Evader is a tool produced by Stonesoft which provides a ready-made test lab to test IP evasion techniques. Stonesoft claims that this tool should be used to test your network security solutions effectiveness against the protection and detection of threats. Other than marketing and hype, Stonesoft as always provided innovative solutions in the network security market. You might remember the old days of Stonebeat Full cluster software that was used by vendors like Checkpoint to create high availability and load sharing scenarios.
The evader tool has the ability to test IP evasion techniques against two vulnerabilities: CVE-2004-1315 and CVE-2008-4250. For the first one, the tool has available 24 evasion methods which 9 are at application layer, 2 at network layer and 13 at the transport layer. The test lab cover CVE-2004-1315 and it can be easily downloaded and deployed using VMware. The documentation is clear and provides step-by-step guidance.
Essentially, the virtual machine contains an installed Linux, Apache, MySQL, Php and as deployed the PHP Bulletin Board version 2.0.10. This application is vulnerable to CVE-2004-1315. The Santy worm back in 2004 used this vulnerability to abuse and deface websites.
In the tested version of evader the available evasion technques are:
http_header_lws – HTTP header linear whitespace
http_known_user_agent – HTTP known user agent
http_request_line_separator – HTTP request line separator
http_request_method – HTTP request method
http_request_pipelined – HTTP request pipelined
http_url_absolute – HTTP URL absolute
http_url_dummypath – HTTP dummy paths
http_url_encoding – HTTP URL encoding
http_version – HTTP request version
ipv4_frag – IPv4 fragmentation
ipv4_opt – IPv4 options
tcp_chaff – TCP Chaff
tcp_initialseq – TCP initial sequence number
tcp_inittsopt – TCP timestamp option settings
tcp_nocwnd – Disable TCP congestion avoidance
tcp_nofastretrans – Disable TCP fast retransmit
tcp_order – TCP segment order
tcp_overlap – TCP segment overlap
tcp_paws – TCP PAWS elimination
tcp_recv_window – TCP receive window
tcp_seg – TCP segmentation
tcp_timewait – TCP TIME-WAIT decoys
tcp_tsoptreply – TCP timestamp echo reply modifications
tcp_urgent – TCP urgent data
I decided to take a deeper look and downloaded the evader version 0.9.8.557. After that created a small lab to test the tool against the Checkpoint product with Firewall and IPS blade enable. Mainly, I created an account on Checkpoint User Center and requested a trial license of 15 days and downloaded the ISO image of Checkpoint R75.40 with software blades. Installed the system as Security Gateway and Security Management Server. Configured IP addressing, rules and routing to suit test scenario. The lab setup wouldn’t take long if you are familiar with Vmware and Checkpoint.
Interesting is that, either default or recommended IPS profile from Checkpoint R75.40 does not catch the attack used against CVE-2004-1315. I used evader and metasploit. Looking deeper at signatures from Checkpoint Web Intelligence – Malicious codes – General HTTP worm catchers, the signature that eventually should catch this attack is called Sanity.A Worm. However, the regular expression available for this attack needs to be adjusted. After that the attack is successful detected and/or prevented. From the moment that the security solution detects the attack we can start using the evasion techniques to test its effectiveness. In this case, after having the signature configured properly on the Checkpoint IPS the evasion techniques I tried (time limitation was a factor) were all detected/prevented. With an overall protection score of 98.3% on the NSS labs report that would be the expected result.
Understanding threats, identify their causes and implement effective countermeasures takes time but will help you reducing risk and exposure. With this I mean that its generally worth doing your assessment and use this kind of tools against the security products that protect you assets to have a better understanding of the technical advantages and drawbacks. Security companies want to make you think you are as secure as possible and that eventually provides you a false sense of security.
If you are interested in intrusion analysis and/or configuring IDS/IPS systems. If you would like to have a peek behind the scenes on how the packets look like when crafted with evasion techniques such as fragmentation attacks or obfuscation. Then evader is definitely a good start. The tool illustrates quite well a significant amount of attack vectors. You can use it to complement frameworks like Metasploit to learn or reinforce skills about evasion techniques.
[2017-02-10]: The Evader tool is no longer available but I kept a copy here: Evader, for the ones that are interested in playing with it.
In addition to this write up, the following references will give all you need to acquire more knowledge about Intrusion Detection Evasion:
Insertion Evasion and Denial of Service Eluding Network Intrusion Detection
Ptacek & Newsham, 1998
The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection
Stefan Axelsson, 1999
A Strict Anomoly Detection Model for IDS
sasha / beetle, 2000
IDS Evasion Techniques and Tactics
Kevin Timm, 2002
Combining Evasion Techniques to Avoid Network Intrusion Detection Systems
Gorton & Champion, 2003
Intrusion Detection System (IDS) Evasion
Thermoptic Camouflage: Total IDS Evasion
Caswell & Moore, 2006
HD Moore, CanSecWest 2006
How to test an IPS
Networks Environment Detection of DDoS and IDS Evasion Attacks in a High-Speed
Oh, Park Jang & Jeon, 2007
Active Mapping : Resisting NIDS Evasion without Altering Traffic
Umesh Shankar, Vern Paxson
Intrusion Detection FAQ: How does Fragroute evade NIDS detection?