Harden Security Devices Against Increasingly Sophisticated Evasions

Harden Security Devices Against Increasingly Sophisticated Evasions
BreakingPoint Webcast Wednesday
December 16, 2009

Introductions/Agenda
BreakingPoint speakers:
Dennis Cox, CTO
Todd Manning, Protocol & Security Researcher
Dustin D. Trammell, Protocol & Security Researcher
Quick Glance Agenda:
Evasions Overview
Evasions in Layer 3, 4, 5, 7 and more
Latest evasion techniques
How to validate you are protected
BreakingPoint Five Keys
2

Evasion Technique Introduction
What Is An Evasion?
Legitimate Permutation of Data
Data remains valid
Data looks different
Attempt at bypassing detection or filters
Data representation not recognized or understood by the monitoring entity
Cause the monitor to revert to a less scrutinizing state
Transport of data in a state that is not observable by the monitor
3

Where are Evasions Used?
Everywhere!
Layer 3: IP
Layer 4: TCP
Layer 5: DCERPC, SunRPC, SIP
Layer 7: HTTP, SMTP, POP3, FTP
Content: HTML, OLE, Command-lines (Windows & UNIX), Exploit Shellcode
4

Layer 3: IP Evasions
FragEvasion
IP Fragmentation
Four IP fragmentation methods available:
Overlapping end fragments, favoring either old or new data
Overlapping all fragments, favoring either old or new data
FragOrder
Change the order in which fragments are sent
Three behavior options:
Normal order
Reverse order
Randomize order
5

Layer 4: TCP Evasions
SegmentOrder
Change the order in which segments are sent
Three behavior options:
Normal order
Reverse order
Randomize order
SkipHandShake
Skip the three-way handshake for all connections
6

Layer 5: SIP Evasions
CompactHeaders
Use compact header names instead of full-length header names
Example: “From: <user>” -> “f: <user>”
PadHeadersLineBreak
Pad headers with line breaks
Example: ‘Authorization: Digest username=“user”, realm=“home”’ -> ‘Authorization: Digest username=“user”, realm=“home”’
PadHeadersWhitespace
Pad headers with whitespace elements
Example: “From: <user>” -> “From: <user> “
RandomizeCase
Randomize the case of data which is case insensitive
Example: “From: <user>” -> “fROm: <UsEr>”
7

Layer 7: Common Evasions
PadCommandWhiteSpace
SMTP, POP3, FTP, Commands (Windows, UNIX)
Inserts arbitrary whitespace between commands and their arguments
Examples:
SMTP: “HELO example.com” -> “HELO example.com”
FTP: “USER username” -> “USER username”
Commands: “rm -rf /” -> “rm –rf /”
PadPathSlashes
Commands (Windows, UNIX)
Uses slashes to pad command path names
Examples:
Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd”
8

Layer 7: HTTP Evasions
Too many to list them all here…
DirectorySelfReference
Convert all directories to self-referenced relative directories
Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt”
EncodeHexRandom
Encode random parts of the URI in hex
Example: “GET /index.html” -> “GET /ind%65x.%68tml”
ServerChunkedTransfer
Use “chunked” transfer-encoding to split up the server response
ServerCompression
Use gzip to encode the server response
EncodeUnicodeRandom
Encode random parts of the URI in wide Unicode (UTF-16)
9

Content Evasions
HTML Evasions: HTMLUnicodeEncoding
Encodes HTML in the selected flavor of Unicode:
UTF_7: 7-bit
UTF_8: 8-bit
UTF_16BE: 16-bit big-endian
UTF_16LE: 16-bit little-endian
UTF_32BE: 32-bit big-endian
UTF_32LE: 32-bit little-endian
Shellcode Evasions: RandomNops
Uses random nop-equivalent sequences instead of actual No-Op instructions
Example (ia32):
“x90x90x90x90x90x90x90x90”
becomes
“x16x2fx5dx55x91x06x44x0e”
10

The Latest Evasion Techniques
Latest and greatest
2010 Forecast?
11

Do Evasions Cause Damage?
12

How To Validate You Are Protected
Forward Thinking
Test, Test, Test
Be Realistic
Be Random
Be Consistent
13

Properly Testing Using Evasions

Enabling Evasions for BreakingPoint
BreakingPoint Methods
Attack Manager:
Attack Group Options - Affects only the attack group selected
Security Test Component:
Parameters Tab, Attack Profile setting - Affects the entire test
Overrides Tab - Affects the entire test
Order of precedence
Overrides
Group Options
Attack Profile
15

The Five Keys BreakingPoint Provides
80+ evasion techniques
Dedicated security team
New evasion techniques
Apply across 4,300+ attacks
Multi-layered evasions
16

Q&A
Thank You!
17

Harden Security Devices Against Increasingly Sophisticated Evasions

by BreakingPoint Systems on Dec 18, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 54

Statistics

Harden Security Devices Against Increasingly Sophisticated Evasions — Presentation Transcript

http://www.breakingpointsystems.com	52
http://www.slideshare.net	2