N I L A D I C سه شنبه 16 آبان 1396 02:21 ق.ظ نظرات ()
### Denial of Service vs. IDS:
Another mechanism for getting around an IDS is to attack the IDS directly or exploit a
weakness in the system via a DoS attack.
A DoS or DDoS attack overwhelms or disables
a target in such a way as to make it temporarily or permanently unavailable. Through the
consumption of vital system resources, the overall performance of the target is adversely
impacted, making it less able, or completely unable, to respond to legitimate traffic, or at
least not function to the best of its ability.
If we target an IDS with a DoS attack, something interesting happens: The IDS
functions erratically or not at all. To understand this, think of what an IDS is doing and
how many resources it needs to do so. An IDS is sniffing traffic and comparing that traffic
to rules, which takes a considerable amount of resources to perform. If these resources can
be consumed by another event, then it can have the effect of changing the behavior of the
IDS. By using enumeration and system hacking methods it is possible for an attacker to
identify which resources are under load or are vital to the proper functioning of the IDS.
Once those resources are identified, the attacker can clog up or consume the resources to
make the IDS not function properly or become occupied by useless traffic.

### Obfuscating:
Because an IDS can rely on being able to observe or read information, the process of
obscuring or obfuscating code can be an effective evasion technique. This technique relies
on manipulating information in such a way that the IDS cannot comprehend or understand
it but the target can. This can be accomplished via manual manipulation of code or
through the use of an obfuscator. One example that has been successful against older IDSs
is the use of Unicode. By changing standard code such as HTTP requests and responses to
their Unicode equivalents, you can produce code that the web server understands but the
IDS may not.

### Crying Wolf:
Remember the story from your childhood of the boy who cried wolf? The shepherd boy
in the story cried wolf so many times as a joke that when the wolf was actually attacking
his flock no one believed him and his flock got eaten. The moral of the story is that liars
are rewarded with disbelief from others even when they tell the truth. How does this apply
to our IDS discussion? Essentially the same way as the boy in the story: An attacker can
target the IDS with an actual attack, causing it to react to the activity and alert the system
owner. If done repeatedly, the owner of the system will see log files full of information that
says an attack is happening, but no other evidence suggests the same. Eventually the system
owner may start to ignore these warnings, or what they perceive to be false positives,
and become lax in their observations. Thus an attacker can strike at their actual target in
plain sight.

### Session Splicing:
The type of evasion technique known as session splicing is an IDS evasion technique that
exploits how some types of IDSs don’t reassemble or rebuild sessions before analyzing
traffic. Additionally, it is possible to fool some systems by fragmenting packets or
tampering with the transmission of packets in such a way that the IDS cannot analyze them
and instead forwards them to the target host.

# NOTE: Tampering with the fragmentation of a packet can be a tremendously
effective way of evading an IDS. For example, adjusting the fragmentation
so that it takes longer to reassemble the fragments than the IDS will wait
can cause the fragments to be forwarded to a host. A second example
would be to adjust the fragments such that when they are reassembled
they overlap causing problems for the IDS, which again may result in the
fragments being forwarded on to the intended target.

### Fun with Flags
The TCP protocol uses flags on packets to describe the status of the packet. Knowledge of
these flags can yield benefits such as evasion techniques for IDSs.

### Bogus RST
RST is one of the many flags used to end two-way communications between endpoints. In
addition to these flags, checksums are used to verify the integrity of the packet to ensure
that what was received is what was sent originally. An attacker can use alteration of this
checksum to cause the IDS to not process the packet. What happens with some IDSs is that
upon receipt of an invalid checksum, processing stops and the traffic passes unimpeded by
the IDS without raising an alert.

### Sense of Urgency
The URG flag is used to mark data as being urgent in nature. Although it is used to indicate
which information is of an urgent nature, all information that flows before it is ignored in
order to process the urgent data. Some IDSs do not take this previous data into account
and let it pass unimpeded, letting an attack potentially pass without hindrance.

### Encryption
Some IDSs cannot process encrypted traffic and therefore will let it pass. In fact, of all the
evasion techniques, encryption is one of the most effective.

### IP Address Spoofing:
One effective way an attacker can evade a firewall is to appear as something else, such as
a trusted host. Using spoofing to modify address information, the attacker can make the
source of an attack appear to come from someplace else rather than the malicious party.

### Source Routing:
Using this technique, the sender of the packet designates the route that a packet should take
through the network in such a way that the designated route should bypass the firewall
node. Using this technique, the attacker can evade the firewall restrictions.
Through the use of source routing, it is entirely possible for the attacker or sender of
a packet to specify the route they want it to take instead of leaving such choices up to the
normal routing process. In this process the origin or source of a packet is assumed to have
all the information it needs about the layout of a network and can therefore specify its own
best path for getting to its destination.
By employing source routing, an attacker may be able to reach a system that would not
normally be reachable. These systems could include those with private IP addresses or those
that are protected under normal conditions from the Internet. The attacker may even be
able to perform IP spoofing, further complicating detection and tracing of the attack by
making the packet’s origin unknown or different from its actual origin.
Fortunately, the easiest way to prevent source routing is to configure routers to ignore
any source routing attempts on the privately controlled network.

### Fragmentation:
The attacker uses the IP fragmentation technique to create extremely small fragments and
force the TCP header information into the next fragment. This may result in a case where
the TCP flags field is forced into the second fragment, while filters can check these flags
only in the first octet. Thus the IDS ignores the TCP flags.

### IP Addresses to Access Websites:
A mechanism that is effective in some cases at evading or bypassing a firewall is the use of an
IP address in place of a URL. Since some firewalls only look at URLs instead of the actual IP
address, use of the address to access a website can allow an attacker to bypass the device.
( THIS IS VERY OLD BUT IN SOME CASES CAN BE EFFECTIVE )

####### Using ICMP Tunneling:
Yet another method to bypass or evade a firewall is through the use of ICMP tunneling. ICMP
can be used to bypass a firewall through a little-known part of the RFC 792 specification
(responsible for defining the operation of ICMP). The ICMP protocol defines the format and
structure of the packet, but not what the packet carries as part of its data portion. Due to
this ambiguous definition of the data portion, the contents can be completely arbitrary, thus
allowing for a diverse range of items to be included within the data section. This section can
include information regarding applications that can open a covert channel or plant malware.
The end result can be that an organization’s firewalls can be opened.
One tool that is effective at performing this type of task is Loki, which has the ability to
tunnel commands within an ICMP echo packet. Other similar tools are ncovert and 007shell,
both of which allow for the crafting of packets that can be used to bypass a firewall.

####### Using ACK Tunneling:
Pursuing a variation of a theme, you can also use ACK tunneling to bypass the scrutiny of a
firewall. ACK tunneling exploits the fact that some firewalls do not check packets that have
the ACK bit configured. The reason for this lapse is that the ACK packet is used to respond
to previous, and assumed legitimate, traffic that has already been approved.
An attacker can leverage this by sending packets with the ACK flag set using a tool such
as AckCmd.

### HTTP Tunneling:
An additional variation of the tunneling method involves exploiting the HTTP protocol.
This method may be one of the easiest ones to use mainly due to the fact that the HTTP
protocol is already allowed through many firewalls as part of normal operation. HTTP
traffic is considered normal due to the requirement for just about every company to have
Internet access or provide access to resources such as web servers and web applications to
the public and as such it does not appear abnormal.
One tool that may be used to exploit this situation is HTTPTunnel, which uses a
client/server architecture to facilitate its operation.

### Testing a Firewall and IDS:
With so many techniques and mechanisms at your disposal, you can now test your
defensive and monitoring capabilities.
# Overview of Testing a Firewall:
The following are the general steps and process for testing the integrity and capability of a
firewall, whether it is based on hardware or software:
1.      Footprint the target.
2.      Perform port scanning.
3.      Perform banner grabbing against open ports.
4.      Attempt firewalking.
5.      Disable trusted hosts.
6.      Perform IP address spoofing.
7.      Perform source routing.
8.      Substitute an IP address for a URL.
9.      Perform a fragmentation attack.
10.      Use an anonymizer.
11.      Make use of a proxy server to bypass a firewall.
12.      Use ICMP tunneling.
13.      Use ACK tunneling.

# Overview of Testing an IDS:
Much like testing a firewall, there is a general process for testing an IDS. It tends to be
something like the following:
1.      Disable trusted hosts.
2.      Attempt an insertion attack.
3.      Implement evasion techniques.
4.      Perform a DoS.
5.      Use code obfuscation.
6.      Perform a false positive generation technique.
7.      Attempt a Unicode attack.
8.      Perform a fragmentation attack.
It is important for you to remember that not every attack will work when testing a
firewall or IDS, but you should still log the results and make note of the way the devices
respond. When testing is completed, compare and analyze the results to see if you can
determine any patterns or behavior that may indicate the nature of the environment or
vulnerabilities present.