Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 8 – Scenario Two Findings – Encryption


SCENARIO 2.3 – ENCRYPTION
EXPERIMENT 8 – SSH TUNNELS

Encrypted traffic is very difficult for an IDS to inspect because the payload is not visible to it, which is one of the inherent limitations of IDSs. For this part of the experiment the author used SSH tunnels to encrypt the traffic between the attacker and the target. Figure 6.45 shows the attacker creating a dynamic SSH port listening on localhost port 8888 and an SSH forwarder listening on localhost port 8881 that forwards the traffic to the destination target 192.168.59.130 on destination port 3632 (DISTCC).

Figure 6.45: SSH tunnel being created on the localhost

In other words, the attacker directs any traffic to port 8888 on the localhost, where it is encrypted by the SOCKS 5 SSH tunnel, passed out of local port 8881 and then forwarded to the destination target 192.168.59.130 on destination port 3632, which is the vulnerable DISTCC service.

Figure 6.46: Exploit sent to target via encrypted tunnel

Figure 6.46 above shows the exploit being executed and a shell being opened. As Figure 6.47 illustrates, no alerts were raised, which means that the technique successfully evaded detection.

Figure 6.47: Snort Statistics

As can be seen here, out of all the packets that were received and analysed, zero alerts were generated.
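The result above can be reproduced in miniature from the sensor's side. The following is an added example, not part of the original post or of Snort: it runs a content match over the same request sent in clear and inside an encrypted stream, then shows the metadata a sensor can still use (the cleartext SSH version banner and payload entropy). The signature bytes, the flow dictionary layout, the port 22 endpoint and the SHA-256 keystream standing in for the SSH cipher are all assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for the byte pattern a payload signature looks for.
SIGNATURE = b"CONSTRUCTED-DISTCC-SIGNATURE"

def keystream_encrypt(key, data):
    """Stand-in for the SSH transport cipher: SHA-256 in counter mode (not real SSH)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect(flow):
    """Return the findings a sensor could raise for one reassembled flow."""
    findings = []
    if SIGNATURE in flow["payload"]:                  # content match: needs cleartext
        findings.append("payload-signature")
    if flow["first_bytes"].startswith(b"SSH-2.0-"):   # SSH version banner is sent in clear
        findings.append("ssh-session")
    if entropy(flow["payload"]) > 7.0:                # ciphertext looks like random bytes
        findings.append("opaque-payload")
    return findings

def sample_flows():
    """Constructed flows: the same request sent directly and through an SSH tunnel."""
    request = SIGNATURE + b" constructed filler" * 60
    direct = {"dst": ("192.168.59.130", 3632),
              "first_bytes": request[:8], "payload": request}
    tunnelled = {"dst": ("192.168.59.130", 22),       # assumed SSH endpoint
                 "first_bytes": b"SSH-2.0-constructed",
                 "payload": keystream_encrypt(b"constructed-session-key", request)}
    return direct, tunnelled

if __name__ == "__main__":
    for name, flow in zip(("direct", "tunnelled"), sample_flows()):
        print(name, flow["dst"], inspect(flow))
```

The content match fires only on the direct flow; for the tunnelled flow the sensor is left with the fact that an SSH session exists and that its payload is opaque, which is why policy on who may open SSH sessions to a host matters more than payload rules here.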

In the upcoming posts, we will discuss all the findings and future work, and conclude this series with a closing discussion.
