SlideShare a Scribd company logo

Us 13-opi-evading-deep-inspection-for-fun-and-shell-slides

Olli-Pekka Niemi
Olli-Pekka Niemi

My presentation in BlackHat USA 2013 with Antti Levomäki

Internet
1 of 57
Download to read offline
EVADING  DEEP  INSPECTION  FOR   FUN  AND  SHELL  
Who  we  are   •  Olli-­‐Pekka  Niemi   –  Chief  Research  Officer,   Stoneso9   •  An;  Levomäki   –  Senior  Vulnerability   Analyst,  Stoneso9  
•  IntroducEon  to  evasions   •  Previous  research   •  Evasions  explained   •  Evasion  tesEng  methodology     •  Results     Agenda  
•  Network  intrusion  prevenEon  systems  (IPS)     – middleboxes  used  to  protect  hosts  and  services   – analyze  network  traffic  and  aNempt  to  alert  and   terminate  connecEons  that  are  deemed  harmful.   •  Next  GeneraEon  Firewalls  (NGFW)   – Firewalls  with  built  in  IPS  funcEonaliEes   •  We  treat  NGFW  as  IPS  in  this  presentaEon   IPS,  NGFW,  what?  
•  Intrusion  PrevenEon  Systems  should    protect   vulnerable  hosts  from  remote  exploits   •  Exploits  can  apply  mulEple  evasion  methods   to  bypass  the  detecEon  capabiliEes  of  the  IPS   and  break  into  the  remote  protected  host  
What?  
•  Successful  traffic  analysis  requires  that  the  IPS   device  interprets  traffic  in  the  same  way  as   the  host  it  is  protecEng   – TCP/IP  protocols  and  applicaEon  protocols  on  top   of  TCP/IP  are  rich  in  features.   – there  is  a  large  gap  between  how  protocols  should   be  used  and  how  they  can  be  used   Should  vs  Must  
•  The  reason  that  evasions  work  is  the  old   robustness  principle  stated  by  Jon  Postel  in   RFC793          “be  conservaEve  in  what  you  do,          be  liberal  in  what  you  accept  from                  others”.     Why  
•  We  call  deliberately  sending  traffic  in  a  way   that  is  difficult  to  analyze  by  a  middlebox  an   evasion  technique    
•  Aren’t  evasions  just  some  protocol  anomalies   or  malicious  packets…   •    …that  can  be  dropped  by  the  IPS?  
•  No.  Some  evasions  can  be  classified  as  an   aNack,  but  most  evasions  are  simply   alternaEve  ways  of  encoding  data.  
•  Evasion  is  evasion  only  when  applied  with   aNack.  Blocking  connecEons  based  on  a   potenEal  evasion  without  normalizing  cause   false  posiEves  
•  Most  of  IPS  devices  are  throughput  oriented   by  design.  Evasions  work  because   – the  IPS  devices  are  lacking  proper  understanding   and  analysis  of  the  protocol.   – TCP/IP  reassembly  implementaEon  shortcuts  to   favor  packet  throughput   – design  flaws  or  missing  features  
•  Have  evasions  been  researched  before?   – Yes.    A  lot.  
•  Ptacek,  Newsham:  “InserEon,  Evasion,  and  Denial  of  Service:   Eluding  Network  Intrusion  DetecEon”,  1998.   •  Raffael  Marty,  Thor  –  A  tool  to  test  intrusion  detecEon  systems  by   variaEon  of  aNacks,  2002   •  A.  Samuel  Gorton  and  Terrence  G.  Champion,  Combining  Evasion   Techniques  to  Avoid  Network  Intrusion  DetecEon  Systems,  2004   •  Giovanni  Vigna  William  Robertson  Davide  Balzaro;  :  TesEng   Network-­‐based  Intrusion  DetecEon  Signatures  Using  Mutant   Exploits,  2004     •  Shai  Rubin,  Somesh  Jha,  and  Barton  P.  Miller:  AutomaEc   GeneraEon  and  Analysis  of  NIDS  ANacks,  2004       •  Varghese,  et  al.,  DetecEng  Evasion  ANacks  at  High  Speeds  without   Reassembly,  Sigcomm,  2006.   Academic  Research  
•  Horizon,  DefeaEng  Sniffers  and  Intrusion  DetecEon   Systems,  Phrack  Magazine    Issue  54,  1998,  arEcle  10  of   12.   •  Rain  Forest  Puppy:  A  look  at  whisker's  anE-­‐IDS  tacEcs, 1999   •  NIDS  Evasion  Method  named  "SeolMa",  Phrack  57,   Phile  0x03,  2001   •  Daniel  J.  Roelker  ,  HTTP  IDS  Evasions  Revisited,  2003   •  Brian  Caswell,  H  D  Moore,  ThermopEc   Camouflage:Total  IDS  Evasion,  BlackHat,  2006       •  Renaud  Bidou:  IPS  Shortcomings,  BlackHat  2006   Hacker  Research  
•  Fragroute(r)  by  Dug  Song  ~1999   •  Robert  Graham:  SideStep,  2000   •  Rain  Forest  Puppy:  Whisker,  libwhisker   •  Raffael  Marty:  Thor,  2002   •  Metasploit  Framework   •  Immunity  Canvas   •  Core  Impact   •  Breaking  Point   •  Libnet   •  Scapy   •  Tcpreplay     •  Karalon   Tools  
•  So  Why  do  evasions  sEll  work?  
•  Evasion  detecEon  and  normalizaEon  is  difficult   •  Reduce  throughput     •  Anomaly  based  evasion  prevenEon  false  posiEves   •  Throughput-­‐wise  effecEve  packet  based  paNern   matching  miss  aNacks  deploying  evasions   •  Proper  TCP/IP  reassembly  requires  a  lot  of   memory  
•  IPS  does  not  know  whether  a  packet  seen     reaches  the  desEnaEon   –  Packet  loss  may  have  occurred   –  Packet  will  be  discarded  by  the  desEnaEon   The  Problem  of  Stream  Reassembly   Packet  loss?   ANacker  
•  The  IPS  knows  that  a  packet  reached  the   desEnaEon  when  it  receives   acknowledgement  from  the  desEnaEon     The  Problem  of  Stream  Reassembly   ANacker   ACK  
•  The  aNacker  may  cra9  a  packet  that  will  be  dropped  by  the   desEnaEon,  while  the  IPS  is  fooled  to  classify  this  as  normal   (packet  loss)   •  The  aNacker  will  then  send  the  malicious  packet  that  the  IPS   will  pass  along  as  a  retransmission     –  There  are  mulEple  ways  of  doing  this:   •  TTL/IP  opEons/TCP  opEons/checksums   The  Problem  of  Stream  Reassembly   ANacker  
•  At  the  point  of  triggering  the  vulnerability,  cra9  a   packet  that  is  not  malicious  looking  and  will  not   exploit  the  target   •  The    packet  will  be  dropped  by  the  target   •  IPS  does  not  know  that   •  Send  the  packet  that  will  compromise  the  target.     •  IPS  treat  this  packet  as  a  resend  due  to  packet   loss  and  passes  the  packet   •  Enjoy  shell  (IPS  does  not  log  anything)   ALack  Strategy  
•  IPS  must  keep  every  unacked  packet  in   memory  to  avoid  being  evaded   – It  seems  that  most  do  not,  or  at  least  the   implementaEon  is  faulty   Proper  MiNgaNon  
EVASIONS  EXPLAINED  
•  Payload  can  be  split  into  segments  of  arbitrary   size     •  Segments  can  be  sent  in  any  order   •  Too  many  small  TCP  segments  might  lead  into   anomaly  based  connecEon  terminaEon.  Apply   segmentaEon  only  when  actually  triggering   the  vulnerability  and/or  to  the  shellcode   – Most  boxes  are  sEll  vulnerable  to  this   TCP  SegmentaNon  and  Reordering  
•  The  PAWS  (ProtecEon  Against  Wrapped   Sequence  numbers)  algorithm  is  defined  in   RFC1323   –  uses  TCP  Emestamps  to  drop  segments  that  contain   Emestamps  older  than  the  last  successfully  received   segment.     •  Its  use  as  an  evasion  was  described  already  by   Ptacek  and  Newsham  in  1998     –  SEll  works  against  most  of  today´s  IPS  devices       PAWS    
•  PAWS  causes  problems  for  TCP  reassembly   when  the  IPS  does  not  know  which  segments   the  end  hosts  accept  or  discard.   •  TCP  segments  designated  for  PAWS   eliminaEon  can  be  created  by  duplicaEng  a   valid  TCP  header  and  moving  its  Emestamp   value  backwards.  The  actual  payload  can  be   arbitrary,  e.g.,  a  non-­‐malicious  version  of  a   protocol  message.   PAWS    
•  Retransmit  SYN  with  first  segment  containing   payload   •  Most  IPS  devices  have  problems  with  the   unexpected  combinaEon  of  a  retransmiNed   SYN  flag  and  new  payload  in  an  established   connecEon   – IPS  devices  are  fooled  by  the  duplicated  SYN  and   pass  connecEon  uninspected   SYN  Retransmit  
•  IPv4  packet  headers  can  contain  opEons.  If   any  of  the  opEons  are  invalid,  the  whole  IPv4   packet  should  be  discarded  by  the  receiving   host.  This  can  cause  problems  if  the  inspecEng   device  and  the  end  host  discard  different   packets.   IPv4  OpNons  
•  Urgent  pointer  marks  TCP  payload  as  urgent   •  TCP  socket    handle  urgent  data  as  either  inline  or  out-­‐of-­‐ band.   –   Out-­‐of-­‐band  data  is  not  returned  via  normal  recv()  calls  and   gets  discarded  by  applicaEons  that  do  not  use  urgent  data.   Most  operaEng  systems  default  to  out-­‐of-­‐band  urgent  data     •  The  use  of  TCP  urgent  data  as  an  evasion  was  documented   in  Phrack  Magazine  2001.     •  ProblemaEc  for  IPS  devices  because  the  choice  between   handling  data  as  inline  or  out-­‐of-­‐bound  is  applicaEon   specific.   •  Urgent  pointer  evasion  is  sEll  efficient  against  many  IPS   Urgent  
•  TCP  receive  window  is  the  amount  of  new   data  that  the  sending  side  is  willing  to  receive.   An  aNacker  can  adverEse  a  small  window  size   to  force  the  other  end  of  the  TCP  connecEon   into  sending  small  segments.     •  This  complements  sending  small  TCP   segments  by  allowing  the  aNacker  to  control   TCP  segment  sizes  in  both  direcEons.       TCP  Receive  Window  
•  A  tool  to  test  (NG)?(I[DP]S|FW)  protocol   analysis  and  reassembly  capabiliEes  by   applying  evasions  to  aNacks   •  Does  not  simulate,  does  real  aNacks  against   real  targets   •  Simple  Test  Scenario:  #shell  does  not  lie   – Send  aNack,  if  we  got  the  shell  back,  evasion  was   successful  and  DUT  failed   What  is  Evader  
•  Built  on  a  proprietary  TCP/IP  stack.   •  Has  applicaEon  clients  &  servers  for  higher   layer  protocols   Ø Complete  control  over  every  packet  sent.  
•  Exploits  are  divided  into  stages   –  Each  stage  corresponds  to  a  step  in  the  applicaEon   protocol   •  Evasions  can  be  targeted  to  all  or  just  a  range  of   stages   Ø TargeEng  to  specific  stages  criEcal  to  IPS   detecEon  makes  anomaly  based  blocking  more   difficult    
MSRPC  exploit  stages  
•  All  exploits  containing  shellcode  can  be  run   ’obfuscated’   – Generates  a  different  shellcode  encoder  and   possible  NOP  sled  for  each  execuEon.   – Makes  exploit  based  detecEon  harder.   •  Normal  versions  aNempt  to  look  like   commonly  found  public  exploits.  
•  Evader  contains  known  exploits  that  every  IPS  should  detect   •  CVE-­‐2008-­‐4250,  MSRPC  Server  Service  Vulnerability  [13].   –  A  buffer  overflow  vulnerability  in  Microso9  Windows  allowing  arbitrary  code   execuEon.  Widely  exploited  by  the  Conficker  worm.     –  Evader  targets  a  Windows  XP  SP2  host.   –  Protocols  used:  IP,  TCP,  NetBIOS,  SMB,  MSRPC.   •  CVE-­‐2004-­‐1315,  HTTP  phpBB  highlight   –  Input  sanitaEon  vulnerability  in  phpBB  allowing  arbitrary  PHP  execuEon.   Exploited  by  the  Santy.A  worm  in  2004.   –  Protocols  used:  IP,  TCP,  HTTP   •  CVE-­‐2012-­‐0002,  Windows  RDP  Denial  of  Service  [14].   –  Vulnerability  in  the  Remote  Desktop  Protocol  implementaEon  in  Microso9   Windows.     –  Exploit  in  Evader  crashes  unpatched  Windows  7  hosts.   –  Protocols  used:  IP,  TCP,  RDP    
•  In  theory,  for  the  selected  exploit,  the  Evader   could  produce  every  possible  data  stream   transmi;ng  the  payload,  but  in  pracEce  this   cannot  be  tested  since  there  are  virtually   endless  amount  of  combinaEons  and  stage   permutaEons.    
•  When  evasions  are  not  used,  IPS/NGFW   devices  detect  and  terminate  the  aNack   •  With  proper  evasions    applied,  IPS/NGFW   start  to  Fail   – Does  not  detect  anything   – Detect  something  that  cannot  be  terminated  due   to  risk  for  false  posiEve   – Detect  aNack,  claims  to  terminate  but  fails   terminaEon  
•  Evader  can  be  automated  with  another  tool   called  Mongbat   •  Mongbat  runs  evader  with  different  evasion   combinaEons  and  collects  results   – Successful  exploits  are  reported  along  with  a   command  line  for  easy  repeatability.   – Takes  packet  captures   – Basically  Mongbat+Evader=Evader  Fuzzer  
Mongbat  Single  Run  
•  Mongbat  randomly  selects  a  number  of   evasions  and  their  parameters  for  each  Evader   execuEon.   – No  special  care  is  taken  to  produce  only  legiEmate   traffic   •  The  vicEm  computer  is  used  to  validate  working   combinaEons    
•  Here  we  present  the  results  of  running  Mongbat   against  9  vendors’  commercial  IPS  devices.  The   vendors  include  most  Gartner  2012  IPS  and  2013   NGFW  Magic  Quadrant  leaders  and  challengers.     •  The  devices  have  up-­‐to-­‐date  so9ware  and   updates  installed.  We  have  aNempted  to   configure  the  devices  for  maximum  detecEon   and  blocking  while  sEll  allowing  the  Evader  clean   check  to  succeed.  
•  We  have  defined  12  evasion  test  cases.  The   tests  are  run  with  Mongbat  so  that  only  the   listed  evasions  are  used.   •   If  working  evasion  is  not  found  in  one  minute   the  test  case  is  marked  as  failed,  otherwise  as   success.      
#   Atomic  Evasions   0   Baseline  aNack  without  evasions   1   Paws  EliminaEon  Evasion   2   SYN  Retransmit  Evasion   3   IPv4  OpEons   4   TCP  Urgent  Data   5   TCP  Receive  Window   6   TCP  SegmentaEon  and  Reordering  (TSR)   Evasion  test  cases  
#   Evasion  CombinaNons   7   TCP  Paws  +  TSR   8   SYN  Retransmit  +  TSR   9   IPv4  OpEons  +  TSR   10   Urgent  Data  +  TSR   11   TCP  Receive  Window  +  TSR   12   All  Listed  Evasions   Evasion  test  cases  
Vendor 0 1 2 3 4 5 6 7 8 9 10 11 12 Vendor1                           Vendor2     x   x   x x   x x x x Vendor3     x               x   x Vendor4   x   x     x x   x x x x Vendor5   x x x       x   x     x Vendor6           x x x   x   x x Vendor7   x x x x x x x   x x x x Vendor8   x x   x x x x   x x x x Vendor9               x     x   x Results  for  MSRPC  without  stages  
Vendor   0   1   2   3   4   5   6   7   8   9   10   11   12   Vendor1                                                       Vendor2           x       x       x   x   x   x   x   x   x   Vendor3           x                   x   x       x       x   Vendor4       x       x           x   x   x   x   x   x   x   Vendor5       x   x   x               x   x   x           x   Vendor6                       x   x   x   x   x   x   x   x   Vendor7       x   x   x   x   x   x   x   x   x   x       x   Vendor8       x   x       x   x   x   x   x   x   x   x   x   Vendor9                               x   x       x       x   Results  for  MSRPC  with  stages  
•  All  vendors  are  able  to  stop  the  MSRPC  exploit   with  no  evasion  applied.  TCP  segmentaEon   and  reordering  by  itself  seem  to  go  through   most  vendors  IPS  devices.  When  this  is   combined  with  segments  desEned  for  PAWS   eliminaEon  and  applied  to  stages  almost  all   vendors’  inspecEon  can  be  bypassed.  
•  The  MSRPC  exploit  requires  mulEple  SMB   requests  and  responses  before  the   vulnerability  can  be  exploited.  This  allows  IPS   devices  to  perform  protocol  validaEon  and   possibly  terminate  evasion  aNempts  during   the  session  setup  phase.  Evasions  using  just  a   small  TCP  receive  window  probably  cause   some  devices  to  lose  protocol  state  due  to  a   failure  in  parsing  server  responses.  
Vendor   0   1   2   3   4   5   6   7   8   9   10   11   12   Vendor1                                                       Vendor2       x   x   x   x   x   x   x       x   x   x   x   Vendor3   x   x       x   x   x   x   x       x   x   x   x   Vendor4       x   x   x   x   x   x   x       x   x   x   x   Vendor5   x   x   x   x   x   x   x   x       x   x   x   x   Vendor6   x   x   x   x   x   x   x   x       x   x   x   x   Vendor7           x       x                       x       x   Vendor8   x   x   x   x   x   x   x   x       x   x   x   x   Vendor9       x   x               x   x           x   x   x   Results  for  HTTP  
•  All  vendors  were  not  able  to  block  the  obfuscated   HTTP  exploit  without  evasions.  The  complete  set  of   test  cases  was  sEll  run  to  see  if  the  devices  block  some   evasions  as  anomalies.  TCP  segmentaEon  and   reordering  was  again  successful  also  over  HTTP,   especially  when  combined  with  TCP  segments   containing  urgent  data.   •  In  cases  when  no  exploit  succeeded  Mongbat  executed   around  500-­‐2000  aNempts  in  the  60  second  test   period.  Most  successful  evasion  combinaEons  were   found  in  1-­‐10  aNempts.  
       DEMO  
Thank  You!     •  QuesEons  &  Comments   –  Olli-­‐Pekka.Niemi@stoneso9.com   –  An;.Levomaki@stoneso9.com   •  Evader  tool  free  download   –  hNp://evader.stoneso9.com  

Recommended

Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiTakashi Yamanoue
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate EspionageUTD Computer Security Group
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilitiesG Prachi
 

Recommended

Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiTakashi Yamanoue
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate EspionageUTD Computer Security Group
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilitiesG Prachi
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloudshira koper
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1Chong-Kuan Chen
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
Network security
Network securityNetwork security
Network securitysyed mehdi raza
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?RIPE NCC
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Securitywolverinetyagi
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationAsep Sopyan
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
Logs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokLogs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokPhil Hagen
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceAsep Sopyan
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersMehrdad Jingoism
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewallMhmud Khraibene
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
How Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network ProtocolHow Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network Protocolssuserc49ec4
 
WEEK-01.pdf
WEEK-01.pdfWEEK-01.pdf
WEEK-01.pdfInfraj1Circle
 

More Related Content

What's hot

Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloudshira koper
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1Chong-Kuan Chen
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?RIPE NCC
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Securitywolverinetyagi
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationAsep Sopyan
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
Logs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokLogs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokPhil Hagen
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceAsep Sopyan
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersMehrdad Jingoism
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 

What's hot (20)

Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
Network security
Network securityNetwork security
Network security
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Security
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Logs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokLogs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to Grok
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of service
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewall
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 

Similar to Us 13-opi-evading-deep-inspection-for-fun-and-shell-slides

How Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network ProtocolHow Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network Protocolssuserc49ec4
 
Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
Scanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxScanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxMahdiHasanSowrav
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptxLlobarro2
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?Rob Gillen
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Nikolay Savvinov
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustionphanleson
 
Overview of IP traceback mechanism
Overview of IP traceback mechanismOverview of IP traceback mechanism
Overview of IP traceback mechanismibnu mubarok
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
After School cyber security class slides - Pat
After School cyber security class slides - PatAfter School cyber security class slides - Pat
After School cyber security class slides - PatDan Winson
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaHai Nguyen
 
Scanning & Penetration Testing
Scanning & Penetration Testing Scanning & Penetration Testing
Scanning & Penetration Testing Deris Stiawan
 

Similar to Us 13-opi-evading-deep-inspection-for-fun-and-shell-slides (20)

How Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network ProtocolHow Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network Protocol
 
WEEK-01.pdf
WEEK-01.pdfWEEK-01.pdf
WEEK-01.pdf
 
Network security basics
Network security basicsNetwork security basics
Network security basics
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet Analysis
 
Scanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxScanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptx
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptx
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustion
 
Overview of IP traceback mechanism
Overview of IP traceback mechanismOverview of IP traceback mechanism
Overview of IP traceback mechanism
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
After School cyber security class slides - Pat
After School cyber security class slides - PatAfter School cyber security class slides - Pat
After School cyber security class slides - Pat
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapela
 
Scanning & Penetration Testing
Scanning & Penetration Testing Scanning & Penetration Testing
Scanning & Penetration Testing
 

Recently uploaded

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 

Recently uploaded (20)

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 

Us 13-opi-evading-deep-inspection-for-fun-and-shell-slides

  • 1. EVADING  DEEP  INSPECTION  FOR   FUN  AND  SHELL  
  • 2. Who  we  are   •  Olli-­‐Pekka  Niemi   –  Chief  Research  Officer,   Stoneso9   •  An;  Levomäki   –  Senior  Vulnerability   Analyst,  Stoneso9  
  • 3. •  IntroducEon  to  evasions   •  Previous  research   •  Evasions  explained   •  Evasion  tesEng  methodology     •  Results     Agenda  
  • 4. •  Network  intrusion  prevenEon  systems  (IPS)     – middleboxes  used  to  protect  hosts  and  services   – analyze  network  traffic  and  aNempt  to  alert  and   terminate  connecEons  that  are  deemed  harmful.   •  Next  GeneraEon  Firewalls  (NGFW)   – Firewalls  with  built  in  IPS  funcEonaliEes   •  We  treat  NGFW  as  IPS  in  this  presentaEon   IPS,  NGFW,  what?  
  • 5. •  Intrusion  PrevenEon  Systems  should    protect   vulnerable  hosts  from  remote  exploits   •  Exploits  can  apply  mulEple  evasion  methods   to  bypass  the  detecEon  capabiliEes  of  the  IPS   and  break  into  the  remote  protected  host  
  • 7. •  Successful  traffic  analysis  requires  that  the  IPS   device  interprets  traffic  in  the  same  way  as   the  host  it  is  protecEng   – TCP/IP  protocols  and  applicaEon  protocols  on  top   of  TCP/IP  are  rich  in  features.   – there  is  a  large  gap  between  how  protocols  should   be  used  and  how  they  can  be  used   Should  vs  Must  
  • 8. •  The  reason  that  evasions  work  is  the  old   robustness  principle  stated  by  Jon  Postel  in   RFC793          “be  conservaEve  in  what  you  do,          be  liberal  in  what  you  accept  from                  others”.     Why  
  • 9. •  We  call  deliberately  sending  traffic  in  a  way   that  is  difficult  to  analyze  by  a  middlebox  an   evasion  technique    
  • 10. •  Aren’t  evasions  just  some  protocol  anomalies   or  malicious  packets…   •    …that  can  be  dropped  by  the  IPS?  
  • 11. •  No.  Some  evasions  can  be  classified  as  an   aNack,  but  most  evasions  are  simply   alternaEve  ways  of  encoding  data.  
  • 12. •  Evasion  is  evasion  only  when  applied  with   aNack.  Blocking  connecEons  based  on  a   potenEal  evasion  without  normalizing  cause   false  posiEves  
  • 13. •  Most  of  IPS  devices  are  throughput  oriented   by  design.  Evasions  work  because   – the  IPS  devices  are  lacking  proper  understanding   and  analysis  of  the  protocol.   – TCP/IP  reassembly  implementaEon  shortcuts  to   favor  packet  throughput   – design  flaws  or  missing  features  
  • 14. •  Have  evasions  been  researched  before?   – Yes.    A  lot.  
  • 15. •  Ptacek,  Newsham:  “InserEon,  Evasion,  and  Denial  of  Service:   Eluding  Network  Intrusion  DetecEon”,  1998.   •  Raffael  Marty,  Thor  –  A  tool  to  test  intrusion  detecEon  systems  by   variaEon  of  aNacks,  2002   •  A.  Samuel  Gorton  and  Terrence  G.  Champion,  Combining  Evasion   Techniques  to  Avoid  Network  Intrusion  DetecEon  Systems,  2004   •  Giovanni  Vigna  William  Robertson  Davide  Balzaro;  :  TesEng   Network-­‐based  Intrusion  DetecEon  Signatures  Using  Mutant   Exploits,  2004     •  Shai  Rubin,  Somesh  Jha,  and  Barton  P.  Miller:  AutomaEc   GeneraEon  and  Analysis  of  NIDS  ANacks,  2004       •  Varghese,  et  al.,  DetecEng  Evasion  ANacks  at  High  Speeds  without   Reassembly,  Sigcomm,  2006.   Academic  Research  
  • 16. •  Horizon,  DefeaEng  Sniffers  and  Intrusion  DetecEon   Systems,  Phrack  Magazine    Issue  54,  1998,  arEcle  10  of   12.   •  Rain  Forest  Puppy:  A  look  at  whisker's  anE-­‐IDS  tacEcs, 1999   •  NIDS  Evasion  Method  named  "SeolMa",  Phrack  57,   Phile  0x03,  2001   •  Daniel  J.  Roelker  ,  HTTP  IDS  Evasions  Revisited,  2003   •  Brian  Caswell,  H  D  Moore,  ThermopEc   Camouflage:Total  IDS  Evasion,  BlackHat,  2006       •  Renaud  Bidou:  IPS  Shortcomings,  BlackHat  2006   Hacker  Research  
  • 17. •  Fragroute(r)  by  Dug  Song  ~1999   •  Robert  Graham:  SideStep,  2000   •  Rain  Forest  Puppy:  Whisker,  libwhisker   •  Raffael  Marty:  Thor,  2002   •  Metasploit  Framework   •  Immunity  Canvas   •  Core  Impact   •  Breaking  Point   •  Libnet   •  Scapy   •  Tcpreplay     •  Karalon   Tools  
  • 18. •  So  Why  do  evasions  sEll  work?  
  • 19. •  Evasion  detecEon  and  normalizaEon  is  difficult   •  Reduce  throughput     •  Anomaly  based  evasion  prevenEon  false  posiEves   •  Throughput-­‐wise  effecEve  packet  based  paNern   matching  miss  aNacks  deploying  evasions   •  Proper  TCP/IP  reassembly  requires  a  lot  of   memory  
  • 20. •  IPS  does  not  know  whether  a  packet  seen     reaches  the  desEnaEon   –  Packet  loss  may  have  occurred   –  Packet  will  be  discarded  by  the  desEnaEon   The  Problem  of  Stream  Reassembly   Packet  loss?   ANacker  
  • 21. •  The  IPS  knows  that  a  packet  reached  the   desEnaEon  when  it  receives   acknowledgement  from  the  desEnaEon     The  Problem  of  Stream  Reassembly   ANacker   ACK  
  • 22. •  The  aNacker  may  cra9  a  packet  that  will  be  dropped  by  the   desEnaEon,  while  the  IPS  is  fooled  to  classify  this  as  normal   (packet  loss)   •  The  aNacker  will  then  send  the  malicious  packet  that  the  IPS   will  pass  along  as  a  retransmission     –  There  are  mulEple  ways  of  doing  this:   •  TTL/IP  opEons/TCP  opEons/checksums   The  Problem  of  Stream  Reassembly   ANacker  
  • 23. •  At  the  point  of  triggering  the  vulnerability,  cra9  a   packet  that  is  not  malicious  looking  and  will  not   exploit  the  target   •  The    packet  will  be  dropped  by  the  target   •  IPS  does  not  know  that   •  Send  the  packet  that  will  compromise  the  target.     •  IPS  treat  this  packet  as  a  resend  due  to  packet   loss  and  passes  the  packet   •  Enjoy  shell  (IPS  does  not  log  anything)   ALack  Strategy  
  • 24. •  IPS  must  keep  every  unacked  packet  in   memory  to  avoid  being  evaded   – It  seems  that  most  do  not,  or  at  least  the   implementaEon  is  faulty   Proper  MiNgaNon  
  • 26. •  Payload  can  be  split  into  segments  of  arbitrary   size     •  Segments  can  be  sent  in  any  order   •  Too  many  small  TCP  segments  might  lead  into   anomaly  based  connecEon  terminaEon.  Apply   segmentaEon  only  when  actually  triggering   the  vulnerability  and/or  to  the  shellcode   – Most  boxes  are  sEll  vulnerable  to  this   TCP  SegmentaNon  and  Reordering  
  • 27. •  The  PAWS  (ProtecEon  Against  Wrapped   Sequence  numbers)  algorithm  is  defined  in   RFC1323   –  uses  TCP  Emestamps  to  drop  segments  that  contain   Emestamps  older  than  the  last  successfully  received   segment.     •  Its  use  as  an  evasion  was  described  already  by   Ptacek  and  Newsham  in  1998     –  SEll  works  against  most  of  today´s  IPS  devices       PAWS    
  • 28. •  PAWS  causes  problems  for  TCP  reassembly   when  the  IPS  does  not  know  which  segments   the  end  hosts  accept  or  discard.   •  TCP  segments  designated  for  PAWS   eliminaEon  can  be  created  by  duplicaEng  a   valid  TCP  header  and  moving  its  Emestamp   value  backwards.  The  actual  payload  can  be   arbitrary,  e.g.,  a  non-­‐malicious  version  of  a   protocol  message.   PAWS    
  • 29. •  Retransmit  SYN  with  first  segment  containing   payload   •  Most  IPS  devices  have  problems  with  the   unexpected  combinaEon  of  a  retransmiNed   SYN  flag  and  new  payload  in  an  established   connecEon   – IPS  devices  are  fooled  by  the  duplicated  SYN  and   pass  connecEon  uninspected   SYN  Retransmit  
  • 30.
  • 31. •  IPv4  packet  headers  can  contain  opEons.  If   any  of  the  opEons  are  invalid,  the  whole  IPv4   packet  should  be  discarded  by  the  receiving   host.  This  can  cause  problems  if  the  inspecEng   device  and  the  end  host  discard  different   packets.   IPv4  OpNons  
  • 32. •  Urgent  pointer  marks  TCP  payload  as  urgent   •  TCP  socket    handle  urgent  data  as  either  inline  or  out-­‐of-­‐ band.   –   Out-­‐of-­‐band  data  is  not  returned  via  normal  recv()  calls  and   gets  discarded  by  applicaEons  that  do  not  use  urgent  data.   Most  operaEng  systems  default  to  out-­‐of-­‐band  urgent  data     •  The  use  of  TCP  urgent  data  as  an  evasion  was  documented   in  Phrack  Magazine  2001.     •  ProblemaEc  for  IPS  devices  because  the  choice  between   handling  data  as  inline  or  out-­‐of-­‐bound  is  applicaEon   specific.   •  Urgent  pointer  evasion  is  sEll  efficient  against  many  IPS   Urgent  
  • 33. •  TCP  receive  window  is  the  amount  of  new   data  that  the  sending  side  is  willing  to  receive.   An  aNacker  can  adverEse  a  small  window  size   to  force  the  other  end  of  the  TCP  connecEon   into  sending  small  segments.     •  This  complements  sending  small  TCP   segments  by  allowing  the  aNacker  to  control   TCP  segment  sizes  in  both  direcEons.       TCP  Receive  Window  
  • 34.
  • 35. •  A  tool  to  test  (NG)?(I[DP]S|FW)  protocol   analysis  and  reassembly  capabiliEes  by   applying  evasions  to  aNacks   •  Does  not  simulate,  does  real  aNacks  against   real  targets   •  Simple  Test  Scenario:  #shell  does  not  lie   – Send  aNack,  if  we  got  the  shell  back,  evasion  was   successful  and  DUT  failed   What  is  Evader  
  • 36. •  Built  on  a  proprietary  TCP/IP  stack.   •  Has  applicaEon  clients  &  servers  for  higher   layer  protocols   Ø Complete  control  over  every  packet  sent.  
  • 37. •  Exploits  are  divided  into  stages   –  Each  stage  corresponds  to  a  step  in  the  applicaEon   protocol   •  Evasions  can  be  targeted  to  all  or  just  a  range  of   stages   Ø TargeEng  to  specific  stages  criEcal  to  IPS   detecEon  makes  anomaly  based  blocking  more   difficult    
  • 39. •  All  exploits  containing  shellcode  can  be  run   ’obfuscated’   – Generates  a  different  shellcode  encoder  and   possible  NOP  sled  for  each  execuEon.   – Makes  exploit  based  detecEon  harder.   •  Normal  versions  aNempt  to  look  like   commonly  found  public  exploits.  
  • 40. •  Evader  contains  known  exploits  that  every  IPS  should  detect   •  CVE-­‐2008-­‐4250,  MSRPC  Server  Service  Vulnerability  [13].   –  A  buffer  overflow  vulnerability  in  Microso9  Windows  allowing  arbitrary  code   execuEon.  Widely  exploited  by  the  Conficker  worm.     –  Evader  targets  a  Windows  XP  SP2  host.   –  Protocols  used:  IP,  TCP,  NetBIOS,  SMB,  MSRPC.   •  CVE-­‐2004-­‐1315,  HTTP  phpBB  highlight   –  Input  sanitaEon  vulnerability  in  phpBB  allowing  arbitrary  PHP  execuEon.   Exploited  by  the  Santy.A  worm  in  2004.   –  Protocols  used:  IP,  TCP,  HTTP   •  CVE-­‐2012-­‐0002,  Windows  RDP  Denial  of  Service  [14].   –  Vulnerability  in  the  Remote  Desktop  Protocol  implementaEon  in  Microso9   Windows.     –  Exploit  in  Evader  crashes  unpatched  Windows  7  hosts.   –  Protocols  used:  IP,  TCP,  RDP    
  • 41. •  In  theory,  for  the  selected  exploit,  the  Evader   could  produce  every  possible  data  stream   transmi;ng  the  payload,  but  in  pracEce  this   cannot  be  tested  since  there  are  virtually   endless  amount  of  combinaEons  and  stage   permutaEons.    
  • 42. •  When  evasions  are  not  used,  IPS/NGFW   devices  detect  and  terminate  the  aNack   •  With  proper  evasions    applied,  IPS/NGFW   start  to  Fail   – Does  not  detect  anything   – Detect  something  that  cannot  be  terminated  due   to  risk  for  false  posiEve   – Detect  aNack,  claims  to  terminate  but  fails   terminaEon  
  • 43. •  Evader  can  be  automated  with  another  tool   called  Mongbat   •  Mongbat  runs  evader  with  different  evasion   combinaEons  and  collects  results   – Successful  exploits  are  reported  along  with  a   command  line  for  easy  repeatability.   – Takes  packet  captures   – Basically  Mongbat+Evader=Evader  Fuzzer  
  • 45. •  Mongbat  randomly  selects  a  number  of   evasions  and  their  parameters  for  each  Evader   execuEon.   – No  special  care  is  taken  to  produce  only  legiEmate   traffic   •  The  vicEm  computer  is  used  to  validate  working   combinaEons    
  • 46. •  Here  we  present  the  results  of  running  Mongbat   against  9  vendors’  commercial  IPS  devices.  The   vendors  include  most  Gartner  2012  IPS  and  2013   NGFW  Magic  Quadrant  leaders  and  challengers.     •  The  devices  have  up-­‐to-­‐date  so9ware  and   updates  installed.  We  have  aNempted  to   configure  the  devices  for  maximum  detecEon   and  blocking  while  sEll  allowing  the  Evader  clean   check  to  succeed.  
  • 47. •  We  have  defined  12  evasion  test  cases.  The   tests  are  run  with  Mongbat  so  that  only  the   listed  evasions  are  used.   •   If  working  evasion  is  not  found  in  one  minute   the  test  case  is  marked  as  failed,  otherwise  as   success.      
  • 48. #   Atomic  Evasions   0   Baseline  aNack  without  evasions   1   Paws  EliminaEon  Evasion   2   SYN  Retransmit  Evasion   3   IPv4  OpEons   4   TCP  Urgent  Data   5   TCP  Receive  Window   6   TCP  SegmentaEon  and  Reordering  (TSR)   Evasion  test  cases  
  • 49. #   Evasion  CombinaNons   7   TCP  Paws  +  TSR   8   SYN  Retransmit  +  TSR   9   IPv4  OpEons  +  TSR   10   Urgent  Data  +  TSR   11   TCP  Receive  Window  +  TSR   12   All  Listed  Evasions   Evasion  test  cases  
  • 50. Vendor 0 1 2 3 4 5 6 7 8 9 10 11 12 Vendor1                           Vendor2     x   x   x x   x x x x Vendor3     x               x   x Vendor4   x   x     x x   x x x x Vendor5   x x x       x   x     x Vendor6           x x x   x   x x Vendor7   x x x x x x x   x x x x Vendor8   x x   x x x x   x x x x Vendor9               x     x   x Results  for  MSRPC  without  stages  
  • 51. Vendor   0   1   2   3   4   5   6   7   8   9   10   11   12   Vendor1                                                       Vendor2           x       x       x   x   x   x   x   x   x   Vendor3           x                   x   x       x       x   Vendor4       x       x           x   x   x   x   x   x   x   Vendor5       x   x   x               x   x   x           x   Vendor6                       x   x   x   x   x   x   x   x   Vendor7       x   x   x   x   x   x   x   x   x   x       x   Vendor8       x   x       x   x   x   x   x   x   x   x   x   Vendor9                               x   x       x       x   Results  for  MSRPC  with  stages  
  • 52. •  All  vendors  are  able  to  stop  the  MSRPC  exploit   with  no  evasion  applied.  TCP  segmentaEon   and  reordering  by  itself  seem  to  go  through   most  vendors  IPS  devices.  When  this  is   combined  with  segments  desEned  for  PAWS   eliminaEon  and  applied  to  stages  almost  all   vendors’  inspecEon  can  be  bypassed.  
  • 53. •  The  MSRPC  exploit  requires  mulEple  SMB   requests  and  responses  before  the   vulnerability  can  be  exploited.  This  allows  IPS   devices  to  perform  protocol  validaEon  and   possibly  terminate  evasion  aNempts  during   the  session  setup  phase.  Evasions  using  just  a   small  TCP  receive  window  probably  cause   some  devices  to  lose  protocol  state  due  to  a   failure  in  parsing  server  responses.  
  • 54. Vendor   0   1   2   3   4   5   6   7   8   9   10   11   12   Vendor1                                                       Vendor2       x   x   x   x   x   x   x       x   x   x   x   Vendor3   x   x       x   x   x   x   x       x   x   x   x   Vendor4       x   x   x   x   x   x   x       x   x   x   x   Vendor5   x   x   x   x   x   x   x   x       x   x   x   x   Vendor6   x   x   x   x   x   x   x   x       x   x   x   x   Vendor7           x       x                       x       x   Vendor8   x   x   x   x   x   x   x   x       x   x   x   x   Vendor9       x   x               x   x           x   x   x   Results  for  HTTP  
  • 55. •  All  vendors  were  not  able  to  block  the  obfuscated   HTTP  exploit  without  evasions.  The  complete  set  of   test  cases  was  sEll  run  to  see  if  the  devices  block  some   evasions  as  anomalies.  TCP  segmentaEon  and   reordering  was  again  successful  also  over  HTTP,   especially  when  combined  with  TCP  segments   containing  urgent  data.   •  In  cases  when  no  exploit  succeeded  Mongbat  executed   around  500-­‐2000  aNempts  in  the  60  second  test   period.  Most  successful  evasion  combinaEons  were   found  in  1-­‐10  aNempts.  
  • 56.        DEMO  
  • 57. Thank  You!     •  QuesEons  &  Comments   –  Olli-­‐Pekka.Niemi@stoneso9.com   –  An;.Levomaki@stoneso9.com   •  Evader  tool  free  download   –  hNp://evader.stoneso9.com