RE: Evading IDS?

From: Mark G. Spencer (mspencer@evidentdata.com)
Date: Thu Mar 18 2004 - 19:05:25 EST


Hi Karl,

I've tried a variety of Nikto IDS evasion techniques and continued to get
each of my respective IPs blacklisted. Interestingly enough, running nmap
3.48 with default options against the entire class C works fine. Version
probing seems to be giving me good (or at least consistent) information,
e.g. Cisco VPN concentrators, Cisco routers, etc. Actually, I know the nmap
version probing VPN information is correct because I tried to log into them.
;)

For testing purposes tonight, I am going to use fragroute IDS evasion
instead of Nikto or Nessus IDS evasion and report back regarding success or
failure.

I may also get access to Kavado ScanDo for this project and will use its
proxy features.

Thanks,

Mark

-----Original Message-----
From: Levinson, Karl [mailto:Karl.Levinson@dhs.gov]
Sent: Thursday, March 18, 2004 2:29 PM
To: 'Mark G. Spencer'; pen-test@securityfocus.com
Subject: RE: Evading IDS?

-----Original Message-----
> From: Mark G. Spencer [mailto:mspencer@evidentdata.com]

> Any advice on how to evade the IDS? I know Nessus and Nikto offer a
> variety of IDS evasion techniques,

Why not try them?

I would want to know whether you are being blocked by network IDS or
host-based IDS, because the evasion techniques are different. If the IDS is
alerting on your excessive use of the HTTP track and trace verbs [just a
guess], you could try generating such HTTP requests or your entire scan
through an encrypted HTTPS session. If you do not get blocked, then I would
guess that NIDS type of evasion may help. If you do get blocked, then NIDS
type of evasion may not work.

If you really are being blocked by use of the track and trace verbs, then
disabling those tests might help.

The IDS evasion techniques in Nikto / libwhisker are described below:

http://www.wiretrip.net/rfp/txt/whiskerids.html
http://www.sans.org/rr/papers/30/339.pdf
http://www.insecure.org/stf/secnet_ids/secnet_ids.html

Most of them would probably be more effective at evading NIDS, with the
*possible* exception of premature request ending and/or session splicing,
depending on the IDS method. Give those a try.

I would also recommend determining which IDS they are using on which OS, and
read about the features and flaws in that IDS. It may not be safe to assume
it is a Cisco IDS.

You might also consider a different type of web assessment tool as well,
such as a proxy type like WebProxy atstake.com instead of a scanner.

Note that the Nikto readme states:

"Nikto leaves a footprint on a server it scans--both in an invalid 404 check
and in the User-Agent header. This can be changed by forcing the
$NIKTO{fingerprint} and $NIKTO{useragent} to new values in the source code,
OR, if any IDS evasion (-e) option is used. Note that it's pretty obvious
when Nikto is scanning a server anyway--the large number of invalid requests
sticks out a lot in the server logs, although with an IDS evasion technique
it might not be extremely obvious that it was Nikto."

> but am I correct in assuming that a vendor such as Cisco (or any large
> vendor) has taken well-known
> evasion techniques into account?

No, especially not when you're talking network IDS. NIDS can detect many
kinds of evasion techniques, but when trying to see past the evasion
technique to see what actually was done, IDS often has a choice of two or
more different ways to interpret the data, and quite often the IDS has to
choose one method or another to interpret the data. Which means that if you
used the other method, IDS reports it has found something suspicious but
can't tell you what exactly it is, and may choose not to block access based
on that particular alert. Also, IDS will always have finite computing
resources that can be starved and which make it generally undesirable to be
overly thorough in inspecting traffic. So, there are still ways to evade
IDS.

Feel free to let me know what ends up happening, I'd be curious.

- karl
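As an added illustration of Karl's point about session splicing and interpretation ambiguity (example code added to this archive page; it is not from the thread, from Nikto or from libwhisker), the script below shows why a detector that matches patterns segment by segment misses a request that has been spliced into small pieces, and why reassembling the stream before inspection is the mitigation. The request, the segment sizes and the two signatures (a Nikto User-Agent string and the TRACK/TRACE verbs Karl mentions) are constructed for this example; nothing here comes from real traffic.

```python
"""
Added example, not part of the original pen-test thread: a toy stream
reassembler showing why session splicing defeats per-packet matching
and why an IDS must reassemble before inspecting.  All inputs below
are constructed for illustration.
"""
import re

# Two signatures a NIDS might apply to HTTP requests (constructed for this
# example, not real vendor rules).  They are deliberately simple so that
# the effect of segmentation on matching is easy to see.
SIGNATURES = {
    # Nikto leaves its name in the User-Agent header unless evasion is used
    "nikto-user-agent": re.compile(rb"User-Agent:[^\r\n]*Nikto", re.IGNORECASE),
    # TRACK/TRACE verbs are what Karl guessed the IDS might be alerting on
    "track-trace-method": re.compile(rb"^(TRACK|TRACE) ", re.IGNORECASE | re.MULTILINE),
}


def splice(request, chunk_size):
    """Split a request into fixed-size segments, i.e. what session
    splicing does on the wire: the same bytes, spread over many packets."""
    return [request[i:i + chunk_size] for i in range(0, len(request), chunk_size)]


def inspect_per_packet(segments):
    """Naive inspection: each segment is matched on its own.
    A signature longer than a segment can never match, because no single
    segment holds the whole pattern."""
    hits = set()
    for seg in segments:
        for name, pattern in SIGNATURES.items():
            if pattern.search(seg):
                hits.add(name)
    return hits


def inspect_reassembled(segments):
    """Stream-aware inspection: rebuild the byte stream in order, then match.
    This is the part of a NIDS that costs state and CPU, which is exactly the
    finite resource Karl notes an attacker can try to starve."""
    stream = b"".join(segments)
    return {name for name, pattern in SIGNATURES.items() if pattern.search(stream)}


def compare(request, chunk_size):
    """Run both inspection strategies over the same spliced request."""
    segments = splice(request, chunk_size)
    return {
        "segments": len(segments),
        "per_packet": inspect_per_packet(segments),
        "reassembled": inspect_reassembled(segments),
    }


# Constructed sample request: a TRACE probe carrying a Nikto-style User-Agent.
SAMPLE_REQUEST = (
    b"TRACE /cgi-bin/test HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.75 (Nikto/1.32)\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # One large segment: both strategies see the whole request and match.
    print("single segment :", compare(SAMPLE_REQUEST, 1500))
    # Spliced into 4-byte pieces: only the reassembling inspector still matches.
    print("4-byte segments:", compare(SAMPLE_REQUEST, 4))
```

Running it shows the per-packet inspector reporting nothing once the request is spliced into 4-byte segments, while the reassembling inspector still flags both signatures. The defender's takeaway matches Karl's advice: check whether the IDS in front of you reassembles streams (and how much state it will hold before giving up), rather than assuming a large vendor has closed every such gap.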




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT