Harden Security Devices Against Increasingly Sophisticated Evasions


separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer.

Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions?

Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.

  • SneakAckHandshake
    Establish sessions with the SneakAck Handshake for all connections

Presentation Transcript

  • Harden Security Devices Against Increasingly Sophisticated Evasions
    BreakingPoint Webcast Wednesday
    December 16, 2009
  • Introductions/Agenda
    BreakingPoint speakers:
    Dennis Cox, CTO
    Todd Manning, Protocol & Security Researcher
    Dustin D. Trammell, Protocol & Security Researcher
    Quick Glance Agenda:
    Evasions Overview
    Evasions in Layer 3, 4, 5, 7 and more
    Latest evasion techniques
    How to validate you are protected
    BreakingPoint Five Keys
    2
  • Evasion Technique Introduction
    What Is An Evasion?
    Legitimate Permutation of Data
    Data remains valid
    Data looks different
    Attempt at bypassing detection or filters
    Data representation not recognized or understood by the monitoring entity
    Cause the monitor to revert to a less scrutinizing state
    Transport of data in a state that is not observable by the monitor
    3
  • Where are Evasions Used?
    Everywhere!
    Layer 3: IP
    Layer 4: TCP
    Layer 5: DCERPC, SunRPC, SIP
    Layer 7: HTTP, SMTP, POP3, FTP
    Content: HTML, OLE, Command-lines (Windows & UNIX), Exploit Shellcode
    4
  • Layer 3: IP Evasions
    FragEvasion
    IP Fragmentation
    Four IP fragmentation methods available:
    Overlapping end fragments, favoring either old or new data
    Overlapping all fragments, favoring either old or new data
    FragOrder
    Change the order in which fragments are sent
    Three behavior options:
    Normal order
    Reverse order
    Randomize order
    5
  • Layer 4: TCP Evasions
    SegmentOrder
    Change the order in which segments are sent
    Three behavior options:
    Normal order
    Reverse order
    Randomize order
    SkipHandShake
    Skip the three-way handshake for all connections
    6
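As an added example (not from the BreakingPoint deck), the following Python reassembles a constructed fragment set under the two overlap policies named on the Layer 3 slide, and applies the normal/reverse/random ordering from the FragOrder and SegmentOrder items to show that arrival order changes which bytes a "favor old" policy keeps. The (byte offset, payload) fragment model and the policy names are assumptions of this example; a monitor that does not know the end host's policy should flag such sets as ambiguous rather than inspect only one reconstruction.

```python
import random

# Added example, not from the BreakingPoint deck. Fragments are modelled as
# (byte_offset, payload) pairs in arrival order; real IP fragments carry
# 8-byte-unit offsets and headers, which are omitted here to keep the
# overlap-policy logic visible.

FAVOR_OLD = "favor_old"  # the first byte seen at a position wins
FAVOR_NEW = "favor_new"  # a later fragment overwrites earlier data


def reassemble(fragments, policy=FAVOR_NEW):
    """Reassemble fragments under the given overlap policy.

    Raises ValueError if the fragment set leaves a hole, which a monitor
    should treat as 'not yet inspectable' rather than as clean data.
    """
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == FAVOR_NEW or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    if len(buf) != max(buf) + 1:
        raise ValueError("hole in fragment set; reassembly incomplete")
    return bytes(buf[pos] for pos in range(len(buf)))


def reorder(fragments, mode="normal", seed=None):
    """FragOrder / SegmentOrder style reordering of the send order."""
    frags = list(fragments)
    if mode == "reverse":
        frags.reverse()
    elif mode == "random":
        random.Random(seed).shuffle(frags)  # seeded so a test run is repeatable
    elif mode != "normal":
        raise ValueError(f"unknown order mode: {mode}")
    return frags


def reassembly_is_ambiguous(fragments):
    """True when the two policies disagree: without knowing the end host's
    policy the monitor cannot know which bytes were delivered, so the set
    deserves an alert or a both-ways inspection instead of a single pass."""
    return reassemble(fragments, FAVOR_OLD) != reassemble(fragments, FAVOR_NEW)


# Constructed sample: the second fragment overlaps bytes 10..12 of the first.
FRAGS = [(0, b"GET /file_one.txt"), (10, b"two")]

if __name__ == "__main__":
    for mode in ("normal", "reverse"):
        frags = reorder(FRAGS, mode)
        print(mode, FAVOR_OLD, reassemble(frags, FAVOR_OLD))
        print(mode, FAVOR_NEW, reassemble(frags, FAVOR_NEW))
    print("ambiguous:", reassembly_is_ambiguous(FRAGS))
```

Reversing the send order swaps the outcome of the two policies, which is why reordering alone (an otherwise harmless permutation) is listed as an evasion: a monitor that fixes one policy and ignores arrival order inspects a different stream than the host received.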
  • Layer 5: SIP Evasions
    CompactHeaders
    Use compact header names instead of full-length header names
    Example: “From: <user>” -> “f: <user>”
    PadHeadersLineBreak
    Pad headers with line breaks
    Example: ‘Authorization: Digest username=“user”, realm=“home”’ -> ‘Authorization: Digest username=“user”,\r\n realm=“home”’ (the header is folded onto a continuation line)
    PadHeadersWhitespace
    Pad headers with whitespace elements
    Example: “From: <user>” -> “From: <user> “
    RandomizeCase
    Randomize the case of data which is case insensitive
    Example: “From: <user>” -> “fROm: <UsEr>”
    7
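The four SIP items above are all legitimate syntax under RFC 3261, so a monitor has to canonicalise headers rather than reject them. As an added example (not from the BreakingPoint deck), this Python undoes compact names, line folding, whitespace padding and case variation before any rule is matched, and separately reports which of those forms were present. The compact-name table is the RFC 3261 section 20 set; the indicator names, the sample INVITE and the canonical-spelling choices are this example's own.

```python
import re

# Added example, not from the BreakingPoint deck: canonicalise SIP headers so
# that compact names, folded lines, padding and case games all collapse to one
# form before any rule is matched.

COMPACT_TO_FULL = {  # RFC 3261 section 20 compact forms
    "i": "Call-ID", "m": "Contact", "e": "Content-Encoding",
    "l": "Content-Length", "c": "Content-Type", "f": "From",
    "s": "Subject", "k": "Supported", "t": "To", "v": "Via",
}
FULL_BY_LOWER = {full.lower(): full for full in COMPACT_TO_FULL.values()}
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)[ \t]*:(.*)$")
FOLD = re.compile(r"\r?\n[ \t]+")  # a line break followed by SP/HTAB continues the header


def canonical_name(name):
    """Map compact and oddly-cased names to one spelling per header."""
    key = name.lower()
    if key in COMPACT_TO_FULL:
        return COMPACT_TO_FULL[key]
    if key in FULL_BY_LOWER:
        return FULL_BY_LOWER[key]
    return "-".join(part.capitalize() for part in key.split("-"))


def _head(raw):
    """Header section only: stop at the first blank line so the body is never parsed as headers."""
    return re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]


def normalize_sip_headers(raw):
    """Return [(canonical_name, value)] with folding undone and whitespace collapsed."""
    headers = []
    for line in FOLD.sub(" ", _head(raw)).split("\n"):
        m = HEADER_LINE.match(line.rstrip("\r"))
        if not m:
            continue  # request/status line or malformed line
        name, value = m.groups()
        headers.append((canonical_name(name), re.sub(r"\s+", " ", value).strip()))
    return headers


def evasion_indicators(raw):
    """Which of the slide's four permutations appear; every one is valid SIP,
    so these are hints for scoring, not reasons to drop the message."""
    head = _head(raw)
    flags = set()
    if FOLD.search(head):
        flags.add("folded_header")
    unfolded = FOLD.sub(" ", head)
    if re.search(r"[ \t]{2,}|[ \t]+(\r?\n|$)", unfolded):
        flags.add("whitespace_padding")
    for line in unfolded.split("\n"):
        m = HEADER_LINE.match(line.rstrip("\r"))
        if not m:
            continue
        name = m.group(1)
        if name.lower() in COMPACT_TO_FULL:
            flags.add("compact_header")
        elif name != canonical_name(name):
            flags.add("noncanonical_case")
    return flags


# Constructed sample INVITE using all four permutations at once.
SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "v: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK776\r\n"
    "fROm:   <sip:alice@example.com>   \r\n"
    "Authorization: Digest username=\"alice\",\r\n"
    "   realm=\"example.com\"\r\n"
    "l: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, value in normalize_sip_headers(SAMPLE):
        print(f"{name}: {value}")
    print(sorted(evasion_indicators(SAMPLE)))
```

Rules should be written against the normalised pairs, never against raw bytes; a rule keyed on the literal text `From:` misses both `f:` and `fROm:` while the endpoint accepts all three.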
  • Layer 7: Common Evasions
    PadCommandWhiteSpace
    SMTP, POP3, FTP, Commands (Windows, UNIX)
    Inserts arbitrary whitespace between commands and their arguments
    Examples:
    SMTP: “HELO example.com” -> “HELO    example.com”
    FTP: “USER username” -> “USER    username”
    Commands: “rm -rf /” -> “rm    -rf /”
    PadPathSlashes
    Commands (Windows, UNIX)
    Uses slashes to pad command path names
    Examples:
    Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd”
    8
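As an added example (not from the BreakingPoint deck), the following Python shows the normalisation a monitor applies to protocol commands and UNIX command lines before matching, so that the whitespace and slash padding listed above collapses to a single form. The sample lines mirror the slide's examples; the function names and the equality-based rule match are this example's own assumptions.

```python
import re

# Added example, not from the BreakingPoint deck: normalise command lines
# (protocol verbs and UNIX shell commands) before matching them against rules,
# so that padding with whitespace or redundant slashes does not change the result.


def collapse_slashes(token):
    """'/////bin///cat' -> '/bin/cat'. Only UNIX-style paths are handled here."""
    return re.sub(r"/{2,}", "/", token)


def normalize_shell_command(line):
    """Collapse every whitespace run (spaces, tabs) to one space and clean path tokens."""
    tokens = line.split()  # str.split() with no argument splits on any whitespace run
    return " ".join(collapse_slashes(t) if "/" in t else t for t in tokens)


def normalize_protocol_command(line):
    """SMTP/FTP/POP3 style 'VERB args': the verb is case-insensitive in those
    protocols, so upper-case it and collapse the whitespace around arguments."""
    tokens = line.split()
    if not tokens:
        return ""
    return " ".join([tokens[0].upper()] + tokens[1:])


def matches_rule(line, rule, normalizer):
    """Compare observed line and rule in normalised form; the rule is normalised
    too, so a rule written with stray spaces still matches."""
    return normalizer(line) == normalizer(rule)


# Constructed samples mirroring the slide's examples.
SAMPLES = {
    "smtp": "HELO \t   example.com",
    "ftp": "user    username",
    "shell": "/////bin///cat    /etc////passwd",
}

if __name__ == "__main__":
    print(normalize_protocol_command(SAMPLES["smtp"]))
    print(normalize_protocol_command(SAMPLES["ftp"]))
    print(normalize_shell_command(SAMPLES["shell"]))
```

Whitespace and slashes are only the two forms the slide names; a real shell also accepts quoting, variable expansion and alternative separators, so the normaliser has to follow what the target interpreter accepts, not what looks tidy.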
  • Layer 7: HTTP Evasions
    Too many to list them all here…
    DirectorySelfReference
    Convert all directories to self-referenced relative directories
    Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt”
    EncodeHexRandom
    Encode random parts of the URI in hex
    Example: “GET /index.html” -> “GET /ind%65x.%68tml”
    ServerChunkedTransfer
    Use “chunked” transfer-encoding to split up the server response
    ServerCompression
    Use gzip to encode the server response
    EncodeUnicodeRandom
    Encode random parts of the URI in wide Unicode (UTF-16)
    9
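As an added example (not from the BreakingPoint deck), this Python undoes the request-side URI permutations (self-referencing directories, hex encoding) and the response-side encodings (chunked transfer, gzip) from the HTTP slide, so that the monitor inspects the bytes the endpoint actually acts on. The single-pass percent decoding, the sample body and the helper that builds the chunked sample are this example's own choices.

```python
import gzip
import re
from urllib.parse import unquote

# Added example, not from the BreakingPoint deck: undo the URI tricks and the
# response encodings listed on the HTTP slide before applying content rules.


def normalize_uri_path(path):
    """Percent-decode once, drop '/./' self references, collapse slash runs.
    A single decode pass is deliberate: the monitor must mirror what the
    server does, not decode 'as much as possible'."""
    decoded = unquote(path)
    decoded = re.sub(r"/(\./)+", "/", decoded)
    return re.sub(r"/{2,}", "/", decoded)


def decode_chunked(body):
    """Join a chunked transfer-encoded body back into the original bytes."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size_field = body[pos:line_end].split(b";")[0].strip()  # ignore chunk extensions
        size = int(size_field.decode("ascii"), 16)
        pos = line_end + 2
        if size == 0:
            break  # last chunk; optional trailers follow and are not body data
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    return bytes(out)


def recover_response_body(headers, body):
    """Undo Transfer-Encoding first, then Content-Encoding: the order a client uses."""
    lower = {k.lower(): v.lower() for k, v in headers.items()}
    if lower.get("transfer-encoding") == "chunked":
        body = decode_chunked(body)
    if lower.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    return body


def encode_chunked(data, chunk_size):
    """Used only to build the constructed sample response below."""
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(chunk), chunk)
    out += b"0\r\n\r\n"
    return bytes(out)


# Constructed sample: a small HTML body, gzip-compressed, then sent in 7-byte chunks.
PLAIN_BODY = b"<html><body><p>constructed sample</p></body></html>"
SAMPLE_HEADERS = {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip"}
SAMPLE_BODY = encode_chunked(gzip.compress(PLAIN_BODY), 7)

if __name__ == "__main__":
    print(normalize_uri_path("/./path/./to/./myfile.txt"))
    print(normalize_uri_path("/ind%65x.%68tml"))
    print(recover_response_body(SAMPLE_HEADERS, SAMPLE_BODY))
```

A rule that looks for a literal string in the wire bytes of a chunked, gzip-compressed response sees neither the string nor anything resembling it; the monitor must reassemble and decompress (with a size limit, since decompression is where latency and memory go) before matching.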
  • Content Evasions
    HTML Evasions: HTMLUnicodeEncoding
    Encodes HTML in the selected flavor of Unicode:
    UTF_7: 7-bit
    UTF_8: 8-bit
    UTF_16BE: 16-bit big-endian
    UTF_16LE: 16-bit little-endian
    UTF_32BE: 32-bit big-endian
    UTF_32LE: 32-bit little-endian
    Shellcode Evasions: RandomNops
    Uses random nop-equivalent sequences instead of actual No-Op instructions
    Example (ia32):
    “\x90\x90\x90\x90\x90\x90\x90\x90”
    becomes
    “\x16\x2f\x5d\x55\x91\x06\x44\x0e”
    10
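As an added example (not from the BreakingPoint deck), the following Python sniffs which of the six Unicode flavours on the HTML slide a document arrived in and decodes it to one canonical text before a content check runs, so the same rule sees the same `<script` tag in every encoding. The BOM table is the standard one; the NUL-byte and UTF-7 heuristics, the sample markup and the hand-written UTF-7 sample bytes are this example's own and deliberately simple.

```python
import codecs

# Added example, not from the BreakingPoint deck: detect the Unicode flavour of
# an HTML document and decode it once, so content rules match decoded text
# rather than one of six byte patterns.

BOM_TABLE = [  # longest BOMs first so UTF-32-LE is not mistaken for UTF-16-LE
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8"),
]


def sniff_encoding(data):
    """BOM first; otherwise infer width and endianness from NUL placement in
    the first ASCII character; '+ADw-' (UTF-7 for '<') marks UTF-7."""
    for bom, name in BOM_TABLE:
        if data.startswith(bom):
            return name
    head = data[:4]
    if len(head) == 4:
        nul = [b == 0 for b in head]
        if nul == [True, True, True, False]:
            return "utf-32-be"
        if nul == [False, True, True, True]:
            return "utf-32-le"
        if nul[0] and not nul[1]:
            return "utf-16-be"
        if not nul[0] and nul[1]:
            return "utf-16-le"
    if b"\x00" not in data and b"+ADw-" in data:
        return "utf-7"
    return "utf-8"


def decode_html(data):
    text = data.decode(sniff_encoding(data))
    return text.lstrip("\ufeff")  # a BOM survives decoding as U+FEFF; drop it


def contains_tag(data, tag="script"):
    """Content check that sees through the encoding instead of matching raw bytes."""
    return f"<{tag}" in decode_html(data).lower()


def decode_all(flavours):
    return {name: decode_html(data) for name, data in flavours.items()}


SAMPLE = "<script>document.title</script>"

# Constructed encodings of SAMPLE. The UTF-7 bytes are written by hand so the
# example does not depend on which optional characters Python's encoder shifts.
SAMPLE_FLAVOURS = {
    "utf-7": b"+ADw-script+AD4-document.title+ADw-/script+AD4-",
    "utf-8": SAMPLE.encode("utf-8"),
    "utf-8-bom": codecs.BOM_UTF8 + SAMPLE.encode("utf-8"),
}
for _name, _bom in [("utf-16-le", codecs.BOM_UTF16_LE), ("utf-16-be", codecs.BOM_UTF16_BE),
                    ("utf-32-le", codecs.BOM_UTF32_LE), ("utf-32-be", codecs.BOM_UTF32_BE)]:
    SAMPLE_FLAVOURS[_name] = SAMPLE.encode(_name)
    SAMPLE_FLAVOURS[_name + "-bom"] = _bom + SAMPLE.encode(_name)

if __name__ == "__main__":
    for name, data in SAMPLE_FLAVOURS.items():
        print(f"{name:12} sniffed={sniff_encoding(data):9} script_tag={contains_tag(data)}")
```

In production the sniffer should also honour the HTTP `Content-Type` charset and the document's `<meta charset>`, and it should decode the way the client browser would; a mismatch between the monitor's guess and the browser's is itself an evasion opportunity.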
  • The Latest Evasion Techniques
    Latest and greatest
    2010 Forecast?
    11
  • Do Evasions Cause Damage?
    12
  • How To Validate You Are Protected
    Forward Thinking
    Test, Test, Test
    Be Realistic
    Be Random
    Be Consistent
    13
  • Properly Testing Using Evasions
  • Enabling Evasions for BreakingPoint
    BreakingPoint Methods
    Attack Manager:
    Attack Group Options - Affects only the attack group selected
    Security Test Component:
    Parameters Tab, Attack Profile setting - Affects the entire test
    Overrides Tab - Affects the entire test
    Order of precedence
    Overrides
    Group Options
    Attack Profile
    15
  • The Five Keys BreakingPoint Provides
    80+ evasion techniques
    Dedicated security team
    New evasion techniques
    Apply across 4,300+ attacks
    Multi-layered evasions
    16
  • Q&A
    Thank You!
    17