized or illicit utilization of the host system to penetrate an organization's network. It has no authorized activity, does not have any production value, and any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a honeypot, it is most likely malicious activity. Honeypots help in preventing attacks, detecting attacks, and in information gathering and research. A honeypot can log port access attempts or monitor an attacker's keystrokes. Detection tool: Send-Safe Honeypot Hunter.
Hardware Firewall
This is a dedicated firewall device placed on the perimeter of the network. It is an integral part of the network setup and is also built into broadband routers or sold as a standalone product. It employs the technique of packet filtering: it reads the header of a packet to find the source and destination addresses and compares them with a set of predefined and/or user-created rules that determine whether it should forward or drop the packet. It functions on an individual system or a particular network connected using a single interface. However, it is considered a more expensive option, and difficult to implement and upgrade.
KFSensor
This is a low-interaction honeypot, used to attract and identify penetrations. It implements vulnerable system services and Trojans to attract hackers. This honeypot can be used to monitor all TCP, UDP, and ICMP ports and services. KFSensor identifies and alerts about port scanning and denial-of-service attacks.
Virtual Private Network (VPN)
This is a network that provides secure access to the private network through the Internet. VPNs are used for connecting wide area networks (WAN). A VPN allows computers on one network to connect to computers on another network. It is used for the secure transmission of sensitive information over an untrusted network, using encapsulation and encryption. It is an attempt to combine the advantages of both public and private networks. VPNs have no relation to firewall technology, but firewalls are convenient for adding VPN features as they help in providing secure remote services. All VPNs that run over the Internet employ these principles:
- Encrypt the traffic
- Add integrity protection
- Encapsulate into new packets, which are sent across the Internet to something that reverses the encapsulation
- Check the integrity
- Then finally, decrypt the traffic
Honeynet
This is a prime example of a high-interaction honeypot and is neither a product nor a software solution that a user installs. Instead, it is an architecture: an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged. Without the knowledge of the attackers, all their activities and actions, from encrypted SSH sessions to email and file uploads, are captured by inserting kernel modules on the victim systems. At the same time, the honeynet controls the attacker's activity. It does this by using a honeywall gateway, which allows inbound traffic to the victim systems but controls the outbound traffic using intrusion prevention technologies.
Honeytrap
This is a low-interaction honeypot used to observe attacks against TCP and UDP services. It runs as a daemon and starts server processes dynamically on requested ports. Attackers are tricked, and they send requests to this server process. The data received by the honeypot is concatenated into a string and stored in a database file. This string is called the attack string. Honeytrap parses attack strings for a command requesting the server to download a file from another host in the network.
Kojoney2
This is a medium-interaction honeypot. It emulates a real SSH environment. This honeypot listens on port 21 for incoming SSH connections. If a connection request is initiated, it will verify users against an internal list of fake users. Mostly, the connections are accepted by granting access to an SSH shell. It simulates many shell commands to trick attackers. Using it, attackers can download files using the wget and curl commands.
Software Firewall
This is similar to a filter. It sits between the regular application and the networking components of the OS. It is more helpful for individual home users, is suitable for mobile users who need digital security while working outside of the corporate network, and is easy to install on an individual's PC, notebook, or workgroup server. Software firewalls utilize more resources than hardware firewalls, and this reduces the speed of the system. Examples of software firewalls are produced by Norton, McAfee, and Kaspersky, among others.
Network Address Translation (NAT)
This separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic, respectively. NAT helps hide an internal network layout and forces connections to go through a choke point. It can act as a firewall filtering technique where it allows only those connections which originate on the inside network and blocks the connections which originate on the outside network. NAT systems use different schemes for translating between internal and external addresses.
ZoneAlarm & Firewall Analyzer Firewalls
ZoneAlarm - This tool prevents identity theft by guarding your data. It even erases your tracks, allowing you to surf the web in complete privacy. It locks out attackers, blocks intrusions, and makes your PC invisible online. It also filters out annoying and potentially dangerous email.
Firewall Analyzer - This tool is an agent-less log analytics and configuration management software that helps network administrators understand how bandwidth is being used in their network. Firewall Analyzer is vendor-agnostic and supports almost all open source and commercial network firewalls such as Check Point, Cisco, Juniper, Fortinet, Palo Alto, etc.
TippingPoint & AlienVault IDSs
TippingPoint IPS is in-line threat protection that defends critical data and applications without affecting performance and productivity. It contains over 8,700 security filters written to address zero-day and known vulnerabilities. TippingPoint IPS provides both inbound/outbound traffic inspection and application-level security capabilities.
AlienVault OSSIM, Open Source Security Information and Event Management (SIEM), provides a feature-rich open source SIEM complete with event collection, normalization, and correlation. OSSIM provides one unified platform with many of the essential security capabilities.
Bypass Web App Firewall (WAF) via XSS Attack
XSS attacks exploit vulnerabilities that occur while processing input parameters of the end users and the server responses in a web application. Attackers take advantage of these vulnerabilities to inject malicious HTML code into the victim website to bypass the WAF.
Using ASCII values to bypass WAF
- String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)
Using hex encoding to bypass WAF
- %3C%73%63%69%72%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
Using obfuscation to bypass WAF
- In this technique, attackers use a combination of upper and lower case letters: alert("XSS") becomes aLeRT("XSS")
Pros and Cons of NAT
Advantages
- Network address translation helps to enforce the firewall's control over outbound connections.
- It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
- It helps hide the internal network's configuration and thereby reduces the success of attacks on the network or system.
Disadvantages
- The NAT system has to guess how long it should keep a particular translation, which is impossible to guess correctly every time.
- NAT interferes with encryption and authentication systems that ensure the security of the data.
- Dynamic allocation of ports may interfere with packet filtering.
Pros and Cons of an Application Proxy
Advantages
- Proxy services can be good at logging because they understand application protocols and can log effectively.
- Proxy services reduce the load on network links, as they are capable of caching copies of frequently requested data and allowing it to be loaded directly from the proxy instead of the network.
- Proxy systems perform user-level authentication, as they are involved in the connection.
- Proxy systems automatically protect weak or faulty IP implementations, as the proxy sits between the client and the Internet and generates new IP packets for the client.
Disadvantages
- Proxy services lag behind non-proxy services until suitable proxy software is available.
- Each service in a proxy may use different servers.
- Proxy services may require changes in the client, applications, and procedures.
Main Function of IDS
An IDS gathers and analyzes information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse. An IDS is also referred to as a "packet sniffer," which intercepts packets traveling along various communication media and protocols, usually TCP/IP. The packets are analyzed after they are captured. An IDS evaluates traffic for suspected intrusions and signals an alarm after detection.
Why do you need HTTP Tunneling
- Blocking of TCP/IP ports, traffic initiated from outside the network, and network protocols except for a few commonly used protocols, etc.
- Access to surf denied websites
- Post in forums anonymously by hiding the IP address
- To use an application such as chatting through ICQ or IRC, instant messengers, games, browsers, etc.
- Sharing of confidential resources over HTTP securely
- Downloading files with filtered extensions and/or with malicious code
Bypass Firewall via External Systems
- Home machine of an employee
- Machine that does remote administration of the target network
- Machine from the company's network but located at a different place
Steps to be followed to bypass a firewall through external systems:
1. Legitimate user works with some external system to access the corporate network
2. Attacker sniffs the user traffic, steals the session ID and cookies
3. Attacker accesses the corporate network bypassing the firewall and gets the Windows ID of the running Mozilla process on the user's system
4. Attacker then issues an OpenURL() command to the found window
5. User's web browser is redirected to the attacker's web server
6. The malicious code embedded in the attacker's web page is downloaded and executed on the user's machine
IDS Evasion Techniques
- Insertion Attack
- Evasion
- Denial-of-Service Attack
- Obfuscating
- False Positive Generation
- Session Splicing
- Unicode Evasion
- Fragmentation Attack
- Overlapping Fragments
- Time-To-Live Attacks
- Invalid RST Packets
- Urgency Flag
- Polymorphic Shellcode
- ASCII Shellcode
- Application-Layer Attacks
- Desynchronization
- Encryption
- Flooding
Firewall Technologies
- Packet Filtering (L2-4)
- Circuit Level Gateways (L5)
- Application Level Firewall (L7)
- Stateful Multilayer Inspection (L3)
- Application Proxies (L7)
- Virtual Private Network (All but Layer 1)
- Network Address Translation (L3)
Techniques to bypass a Firewall
- Port Scanning - Firewalking - Banner Grabbing - IP Address Spoofing - Source Routing - Tiny Fragments - Using IP Address in Place of URL - Using Anonymous Website Surfing Sites - Using Proxy Server - ICMP Tunneling - ACK Tunneling - HTTP Tunneling - SSH Tunneling - Through External Systems - Through MITM Attack - Through Content - Through XSS Attack
Mobile Honeypot Tools
-HosTaGe -Network Guard
Types of Honeypots
-Low interaction honeypot -Medium interaction honeypot -High interaction honeypot -Production honeypot -Research honeypot
Mobile Firewalls
-Mobiwol: NoRoot Firewall -Mobile Privacy Shield -NetPatch Firewall
Bypass Firewall via Content
In this method the attacker sends content containing malicious code to a user and tricks the user into opening it, so that the code executes inside the network where the firewall no longer sees it. Commonly used file formats for carrying malicious content:
- EXE, COM, BAT, PS, PDF
- CDR (Corel Draw)
- DVB, DWG (AutoCAD)
- SMM (AMI Pro)
- DOC, DOT, CNV, ASD (MS Word)
- XLS, XLB, XLT (MS Excel)
- ADP, MDA, MDB, MDE, MDN, MDZ (MS Access)
- VSD (Visio)
- MPP, MPT (MS Project)
- PPT, PPS, POT (MS PowerPoint)
- MSG, OTM (MS Outlook)
False Positive Generation
A false positive is an alarm the IDS raises when no condition is present to warrant one. As an evasion technique, the attacker deliberately crafts packets that trigger large numbers of such alarms, so that the real attack traffic is buried in the noise and the analysts (or the alert pipeline) stop trusting the sensor.
More about Firewalls
A firewall is an access-control mechanism whose rules are derived from each organization's security policy. It can be configured to restrict incoming traffic to POP and SMTP so that only email access is enabled; certain firewalls block specific email services to guard against spam. It can be configured to check inbound traffic at a "checkpoint," where a security audit is performed. It can also act as an active "phone tap" tool for identifying an intruder's attempts to dial into modems in a secured network.
Session Splicing
Session splicing is a network-level evasion method in which the attacker splits the attack traffic across many small TCP segments so that no single segment contains enough of the attack to match an IDS signature; only an IDS that reassembles the whole stream before matching sees the attack.
De-Militarized Zone (DMZ)
A DMZ is an area that hosts a computer or a small sub-network placed as a neutral zone between a company's internal network and an untrusted external network, to prevent outsiders from reaching the company's private data. It serves as a buffer between the secure internal network and the insecure Internet, adding a layer of security to the corporate LAN and preventing direct access to other parts of the network. It is created using a firewall with three or more network interfaces, each assigned a specific role. Services that must be reachable by external users, such as mail, web, and FTP, are placed in the DMZ. The database servers those web servers talk to should not reside in the DMZ, since that would give outside users a direct path to sensitive information.
Organizational Networks IDS systems
Log File Monitoring (LFM)
- Monitors the log files created by network services. The LFM IDS searches through the logs and identifies malicious events.
- In a similar manner to a NIDS, these systems look for patterns in the log files that suggest an intrusion.
File Integrity Checking
- These mechanisms check for Trojan horses or modified files, which indicate the presence of an intruder, by comparing current file hashes and attributes against a trusted baseline.
- Tripwire is an example of a file integrity checking tool.
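As an added illustration (not code from these notes or from Tripwire), here is a miniature of both mechanisms in Python: a file-integrity checker that baselines SHA-256 hashes, permissions and sizes of a directory tree and reports added, removed and modified files, and a log-file monitor that runs signature regexes over sshd-style auth log lines and flags brute force followed by a successful login. The log lines, paths and thresholds are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# --- File integrity checking (the Tripwire idea, in miniature) ---

def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> (sha256, mode bits, size) for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), st.st_mode & 0o7777, st.st_size)
    return baseline

def compare_baseline(old, new):
    """Diff two baselines: files that appeared, vanished, or changed hash/mode/size."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo_fim():
    """Create a scratch tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        before = build_baseline(root)
        # Simulated intrusion: a trojaned binary and a dropped hidden file
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned binary\n")
        with open(os.path.join(root, ".rootkit"), "wb") as f:
            f.write(b"x")
        after = build_baseline(root)
        return compare_baseline(before, after)

# --- Log file monitoring ---

# Constructed sample lines in auth.log style; not taken from a real host.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:11 host sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50110 ssh2
Mar  3 10:01:13 host sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50112 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for root from 203.0.113.9 port 50114 ssh2
Mar  3 10:01:17 host sshd[2211]: Failed password for root from 203.0.113.9 port 50116 ssh2
Mar  3 10:01:19 host sshd[2211]: Failed password for root from 203.0.113.9 port 50118 ssh2
Mar  3 10:01:25 host sshd[2211]: Accepted password for root from 203.0.113.9 port 50120 ssh2
Mar  3 10:02:02 host sshd[2215]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")

def scan_auth_log(text, threshold=5):
    """Alert once a source reaches `threshold` failures, and again if it then logs in."""
    failures = Counter()
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            if failures[m.group(2)] == threshold:
                alerts.append(("brute_force", m.group(2)))
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            alerts.append(("success_after_failures", m.group(2), m.group(1)))
    return alerts

if __name__ == "__main__":
    print(demo_fim())
    print(scan_auth_log(SAMPLE_AUTH_LOG))
```

The baseline itself must live somewhere the intruder cannot rewrite (read-only media or a remote host), otherwise the checker only reports what the attacker lets it see.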
HTTP Tunneling Tools
Super Network Tunnel
- Two-way HTTP tunneling software that connects two computers using an HTTP-Tunnel client and an HTTP-Tunnel server.
- It works like VPN tunneling but uses the HTTP protocol to establish a connection for Internet access without monitoring, and gives an extra layer of protection against attackers, spyware, identity theft, and so on.
HTTPort and HTTHost
- Allow users to bypass an HTTP proxy that blocks Internet access to email, instant messengers, P2P file sharing, ICQ, news, FTP, IRC, and so on.
Tunna
HTTP Tunnel
Low interaction honeypot
This honeypot emulates only a limited number of services and applications of a target system or network. If the attacker does something the emulation does not expect, the honeypot simply returns an error, which is also what gives it away. These honeypots cannot be compromised completely. They capture limited amounts of information, mainly transactional data and some limited interaction. They are set up to collect high-level information about attack vectors such as network probes and worm activity.
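To make the "limited emulation, error on anything unexpected" behaviour concrete, here is an added example (not code from these notes or from any honeypot product) of a minimal low-interaction FTP honeypot: it serves a fake banner, answers only USER, PASS and QUIT, never grants a login, logs every line it receives, and returns a generic error for everything else. The banner text and listening port are invented for the example.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed fake banner; a real deployment would mimic a specific product version.
BANNER = b"220 ftp.example.internal FTP server ready\r\n"

def respond(command):
    """Reply for one received command line (bytes in, bytes out)."""
    verb, _, _arg = command.strip().partition(b" ")
    verb = verb.upper()
    if verb == b"USER":
        return b"331 Password required\r\n"
    if verb == b"PASS":
        return b"530 Login incorrect\r\n"      # never lets anyone in
    if verb == b"QUIT":
        return b"221 Goodbye\r\n"
    # Unexpected input: the emulation cannot go deeper, so it errors out.
    # That uniform error is exactly what lets attackers spot a low-interaction honeypot.
    return b"500 Unknown command\r\n"

def run_session(lines):
    """Drive the emulation over already-received lines; returns (replies, log records)."""
    replies, log = [], []
    for line in lines:
        reply = respond(line)
        log.append({"ts": datetime.now(timezone.utc).isoformat(), "in": line, "out": reply})
        replies.append(reply)
        if reply.startswith(b"221"):
            break                                 # session closed, later lines are never read
    return replies, log

def handle_client(conn, addr, sink):
    """Per-connection worker: send the banner, answer line by line, record everything."""
    with conn:
        conn.sendall(BANNER)
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                reply = respond(line)
                sink.append((addr[0], line, reply))   # transactional data only
                conn.sendall(reply)
                if reply.startswith(b"221"):
                    return

def serve(host="127.0.0.1", port=2121, sink=None):
    """Start listening in a background thread; returns the bound port."""
    sink = sink if sink is not None else []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, sink), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    records = []
    bound = serve(port=0, sink=records)       # port 0: let the OS pick a free port
    print(f"honeypot listening on {bound}")
    threading.Event().wait()
```

Run it and connect with `nc` to the printed port; every line typed lands in `records`. Because the real protocol state machine is absent, a probe such as `SITE EXEC` or `FEAT` gets the same 500 reply a real server would not give, which is the low-interaction trade-off the notes describe.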
Obfuscating
Obfuscation means making code harder to understand or read, generally for privacy or security purposes. As an IDS evasion technique, the attacker encodes the attack payload so that only the destination host decodes it, while the IDS, matching on the encoded bytes, does not. An attacker may also manipulate the path referenced in a signature to fool a HIDS. Using Unicode (or overlong UTF-8) representations of characters, an attacker can encode attack packets that the IDS does not recognize but that an IIS web server decodes. The defence is to normalize (decode) the traffic the same way the target does before applying signatures.
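The following added example (not part of the original notes) shows the defender's side of the Unicode and percent-encoding problem: a naive signature that looks for the literal string ../ misses the encoded forms, while a matcher that first normalizes the URL the way a permissive server would (repeated percent-decoding plus a UTF-8 decoder that, like the old IIS decoder, accepts overlong sequences such as %c0%af) catches them. The sample URLs are constructed, and the normalizer is a teaching model, not the actual IIS algorithm.

```python
import re

def percent_decode(s):
    """One pass of %XX decoding, returning raw bytes so UTF-8 sequences can be inspected."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)

def lenient_utf8(b):
    """Decode UTF-8 but ACCEPT overlong forms (e.g. C0 AF -> '/'), as a permissive server
    decoder might. A strict decoder rejects them. Stray bytes pass through as Latin-1."""
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if c < 0x80:
            out.append(chr(c)); i += 1; continue
        if 0xC0 <= c <= 0xDF and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F))); i += 2; continue
        if 0xE0 <= c <= 0xEF and i + 2 < len(b) and all(0x80 <= x <= 0xBF for x in b[i + 1:i + 3]):
            out.append(chr(((c & 0x0F) << 12) | ((b[i + 1] & 0x3F) << 6) | (b[i + 2] & 0x3F))); i += 3; continue
        out.append(chr(c)); i += 1
    return "".join(out)

def normalize(path, max_rounds=3):
    """Decode until nothing changes (catches double encoding like %255c), then unify slashes."""
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev = cur
        cur = lenient_utf8(percent_decode(cur))
        rounds += 1
    return cur.replace("\\", "/")

def naive_match(raw):
    return "../" in raw                    # signature applied to the bytes on the wire

def normalized_match(raw):
    return "../" in normalize(raw)         # signature applied to what the server will see

def strict_decoder_accepts(raw):
    """Would a strict UTF-8 decoder even accept this request?"""
    try:
        percent_decode(raw).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

# Constructed request paths (shape of the classic IIS traversal probes, no live target)
SAMPLES = [
    "/scripts/../../winnt/system32/cmd.exe?/c+dir",          # plain
    "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",       # overlong UTF-8 '/'
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe",         # double-encoded '\'
    "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe",         # percent-encoded dots
    "/images/logo.png",                                      # benign
]

def evaluate():
    """(url, naive verdict, normalized verdict) for each sample."""
    return [(s, naive_match(s), normalized_match(s)) for s in SAMPLES]

if __name__ == "__main__":
    for url, naive, smart in evaluate():
        print(f"{naive!s:5} {smart!s:5} {url}")
```

The normalizer deliberately mirrors a lenient target; a sensor that normalizes more strictly than the host (rejecting overlong sequences the host accepts) is back to seeing a different stream than the host, which is the root of every evasion in this chapter.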
Bypass Firewall via ICMP Tunneling
ICMP is used to send error and control messages between hosts. Because it is needed for normal network operation, users usually leave it enabled, and it is not regarded as a significant threat. Attackers take advantage of ICMP being permitted through the network and tunnel their data inside ICMP messages (typically the data portion of Echo Request/Reply packets) to reach the target network. An ICMP tunnel can give attackers full bidirectional access to the target network. Tool: Loki
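Added example (not from these notes or from Loki): a detector that parses ICMP echo requests and flags payloads that do not look like a stock ping, are oversized, are mostly printable text (commands and output riding in the echo), or push a source past a byte budget. The packets are constructed in the script with the checksum field left zero since nothing is sent; the "standard ping" patterns are the well-known iputils and Windows defaults, and the thresholds are assumptions to tune per network.

```python
import string
import struct

# iputils ping: 16-byte timestamp then the fixed pattern 0x10..0x37 (56 bytes total).
# Windows ping: the 32-byte alphabet string. Both are the well-known defaults.
LINUX_PING_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

def build_echo(ident, seq, payload):
    """Constructed ICMP echo request (type 8, code 0); checksum left 0, never sent."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

def parse_icmp(pkt):
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}

def looks_like_ping(payload):
    return payload == WINDOWS_PING or (len(payload) == 56 and payload[16:] == LINUX_PING_TAIL)

def payload_reasons(payload, max_len=64):
    """Per-packet indicators; an empty list means 'looks like an ordinary ping'."""
    reasons = []
    if looks_like_ping(payload):
        return reasons
    reasons.append("nonstandard_payload")
    if len(payload) > max_len:
        reasons.append("oversized_payload")
    text = payload.decode("ascii", errors="replace")
    printable = sum(ch in string.printable for ch in text) / max(len(text), 1)
    if printable > 0.9:
        reasons.append("printable_payload")    # shell commands/output riding in the echo
    return reasons

def analyze(packets, byte_budget=200):
    """packets: iterable of (src_ip, raw_icmp). Returns (src, id, seq, reasons) alerts."""
    alerts, per_src = [], {}
    for src, raw in packets:
        p = parse_icmp(raw)
        if p["type"] != 8:
            continue
        per_src[src] = per_src.get(src, 0) + len(p["payload"])
        reasons = payload_reasons(p["payload"])
        if per_src[src] > byte_budget:
            reasons.append("volume_exceeded")  # even well-disguised payloads add up
        if reasons:
            alerts.append((src, p["id"], p["seq"], reasons))
    return alerts

# Constructed traffic: two ordinary pings, then a Loki-style command and a bulk chunk.
SAMPLES = [
    ("198.51.100.7", build_echo(0x1234, 1, struct.pack("!QQ", 1700000000, 123456) + LINUX_PING_TAIL)),
    ("198.51.100.8", build_echo(0x0001, 1, WINDOWS_PING)),
    ("203.0.113.5", build_echo(0xBEEF, 7, b"id;uname -a;cat /etc/passwd\n")),
    ("203.0.113.5", build_echo(0xBEEF, 8, bytes(i % 251 for i in range(200)))),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLES):
        print(alert)
```

An attacker who copies the stock payload byte for byte beats the per-packet checks, which is why the per-source volume counter and, in practice, request/reply size asymmetry are the indicators worth keeping.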
Network-based Intrusion Detection System (NIDS)
These systems check every packet entering the network for anomalies and incorrect data. Whereas a firewall is limited to dropping packets that match its rules, a NIDS inspects every packet thoroughly. It audits the information in the data packets, logs information about malicious packets, and assigns a threat level to each risk after receiving the data. These mechanisms typically consist of a black box placed on the network in promiscuous mode, listening for patterns indicative of an intrusion. By monitoring network traffic it detects malicious activity such as Denial-of-Service attacks, port scans, or attempts to break into computers.
Detecting presence of Sebek-based Honeypots
Sebek-based honeypots record all data that is accessed via the read() system call. Attackers can detect such honeypots by analyzing congestion at the network layer, since Sebek's data communication is mostly unencrypted. Because Sebek logs everything accessed via read() and transfers it over the network, it causes a measurable congestion effect.
Types of IDS Alerts
- True Positive (Attack - Alert): occurs when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
- False Positive (No attack - Alert): occurs when an event triggers an alarm although no actual attack is in progress.
- False Negative (Attack - No Alert): occurs when the IDS fails to react to an actual attack event.
- True Negative (No attack - No Alert): occurs when the IDS identifies an activity as acceptable behavior and the activity is indeed acceptable.
Source Routing
Using this technique, the sender of the packet designates the route (partially or entirely) that the packet should take through the network, so that the designated route bypasses the firewall node. There are two approaches: loose source routing and strict source routing. In loose source routing, the sender specifies one or more hops the packet must pass through; in strict source routing, the sender specifies the exact route the packet must take. Most current hosts and routers drop source-routed packets by default, so the technique rarely works against modern equipment.
URG Flag
When the urgency (URG) flag is set, the urgent pointer marks data to be delivered out of band; some TCP stacks then skip the data preceding the urgent pointer and process only the data it points to. Some IDSes do not take the TCP urgency feature into account and process every byte in the stream, whereas the target system processes only the urgent data, so the two end up with different views of the payload. Attackers exploit this difference to evade the IDS, as with the other desynchronization techniques.
Application Proxy
An application proxy works as a proxy server and filters connections for specific services. A proxy service is an application or program that forwards user requests (for example, FTP or Telnet) to the actual services. It is a type of server that acts as an interface between the user workstation and the Internet. The proxy service is available to users on the internal network and to the service on the outside network (Internet), and is transparent to both. Instead of communicating directly with each other, they talk to the proxy, which handles all communication between users and Internet services. Transparency is the advantage of proxy services.
SPECTER
SPECTER is a honeypot or deception system. It simulates a complete system and provides an appealing target to lure attackers away from production systems. It offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. In reality it is a trap: it keeps attackers busy so that they leave traces, without knowing they have connected to a decoy system that does none of the things it appears to do, but instead logs everything and notifies the appropriate people. It automatically investigates attackers while they are still trying to break in. It provides large amounts of decoy content and generates decoy programs that can leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change regularly without user interaction.
Detecting Layer 4 Tar Pits
Layer 4 tar pits such as LaBrea can be identified by analyzing the TCP window size: the tar pit keeps acknowledging incoming packets even though it has reduced the TCP window size to zero, holding the connection open indefinitely without ever accepting data.
Firewalking
Firewalking is a method of collecting information about remote networks behind firewalls. It uses TTL values to determine gateway ACL filters and map networks by analyzing IP packet responses. The method helps locate a firewall; additional probing permits fingerprinting and identification of vulnerabilities. It requires three hosts:
- Firewalking host: the system outside the target network from which the probe packets are sent to the destination host to gain more information about the target network.
- Gateway host: the suspected firewall system on the target network, through which the probe packets pass on their way in.
- Destination host: the target system on the target network to which the probe packets are addressed.
Polymorphic Shellcode
A signature-based network intrusion detection system (NIDS) identifies an attack by matching attack signatures against incoming and outgoing data packets. Polymorphic shellcode defeats this by giving the same attack many byte-level forms, so that no single signature matches. The attacker encodes the payload with some technique and places a decoder in front of it; the encoded shellcode is rewritten each time it is sent, evading detection. Equivalently, attackers hide their shellcode by encrypting it with an algorithm unknown to the IDS and include the decryption routine as part of the attack packet.
Two modes application-layer firewalls can function in
Active application-level firewalls:
- They examine all incoming requests, including the actual message exchanged, against known vulnerability patterns such as SQL injection, parameter and cookie tampering, and cross-site scripting.
- Requests deemed genuine are allowed to pass through.
Passive application-level firewalls:
- They work similarly to an IDS, in that they also check all incoming requests against known vulnerability patterns, but they do not actively reject or deny those requests when a potential attack is discovered.
Pros and Cons of a Hardware Firewall
Advantages:
- Security: a hardware firewall with its own operating system is considered to reduce security risks and offers a higher level of security controls.
- Speed: hardware firewalls respond faster and handle more traffic.
- Minimal interference: since a hardware firewall is a separate network component, it is easier to manage and can be shut down, moved, or reconfigured with less interference to the network.
Disadvantages:
- More expensive than a software firewall.
- Harder to implement and configure.
- Consumes more space and involves cabling.
Pros and Cons of Virtual Private Network (VPN)
Advantages:
- A VPN hides all the traffic that flows over it, ensures encryption, and protects the data from snooping.
- It provides remote access to protocols without exposing them to attack from the Internet at large.
Disadvantages:
- As the VPN runs over a public network, the user remains exposed to attacks originating from the destination network.
Pros and Cons of a Software Firewall
Advantages:
- Less expensive than hardware firewalls.
- Ideal for personal or home use.
- Easier to configure and reconfigure.
Disadvantages:
- Consumes system resources.
- Difficult to uninstall.
- Not appropriate for environments requiring faster response times.
Detecting Layer 2 Tar Pits
An attacker can also identify the presence of Layer 2 tar pits by analyzing the ARP responses.
Detecting Honeyd Honeypot
An attacker can identify the presence of a honeyd honeypot by performing time-based TCP fingerprinting (SYN proxy behavior). The following picture depicts the difference between the response of a normal computer and the response of a honeyd honeypot to a manual SYN request sent by an attacker.
Detecting presence of Bait and Switch Honeypots:
An attacker can identify the presence of this kind of honeypot by looking at specific TCP/IP parameters such as the Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp, which change when the connection is silently switched from the real host to the decoy.
Bypass Blocked Sites via Anonymous Website Surfing Sites
Anonymous web-surfing sites help to browse the Internet anonymously and unblock blocked sites (i.e., evade firewall restrictions). Anonymizer's VPN routes all the traffic through an encrypted tunnel directly from your laptop to secure and hardened servers and network. It then masks the real IP address to ensure complete and continuous anonymity for all online activities.
Bypass Firewall via ACK Tunneling
ACK packets are sent after a session has been established, so ACK traffic is treated as legitimate. Filtering of ACK packets is also often skipped to lessen the workload of firewalls, as there can be many ACK packets for one SYN packet. This allows a backdoor application to be tunneled inside TCP packets with the ACK bit set. The ACK bit acknowledges receipt of a packet, and some (stateless) firewalls do not check packets with the ACK bit set because ACKs are supposed to occur only in response to traffic that has already been allowed through. Attackers take advantage of this in ACK tunneling; a stateful firewall, which passes only segments belonging to a connection whose handshake it has seen, is not fooled. Tools such as AckCmd (http://ntsecurity.nu) use ACK tunneling.
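An added example (not code from these notes or from AckCmd) contrasting the two firewall behaviours on the same constructed traffic: a stateless "established" rule that admits any inbound segment with ACK set, and a stateful tracker that admits only segments belonging to a connection whose SYN it has already passed. Addresses, ports and the command payloads are constructed.

```python
from collections import namedtuple

# One TCP segment as the firewall sees it; flags is a string of S/A/P/F/R letters.
Seg = namedtuple("Seg", "src sport dst dport flags payload")

INSIDE = "10.0.0."          # assumed internal prefix

def stateless_allow(seg, inside_net=INSIDE, inbound_services=(80,)):
    """Classic ACL logic: outbound anything; inbound 'established' (ACK set) anything;
    new inbound SYNs only to published services. This is what ACK tunneling abuses."""
    if seg.src.startswith(inside_net):
        return True
    if "A" in seg.flags:
        return True                               # assumed to be a reply to allowed traffic
    return "S" in seg.flags and seg.dport in inbound_services

class StatefulFirewall:
    """Connection-tracking firewall: a segment is admitted only if it opens a permitted
    connection or belongs to one already in the state table."""

    def __init__(self, inside_net=INSIDE, inbound_services=()):
        self.inside = inside_net
        self.services = set(inbound_services)
        self.table = {}                           # connection key -> state

    @staticmethod
    def _key(seg):
        # Direction-independent key so both sides of a flow map to the same entry.
        return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

    def allow(self, seg):
        k = self._key(seg)
        inbound = seg.dst.startswith(self.inside) and not seg.src.startswith(self.inside)
        if "S" in seg.flags and "A" not in seg.flags:        # pure SYN: new connection
            if inbound and seg.dport not in self.services:
                return False
            self.table[k] = "SYN_SENT"
            return True
        if k not in self.table:                              # ACK/data with no known flow
            return False
        if "S" in seg.flags and "A" in seg.flags:
            self.table[k] = "SYN_RECV"
        elif "R" in seg.flags or "F" in seg.flags:
            self.table.pop(k, None)
        else:
            self.table[k] = "ESTABLISHED"
        return True

# Constructed traffic: one legitimate outbound HTTPS flow, then AckCmd-style
# ACK-only segments carrying commands to an internal host with no handshake ever seen.
TRAFFIC = [
    Seg("10.0.0.5", 40000, "198.51.100.20", 443, "S", b""),
    Seg("198.51.100.20", 443, "10.0.0.5", 40000, "SA", b""),
    Seg("10.0.0.5", 40000, "198.51.100.20", 443, "A", b""),
    Seg("198.51.100.20", 443, "10.0.0.5", 40000, "PA", b"\x16\x03\x03"),
    Seg("203.0.113.9", 1054, "10.0.0.5", 1054, "A", b"cmd /c dir\r\n"),
    Seg("203.0.113.9", 1054, "10.0.0.5", 1054, "A", b"cmd /c whoami\r\n"),
]

def compare(traffic=TRAFFIC):
    """Verdict per segment for both firewall styles."""
    fw = StatefulFirewall(inbound_services=(80,))
    return {"stateless": [stateless_allow(s) for s in traffic],
            "stateful": [fw.allow(s) for s in traffic]}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The stateful tracker here is deliberately minimal (no sequence-number window checks, no timeouts); real conntrack implementations add both, which is what also stops replayed or forged in-window segments.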
Detecting Honeypots running on VMware:
Attackers can identify instances running on a VMware virtual machine by analyzing the MAC address. By checking the IEEE OUI registry for the ranges of MAC addresses assigned to VMware, Inc., an attacker can identify the presence of VMware-based honeypots.
Detecting Layer 7 Tar Pits
Attackers can identify the presence of Layer 7 tar pits by looking at the latency of the response from the service.
Detecting presence of User-Mode Linux (UML):
Attackers can identify the presence of a UML honeypot by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information.
Invalid RST Packets
Attackers can elude detection by sending RST packets with an invalid checksum, which causes the IDS to stop processing the stream because it believes the communication session has ended. The end host, which verifies checksums, discards the bogus RST and accepts the packets that follow it, so the attacker continues to communicate with the host while the IDS is no longer watching. An IDS avoids this by verifying the TCP checksum before honoring an RST.
Firewall Architectures
- Bastion Host
- Screened Subnet
- Multi-homed Firewall
Time-To-Live (TTL) Attack
Each IP packet has a field called Time to Live (TTL), which indicates how many hops the packet can take before a network node discards it. Typically, when a host sends a packet, it sets the TTL to a value high enough to reach the destination under normal circumstances. Different OSs use different default initial TTL values. Attackers can therefore guess the number of routers between themselves and a sending machine, make assumptions about the initial TTL, and so guess which OS a host is running, as a prelude to an attack. For IDS evasion, an attacker who knows the topology sends some packets with a TTL just large enough to reach the IDS but too small to reach the target host: the IDS includes them in its reassembled stream while the host never sees them, so the two reconstruct different data.
General Indications of Intrusion
- File system: unfamiliar files, changed permissions
- Network: probes, log data
- System: logs, system performance, unexpected processes
Bypass Firewall via HTTP Tunneling
HTTP tunneling allows attackers to perform various Internet tasks despite the restrictions imposed by firewalls. Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate, so it is possible to tunnel arbitrary traffic via TCP port 80. HTTPTunnel is a client/server application: the client is htc and the server is hts.
Types of Firewall
- Hardware
- Software
Denial of Service (DoS) Attack
IDS evasion technique. The resources targeted are CPU cycles, memory, disk space, and network bandwidth. Attackers monitor and attack the CPU capacity of the IDS, because the IDS must spend CPU time reading and inspecting every packet; once the sensor is saturated it starts dropping packets, and the real attack passes through uninspected.
IDS Evasion
IDS evasion technique. This attack occurs when the IDS discards packets that the destination host accepts. Working at the IP layer, it allows an attacker to mount arbitrary attacks against hosts on a network without the IDS ever realizing it. For example, if the attacker sends the malicious sequence byte by byte and the IDS rejects even one of those bytes, it cannot reconstruct the attack and fails to detect it.
Insertion Attack
IDS evasion technique. The attacker confuses the IDS by forcing it to read packets that the destination host will reject. This attack occurs when the NIDS is less strict in processing packets than the hosts on the internal network: the attacker inserts extra traffic, the IDS accepts it and concludes the stream is harmless, and the IDS ends up with more packets than the destination. A common way to build such packets is a bad checksum: every packet transmitted on an IP network carries a checksum that lets the receiver discard corrupted packets. IP and TCP checksums are 16-bit numbers computed over the packet contents; a host drops a packet whose checksum is wrong, but an IDS that does not verify checksums processes it.
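The invalid-RST evasion (earlier section) and the insertion attack described here both rely on the IDS accepting a segment that the end host discards because its TCP checksum is wrong. This added example (not code from these notes) builds TCP segments with a correct or deliberately corrupted pseudo-header checksum and runs them through two stream trackers: one that trusts every segment it sees, and one that discards bad-checksum segments exactly as the host does. Addresses, ports and payloads are constructed.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def internet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (used by IP, TCP, UDP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, tcp_len)

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", corrupt=False):
    """Minimal 20-byte TCP header plus payload, with a correct (or deliberately wrong) checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF            # off by one: the end host will discard this segment
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def checksum_ok(src_ip, dst_ip, segment):
    """A segment verifies iff the checksum over pseudo-header + segment folds to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def tcp_fields(segment):
    """Return (flags, payload) from a raw segment."""
    _sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    return off_flags & 0x3F, segment[data_off:]

class NaiveTracker:
    """Stream tracker that trusts every segment it sees, RST included."""
    def __init__(self):
        self.open, self.seen = True, b""

    def feed(self, src_ip, dst_ip, segment):
        flags, payload = tcp_fields(segment)
        if not self.open:
            return
        if flags & RST:
            self.open = False                 # "session ended": stops inspecting from here on
            return
        self.seen += payload

class CheckingTracker(NaiveTracker):
    """Same tracker, but it discards what the end host would discard."""
    def feed(self, src_ip, dst_ip, segment):
        if not checksum_ok(src_ip, dst_ip, segment):
            return                            # host drops it, so the sensor must ignore it too
        super().feed(src_ip, dst_ip, segment)

def demo():
    """Constructed attacker stream: real data, an inserted junk segment, a bogus RST, real data."""
    src, dst, seq = "203.0.113.9", "10.0.0.5", 1000
    stream = [
        build_tcp(src, dst, 40000, 80, seq, 1, ACK | PSH, b"GET /"),
        build_tcp(src, dst, 40000, 80, seq + 5, 1, ACK | PSH, b"XXXX", corrupt=True),  # insertion
        build_tcp(src, dst, 40000, 80, seq + 5, 1, ACK | RST, b"", corrupt=True),      # invalid RST
        build_tcp(src, dst, 40000, 80, seq + 5, 1, ACK | PSH, b"cgi-bin/evil"),
    ]
    naive, checking = NaiveTracker(), CheckingTracker()
    for s in stream:
        naive.feed(src, dst, s)
        checking.feed(src, dst, s)
    return {"naive": (naive.seen, naive.open), "checking": (checking.seen, checking.open)}

if __name__ == "__main__":
    print(demo())
```

The naive tracker ends up with a polluted, truncated stream and a closed session; the checking tracker sees the same bytes the web server sees. Snort's stream preprocessor behaves like the second one when checksum verification is left enabled, which is why disabling it for performance reopens both evasions.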
Fragmentation Attack
IP packets must respect the Maximum Transmission Unit (MTU) of each link they traverse. If a packet exceeds the MTU it is split into multiple fragments ("fragmentation"). Besides the original data, the IP header of each fragment carries a fragment ID, a fragment offset, a fragment length, and fragment flags. Because the flow of packets across a network is irregular, systems need to buffer fragments, wait for the remaining ones, and then reassemble them in order. Fragmentation becomes an attack vector when the IDS and the host differ in how they reassemble: different reassembly timeouts, or different policies for overlapping fragments, let the IDS reconstruct a different datagram than the host.
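Added example (not code from these notes) tying together the TTL attack, overlapping fragments and fragmentation-timeout evasion (and, at the TCP level, session splicing, which poses the same reassembly problem): a small reassembler whose overlap policy ("first" or "last" fragment wins) and timeout are parameters, plus a TTL filter that computes what an IDS two routers in and a host five routers in actually receive from the same fragment train. Offsets are byte offsets for readability (real IP fragment offsets count 8-byte units); the topology, timeouts and payloads are assumed.

```python
# A fragment is (offset, data, ttl, arrival_time). Times are seconds since the first packet.

def reaches(ttl, hops):
    """A packet survives `hops` routers only if its TTL is larger than that count."""
    return ttl > hops

def view_from(fragments, hops):
    """What a vantage point `hops` routers away actually receives, in arrival order."""
    return [(off, data, t) for off, data, ttl, t in fragments if reaches(ttl, hops)]

def reassemble(fragments, policy="first", timeout=None):
    """Rebuild the payload from (offset, data, time) fragments.
    policy:  'first' keeps the bytes that arrived first on overlap; 'last' lets later bytes win.
    timeout: if the gap since the previous fragment exceeds it, the partial datagram is dropped.
    Returns None when nothing survived or the result has a hole."""
    buf, last_t = {}, None
    for off, data, t in fragments:
        if timeout is not None and last_t is not None and t - last_t > timeout:
            buf = {}                          # reassembly timer expired, partial datagram gone
        last_t = t
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return None
    length = max(buf) + 1
    if any(i not in buf for i in range(length)):
        return None
    return bytes(buf[i] for i in range(length))

IDS_HOPS, HOST_HOPS = 2, 5       # assumed topology: sensor 2 routers in, target 5 routers in
SIGNATURE = b"evil.sh"           # the string the IDS is looking for

def detected(payload):
    return payload is not None and SIGNATURE in payload

def ttl_overlap_scenario():
    """Constructed train: a benign-looking fragment that only the IDS sees (low TTL),
    then the real fragment at the same offset that reaches both."""
    frags = [
        (0,  b"GET /cgi-b", 64, 0.0),
        (10, b"in/ok.html", 3,  0.1),   # TTL 3: reaches the IDS, dies before the host
        (10, b"in/evil.sh", 64, 0.2),   # same offset, seen by both
    ]
    ids_view, host_view = view_from(frags, IDS_HOPS), view_from(frags, HOST_HOPS)
    return {
        "ids_first": reassemble(ids_view, "first"),
        "ids_last": reassemble(ids_view, "last"),
        "host_first": reassemble(host_view, "first"),
        "host_last": reassemble(host_view, "last"),
    }

def timeout_scenario(ids_timeout=10.0, host_timeout=30.0):
    """Second fragment arrives after the IDS gave up but before the host did."""
    frags = [(0, b"GET /cgi-b", 64, 0.0), (10, b"in/evil.sh", 64, 20.0)]
    both = view_from(frags, HOST_HOPS)
    return {"ids": reassemble(both, "first", ids_timeout),
            "host": reassemble(both, "first", host_timeout)}

if __name__ == "__main__":
    for name, payload in ttl_overlap_scenario().items():
        print(f"{name:11} {payload!r:28} detected={detected(payload)}")
    for name, payload in timeout_scenario().items():
        print(f"{name:11} {payload!r:28} detected={detected(payload)}")
```

With the "first" policy the IDS reassembles a harmless request while the host executes the malicious one; with the "last" policy the IDS agrees with the host. Since OS stacks differ in which policy they apply, a sensor has to reassemble per target (Snort's target-based frag3/stream configuration exists for exactly this), and its reassembly timeout must be at least as long as the host's.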
Firewall Pen Testing
Identifying the firewall:
- Perform port scanning to find open ports that uniquely identify the firewall
- Perform banner grabbing to detect the services run by the firewall
- Perform firewalking to determine the firewall's access control rules from the responses to probe packets sent with varying TTLs
Performing various attacks:
- Perform IP address spoofing to gain unauthorized access to a computer or a network
- Perform source routing to designate the packet route so as to bypass the firewall
- Perform a tiny fragment attack to force the TCP header information into the next fragment to bypass the firewall
- Type the IP address directly in the browser's address bar in place of the blocked website's domain name to evade the firewall restriction
- Use proxy servers that hide the actual IP address and present another, thereby allowing access to the blocked website
- Perform ICMP tunneling to tunnel a backdoor application in the data portion of ICMP Echo packets
- Perform ACK tunneling using tools such as AckCmd to tunnel a backdoor application in TCP packets with the ACK bit set
- Perform HTTP tunneling using tools such as Super Network Tunnel, HTTPort, HTTHost, Tunna, etc. to tunnel the traffic across TCP port 80
- Perform SSH tunneling using tools such as Bitvise to encrypt and tunnel all the traffic from a local machine to a remote machine
- Gain access to the corporate network by sniffing the user's traffic and stealing the session ID and cookies
- Perform a MITM attack to take over the corporate DNS server or to spoof DNS replies to it
- Perform XSS attacks to identify weaknesses in the Web Application Firewall's filtering
Detecting presence of Snort_inline
If an outgoing packet is dropped by snort_inline, that looks like a black hole to the attacker; and when snort_inline modifies an outgoing packet, the attacker can capture the modified packet on another host and identify the modification.
IDS Tools
- Snort
- TippingPoint
- AlienVault OSSIM
How IDS works
IDSs have sensors that detect malicious signatures in data packets, and some advanced IDSs add behavioral activity detection to determine malicious traffic behavior. Even if the packet signatures do not match the IDS signature database exactly, the activity detection system can alert administrators to possible attacks. If a signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or raising an alarm to notify the administrator. When a signature matches, anomaly detection is skipped; otherwise, the sensor may analyze traffic patterns for anomalies. When the packet passes all tests, the IDS forwards it into the network.
IDS/Firewall Evasion Tools
- Traffic IQ Professional
- Hotspot Shield
- FTester
- Snare Agent for Windows
- Tomahawk
- Atelier Web Firewall Tester
- Freenet
- Your Freedom
- Proxifier
- VPN One Click
- Iodine
Mobile IDSs
- zIPS
- Wifi Inspector
- Wifi Intruder Detector Pro
Packet Fragment Generators
- Colasoft Packet Builder
- NetScanTools Pro
- Ostinato
- WAN Killer
- WireEdit
- hping3
- Multi-Generator (MGEN)
Honeypot Tools
-KFSensor -Specter -HoneyBOT