===================[ Evading network intrusion detection ]===================

Network intrusion detection systems (NIDS) appeared in the 1990s; now they are
more frequently called Network Intrusion Prevention Systems (NIPS). The idea of
NIDS/NIPS is that they watch packets heading to hosts on a network, look for
signs of attacks, and (in the case of NIPS) block those packets.

The difference between a NIPS and a firewall is not that large. When people
talk about firewalls, they usually mean a device that inspects all packets
passing through to hosts on the network and blocks undesirable ones based on
destinations, sources, port numbers, protocol numbers, or other fields in the
packet headers. When people speak of a NIPS, it is usually assumed that its
decisions are more complex and can include the contents of the packets, which
are matched against known attack payloads with pattern-matching rules or
against some statistical baseline (so-called anomaly detection).

Evading NIDS/NIPS is something attackers got very good at. The basic idea is
that the algorithms a NIDS uses to reassemble IP fragments and TCP streams
(so that it can match its rules against the result) are not quite the same as
those of the target hosts. The attacker uses these differences to make the
NIDS see a different byte stream than the victim does: either the NIDS accepts
a packet the host will discard ("insertion"), or the host accepts a packet the
NIDS discards ("evasion"). Either way the NIDS misses the attack.

There are several classic papers on this. Read them.

From the security industry/hackers:
  http://insecure.org/stf/secnet_ids/secnet_ids.html
  http://www.symantec.com/connect/articles/evading-nids-revisited

It is important to understand how these packets are constructed. Keep peeking
at http://nmap.org/book/tcpip-ref.html and http://www.tcpipguide.com/.

From academia:
  https://www.usenix.org/legacy/events/sec01/full_papers/handley/handley.pdf
  http://www.icir.org/vern/papers/activemap-oak03.pdf

-------------[ Exercises ]-------------

1. There are two IDS evasion tools that do slightly different things:
   fragroute and fragrouter. They both fragment packets to make reassembly
   harder for the IDS.

     http://tools.kali.org/information-gathering/fragrouter
     source: http://git.kali.org/gitweb/?p=packages/fragrouter.git;a=snapshot;h=f6fedf2;sf=tgz
     (also in my netreads/ directory as fragrouter-f6fedf2.tgz)

     https://www.monkey.org/~dugsong/fragroute/

   Understand these tools and get them to work. Look at the packets they
   send. Replicate this functionality in Scapy.

   These tools are packaged with Kali Linux. To build them on Debian, you
   will first need to install some dependencies: libnet, libdnet, and
   libevent. Note that an older version of libnet is bundled with fragrouter
   (but not with fragroute), and different versions of libnet are not
   compatible.

   Libnet was how you built IP and TCP packets before Scapy: with C functions
   and Unix raw IP sockets. Libnet gave you helper functions for calculating
   the IP and TCP checksums that crafted packets need. To learn more about
   libnet and tools built with it, see
   http://packetfactory.openwall.net/projects/libnet/ and
   http://packetfactory.openwall.net/projects/

   Libdnet (http://libdnet.sourceforge.net/) is an improvement on libnet,
   giving more advanced functionality. Libdnet includes a command-line tool,
   dnet, that can build and send packets from the command line, in hex. Look
   at the list of tools that use libdnet. Scapy now gives you more
   functionality than either (and subsumes libdnet).

2. Test HTTP and DNS requests processed through fragrouter and fragroute.
   Write scripts for Scapy and NFQUEUE (or the older IPQUEUE; ip_queue was
   removed from the Linux kernel in 3.5, so on current systems use NFQUEUE)
   to detect these attacks and drop the fragmented packets. Check that normal
   connections still get through!
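The following is an added example for exercises 1 and 2 together; it is not
code from this page or from fragroute/fragrouter. It builds IPv4 fragments
with the same header fields and checksum that libnet or Scapy would compute
(plain struct code, so it runs without Scapy), adds one overlapping fragment
the way fragroute's ip_frag directive with its old/new option does, and then
reassembles under two different overlap policies, "first data wins" and "last
data wins", to show that the two policies yield different byte streams. A NIDS
that guesses the wrong policy for the victim matches its rules against the
wrong stream. The OverlapDropper class is the verdict logic for an NFQUEUE
callback: any fragment that overlaps a byte range already seen for the same
datagram is dropped, everything else passes. The addresses, IP ident, and the
HTTP request line are constructed test values; the netfilterqueue import at
the bottom assumes the python-netfilterqueue package and root.

```python
"""IPv4 fragmentation, overlap policies and an NFQUEUE drop-overlaps verdict."""
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the helper libnet provides)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_fragment(src, dst, ident, offset, data, more, proto=6, ttl=64):
    """One IPv4 fragment. offset is in bytes and must be a multiple of 8."""
    assert offset % 8 == 0
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident,
                      flags_frag, ttl, proto, 0, _ipv4(src), _ipv4(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + data


def parse_fragment(pkt: bytes):
    """Fragmentation-relevant header fields, or None if this is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total, ident, flags_frag, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "ident": ident, "proto": proto, "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000), "data": pkt[ihl:total]}


def fragment_datagram(src, dst, ident, payload, size=8, overlap=None):
    """Split payload into size-byte fragments. overlap=(offset, data) appends one
    extra fragment that re-sends the bytes at offset with different content."""
    frags = []
    for off in range(0, len(payload), size):
        frags.append(build_fragment(src, dst, ident, off, payload[off:off + size],
                                    more=off + size < len(payload)))
    if overlap:
        off, data = overlap
        frags.append(build_fragment(src, dst, ident, off, data, more=True))
    return frags


def reassemble(frags, policy):
    """Reassemble parsed fragments in arrival order. policy 'first' keeps the data
    that arrived first (favor old), 'last' lets later data overwrite (favor new).
    Returns None if a hole remains or no final (MF=0) fragment was seen."""
    buf, filled, total = bytearray(), bytearray(), None
    for f in frags:
        end = f["offset"] + len(f["data"])
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            filled.extend(b"\x00" * (end - len(filled)))
        for i, byte in enumerate(f["data"]):
            pos = f["offset"] + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = 1
        if not f["more"]:
            total = end
    if total is None or not all(filled[:total]):
        return None
    return bytes(buf[:total])


class OverlapDropper:
    """Verdict logic for an NFQUEUE callback: drop any fragment whose byte range
    overlaps one already seen for the same datagram; accept everything else.
    A legitimate IP stack never emits overlapping fragments, so no normal
    connection is affected. State is never expired here; a real filter needs
    a timeout per datagram key."""

    def __init__(self):
        self.seen = {}   # (src, dst, ident, proto) -> [(start, end), ...]

    def verdict(self, pkt: bytes) -> str:
        f = parse_fragment(pkt)
        if f is None or (f["offset"] == 0 and not f["more"]):
            return "ACCEPT"            # not IPv4, or an unfragmented datagram
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        start, end = f["offset"], f["offset"] + len(f["data"])
        ranges = self.seen.setdefault(key, [])
        if any(start < e and s < end for s, e in ranges):
            return "DROP"
        ranges.append((start, end))
        return "ACCEPT"


if __name__ == "__main__":
    # Run as root with a rule that queues packets, e.g.
    #   iptables -I INPUT -j NFQUEUE --queue-num 1
    # Caveat: if nf_conntrack is loaded, the kernel defragments before iptables
    # sees the packet, so the queue receives whole datagrams, not fragments.
    from netfilterqueue import NetfilterQueue   # python-netfilterqueue (assumed installed)

    dropper = OverlapDropper()

    def callback(nfpkt):
        if dropper.verdict(nfpkt.get_payload()) == "DROP":
            nfpkt.drop()
        else:
            nfpkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(1, callback)
    try:
        nfq.run()
    finally:
        nfq.unbind()
```

Compare the output of fragment_datagram() with what tcpdump shows for
fragrouter or fragroute, then reimplement build_fragment() with Scapy's
IP() layer and fragment(), as the exercise asks. Dropping overlaps is the
blunt answer to exercise 2: it cannot be evaded by choosing a different
overlap policy, but it does nothing about the other tricks in the papers
above (short TTLs, bad checksums, TCP segment games), each of which needs its
own check.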