Your SlideShare is downloading. ×
0
Harden Security Devices Against Increasingly
Sophisticated Evasions
BreakingPoint Webcast Wednesday
December 16, 2009
www.breakingpointlabs.com
Introductions/Agenda
• BreakingPoint speakers:
– Dennis Cox, CTO
– Todd Manning, Protocol & Secu...
www.breakingpointlabs.com
Evasion Technique Introduction
• What Is An Evasion?
– Legitimate Permutation of Data
• Data rem...
www.breakingpointlabs.com
Where are Evasions Used?
• Everywhere!
– Layer 3: IP
– Layer 4: TCP
– Layer 5: DCERPC, SunRPC, S...
www.breakingpointlabs.com
Layer 3: IP Evasions
• FragEvasion
– IP Fragmentation
– Four IP fragmentation methods available:...
www.breakingpointlabs.com
Layer 4: TCP Evasions
• SegmentOrder
– Change the order in which segments are sent
– Three behav...
www.breakingpointlabs.com
Layer 5: SIP Evasions
• CompactHeaders
– Use compact header names instead of full-length header ...
www.breakingpointlabs.com
Layer 7: Common Evasions
• PadCommandWhiteSpace
– SMTP, POP3, FTP, Commands (Windows, UNIX)
– In...
www.breakingpointlabs.com
Layer 7: HTTP Evasions
• Too many to list them all here…
• DirectorySelfReference
– Convert all ...
www.breakingpointlabs.com
Content Evasions
• HTML Evasions: HTMLUnicodeEncoding
• Encodes HTML in the selected flavor of U...
www.breakingpointlabs.com
The Latest Evasion Techniques
• Latest and greatest
• 2010 Forecast?
11
www.breakingpointlabs.com
Do Evasions Cause Damage?
12
www.breakingpointlabs.com
How To Validate You Are Protected
• Forward Thinking
• Test, Test, Test
• Be Realistic
• Be Rand...
Properly Testing Using Evasions
www.breakingpointlabs.com
Enabling Evasions for BreakingPoint
• BreakingPoint Methods
– Attack Manager:
• Attack Group Opt...
www.breakingpointlabs.com
The Five Keys BreakingPoint Provides
1. 80+ evasion techniques
2. Dedicated security team
3. New...
www.breakingpointlabs.com
Q&A
Thank You!
17
Upcoming SlideShare
Loading in...5
×

Harden Security Devices Against Increasingly Sophisticated Evasions

1,067

Published on

separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer.

Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions?

Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,067
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
20
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • SneakAckHandshake
    Establish sessions with the SneakAck Handshake for all connections
  • Transcript of "Harden Security Devices Against Increasingly Sophisticated Evasions"

    1. 1. Harden Security Devices Against Increasingly Sophisticated Evasions BreakingPoint Webcast Wednesday December 16, 2009
    2. 2. www.breakingpointlabs.com Introductions/Agenda • BreakingPoint speakers: – Dennis Cox, CTO – Todd Manning, Protocol & Security Researcher – Dustin D. Trammell, Protocol & Security Researcher • Quick Glance Agenda: – Evasions Overview – Evasions in Layer 3, 4, 5, 7 and more – Latest evasion techniques – How to validate you are protected – BreakingPoint Five Keys 2
    3. 3. www.breakingpointlabs.com Evasion Technique Introduction • What Is An Evasion? – Legitimate Permutation of Data • Data remains valid • Data looks different – Attempt at bypassing detection or filters • Data representation not recognized or understood by the monitoring entity • Cause the monitor to revert to a less scrutinizing state • Transport of data in a state that is not observable by the monitor 3
    4. 4. www.breakingpointlabs.com Where are Evasions Used? • Everywhere! – Layer 3: IP – Layer 4: TCP – Layer 5: DCERPC, SunRPC, SIP – Layer 7: HTTP, SMTP, POP3, FTP – Content: HTML, OLE, Command-lines (Windows & UNIX), Exploit Shellcode 4
    5. 5. www.breakingpointlabs.com Layer 3: IP Evasions • FragEvasion – IP Fragmentation – Four IP fragmentation methods available: • Overlapping end fragments, favoring either old or new data • Overlapping all fragments, favoring either old or new data • FragOrder – Change the order in which fragments are sent – Three behavior options: • Normal order • Reverse order • Randomize order 5
    6. 6. www.breakingpointlabs.com Layer 4: TCP Evasions • SegmentOrder – Change the order in which segments are sent – Three behavior options: • Normal order • Reverse order • Randomize order • SkipHandShake – Skip the three-way handshake for all connections 6
    7. 7. www.breakingpointlabs.com Layer 5: SIP Evasions • CompactHeaders – Use compact header names instead of full-length header names – Example: “From: <user>” -> “f: <user>” • PadHeadersLineBreak – Pad headers with line breaks – Example: ‘Authorization: Digest username=“user”, realm=“home”’ -> ‘Authorization: Digest rnusername=“user”, rnrealm=“home”’ • PadHeadersWhitespace – Pad headers with whitespace elements – Example: “From: <user>” -> “From:tt<user> “ • RandomizeCase – Randomize the case of data which is case insensitive – Example: “From: <user>” -> “fROm: <UsEr>” 7
    8. 8. www.breakingpointlabs.com Layer 7: Common Evasions • PadCommandWhiteSpace – SMTP, POP3, FTP, Commands (Windows, UNIX) – Inserts arbitrary whitespace between commands and their arguments – Examples: • SMTP: “HELO example.com” -> “HELOtt t example.com” • FTP: “USER username” -> “USER t tt username” • Commands: “rm -rf /” -> “rmt t –rft tt/” • PadPathSlashes – Commands (Windows, UNIX) – Uses slashes to pad command path names – Examples: • Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd” 8
    9. 9. www.breakingpointlabs.com Layer 7: HTTP Evasions • Too many to list them all here… • DirectorySelfReference – Convert all directories to self-referenced relative directories – Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt” • EncodeHexRandom – Encode random parts of the URI in hex – Example: “GET /index.html” -> “GET /ind%65x.%68tml” • ServerChunkedTransfer – Use “chunked” transfer-encoding to split up the server response • ServerCompression – Use gzip to encode the server response • EncodeUnicodeRandom – Encode random parts of the URI in wide Unicode (UTF-16) 9
    10. 10. www.breakingpointlabs.com Content Evasions • HTML Evasions: HTMLUnicodeEncoding • Encodes HTML in the selected flavor of Unicode: – UTF_7: 7-bit – UTF_8: 8-bit – UTF_16BE: 16-bit big-endian – UTF_16LE: 16-bit little-endian – UTF_32BE: 32-bit big-endian – UTF_32LE: 32-bit little-endian • Shellcode Evasions: RandomNops • Uses random nop-equivalent sequences instead of actual No-Op instructions • Example (ia32): – “x90x90x90x90x90x90x90x90” – becomes – “x16x2fx5dx55x91x06x44x0e” 10
    11. 11. www.breakingpointlabs.com The Latest Evasion Techniques • Latest and greatest • 2010 Forecast? 11
    12. 12. www.breakingpointlabs.com Do Evasions Cause Damage? 12
    13. 13. www.breakingpointlabs.com How To Validate You Are Protected • Forward Thinking • Test, Test, Test • Be Realistic • Be Random • Be Consistent 13
    14. 14. Properly Testing Using Evasions
    15. 15. www.breakingpointlabs.com Enabling Evasions for BreakingPoint • BreakingPoint Methods – Attack Manager: • Attack Group Options - Affects only the attack group selected – Security Test Component: • Parameters Tab, Attack Profile setting - Affects the entire test • Overrides Tab - Affects the entire test • Order of precedence – Overrides – Group Options – Attack Profile 15
    16. 16. www.breakingpointlabs.com The Five Keys BreakingPoint Provides 1. 80+ evasion techniques 2. Dedicated security team 3. New evasion techniques 4. Apply across 4,300+ attacks 5. Multi-layered evasions 16
    17. 17. www.breakingpointlabs.com Q&A Thank You! 17
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×