Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 5 – Tools and Procedures


Welcome back all, this part of the series we will test some of the methods described previously as outlined on the upcoming sections where we will discuss the tools and the procedures followed to attempt such tests and then in the final sections of this series we will discuss the results.

The tools used in this study are all preinstalled into Backtrack operating system with the exception of snort; although snort is also installed in Backtrack a separate installation was used. The tools discussed in this chapter are used throughout the experiments.

Please note that as previously mentioned, this series contained sections from an entire Distinctions Grade MSc. Dissertation that I have attempted as part of my master’s degree years back and I have tried my best to keep it without any modifications as best as I can.

The dissertation is very long and as was described by my supervisor, was a PHD grade level research, therefore I have tried to keep it as short as possible for this blog series without impacting the benefits I am intending to pass forward to the InfoSec community and I hope you all enjoy it.

Snort IDS

According to Richard Bejtlich (2005, pg 149) snort is a network intrusion detection system that can also be used for packet capture and analysis.

Snort NIDS in standby mode

A more detailed description of snort is given by (Brandon Franklin 2006, p.3):

Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. It’s a lightweight, network-based IDS that can be set up on a Linux or Windows host. While the core program uses a Command Line Interface (CLI), graphical user interfaces (GUIs) can also be used. Snort operates as a network sniffer and logs activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Snort consists of two basic parts:

  • Header where the rules “actions” are identified.
  • Options where the rules “alert messages” are identified.

For this study snort was used because it’s an Open Source tool that requires no fee to download and install. Also it is the most widely used IDS by organisations around the world and many of the main commercial systems out there are based on snort and use the same or similar signature structure (Graziano 2011). The IDS was installed on CentOS operating system to monitor network 192.168.0.0. Three configuration files were used:

  • First file was configured to only have the rules activated.
  • Second file was configured to only have the pre-processors activated.
  • Third file was configured to run snort in full mode, meaning the pre-processors and all rules were activated.

Snort configurations file 1A – rules only

The Figure, shows the first screenshot of configuration file 1, which is the rules only, as shown only the stream5 pre-processor was left active. This is due to snort needing this in order for it to operate and without it snort would not run.

The Figure below, shows screenshot of the same file but displaying the rules that are activated.

Snort configurations file 1 B – rules only


Snort configurations file 2A – pre-processors only

The figure above shows the second configurations file displaying the pre-processors being activated and figure 4.5 below shows the same file displaying the rules being deactivated.

Snort configurations file 2B – pre-processors only

Finally the screenshots shown in figure 4.6 and 4.7 shows snort’s configurations file 3, which runs snort in full mode (pre-processors and rules are activated).

Snort configurations file 3A – full mode


Snort configurations file 3B – full mode

TCPDump

Tcpdump is a packet capture and analysis package, it is installed with libpcap and maintained by the developers of libpcab themselves. Libpcap is the packet capture library used by tcpdump. This tool as well as wireshark was chosen for the same reasons discussed previously. It is Open Source ready available in most OS and was used during the IDS module course.

Tcpdump on standby

The default behavior of tcpdump is that it puts the interface into promiscuous mode, this means that it will listen to everything that is happening on that interface (Graziano 2011). There are many different options that can be used to analyse traffic, these options enable analysts to look at different levels of the packet at different layers. Another tool that can be used to capture and analyse traffic is wireshark.

Wireshark is a graphical packet capture and analysis tool that is also open source software. As explained by (Bejtlich 2004, p.162) this tool should not be used with a trace that is bigger than a few megabytes and if a need arises to do so session data needs to be used. He also mentioned that the main strengths of wireshark are its decoding ability and rapid visual comparison.

Fragroute and Fragtest

Fragroute and fragtest comes as part of the same package; fragroute is a packet fragmentation tool, as described by (Bejtlich 2004, p.534) fragroute captures the traffic and then modifies it to implement many of the fragmentation attacks discussed in chapter two and explained by (Newsham 1998). Fragtest is used to test the remote target TCP/IP stack; it offers six tests as described below:

  • Ping: sends an ICMP echo request to the target.
  • Ip-opt: sends ICMP echo request with different IP options to check which ones are supported by the remote target.
  • Frag: sends an ICMP echo request in 8-byte fragments.
  • Frag-new: as above except that it sends it with an overlapping 16 byte fragments, favouring newer data reassembly.
  • Frag-old: as above except that it favours old data reassembly.
  • Frag-timeout: sends an ICMP echo request as 8-byte fragments, deleting the last fragment and waiting for an ICMP time-exceeded-reassembly reply.

The above options are as described by (Bejtlich 2004, p.534).


Fragroute fragmenting nmap SYN scan

Nmap

Nmap is a network scanning tool that was developed to map out networks. There are many tools available out there that performs the same job; however nmap is the most popular one and is used by many security professionals to do some security tests on the networks they supervise. This tool is also used by attackers to map out their target network.

The popularity of the tool meant that the majority if not all modern IDSs have incorporated methods and techniques to detect this tool. However Nmap comes with built-in tricks to help defeat detection; combining these tricks with other evasion techniques would make it very difficult for IDSs to detect it.

One would ask why it is important to hide the scans from IDSs. The answer would be that many organisations customise their IDSs to flag an alert after so many scans and others would totally block the scans from the start. On many occasions this would defeat the attacker’s task because the attacker would need to gather information about his/her target in order to be able to choose a suitable exploit to compromise a system.

This study makes use of nmap to send some reconnaissance traffic to detect what services are running on the target; the aim of this is how evasion techniques such as fragmentation can be used to hide these scans and not the scans themselves, as these scans would most certainly be detected by Snort and all other IDSs if sent directly without evasion.

Nmap SYN scan

Snort detecting nmap SYN scan

Metasploit

According to (Kevin Beaver 2007, p.21):

The MSF is an open-source tool, which provides a framework for security researchers to develop exploits, payloads, payload encoders, and tools for reconnaissance and other security testing purposes. Although, it initially started off as a collection of exploits and provided the ability for large chunks of code to be re-used across different exploits, in its current form it provides extensive capabilities for the design and development of reconnaissance, exploitation, and post-exploitation security tools.

This framework was used at the last phase of scenario two; the idea was to use one of the exploits and run it through fragroute to see if it would evade detection. Then finally the framework’s evasion method was used directly without fragroute.

Metasploit makes it very easy and fast to exploit systems due to the huge amount of tested exploits that are already available as part of the framework’s package. This tool is Open Source and can be freely downloaded and installed, however it also comes pre-installed in Backtrack so there was no need to install it. It is very popular tool and been around for a long time and used by attackers as well as researchers.

Carrying out attacks using this tool was quite important for this study and should be well covered by IDS developers and researchers. If attacks from this tool have managed to evade detection it would confirm the author’s opinion about well-known evasion methods “will continue to present a real challenge for IDSs especially when combined with other methods”.

Metasploit framework

Metasploit running an exploit

Procedure

It is very important to put IDSs under vigorous tests to find out how effective they are and how much they can handle. These tests can be in a number of different forms such as:

  • Testing the IDSs performance.
  • Testing the IDSs resistance to DoS attacks.
  • Testing the IDSs handling of reconnaissance attacks.
  • Testing how malware and evasion attacks will be handled by the IDSs.

This study focuses on investigating IDSs ability to detect evasion techniques used to conceal attacks (reconnaissance, exploits) that are known to be detected by any IDS.

The experiment was divided into two scenarios:

Scenario One – No evasion: this part consists of three phases. First phase operates snort in rule only mode (all rules are activated and the pre-processors are deactivated), second phase is the other way round (rules are deactivated and the pre-processors are activated) and the third phase operates snort in full mode (all rules and pre-processors are activated). This is because the pre-processors decodes all traffic before passing it to the signature engine; thus running the experiments in this way confirms the functionality of each component.

Scenario Two – the second scenario focuses on applying two of the evasion techniques discussed in chapter two. The IDS here will monitor in full mode (rules and pre-processors), in each of the three phases of this scenario data is captured and analysed using packet capture and analysis tools such as tcpdump. Table 5.1 outlines these scenarios and their objectives.

Scenarios

Objectives

Scenario One – No Evasion
Nmap SYN scans:

Normal

Fragmented

This is really to test the IDSs configuration and confirms that the IDS able to detect the attacks. It checks the rules by deactivating the pre-processors, then checks the pre-processors by deactivating the rules and finally checks the IDS one final time by activating both. Then performs the tests again in the same manner but by using nmap’s fragmentation option. This way it sets the scene for scenario two and ensures that any attacks that skipped detection in scenario two have done so because of the technique used and not because of misconfiguration.
Scenario Two – Evasion techniques – Fragmentation
Nmap SYN scan

Normal

Fragmented

The SYN scan was implemented in two stages; each stage is made up of three phases. The first stage uses a normal SYN scan that is passed through fragroute in three different configurations (fragroute default configuration, ip_frag 8 and finally tcp_seg4 configuration), each configuration represents a phase.

The second test is the same but also combines nmap’s fragmentation option with fragroute. This tests snort’s ability to detect attacks that have been modified by fragroute. If it manages to detect it, the second test would check snort’s reaction when faced with an attack that has been combined with another (nmap’s fragmentation combined with fragroute’s modifications).

Scenario Two – Evasion – Metasploit
Metasploit’s evasion options (msf3) This phase looks at an important tool that has been widely used by both researchers and attackers, due to its flexibility. This stage looks at one of the exploits and evasion methods offered by the framework and examine snort’s ability to detect it.
Scenario Two – Evasion – Tunnels
SSH tunnels At this stage the author proves that all of these signatures that are available and have been tested and proved to be able to detect different types of evasion techniques can be easily circumvented by the use of encryption, which clearly illustrates the challenges that IDSs and IDS developers continue to face.

Outline of Scenarios and their objectives

Test Platform

VMware virtualisation platform was used to create three virtual machines; one had Backtrack, one with CentOS (used as the IDS) and one with Ubuntu. At first the idea was to simulate a full network that has all the common services running in an organisation network such as DHCP, DNS, Proxies, Web servers, etc.; then have a virtual machine with snort installed and integrated into sguil and other packages to create a network monitoring system (NSM usually implemented by enterprise networks) and finally a virtual machine (VM) with Backtrack installed, which will act as the attacker system.

The first part of the network setup and configuration was successfully completed as illustrated in the following screenshots:

DNS server


DHCP server


Web server

The above three screenshots demonstrates the successful operation of the three servers especially the web server and DNS server. Looking at the URL box it is clear that the DNS successfully translated http://www.samiehproject.com to the correct IP address, which resulted into the webpage being displayed.

The second part (Sguil) as shown below was completed but with one problem that drove this stage to an unsuccessful attempt.

Sguil setup stage – MySQL server


Sguil Login screen


Sguil console

Although the software loads and a console screen is presented there was no alerts generated. This was due to a problem with Barnyard dependencies that wasn’t compatible with Barnyard2, the new available version of Barnyard. This is a problem encountered by everyone the author came across at the time of the research when trying to search for a solution online and after many unsuccessful attempts it was recognised that this problem would take longer than feasible to solve (see appendix C for more details).

As a result the author decided on a simple setup that would be easy to implement and would be sufficient to achieve the objectives of the experiments.

This setup is as explained in the beginning of this chapter and outlined in table 5.2.

Virtual Machine

Backtrack

(the attacker)

CentOS

(the IDS)

Ubuntu

(Target)

VM version

VMware workstation 7.0

VMware workstation 7.0

VMware workstation 7.0

Guest OS type/version

GNU/Linux 2.6.x kernel

GNU/Linux 2.6.x kernel

GNU/Linux 2.6.x kernel

Number of CPUs

1

1

1

Memory

256

512

512

Network

Host-only

Host-only

Host-only

Virtual Disk Type

SCSI

SCSI

SCSI

Virtual Disk size

71 GB

16 GB

20 GB

Virtual Machine Hardware setup

As explained previously each of the scenarios is made of three main phases that tests the IDS in a certain way using the same attacks. Having established in scenario one that the IDS is correctly configured and can detect all of the attacks that will be passed to it, the second scenario was started. Although the main scenario for this study was scenario two, it was important however to carryout scenario one to form a procedure to check each component of the IDS and to check the IDS’s configurations and rules. Thus it was a way to ensure the accuracy of the experiment’s results and any techniques that succeeded in evading the IDS’s sensors have done so due to the effectiveness of the technique and not due to other issues.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s