Attackers have a method that they work by. They follow phases to ensure success when attempting to breach a network. Many other aspects of these phases that don't fit conveniently into any rigid categories. The five phases of an attack are:

  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Clearing Tracks

To thwart the attempts of an attacker, the principals of preventing access must be understood.

Firewall Classes

Understanding Firewalls

Firewall Firewalls can be either software based or hardware devices that are used in the enforcement of security policies. Both can filter traffic based on a set of rules as traffic passes through them.

Routers are not firewalls and should never be considered as such. Network based firewalls will route traffic but this is only if the policy allows. Single hosts can be protected from both incoming and outgoing traffic by use of a host based firewall. Regardless of whether the firewall is software or hardware, all can create a troubleshooting nightmare should they not be configured carefully or correctly. This is the keystone to a business objective driven policy when it comes to firewall configuration.

Improvised configurations do not work well with firewalls. The configurations must be carefully thought through and any impact caused by the configuration must be considered. This should be done before the implementation of any firewall policies.

Physical or social engineering attacks cannot be protected against by any firewall. The most common weaknesses in any firewall are either leaving them in their default configurations or by careless implementation. Attackers are looking hard for these weaknesses and the best defensive measure it to prevent them from finding them by changing the default settings or by careful firewall configurations. Of equal importance is to understand both the benefits and the limitations of firewalls and prevent being lulled into the false sense of security by thinking their mere presence is equal to network security and protection.

Firewall Classes

Different types of firewalls exist each having their own niche in the market. Some products are multi-functional providing features such as routing and Demilitarized Zones (DMZ). These are the four common firewall classes:

  • Packet Filters
  • Circuit Level Gateways
  • Application Level Firewalls
  • Stateful Multilayer Inspection Firewalls

Packet Filters - Packet filters search for protocol information in the delivery and transport layers. The idea behind this is to filter out the obvious items first. Since every packet is a discreet single logical unit, packet filters only look at one delivery at a time. This method is computationally cheap very efficient.

Circuit Level Gateways - Circuit Level Gateways are a unique set of firewalls that protect the integrity of each end of the session, all without invading the confidentially of the data that is being exchanged. It is a socket level proxy as it creates entirely new connections that are based on the synchronizing of IP addresses and ports.

This method works by including a new translation of the sequence numbers that are tracked by TCP to help the receiving host reassemble all of the segments of data. It also prevents session hijacking and also helps obscure the true endpoints of any observed conversation.

Application Level Firewalls - Application Level Firewalls work on the Layer 7 level by looking at the content of each network packet. This includes all client server requests and information content that is delivered on the network.

Application Level Firewalls are computationally expensive as many factors ride far beyond simple a string pattern that must be matched and incorporated. Factors also include context and policies such as user profiles and time of day constraints. Once a policy violation is detected, there is a consideration as to whether or not log the evidence in a forensically sound manner, to redirect the user to another source or to log the alert allowing manual intervention in the determination as to what action should be taken.

Stateful Multilayer Inspection Firewalls - This class of firewall is a combination of all of the other three types of firewalls. They act by filtering packets at the network layer ridding the easiest data first and then send the remaining packets to the deep packet inspection engine. Deep packet inspection is a form of network packet filtering that examines the data of a packet searching for protocol non-compliance, viruses, spam, intrusions or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination.

Intrusion Detection Systems (IDS) Classes

IDS Classes

Intrusion Detection System Acting as a passive technique, intrusion detection is a critical part of network monitoring. It will only inform when an event has occurred but does not prevent or correct the situation by default. On the other hand, intrusion prevention systems perform on an active level. Sometimes using false positives turning these systems against the owners, this configuration and testing actively seeks out anything considered abnormal.

If trying to decide between the two, keep in mind that there is no "right choice." The decision has to be made by the consideration of its purpose and the best fit. While passive IDSs are prone to false positives and relay on administrative overhead in the form of analysis, it can look for a broad range of suspicious activity whereas active IDSs can create DoS situations if false positives are present and therefore must be tuned finely thus seeking out a much narrower scope of events.

Placement of these detection agents also play a role in the type of system that is chosen. The DMZ should alway have an agent present and one should also be in place to the inside of the firewall that will screen all internal networks.

There are several approaches to intrusion detection. Here are seven of the most common:

  • Signature Recognition
  • Anomaly Detection
  • Statistical Detection
  • Network-Based Intrusion Detection
  • Host-Based Intrusion Detection
  • Log File Monitoring
  • File Integrity Checking

Signature Recognition - Signatures are primarily recognizable characters of a packet such as a particular series of bytes or characters. The position, or offset of particular bytes can be of significance as well as specified fields values or protocol flag combinations.

Signal detection occurs in real time. After a suspect packet is detected, alerts can be placed in a log file almost immediately. If in place, an Incident Response Plan is activated and notifications can be sent. All of this is most often the greatest weakness of an IDS implementation. This weakness is because by the time the attack is noticed, the objective may have already been met and the attacker might be gone or at least changed the nature of their presence.

Should the IDS be running in "in-line" mode, it could interact with firewall software to implement new policy rules to block the attack. This is the function of an Intrusion Prevention System (IPS).

There is a drawback to signature detection and this is in the complexity and of the amount of the rule set that must be used. With it having to be constantly updated, it will not detect zero-day exploits, which are exploits that there are no signature rules yet available.

Anomaly Detection - Unusual events are what this type of IDS looks for. This means that it is critical to have a knowledge of what traffic is considered "normal." A baseline metric is needed and normal, expected traffic is given to the IDS. The IDS then will provide an alert if events other than what the baseline predicts take place.

This type of monitoring has an advantage as to where certain types of attacks that would normally evade signature analysis would be detected. Some of these attacks would be ARP poisoning or heavily fragmented packets that would cause unusual traffic. The disadvantage is that this IDS is only as good as it's baseline.

Statistical Detection - This IDS notices attacks that occur over time. Should an attacker try and scan very slowly, alerts are still triggered. Analysis, however, takes time and the attack may not be discovered until they have been completed, however at least the target will know the event has happened.

Network-Based Intrusion Detection - Considered "passive", this IDS just listens on the wire. Any form of analysis can be used.

Host-Based Intrusion Detection - This IDS is considered active since it can be invasive in order to monitor the behavior or actions of a host. As an example, if multiple emails are sent without a subject or content, the HIDS will block all email activity, notify the user and have the user confirm whether the actions were intended or not.

Log File Monitoring - Since log files have thousands of formats and each one is unique to the service that is being monitored, they present a challenge to analyze. Commercial tools are available that know of many popular formats and thus make reporting much easier, and they can provide real-time reporting as well.

File Integrity Checking - The class of IDS that keeps a database of hashes computed from critical files or directories on the system is the System Integrity Verifier (SIV). It recalculates these hashes either periodically or whenever the file is accessed. It then presents an alert when changes have been detected.

SIVs discover files that have been replaced, altered or corrupted. Unfortunately, files that change often are much more difficult to monitor. Fortunately, OS system files and program libraries are not subject to frequent changes and a new hash database must be computed after accepting patches or other security updates.

Interpreting Alerts

It is up to human intervention and analysis to determine if a response action is necessary or appropriate, and if so, to determine what the response should be should an alert to an alarm be triggered. If there is an immediate overreaction to the alert resulting in wasted time in a response to non-issues, not only is it a waste of time but can also create new problems.

The following are categories that are used for IDS alerts.

  • True Positive: An event triggering an alert for a real and present threat.
  • False Positive: An event triggering an alert showing a real threat when in fact it was not.
  • True Negative: An event not triggering an alert and in reality not a threat at all.
  • False Negative: An event not triggering an alert when in fact it was a real threat.

Events to Look for During An Analysis

Redundancy and different methods of detection are included in most of the best monitoring programs. Each threat possesses it's own risk factors to the organization. With this variance, each asset should be monitored differently.

Putting this into an example, consider a public web server and a database server. The web server will most likely be accessed by many people. Certain types of access is expected, however certain access types, such as directory traversals indicate one of the visitors is searching for documents or detect other flaws. Again, this could only be a search engine spider. Regardless, if we know from testing, there is nothing to find and most activities such as this is expected and should be ignored.

Now, looking at the database server, it should only be accessed by authorized processes and only when those processes are running correctly. They are only to attempt and perform certain actions. If anything outside of that is taking place it may be an indication that an attacker may have gained access and has a better position on the network, the query source has been compromised and the database must also be analyzed for any successful breaches.

You must be familiar with the threats and remember to not overreact. Just because a computer reboots on it's own does not necessarily mean it has been breached; it could be that the RAM needs reseated. On the other hand, you must remember that attackers may also try to cause a diversion and waste an administrator's time with false positives. These false positives will only be detected by redundant IDSs that are using different methods of detection. True positives must be responded to by an Incident Response Program (IRP) or and external team like a Computer Security Incident Response Team (CSIRT).

Here is a list of the most common items that a security team should be monitoring. Consider which form of detection would be the best and how an attacker might trigger a false positive or evade detection.

  • Modifications to system software and configuration files
  • Gaps in accounting systems
  • Unfamiliar user names
  • Arbitrary data in log files
  • Unusually slow performance
  • System crashes or reboots
  • Repeated probes on the available services on the machine
  • Missing logs
  • Repeated login attempts from the remote hosts
  • Short or incomplete logs
  • Unfamiliar processes
  • Logs containing strange timestamps
  • Missing files
  • Logs with incorrect permission or ownership
  • Abnormal system performance
  • Rogue files on the system that do not correspond to your master list of signed files
  • Unusual displays or text messages
  • The presence of new, unfamiliar files or programs
  • Change in file permissions
  • Unexplained changes in file size
  • Connections from unusual locations


The Nature of Honeypots

Honeypot Honeypots are designed to attract attackers with the idea that monitoring systems will allow the attacker to be observed. Honeypots come in different scales with a honeypot being a host, a honeynet is a network and a honeytoken is a piece of monitored data.

Before the deployment of a honeypot, a company or organization needs to verify that they are not violating the privacy rights of the attacker, (go figure...) Convert honeyposts deployed by third party projects rest in a different category.

The art to setting up a decoy victim is to make it appear legitimate. It must not stand out or seem in any way unusual or the attacker will notice and avoid it. With this, honeypots are not necessarily entirely exposed to risks, where a bastion host is used to describe one that is since it is completely exposed and completely hardened because it is getting no help. Honeypots cannot create additional risks or they could, and would be used against their attacker.

Honeypot Types

There are four different honeypot varieties that exist, all a matter of choice and a balance of risk, accuracy and administrative distraction from the production hosts. These levels are:

  • Physical Honeypots
  • Virtual Honeypots
  • Low Interaction
  • High Interaction

Physical Honeypots - These types are considered physical tests, fully functional and heavily monitored. They can be as simple as an unlocked bicycle leaning against a wall. Though it is there and unsecured, this does not mean the owner has given any permissions for anyone to take it.

Virtual Honeypots - Thus type is a sacrificial host setup on a network having real services running on a real OS but only containing fictional information, if any at all. Though this honeypots comes with great risk, it is the most convincing form of honeypot.

This type of honeypot will appear as a rogue infrastructure and cause internal time wasting should it not be formalized in configuration, release and without change management processes in place.

This IDS may have been told to pass all traffic coming from the honeypot and this can be a big mistake should the honeypot be compromised while remaining undetected. In this state, it could be used as a weapon against the network.

Low Interaction - This form appears to an attacker as an access point. It only logs probing activity, however, and since this host is of no production value, all access attempts are considered suspicious.

High Interaction - This form can be of great risk. Being able to be fully compromised, it must be separated from any network segment that has production value. The monitoring capabilities of this type of honeypot facilitates the gathering of information that would not be noticed by NIDS. By diligently monitoring the honeypot, detection of the larger plan of the attacker is possible and if the attacker manages to evade the network-based intrusion detection, hopefully the diversion will be discovered and attacked.

Testing and Evasion Techniques

Scanning for Firewalls, IDS and Honeypots

Knowing where the filters are is critical to the attacker. This is also a primary difference between the white hat penetration test and the true attack as the filters are moved for simple assessments.

Playing a major role in the scanning phase of the attack, the attacker wants to know where their barriers are located. By knowing this, the attack can either be graceful and never discovered or one that will cause alarms to be triggers and thus prompting a rapid escape and retreat.

There are five basic ways to fingerprint firewalls. These are:

  • Traceroute
  • Banner Grabbing
  • Look for any accessible open port
  • Port Scanning
  • Firewalking

Traceroute - It is important to know the path to a target host when interpreting the results of all other scans. By using traceroute, the attacker can make sure that they don't inadvertently attack a host that don't belong to the target organization. It also aids in distinguishing hosts and gateways which will determine the different scanning techniques used.

Should two or more hops with the same IP address show, this suggests that a load balancer or cluster is in place. Though this may not influence the attack, this information is still good to know.

Banner Grabbing - Using a tool like telnet, an attacker can try to connect to any access point that has been discovered and attempt to gather information. The proper instructions must be sent relative to the expected service to achieve full interaction, but even those that return only errors often divulge important information.

Look for any accessible open port - The two major issues with a routing firewall is the firewall itself and the hosts.

An attacker can gain clues about the nature of the possible routing firewall by determining which ports are showing as being open. IP protocol ID 47 shows support for Generic Router Encapsulation (GRE) and is often accompanied by TCP ports 1723 or 1701 that could reveal a potential VPN gateway.

The most common way to find a series of routers is by using the traceroute command. It is equally important to be able to use a variey of scanning techniques including the ICMP type 8 and other ACK scans. If it is shown that two hosts with the same IP source address exists, this can be an indication of a Network Address Translation (NAT) server or a load balancer.

Port Scanning - Port scanning can be conducted against both the routing firewalls and the hosts that are possibly running software firewalls themselves. The attacker is interested about what they can access.

Firewalking - The firewalk scan requires three hosts: the scanner, the gateway and the destination.

Traffic is sent to the destination by the scanner and informs the firewall tool what the gateway is. Firewalk sets the Time to Live (TTL) value of each packet it send to one hop past the gateway of the destination. If this traffic is passed by the gateway, the destination will respond with an ICMP type 11, which is the Time Exceeded, and the attacker knows the port is open. If not, the packet is dropped from the gateway.

Simple Evasion Techniques

Signature-based analyzers and other real time IDS systems can be fooled if they are not set up correctly or are not installed on hardware that is designed to handle the load on their segment. in this case, simple command line tools can can play havoc in these circumstances.

  • Fragmented Traffic
  • Encryption
  • Decoy Traffic
  • Denial of Service

Fragmented Traffic - Available for Linux, fragrouter is a command line tool that allows the attacker to ensure that all packets sent to a particular host will be fragmented to the size the attacker specifies. The IDS must then reassemble the fragments before full analysis can take place and therefore keeps the IDS busy. During this period other packets might be able to pass through during the time of high network load.

It is important not to confuse fragrouter with the tool fragroute. Fragroute is capable of being an inline packet modification tool otherwise known as a packet sharper.

Encryption - Whether encryption is mandated or forbidden is dictated by security policies. This is the only way any traffic can be flagged as suspicious even when a determination cannot be made as to what the attack is exactly.

Encryption countermeasures can sometimes be used to create covert channels for attackers. If the host end points that have established tunnels are compromised, the attacker might not need to even care about encryption, in fact it is sometimes even a benefit to them. Unless given the ability to decode the packets, IDS tools cannot analyze encrypted traffic. This action will expose the keys to more risk or further complicates key issuance and management.

Decoy Traffic - There are tools such as nmap that includes options for generating packets that have random IP addresses and port numbers that are used to mix with the attack packets. This could cause the IDS to log many false positives so the analyst has to figure out what is real and what is not.

Denial of Service - The IDS might be Denial of Service based on the underlying operating system or on a flaw in the IDS code itself. If attention is paid, this problem will be fixed quickly. Usually this issue can be fixed by a member of the Security Operations Center (SOC), however it might be just enough time for the attacker that is conducting the access step to plant the maintaining access code.

Packet Crafting

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behavior instead of using existing network traffic. Testing may target a firewall, IDS, TCP/IP stack, router or any other component of the network.

There are many ways to craft packets such as languages like PERL or Python created by programmers to automate crafting traffic and have complete control over the system. Comprised of a series of bits, a packet can be captured, manipulated, parsed, adjusted, created and sent in any way attackers might need as long as they know what is required for a given attack.

One of the easiest command line tools is Hping that comes with Backtrack Linux. It can be used to test firewalls and IDS.

Signature Changing

A quicker approach than Packet Crafting is to change the signature. Signatures that are based on a sequence of bytes in the data layer can be circumvented if the bytes under analysis are changed.

Adding bytes into the data is known as an Injection Attack. Should the signature bee too strict, the attacker might be able to change some values that have nothing to do with the signature but would cause the analysis rule to decide on a false negative. Some of these tools are:

  • SideStep: Is a tool that generates Metasploit payloads encrypted using the CryptoPP library and uses several other techniques to evade the Anti Virus.
  • ADMutate: Will attempt to encode the shell code with a simple mechanism so the shell code will be unique to any NIDS sensor.
  • Fragrouter: This is just a one-way fragmenting router. IP packets get sent from the attacker to the fragrouter which transforms them into a fragmented data stream to forward to the victim.
  • NIDSBench: This tool implements several well known attacks against passive network monitoring and allows for the instrumentation of trace-driven network attack simulations.

Tunnels and Reverse Shells

Tunnels - Tunnels, or tunneling, which is also known as port forwarding is the transmission of data intended for a private, corporate network through a public network. It is achieved in such a way that the routing nodes in the public network are completely unaware that the transmission is part of a private network.

Reverse Shells - Reverse Shells is the connection of one computer to another where the initiating computer forwards their shell to the destination. It is common that a reverse shell happens during an attack or as part of a penetration test. This kind of attack allows an attacker an interactive shell on a machine that they should not have had access to inside of the hardened area.

Packets can be enveloped within one another. Protocols that specify arbitrary data in the payload area can also be used in tunnels.

An ICMP type 8 message, which is a ping request, does not specify what should be echoed as the RFC just refers to "data". Loki is a tool that is able to split a message, split it up into pieces and send each piece as a part of the echo request in a type 8 message.

There is one thing that should be noted and that is that something on the receiving end has to understand the encapsulation. This is the same principle that applies to Virtual Private Networks (VPNs) as they can also be applied to covert attack channels.

Stateful Packet Inspection (SPI) firewalls are the reason reverse shells happen. SPI firewalls prevent incoming connection attempts but will allow traffic generated from requests. Essentially, this is a way of telling the attacker that the target wants to be attacked. This is where social engineering comes into play.