Your SlideShare is downloading. ×
Harden Security Devices Against Increasingly Sophisticated Evasions
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Harden Security Devices Against Increasingly Sophisticated Evasions

1,046

Published on

separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer. …

separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer.

Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions?

Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,046
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
20
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • SneakAckHandshake
    Establish sessions with the SneakAck Handshake for all connections
  • Transcript

    • 1. Harden Security Devices Against Increasingly Sophisticated Evasions BreakingPoint Webcast Wednesday December 16, 2009
    • 2. www.breakingpointlabs.com Introductions/Agenda • BreakingPoint speakers: – Dennis Cox, CTO – Todd Manning, Protocol & Security Researcher – Dustin D. Trammell, Protocol & Security Researcher • Quick Glance Agenda: – Evasions Overview – Evasions in Layer 3, 4, 5, 7 and more – Latest evasion techniques – How to validate you are protected – BreakingPoint Five Keys 2
    • 3. www.breakingpointlabs.com Evasion Technique Introduction • What Is An Evasion? – Legitimate Permutation of Data • Data remains valid • Data looks different – Attempt at bypassing detection or filters • Data representation not recognized or understood by the monitoring entity • Cause the monitor to revert to a less scrutinizing state • Transport of data in a state that is not observable by the monitor 3
    • 4. www.breakingpointlabs.com Where are Evasions Used? • Everywhere! – Layer 3: IP – Layer 4: TCP – Layer 5: DCERPC, SunRPC, SIP – Layer 7: HTTP, SMTP, POP3, FTP – Content: HTML, OLE, Command-lines (Windows & UNIX), Exploit Shellcode 4
    • 5. www.breakingpointlabs.com Layer 3: IP Evasions • FragEvasion – IP Fragmentation – Four IP fragmentation methods available: • Overlapping end fragments, favoring either old or new data • Overlapping all fragments, favoring either old or new data • FragOrder – Change the order in which fragments are sent – Three behavior options: • Normal order • Reverse order • Randomize order 5
    • 6. www.breakingpointlabs.com Layer 4: TCP Evasions • SegmentOrder – Change the order in which segments are sent – Three behavior options: • Normal order • Reverse order • Randomize order • SkipHandShake – Skip the three-way handshake for all connections 6
    • 7. www.breakingpointlabs.com Layer 5: SIP Evasions • CompactHeaders – Use compact header names instead of full-length header names – Example: “From: <user>” -> “f: <user>” • PadHeadersLineBreak – Pad headers with line breaks – Example: ‘Authorization: Digest username=“user”, realm=“home”’ -> ‘Authorization: Digest rnusername=“user”, rnrealm=“home”’ • PadHeadersWhitespace – Pad headers with whitespace elements – Example: “From: <user>” -> “From:tt<user> “ • RandomizeCase – Randomize the case of data which is case insensitive – Example: “From: <user>” -> “fROm: <UsEr>” 7
    • 8. www.breakingpointlabs.com Layer 7: Common Evasions • PadCommandWhiteSpace – SMTP, POP3, FTP, Commands (Windows, UNIX) – Inserts arbitrary whitespace between commands and their arguments – Examples: • SMTP: “HELO example.com” -> “HELOtt t example.com” • FTP: “USER username” -> “USER t tt username” • Commands: “rm -rf /” -> “rmt t –rft tt/” • PadPathSlashes – Commands (Windows, UNIX) – Uses slashes to pad command path names – Examples: • Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd” 8
    • 9. www.breakingpointlabs.com Layer 7: HTTP Evasions • Too many to list them all here… • DirectorySelfReference – Convert all directories to self-referenced relative directories – Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt” • EncodeHexRandom – Encode random parts of the URI in hex – Example: “GET /index.html” -> “GET /ind%65x.%68tml” • ServerChunkedTransfer – Use “chunked” transfer-encoding to split up the server response • ServerCompression – Use gzip to encode the server response • EncodeUnicodeRandom – Encode random parts of the URI in wide Unicode (UTF-16) 9
    • 10. www.breakingpointlabs.com Content Evasions • HTML Evasions: HTMLUnicodeEncoding • Encodes HTML in the selected flavor of Unicode: – UTF_7: 7-bit – UTF_8: 8-bit – UTF_16BE: 16-bit big-endian – UTF_16LE: 16-bit little-endian – UTF_32BE: 32-bit big-endian – UTF_32LE: 32-bit little-endian • Shellcode Evasions: RandomNops • Uses random nop-equivalent sequences instead of actual No-Op instructions • Example (ia32): – “x90x90x90x90x90x90x90x90” – becomes – “x16x2fx5dx55x91x06x44x0e” 10
    • 11. www.breakingpointlabs.com The Latest Evasion Techniques • Latest and greatest • 2010 Forecast? 11
    • 12. www.breakingpointlabs.com Do Evasions Cause Damage? 12
    • 13. www.breakingpointlabs.com How To Validate You Are Protected • Forward Thinking • Test, Test, Test • Be Realistic • Be Random • Be Consistent 13
    • 14. Properly Testing Using Evasions
    • 15. www.breakingpointlabs.com Enabling Evasions for BreakingPoint • BreakingPoint Methods – Attack Manager: • Attack Group Options - Affects only the attack group selected – Security Test Component: • Parameters Tab, Attack Profile setting - Affects the entire test • Overrides Tab - Affects the entire test • Order of precedence – Overrides – Group Options – Attack Profile 15
    • 16. www.breakingpointlabs.com The Five Keys BreakingPoint Provides 1. 80+ evasion techniques 2. Dedicated security team 3. New evasion techniques 4. Apply across 4,300+ attacks 5. Multi-layered evasions 16
    • 17. www.breakingpointlabs.com Q&A Thank You! 17

    ×