CEH v8 Module 17: Evading IDS, Firewalls, and Honeypots


  1. Evading IDS, Firewalls, and Honeypots: Module 17
  2. Ethical Hacking and Countermeasures v8, Module 17: Evading IDS, Firewalls, and Honeypots. Exam 312-50 Certified Ethical Hacker. "Engineered by Hackers. Presented by Professionals." Module 17 Page 2550. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News: Russian Service Rents Access To Hacked Corporate PCs (October 23, 2012, 12:30 PM). Source: http://www.informationweek.com
     Service provides stolen remote desktop protocol credentials, letting buyers remotely log in to corporate servers and PCs, bypassing numerous security defenses.
     Want to infiltrate a business? An online service sells access credentials for some of the world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a corporate firewall.
     That finding comes by way of a new report from information security reporter Brian Krebs, who's discovered a Russian-language service that traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft standard that allows for a remote computer to be controlled via a graphical user interface. The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.
  4. Here's how Dedicatexpress.com works: Hackers submit their stolen RDP credentials to the service, which pays them a commission for every rental. According to a screen grab published by Krebs, the top submitters are "lopster," with 12,254 rentals, followed by "_sz_", with 6,645 rentals. Interestingly, submitters can restrict what the machines may be used for; for example, specifying that machines aren't to be used to run online gambling operations or PayPal scams, or that they can't be run with administrator-level credentials.
     New users pay $20 to join the site, after which they can search for available PC and server RDP credentials. Rental prices begin at just a few dollars and vary based on the machine's processor speed, upload and download bandwidth, and the length of time that the machine has been consistently available online.
     According to Krebs, the site's managers have said they won't traffic in Russian RDP credentials, suggesting that the site's owners are based in Russia and don't wish to antagonize Russian authorities. According to security experts, Russian law enforcement agencies typically turn a blind eye to cybercrime gangs operating inside their borders, providing they don't target Russians, and these gangs in fact occasionally assist authorities.
     When reviewing the Dedicatexpress.com service, Krebs said he quickly discovered that access was being rented, for $4.55, to a system that was listed in the Internet address space assigned to Cisco, and that several machines in the IP address range assigned to Microsoft's managed hosting network were also available for rent. In the case of Cisco, the RDP credentials (username and password) were both "Cisco." Krebs reported that a Cisco source told him the machine in question was a "bad lab machine."
     As the Cisco case highlights, poor username and password combinations, combined with remote-control applications, give attackers easy access to corporate networks. Still, even complex usernames and passwords may not stop attackers. Since Dedicatexpress.com was founded in 2010, it's offered access to about 300,000 different systems in total, according to Krebs. Interestingly, 2010 was the same year that security researchers first discovered the Georbot Trojan application, which scans PCs for signs that remote-control software has been installed and then captures and transmits related credentials to attackers. Earlier this year, security researchers at ESET found that when a Georbot-infected PC was unable to contact its designated command-and-control server to receive instructions or transmit stolen data, it instead contacted a server based in the country of Georgia.
     When it comes to built-in remote access to Windows machines, RDP technology was first included in the Windows XP Professional (but not Home) version of the operating system, and it has been included in every edition of Windows released since then. The current software is dubbed Remote Desktop Services (for servers) and Remote Desktop Connection (for clients). Might Windows 8 security improvements help prevent unauthorized people from logging onto PCs using stolen remote desktop protocol credentials? That's not likely, since Microsoft's new operating system (set to debut later this week) includes the latest version, Remote Desktop Protocol 8.0, built in.
  5. Microsoft has also released a free Windows 8 Remote Desktop application, filed in the "productivity" section of the Windows Store. According to Microsoft, "the new Metro-style Remote Desktop app enables you to conveniently access your PC and all of your corporate resources from anywhere."
     "As many of you already know, a salient feature of Windows Server 2012 and Windows 8 is the ability to deliver a rich user experience for remote desktop users on corporate LAN and WAN networks," read a recent blog post from Shanmugam Kulandaivel, a senior program manager in Microsoft's Remote Desktop Virtualization team.
     Despite such capabilities now being built into numerous operating systems, including Linux and Mac OS X, many security experts recommend deactivating or removing such tools when they're not needed. "Personally, I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface," said Wolfgang Kandek, CTO of Qualys. He made those comments earlier this year, after the source code for Symantec's pcAnywhere Windows remote-access software was leaked to the Internet by hacktivists. Security experts were concerned that attackers might discover an exploitable zero-day vulnerability in the remote-access code, which would allow them to remotely access any machine that had the software installed.
     Copyright © 2012 UBM Tech. By Mathew J. Schwartz. http://www.informationweek.com/security/attacks/russian-service-rents-access-to-hackedc/240009580
  6. Module Objectives: Ways to Detect an Intrusion; Types of Intrusion Detection Systems; General Indications of Intrusions; Firewall Architecture; Types of Firewall; Firewall Identification; Packet Fragment Generators; Intrusion Detection Tools; How Snort Works; Firewalls; Honeypot Tools; Evading IDS; Evading Firewalls; Detecting Honeypots; Firewall Evasion Tools; How to Set Up a Honeypot; Countermeasures; Firewall/IDS Penetration Testing.
     Today, hacking and computer system attacks are common, making intrusion detection and active protection all the more relevant. Intrusion detection systems (IDSes), intrusion prevention systems (IPSes), firewalls, and honeypots are the security mechanisms implemented to secure networks and systems. Attackers, however, use a variety of evasion techniques to get past even these mechanisms and break into the legitimate system or network. This module will familiarize you with each of the topics listed above.
  7. Module Flow: To understand the evasion techniques attackers use to get through IDSes, firewalls, and honeypots into a target network or system, it is first necessary to understand these mechanisms and how they prevent intrusions and offer protection. So, let us begin with basic IDS, firewall, and honeypot concepts.
     Flow of the module: IDS, Firewall and Honeypot Concepts; IDS, Firewall and Honeypot System; Evading IDS; Evading Firewall; Detecting Honeypots; Firewall Evading Tools; Countermeasures; Penetration Testing.
     This section introduces the basic IDS, firewall, and honeypot concepts.
  8. Intrusion Detection Systems (IDS) and their Placement
     - An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse.
     - An IDS is also referred to as a "packet sniffer": it intercepts packets traveling along various communication media and protocols, usually TCP/IP.
     - The packets are analyzed after they are captured.
     - The IDS filters traffic for signatures that match intrusions and signals an alarm when a match is found.
     An intrusion detection system is used to monitor networks or systems for malicious activity and to protect them. IDSes are highly useful for alerting security personnel about intrusions: an IDS monitors network traffic, checks for suspicious activity, and notifies the administrator about an intrusion immediately. The IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
  9. FIGURE 17.1: Intrusion Detection Systems (IDSes) and their Placement (diagram; labels: User, Intranet)
  10. How an IDS Works. Stages shown on the slide: Signature file comparison; Anomaly detection; Stateful protocol analysis; Action rule (alarm notifies the admin and the packet can be dropped; connections are cut down from that IP source; packet is dropped); Switch.
     The main purpose of an IDS is not only to prevent intrusions but also to alert the administrator immediately, while the attack is still going on, so that the administrator can identify the methods and techniques being used by the intruder and the source of the attack. An IDS works in the following way:
     - IDSes have sensors to detect signatures, and some advanced IDSes also have behavioral activity detection to determine malicious behavior. Even if no signature matches, this activity detection can alert administrators about possible attacks.
     - A packet is first compared against the signature file. If a signature matches, the action rule is applied: connections from that IP source are cut down, the packet is dropped, and an alarm notifies the admin. Otherwise the packet moves on to the next step.
     - After the signature comparison, the sensors pass the packet on to anomaly detection, which checks whether the received packet or request fits the expected behavior.
     - If the packet passes the anomaly stage, stateful protocol analysis is done. After that, the packets are passed on to the network through the switch. If anything mismatches again, the connections are cut down from that IP source, the packet is dropped, and the alarm notifies the admin.
  11. FIGURE 17.2: How an IDS Works (diagram; labels: IDS Preprocessor, Signature file comparison, Switch)
  12. Ways to Detect an Intrusion
     - Signature Recognition: also known as misuse detection. Signature recognition tries to identify events that misuse a system.
     - Anomaly Detection: detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system.
     - Protocol Anomaly Detection: in this type of detection, models are built to explore anomalies in the way vendors deploy the TCP/IP specification.
     An intrusion is detected in three ways.
     Signature Detection: Signature recognition is also known as misuse detection. It tries to identify events that indicate an abuse of a system. It is achieved by creating models of intrusions. Incoming events are compared with the intrusion models to make a detection decision. While creating signatures, the model must detect an attack without disturbing the normal traffic on the system. Attacks, and only attacks, should match the model, or else false alarms can be generated.
     - The simplest form of signature recognition uses simple pattern matching to compare the network packets against binary signatures of known attacks. A binary signature may be defined for a specific portion of the packet, such as the TCP flags.
     - Signature recognition can detect known attacks. However, there is a possibility that other packets that happen to match the signature will trigger bogus alerts. Signatures can be customized, so well-informed users can create their own.
     - Signatures that are formed improperly may trigger bogus alerts. To detect misuse, the number of signatures required is huge. The more signatures there are, the more attacks can be detected, though traffic may incorrectly match the signatures, reducing the performance of the system.
     - The bandwidth of the network is consumed as the signature database grows. As the signatures are compared against those in the database, there is a probability that the maximum number of comparisons cannot be made, resulting in certain packets being dropped.
     - New virus attacks such as ADMutate and Nimda create the need for multiple signatures for a single attack. Changing a single bit in some attack strings can invalidate a signature and create the need for an entirely new signature.
     - Despite the problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.
  13. Anomaly Detection: Anomaly detection is otherwise called "not-use detection." Anomaly detection differs from the signature recognition model. The model consists of a database of anomalies; any event that matches the database is considered an anomaly, and any deviation from normal use is labeled an attack. Creating a model of normal use is the most difficult task in building an anomaly detector.
     - In the traditional method of anomaly detection, important data is kept for checking variations in network traffic against the model. However, in reality there is less variation in network traffic and too many statistical variations, making these models imprecise; some events labeled as anomalies might only be irregularities in network usage.
     - In this type of approach, the inability to train a model thoroughly on the normal network is of grave concern. These models should be trained on the specific network that is to be policed.
     Protocol Anomaly Detection: Protocol anomaly detection is based on the anomalies specific to a protocol. This model has been integrated into the IDS model only recently. It identifies TCP/IP protocol-specific flaws in the network. Protocols are created with specifications, known as RFCs, that dictate proper use and communication. The protocol anomaly detector can identify new attacks.
     - New attack methods and exploits that violate protocol standards are being discovered frequently.
     - The pace at which attackers produce new malicious signatures is incredibly fast. The network protocols, in comparison, are well defined and change slowly. Therefore, a signature database must be updated frequently to detect attacks.
     - Protocol anomaly detection systems are easier to use because they require no signature updates.
  14. - Protocol anomaly detectors are different from the traditional IDS in how they present alarms.
     - The best way to present alarms is to explain which part of the state machine was compromised. For this, the IDS operators have to have a thorough knowledge of the protocol design; the best resource is the documentation provided by the IDS.
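The stages on slides 10, 12 and 13 (signature file comparison, anomaly detection against a baseline trained on the policed network, protocol and stateful analysis, and the action rule that cuts connections from the offending source) fit together in one pipeline. The Python below is an added example written for this edit, not code from the courseware or from any IDS product: the packet records, the signature list, the training counts, the `mean + 3 * stddev` rate rule and the flag rules are all constructed assumptions, and a real sensor would read packets from a capture interface rather than from dicts.

```python
"""Toy multi-stage IDS: signature comparison, anomaly detection, protocol and
stateful analysis, then an action rule. Added example, not courseware code;
packets are constructed dicts, a real sensor would read them from a capture
interface."""
from collections import Counter
from statistics import mean, pstdev

# Stage 1: payload signatures of known attacks (constructed list; the phf CGI
# probe is the "well-known hole" the courseware names).
SIGNATURES = [
    ("phf-cgi-probe", b"/cgi-bin/phf"),
    ("nimda-root-exe", b"/scripts/root.exe"),
]


def pkt(src, dst="10.0.0.1", dport=80, flags=("SYN",), payload=b""):
    """Build a minimal packet record (constructed test data)."""
    return {"src": src, "dst": dst, "dport": dport,
            "flags": set(flags), "payload": payload}


def match_signature(p):
    for name, pattern in SIGNATURES:
        if pattern in p["payload"]:
            return name
    return None


def train_rate_threshold(normal_packets, k=3.0):
    """Stage 2 baseline: packets per source in a normal window. A source that
    sends more than mean + k*stddev packets is anomalous (k is an assumption)."""
    counts = list(Counter(p["src"] for p in normal_packets).values())
    return mean(counts) + k * pstdev(counts)


def protocol_anomaly(p):
    """Stage 3a: TCP flag combinations an RFC 793-conformant stack never emits."""
    f = p["flags"]
    if not f:
        return "null-flags"
    if {"SYN", "FIN"} <= f:
        return "syn-fin"
    if not f & {"SYN", "ACK", "RST"}:
        return "ack-bit-missing"   # every non-SYN, non-RST segment carries ACK
    return None


def inspect(packets, rate_threshold):
    """Run one capture window through the pipeline.

    Returns (alerts, forwarded): alerts are (stage, reason, source) tuples,
    forwarded are the packets that reached the switch."""
    alerts, forwarded = [], []
    per_source = Counter(p["src"] for p in packets)
    handshakes = set()      # (src, dst, dport) flows that started with a SYN
    cut_sources = set()     # action rule: connections cut down from that IP

    def block(stage, reason, p):
        alerts.append((stage, reason, p["src"]))
        cut_sources.add(p["src"])

    for p in packets:
        if p["src"] in cut_sources:
            continue                      # dropped: source already cut down
        sig = match_signature(p)
        if sig:
            block("signature", sig, p)
            continue
        if per_source[p["src"]] > rate_threshold:
            block("anomaly", "packet-rate", p)
            continue
        bad = protocol_anomaly(p)
        if bad:
            block("protocol", bad, p)
            continue
        flow = (p["src"], p["dst"], p["dport"])
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            handshakes.add(flow)          # stateful: remember the handshake
        elif p["payload"] and flow not in handshakes:
            block("stateful", "data-without-handshake", p)
            continue
        forwarded.append(p)
    return alerts, forwarded


def demo():
    """Constructed traffic that exercises every stage once."""
    normal = ([pkt("10.0.1.1")] * 5 + [pkt("10.0.1.2")] * 6
              + [pkt("10.0.1.3")] * 5 + [pkt("10.0.1.4")] * 8)
    threshold = train_rate_threshold(normal)          # about 9.67 packets
    window = [
        pkt("10.0.0.5"),
        pkt("10.0.0.5", flags=("ACK", "PSH"), payload=b"GET / HTTP/1.0\r\n"),
        pkt("10.0.0.6"),
        pkt("10.0.0.6", flags=("ACK", "PSH"), payload=b"GET /cgi-bin/phf HTTP/1.0\r\n"),
        *[pkt("10.0.0.7", dport=port) for port in range(20, 40)],   # 20 SYNs
        pkt("10.0.0.8", flags=("SYN", "FIN")),
        pkt("10.0.0.9", flags=("ACK", "PSH"), payload=b"GET /admin HTTP/1.0\r\n"),
    ]
    return inspect(window, threshold)


if __name__ == "__main__":
    found, passed = demo()
    for alert in found:
        print(*alert)
    print(len(passed), "packets forwarded to the switch")
```

`demo()` returns four alerts, one per stage, and forwards only the three packets that cleared every stage. The rate threshold is trained on the sample "normal" window, which is the point slide 13 makes: a baseline learned on some other network would make the anomaly stage either silent or noisy.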
  15. Types of Intrusion Detection Systems
     - Network-Based Intrusion Detection: these mechanisms typically consist of a black box that is placed on the network in promiscuous mode, listening for patterns indicative of an intrusion.
     - Host-Based Intrusion Detection: these mechanisms usually include auditing for events that occur on a specific host. They are not as common, due to the overhead they incur by having to monitor each system event.
     - Log File Monitoring: these mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.
     - File Integrity Checking: these mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there; for example, Tripwire.
     Basically, there are four types of intrusion detection systems available:
     Network-based Intrusion Detection: The NIDS checks every packet entering the network for the presence of anomalies and incorrect data. Unlike firewalls, which are confined to filtering data packets with obviously malicious content, the NIDS checks every packet thoroughly. An NIDS captures and inspects all traffic, regardless of whether it is permitted. Based on the content, at either the IP or the application level, an alert is generated. Network-based intrusion detection systems tend to be more distributed than host-based IDSes. The NIDS is basically designed to identify anomalies at the router and host level. The NIDS audits the information contained in the data packets, logging information about malicious packets. A threat level is assigned to each risk after the data packets are received; the threat level enables the security team to be on alert. These mechanisms typically consist of a black box that is placed on the network in promiscuous mode, listening for patterns indicative of an intrusion.
  16. Host-based Intrusion Detection: In the host-based system, the IDS analyzes each system's behavior. The HIDS can be installed on any system, ranging from a desktop PC to a server. The HIDS is more versatile than the NIDS. One example of a host-based system is a program that operates on a system and receives application or operating system audit logs. These programs are highly effective for detecting insider abuses. Residing on the trusted network systems themselves, they are close to the network's authenticated users. If one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information promptly. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. HIDSes are more focused on changing aspects of the local systems. HIDS is also more platform-centric, with more focus on the Windows OS, but there are other HIDSes for UNIX platforms. These mechanisms usually include auditing for events that occur on a specific host. They are not as common, due to the overhead they incur by having to monitor each system event.
     Log File Monitoring: A Log File Monitor (LFM) monitors log files created by network services. The LFM IDS searches through the logs and identifies malicious events. In a similar manner to the NIDS, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the "phf" attack. An example is swatch. These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.
     File Integrity Checking: These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there; for example, Tripwire.
  17. System Integrity Verifiers (SIV): Tripwire is a System Integrity Verifier (SIV) that monitors system files and detects changes made by an intruder. Source: http://www.tripwire.com
     A System Integrity Verifier (SIV) monitors system files to determine whether an intruder has changed them. An integrity monitor watches key system objects for changes. For example, a basic integrity monitor uses system files or registry keys to track changes by an intruder. Although they have limited functionality, integrity monitors can add an additional layer of protection to other forms of intrusion detection.
     FIGURE 17.3: System Integrity Verifiers (SIV) Screenshot (Tripwire console listing monitored nodes grouped by type, location and service, with Severity, Modification, Change type and Current Version columns)
  18. General Indications of Intrusions. Following are the general indications of intrusions:
     File System Intrusions: By observing the system files, you can identify the presence of an intruder. The system files record the activities of the system. Any modification or deletion of file attributes, or of the file itself, is a sign that the system was the target of an attack:
     - If you find new, unknown files or programs on your system, there is a possibility that your system has been intruded upon. The system can be compromised to the point that it can in turn compromise other systems in your network.
     - When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. Once the intruder obtains Administrator privileges, he or she changes file permissions, for example, from Read-Only to Write.
     - Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all of your system files.
     - The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
  19. - You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
     - Missing files are also a sign of a probable intrusion or attack.
     Network Intrusions:
     - A sudden increase in bandwidth consumption is an indication of intrusion.
     - Repeated probes of the available services on your machines.
     - Connection requests from IPs other than those in the network range indicate that an unauthenticated user (intruder) is attempting to connect to the network.
     - You can identify repeated attempts to log in from remote machines.
     - Arbitrary log data in log files indicates attempts at denial-of-service attacks, bandwidth consumption, and distributed denial-of-service attacks.
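A minimal Tripwire-style integrity check that turns the file-system indications on slides 18 and 19 (new unknown files, permissions changed from read-only to writable, changed size or content, rogue setuid/setgid files, missing files) and the File Integrity Checking mechanism on slide 16 into a baseline-and-diff routine. This is an added Python example written for this edit, not Tripwire's or the courseware's code; it builds a throwaway temporary directory with constructed files, simulates the changes the slides describe, and assumes a POSIX host so that the setuid bit can be set.

```python
"""Tripwire-style integrity check: snapshot mode bits, size and SHA-256 of
every regular file under a root, then diff a later snapshot against the
baseline. Added example (not Tripwire's or the courseware's code); the files
and the "intruder" changes are constructed; assumes POSIX for the setuid bit."""
import hashlib
import os
import stat
import tempfile

SUID_SGID = stat.S_ISUID | stat.S_ISGID


def snapshot(root):
    """Map relative path -> {mode, size, sha256} for regular files under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                  # symlinks, devices etc. are skipped here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "sha256": digest,
            }
    return base


def compare(baseline, current):
    """Classify differences the way the 'file system intrusions' list does."""
    report = {"added": [], "removed": [], "modified": [],
              "permissions_changed": [], "new_setuid_setgid": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
            if new["mode"] & SUID_SGID:
                report["new_setuid_setgid"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old["sha256"] != new["sha256"] or old["size"] != new["size"]:
                report["modified"].append(rel)
            if old["mode"] != new["mode"]:
                report["permissions_changed"].append(rel)
                if new["mode"] & SUID_SGID and not old["mode"] & SUID_SGID:
                    report["new_setuid_setgid"].append(rel)
    return report


def _write(root, rel, data, mode):
    """Create or overwrite a file with the given content and mode bits."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Take a baseline, simulate an intruder, and return the diff report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary", 0o755)
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o444)
        _write(root, "etc/motd", b"welcome\n", 0o644)
        baseline = snapshot(root)
        # Simulated intruder activity (constructed, mirrors slides 18 and 19):
        _write(root, "bin/ls", b"trojaned ls binary!!", 0o755)   # replaced binary
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)        # read-only -> writable
        _write(root, "tmp/.hidden", b"rogue helper", 0o4755)     # new setuid file
        os.remove(os.path.join(root, "etc/motd"))                 # file deleted
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:20s} {paths}")
```

A production deployment keeps the baseline off the monitored host (or signed) so an intruder who gains administrative access cannot simply regenerate it; the comparison logic stays the same.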
20. General Indications of System Intrusions

- Short or incomplete logs
- Unusual graphic displays or text messages
- Unusually slow system performance
- Modifications to system software and configuration files
- Missing logs or logs with incorrect permissions or ownership
- System crashes or reboots
- Gaps in the system accounting
- Unfamiliar processes

To check whether the system has been attacked, you need to check certain parameters that clearly indicate the presence of an intruder on the system. When an intruder breaks into the system, he or she attempts to hide his or her presence by modifying the very system files and configurations that would indicate the intrusion. Certain signs of intrusion include:

- The system fails to identify a valid user
- Active access to unused logins
- Logins during non-working hours
- New user accounts other than the accounts the administrator created
- Modifications to system software and configuration files made with administrator access, and the presence of hidden files
- Gaps in system audit files; a gap that at first suggests the system was idle for that period may actually indicate that the intruder has attempted to erase the audit trail
- The system's performance decreases drastically, with unexplained CPU time consumption
- The system crashes suddenly and reboots without user intervention
21.

- The system logs are too short and incomplete
- Timestamps of system logs are modified or contain strange inputs
- Permissions on the logs are changed, including the ownership of the logs
- System logs are deleted
- System performance is abnormal; the system responds in unfamiliar ways
- Unknown processes are observed on the system
- Unusual display of graphics, pop-ups, and text messages
22. Firewall

A firewall is hardware and/or software designed to prevent unauthorized access to or from a private network. It is placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls examine all messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports.

Firewalls

A firewall is a set of related programs located at the network gateway server that protects the resources of a private network from users on other networks. Firewalls are a set of tools that monitor the flow of traffic between networks. A firewall, placed at the network level and working closely with a router, filters all network packets to determine whether or not to forward them toward their destinations. A firewall is installed in front of the rest of the network so that no incoming request can reach a private network resource directly. If configured properly, systems on one side of the firewall are protected from systems on the other side.

- A firewall is an access-control mechanism, not an intrusion detection system: it enforces an organization's security policy on traffic, and its settings can be changed to adjust what the firewall permits. Detecting attacks inside the traffic the firewall allows is the job of an IDS.
- Firewalls can be configured to restrict incoming traffic to specific services, for example allowing only the mail protocols (POP3 and SMTP) so that email continues to work while everything else is blocked. Some firewalls block email services altogether to protect against spam.
23.

- Firewalls can be configured to inspect inbound traffic at a single point, the "choke point," where the security audit is performed. The firewall can also act as an active "phone tap" in identifying an intruder's attempts to dial into modems within the network that the firewall secures. The firewall logs record, for the administrator, all attempts to use the various incoming services.
- The firewall verifies incoming and outgoing traffic against the firewall rules. It acts as a router to move data between networks, and it manages the access of private networks to host applications.
- All attempts to log in to the network are recorded for auditing. Unauthorized attempts can be flagged by configuring an alarm that is triggered when an unauthorized user attempts to log in.

Firewalls can filter packets based on address and on type of traffic. When address filtering, they identify the source and destination addresses and port numbers; when protocol filtering, they identify the type of network traffic. Firewalls can also identify the state and attributes of the data packets.

FIGURE 17.4: Working of a Firewall (legend: check mark = specified traffic allowed; X = restricted unknown traffic)
24. Firewall Architecture

Bastion Host:
- A bastion host is a computer system designed and configured to protect network resources from attack.
- Traffic entering or leaving the network passes through the firewall, which has two interfaces: a public interface directly connected to the Internet, and a private interface connected to the intranet.

Screened Subnet:
- The screened subnet or DMZ (additional zone) contains hosts that offer public services.
- The DMZ responds to public requests and contains no hosts that the private network depends on.
- The private zone cannot be accessed by Internet users.

Multi-homed Firewall:
- In this case, a firewall with three or more interfaces is present, which allows the systems to be further subdivided based on the specific security objectives of the organization.

Firewall Architecture

Firewall architecture consists of the following elements:

Bastion host

The bastion host is designed for the purpose of defending against attacks. It acts as a mediator between the inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attack. Traffic entering or leaving the network passes through it, and it has two interfaces:

- A public interface directly connected to the Internet
- A private interface connected to the intranet

FIGURE 17.5: Bastion Host Architecture (Internet, bastion host, intranet)
25. Screened subnet

A screened subnet is a network architecture that uses a single firewall with three network interfaces. The first interface connects to the Internet, the second to the DMZ, and the third to the intranet. The main advantage of the screened subnet is that it separates the DMZ and the Internet from the intranet, so that a compromise of a host in the DMZ does not by itself give access to the intranet.

- The screened subnet or DMZ (additional zone) contains hosts that offer public services
- The public zone is directly connected to the Internet and has no hosts controlled by the organization
- The private zone has systems that Internet users have no business accessing

FIGURE 17.6: Screened Subnet Architecture

Multi-homed firewall

A multi-homed firewall generally refers to a firewall with two or more network interfaces, each connected logically and physically to a separate network segment. A multi-homed firewall is used to increase the efficiency and reliability of an IP network. In this case, three or more interfaces are present, which allows the systems to be further subdivided based on the specific security objectives of the organization.

FIGURE 17.7: Multi-Homed Firewall Architecture (Internet, firewall, intranet)
26. Demilitarized Zone (DMZ)

A DMZ is a network that serves as a buffer between the internal secure network and the insecure Internet. It can be created using a firewall with three or more network interfaces assigned specific roles: the internal trusted network, the DMZ network, and the external untrusted network (Internet).

The DMZ is a host computer or a network placed as a neutral network between a firm's internal (private) network and the outside (public) network, to prevent outside users from reaching the company's private data directly. Hosts in the DMZ answer requests from the Internet; the traffic the firewall allows from the DMZ into the internal network should be limited to the few flows those public services genuinely need, since a compromised DMZ host is the usual starting point for an attack on the internal network.
27. FIGURE 17.8: Demilitarized Zone (DMZ) (firewall with Internet, intranet, and DMZ interfaces)
28. Types of Firewalls

A firewall refers to a hardware device or a software program used in a system to prevent malicious information from passing through while allowing only the approved information. Firewalls are mainly categorized into four types:

- Packet filters
- Circuit-level gateways
- Application-level gateways
- Stateful multilayer inspection firewalls
29. Packet Filtering Firewall

Packet filtering firewalls work at the network layer of the OSI model (the IP layer of TCP/IP); they are usually part of a router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. Rules can include the source and destination IP address, the source and destination port number, and the protocol used.

A packet filtering firewall examines each individual packet passing through it and decides whether to pass the packet or drop it. As the name suggests, packet-filter-based firewalls concentrate on individual packets, analyzing their header information and the direction in which they are travelling. Traditional packet filters make the decision based on the following information:

- Source IP address: used to check whether the packet comes from a valid source. The source IP address is read from the IP header of the packet.
- Destination IP address: used to check whether the packet is going to an acceptable destination, and whether that destination accepts this type of packet. The destination IP address is read from the IP header of the packet.
- Source TCP/UDP port: used to check the source port of the packet.
- Destination TCP/UDP port: used to check the destination port, which identifies the service being requested, and thus which services are allowed and which are denied.

30.

- TCP code bits: used to check whether the packet has the SYN, ACK, or other flags set, that is, whether it is opening a new connection or claims to belong to an existing one.
- Protocol in use: used to check whether the protocol the packet carries should be allowed. Some networks, for example, do not allow UDP.
- Direction: used to check whether the packet is entering or leaving through the packet filter firewall.
- Interface: used to check which interface the packet arrived on, and so whether it comes from an untrusted network.

FIGURE 17.9: Packet Filtering Firewall (filtering at layer 3, Internet Protocol, of the five-layer stack shown: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; legend: check mark = traffic allowed based on source and destination IP address, packet type, and port number; X = disallowed traffic)
31. Circuit-Level Gateway Firewall

Circuit-level gateways work at the session layer of the OSI model, or at the TCP layer of TCP/IP. A circuit-level gateway relays data between the networks without inspecting its contents. It blocks direct inbound packets to internal hosts; instead, the traffic passes through the gateway itself. Information passed to remote computers through a circuit-level gateway appears to have originated from the gateway, as the traffic carries the IP address of the proxy (the circuit-level gateway). A circuit-level gateway provides a controlled network connection between the systems internal and external to it. To decide whether a requested session is valid, it checks the TCP handshake between the packets; circuit-level gateways do not filter individual packets. They are relatively inexpensive and hide information about the private network that they protect.

32. FIGURE 17.10: Circuit-level Gateway Firewall (operating at layer 4, TCP, of the five-layer stack; legend: check mark = traffic allowed based on session rules, such as when a session is initiated by a recognized computer; X = disallowed traffic)
33. Application-Level Firewall

- Application-level gateways (proxies) can filter packets at the application layer of the OSI model.
- An application-level gateway configured as a web proxy relays only HTTP, and so prohibits FTP, gopher, telnet, or other traffic.
- Application-level gateways examine traffic and filter on application-specific commands such as HTTP POST and GET.
- Incoming and outgoing traffic is restricted to the services supported by the proxy; all other service requests are denied.

Proxy/application-based firewalls concentrate on the application layer rather than just the packets.

- These firewalls analyze the application-layer information to decide whether or not to transmit the packets.
- Because it works at the application layer, a proxy-based firewall can require authentication before it passes the packets.
- A content-caching proxy improves performance by caching frequently accessed information instead of sending new requests for the same data to the servers.

34. FIGURE 17.11: Application-level Firewall (operating at layer 5, Application, of the five-layer stack; legend: check mark = traffic allowed based on specified applications, such as a browser, or a protocol, such as FTP, or combinations; X = disallowed traffic)
35. Stateful Multilayer Inspection Firewall

- Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls.
- They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer.

A stateless packet filter judges each packet in isolation and cannot tell a reply that belongs to a connection an inside host opened from an unsolicited packet carrying the same header fields; stateful packet filtering overcomes this by tracking connection state.

- This type of firewall remembers the packets that passed through it earlier and makes decisions about future packets based on that memory
- These firewalls provide the best of both packet filtering and application-based filtering
- Cisco PIX firewalls are stateful
- These firewalls track and log connection slots and address translations

36. FIGURE 17.12: Stateful Multilayer Inspection Firewall (legend: check mark = traffic is filtered at three layers based on a wide range of specified application, session, and packet filtering rules; X = disallowed traffic)
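The two firewall types just described are easiest to compare side by side. The following is an added example, not code from the CEH module or from any firewall product: Rule and Packet model the header fields a packet filter decides on (addresses, ports, protocol, TCP code bits, direction) with first-match, default-deny semantics; StatefulFirewall adds the one thing the stateless design lacks, a connection table. compare() runs both designs over constructed packets: an inbound SYN to the web server, an unsolicited ACK-only probe of the kind the stateless "established" rule lets through, and a DNS reply to a query an inside host actually sent. All addresses, ports, and rules are assumptions made for this example.

```python
"""Packet filtering rules vs. stateful inspection, as a runnable model.

Added example; not code from the CEH module or any firewall product.
All addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP code bits, e.g. {"SYN"}
    direction: str = "in"                 # "in" = arrived on the external interface


@dataclass
class Rule:
    action: str                           # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    syn_only: Optional[bool] = None       # True: bare SYN only; False: anything but a bare SYN

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.syn_only is None or (p.flags == {"SYN"}) == self.syn_only)
        )


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Classic packet filter: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Admits a packet because it belongs to a connection already in the table,
    or because a rule allows it; an allowed SYN or UDP datagram creates the table
    entry, so replies to an inside-initiated flow get in with no inbound rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Dict[Tuple, str] = {}   # canonical 5-tuple -> state

    @staticmethod
    def _key(p: Packet) -> Tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)   # same key for both directions
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.table:
            if "RST" in p.flags:
                del self.table[key]          # real firewalls also age entries out
            elif "FIN" in p.flags:
                self.table[key] = "closing"
            return "allow"
        verdict = stateless_filter(self.rules, p)
        if verdict == "allow" and (p.proto == "udp" or p.flags == {"SYN"}):
            self.table[key] = "new"
        return verdict


INSIDE = "10.0.0.0/24"
WEB_SERVER = "10.0.0.5/32"

# What a stateless filter needs. The last rule is the old "established" trick:
# admit any inbound TCP segment that is not a bare SYN, on the theory that it
# must be a reply. A crafted ACK-only packet (an ACK scan) walks through it.
STATELESS_RULES = [
    Rule("allow", direction="out", src=INSIDE),
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dport=80, syn_only=True),
    Rule("allow", direction="in", proto="tcp", dst=INSIDE, syn_only=False),
]
# With a connection table the trick is unnecessary: inbound needs only the web rule.
STATEFUL_RULES = STATELESS_RULES[:2]

WEB_SYN = Packet("198.51.100.1", "10.0.0.5", "tcp", 50000, 80, frozenset({"SYN"}), "in")
ACK_PROBE = Packet("198.51.100.1", "10.0.0.9", "tcp", 4444, 41001, frozenset({"ACK"}), "in")
DNS_QUERY = Packet("10.0.0.9", "203.0.113.7", "udp", 41000, 53, frozenset(), "out")
DNS_REPLY = Packet("203.0.113.7", "10.0.0.9", "udp", 53, 41000, frozenset(), "in")


def compare() -> Dict[str, str]:
    """Verdicts of both designs on the constructed packets."""
    fw = StatefulFirewall(STATEFUL_RULES)
    verdicts = {
        "stateless web_syn": stateless_filter(STATELESS_RULES, WEB_SYN),
        "stateful web_syn": fw.process(WEB_SYN),
        "stateless ack_probe": stateless_filter(STATELESS_RULES, ACK_PROBE),
        "stateful ack_probe": fw.process(ACK_PROBE),
        "stateless dns_reply": stateless_filter(STATELESS_RULES, DNS_REPLY),
    }
    fw.process(DNS_QUERY)                                   # inside host asks first ...
    verdicts["stateful dns_reply"] = fw.process(DNS_REPLY)  # ... so the reply is admitted
    return verdicts
```

The stateless design has to choose between blocking legitimate UDP replies and opening a hole for anything that is not a bare SYN; the connection table removes that trade-off, which is why the ACK probe is denied and the DNS reply admitted only in the stateful run. Real implementations also expire table entries and check TCP sequence numbers, which this model omits.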
37. Firewall Identification: Port Scanning

Port scanning is used to identify open ports and the services running on them. Some firewalls uniquely identify themselves in response to simple port scans. Open ports can be further probed to identify the version of the services, which helps in finding vulnerabilities in those services. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and the NetGuard GuardianPro firewall listens on TCP 1500 and UDP 1501.

Systematically scanning the ports of a computer is known as port scanning. Attackers use it to identify possible vulnerabilities in order to compromise a network; it is one of the most popular methods attackers use to investigate the ports in use on a target. A tool that can be used for port scanning is Nmap. A port scan helps the attacker find which ports are available (i.e., what service might be listening on a port); it consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed further for weaknesses. Some firewalls uniquely identify themselves under a simple port scan. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.
38. Firewall Identification: Firewalking

- A technique that uses TTL values to determine gateway ACL filters and map networks by analyzing IP packet responses.
- Attackers send a TCP or UDP packet to the targeted firewall with a TTL set to one hop greater than that of the firewall.
- If the packet makes it through the gateway, it is forwarded to the next hop, which decrements the TTL to zero, discards the packet, and returns an ICMP "TTL exceeded in transit" message.
- This method helps locate a firewall; additional probing permits fingerprinting and identification of vulnerabilities.

Firewalking is a method used to collect information about remote networks that are behind firewalls. It probes the ACLs on packet filtering routers and firewalls. It works like traceroute: it sends TCP or UDP packets towards the firewall with a TTL set to one hop greater than the firewall's own hop count. If the packet makes it through the gateway, it is forwarded to the next hop, where the TTL reaches zero; that hop discards the packet and sends back an ICMP "time exceeded in transit" message (ICMP type 11, code 0). If the gateway's ACL drops the packet, nothing comes back. By sending successive probe packets to different ports, the access rules on the firewall can be determined. Firewalk is the best-known software for firewalking. It has two phases, a network discovery phase and a scanning phase, and involves three hosts:

- Firewalking host: the system, outside the target network, from which the data packets are sent to the destination host in order to gain information about the target network.
- Gateway host: the system on the target network that is connected to the Internet, through which the data packets pass on their way into the target network.
- Destination host: the target system on the target network to which the data packets are addressed.
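The two phases above are easier to follow as code. The following is an added example, not the Firewalk tool's code; it sends no packets but models the decision logic the technique rests on: phase 1 raises the TTL traceroute-style until the gateway's own address answers, phase 2 probes each port with TTL = gateway hop + 1 and treats any reply from beyond the gateway as proof that the ACL forwarded the probe. The path, gateway address, destination host, and ACL in NET are constructed; against a real network the same logic needs raw-socket privileges and retries for lost probes.

```python
"""Firewalking, modelled offline.

Added example; not the Firewalk tool's code, and it sends no packets. The
path, gateway, destination and ACL below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

TIME_EXCEEDED = "ICMP time exceeded (type 11, code 0)"
HOST_REPLY = "reply from destination host (SYN/ACK, RST or port unreachable)"


@dataclass
class Path:
    routers: List[str]           # router addresses in hop order; routers[0] is hop 1
    gateway: str                 # the filtering gateway; must appear in routers
    destination: str             # host behind the gateway that probes are addressed to
    allowed_tcp: FrozenSet[int]  # destination ports the gateway's ACL forwards


def send_probe(net: Path, dport: int, ttl: int) -> Optional[Tuple[str, str]]:
    """Simulate one TCP probe: (answering address, kind of answer) or None if dropped."""
    for router in net.routers:
        ttl -= 1                                  # each router decrements the TTL
        if ttl == 0:
            return (router, TIME_EXCEEDED)        # expired here; this router reports it
        if router == net.gateway and dport not in net.allowed_tcp:
            return None                           # the ACL drops the probe silently
    return (net.destination, HOST_REPLY)          # TTL was large enough to arrive


def discover_gateway_hop(net: Path, max_ttl: int = 30) -> Optional[int]:
    """Phase 1 (traceroute-style): raise the TTL until the gateway itself answers."""
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(net, dport=80, ttl=ttl)
        if answer is not None and answer[0] == net.gateway:
            return ttl
    return None


def firewalk(net: Path, ports: Iterable[int]) -> Dict[int, str]:
    """Phase 2: probe each port with TTL = gateway hop + 1 and read off the ACL."""
    hop = discover_gateway_hop(net)
    if hop is None:
        raise RuntimeError("gateway never answered; cannot firewalk it")
    results: Dict[int, str] = {}
    for port in ports:
        answer = send_probe(net, port, hop + 1)
        # Any answer from beyond the gateway proves the ACL forwarded the probe;
        # silence, or an answer from the gateway itself, proves nothing useful.
        if answer is not None and answer[0] != net.gateway:
            results[port] = f"open through ACL ({answer[1]} from {answer[0]})"
        else:
            results[port] = "filtered"
    return results


# Constructed topology: two ISP routers, the filtering gateway, one internal
# router, and a destination host. Only TCP 80 and 443 pass the gateway's ACL.
NET = Path(
    routers=["10.1.1.1", "10.1.2.1", "192.0.2.1", "203.0.113.1"],
    gateway="192.0.2.1",
    destination="203.0.113.10",
    allowed_tcp=frozenset({80, 443}),
)

if __name__ == "__main__":
    for port, verdict in firewalk(NET, [22, 25, 80, 443, 3389]).items():
        print(f"tcp/{port}: {verdict}")
```

Note the defensive corollary the model makes visible: a gateway that drops outbound ICMP time-exceeded messages from the hosts behind it, or that never answers the TTL ramp itself, leaves phase 1 without a hop count and phase 2 without a signal.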
39. Firewall Identification: Banner Grabbing

Banners are messages sent out by network services during the connection to the service. Banners announce which service is running on the system. Banner grabbing is a technique generally used by the attacker for OS detection, and the attacker also uses it to discover the services run by or behind the firewall. The three main services that send out banners are FTP, Telnet, and web servers. Their banners reveal product and version to anyone who connects, so these ports should not be left open unnecessarily and their banners should be reduced to the minimum the software allows. A firewall does not block banner grabbing, because the connection between the attacker's system and the target looks like a legitimate client connection.

An example of SMTP banner grabbing is: telnet mail.targetcompany.org 25. The syntax in which a grabbed banner is recorded is: "<service name> <service running> <port number>".

Banner grabbing is a tried-and-true mechanism for obtaining banners and application information. For example, when the user opens a telnet connection to a known port on the target server and presses Enter a few times, if required, a result like the following is displayed:

C:>telnet www.corleone.com 80
HTTP/1.0 400 Bad Request
Server: Netscape-Commerce/1.12

40. This works with many other common applications that respond on a set port. The information gathered through banner grabbing can enhance the attacker's efforts to compromise the system further: with the version and vendor of the web server known, the attacker can concentrate on platform-specific exploit techniques.
41. Honeypot

A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network. It has no authorized activity and no production value, so any traffic to it is likely a probe, attack, or compromise. A honeypot can log port access attempts or monitor an attacker's keystrokes; these can be early warnings of a more concerted attack. (The slide's figure shows an attacker on the Internet reaching a packet filter firewall, behind which a honeypot and a web server sit in the DMZ.)

Honeypot

A honeypot is a system intended to attract and trap people who attempt unauthorized or illicit use of the host system. Any interaction with a honeypot is most likely malicious activity. Honeypots are unique in that they do not solve one specific problem; instead, they are a highly flexible tool with many different security applications. Some honeypots can be used to help prevent attacks, others to detect attacks, and a few for information gathering and research.

Examples:

- Installing a system on the network with no purpose other than to log all attempted access.
- Installing an older, unpatched operating system on the network. For example, a default installation of Windows NT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then log the attacks directed against the system and further track what the intruder attempts to do with it once it is compromised.
- Installing special software designed for this purpose. It has the advantage of making it look as if the intruder is successful without really allowing him or her access to the network.
42.

- "Honeypot-izing" an existing system. For example, on Windows NT it is possible to rename the default Administrator account and then create a dummy account called "Administrator" with no password and no privileges or group memberships. Windows NT allows extensive logging of a user's activities, so this honeypot tracks users who are attempting to gain administrator access and exploit it.

FIGURE 17.13: Working of a Honeypot (Internet, attacker, packet filter firewall, DMZ containing the honeypot and the web server)
43. Types of Honeypots

Low-interaction Honeypots
- These honeypots simulate only a limited number of services and applications of a target system or network
- Cannot be completely compromised
- Generally set up to collect higher-level information about attack vectors such as network probes and worm activity
- Ex: Specter, Honeyd, and KFSensor

High-interaction Honeypots
- These honeypots simulate all services and applications
- Can be completely compromised by attackers, who get full access to the system in a controlled area
- Capture complete information about an attack vector, such as the attack techniques, tools, and intent of the attacker
- Ex: Symantec Decoy Server and Honeynets

Types of Honeypots

Honeypots are mainly divided into two types:

Low-interaction Honeypot

They work by emulating services and programs that would be found on an individual's system. If the attacker does something that the emulation does not expect, the honeypot simply generates an error. They capture limited amounts of information, mainly transactional data and some limited interaction. Examples: Specter, Honeyd, and KFSensor.

Honeyd is a low-interaction honeypot. It is open source and designed to run primarily on UNIX systems. Honeyd works on the concept of monitoring unused IP space. Any time it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs connections to any UDP or TCP port. In addition, the user can configure emulated services to monitor specific ports, such as an emulated FTP server on TCP port 21.
When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but also it captures all of the attacker's interaction with the emulated service. Module 17 Page 2591 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
44. In the case of the emulated FTP server, an attacker's login and password can potentially be captured; the commands that were issued, what they were looking for, or their identity can be tracked. Most emulated services work the same way. They expect a specific type of behavior, and then are programmed to react in a predetermined way.
High-interaction Honeypot: Honeynets are a prime example of a high-interaction honeypot. A honeynet is neither a product nor a software solution that the user installs. Instead, it is an architecture, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network, intended victims are placed, and the network has real computers running real applications. The "bad guys" find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a honeynet. All of their activity, from encrypted SSH sessions to email and file uploads, is captured without their knowledge by kernel modules inserted on the victim systems, which record all of the attacker's actions. At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-honeynet computers.
How to Set Up a Honeypot
Follow the steps here to set up a honeypot:
Step 1: Download or purchase honeypot software. Tiny Honeypot, LaBrea, and Honeyd are some of the programs available for Linux systems. KFSensor is software that works with Windows.
Step 2: Log in as an administrator on the computer on which the honeypot is to be installed.
Step 3: Install the software on your computer. Choose the "Full Version" to make sure every feature of the program is installed.
Step 4: Place the honeypot software in the Program Files folder. Once you have chosen the folder, click "OK" and the program will install.
Step 5: Restart your computer for the honeypot to work.
Step 6: Configure the honeypot to check the items that you want the honeypot to watch for, including services, applications, and Trojans, and name your domain.
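As an added example (not code from the CEH module, Honeyd or KFSensor), the following Python sketch behaves the way the text above describes for an emulated FTP service on a low-interaction honeypot: it expects USER, PASS and QUIT, records the login and password a client offers without ever accepting it, and answers anything else with a generic error. The banner text and the 127.0.0.1:2121 listener are assumptions; serve() is the live listener, and the __main__ section replays a constructed session offline.

```python
"""Low-interaction FTP emulation in the spirit of the Honeyd/KFSensor
description above. Added example, not code from the CEH module or from any
honeypot product. Banner text, host and port are constructed assumptions."""
import socket
import time


class FtpEmulation:
    """One emulated FTP session: a small state machine that records every
    client line and never grants a login."""

    BANNER = "220 FTP server ready.\r\n"   # constructed banner (assumption)

    def __init__(self, peer):
        self.peer = peer            # "ip:port" of the remote side
        self.user = None
        self.events = []            # (timestamp, peer, kind, text)
        self._log("S", self.BANNER)

    def _log(self, kind, text):
        self.events.append((time.time(), self.peer, kind, text.strip()))

    def handle(self, line):
        """Return the server reply for one client line."""
        self._log("C", line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            reply = "331 Please specify the password.\r\n"
        elif verb == "PASS":
            # The credential pair is the evidence; the login always fails.
            self._log("CRED", f"{self.user}:{arg}")
            reply = "530 Login incorrect.\r\n"
        elif verb == "QUIT":
            reply = "221 Goodbye.\r\n"
        else:
            # Anything the emulation does not expect just gets an error.
            reply = "500 Unknown command.\r\n"
        self._log("S", reply)
        return reply

    def credentials(self):
        """All user:password pairs captured in this session."""
        return [text for _, _, kind, text in self.events if kind == "CRED"]


def serve(host="127.0.0.1", port=2121, sessions=1):
    """Bind an otherwise unused port and run one FtpEmulation per connection,
    printing the captured events when each session ends."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        for _ in range(sessions):
            conn, addr = srv.accept()
            sess = FtpEmulation(f"{addr[0]}:{addr[1]}")
            with conn, conn.makefile("rwb") as f:
                f.write(sess.BANNER.encode())
                f.flush()
                for raw in f:
                    reply = sess.handle(raw.decode("ascii", "replace"))
                    f.write(reply.encode())
                    f.flush()
                    if reply.startswith("221"):
                        break
            for ts, peer, kind, text in sess.events:
                print(f"{ts:.3f} {peer} {kind} {text}")


if __name__ == "__main__":
    # Scripted session (constructed input) so the example runs without a client.
    demo = FtpEmulation("198.51.100.7:40123")
    for line in ("USER admin\r\n", "PASS hunter2\r\n", "LIST\r\n", "QUIT\r\n"):
        demo.handle(line)
    for ts, peer, kind, text in demo.events:
        print(f"{ts:.3f} {peer} {kind} {text}")
```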
45. Module Flow
Previously, we discussed the basic concepts of three security mechanisms: IDSes, firewalls, and honeypots. Now we will move on to detailed descriptions and functionalities of these security mechanisms.
Module flow: IDS, Firewall and Honeypot Concepts; IDS, Firewall and Honeypot System; Evading IDS; Evading Firewall; Detecting Honeypots; Firewall Evading Tools; Countermeasures; Penetration Testing.
This section describes the intrusion detection system Snort.
46. Intrusion Detection Tool: Snort
Source: http://www.snort.org
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture.
Uses of Snort:
» Straight packet sniffer like tcpdump
» Packet logger (useful for network traffic debugging, etc.)
» Network intrusion prevention system
(Screenshot of Snort running in a Windows command prompt; see Figure 17.14.)
Snort is an open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or a full-blown network intrusion prevention system.
47. Snort Commands
FIGURE 17.14: Working of Snort in Command Prompt. The screenshot shows Snort started from the Windows command prompt and later stopped with an interrupt signal; the legible parts of the session are:
    c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -i 2
    --== Initialization Complete ==--
    Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
    Copyright (C) 1998-2010 Sourcefire, Inc., et al.
    Using PCRE version: 8.10 2010-06-25
    Using ZLIB version: 1.2.3
    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.12 <Build 18>
    Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
    Preprocessor Object: SF_SSH Version 1.1 <Build 3>
    Commencing packet processing (pid=5896)
    S5: Session exceeded configured max bytes to queue 1048576 using 1048979 bytes (client queue). 192.168.168.7 11616 --> 92.46.53.163 80 (0) : LWstate 0x1 LWFlags 0x2003
    *** Caught Int-Signal
    Run time for packet processing was 5985.944000 seconds
    Snort processed 11774 packets.
    Snort ran for 0 days 1 hours 39 minutes 45 seconds
       Pkts/hr: 11774   Pkts/min: 118   Pkts/sec: 1
    S5: Pruned session from cache that was using 1098947 bytes (purge whole cache). 192.168.168.7 11616 --> 92.46.53.163 80 (0) : LWstate 0x1 LWFlags 0x222003
    Packet I/O Totals: Received 147490; Analyzed 11774 (7.983%); Dropped 135707 (92.011%); Filtered 0 (0.000%); Outstanding 135716 (92.017%); Injected 0
48. How Snort Works
Decoder: Saves the captured packets into a heap, identifies link-level protocols, and decodes IP
Detection Engine: Matches packets against rules previously saved in memory
Rules Files: These are plain text files which contain a list of rules with a known syntax
Output Plug-ins: These modules format notifications so operators can access them in a variety of ways (console, external files, databases, etc.)
The following are the three essential elements of the Snort tool:
- Decoder: Saves the captured packets into a heap, identifies link-level protocols, and decodes IP.
- Detection Engine: Matches packets against rules previously loaded into memory at Snort initialization.
- Output Plug-ins: These modules format the notifications for the user to access them in different ways (console, external files, databases, etc.).
49. FIGURE 17.15: How Snort Works (diagram: a primary NIC in promiscuous mode sniffing network traffic feeds the Decoder, then the Detection Engine, which consults the Rule Set loaded from the Rules Files and Dynamic Loaded Libraries; Output Plugins pass results to the Reporting and Alerting Engine (ACID), databases, web servers, and the administrator). Rules Files: These are plain text files which contain a list of rules with a known syntax.
50. Snort Rules
- Snort's rule engine enables custom rules to meet the needs of the network
- Snort rules help in differentiating between normal Internet activities and malicious activities
- Snort rules must be contained on a single line; the Snort rule parser does not handle rules on multiple lines
- Snort rules come with two logical parts:
  Rule header: identifies the rule's action, such as alert, log, pass, activate, dynamic, etc.
  Rule options: identifies the rule's alert messages
Example:
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
  (rule action: alert; rule protocol: tcp; rule IP address: 192.168.1.0/24; rule port: 111; rule format direction: ->; alert message: "mountd access")
Snort uses the popular libpcap library (for UNIX/Linux) or WinPcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Snort decodes all the packets passing through the network media to which it is attached by entering promiscuous mode. Based on the content of the individual packets and the rules defined in the configuration file, an alert is generated.
There are a number of rules that Snort allows the user to write. In addition, each of these Snort rules must describe the following:
- Any violation of the security policy of the company that might be a threat to the security of the company's network and other valuable information
- All the well-known and common attempts to exploit the vulnerabilities in the company's network
- The conditions in which a user thinks that a network packet(s) is unusual, i.e., if the identity of the packet is not authentic
Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust"; this means the system should keep a rigid check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible"; this means that the system must be compatible enough to act immediately and take the necessary remedial measures, according to the nature of the intrusion.
51. Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule-description language that aids in writing simple Snort rules. There are two basic principles that must be kept in mind while writing Snort rules. They are as follows:
- No written rule must extend beyond a single line, so rules should be short, precise, and easy to understand.
- Each rule should be divided into two logical sections: the rule header and the rule options.
The rule header contains the rule's action, the protocol, the source and destination IP addresses, the source and destination port information, and the CIDR (Classless Inter-Domain Routing) block. The rule option section includes alert messages, in addition to information about which part of the packet should be inspected in order to determine whether the rule action should be taken. The following illustrates a sample Snort rule:
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
52. Snort Rules: Rule Actions and IP Protocols
Rule Actions
- The rule header stores the complete set of rules to identify a packet, and determines the action to be performed or what rule to be applied
- The rule action alerts Snort when it finds a packet that matches the rule criteria
- Three available actions in Snort:
  Alert - Generate an alert using the selected alert method, and then log the packet
  Log - Log the packet
  Pass - Drop (ignore) the packet
IP Protocols
Three available IP protocols that Snort supports for suspicious behavior: TCP, UDP, ICMP
Source: http://manual.snort.org
The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action. The rule action tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have additional options, which include drop, reject, and sdrop.
- Alert - generate an alert using the selected alert method, and then log the packet
- Log - log the packet
- Pass - ignore the packet
- Activate - alert and then turn on another dynamic rule
- Dynamic - remain idle until activated by an activate rule, then act as a log rule
- Drop - block and log the packet
- Reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
- Sdrop - block the packet but do not log it
53. The Internet Protocol (IP) is used to send data from one system to another via the Internet. IP supports unique addressing for every computer on a network. Data on an IP network is organized into packets. Each packet contains message data, source, destination, etc.
Three available IP protocols that Snort supports for suspicious behavior:
- TCP: TCP (Transmission Control Protocol) is a part of the Internet Protocol suite. TCP is used to connect two different hosts and exchange data between them.
- UDP: UDP, the acronym of User Datagram Protocol, is for broadcasting messages over a network.
- ICMP: The Internet Control Message Protocol (ICMP) is a part of the Internet Protocol suite. It is used by the operating systems in a network to send error messages, etc.
54. Snort Rules: The Direction Operator and IP Addresses
The Direction Operator
- This operator indicates the direction of interest for the traffic; traffic can flow in either a single direction or bi-directionally
- Example of a Snort rule using the bidirectional operator:
  log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23
IP Addresses
- Identifies the IP address and port that the rule applies to
- Use the keyword "any" to define any IP address
- Use numeric IP addresses qualified with a CIDR netmask
- Example IP address negation rule:
  alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)
The direction operator -> indicates the orientation, or direction, of the traffic that the rule applies to. The IP address and port numbers on the left side of the direction operator are considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host. There is also a bidirectional operator, which is indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions. Also, note that there is no <- operator. In Snort versions before 1.8.7, the direction operator did not have proper error checking and many people used an invalid token. The reason the <- does not exist is so that rules always read consistently.
The next fields in a Snort rule are used to specify the source and destination IP addresses and ports of the packet, as well as the direction in which the packet is traveling. Snort can accept a single IP address or a list of addresses. When specifying a list of IP addresses, you should separate each one with a comma and then enclose the list within square brackets, like this: [192.168.1.1,192.168.1.45,10.1.1.24]
55. When doing this, be careful not to use any whitespace. You can also specify ranges of IP addresses using CIDR notation, or even include CIDR ranges within lists. Snort also allows you to apply the logical NOT operator (!) to an IP address or CIDR range to specify that the rule should match all but that address or range of addresses.
56. Snort Rules: Port Numbers
- Port numbers can be listed in different ways, including "any" ports, static port definitions, port ranges, and by negation
- Port ranges are indicated with the range operator :
- Example of a port negation:
  log tcp any any -> 192.168.1.0/24 !6000:6010
Port numbers may be specified in a number of ways, including any ports, static port definitions, ranges, and by negation. Any ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http, etc. Port ranges are indicated with the range operator :. The range operator may be applied in a number of ways to take on different meanings.
Example of port negation: log tcp any any -> 192.168.1.0/24 !6000:6010
TABLE 17.1: Port Numbers
  Rule                                        Meaning
  log udp any any -> 192.168.1.0/24 1:1024    Log UDP traffic coming from any port and destination ports ranging from 1 to 1024
  log tcp any any -> 192.168.1.0/24 :5000     Log TCP traffic from any port going to ports less than or equal to 5000
  log tcp any :1024 -> 192.168.1.0/24 400:    Log TCP traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 400
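As an added example (not Snort's own code) covering the rule header fields from the last few slides, here is a small Python parser and matcher for Snort rule headers: action, protocol, IP address with CIDR, [lists] and ! negation, ports with ranges and negation, and the -> and <> direction operators, rejecting the nonexistent <- form. The rule options are kept only as raw text, and the sample 5-tuples in the __main__ section are constructed.

```python
"""Parser and matcher for the Snort rule header syntax shown on these slides.
Added example: it is not Snort's own parser, and it keeps the options section
only as raw text (content matching is out of scope here)."""
import ipaddress
from collections import namedtuple

RuleHeader = namedtuple("RuleHeader",
                        "action proto src sport direction dst dport options")


def parse_ip_spec(spec):
    """'any' -> (neg, None); CIDR, single address or [a,b,c] list -> (neg, nets)."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    return negated, [ipaddress.ip_network(i, strict=False) for i in items]


def parse_port_spec(spec):
    """'any', '111', '1:1024', ':5000', '400:' (optionally !-negated) -> (neg, lo, hi)."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return negated, int(lo) if lo else 0, int(hi) if hi else 65535
    return negated, int(spec), int(spec)


def ip_matches(ipspec, addr):
    negated, nets = ipspec
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated


def port_matches(portspec, port):
    negated, lo, hi = portspec
    return (lo <= port <= hi) != negated


def parse_rule(text):
    """Split one single-line rule into its seven header fields plus raw options."""
    header, _, options = text.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {header!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):          # Snort has no <- operator
        raise ValueError(f"invalid direction operator {direction!r}")
    return RuleHeader(action, proto.lower(), parse_ip_spec(src), parse_port_spec(sport),
                      direction, parse_ip_spec(dst), parse_port_spec(dport),
                      options.rstrip().rstrip(")"))


def rule_matches(rule, proto, saddr, sport, daddr, dport):
    """True when the 5-tuple satisfies the header; with <> either orientation counts."""
    if proto.lower() != rule.proto:
        return False
    forward = (ip_matches(rule.src, saddr) and port_matches(rule.sport, sport)
               and ip_matches(rule.dst, daddr) and port_matches(rule.dport, dport))
    if forward or rule.direction == "->":
        return forward
    return (ip_matches(rule.src, daddr) and port_matches(rule.sport, dport)
            and ip_matches(rule.dst, saddr) and port_matches(rule.dport, sport))


if __name__ == "__main__":
    # Rules taken from the slides, run against constructed sample 5-tuples.
    rules = [
        'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
        'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (msg:"external mountd access";)',
        'log tcp any any -> 192.168.1.0/24 !6000:6010 (msg:"port negation";)',
        'log tcp any :1024 -> 192.168.1.0/24 400: (msg:"privileged to high";)',
        'log tcp 192.168.1.0/24 any <> 192.168.1.0/24 23 (msg:"telnet either way";)',
    ]
    packets = [("tcp", "10.9.8.7", 40000, "192.168.1.10", 111),
               ("tcp", "192.168.1.5", 40000, "192.168.1.10", 6005),
               ("tcp", "192.168.1.5", 23, "192.168.1.7", 50000)]
    for text in rules:
        rule = parse_rule(text)
        hits = sum(rule_matches(rule, *p) for p in packets)
        print(f"{rule.options:<40} matched {hits} of {len(packets)} packets")
```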
57. Intrusion Detection System: TippingPoint
Source: http://h10163.www1.hp.com (slide footer: http://h17007.www1.hp.com)
- TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device
- Each packet is thoroughly inspected to determine whether it is malicious or legitimate
- It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection
(The slide shows the TippingPoint "Attacks Per Action" and "Attacks Per Protocol" graphs reproduced in Figure 17.17.)
TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device. Each packet is thoroughly inspected to determine whether it is malicious or legitimate. It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection.
58. FIGURE 17.17: Tipping Point Screenshot. Two graphs for the period 2009/09/21 12:22:52 to 2009/09/22 12:22:52 (graph last updated Tue 22 Sep 12:20:02 CEST 2009): "Attacks Per Action" (Permitted: last 27.39 k, avg 13.79 k, max 40.38 k; Blocked: last 0.00, avg 0.00, max 0.00; Discarded Invalid: last 69.38, avg 66.91, max 81.33) and "Attacks Per Protocol" (ICMP: last 3.67 k, avg 3.90 k, max 6.06 k; UDP: last 886.08, avg 1.04 k, max 6.61 k; TCP: last 22.90 k, avg 8.94 k, max 35.85 k; IP-Other: last 0.00, avg 0.00, max 0.00).
59. Intrusion Detection Tools
Intrusion detection tools detect anomalies. These tools, when run on a dedicated workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and network traffic statistical anomalies. In addition, these tools give real-time, zero-day protection from network attacks and malicious traffic, and prevent malware, spyware, port scans, viruses, and DoS and DDoS attacks from compromising hosts. A few intrusion detection tools are listed as follows:
- IBM Security Network Intrusion Prevention System available at http://www-01.ibm.com
- Peek & Spy available at http://networkingdynamics.com
- INTOUCH INSA-Network Security Agent available at http://www.ttinet.com
- Strata Guard available at http://www.stillsecure.com
- IDP8200 Intrusion Detection and Prevention Appliances available at https://www.juniper.net
- OSSEC available at http://www.ossec.net
- Cisco Intrusion Prevention Systems available at http://www.cisco.com
60. (continued)
- AIDE (Advanced Intrusion Detection Environment) available at http://aide.sourceforge.net
- SNARE (System iNtrusion Analysis & Reporting Environment) available at http://www.intersectalliance.com
- Vanguard Enforcer available at http://www.go2vanguard.com
61. Intrusion Detection Tools (Cont'd)
In addition to the previously mentioned intrusion detection tools, there are a few more tools that can be used for detecting intrusions:
- Check Point Threat Prevention Appliance available at http://www.checkpoint.com
- Fragroute available at http://www.monkey.org
- Next-Generation Intrusion Prevention System (NGIPS) available at http://www.sourcefire.com
- Outpost Network Security available at http://www.agnitum.com
- Check Point IPS-1 available at http://www.checkpoint.com
- FortiGate available at http://www.fortinet.com
- Enterasys® Intrusion Prevention System available at http://www.enterasys.com
- StoneGate Virtual IPS Appliance available at http://www.stonesoft.com
- Cyberoam Intrusion Prevention System available at http://www.cyberoam.com
- McAfee Host Intrusion Prevention for Desktops available at http://www.mcafee.com
62. Firewall: ZoneAlarm PRO Firewall
Source: http://www.zonealarm.com
(Screenshot of the ZoneAlarm PRO Firewall console: a "Your computer is secure" status page with the Firewall, Antivirus/Anti-spyware and Identity Protection panels, and a log of blocked events such as NetBIOS broadcasts, outgoing NetBIOS name requests, non-SYN TCP packets, routed, loopback, non-IP and fragmented IP packets, MailSafe and Lock violations, and blocked applications.)
ZoneAlarm PRO Firewall blocks attackers and intruders from accessing your system. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional antivirus protection. It prevents identity theft by guarding your personal data. It even erases your tracks, allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. In addition, it filters out annoying and potentially dangerous email.
