Author: Billy.Lee, TianheSecu Source: antpower
An intrusion detection system monitors network traffic, automatically detects suspicious behaviour in real time, analyses signs of intrusion from outside and misuse from inside, raises a warning before the system is harmed, responds to attacks in real time and provides remediation, all to guarantee security as far as possible. However, "as virtue rises one foot, vice rises ten" (道高一尺，魔高一丈). Look at it from the other side: if you were the attacker, what would you do? Naturally, the direction of IDS development is to counter each corresponding method of attacking the IDS while still delivering good enough performance.
1. Rearrange the attack order
For example, if the attack sequence is "a; b; c", it may also succeed in the order "b; a; c", and many IDS will not detect the second version. Logically this is an attractive claim, but modern attacks can still be caught: such attacks will be detected by many IDS, and in a complex attack some of the steps will be detected by some IDS.
2. Split a standard attack between more than one person
Using the same "a; b; c" example: if user X performs "a; b" and user Y performs "c", the attacker is almost certainly not discovered. Even so, as long as "a", "b" and "c" are all performed, the IDS is very likely to detect one of the steps, whichever user executes it. Using multiple accounts does confuse administrators, but the attack is still discovered.
3. Complete a standard attack in multiple sessions
Log in first and run "a; b", log out, then log in again and run "c". Same as item 5. For example, an overflow script that obtains root privileges may be many lines long, but the important part is a single line: there must be a command such as "su" that turns a non-privileged user into a privileged one.
4. Attack from multiple IP addresses / systems
Log in to X and Y; perform "a" from X, "b" from Y and "c" from X. Similarly, randomly changing the source IP will defeat a small fraction of network-based IDS. Some IDS will detect and log remote connections initiated from multiple IPs within a short period of time.
This approach is very effective when a random list of agents is used for a network DDoS attack; unfortunately, many domestic IDS are not able to record this.
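Items 1 to 4 all rely on an IDS that matches the attack steps as one ordered sequence from one user, one session and one source address. The detection logic below is an added illustration, not code from the original article: it correlates audit records per target host within a time window while ignoring step order, user, session and source IP, and separately flags a target reached from several source addresses in a short time (the pattern item 4 says some IDS record). The audit record layout, the step names "a", "b", "c" and the sample events are constructed assumptions.

```python
"""Correlating the steps of a multi-step attack across users, sessions and
source addresses. Added illustration, not code from the original article;
the event format and the attack steps are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (time, user, session, source IP, target host, step).
# Steps "a" and "b" come from user x in session s1, step "c" from user y in
# session s2 from a second IP, and the steps arrive out of order (b before a).
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "x", "s1", "10.0.0.5", "srv1", "b"),
    ("2024-01-01 10:02:00", "x", "s1", "10.0.0.5", "srv1", "a"),
    ("2024-01-01 10:30:00", "y", "s2", "10.0.0.9", "srv1", "c"),
    ("2024-01-01 11:00:00", "z", "s3", "10.0.0.7", "srv2", "a"),
]

# The steps that together make up the attack; order is deliberately ignored.
ATTACK_STEPS = frozenset({"a", "b", "c"})


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, steps=ATTACK_STEPS, window=timedelta(hours=1)):
    """Report every target on which all attack steps were observed within
    `window`, regardless of order, user, session or source IP."""
    by_target = defaultdict(list)
    for ts, user, session, ip, target, step in events:
        if step in steps:
            by_target[target].append((_parse(ts), user, session, ip, step))

    findings = []
    for target, evs in sorted(by_target.items()):
        evs.sort()  # chronological; tuples sort by timestamp first
        found = False
        for i, first in enumerate(evs):
            seen = {}
            for ev in evs[i:]:
                if ev[0] - first[0] > window:
                    break
                seen.setdefault(ev[4], ev)  # first occurrence of each step
                if len(seen) == len(steps):
                    ordered = sorted(seen.values())
                    findings.append({
                        "target": target,
                        "order": [e[4] for e in ordered],
                        "users": sorted({e[1] for e in ordered}),
                        "sessions": sorted({e[2] for e in ordered}),
                        "src_ips": sorted({e[3] for e in ordered}),
                    })
                    found = True
                    break
            if found:
                break  # one finding per target is enough
    return findings


def multi_ip_sources(events, window=timedelta(minutes=30), threshold=2):
    """Flag targets reached from `threshold` or more distinct source IPs
    inside `window`, whatever the users or steps involved."""
    per_target = defaultdict(list)
    for ts, _user, _session, ip, target, _step in events:
        per_target[target].append((_parse(ts), ip))
    flagged = {}
    for target, items in per_target.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            ips = {ip for t, ip in items[i:] if t - start <= window}
            if len(ips) >= threshold:
                flagged[target] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print("attack sequence complete:", finding)
    print("multiple source IPs:", multi_ip_sources(SAMPLE_EVENTS))
```

The window is the tunable that matters: shrinking it to ten minutes makes the constructed sequence disappear, which is exactly the gap item 3 (spreading steps over several sessions) and the later "very slow input" technique exploit, so the window has to be set from how long a real multi-session attack takes, not from what is convenient to store.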
5. Define a macro for the command used in the attack
For example, set a shell variable $ZZ to "cp" and then use $ZZ instead of cp. This adds complexity, but the IDS will still record the access. Imagine an IDS that triggers when the "tprof" program runs: the event is still recorded. Similarly, if a shell variable is defined for /etc/passwd, the IDS will still detect the access to /etc/passwd inside the Telnet session.
Therefore such techniques have almost no effect on host-based IDS such as Stalker or Tripwire.
6. Define a macro for the command parameters
For example, use $P instead of /etc/passwd.
7. Use a script instead of typing the commands
Usually an IDS will not notice such a script. This is the first of these techniques that is a real threat. But it says nothing about what happens after the attack succeeds. Tools like CMDS will record an abnormal login, and Tripwire will also find some backdoors. Wrapping nmap or strobe in a script is a good idea, but a network-based IDS will still detect them. If you run a script that tries to gain root privileges, many IDS products can sense the privilege change.
8. Use different commands to complete the same function
For example, in a UNIX shell "echo *" is roughly equivalent to "ls". When attacking the system you still need to run "tprof". Even on another system, many IDS such as Stalker and SeOS will detect the transition from non-privileged user to privileged user.
9. Rename the files used in the attack
For example, if an attack uses a temporary file "xxx", rename it "yyy". This assumes the IDS only matches the specific file name against the corresponding keyword.
10. Create a lookup table to translate keywords
Then perform a character substitution, for example with sed.
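Items 5 to 10 (shell variables for commands and parameters, alternative commands, renamed files, keyword translation) all defeat a matcher that only sees the typed command text. The reason the text says they have little effect on a host-based IDS is that the host sees what the kernel actually did: which program path was executed, which file path was opened, and which uid transition happened. The comparison below is an added illustration, not code from the article or from any of the products it names; the audit record layout, the watched program and file lists, and the two sample sessions are constructed assumptions.

```python
"""Host-side matching on what actually executed rather than on the text the
user typed. Added illustration, not code from the article; the event layout
mimics kernel audit records but is a constructed simplification."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    kind: str                      # "exec", "open" or "uid_change"
    typed: str                     # keystrokes a network sniffer would see
    exe: str = ""                  # kernel-resolved program path (exec)
    path: str = ""                 # kernel-resolved file path (open)
    old_uid: Optional[int] = None  # for uid_change
    new_uid: Optional[int] = None


def build_session(cp_cmd: str, tprof_cmd: str, su_cmd: str) -> List[Event]:
    """Same kernel-level activity, parameterised by what the user typed."""
    return [
        Event("exec", cp_cmd, exe="/bin/cp"),
        Event("open", "", path="/etc/passwd"),        # cp reads the file
        Event("exec", tprof_cmd, exe="/usr/bin/tprof"),
        Event("exec", su_cmd, exe="/usr/bin/su"),
        Event("uid_change", "", old_uid=1000, new_uid=0),
        Event("exec", "ls -l", exe="/bin/ls"),         # benign noise
    ]


# Constructed sessions. In the disguised one the variables $ZZ, $P, $T and $S
# are assumed to have been set by a script the sniffer never saw (item 7),
# and the temp file is renamed as in item 9.
NAIVE_SESSION = build_session("cp /etc/passwd /tmp/xxx", "tprof", "su")
DISGUISED_SESSION = build_session("$ZZ $P /tmp/yyy", "$T", "$S")

KEYWORDS = ("tprof", "/etc/passwd", "su")           # text-only matcher
WATCHED_PROGRAMS = {"/usr/bin/tprof", "/usr/bin/su"}  # by resolved path
WATCHED_FILES = {"/etc/passwd", "/etc/shadow"}


def keyword_alerts(events: List[Event]) -> List[str]:
    """What a matcher that only sees the typed command text reports."""
    return [f"keyword {kw!r} in {e.typed!r}"
            for e in events for kw in KEYWORDS if kw in e.typed]


def host_alerts(events: List[Event]) -> List[str]:
    """What a host IDS keyed on kernel-resolved paths and uids reports."""
    alerts = []
    for e in events:
        if e.kind == "exec" and e.exe in WATCHED_PROGRAMS:
            alerts.append(f"watched program executed: {e.exe}")
        elif e.kind == "open" and e.path in WATCHED_FILES:
            alerts.append(f"watched file opened: {e.path}")
        elif e.kind == "uid_change" and e.new_uid == 0 and e.old_uid != 0:
            alerts.append(f"privilege transition uid {e.old_uid} -> 0")
    return alerts


if __name__ == "__main__":
    for name, session in (("naive", NAIVE_SESSION),
                          ("disguised", DISGUISED_SESSION)):
        print(name, "keyword matcher:", keyword_alerts(session))
        print(name, "host matcher:   ", host_alerts(session))
```

The keyword matcher reports three hits on the naive session and nothing on the disguised one; the host matcher reports the same four events for both, because renaming, aliasing and substitution change only the keystrokes, not the execve, open and setuid records the kernel produces.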
11. Encryption
For example, using SSH prevents sniffing, and a network IDS generally includes a sniffer function.
This approach is only useful against network-based IDS. A host-based IDS retains full visibility of user behaviour under SSH.
12. Use a suffix symbol when sending, then convert it back elsewhere
The IDS will not understand these symbols.
14. With full-duplex communication to the target machine, most IDS cannot understand the additional characters
Dragon, T-Sight and all versions of the DoD NID program can handle these situations.
15. Interleave several known intrusion techniques within one intrusion; the IDS may not distinguish all of them
It is likely to detect at least one of the intrusions.
16. Encode the results the daemon sends back, so the IDS does not perceive them
For example, if you use a Sendmail bug to mail the password file to yourself, you can change ":" to "-" through a pipe. This happens after the intrusion has already succeeded. What is done with the password file after the intrusion is interesting, but it is not typical attack behaviour.
17. Use an awk script on both ends to swap characters; this can escape the IDS
This is not a new method. Commands are selected from a numbered table and the target executes the corresponding command. For example, you type "15 *.com" and the target executes "dir *.com". This is just another way of encrypting shell commands.
18. DoS the IDS sensor port to make it fail
Many network-based IDS products are securely configured to do the sensor's work without an IP stack. Some IDS products, such as Dragon, have no open UDP or TCP ports at all. RealSecure, NetProwler and NetRanger also detach the IP stack to resist attacks.
19. Attack the IDS with a ping flood
By sending large PING packets, many systems running an IDS can be crashed so that subsequent attacks are not detected; other DoS techniques work the same way. Many network IDS are hardened beyond their surrounding environment.
20. Attack the platform on which the IDS runs.
Many IDS run on a commonly available operating system. Once the platform is compromised, dealing with the IDS is easy.
21. Create false audit records to confuse the IDS.
For example, sending packets in between the attack packets and normal packets makes the attack look innocent. The NFR and Dragon network IDS avoid these attacks. In general, host-based IDS do not have these vulnerabilities.
25. Fill up the disk space of the IDS system, then attack.
Fill the disk with harmless data; the IDS crashes and subsequent attacks are not detected. But when does the IDS crash? If the IDS records all information, the administrator may notice. The attacker has only raised the administrator's alertness.
26. Stop the generation or collection of audit records, then attack.
For example, create a large number of processes so that the IDS can no longer create audit processes. This is a local DoS attack. Many UNIX operating systems can resist such local attacks, and a host IDS that uses a separate process can also avoid it. Of course, if the server load becomes too heavy, the administrator will notice the excess processes.
27. Attack the response system to interrupt communication.
For example, some IDS cut off all traffic from the host that initiated an attack. Forge an attack that appears to originate from a particular host, and the IDS will cut off all connections from that host; then attack that specific host. This is an attack I find very interesting. If I understand it correctly, it means using the IDS's automatic blocking of attacking IP addresses to block hosts on the protected network. Some IDS products, such as CMDS, NetRanger, NetProwler and RealSecure, can be linked with a firewall or router: when a specific event occurs, the router or firewall limits the traffic of a particular host. This technique has a traffic problem, which is a source of trouble between the firewall and the IDS: when traffic is limited, only traffic in the outbound direction is limited, so a breakthrough from the outside is still possible.
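The risk in item 27 is an IDS-to-firewall link that blocks whatever source address an alert carries, which turns a forged source address into a denial of service against the protected network. A defensive gate in front of that link is shown below as an added illustration, not code from the article or from any of the products it names: it refuses to push block rules for sources inside the protected address space or on a critical-host allowlist, treats alerts from easily forged packets (no completed TCP handshake) as notify-only, and requires several corroborated events before blocking an external source. The address ranges, allowlist, signature names and sample alerts are constructed assumptions.

```python
"""Gating automatic blocking so a forged attack cannot turn the IDS response
into a denial of service against the protected network. Added illustration,
not code from the article; networks, allowlist and signatures are
constructed assumptions."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Address space the IDS protects: never push a block rule for these sources,
# otherwise a forged packet can cut off an internal host.
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
# External hosts whose loss would hurt (constructed: e.g. a partner gateway).
NEVER_BLOCK = {ipaddress.ip_address("203.0.113.10")}
# Signatures raised by packets whose source address is trivially forged.
SPOOFABLE_SIGNATURES = {"icmp_flood", "udp_probe", "syn_scan"}

# Alert = (source IP, signature, seen on an established TCP connection?)
Alert = Tuple[str, str, bool]


def decide(alerts: List[Alert], min_events: int = 3) -> Dict[str, str]:
    """Return the response action per source address, in alert order."""
    counts: Counter = Counter()
    decisions: Dict[str, str] = {}
    for src, signature, established in alerts:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in PROTECTED_NETS):
            decisions[src] = "notify_only:internal_source"
        elif ip in NEVER_BLOCK:
            decisions[src] = "notify_only:allowlisted"
        elif signature in SPOOFABLE_SIGNATURES and not established:
            # Unverified source address: blocking it is what a forger wants.
            decisions[src] = "notify_only:unverified_source"
        else:
            counts[src] += 1
            decisions[src] = ("block_inbound" if counts[src] >= min_events
                              else "watch")
    return decisions


# Constructed alert stream.
SAMPLE_ALERTS: List[Alert] = [
    ("10.1.2.3", "exploit_attempt", True),      # forged to look internal
    ("203.0.113.10", "exploit_attempt", True),  # allowlisted partner host
    ("198.51.100.7", "icmp_flood", False),      # spoofable, no handshake
    ("192.0.2.44", "exploit_attempt", True),
    ("192.0.2.44", "exploit_attempt", True),
    ("192.0.2.44", "exploit_attempt", True),    # third corroborated event
]

if __name__ == "__main__":
    for src, action in decide(SAMPLE_ALERTS).items():
        print(f"{src:15} {action}")
```

The "established" flag is the key input: an alert raised on a completed TCP connection cannot have a forged source address in the same easy way a single ICMP or UDP datagram can, so it is the only kind this gate ever escalates to a block rule, and even then only after repeated events and only for sources outside the protected space.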
28. Reverse the input.
Use a conversion tool to transform it, applying the same transformation when sending and when receiving. This is just another way of disguising the shell.
29. Insert symbols during input, then convert them into a prefix with awk.
The IDS will not interrupt the connection. This is only useful against a network IDS watching a Telnet or rlogin session; these techniques are hard to use with other protocols such as FTP, HTTP or SMTP.
30. Use "Emacs" as the shell, and use wipes and yanks of the input/output command buffer instead of typing manually.
The IDS will only see something like Ctrl-W and Ctrl-Y when the target machine executes the command. NFR and RealSecure will detect "Emacs", because people who do not use "vi" are obviously hackers. Again, this is just another way of hiding commands, and usually only useful for Telnet and rlogin.
Type very slowly (ideally with a few hours between commands). Because of the limited buffer size, your input is flushed out of many IDS by the volume of other traffic. Network IDS have this weakness; host IDS do not. Some network IDS, such as NFR and Dragon, can be configured to detect such long-duration, low-bandwidth network sessions.
31. Change the route to the target to escape the IDS
This is an effective attack if one has knowledge of the topology. To carry it out, some network analysis must be performed first, and that is easily discovered by a network IDS. This attack also poses a problem for passive IDS systems.
32. Change the return route from the target to avoid the IDS
33. Use source-routed packets to specify a different route to the target; this can escape some single IDS
Almost all firewalls, routers and servers discard and log source-routed packets. Items 31, 32 and 33 assume that an alternate channel can reach the target, but in practice the network IDS can be configured to cover it as well.
34. Attack through a modem dial-in from the protected network; this escapes the network IDS
Of course, we have more ways to escape the IDS: first observe it, then start from where it will not notice. For example, we can release a virus onto a Windows NT system protected by Axent IA, BlackICE or even RealSecure; these IDS do not detect system-level viruses.
35. Interfere between the target and the IDS. For a network IDS, this can be done by changing the router communication.
A network IDS works by listening to network traffic; if the traffic is not heard, there is no intrusion. This attack only works when the attacker can change the internal network routing and has another access point onto the traffic. Many network IDS can detect attempts to change routes.
36. Attack from a springboard host. The attack will be noticed, but it will not be traced back (unless they are particularly good at tracing)
But this method does not escape the IDS; it only changes which intruding host the IDS detects. And the springboard host may itself be monitoring your behaviour.
37. Open a connection on a port that is not in use
The premise is that the attacker already has access to the target; a new attack will not begin this way. There are many programs, such as Netcat, that do this. Most of them can be found by a network IDS; products such as RealSecure can even detect a Loki ICMP session.
38. Communicate using altered characters, for example within a word
This is just encrypted network transmission. The prerequisite is a corresponding system on the other side.
39. Encapsulate IPX packets inside IP packets to attack. The IDS may only pay attention to the IP packet and not understand its content
But if the other side has an IPX-based IDS, they will detect this attack.
40. Attack using a different tunnel protocol, for example IP over SSL
Or another encrypted transmission technology.
Define your own protocol for your new tool, then use it to attack. You control the target host, write your own encrypted pipe, and use it under the nose of the IDS; this does not hide the connection itself from the IDS.
41. Generate a lot of false attack information to raise the noise level of the IDS. This makes it difficult for the administrator to filter real attacks out of the mass of information.
This is very interesting, but consider that network management systems are designed to process and display information in an understandable way, and IDS are the same. Dragon, for example, extracts data at many different levels, with different tools for finding different data. Enterprise products such as WebTrends tend to display all the sorted security information in a very easy-to-understand form. If an attacker does what was described above, he will only raise the target's alert level.
43. Place the intrusion inside a Word macro and send the document to the target. The IDS may not decode the attack instructions in the macro
See item 34. Some products, such as RealSecure, will detect suspicious Java and ActiveX downloads. Applications with virus detection can also notice such an attack.
44. Put the intrusion instructions in the macro of any other product you can think of.
45. Put the instructions into a compiled program (for example a Trojan), then get the target host to download and execute it
This is a classic attack. Common Trojans can be found by many host and network IDS; some firewalls can even detect BO2K scanning. On the other hand, this is also one of the most serious problems facing computer security today: it is almost impossible to inspect a binary, or even source code, and predict what it will do. IDS cannot do it either, but that is no reason to throw away IDS products. When someone sends sensitive company information by e-mail, most IDS or firewall products will not detect it.
46. Attack using a rare protocol. The IDS may not know how to decode such packets
"Protocol" is not a good word here. If it means different UDP/TCP ports, then a network IDS should find it. But many network IDS products are only suspicious of what they can understand; attacks over protocols other than ICMP, UDP and TCP can be detected by many IDS but not identified.
47. Rewrite the originally released exploit in a different language
I think this is not very useful. For example, the check-cgi program has been circulating for several months and can check more than 70 CGI vulnerabilities. It was ported from C to Perl, but there is no difference at the network layer. This method only works when the IDS searches solely for a specific binary.
49. Attack systems that do not run Unix, because almost all IDS today are built for UNIX systems
A survey shows that NetProwler, NFR Flight Jacket, NetRanger, RealSecure, Dragon and BlackICE can detect most Windows NT class