SlideShare a Scribd company logo

Ajit - Legiment Techniques - ClubHack2007

ClubHack
ClubHack
Technology
1 of 16
Download to read offline
Legiment Techniques of IDS/IPS Evasion Ajit Hatti hatti_ajit@yahoo.com
Overview ● Why learn the Evasion Techniques ? ● Introduction to Classical & Legiment Techniques of IPS/IDS evasion. ● Case study with Exchange MS03-046. ● Comparison between Classical & Legiment Techniques of evasion. ● Conclusion.
Why Learn Evasion Techniques? ● Security is important. ● Security shouldn't backfire. ● Security is a moving target. ● Proactive security management is need of the hour. ● Attack is the best defense.
Classical Evasion Techniques ● Polymorphic or Obfuscating attack payload ● Packet Fragmentation ● Protocol Violation ● Inserting Traffic (Reducing TTL) ● DOS
Legiment Techniques ● Introduction – It focuses on application protocols, the exploits, and the way IDS/IPS handles them. – Any existing exploit can be crafted in a way to evade the IPS/IDS. – Needs knowledge of the exploit and the application server being exploited.
Case-Study MS03-046 MS03-046 : – Vulnerability in Exchange Server Could Allow Arbitrary Code Execution. – XEXCH50 command accepts 2 parameters, first being the message size. XEXCH50 P1 P2 rn – Negative value of P1 results in buffer overflow.
Exploiting MS03-046 Classical Techniques : Fragmentation 1.1 XEX 1.2 CH5 <-- 451 Time out waiting for client input. Connection closed by foreign host 1.3 0 - 1.4 1 2 1.5 rn 1.6 [shell code] Limitations : ● TCP session span of IPS/IDS & Exchange can be tuned to be equal. ● Newer systems can detect & handle fragments.
Exploiting MS03-046 Legiment Techniques – Exchange operates in 2 modes. DATA mode and Command mode. – message body follows DATA command. – Craft a mail to put IDS in to DATA state keeping Exchange server in command state. – Then exploit the vulnerabilities in SMTP commands. – Similarly exploit vulnerabilities in message body putting IDS in command state Exchange server in DATA state.
Legimency for MS03-046 1: Altering Command Sequence ● Sending <RCPT TO> before <MAIL FROM> puts IDS in to DATA state and Exchange remains in Command state. ● Any commands going after this, are part of the message body for IDS and hence ignored.
Legimency for MS03-046 2 : Invalid Sender ● Sending invalid sender in <MAIL FROM>, keeps Exchange in command state, unless valid sender is sent. ● IDS cant decide the validity of the sender. ● Using this, IDS can be pushed in DATA state keeping Exchange in command state. ● Any commands going after this, are ignored by IDS as a part of message body.
Legimency for MS03-046 3: Non-Existent Recipient ● Sending invalid recipient in <RCPT TO>, keeps Exchange in command state unless valid recipient is sent. ● IDS cant decide the validity of the recipient. ● Hence IDS gets in DATA state, where as Exchange remains in command state. ● And thus, IDS can be evaded.
Legimency for MS03-046 4 : Exploiting BDAT flaw. ● BDAT accepts <SIZE> argument in decimal. ● For a large value of <SIZE>, Exchange spins it between negative and positive value. ● For Exchange, the effective value of 4294967296 is 0 and (4294967296 + 100) is 100. ● While IDS decodes message of size 4294967297, the malicious command is sent to Exchange.
Comparison ● More Effective – Legiment attacks can bypass most of the IPS/IDSs. – Can also be used to check possible false positives. ● Tough to tackle – IPS/IDS needs full-duplex, session state decoding to intercept the Legiment attacks. – Being more application specific, needs more efforts from vendors to tackle. ● Needs expertise for creation – Unlike classical techniques, Legiment techniques demand in depth knowledge of Application server.
Evasion Techniques and Success Rate Matrix Application Specific Obfusc ating Legiment Evasion Techniques Attack Payloads Tec hniques Network Specific DOS Attac ks, Fragmentation, Traffic insertion Protocol Voilation Low to Moderate Moderate to High Success Rate
Conclusion ● Classical Evasion techniques focuses to uncover Network layer flaws of IPS/IDS, so the application layer flaws were neglected. ● Legiment Techniques focuses solely on weakness in applications layer of IDS/IPS. ● Hackers, Pen-testers, IDS/IPS QA and vendors are equally benefited with Legiment Techniques. ● Legimency encourages to create more & newer techniques in various applications to improve the Security Systems.
Sincere Thanks ● Team ClubHACK. ● Linux & Open Source Community. ● The Audiences.

Recommended

Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
Wp ci securing_layer2
Wp ci securing_layer2Wp ci securing_layer2
Wp ci securing_layer2Amargo Durazno
 
Review of network diagram
Review of network diagramReview of network diagram
Review of network diagramSyed Ubaid Ali Jafri
 
Network security
Network securityNetwork security
Network securitymustafa aadel
 
Security in network
Security in networkSecurity in network
Security in networkDaNang University of Technology
 
Resume
ResumeResume
ResumeMohd Jishan
 
Firewall
FirewallFirewall
FirewallArchanaMani2
 
Cr32585591
Cr32585591Cr32585591
Cr32585591IJERA Editor
 

Recommended

Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
Wp ci securing_layer2
Wp ci securing_layer2Wp ci securing_layer2
Wp ci securing_layer2Amargo Durazno
 
Review of network diagram
Review of network diagramReview of network diagram
Review of network diagramSyed Ubaid Ali Jafri
 
Network security
Network securityNetwork security
Network securitymustafa aadel
 
Security in network
Security in networkSecurity in network
Security in networkDaNang University of Technology
 
Resume
ResumeResume
ResumeMohd Jishan
 
Firewall
FirewallFirewall
FirewallArchanaMani2
 
Cr32585591
Cr32585591Cr32585591
Cr32585591IJERA Editor
 
Abbie Barbir Tcg Final
Abbie Barbir Tcg FinalAbbie Barbir Tcg Final
Abbie Barbir Tcg FinalAbbie Barbir
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - IIITAMBEMAHENDRA1
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet BawaPuneet Bawa
 
Describe firewalls
Describe firewallsDescribe firewalls
Describe firewallsВлад Панасенко
 
10.1.1.44.6790
10.1.1.44.679010.1.1.44.6790
10.1.1.44.6790Alok Tripathi
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideErica StJohn
 
IEL - Satya's 2nd Class
IEL - Satya's 2nd ClassIEL - Satya's 2nd Class
IEL - Satya's 2nd ClassHarish Lunani
 
Plaza 28 de julio macusani
Plaza 28 de julio macusaniPlaza 28 de julio macusani
Plaza 28 de julio macusaniYusof Blanco
 
Sergio
SergioSergio
Sergioramiro1djosemanuel
 
Web2.0 omar duran jesus fabregas
Web2.0 omar duran jesus fabregasWeb2.0 omar duran jesus fabregas
Web2.0 omar duran jesus fabregasomardm4
 
Ganadores concurso Love Flights
Ganadores concurso Love FlightsGanadores concurso Love Flights
Ganadores concurso Love FlightsIberia
 
Obama
ObamaObama
ObamaAntonino Castro
 
POM ARTICLE CBC MAGAZINE
POM ARTICLE CBC MAGAZINEPOM ARTICLE CBC MAGAZINE
POM ARTICLE CBC MAGAZINETammy Bertrand
 
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...Realidades Virtuais
 
Зырянова анонс Оценка секретарей
Зырянова анонс Оценка секретарейЗырянова анонс Оценка секретарей
Зырянова анонс Оценка секретарейMoscow Business School
 
Rails 3 - RS on Rails - 21aug2010
Rails 3 - RS on Rails - 21aug2010Rails 3 - RS on Rails - 21aug2010
Rails 3 - RS on Rails - 21aug2010Plataformatec
 
11 essencia de luz
11 essencia de luz11 essencia de luz
11 essencia de luzNelson Soares
 
Pesquisa brasil bola da vez deloitte e ibri
Pesquisa brasil bola da vez deloitte e ibriPesquisa brasil bola da vez deloitte e ibri
Pesquisa brasil bola da vez deloitte e ibriBlog do Torcedor/JC Online
 
Estout demo
Estout demoEstout demo
Estout demoBen Mazzotta
 
FRASES DE BILL GATES.
FRASES DE BILL GATES.FRASES DE BILL GATES.
FRASES DE BILL GATES.Jose María Medina García
 
Html
HtmlHtml
Html$ S
 
CRM Loyalty
CRM LoyaltyCRM Loyalty
CRM LoyaltyHarish Lunani
 

More Related Content

What's hot

Abbie Barbir Tcg Final
Abbie Barbir Tcg FinalAbbie Barbir Tcg Final
Abbie Barbir Tcg FinalAbbie Barbir
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - IIITAMBEMAHENDRA1
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet BawaPuneet Bawa
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideErica StJohn
 

What's hot (6)

Abbie Barbir Tcg Final
Abbie Barbir Tcg FinalAbbie Barbir Tcg Final
Abbie Barbir Tcg Final
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - III
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet Bawa
 
Describe firewalls
Describe firewallsDescribe firewalls
Describe firewalls
 
10.1.1.44.6790
10.1.1.44.679010.1.1.44.6790
10.1.1.44.6790
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-Guide
 

Viewers also liked

IEL - Satya's 2nd Class
IEL - Satya's 2nd ClassIEL - Satya's 2nd Class
IEL - Satya's 2nd ClassHarish Lunani
 
Plaza 28 de julio macusani
Plaza 28 de julio macusaniPlaza 28 de julio macusani
Plaza 28 de julio macusaniYusof Blanco
 
Web2.0 omar duran jesus fabregas
Web2.0 omar duran jesus fabregasWeb2.0 omar duran jesus fabregas
Web2.0 omar duran jesus fabregasomardm4
 
Ganadores concurso Love Flights
Ganadores concurso Love FlightsGanadores concurso Love Flights
Ganadores concurso Love FlightsIberia
 
POM ARTICLE CBC MAGAZINE
POM ARTICLE CBC MAGAZINEPOM ARTICLE CBC MAGAZINE
POM ARTICLE CBC MAGAZINETammy Bertrand
 
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...Realidades Virtuais
 
Зырянова анонс Оценка секретарей
Зырянова анонс Оценка секретарейЗырянова анонс Оценка секретарей
Зырянова анонс Оценка секретарейMoscow Business School
 
Rails 3 - RS on Rails - 21aug2010
Rails 3 - RS on Rails - 21aug2010Rails 3 - RS on Rails - 21aug2010
Rails 3 - RS on Rails - 21aug2010Plataformatec
 
Html
HtmlHtml
Html$ S
 
A Legacy of Light and Dark Generation 2 Chapter 1
A Legacy of Light and Dark Generation 2 Chapter 1A Legacy of Light and Dark Generation 2 Chapter 1
A Legacy of Light and Dark Generation 2 Chapter 1AuroraDay01
 
Marketing and the customer lifecycle
Marketing and the customer lifecycleMarketing and the customer lifecycle
Marketing and the customer lifecycleweichengwendao
 

Viewers also liked (20)

IEL - Satya's 2nd Class
IEL - Satya's 2nd ClassIEL - Satya's 2nd Class
IEL - Satya's 2nd Class
 
Plaza 28 de julio macusani
Plaza 28 de julio macusaniPlaza 28 de julio macusani
Plaza 28 de julio macusani
 
Sergio
SergioSergio
Sergio
 
Web2.0 omar duran jesus fabregas
Web2.0 omar duran jesus fabregasWeb2.0 omar duran jesus fabregas
Web2.0 omar duran jesus fabregas
 
Ganadores concurso Love Flights
Ganadores concurso Love FlightsGanadores concurso Love Flights
Ganadores concurso Love Flights
 
Obama
ObamaObama
Obama
 
POM ARTICLE CBC MAGAZINE
POM ARTICLE CBC MAGAZINEPOM ARTICLE CBC MAGAZINE
POM ARTICLE CBC MAGAZINE
 
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
Videojogos e Web 2.0: desafios para a formação dos bibliotecários (programa e...
 
Зырянова анонс Оценка секретарей
Зырянова анонс Оценка секретарейЗырянова анонс Оценка секретарей
Зырянова анонс Оценка секретарей
 
Rails 3 - RS on Rails - 21aug2010
Rails 3 - RS on Rails - 21aug2010Rails 3 - RS on Rails - 21aug2010
Rails 3 - RS on Rails - 21aug2010
 
11 essencia de luz
11 essencia de luz11 essencia de luz
11 essencia de luz
 
Pesquisa brasil bola da vez deloitte e ibri
Pesquisa brasil bola da vez deloitte e ibriPesquisa brasil bola da vez deloitte e ibri
Pesquisa brasil bola da vez deloitte e ibri
 
Estout demo
Estout demoEstout demo
Estout demo
 
FRASES DE BILL GATES.
FRASES DE BILL GATES.FRASES DE BILL GATES.
FRASES DE BILL GATES.
 
Html
HtmlHtml
Html
 
CRM Loyalty
CRM LoyaltyCRM Loyalty
CRM Loyalty
 
A Legacy of Light and Dark Generation 2 Chapter 1
A Legacy of Light and Dark Generation 2 Chapter 1A Legacy of Light and Dark Generation 2 Chapter 1
A Legacy of Light and Dark Generation 2 Chapter 1
 
Uttam
UttamUttam
Uttam
 
Agenda
AgendaAgenda
Agenda
 
Marketing and the customer lifecycle
Marketing and the customer lifecycleMarketing and the customer lifecycle
Marketing and the customer lifecycle
 

Similar to Ajit - Legiment Techniques - ClubHack2007

Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future fraudsRanjeet Kumar
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaShivamSharma909
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineerShivamSharma909
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updatedInfosecTrain
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityHecrocro
 
DDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosDDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosHaltdos
 
IRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack DetectionIRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack DetectionIRJET Journal
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Securing Millions of Devices
Securing Millions of DevicesSecuring Millions of Devices
Securing Millions of DevicesKai Hudalla
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled InterruptsAnshuman Biswal
 

Similar to Ajit - Legiment Techniques - ClubHack2007 (20)

Legiment Techniques of IDS/IPS Evasion
Legiment Techniques of IDS/IPS EvasionLegiment Techniques of IDS/IPS Evasion
Legiment Techniques of IDS/IPS Evasion
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 
Lte and future frauds
Lte and future fraudsLte and future frauds
Lte and future frauds
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agenda
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineer
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Day4
Day4Day4
Day4
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
 
Securityic2
Securityic2Securityic2
Securityic2
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
 
DDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosDDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-Haltdos
 
6
66
6
 
IRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack DetectionIRJET- Software Defined Network: DDOS Attack Detection
IRJET- Software Defined Network: DDOS Attack Detection
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Aensis idps 1000 v ext_eng
Aensis idps 1000 v ext_engAensis idps 1000 v ext_eng
Aensis idps 1000 v ext_eng
 
Securing Millions of Devices
Securing Millions of DevicesSecuring Millions of Devices
Securing Millions of Devices
 
Topic22
Topic22Topic22
Topic22
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled Interrupts
 

More from ClubHack

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 

More from ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Recently uploaded

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Recently uploaded (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Ajit - Legiment Techniques - ClubHack2007

  • 1. Legiment Techniques of IDS/IPS Evasion Ajit Hatti hatti_ajit@yahoo.com
  • 2. Overview ● Why learn the Evasion Techniques ? ● Introduction to Classical & Legiment Techniques of IPS/IDS evasion. ● Case study with Exchange MS03-046. ● Comparison between Classical & Legiment Techniques of evasion. ● Conclusion.
  • 3. Why Learn Evasion Techniques? ● Security is important. ● Security shouldn't backfire. ● Security is a moving target. ● Proactive security management is need of the hour. ● Attack is the best defense.
  • 4. Classical Evasion Techniques ● Polymorphic or Obfuscating attack payload ● Packet Fragmentation ● Protocol Violation ● Inserting Traffic (Reducing TTL) ● DOS
  • 5. Legiment Techniques ● Introduction – It focuses on application protocols, the exploits, and the way IDS/IPS handles them. – Any existing exploit can be crafted in a way to evade the IPS/IDS. – Needs knowledge of the exploit and the application server being exploited.
  • 6. Case-Study MS03-046 MS03-046 : – Vulnerability in Exchange Server Could Allow Arbitrary Code Execution. – XEXCH50 command accepts 2 parameters, first being the message size. XEXCH50 P1 P2 rn – Negative value of P1 results in buffer overflow.
  • 7. Exploiting MS03-046 Classical Techniques : Fragmentation 1.1 XEX 1.2 CH5 <-- 451 Time out waiting for client input. Connection closed by foreign host 1.3 0 - 1.4 1 2 1.5 rn 1.6 [shell code] Limitations : ● TCP session span of IPS/IDS & Exchange can be tuned to be equal. ● Newer systems can detect & handle fragments.
  • 8. Exploiting MS03-046 Legiment Techniques – Exchange operates in 2 modes. DATA mode and Command mode. – message body follows DATA command. – Craft a mail to put IDS in to DATA state keeping Exchange server in command state. – Then exploit the vulnerabilities in SMTP commands. – Similarly exploit vulnerabilities in message body putting IDS in command state Exchange server in DATA state.
  • 9. Legimency for MS03-046 1: Altering Command Sequence ● Sending <RCPT TO> before <MAIL FROM> puts IDS in to DATA state and Exchange remains in Command state. ● Any commands going after this, are part of the message body for IDS and hence ignored.
  • 10. Legimency for MS03-046 2 : Invalid Sender ● Sending invalid sender in <MAIL FROM>, keeps Exchange in command state, unless valid sender is sent. ● IDS cant decide the validity of the sender. ● Using this, IDS can be pushed in DATA state keeping Exchange in command state. ● Any commands going after this, are ignored by IDS as a part of message body.
  • 11. Legimency for MS03-046 3: Non-Existent Recipient ● Sending invalid recipient in <RCPT TO>, keeps Exchange in command state unless valid recipient is sent. ● IDS cant decide the validity of the recipient. ● Hence IDS gets in DATA state, where as Exchange remains in command state. ● And thus, IDS can be evaded.
  • 12. Legimency for MS03-046 4 : Exploiting BDAT flaw. ● BDAT accepts <SIZE> argument in decimal. ● For a large value of <SIZE>, Exchange spins it between negative and positive value. ● For Exchange, the effective value of 4294967296 is 0 and (4294967296 + 100) is 100. ● While IDS decodes message of size 4294967297, the malicious command is sent to Exchange.
  • 13. Comparison ● More Effective – Legiment attacks can bypass most of the IPS/IDSs. – Can also be used to check possible false positives. ● Tough to tackle – IPS/IDS needs full-duplex, session state decoding to intercept the Legiment attacks. – Being more application specific, needs more efforts from vendors to tackle. ● Needs expertise for creation – Unlike classical techniques, Legiment techniques demand in depth knowledge of Application server.
  • 14. Evasion Techniques and Success Rate Matrix Application Specific Obfusc ating Legiment Evasion Techniques Attack Payloads Tec hniques Network Specific DOS Attac ks, Fragmentation, Traffic insertion Protocol Voilation Low to Moderate Moderate to High Success Rate
  • 15. Conclusion ● Classical Evasion techniques focuses to uncover Network layer flaws of IPS/IDS, so the application layer flaws were neglected. ● Legiment Techniques focuses solely on weakness in applications layer of IDS/IPS. ● Hackers, Pen-testers, IDS/IPS QA and vendors are equally benefited with Legiment Techniques. ● Legimency encourages to create more & newer techniques in various applications to improve the Security Systems.
  • 16. Sincere Thanks ● Team ClubHACK. ● Linux & Open Source Community. ● The Audiences.