Decloaking the Network: Evasions Exposed (2012 San Diego)

The escalating sophistication of intrusions continues to threaten networks. As threats evolve so must your network security. Learn cutting edge network level protocol obfuscations and evasion techniques to gain a better understanding of how these techniques work. We will then examine how they are often combined with attacks to bypass network protections. We will dive into recent enhancements to Cisco’s security products and review existing detection ability. Attendees of this course will leave being able to ask more intelligent questions regarding device coverage. We will introduce tools that can be used to test devices allowing you to gauge the state of your network security.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4361

Transcript

  • 1. Decloaking the Network: Evasions Exposed. BRKSEC-2012 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. Who I am: Craig Williams
    ‒ Cisco for 6 years: IPS development team, IPS signature team, Applied Security Research (ASR) team
    ‒ Administrator for the malware lab
    ‒ Technical Leader for signature services
    ‒ Specialties: malware, exploits, intrusion prevention, signature design, vulnerability research, protocol analysis, obfuscation
  • 3. Agenda
    ‒ What is a network level evasion?
    ‒ What is normalization?
    ‒ Basic Evasions
    ‒ Cutting Edge Evasions
    ‒ Evolving Evasion Resistance
    ‒ Demos
  • 4. Evasions – Not Magic, Do Not Panic
    What are evasions?
    ‒ Generic techniques to bypass network security devices
    ‒ Hide the attack via obfuscations
    ‒ Often based off options or ambiguity in RFC documents
  • 5. Evasions
    What is not a network level evasion?
    ‒ Non-generic techniques, e.g. specific fragment sizes
    ‒ Swapping shellcode
    ‒ Shellcode encoders
    ‒ Evading a signature is not a network level evasion
    (Diagram: a packet laid out as IP | TCP | Protocol | Exploit | Shellcode, with many interchangeable shellcode variants)
  • 6. Coverage: Vulnerability vs. Exploits
    A fundamental concept in network security is vulnerability-based vs. exploit-based detection.
    Vulnerability-based detection is protection against the base vulnerability:
    ‒ Not affected by changes in shellcode
    ‒ Not affected by different exploits
    ‒ Should address all possible exploits
    ‒ CAN be affected by network level evasions
  • 7. Vulnerability vs. Exploits
    (Diagram: a newly exploited vulnerability and the many exploits written for it.) Do you really want to block just the yellow one?
  • 8. An Example – Regular Expressions
    ‒ A pattern to match something, in this case traffic
    ‒ Still the standard for IPS signatures
    ‒ Everyone is not equal – imagine evading a grep
    ‒ If you understand the basics of signature writing, evading them will be even easier
    The general metacharacters: ^[](){}.*?|+$ and sometimes -
  • 9. Basic Regex
    A character class [Cc] indicates it will match C or c:
    ‒ [Hh][Ee][Ll][Ll][Oo] would match hello case-insensitively
    Hex is fine too:
    ‒ [\x48\x68][\x45\x65][\x4C\x6c][\x4c\x6C][\x4f\x6f]
    ‒ How would you do a literal \x48?
    You can exclude characters:
    ‒ The ^ character inside a character class indicates "not"
    ‒ [^H] == [\x00-\x47\x49-\xFF]
  • 10. Basic Regex
    Optional characters:
    ‒ A? is zero or one capital A
    {} are simple repeat operators:
    ‒ H{2} == HH
    ‒ H{1,2} == HH?
    ‒ H{2,} == HHHHHHHHHHHHHHHH…HHH
    The pipe is an OR operator:
    ‒ a|b == [ab]
    ‒ (hello)|(world)
    ‒ hello|world – are these last two identical?
  • 11. Basic Regex
    You can do ranges:
    ‒ [A-C] matches an A, B, or C
    The same applies to hex:
    ‒ [\x01-\x05] is equivalent to (\x01|\x02|\x03|\x04|\x05)
    Combinations are normal:
    ‒ Abc[\x01-\x03] would match: 1. Abc\x01  2. Abc\x02  3. Abc\x03
  • 12. Vulnerability vs. Exploits – Example
    Protocol X vulnerability: if the 1 byte (8 bit) size field exceeds the value 200 (hex 0xc8), an overflow occurs.
    The size field can be identified by a 3 byte ASCII tag XYZ, followed by the size byte:
    ‒ X Y Z \x01 – Benign!
    ‒ X Y Z \xC9 – Malicious!
  • 13. Vulnerabilities vs. Exploits – Example
    Is this pattern good enough: XYZ[\xc9-\xff]?
    What happens if it runs over IP or TCP? Packets can be manipulated so that what you should see is often different from what you will see.
    Evasions are possible at nearly all protocol layers.
  • 14. IP/TCP Evasions
    ‒ Easily accessible tools can evade network devices using common evasion techniques (fragrouter, fragroute, etc.)
    ‒ Network devices need to know what the end host will see in order to enforce policy – how?
    ‒ A full protocol proxy is ideal but not feasible
    ‒ IP / TCP normalization is used to enforce policy regardless of the evasion technique being used
  • 15. An Example: Reconstructing Flows
    ‒ IP and TCP can cause a stream of data to break into many parts
    ‒ Both IP fragmentation and TCP segmentation can occur naturally or intentionally to evade IPS
    ‒ IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate this evasion technique
    (Diagram: the data "USER root" is split by TCP into segments HDR|USER and HDR|root, and by IP into fragments HDR|US, HDR|ER, HDR|ro and HDR|ot)
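The points of slides 6, 12, 13 and 15 in running code, as an added example that is not part of the talk: the vulnerability-based pattern XYZ[\xc9-\xff] catches every exploit of Protocol X where an exploit-specific pattern catches one, and neither sees anything once the tag and the size byte are sent in separate TCP segments unless the inspector reassembles the stream first. The traffic samples and the exploit-specific pattern are constructed for this example.

```python
import re

# Vulnerability-based signature from the slides: the ASCII tag XYZ followed by a
# one-byte size field above 200 (0xc8). It does not care what follows the size byte.
VULN_SIG = re.compile(rb"XYZ[\xc9-\xff]")

# Exploit-based signature (constructed for this example): it keys on one exploit's
# particular size byte and NOP-sled bytes, so it only matches that one exploit.
EXPLOIT_SIG = re.compile(rb"XYZ\xff\x90\x90\x90\x90")


def per_segment_hits(segments, sig):
    """Inspect every TCP segment on its own, as a device without stream
    reconstruction would. segments: list of (sequence offset, payload)."""
    return any(sig.search(payload) for _, payload in segments)


def stream_hits(segments, sig):
    """Rebuild the byte stream in sequence order, then inspect the whole stream."""
    stream = b"".join(payload for _, payload in sorted(segments))
    return bool(sig.search(stream))


# Constructed Protocol X traffic (not real captures).
BENIGN = [(0, b"XYZ\x01hello")]                        # size 1: nothing to see
EXPLOIT_ONE = [(0, b"XYZ\xff\x90\x90\x90\x90AAAA")]    # size 255 plus NOP sled
EXPLOIT_TWO = [(0, b"XYZ\xc9\x41\x41\x41\x41AAAA")]    # size 201, different filler
# EXPLOIT_ONE re-segmented so the tag and the size byte never share a segment.
SPLIT = [(0, b"XY"), (2, b"Z"), (3, b"\xff\x90\x90\x90\x90AAAA")]


def coverage_report():
    """Per sample: (vuln sig per segment, vuln sig on stream,
                    exploit sig per segment, exploit sig on stream)."""
    samples = {"benign": BENIGN, "exploit_one": EXPLOIT_ONE,
               "exploit_two": EXPLOIT_TWO, "split": SPLIT}
    return {name: (per_segment_hits(s, VULN_SIG), stream_hits(s, VULN_SIG),
                   per_segment_hits(s, EXPLOIT_SIG), stream_hits(s, EXPLOIT_SIG))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, flags in coverage_report().items():
        print(f"{name:12s} vuln/segment={flags[0]} vuln/stream={flags[1]} "
              f"exploit/segment={flags[2]} exploit/stream={flags[3]}")
```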
  • 16. Normalization – At a High Level
    (Diagram.) Stack implementations also vary widely.
  • 17. Normalization – For a Network
    Protocol and network stack implementations differ. Attackers can use the ambiguity that is already in the RFCs to hide:
    ‒ URG pointer
    ‒ SYN with data
    ‒ Data on an ACK
    ‒ Window-size manipulation
    Attackers can attempt to confuse network devices about the state of a session or sessions.
  • 18. Basic Evasions
  • 19. A Brief Visual
    (Diagram: C, B, A)
  • 20. Fragmentation Issues
    Fragmentation is separating your data into several pieces. Think of it like a slice of bread. It's slightly more complex though:
    ‒ How do you put the bread back together?
    ‒ What happens if you lose a piece?
    ‒ What happens if two pieces seem to go in the same place?
  • 21. High Level Fragmentation
    A typical packet: Header | Data
    A fragmented packet: Header | Da, Header | ta
    Things get more complex with additional layers: Stub | Header | Da, Stub | Header | ta
  • 22. Fragmentation
    An example: IP | TCP | Data
    TCP fragmentation: IP | TCP | Da (segment one), IP | TCP | ta (segment two)
  • 23. Fragmentation: Reassembly Policies
    Fragments can overlap – what happens if the data is different?
    Reassembly policies:
    ‒ BSD: first fragment takes precedence, left-trims
    ‒ BSD-right: new fragments take precedence, right-trims
    ‒ Linux: first fragment takes precedence if its offset is less
    ‒ First: always allow the first packet precedence
    ‒ Last: always allow the last packet to take precedence
    Source: Umesh Shankar and Vern Paxson, “Active Mapping: Resisting NIDS Evasion Without Altering Traffic”, 2003.
  • 24. Fragmentation Examples
    Operating System – IP Reassembly Policy:
    ‒ Linux 2.4 – Linux
    ‒ MacOS – First
    ‒ OpenBSD – Linux
    ‒ Windows – First
    ‒ Cisco IOS – Last
    ‒ AIX – BSD
    Source: Umesh Shankar and Vern Paxson, “Active Mapping: Resisting NIDS Evasion Without Altering Traffic”, 2003.
  • 25. IP Fragmentation: Victim Processing
    Different operating systems reassemble fragments differently. If a device doesn’t understand how the traffic will be reassembled, it cannot properly inspect the packet.
    Example: "Hello World"
    ‒ Offset:  1 | 2 | 3 | 3
    ‒ Request: Hello | \x20 | World | Steve
    ‒ Windows: Accepts | Accepts | Accepts | Ignores
    ‒ IOS: Accepts | Accepts | Overwrite | Accepts
  • 26. TCP Segmentation
    Very similar to IP fragmentation. RFC 793 implies a FIRST policy should be used. What do you think happened?
  • 27. TCP Segmentation: Examples
    Operating System – TCP Reassembly Policy:
    ‒ Linux 2.4 – BSD
    ‒ MacOS – BSD
    ‒ OpenBSD – BSD
    ‒ Windows – BSD
    ‒ Cisco IOS – BSD
    ‒ AIX – BSD
    Source: Umesh Shankar and Vern Paxson, “Active Mapping: Resisting NIDS Evasion Without Altering Traffic”, 2003.
  • 28. TCP Segmentation: Reassembly Policies
    Finer grain reassembly policies:
    ‒ Windows/BSD
    ‒ First/Windows Vista
    ‒ Linux
    ‒ Solaris
    ‒ Linux-old
    ‒ Last
    Source: Judy Novak, “Target-based Fragmentation Reassembly”, 2003.
  • 29. TCP Segmentation Examples
    Operating System – TCP Reassembly Policy:
    ‒ Windows (pre Vista) – Windows
    ‒ Linux 2.4 – Linux
    ‒ BSD/AIX – BSD
    ‒ Solaris – Solaris
    ‒ Windows Vista – First
    ‒ None – Last
    Source: Judy Novak, Steve Sturges, “Target-Based TCP Stream Reassembly”, 2007.
  • 30. TCP Segment Overwrite
    A packet is broken into segments. Segmented packets are sent where the segment offset of one packet overwrites the data at the same segment offset of another packet.
    Example: "Hello World"
    ‒ Packet: 1 | 2 | 3 | 3
    ‒ Data: Hel | lo | World | Steve
    ‒ Offset: 0 | 16 | 32 | 32
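Target-based reassembly of overlapping fragments, as an added example (not code from the talk): the First, Last, BSD and Linux rules of slides 23 and 24 are applied byte by byte, so the "Hello World" / "Steve" overlap of slides 25 and 30 resolves one way for a Windows target and another for Cisco IOS. BSD-right is left out; the per-OS table is the one on slide 24, and the fragment samples are constructed.

```python
# Overlap resolution rules, expressed as "does the byte already held win?" given
# the offset of the fragment that supplied it (orig) and the new fragment's offset.
POLICIES = {
    "first": lambda orig, new: True,          # keep what arrived first
    "last":  lambda orig, new: False,         # latest arrival overwrites
    "bsd":   lambda orig, new: orig <= new,   # original wins unless the newcomer starts earlier
    "linux": lambda orig, new: orig < new,    # as BSD, but an equal-offset newcomer replaces it
}

# IP reassembly policy per operating system, as listed on slide 24.
TARGET_POLICY = {"Windows": "first", "MacOS": "first", "Cisco IOS": "last",
                 "Linux 2.4": "linux", "OpenBSD": "linux", "AIX": "bsd"}


def reassemble(fragments, policy):
    """fragments: (byte offset, data) in arrival order. Returns the datagram the
    host builds under `policy`, or None if the fragments leave a hole."""
    keep_held = POLICIES[policy]
    held = {}   # byte position -> (byte value, offset of the fragment that supplied it)
    for off, data in fragments:
        for i, value in enumerate(data):
            pos = off + i
            if pos not in held or not keep_held(held[pos][1], off):
                held[pos] = (value, off)
    if not held:
        return b""
    end = max(held) + 1
    if len(held) != end:          # some position in 0..end-1 was never filled
        return None
    return bytes(held[p][0] for p in range(end))


def victim_sees(fragments, os_name):
    """What the named target reassembles, and so what an inspector must match on."""
    return reassemble(fragments, TARGET_POLICY[os_name])


# Slide 25's example: two fragments claim the same place ("World", then "Steve").
HELLO = [(0, b"Hello"), (5, b" "), (6, b"World"), (6, b"Steve")]
# A later fragment that starts before an earlier one: BSD and Linux trim the
# newcomer on the left but let it overwrite the later-starting fragment.
LEFT = [(0, b"Hello "), (6, b"World"), (4, b"XXXX")]

if __name__ == "__main__":
    for os_name in TARGET_POLICY:
        print(f"{os_name:10s} {victim_sees(HELLO, os_name)!r}  {victim_sees(LEFT, os_name)!r}")
```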
  • 31. Fragmentation Demo
    Fun with scapy!
  • 32. IP Evasions – Time To Live
    ‒ Time to Live = TTL
    ‒ Designed to protect the network from routing loops
    ‒ TTL is decremented each time a packet goes through a router (or L3 switch...)
    ‒ A TTL of 0 or 1 is dropped
    ‒ There is no way for a network device to know the number of hops to the victim
  • 33. TTL – Time to Live
    (Diagram.)
  • 34. IP Evasions – The TTL Problem
    Packets are sent with different TTL values, causing some of the packets to be dropped before being reassembled by the target host.
    Example: GET x.ida?[bufferoverflow]
  • 35. TTL Manipulation
    ‒ TTL evasion uses attributes of IP and TCP and how they interact
    ‒ Attackers can adjust TTL values on IP packets to purposely confuse devices
    (Diagram: attacker → security device → victim. Each sequence number is sent twice with different TTLs and different data: seq1 TTL=11 "d" (times out) and seq1 TTL=20 "f"; seq2 TTL=9 "n" (times out) and seq2 TTL=21 "o"; seq3 TTL=10 "z" (times out) and seq3 TTL=20 "o"; seq4 TTL=10 "d" (times out). The victim receives f, o, o; the security device sees both copies and has to decide: d or f?; n or o?; z or o?)
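The detection side of slides 32 to 35, as an added example rather than code from the talk: an inspector cannot know the hop count on its own, but it can flag a sequence number that is retransmitted with different data, and if the hop count is supplied from outside it can compute what the victim actually receives. The segments reproduce slide 35's exchange and are constructed, and the rule "a segment reaches the victim only if its TTL exceeds the remaining hops" is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the payload (one byte per segment here, as on the slide)
    ttl: int      # IP TTL as seen at the inspection point
    data: bytes


# Slide 35's exchange as sample input (constructed, not a capture): every sequence
# number is sent twice, with different TTLs and different data.
SLIDE_35 = [
    Segment(1, 11, b"d"), Segment(1, 20, b"f"),
    Segment(2, 9, b"n"),  Segment(2, 21, b"o"),
    Segment(3, 10, b"z"), Segment(3, 20, b"o"),
    Segment(4, 10, b"d"),
]


def inconsistent_retransmissions(segments):
    """Same sequence number, different payload. A genuine retransmission repeats
    the data; differing copies mean the sender wants the inspector and the end
    host to see different streams. Returns [(seq, [(ttl, data), ...]), ...]."""
    by_seq = {}
    for s in segments:
        by_seq.setdefault(s.seq, []).append(s)
    return [(seq, [(s.ttl, s.data) for s in group])
            for seq, group in sorted(by_seq.items())
            if len({s.data for s in group}) > 1]


def victim_stream(segments, hops_to_victim):
    """Stream the end host reassembles if `hops_to_victim` routers sit between the
    inspection point and it. Assumption: a segment survives only if ttl > hops.
    Among surviving copies the first one wins (the FIRST policy slide 26 cites)."""
    stream = {}
    for s in segments:
        if s.ttl > hops_to_victim and s.seq not in stream:
            stream[s.seq] = s.data
    return b"".join(stream[k] for k in sorted(stream))


if __name__ == "__main__":
    for seq, copies in inconsistent_retransmissions(SLIDE_35):
        print(f"seq {seq}: conflicting copies {copies}")
    print("victim 15 hops away sees:", victim_stream(SLIDE_35, 15))
    print("victim 5 hops away sees: ", victim_stream(SLIDE_35, 5))
```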
  • 36. Whisker Evasions – The Basics
    User input: http://1.1.1.1/userlist.cgi?user=fred&id=7
    GET userlist.cgi?user=fred&id=7 HTTP/1.1
    Host: 1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 37. Whisker Evasions
    Brief history of whisker:
    ‒ URL encoding
    ‒ Double slashes
    ‒ Reverse traversals
    ‒ Premature request ending
    ‒ Parameter hiding
    ‒ HTTP mis-formatting
    ‒ Null method processing
    ‒ Session splicing
    http://www.wiretrip.net/rfp/txt/whiskerids.html
  • 38. Whisker Evasions – URL Encoding
    Original URL: http://1.1.1.1/userlist.cgi
    GET %75%73%65%72%6c%69%73%74%2e%63%67%69 HTTP/1.1
    Host: 1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 39. Whisker Evasions – Double Slashes
    GET //directory//userlist.cgi?user=fred&id=7 HTTP/1.1
    Host: 1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 40. Whisker Evasions – Reverse Traversals
    GET /cgi-bin/foooo/../userlist.cgi?user=fred&id=7 HTTP/1.1
    Host: 1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 41. Whisker Evasions – Parameter Hiding
    GET userlist.cgi%3fuser=fred&id=7 HTTP/1.1
    Host: 1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 42. Whisker Evasions – HTTP Mis-formatting
    GET<tab><tab>userlist.cgi?user=fred&id=7<tab>HTTP/1.1
    Host:<tab><tab>1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 43. Whisker Evasions – Null Method Processing
    GET%00 user=fred&id=7 HTTP/1.1
    Host: 1.1.1.1
    User-Agent: Mozilla/5.0 (X11;U; Linux i686; en-US; rv:1.5a)
    Accept: text/html
    Accept-Language: en-us;en: q=0.5
    Accept-Encoding: gzip; deflate
    Accept-Charset: ISO-8859-1, utf-8; q=0.7,*,q=0.7
  • 44. Whisker Evasions – Session Splicing
    Think TCP segmentation: the request is sent across multiple packets.
    G | ET | user | list.cgi | HTTP/1.1
  • 45. Evasion vs. Obfuscation
    There is a slight difference:
    ‒ An evasion is generally thought of as something specifically designed to work around a flaw or detection method. Example: fragmentation.
    ‒ Obfuscations are designed to prevent human or heuristic algorithms from seeing something. Example: URL encodings.
  • 46. URL Obfuscations
    Why isn’t this easy? “A number of implementations have introduced decoding variations, sometimes referred to as bugs” – Blaine Kubesh
  • 47. Obfuscations...
  • 48. Obfuscation... and Evasion
  • 49. A Simple Example
    Similar to transform algorithms: rotate X characters.
    ‒ ROT 1: ABC -> BCD
    ‒ ROT1(ROT1(x)) where x is ABC -> CDE
    Imagine if CDE decoded to both BCD and ABC. Real examples are much more complex; we will cover them briefly.
  • 50. URL Obfuscations
    ‒ Double encoding – the code point passes through two levels of encoding
    ‒ Un-encoded octets mixed with encoded octets in a UTF-8 sequence
    ‒ Ambiguous bits – some decoder implementations ignore certain bits in the encoding
    ‒ Microsoft Base-36 – another example of a decoder implementation error: old versions of Microsoft’s UTF-8 decoder accept 36 characters (A-Z and 0-9) as valid hexadecimal characters in the UTF-8 encoding instead of the normal 16 characters (A-F and 0-9).
  • 51. More Decoding Variations
    Alternate code pages – ex: Latin code pages.
    Let’s calculate the worst case scenario: how many unique ways can a single character be encoded when double encoding is utilized?
  • 52. Decoding Variations – Let’s Count the Ways...
    IIS 4 is a great example:
    ‒ 4 unicode sequences
    ‒ 3 substitution methods for each escape sequence char
    ‒ Alternate character mappings (ex: u == 0xff55, 0x1d8 and so on)
    Based off this there are about 940 ways to encode /. Next consider / represented as %uHHHH (H = hex). Since decoding takes place twice, each individual character in the sequence can also be encoded.
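A request-target normalizer covering the whisker evasions of slides 38 to 41 and the decoding variations of slides 50 to 52, as an added example (not the talk's or any product's code): it percent-decodes repeatedly so double encoding unwinds, accepts %uHHHH, optionally treats A-Z as hexadecimal digits the way slide 50 says old IIS did, tolerates overlong UTF-8 such as %c1%a3 for 'c', then collapses // and resolves ../ before a signature is applied. The three-pass bound and the Latin-1 fallback for undecodable bytes are assumptions of this example.

```python
import re

# One escape: %uHHHH (Microsoft form) or %XX. The 2-char form also admits letters
# beyond F so the old IIS base-36 quirk from slide 50 can be reproduced on request.
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-zA-Z]{2})")


def escape_value(two_chars, base36):
    """Byte value of a %XX escape; with base36, A-Z count as 10..35 (hexadecimal
    'digits' as old IIS accepted them). None if the escape is not decodable."""
    try:
        hi, lo = (int(ch, 36 if base36 else 16) for ch in two_chars)
    except ValueError:
        return None
    value = hi * 16 + lo
    return value if value < 256 else None


def percent_decode_once(text, base36):
    """One decoding pass: escapes become raw bytes, everything else is kept."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("utf-8", "surrogatepass")
        if m.group(1):
            out += chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
        else:
            value = escape_value(m.group(2), base36)
            out += bytes([value]) if value is not None else m.group(0).encode()
        pos = m.end()
    out += text[pos:].encode("utf-8", "surrogatepass")
    return bytes(out)


def lenient_utf8(raw):
    """UTF-8 decode that also accepts 2- and 3-byte overlong forms (%c1%a3 and
    %e0%81%a3 both giving 'c'); anything else is taken as a Latin-1 byte."""
    out, i = [], 0
    while i < len(raw):
        lead = raw[i]
        if lead < 0x80:
            n, cp = 0, lead
        elif 0xC0 <= lead < 0xE0:
            n, cp = 1, lead & 0x1F
        elif 0xE0 <= lead < 0xF0:
            n, cp = 2, lead & 0x0F
        else:
            n, cp = 0, lead                    # stray or 4-byte lead: keep as Latin-1
        tail = raw[i + 1:i + 1 + n]
        if len(tail) == n and all(0x80 <= b < 0xC0 for b in tail):
            for b in tail:
                cp = (cp << 6) | (b & 0x3F)
            i += 1 + n
        else:
            cp, i = lead, i + 1                # broken sequence: keep the lead byte
        out.append(chr(cp))
    return "".join(out)


def normalize_target(request_target, base36=False, max_passes=3):
    """Decode repeatedly (double encoding) until nothing changes, then canonicalise
    the path: collapse // and ./ and resolve ../ . max_passes is an assumed bound."""
    text = request_target
    for _ in range(max_passes):
        decoded = lenient_utf8(percent_decode_once(text, base36))
        if decoded == text:
            break
        text = decoded
    path, sep, query = text.partition("?")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts) + sep + query


def signature_hits(request_target, needle="userlist.cgi", base36=False):
    """(raw match, match after normalization) for a literal-string signature."""
    return needle in request_target, needle in normalize_target(request_target, base36)
```

Whether the server treats a decoded %3f as the query separator is itself implementation-specific, which is why the normalizer has to be configured for the target rather than for the RFC.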
  • 53. Application Encodings – HTTP URL Encoding, circa 2000
    http://host.example.com/c.asp
    (Diagram: the tree of encodings for the character c: c → %63, %u0063, %c1%a3, %e0%81%a3, and base-36 variants such as %5j, %4z, %e0%81%9j, %dg%81%9j, %c19j, %cw%o1%q3, %ax%q3, …) 1.2e+17 ways to encode ‘c’
  • 54. Example: HTTP UTF Encoding – Double Encoded
    (Diagram: %e0%80%a5 %2m %dg%80%b3 decodes to % 6 3, i.e. %63, which decodes to c.) 1.2e+17 ways to encode ‘c’
  • 55. Example: HTTP UTF Encoding – Double Encoded
    (Diagram: %e0%80%a5 %ax%q5 %30 %e0%7g%b3 decodes to % e 0 … 3, i.e. %e0%81%a3, which decodes to c.) 1.2e+17 ways to encode ‘c’
  • 56. Example: HTTP UTF Encoding
    And don’t forget our accented friends: A = ÀÁÂÃÄÅĀĄĂ, O = ÒÓÔÕÖØŌŐŎ
  • 57. Demo 1 – URL Encoding
    A demo
  • 58. Advanced Evasions
  • 59. URG Pointer
    Defined to allow things like ctrl-c over Telnet to be prioritized; allows urgent data to be passed in urgent mode. The ambiguity begins…
    ‒ RFC 793 – pointer is last+1
    ‒ RFC 1122 – pointer is last, NOT last+1
    (Diagram: TCP | URG | DATA versus TCP | URG | DAT)
  • 60. URG Pointer
    Are the lines really separate? (Diagram: URG data versus normal data)
  • 61. URG Pointer
    Urgent mode is not out of band data.
    ‒ Sockets and all derived stacks are wrong
    (Diagram: TCP | DA, TCP | U:F, TCP | TA)
    RFC 6093 is designed to remove the ambiguity.
  • 62. A Little Background: Server Message Block
    ‒ Server Message Block (SMB) – main purpose is file sharing and remote transactions
    ‒ Designed to be a presentation layer protocol
    ‒ SMB pipes are used for IPC (think socket)
    ‒ Runs over TCP
    ‒ For our purposes we only care about using it as another widget to stack evasions, so our Microsoft Remote Procedure Call (MSRPC) attacks are even more evasive
    (Diagram: IP | TCP | SMB)
  • 63. SMB Evasions – The Fun Stuff
    Pipe evasions:
    ‒ Max and min read – fragmentation!
    ‒ Max and min write – fragmentation!
    ‒ Data padding – kind of like fragmentation!
    ‒ Name evasions!
    ‒ Pipe IO modes!
    All of this stacks on top of our TCP and IP evasions.
  • 64. SMB Evasions – A Quick Visual
  • 65. MSRPC – The Overview
    Microsoft Remote Procedure Call – modified DCE/RPC. Used to create a client/server model in Windows NT with very little effort.
    Uses?
    ‒ Microsoft DNS Admin tool
    ‒ Microsoft Exchange 5.5 Admin front-ends
    ‒ In other words, lots of stuff
    Runs over TCP or UDP or SMB.
  • 66. MSRPC Overview
    (Diagram: client and server)
  • 67. Multiple UUID
  • 68. Multiple UUID
  • 69. BIND_ACK Multiple UUID Replies
  • 70. BIND_ACK Multiple UUID Replies
  • 71. MSRPC – What if You Change Your Mind…
    Switch UUID in the middle of the conversation!
  • 72. MSRPC – What if You Change Your Mind…
    Switch UUID in the middle of the conversation!
  • 73. MSRPC Example – SMB Fragmentation
  • 74. MSRPC Example – SMB Fragmentation
  • 75. MSRPC Example – TCP Fragmentation
  • 76. MSRPC Example – TCP Fragmentation
  • 77. MSRPC – The Fun Begins!
    (Diagram: one IP | TCP | SMB | MSRPC | Payload packet split into seven IP | TCP | SMB | MSRPC packets.) In our example we end up with seven packets using just MSRPC fragmentation.
  • 78. MSRPC – Putting It All Together
    Take the top packet from the last slide. (Diagram: IP | TCP | SMB | MSRPC split into IP | TCP | SMB | M, IP | TCP | SMB | S, IP | TCP | SMB | R, IP | TCP | SMB | P, IP | TCP | SMB | C.) In our example we end up with six packets using SMB fragmentation.
  • 79. MSRPC – Another Layer
    Take the top packet from the last slide. (Diagram: IP | TCP | SMB | M split into IP | TCP | S, IP | TCP | M, IP | TCP | B, IP | TCP | M.) In our example at this layer we only multiply by four more packets.
  • 80. MSRPC – Another Layer
    Take the top packet from the last slide… again. (Diagram: IP | TCP | S split into IP | T, IP | C, IP | P, IP | S.) In our example at this layer we only multiply by four more packets.
  • 81. MSRPC – Putting It All Together
    We end up with thousands of packets. (Diagram: IP | TCP | SMB | MSRPC | Payload.) A packet capture of the regular attack is ~4k; after layers of evasion it is 70MB or more!
  • 82. A Quick Review – Fun With Metasploit
    The Metasploit project, a 10,000 foot view:
    ‒ use exploit/windows/smb/ms08_067_netapi
    ‒ set TARGET 5
    ‒ set PAYLOAD windows/speak_pwned
    ‒ exploit
  • 83. MSRPC Demo!
    Let's dive in...
  • 84. Evolving Evasion
  • 85. Does MSRPC or HTTP Concern You?
    ‒ Return web is probably the largest growing attack surface out there
    ‒ MSRPC over SMB based worms have historically been some of the fastest spreading, most virulent network based attacks
    ‒ From an evasion based standpoint, what concerns you?
  • 86. New in 7.1(5) – Evasion Resistance
    Return Web enhancements:
    ‒ Decompression support
    ‒ Decoding support
    ‒ UTF support
  • 87. UTF Encoding
    A Unicode transformation format (UTF) is an algorithmic mapping from every Unicode code point (except surrogate code points) to a unique byte sequence. The ISO/IEC 10646 standard uses the term “UCS transformation format” for UTF; the two terms are merely synonyms for the same concept. http://unicode.org/faq/utf_bom.html
  • 88. UTF Decoding Example
  • 89. Chunked Encoding
    ‒ Data transfer mechanism in HTTP 1.1
    ‒ Makes Content-Length unrequired
    ‒ Dynamically generated content
  • 90. Chunked Encoding
  • 91. Compression
    HTTP 1.1 (RFC 2616) allows responses to be compressed. This effectively makes pattern matching impossible without decompressing the stream.
  • 92. Compression
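Why the decompression and decoding support of slides 86, 89 and 91 matters, as an added example (not code from the talk or from the Cisco IPS): an inspector has to strip chunked transfer-coding and then gzip content-coding, in that order, before a pattern can match the body. The HTTP response is constructed inline; the pattern is the Protocol X one from the slides, placed in the body purely as something to look for.

```python
import gzip
import re

# Protocol X pattern from the slides, searched for here inside an HTTP response body.
PATTERN = re.compile(rb"XYZ[\xc9-\xff]")


def build_response(body, chunk_size=7):
    """Constructed sample: gzip the body and send it with chunked transfer-coding,
    as an HTTP/1.1 server may. mtime=0 keeps the gzip output deterministic."""
    gz = gzip.compress(body, mtime=0)
    chunks = [gz[i:i + chunk_size] for i in range(0, len(gz), chunk_size)]
    wire = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + wire)


def split_response(raw):
    """Header dict (lower-cased names and values) and the raw body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def dechunk(body):
    """Undo chunked transfer-coding: chunk-size [;ext] CRLF data CRLF ... 0 CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def normalized_body(raw):
    """Peel the transfer-coding first, then the content-coding, as the client does."""
    headers, body = split_response(raw)
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def inspect(raw, pattern=PATTERN):
    """(match on the wire bytes, match after dechunk + decompress)."""
    return bool(pattern.search(raw)), bool(pattern.search(normalized_body(raw)))


SAMPLE = build_response(b"<html>hello XYZ\xc9 world</html>")

if __name__ == "__main__":
    print("wire match, normalized match:", inspect(SAMPLE))
```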
  • 93. SMB+MSRPC Enhancements
    SMB enhancements:
    ‒ Machine generated code
    ‒ Complete redesign
    ‒ Extremely easy to rapidly add new features
  • 94. In Conclusion...
    ‒ Evasions are not magic; your Cisco devices protect you against them
    ‒ Most evasions combine
    ‒ Defense in depth: test your infrastructure
  • 95. Questions:
  • 96. Complete Your Online Session Evaluation
    Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
  • 97. Final Thoughts
    ‒ Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
    ‒ Come see demos of many key solutions and products in the main Cisco booth 2924
    ‒ Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
    ‒ Follow Cisco Live! using social media: Facebook: https://www.facebook.com/ciscoliveus; Twitter: https://twitter.com/#!/CiscoLive; LinkedIn Group: http://linkd.in/CiscoLI