CEHv12-12 - Network and Perimeter Hacking - Evading Firewalls, IDS, and Honeypots

IDS and IPS

  • Definition: critical tools in network security:
    • IDS detects suspicious activities and generates alerts.
    • IPS detects and actively prevents threats by blocking malicious traffic.

    Feature        IDS                                       IPS
    Functionality  Detects intrusions and generates alerts.  Detects and actively blocks threats.
    Action         Passive (alert only).                     Active (blocks malicious traffic).
    Placement      Monitors network or host traffic.         Directly in the traffic flow (inline).
  • Types:

    1. Network-Based (NIDS/NIPS):
      • Monitors all network traffic.
      • Deployed at network entry/exit points.
    2. Host-Based (HIDS/HIPS):
      • Monitors traffic on individual systems.
      • Installed on operating systems (e.g., servers).
  • Alert types, classified by whether an attack actually occurred and whether an alert fired:

    • True Positive: Real attack detected, alert sent.
    • False Positive: Alert triggered, but no attack occurred.
    • True Negative: No attack, no alert.
    • False Negative: Real attack occurred, but no alert was triggered.
  • Tools:

    1. Snort: open-source IDS/IPS with customizable rules; monitors network traffic for known patterns (e.g., scans such as Xmas and FIN scans, exploits).
    2. Zeek (formerly Bro): network security monitoring tool focused on traffic analysis and anomaly detection.
    3. Suricata: advanced IDS/IPS that supports multi-threading. Often used with Snort rules for simplicity.
    4. YARA: detects malware by matching files against custom rules. Useful for identifying IOCs (Indicators of Compromise).
  • Evasion techniques:

    • Packet Fragmentation: splitting attack payloads into smaller packets.
    • Session Splicing: breaking payloads across multiple packets.
    • Decoys: using multiple sources to obscure the attacker’s identity.
    • Obfuscation: encoding payloads (e.g., Base64, Unicode).
    • DoS Attacks: overloading IDS/IPS to force failure (e.g., fail open).
    • Insertion Attacks: sending malformed packets to bypass detection.
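The signature matching described under Snort, run over constructed packets and scored into the four alert classes listed above. This is an added example written for these notes, not code from Snort or from the CEH material; the packets, the three rules, the `' OR 1=1` pattern and the ground-truth labels are all constructed. It also shows the Obfuscation bullet in practice: the same probe URL-encoded slips past the raw content rule, and decoding the payload before matching (one form of rule tuning) turns that false negative into a detection.

```python
"""Added example for these notes (not code from Snort or the CEH material):
a minimal signature-based IDS run over constructed packets, with each
decision scored as true/false positive/negative. Every packet, rule and
ground-truth label below is constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]          # TCP flags set on the packet
    payload: bytes = b""
    malicious: bool = False        # ground truth, known to the exercise only


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    flags: Optional[FrozenSet[str]] = None   # exact flag set to match
    content: Optional[bytes] = None          # byte pattern in the payload

    def matches(self, pkt: Packet, normalize: bool = False) -> bool:
        if self.flags is not None and pkt.flags != self.flags:
            return False
        if self.content is not None:
            payload = unquote_to_bytes(pkt.payload) if normalize else pkt.payload
            if self.content not in payload:
                return False
        return True


# Constructed rule set mirroring the note's examples: Xmas and FIN scans
# (flag-based) and a content rule for a classic SQL injection probe.
SIGNATURES = [
    Signature(1, "Xmas scan", flags=frozenset({"FIN", "PSH", "URG"})),
    Signature(2, "FIN scan", flags=frozenset({"FIN"})),
    Signature(3, "SQLi probe", content=b"' OR 1=1"),
]


def detect(pkt: Packet, sigs=SIGNATURES, normalize: bool = False) -> List[str]:
    """Return the messages of every signature that fires on the packet."""
    return [s.msg for s in sigs if s.matches(pkt, normalize)]


def classify(pkt: Packet, alerts: List[str]) -> str:
    """Score one decision against ground truth (the four alert types)."""
    fired = bool(alerts)
    if fired and pkt.malicious:
        return "true_positive"
    if fired:
        return "false_positive"
    if pkt.malicious:
        return "false_negative"
    return "true_negative"


def score(packets, sigs=SIGNATURES, normalize: bool = False) -> dict:
    """Count the four outcomes over a packet list."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for p in packets:
        counts[classify(p, detect(p, sigs, normalize))] += 1
    return counts


HTTP = frozenset({"PSH", "ACK"})
SAMPLE = [  # constructed traffic; 203.0.113.9 plays the scanner
    Packet("10.0.0.5", "10.0.0.20", 80, HTTP, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.20", 22, frozenset({"FIN", "PSH", "URG"}), malicious=True),
    Packet("203.0.113.9", "10.0.0.20", 443, frozenset({"FIN"}), malicious=True),
    Packet("10.0.0.7", "10.0.0.20", 80, HTTP, b"q=' OR 1=1 --", malicious=True),
    # benign page text that happens to contain the pattern: a false positive
    Packet("10.0.0.8", "10.0.0.20", 80, HTTP, b"title=What does ' OR 1=1 mean?"),
    # the same probe URL-encoded (the Obfuscation bullet): missed unless decoded
    Packet("203.0.113.9", "10.0.0.20", 80, HTTP, b"q=%27%20OR%201%3D1", malicious=True),
]

if __name__ == "__main__":
    print("raw matching:    ", score(SAMPLE))
    print("decoded matching:", score(SAMPLE, normalize=True))
```

Run as-is it prints the raw score (3 true positives, 1 false positive, 1 true negative, 1 false negative) and then the score with payload decoding, where the encoded probe becomes a fourth true positive. The false positive stays either way, which is the trade-off rule tuning has to manage.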

Example: TTL Attacks

  1. Fragmented packets are sent with varying TTL (Time to Live) values.
  2. Fragments with a low TTL expire and are dropped by the network before they reach the target host, although a detection system closer to the sender still sees them.
  3. The target reassembles only the fragments that survived, so the stream it receives differs from the one the detection system inspected, and the attack bypasses detection.
  • Defense strategies:
    • Baseline behavior: understand normal activity to detect anomalies.
    • Patch management: regularly update and patch IDS/IPS systems.
    • Rule tuning: adjust rules to minimize false positives.
    • Disallow lists: block known malicious behaviors and payloads.
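A simulation of the TTL example above, placed next to the defense it calls for. This is an added example written for these notes, not code from the CEH material: the topology (sensor 2 hops from the sender, host 5 hops), the hop counts, the fragment stream and the `' OR 1=1` content rule are constructed, and nothing touches a real network. The naive sensor reassembles every fragment it sees and misses the payload; the target-aware sensor discards fragments whose remaining TTL cannot carry them to the host, which is the kind of baseline knowledge of the environment the defense strategies ask for.

```python
"""Added example for these notes (not code from the CEH material): a
simulation of the TTL-based insertion attack described above, next to the
target-aware reassembly a sensor can use to defend against it. The topology,
hop counts and fragments are constructed; nothing touches the network."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    offset: int    # position of this piece in the reassembled payload
    ttl: int       # hops the fragment may still travel
    data: bytes


# Constructed topology: the IDS sensor sits 2 hops from the sender and the
# protected host 5 hops away, so a fragment must leave with TTL > 5 to arrive.
HOPS_TO_SENSOR = 2
HOPS_TO_HOST = 5
SIGNATURE = b"' OR 1=1"   # constructed content rule, as in a Snort-style IDS


def path(frags: List[Fragment], hops: int) -> List[Fragment]:
    """Model the routers along `hops` hops: each one decrements TTL and
    discards a fragment whose TTL would reach zero."""
    return [Fragment(f.offset, f.ttl - hops, f.data) for f in frags if f.ttl > hops]


def reassemble(frags: List[Fragment]) -> bytes:
    """First fragment seen for an offset wins (one of several real policies;
    a sensor that guesses the host's policy wrongly has a similar problem)."""
    by_offset = {}
    for f in frags:
        by_offset.setdefault(f.offset, f.data)
    return b"".join(by_offset[o] for o in sorted(by_offset))


def naive_sensor(observed: List[Fragment]) -> bytes:
    """Reassembles everything it sees, including fragments that will never
    reach the host."""
    return reassemble(observed)


def target_aware_sensor(observed: List[Fragment], hops_to_target: int) -> bytes:
    """Defense: ignore fragments whose remaining TTL cannot carry them the
    rest of the way to the target. Needs knowledge of the topology."""
    return reassemble([f for f in observed if f.ttl > hops_to_target])


# Constructed stream: the decoy at offset 2 leaves with TTL 3, so it reaches
# the sensor (2 hops) but is dropped before the host (5 hops).
STREAM = [
    Fragment(0, 64, b"q="),
    Fragment(2, 3, b"XXXXXXXX"),
    Fragment(2, 64, b"' OR 1=1"),
]


def evaluate(stream: List[Fragment]) -> dict:
    """What the host receives, and whether each sensor variant alerts."""
    observed = path(stream, HOPS_TO_SENSOR)
    delivered = path(stream, HOPS_TO_HOST)
    remaining = HOPS_TO_HOST - HOPS_TO_SENSOR
    return {
        "host_payload": reassemble(delivered),
        "naive_alert": SIGNATURE in naive_sensor(observed),
        "target_aware_alert": SIGNATURE in target_aware_sensor(observed, remaining),
    }


if __name__ == "__main__":
    for key, value in evaluate(STREAM).items():
        print(f"{key}: {value!r}")
```

The host ends up with `q=' OR 1=1` while the naive sensor reassembled `q=XXXXXXXX` and stayed silent; the target-aware sensor sees the same bytes the host does and alerts. The same idea generalizes to any property that makes a fragment visible to the sensor but undeliverable to the target, which is why the hop distance to protected hosts is worth recording as part of the baseline.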

Firewalls

Network security tools used to filter and control incoming and outgoing traffic based on predefined rules. They can be hardware, software, or both; they act as a “bouncer,” determining which traffic to allow or deny based on rules.

  • Firewall lists: they filter traffic using allow/deny lists (whitelisting/blacklisting). Implicit deny is a common security practice: block all traffic except explicitly allowed connections. There are two main types:

    • Allow List: allows specific trusted traffic and blocks all others.
    • Deny List: blocks specific untrusted traffic and allows all others. Used when you can’t identify all trusted sources but know certain threats.
  • Deployment Strategies:

    1. Gateway Firewalls: Deployed on routers to control access at the network perimeter.
    2. Bastion Hosts: Hardened devices that act as entry points into a network.
    3. DMZ (Demilitarized Zone):
      • A network segment that isolates public-facing servers (e.g., web servers) from internal networks.
      • Prevents direct access to internal systems from the internet.
  • Types of Firewalls:

    1. Packet filtering firewalls:
      • Operates at OSI Layer 3 (Network layer).
      • Filters based on IP addresses, protocols, and port numbers.
    2. Circuit-level gateways:
      • Operates at OSI Layer 5 (Session layer).
      • Verifies legitimate sessions before allowing traffic.
    3. Application layer firewalls (e.g. WAFs that block SQL injection attacks):
      • Operates at OSI Layer 7 (Application layer).
      • Filters traffic for specific applications like HTTP or FTP.
    4. Stateful firewalls:
      • Tracks the state of active connections.
      • Only allows traffic that is part of an established session.
    5. Next-Generation firewalls (NGFWs): combine traditional firewall capabilities with advanced features like SSL inspection and intrusion prevention.
    6. Other Types:
      • Proxy firewalls: filter traffic by acting as an intermediary between clients and servers.
      • VPNs: provide encrypted tunnels that block unauthorized access.
  • Evasion Techniques:

    • Firewalking: Testing TTL values to probe firewall rules.
    • IP Spoofing: Faking source IP addresses to bypass rules.
    • Packet Fragmentation: Breaking packets into small fragments to evade detection.
    • Denial of Service (DoS): Overwhelming the firewall to make it fail open, allowing all traffic.
    • Tunneling Traffic: Hiding malicious data within legitimate traffic (e.g., HTTPS, DNS).
    • Proxies: Using a proxy server to bypass IP-based filtering.
  • Defense strategies:

    1. Implicit Deny: Block all traffic by default unless explicitly allowed.
    2. Ingress and Egress Rules: Ensure traffic is filtered both entering and exiting the network.
    3. Regular Updates: Apply security patches to prevent exploitation of vulnerabilities.
    4. Testing and Review: Periodically test and refine rules to ensure they are effective.
    5. Logging and Monitoring: Use SIEM solutions to monitor firewall activity and detect anomalies.
  • Implementing firewalls: follow the layered model:

    • Network Layer (Layer 3): controls traffic based on IP addresses, protocols, and ports. Common in routers and standalone firewalls.
    • Transport Layer (Layer 4): filters traffic based on TCP/UDP port numbers and connection states. Used in stateful firewalls.
    • Application Layer (Layer 7): inspects the contents of packets for specific applications (e.g., HTTP, FTP). Used in application firewalls and web application firewalls (WAFs).
  • Evading firewalls

    • Firewalking: technique used to determine the rules of a firewall by sending packets with varying TTL values and analyzing the responses. It helps attackers map the firewall rules and identify open ports.
    • IP Spoofing: altering the source IP address of packets to impersonate a trusted host. This can bypass IP-based access controls and make malicious traffic appear to come from a legitimate source.
    • Fragmentation: involves breaking a packet into smaller fragments to evade detection by firewalls that do not reassemble fragmented packets before inspection. This can bypass filters that detect specific patterns in larger packets.
    • Tunneling: encapsulates one type of traffic within another protocol to bypass firewalls. Common examples include using HTTP or DNS to tunnel other types of traffic, making it appear as normal web or DNS traffic to evade firewall rules.
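A small rule evaluator that puts the firewall concepts from this section into code: first-match allow/deny rules filtering on addresses, protocol and port (the Layer 3/4 model), separate ingress and egress rules, stateful tracking so only traffic belonging to an established session passes, and implicit deny as the default. This is an added example written for these notes, not code from the CEH material or from any firewall product; the DMZ and LAN address ranges, the four rules and the sample packets are constructed.

```python
"""Added example for these notes (not code from the CEH material or any
firewall product): a small rule evaluator that models first-match
allow/deny rules, implicit deny as the default, separate ingress and egress
policy, and stateful tracking so that only traffic belonging to an
established session passes. Addresses, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = ingress, "out" = egress
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN (no ACK) = attempt to open a session


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str
    proto: str
    src: str                # CIDR
    dst: str                # CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions = set()   # (proto, initiator, port, responder, port)

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Replies and later packets of a known session pass (stateful).
        if fwd in self.sessions or rev in self.sessions:
            return "allow (established)"
        # 2. A TCP packet that is neither a SYN nor part of a session is
        #    out of state; a stateless packet filter would have let it through.
        if p.proto == "tcp" and not p.syn:
            return "deny (no session)"
        # 3. First matching rule wins; an allow records the new session.
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.sessions.add(fwd)
                return r.action
        # 4. Implicit deny: nothing matched, so the packet is dropped.
        return "deny (implicit)"


# Constructed policy: 192.0.2.0/24 is the DMZ, 10.0.0.0/24 the internal LAN.
RULES = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),    # public web server in the DMZ
    Rule("allow", "out", "udp", "10.0.0.0/24", "192.0.2.53/32", 53),  # LAN may use the DMZ resolver
    Rule("deny", "out", "tcp", "10.0.0.0/24", "0.0.0.0/0", 23),       # egress rule: no telnet out
    Rule("allow", "out", "tcp", "10.0.0.0/24", "0.0.0.0/0", 443),     # egress HTTPS
]

SAMPLE = [  # constructed traffic, evaluated in order
    Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 443, syn=True),  # new HTTPS to the DMZ
    Packet("out", "tcp", "192.0.2.10", 443, "198.51.100.7", 40000),          # its reply
    Packet("in", "tcp", "198.51.100.7", 40001, "192.0.2.10", 443),            # ACK with no session
    Packet("in", "tcp", "198.51.100.7", 40002, "10.0.0.5", 22, syn=True),     # SSH straight to the LAN
    Packet("out", "tcp", "10.0.0.5", 50000, "203.0.113.4", 23, syn=True),     # telnet leaving the LAN
    Packet("out", "udp", "10.0.0.5", 5353, "192.0.2.53", 53),                 # DNS to the resolver
]


def evaluate(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Run a fresh firewall over the packets and return one verdict each."""
    fw = StatefulFirewall(rules)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{p.direction:>3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The SSH attempt to the LAN host is dropped by implicit deny rather than by any rule, the telnet attempt is caught by an explicit egress rule, and the bare ACK is rejected because no session exists for it even though an allow rule would have matched it, which is the difference between the packet filtering and stateful types listed above.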

Honeypots

Environments that attract and trap attackers by mimicking real systems or data. They allow administrators to monitor and analyze attacker behavior without risking real systems.

  • Types by interaction levels:

    • Low Interaction: simulates only basic services and interactions. Minimal engagement with attackers (e.g. a simple web server that logs attempted connections and basic interactions).
    • Medium Interaction: provides more realistic services and interactions. Engages attackers longer but still does not mimic a full operating system (e.g. a virtual machine that simulates a range of services like FTP, SSH, and HTTP, allowing attackers to perform more extensive actions).
    • High Interaction: fully functional systems that mimic real production environments. Engages attackers for extended periods, providing deep insights (e.g. complete operating system set up with real applications and data to observe complex attack patterns).
    • Pure Interaction: real systems used as honeypots. No simulation; attackers interact with actual operating systems and services (a real server with a standard OS and applications deployed as a honeypot to gather comprehensive data on attacker methods).
  • Varieties:

    • Client honeypots: simulate client-side applications to detect malicious servers (e.g. a web browser honeypot that visits websites to identify drive-by downloads and other client-side attacks).
    • Database honeypots: mimic database systems to attract attackers targeting database services (e.g. a fake MySQL server designed to log SQL injection attempts and unauthorized access attempts).
    • Spam honeypots: designed to attract and collect spam messages for analysis (e.g. an email server that accepts all incoming messages to gather spam for studying spammer tactics and origins).
    • Malware Honeypots: attract and capture malware to study its behavior and propagation (e.g. a virtual environment that allows malware to infect it, recording the malware’s actions and analyzing its impact and communication patterns).
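A low-interaction honeypot of the kind described under interaction levels, as an added example written for these notes rather than code from the CEH material or from any honeypot project. It listens on one TCP port on localhost, greets with a fake FTP banner, records the time, peer address and first bytes each client sends, and drops the connection; no real service sits behind it, which is exactly what makes it low interaction. The banner, the probe client and the port choice are constructed assumptions.

```python
"""Added example for these notes (not code from the CEH material or any
honeypot project): a low-interaction honeypot. It listens on one TCP port,
greets with a fake FTP banner, records the time, peer address and first
bytes sent, then drops the connection. No real service sits behind it."""
import socket
import threading
import time
from datetime import datetime, timezone

BANNER = b"220 ftp.example.test FTP server ready\r\n"   # constructed decoy banner


class LowInteractionHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0 = let the OS pick one
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # so the accept loop can check for stop
        self.port = self.sock.getsockname()[1]
        self.events = []                  # what a defender would forward to a SIEM
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "LowInteractionHoneypot":
        self._thread.start()
        return self

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(BANNER)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
                self.events.append({
                    "ts": datetime.now(timezone.utc).isoformat(),
                    "peer": addr[0],
                    "first_bytes": data[:64],   # enough to see the attempted command
                })
        self.sock.close()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()


def probe(port: int, payload: bytes) -> bytes:
    """Constructed client used only to exercise the honeypot on localhost."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
        return banner


def demo() -> tuple:
    """Start a honeypot, connect to it twice, return the banner and the log."""
    hp = LowInteractionHoneypot().start()
    try:
        banner = probe(hp.port, b"USER root\r\n")
        probe(hp.port, b"HELP\r\n")
        deadline = time.time() + 3
        while len(hp.events) < 2 and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo()
    print(banner.decode().strip())
    for e in events:
        print(e)
```

Every connection is an event worth alerting on, because nothing legitimate should ever talk to this port; that is what makes honeypot logs so low in false positives compared with an IDS. A medium- or high-interaction variant would keep the session open and answer commands, which costs more to build and isolate but records far more about the attacker's methods.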