...Network ICE, and the chief architect of the BlackICE intrusion detection system. What I'll be discussing today is some of our experiences of running IDS systems in the battlefield. In particular, I'll be discussing how people are evading intrusion detection systems, and then I'll be introducing some new methods that we've been working on that allow hackers to implement new methods of evading intrusion detection systems.

To start with, I'm going to talk a little bit about the background and the surrounding areas of intrusion detection systems and how this applies. It's basically marketing dribble, but you have to bear with me for a moment. IDS systems are sort of like weaponry in the war against hackers, but they're kind of like flaky weaponry. It's kind of like a tank that you might take out to a battlefield, and a soldier walks up behind it, aims a gun at it, and the tank explodes. This is like in the movie Kelly's Heroes from 1968, where Donald Sutherland plays Oddball, who gets behind a German Panzer tank, fires a small little missile at it, and then poof, the tank blows up. The way he was able to do this was by a foot soldier running around behind the tank rather than a frontal assault, where all the armor is. Of course, all tanks can be blown up; the only question is whether you do it with a nuke, a howitzer, or a handgun.

IDSes are a lot like radar systems that trigger on the passing flight of flocks of birds and automatically launch missiles at them, while at the same time not detecting the enemy fighter planes that are bearing down on you. During the Iran-Iraq war, the Iranian... the Iraqi... actually, not the Iran-Iraq war, the Gulf War, Desert Storm: the Iraqi soldiers were famous for throwing down their weapons and running away. This was their primary battle strategy. So, to continue these analogies of weaponry in the war against hackers: IDS systems are a lot like this. They work well in the laboratory. I can bring my IDS system in, I can run an exploit script, I can say "see, my IDS catches this attack," but when you put them into the real world, into battle conditions, they start to fail. They start to flee the battlefield, they blow up from behind, they trigger on the passing flights of birds.

Now here's the blatant marketing pitch. Network ICE right now, we estimate, is the market leader in intrusion detection systems. We're only like number five in terms of the monetary value or whatever from 1999, according to Internet Week, but we believe that more traffic is being monitored by BlackICE than by any other intrusion detection system. This is partially because we run on lots of ISP backbones and high-end websites, because we can keep up with the traffic where a lot of others fail, but also because we've got it running on two million desktops. We have two versions: we have BlackICE Defender, which is a personal IDS that runs on a desktop computer, and then BlackICE Sentry, which is a traditional network-based intrusion detection system like Snort or RealSecure or NetRanger and so forth.

As for the competition's products: first of all, the exploit signatures are not as extensive as they would have you believe. There are lots of decodes that sort of say "well, somebody logged in," and that's about it. There are lots of port numbers they trigger on; there are lots of CGI strings, we just add one right after the other. When you get beyond all that and really hunt down the exploit signatures they have, they're not nearly as extensive as you would think. Even ours: in the list you'll see lots of CGI programs, lots of ports, though we do have lots of other good exploit signatures. Existing technologies are easily evaded by really commonly available programs. These aren't, you know, really uber-hacker programs; they're things you can download, configure, and run, like fragrouter, whisker, and other stuff. I'll also be introducing some new techniques that really will put them in knots. And they also die, you know, pretty gruesomely under heavy load or complex traffic. As I said, they'll easily flee the field of battle like Iraqi soldiers.

To start the technical side of my talk, now that I'm done with the marketing stuff (you see, the marketing department pays for my flight out here and my hotel, so I have to sort of throw them a bone here): what is a network IDS? Fundamentally, it's as shown in this little diagram. You have a hacker, and he wants to break into your website, or behind your website into your corporation. Your external presence is the web server, the FTP server, the name server, your mail exchanger. The network IDS will monitor the network traffic looking for signs of intrusions against your computers. Hopefully it will tip you off that someone's actively attacking you, and if they break in, it'll tell you how they did it.

However, a network intrusion detection system... Is there a Sean Hedges in the room? Okay, thank you. The feds are looking for him. Is there a Sean Hedges?

So in the previous diagram I tried to emphasize the fact that network intrusion detection systems detect that things are happening, but don't necessarily protect you. They're sort of an early warning system and then a post-forensic system. They're like a detective that doesn't witness the actual crime, that tries to piece together the clues afterwards, like the Columbo movies and television shows, where he comes in fifteen minutes after the crime has happened and then, over the course of the show, pieces together the clues until he figures out what happened. And hackers, at least really good hackers I should say, are really good at smudging these clues and hiding their fingerprints. So a network IDS system is like a detective or a sleuth, and it really isn't like a psychic system that somehow knows everything that happened and tells you exactly whether you've been broken into or not. They detect; it's not really a protection thing, it's an enhancement to your protection.

Now I'm going to start talking about classic evasion techniques. The first one was written, I'm not quite sure when it was written, a year and a half ago, two years ago, called fragrouter. It was written by a reseller of NFR, really to irk the market leaders like Cisco and ISS. It's a very simple utility; you can download it and run it. What it does, as shown by the two little diagrams here, is it fragments the attack. Most IDS systems bring in a packet, look for a signature, and say "well, that's a sign of intrusion." A common intrusion is the phf attack; it's the one that we all use now as sort of the standard one when we describe signatures. What fragrouter does is it fragments that across three different packets, so none of the three packets now contains the signature "cgi-bin/phf". You see a little bit of "cgi-bin" and a little bit of "phf" in each packet, but not the whole signature. This causes the IDS system to be completely silent.

Fragrouter also goes through a lot of firewalls. Most firewalls have a configuration option saying "disallow fragments," but it's frequently not configured correctly, and since you can fragment packets so they can't get a good reading on the port number, they'll allow the packets on through. Fragrouter requires an extra machine. The hacker sets up this extra machine on his own side; he then passes all of the traffic on through, and the fragrouter automatically fragments whatever it is that could be in the attack. The IDS on the victim's side can no longer detect the attack, and it's pretty much silent. Some IDSes at least give a little bit of indication and will say "I'm seeing an excessive number of fragments," but they have no visibility into what's really going on in them.

Nmap, which is a common utility that is pretty much the first thing the hacker is going to run against your site when they're attacking you, has a couple of stealth features. The first stealth feature of Nmap was this stealth scan, or half-open scan, or SYN scan, and what it does is it doesn't complete the TCP connection. It starts it but doesn't complete it, and this evaded lots of host-based intrusion detection systems, because they would only start the logging process once the connection had completed. But from the network side of things, this doesn't evade network intrusion detection systems at all. We see all the SYN packets; as a matter of fact, when you see lots of these connections not being completed, we can actually tell that it's a stealth scan. But there are other stealth scan features of Nmap that do evade intrusion detection systems, and that's again using the fragmentation technique: you fragment the SYN, and then the IDS system can't put it together and figure out what it is, and doesn't detect the SYN scan. It evades some firewalls, evades some IDS systems. I recently tested one IDS from a vendor that claimed to support reassembly, but yet could not detect the Nmap SYN scan, the fragmented one.

Another classic evasion technique is to flood the IDS, to attack the IDS itself. Lots of IDSes fail under these DDoS attacks, distributed denial of service attacks. I heard one vendor recently comment that they can do like 30,000 and even more packets per second, which is more than you'll ever see on normal networks, normal 100 megabit networks, but yet they do still fail under 148,000 frames per second, under heavy loads. And yes, they're not normal, but that's what the hacker does: they create abnormal conditions. A buffer overflow isn't normal; it's abnormal. Vendors are designing for the normal case, not so much the exceptional case. Today's IDSes are built under the same assumptions that applications are built under, which is to say you're building for what normal people normally do, for that 80% of what normally happens. IDSes really need to be built for that 20% of exceptional cases. And by the way, packets per second is often the more difficult thing that IDSes have to handle, rather than bits per second. Most IDSes can handle 100 megabits per second, but they can't handle the fully loaded and saturated network with lots of small packets. As a matter of fact, the maximum for 100 megabit networks is 148,800 packets per second; that's actually only about 66 megabits per second because of spacing between frames, but it'll kill most IDSes. And when they fail, they fail really hard.

I show three graphs here, three possibilities. Let's say that the number 100 represents the maximum that you can put across that wire, and maybe the IDS fails at about 75%. Well, IDS number one in this diagram shows that the IDS basically processes 75% of the traffic and drops the other 25%, no matter what that traffic is. What really happens is that IDSes start to degrade: the more traffic you pump in, the fewer packets it's actually processing over time. So you pump in 75, it processes 75; you pump in 80, it now processes 70; you pump in 90, it now processes 60. In reality they really act like IDS number three: soon after they reach their limit, they start failing really, really fast. A lot of them, when you do pump in that full 148,000 frames per second, actually detect zero frames. Now, run that test against a couple of competitors, and that's indeed what they do. BlackICE can handle 148,000 frames per second. This little notebook is a 400 megahertz Pentium II, and I've pumped 148,000 frames per second at it with a little SmartBits tester. It's actually kind of cool. That's because the founders of Network ICE come from the sniffer world, and this is the same diagram we would use to describe sniffers. We'd look at our competitors and we would say they do the same thing: you pump in too much traffic and they go to zero. So at Network General we tried to do the same optimizations, tried to optimize the system to at least fail gracefully when it's going to fail. Network General started with sniffers on 286s on 10 megabit networks; the engineer that wrote the drivers with a 286 on 10 megabits is the one who wrote the drivers for 100 megabits at Network ICE.
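As an added illustration of the fragrouter point made earlier (this is example code written for this transcript, not the speaker's or Network ICE's): a packet-grep check over each fragment on its own misses the "cgi-bin/phf" signature, while the same check over the reassembled datagram finds it. The fragment sample is constructed; offsets follow IP's 8-byte fragment granularity, and the reassembler assumes one datagram (a real IDS keys its buffers by source, destination, protocol and IP id).

```python
# Constructed sample: one HTTP request split into three IP fragments that
# arrive out of order. Each fragment is (offset_in_8_byte_units, more_fragments, payload).
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
FRAGMENTS = [
    (2, False, REQUEST[16:]),    # last fragment, but it arrives first
    (0, True, REQUEST[0:8]),     # b"GET /cgi"
    (1, True, REQUEST[8:16]),    # b"-bin/phf"
]
SIGNATURE = b"cgi-bin/phf"


def per_packet_grep(fragments, signature=SIGNATURE):
    """Packet-grep: inspect every fragment on its own, as a naive IDS would.
    No single fragment above carries the whole signature, so this returns False."""
    return any(signature in payload for _offset, _more, payload in fragments)


class FragmentReassembler:
    """Collect the fragments of one datagram and rebuild it once all are present."""

    def __init__(self):
        self.pieces = {}    # byte offset -> payload
        self.total = None   # datagram length, known once the last fragment arrives

    def add(self, offset_units, more, payload):
        offset = offset_units * 8
        self.pieces[offset] = payload
        if not more:
            self.total = offset + len(payload)
        return self.assemble()

    def assemble(self):
        """Return the full datagram, or None while pieces are still missing.
        Overlapping or gapped fragments are treated as incomplete here; a real
        IDS has to resolve overlaps the same way the target host does."""
        if self.total is None:
            return None
        data = bytearray()
        for offset in sorted(self.pieces):
            if offset != len(data):
                return None
            data += self.pieces[offset]
        return bytes(data) if len(data) == self.total else None


def reassembled_grep(fragments, signature=SIGNATURE):
    """Reassemble first, then look for the signature in the whole datagram."""
    reassembler = FragmentReassembler()
    for offset_units, more, payload in fragments:
        data = reassembler.add(offset_units, more, payload)
        if data is not None:
            return signature in data
    return False    # the datagram never completed: nothing to match against


if __name__ == "__main__":
    print("per-packet grep :", per_packet_grep(FRAGMENTS))    # False
    print("reassembled grep:", reassembled_grep(FRAGMENTS))   # True
```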
So how can you generate that? If you're a hacker, you want to flood the system. A lot of DDoS attacks will work. If you're trying to attack Yahoo or eBay or E*Trade, all these other major websites, they've got really fast links, they've got gigabit links; how are you going to flood them? One easy way is with a smurf or a fraggle attack. My home network, I'm running off of DSL, and I see this a lot; I see lots of people trying to use my whole area around my home to do these attacks. The way they work is the hacker sends in a ping to the broadcast address for my whole area. The router then splits that out, essentially, and sends a ping to everybody in that subnet. Well, by spoofing the IP address of the victim, everyone in that subnet responds to that victim, so even though the hacker has maybe a dial-up line, they can do some pretty severe damage against a victim's gigabit line. That's what they do in my home network; my machine of course doesn't respond to these things, or to the UDP echoes, but I see the attempts.

Now let's say that the victim only has a T1 line and the IDS is behind it on a hundred megabit. Well, you can overflow the T1 line, but the IDS itself will not be overflowed, because it's still only processing 1.5 megabits per second. But you can do a lot of internal smurfs, where you send the smurf inside, through to the corporation, and the corporation basically smurfs itself and the IDS overloads on the hundred megabit network.

A similar technique is jamming. This is like radar jamming back in World War Two and World War One: when radars were first developed, they equally developed lots of techniques against radars, and the easiest way was to jam the radar, flood it with electronic signals that it didn't know how to handle, or too much signal, and it would basically die. You can do this against a lot of IDSes from a dial-up line. You run attacks that generate lots and lots of frames with lots and lots of signatures. The IDSes attempt to be really robust and try to log each and every attack. So you do a decoy scan, which spoofs your IP address, or one target which spoofs most of its attacks' IP addresses, and you just keep running it on your dial-up line. Eventually the database will fill up with all these events and keel over. A lot of vendors use Access databases, which keel over really, really easily. We allow Access, but we recommend other databases, real databases. One vendor has an interesting message; I found that every single customer that uses this vendor's product that I've ever talked to is familiar with this error message, which is "db high watermark reached." There's also a queue overflow message. And they all are familiar with this message because they get it, and they have to go in and start cleaning out their database. This is one of the ways that they flee from the field of battle.

Another classic evasion technique is Rain Forest Puppy's whisker. It changes the signature of how the attack appears on the wire, but doesn't change its meaning. Here's an example: all these attacks are the same; they all mean the first one, which is "cgi-bin/phf", and it changes this pattern. One way is to use the HEAD command rather than the GET command. It doesn't get the full file, but it will test to see if it's there, and you can often do a lot of buffer overflow exploits with it. You can URL-encode the characters, so, like, %63 is a "c". You can append some extra slashes, which a lot of web servers just strip out to mean one slash. You can descend into directories and pop back up again with the dot-dot, so "foobar/.." means the same as nothing. You can put a slash and a dot in the middle of it, or a string of these, as many as you want, and all they really mean is the same directory; so it tells the web server go into cgi-bin, then go into the same directory, and if you repeat them it's going to say same directory, same directory, same directory, and then execute phf. Another one takes advantage, I believe this is Windows, of putting in the %00, which encodes a null string. If the HTTP server is doing string copies, it will fail to copy the rest of the string; or if the web server doesn't do that, doesn't do the string copy, it gets the entire string, but if you do a string copy on the IDS, it will fail to get the entire string and the rest of it is ignored.

When RFP released this, he released his original whisker scanner with just the HEAD command as the IDS evasion technique, and then a few months later, I'm not quite sure how long later, he released the next version. It had ten of these styles of IDS evasion techniques. Most of them would only work on specific web servers; these other ones listed here are pretty much generic. I pulled out the HEAD and two of these sort of off to the side, because those are the ones that affected BlackICE. I was kind of ticked off on this first release, because it immediately evaded us, and I had to go in and fix the HEAD and re-release, you know, release a patch. But then I went through and tried to figure out everything else he might be adding, because he claimed he was going to add some more IDS evasion techniques, and I figured out nine of them; I didn't quite catch the tenth one. And the cool thing is, while we released patches to our product very quickly after whisker was released, both versions, a lot of vendors today still can't catch these, or at least catch all of them, especially if you combine multiple techniques, like URL encoding and then adding the dot directory, the self-referencing directories.

Whisker's just a CGI scanner. It scans a website, looks for a few hundred possible scripts that the website might be running. If you're a script kiddie and you want to break into a website, the first thing you're going to do is run whisker on it, find out it's got one of the hundreds of CGI programs vulnerable, then you'll exploit that CGI program. When you do the exploit, you have to do the evasion yourself, like in this case I've shown how to access a website for the phf and put in the self-referencing directory, a dot, and then encode the dot with URL encoding, which comes out as %2e. My website actually has what looks to be a phf script on robertgraham.com, which is my website, just so I have fun with hackers that try to access it. Actually, I do a lot of stuff on my website; if you scan around you'll find lots of these little Easter eggs on it.

The next classic evasion... now, I believe somebody yesterday discussed this. I wanted to go to it, but the room was filled and I couldn't ever get into it to see how much of that overlaps with this. It probably overlaps entirely, probably showed a lot more techniques. (Feds spying on us again.) When you write a buffer overflow, one characteristic that you see for most of them is that they have these fillers of NOP codes to align where they want to jump into the code. For example, on the x86 architecture, the 0x90 opcode is a NOP; it does nothing. A lot of CPUs have multiple NOP codes, so simply by replacing the standard NOP with a different NOP you can evade the signature looking for NOP codes. You can also fill it with normal ops, stuff that actually does things. If you're going to overwrite a register, your NOP code could actually just be an increment of the register you're about to overwrite later on. x86 has lots of NOPs; being a nice little CISC processor, it, you know, provides lots of complicated ways to do nothing. Now if you want to be truly evil when you do that fill: most of these exploit scripts start with a little fill of all the NOPs, like this little for loop here. If you want to be nasty, what you do is you create your little table of what you want your NOP codes to be and do a random lookup, so every time you run your script you'll have a different signature on the wire. So even if I'm looking for certain patterns of NOPs, it still won't work, because they're different patterns every single time.

And the reason this affects network-based intrusion detection systems is that they're mostly based upon the packet-grep technology, which is: bring in a packet, look for a pattern. But an alternative technology that I know at least one company is using is protocol decoding. It doesn't really care about the exact pattern that you're using; what it cares about is that you're doing something suspicious. In this case, if you're doing a buffer overflow attack against a POP3 server, rather than looking for the actual overflow itself, you say "hey, he's just entered a username that's a thousand characters long, and it's got some binary in the username; this is something extremely suspicious." Now you can evade that actual pattern of the buffer overflow all you want; we still detect the fact that you've got the suspiciously long username.

As I mentioned before, these intrusion detection systems have a long list of ports that are suspicious ports, like Back Orifice is 31337, SubSeven uses two different ports, but these things can run on any port. If you look in your firewall logs right now, you'll see lots of scans for port 27374 and 1243 for the SubSeven Trojan horse. You're seeing lots and lots and lots of these scans, so you're thinking, "I see so many of these scans, it must be that everyone's running SubSeven on the default ports." But actually, looking at what we've seen on the net, most successful compromises are actually at non-default ports with non-default passwords. We can see this sort of stuff because we run on some ISP backbones, and our customer base actually sends us a large number of these files when our product detects the fact that they've been exploited. So the real danger is that you've got these Trojan horses running on non-default ports, and the default ports are just noise. And the reason they're so common is not because people are running at those ports; it's because the scanner, SubSeven itself, contains a built-in scanner. I compromise one person, and the first thing I do is I tell that one person to scan the whole internet looking for other possible victims. It rarely finds them, though, at the default ports.

The way these Trojan infections work is that a hacker wants to get the Trojan on your computer. It might do so by posting to Usenet; some victim somewhere in the world, unrelated to the hacker, goes to the Usenet group, says "hey, great, this is a great new porn picture viewer" or something, downloads the program, runs it, and infects themselves. Now, if it's running on a non-default port or with a non-default password, one way that the hacker can find who that is, is by telling the Trojan horse to notify them. And it can't notify the hacker directly, because then it's like a clear finger pointing for the feds to follow. So instead the hacker has it notify a third party, which can be done with email, IRC, ICQ, or a number of other options. The hacker then logs on to that third-party system and finds the victims that have all notified themselves to him. At that point he uses the password and port number to break into this victim's machine.

This is the SubSeven EditServer program, which sets all these values of how it's going to actually compromise the person. You can see that it will notify via ICQ, via IRC, which IRC servers, email systems, and so forth. One of the cool things it has is that it can use a random port on startup, which means every time it runs it's going to run at a different port, so there's no amount of scanning for ports that will ever find this system, because it'll always run at some other port. But yet having an IRC notify will always tell the hacker exactly which port is currently in use. So even if you're a user with a notebook computer, maybe on the road dialing up, every time you dial up you notify the hacker where you are and he'll come find you. From our own evidence, it looks like IRC is the most
popular way for notify the hacker so those are the standard evasion techniques that people are using today they're very simple to use um it's it's not really too difficult now we get into some uber evasion uh the techniques uh the first is the theory as i mentioned before uh packet grep systems are looking on the wire for patterns logically according to the osi model that belongs in the presentation layer uh the osi model was this model developed back in the 80s it's a very big bureaucratic process and it's supposed to be the the overall end all of describing how uh technologies like this should work it tries to find okay layer one you're worried about cabling getting the bits across the wire label two is uh getting two machines to actually talk and send data to each other um getting frames what they call across the wire layer three is getting ip end to end across the entire internet on just locally tcp is getting two applications they talk to each other the session layer is this meaningless thing that ever and actually never turned out to be worthwhile in practice and no one ever uses it uh the presentation layer by the way there's lots of books about osi model and when you look for the description of the session layer it always comes down down to two things the session layer is something that manages sessions well what's the session well it's in one of these things that you get in the session layer and so i i i've looked the other time i find a new book on the osi model i looked to see if they've actually defined it anyway it's not circular i never found one that does well i found one a long time ago and really the session layer came from these old teletype terminal type things and there are some concepts in there that never apply outside of that environment so then there's the presentation layer and back in the osi model they wanted to negotiate the presentation layer but really lots of protocols have a presentation layer even though it's not really a separate 
entity and all it's specifying is how data is formatted across the network um for example in smtp it might be the mime encoding sort of a presentation layer type concept and the application layer is the mail the irc uh ftp web and so forth rpc has a very distinctive presentation layer one of the lesser known things about the about that layer is something called record marking is when you send rpc packets across a tcp connection tcp creates this virtual byte stream so you must know when a command ends and ends and begins and so do they do that with this record marking code now lots of protocols do this but what what rpc has added to that whole mix is um the ability to fragment the records so most protocols when running over tcp they have a length field that's the first field it says the length of the command so even though tcp might segment out into multiple packets they know exactly how many bytes are in that command tcp adds something where you can send multiple of these length encoded items that all then combine back into the common original record and the way that would work is uh in this little diagram here i have the normal record which is the rpc command in white which is prefixed with a four byte length field the top bit of that length field says um whether there will be another whether it's the last uh fragment of this record or whether more fragments follow across the tcp connection so i guys split in this case in this diagram that white command into two fragments each with this own record mark the first one says that another record fragment follows and the last one says uh this that's the last fragment in the whole stream now if you want to be nasty you want to randomly uh combine the tcp layer segmenting and the rpc layer record marking and then one of the cool things is normally in normal traffic these things are always working together you see a tcp segment across the wire it always starts with a record mark but doesn't have to be so in this third 
little diagram here i show where i fragmented uh the tcp segment separately from the record marking segment so i'm sending four tcp segments um for that original request so the upshot of that is is that you're not going to find a traditional rpc pattern um in that tcp connection so i wrote a little code i'll be posting this to my website after defcon and what it does is you replace your traditional socket send function that sends the data across the wire in your exploit script with my send what my send does is it randomizes where it's going to record mark and fragment the stuff and where it's going to segment on the t at the tcp layer uh if you're familiar with x with rpc it has x dr has a very distinctive uh rule that everything has to be fragmented on four or everything has to be on four byte boundaries so all integers must be four bytes you can't have a three byte integer a string of someone's name that's nine bytes long has to be padded out to an even 12 bytes with with nulls at the end but that x dr restriction does not apply to record marking i point this out because the first time i did the uh the the anti evasion stuff in black ice i made the assumption that was x dr and then i played around with the spec realized it didn't have to apply try it out on the exploit script and sure enough it evaded so i had to change my code yet again so anyways we call them the my send function instead of your normal send function that you have as part of your exploit script it calls the my send upper function which as the record markings uh stuff to it uh with a random length field and then passes it to the tcp layer where i again then randomized how long the tcp segment is going to be i also put a little random sleep time there so if you're trying to like find you know the the traffic over time it that messes up too and what i come up with is something that looks like this is randomized where i'm going to record frag and randomized where i'm going to tcp segment so if my 
original command is like a port dump command port dump is a scanning technique you scan an rpc server and tell and ask it what services are running this is how you hunt down to see which ones might be vulnerable that you're in an exploit with buffer overflow exploits this is what the packet looks like in in hex right below it is a decode the first four bytes are that record frag the byte the first byte is that little bit saying that there's uh it's the last record frag in the sequence because it normally doesn't record frag on requests then you have the xid the message type it calls this rpc version two which is all rpc we use today uh support map command its port map version two the procedure is dump which is procedure number four there's no authentication or verification here's what it looks like after it gets through my the my send functions the first packet has a tcp segment of zero and zero the next packet has a tcp segment of zero five and and so on and so forth those first four bytes of course other are the record marking stuff where i've randomly chosen that the first record is going to be five bytes long and then even i the random by the randomization of the uh of the packet even that record mark itself was segmented in the tcp segments so i have about one two three four five six seven eight nine ten eleven twelve thirteen fourteen fifteen six seven so i've got seventeen packets there where originally i had only one packet it's also about seventy bytes long where the original packet was about forty bytes long and this of course gives ids's fits most ids's still don't reassemble tcp streams but even if they did the stream wouldn't look like anything like they've ever seen with rpc so they don't detect the port map attack now i've tried this against a number of the other um ids's and sure enough they detect the normal one but they don't detect the evaded one and this is particularly important because of the way that a lot of ids's work what i assume they 
work with um with rpc is rpc runs at services at random ports like cmsd calendar messenger service at exploit that a lot of solaris machines fell victim to last year runs at a randomly chosen port when it starts up at registered with port map or at the well known port of one eleven and tells it which port it's running at back at network general when we worked on the sniffer the way we got around this fact was by using a heuristic called smells like where we looked at an rpc request and say does this look like an rpc request rpc is kind of cool because it's very distinctive you have that record mark you have the x id which is random the message type is either zero one so you got four bytes that are either going to be zero one rpc versions always choose that field must be two and so on so forth we can really distinctively say 99.9% of the time whether it's rpc but in this packet those rules don't apply it looks nothing like rpc anymore according to those heuristics and heuristics that try to deal with the record mark can always be evaded by carefully constructing your record to look like something else so the only way to get around that is the the the ids needs to not use those heuristics and must instead keep a lot more state around must profile the target to say i see a port map response come back therefore i know which ports all the services are running out so that's rpc record fragging that was suggested to me by dug song who wrote the original frag router he's working on like a frag proxier i'm not quite sure what he's working on that will do this automatically for you where's my code you have to sort of add to your script and change the script next one something that i discovered myself where i'm using the telnet channel on ftp to read the ftp specification it says that the control channel is really telnet now later on host requirements rc says no it's really not telnet it's just something that looks a lot like telnet uh using the same option strings the out of 
band option communication. What Telnet has is strings that start with FF, a byte with all ones, followed by either one or two bytes of the option code. The Telnet user interface is really complex: you can negotiate which terminal you are, what your backspace character is going to be, a lot of other stuff. In the normal Telnet environment that issue is so bad you can basically avoid any IDS detection on the Telnet channel; you can reconfigure your backspace character to be Q or something like that, so the IDS is seeing a string of Qs but the target system is seeing a string of backspaces. But in the FTP case that can't be negotiated. All they can negotiate is whether to use the abort option, the abort Telnet option code; everything else is a null option, so an FF followed by any other byte is pretty much ignored in the FTP command channel. So when you log on, as in this case "USER rob", you can put in that FF and then another byte. The F1 is the Telnet null opcode, but any byte will do, because it will strip it out and ignore it. So instead of seeing "USER rob" you see "USER", you know, garbage, "rob", and it's passed like "garbage" and "foo". This is conceptually a lot like RPC: it's at the presentation layer of the OSI model, I'm changing how I'm formatting the stuff. So think through all of the exploits that FTP can do; they're all pretty much run across the control channel: bounce scans, the tar/compress execute bug, buffer overflows, change working directory to root, logging on with username and password, SITE EXEC (there have been lots of SITE EXEC holes lately), printf-style format bugs, shell characters, and so forth. Now as I was working on this and testing it out, I found a number of problems. Unix supports this three-character DO/DON'T command negotiation, where the client logs on and says "I want to do something or other" and the server comes back and says "no, I don't support that" or "I do support it." And the cool thing about that is you can
desynchronize an IDS, because you can start up and send the DO command, and FTP comes back and says WON'T. (The FTP specification, by the way, now with the Host Requirements RFC, says that it should respond with WON'T for everything, because it shouldn't really support Telnet.) So you can pepper your code with these: you can send a command like USER or PASS and, in the middle of the USER string, send the DO command, and you'll get back this DON'T command, and it'll really confuse the IDS. Unfortunately the Windows FTP implementation from Microsoft doesn't support the three-character code, only the two-character evasion stuff. It also has that same null problem as whisker does with the string copy: you can send a null to it prefixed by the option code, and then it will stop processing the string, and the stuff after it won't be interpreted by the server. Now if the IDS interprets that string, it will no longer figure out what the user, or the hacker, is really doing; but of course if it does do the same logic as the Windows NT stuff, then it will no longer be able to detect all the attacks against the Unix FTP server. Now there's also the problem that a lot of Windows FTP servers you might download off the web don't support any of this option stuff at all. So what you really need to do is profile the target, figure out what kind of FTP server the target is running, and adjust your IDS algorithms accordingly. Also, if you're writing the exploit scripts, you equally have to profile the target. For example, a lot of scripts run across the anonymous authentication, so the first thing you should do is encode the USER string: if you get back an error, you know it's not handling the option code; if it's saying "okay, anonymous is allowed to log in" or "guest account is allowed to log in," you know that it did accept the option code, and you should use option codes from then on. You can use the same technique I used in the RPC record fragging: randomize the whole thing, like
just every character is either, randomly, the original character or one prefixed by the option evasion stuff. So here's an example where I do the change current working directory to root. I log on as anonymous and I send that corruption in the USER string, but the server supports FTP, or Telnet, options and says "great, guest account login okay, continue on." I then do the exploit, change current working directory to root, and I insert my little option codes in there so it doesn't look anything like change current working directory to root, and indeed all the other IDSes fail to detect this, though on the server I got back 250, success, meaning I actually was able to change my current working directory to root and I can grab any file off the server I want.

A similar technique, using sort of the presentation formatting of the data, is within DNS. First of all, you have a case sensitivity issue: I noticed that a lot of IDSes assume that the case will be either all uppercase or all lowercase. The second thing is that DNS supports this name compression thing, where it splits up names in order to compress responses and requests. This has long been used to crash IDSes and to crash sniffers, because you can cause it to reference itself in an infinite loop. The way this compression works is that you have, like, one name; maybe I try to reference www.yahoo.com, and it comes back and says "well, actually there's lots of servers that are www.yahoo.com, they're like www1, www2 and so forth." Now in order to compress that DNS response, the first one says the full yahoo.com and the second ones have a pointer saying "continue on now with the rest of the original yahoo.com." So when you look at the text decode of it, you see something that looks a lot like this: you see in the clear text the first name followed by a lot of other just fractions of the name. And this is where you can crash an IDS or a sniffer: where you make that self-referential loop, saying "reference myself and continue here," and
it'll continue to continue here and hang; or you can tell it to point off to never-never land, where it will crash. So I wrote a little version.bind scanner. BIND, the Berkeley Internet Name Daemon, which services like 90% of all name requests on the Internet: you can query which version of the software is running. You have a special record called a TXT record, in the CHAOS class, with the string that you're looking up, version.bind, and that's hard-coded; the code is an Easter egg that returns what version is running, like 8.22 or 4.31 or something like that. Well, IDSes detect this because it's a common scanning thing you do when you're attacking a DNS server. So I did two evasions here. One of which is I changed the name to be capital V and small "ersion", capital B and small "ind". I played around with this for a couple of days; I tried all sorts of different arrangements by using this name compression, by taking the second part of the name and pointing it off somewhere else in the packet, and I finally came down to the only way I could figure out how to get it to work, by going to the source code of BIND of course, which was to put the ".bind" after the logical end of the DNS portion of the packet. So I see "version" where you see that plus here in the text decode; it's actually specifying the offset where to find "bind", and the web server will paste this back together to version.bind and return you the correct string. But if you're looking for version.bind in the packet, you're not going to see that as a contiguous signature that you can trigger on. So we'll post that DNS scanner to my website as an example after DEF CON. The problem is I couldn't get it to quite work on Linux: there's a clock I throttle it with for, like, bulk scanning, and the clock function on Linux wasn't quite working, I don't know why; it would stop incrementing after a while. All these evasion techniques, which I discovered after I wrote the presentation here, are at the
OSI presentation layer, like HTTP, RPC, FTP, DNS: they're all changing how the data is formatted but not the meaning of the data. So I decided that it'd be kind of cool to actually add these directly into nmap, so that nmap's FTP bounce scans will automatically evade, and the RPC null-proc evasion, all the null-proc stuff it does to detect RPC services, will also evade the IDS. So in today's networks the most popular ways you can exploit a site are: through DNS, through BIND, a huge number of BIND exploits over the past year; FTP, you know, there's a new exploit into FTP discovered every week; RPC services, Sun's Solaris machines and Linux boxes have been exploited with RPC a lot in the last few years; of course HTTP with all the CGI stuff, you'll always be able to break into boxes with that; and of course Trojan horses. So these are the most popular ways that people are actually hacking into systems today, and of course the easiest way of evading IDSes is using those protocols that I just demonstrated. I like to do this, you know, back and forth along with the frag and the flood and the jam techniques: either fragmenting any attack with fragmentation, or flooding, or jamming the IDS sensor, bringing it down. So the idea of evading IDSes with protocols is still not a widely researched topic in the hacker community. I've been just working on a few protocols because they're the most commonly used and found; I can easily add to these protocols the ability to evade IDSes, including BlackICE, which is why I fixed it so it no longer works. Lots of protocols are vulnerable to these presentation layer attacks, or application layer evasion, and the reason I'm presenting it is because a lot of the competitors still haven't dealt with fragmentation, which is like really, really old. They really need to be kicked in the pants and told, "you need to add these to your products." As I started with the presentation here, the IDS vendors are selling you a tank that
some, you know, oddball can walk up behind with, like, a grenade and blow it up, and this is not a really good state of the industry right now. So this is the end of the presentation. I'll be posting the slides to this URL, my own personal website; I've got a FAQ on generic network intrusion detection stuff at my website, and we'll be coming out with a Linux version, which a lot of you might be interested in, in beta in about a month. Are there any questions?
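The RPC record fragging described in the talk, as an added example that is not part of the presentation or the speaker's code: it builds an ONC RPC portmap GETPORT call over TCP, splits it across many record-marking fragments, and shows a stateless "smells like RPC" check failing at its fixed offsets while a sensor that tracks record-mark state reassembles the call. The GETPORT request and record-marking layout follow the ONC RPC specification; program number 100068 is rpc.cmsd's registered number, and the fragment sizes are this example's own choice.

```python
"""RPC record fragging: split one ONC RPC CALL across several TCP record fragments.
Added example, not from the talk; 100068 is rpc.cmsd's registered program number."""
import random
import struct

CALL, RPC_VERSION, AUTH_NONE = 0, 2, 0
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
CMSD_PROG, CMSD_VERS = 100068, 5          # rpc.cmsd program number and version
IPPROTO_TCP = 6
LAST_FRAGMENT = 0x80000000


def rpc_call(xid, prog, vers, proc, args=b""):
    """Build an ONC RPC CALL body (no record mark) with AUTH_NONE credentials."""
    header = struct.pack(">IIIIII", xid, CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">II", AUTH_NONE, 0)
    verf = struct.pack(">II", AUTH_NONE, 0)
    return header + cred + verf + args


def getport_request(xid, prog=CMSD_PROG, vers=CMSD_VERS):
    """Ask portmap which TCP port a program is registered on."""
    args = struct.pack(">IIII", prog, vers, IPPROTO_TCP, 0)
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, args)


def record_marked(msg):
    """The normal encoding: one record fragment carrying the whole message."""
    return struct.pack(">I", LAST_FRAGMENT | len(msg)) + msg


def fragged(msg, seed=1, max_piece=3):
    """The evasion: many small record fragments, each with its own 4-byte record
    mark; only the final one carries the last-fragment bit."""
    rng = random.Random(seed)
    out, i = bytearray(), 0
    while i < len(msg):
        piece = msg[i:i + rng.randint(1, max_piece)]
        i += len(piece)
        flag = LAST_FRAGMENT if i >= len(msg) else 0
        out += struct.pack(">I", flag | len(piece)) + piece
    return bytes(out)


def smells_like_rpc_call(segment):
    """Stateless heuristic of the kind the talk describes: a complete record mark,
    then msg_type 0/1 and rpcvers 2 at fixed offsets. Fails on fragged input."""
    if len(segment) < 16:
        return False
    mark, _xid, mtype, rpcvers = struct.unpack(">IIII", segment[:16])
    return (bool(mark & LAST_FRAGMENT)
            and (mark & 0x7FFFFFFF) == len(segment) - 4
            and mtype in (0, 1)
            and rpcvers == RPC_VERSION)


def reassemble(stream):
    """Stateful decoding: walk record marks and concatenate fragments until the
    last-fragment bit; returns the complete RPC messages found in the stream."""
    msgs, current, i = [], bytearray(), 0
    while i + 4 <= len(stream):
        mark, = struct.unpack(">I", stream[i:i + 4])
        length = mark & 0x7FFFFFFF
        if i + 4 + length > len(stream):
            break                                   # truncated fragment; wait for more data
        current += stream[i + 4:i + 4 + length]
        i += 4 + length
        if mark & LAST_FRAGMENT:
            msgs.append(bytes(current))
            current = bytearray()
    return msgs


def parse_call(msg):
    """Pull the fields a signature would key on out of a reassembled CALL."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", msg[:24])
    return {"xid": xid, "msg_type": mtype, "rpcvers": rpcvers,
            "prog": prog, "vers": vers, "proc": proc}


def demo():
    """What each style of sensor concludes about the same GETPORT request."""
    msg = getport_request(0x1234ABCD)
    plain, evaded = record_marked(msg), fragged(msg)
    return {
        "heuristic_sees_plain": smells_like_rpc_call(plain),
        "heuristic_sees_fragged": smells_like_rpc_call(evaded),
        "stateful_recovers_fragged": reassemble(evaded) == [msg],
        "fragged_call": parse_call(reassemble(evaded)[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The reassembler is only half of the fix the talk asks for: it recovers the call, but the sensor still has to remember the portmap GETPORT reply to know which later TCP port carries the cmsd traffic at all.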
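The FTP control-channel evasion with Telnet option bytes, as an added example that is not part of the presentation or the speaker's code: it randomly prefixes command bytes with IAC NOP (FF F1), inserts a three-byte IAC DO negotiation, and then shows a raw-byte signature matcher missing the command while a decoder that strips option sequences the way a Telnet-aware FTP server does (refusing each negotiation with WON'T/DON'T, per the Host Requirements RFC) still matches. The signature strings and the "unix"/"nt" server profiles are this example's own assumptions, modelled on the behaviours the talk describes.

```python
"""FTP control-channel evasion with Telnet option bytes (IAC = 0xFF).
Added example, not from the talk; signatures and server profiles are assumed."""
import random

IAC, NOP = 0xFF, 0xF1
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATE = {WILL, WONT, DO, DONT}


def obfuscate(cmd, seed=1, p=0.5):
    """Randomly prefix characters with IAC NOP, like the talk's randomized variant."""
    rng = random.Random(seed)
    out = bytearray()
    for b in cmd:
        if rng.random() < p:
            out += bytes([IAC, NOP])
        out.append(b)
    return bytes(out)


def with_negotiation(cmd, at, option=0x01):
    """Insert a three-byte IAC DO <option> in the middle of a command."""
    return cmd[:at] + bytes([IAC, DO, option]) + cmd[at:]


def normalize(buf, profile="unix"):
    """What a Telnet-aware FTP server (or a sensor modelling one) gets out of buf.
    'unix': drop every IAC sequence (3 bytes for WILL/WONT/DO/DONT, else 2),
            treat IAC IAC as a literal 0xFF, refuse every negotiation.
    'nt':   additionally stop processing at IAC followed by NUL (the string-copy
            truncation the talk attributes to the Microsoft server; assumed model).
    Returns (command bytes as executed, negotiation replies that would be sent)."""
    out, replies, i = bytearray(), [], 0
    while i < len(buf):
        b = buf[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(buf):
            break                                   # dangling IAC
        c = buf[i + 1]
        if c == IAC:
            out.append(IAC)
            i += 2
        elif c == 0x00 and profile == "nt":
            break                                   # NT-style truncation
        elif c in NEGOTIATE:
            if i + 2 >= len(buf):
                break
            opt = buf[i + 2]
            if c == WILL:
                replies.append(bytes([IAC, DONT, opt]))
            elif c == DO:
                replies.append(bytes([IAC, WONT, opt]))
            i += 3
        else:
            i += 2                                  # NOP and other two-byte commands
    return bytes(out), replies


# Constructed signatures for two of the control-channel attacks the talk lists.
SIGNATURES = [b"CWD ~ROOT", b"SITE EXEC"]


def naive_match(buf):
    """Raw byte search, case-insensitive: a sensor with no Telnet decoding."""
    return [s for s in SIGNATURES if s in buf.upper()]


def aware_match(buf, profile="unix"):
    """Match against the command as the server would actually execute it."""
    return naive_match(normalize(buf, profile)[0])


def demo():
    cwd = obfuscate(b"CWD ~root\r\n")
    user = with_negotiation(b"USER anonymous\r\n", at=5)
    executed, replies = normalize(user)
    return {
        "obfuscated": cwd,
        "naive": naive_match(cwd),
        "aware": aware_match(cwd),
        "user_as_executed": executed,
        "replies": replies,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `profile` argument is the point the talk makes about target profiling: the same bytes normalize differently on a server that strips options and one that truncates at the null, so a sensor has to know which kind it is watching before it can pick the right decoding.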
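The version.bind evasion and the self-referencing compression pointer from the DNS part of the talk, as an added example that is not part of the presentation or the speaker's scanner: it builds the ordinary TXT/CHAOS query, a mixed-case variant whose second label is reached through a pointer placed after the logical end of the question, and a query whose name points to itself, then shows a contiguous-signature check missing the evasive query and a pointer-following decoder that recovers it while refusing the loop instead of hanging. The packet layout follows the DNS wire format; the decoder and its error handling are this example's own.

```python
"""DNS question evasion: mixed case plus a compression pointer to a label stored
past the end of the question. Added example, not from the talk."""
import struct

TYPE_TXT, CLASS_CH = 16, 3
HEADER_LEN = 12


def header(qid, qdcount=1):
    return struct.pack(">HHHHHH", qid, 0x0100, qdcount, 0, 0, 0)   # RD set, one question


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(qid, name="version.bind"):
    """The ordinary scanner packet: the whole name inline in the question."""
    return header(qid) + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def build_evasive_query(qid, first="VeRsIoN", rest="BiNd"):
    """Mixed case, and a pointer from after the first label to a tail appended
    beyond the question's qtype/qclass, so 'version.bind' never appears contiguously."""
    head = bytes([len(first)]) + first.encode("ascii")
    tail_offset = HEADER_LEN + len(head) + 2 + 4          # pointer(2) + qtype/qclass(4)
    pointer = struct.pack(">H", 0xC000 | tail_offset)
    return header(qid) + head + pointer + struct.pack(">HH", TYPE_TXT, CLASS_CH) + encode_name(rest)


def build_loop_query(qid):
    """A name that is a pointer to itself: a naive recursive decoder never returns."""
    return header(qid) + struct.pack(">H", 0xC000 | HEADER_LEN) + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def read_name(pkt, offset, _seen=None):
    """Decode a name at offset, following compression pointers. Each pointer target
    may be visited once and must lie inside the packet, so loops and pointers into
    never-never land raise ValueError instead of hanging or crashing.
    Returns (name, offset just past the name at its original position)."""
    seen = set() if _seen is None else _seen
    labels = []
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[offset]
        if n == 0:
            return ".".join(labels), offset + 1
        if n & 0xC0 == 0xC0:
            if offset + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            target = struct.unpack(">H", pkt[offset:offset + 2])[0] & 0x3FFF
            if target in seen or target >= len(pkt):
                raise ValueError("pointer loop or pointer outside packet")
            seen.add(target)
            rest, _ = read_name(pkt, target, seen)
            return ".".join(labels + ([rest] if rest else [])), offset + 2
        if n & 0xC0:
            raise ValueError("reserved label type")
        labels.append(pkt[offset + 1:offset + 1 + n].decode("ascii", "replace"))
        offset += 1 + n


def naive_version_bind(pkt):
    """Contiguous-signature check (case-folded): defeated by the pointer trick."""
    return b"\x07version\x04bind\x00" in pkt.lower()


def classify(pkt):
    """Decode the question section properly and classify the query."""
    try:
        qdcount = struct.unpack(">H", pkt[4:6])[0]
        offset = HEADER_LEN
        for _ in range(qdcount):
            name, offset = read_name(pkt, offset)
            qtype, qclass = struct.unpack(">HH", pkt[offset:offset + 4])
            offset += 4
            if name.lower() == "version.bind" and qtype == TYPE_TXT and qclass == CLASS_CH:
                return "version.bind"
        return "other"
    except (ValueError, struct.error):
        return "malformed"


def demo():
    plain, evasive, loop = build_query(1), build_evasive_query(2), build_loop_query(3)
    return {
        "naive": [naive_version_bind(p) for p in (plain, evasive)],
        "decoded": [classify(p) for p in (plain, evasive, loop)],
        "evasive_name": read_name(evasive, HEADER_LEN)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The "malformed" outcome is worth alerting on in its own right: a pointer loop or an out-of-packet pointer in a question has no legitimate use and is exactly the packet the talk says is used to hang or crash a sensor.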