Evading IDS, Firewalls, and Honeypots
Module 17
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker

CEH v8 Ethical Hacking and Countermeasures
Engineered by Hackers. Presented by Professionals.
Module 17 Page 2550
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

Russian Service Rents Access To Hacked Corporate PCs
October 23, 2012 12:30 PM
Source: http://www.informationweek.com

Service provides stolen remote desktop protocol credentials, letting buyers remotely log in to corporate servers and PCs, bypassing numerous security defenses.

Want to infiltrate a business? An online service sells access credentials for some of the world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a corporate firewall.

That finding comes by way of a new report from information security reporter Brian Krebs, who's discovered a Russian-language service that traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft standard that allows for a remote computer to be controlled via a graphical user interface.

The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.


Here's how Dedicatexpress.com works: Hackers submit their stolen RDP credentials to the service, which pays them a commission for every rental. According to a screen grab published by Krebs, the top submitters are "lopster," with 12,254 rentals, followed by "_sz_", with 6,645 rentals. Interestingly, submitters can restrict what the machines may be used for, for example, specifying that machines aren't to be used to run online gambling operations or PayPal scams, or that they can't be run with administrator-level credentials.

New users pay $20 to join the site, after which they can search for available PC and server RDP credentials. Rental prices begin at just a few dollars and vary based on the machine's processor speed, upload and download bandwidth, and the length of time that the machine has been consistently available online.

According to Krebs, the site's managers have said they won't traffic in Russian RDP credentials, suggesting that the site's owners are based in Russia and don't wish to antagonize Russian authorities. According to security experts, Russian law enforcement agencies typically turn a blind eye to cybercrime gangs operating inside their borders, providing they don't target Russians, and that these gangs in fact occasionally assist authorities.

When reviewing the Dedicatexpress.com service, Krebs said he quickly discovered that access was being rented, for $4.55, to a system that was listed in the Internet address space assigned to Cisco, and that several machines in the IP address range assigned to Microsoft's managed hosting network were also available for rent. In the case of Cisco, the RDP credentials (username and password) were both "Cisco." Krebs reported that a Cisco source told him the machine in question was a "bad lab machine."

As the Cisco case highlights, poor username and password combinations, combined with remote-control applications, give attackers easy access to corporate networks.

Still, even complex usernames and passwords may not stop attackers. Since Dedicatexpress.com was founded in 2010, it's offered access to about 300,000 different systems in total, according to Krebs. Interestingly, 2010 was the same year that security researchers first discovered the Georbot Trojan application, which scans PCs for signs that remote-control software has been installed and then captures and transmits related credentials to attackers. Earlier this year, security researchers at ESET found that when a Georbot-infected PC was unable to contact its designated command-and-control server to receive instructions or transmit stolen data, it instead contacted a server based in the country of Georgia.

When it comes to built-in remote access to Windows machines, RDP technology was first included in the Windows XP Professional (but not Home) version of the operating system, and it has been included in every edition of Windows released since then. The current software is dubbed Remote Desktop Services (for servers) and Remote Desktop Connection (for clients).

Might Windows 8 security improvements help prevent unauthorized people from logging onto PCs using stolen remote desktop protocol credentials? That's not likely, since Microsoft's new operating system, set to debut later this week, includes the latest version, Remote Desktop Protocol 8.0, built in.


Microsoft has also released a free Windows 8 Remote Desktop application, filed in the "productivity" section of Windows Store. According to Microsoft, "the new Metro-style Remote Desktop app enables you to conveniently access your PC and all of your corporate resources from anywhere."

"As many of you already know, a salient feature of Windows Server 2012 and Windows 8 is the ability to deliver a rich user experience for remote desktop users on corporate LAN and WAN networks," read a recent blog post from Shanmugam Kulandaivel, a senior program manager in Microsoft's Remote Desktop Virtualization team.

Despite such capabilities now being built into numerous operating systems, including Linux and Mac OS X, many security experts recommend deactivating or removing such tools when they're not needed. "Personally, I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface," said Wolfgang Kandek, CTO of Qualys. He made those comments earlier this year, after the source code for Symantec's pcAnywhere Windows remote-access software was leaked to the Internet by hacktivists. Security experts were concerned that attackers might discover an exploitable zero-day vulnerability in the remote-access code, which would allow them to remotely access any machine that had the software installed.

Copyright © 2012 UBM Tech
By Mathew J. Schwartz
http://www.informationweek.com/security/attacks/russian-service-rents-access-to-hackedc/240009580


Module Objectives

Today, hacking and computer system attacks are common, making the importance of intrusion detection and active protection all the more relevant. Intrusion detection systems (IDSes), intrusion prevention systems (IPSes), firewalls, and honeypots are the security mechanisms implemented to secure networks and systems. But attackers are able to evade even these mechanisms and break into a legitimate system or network with the help of various evasion techniques.

This module will familiarize you with:

• Ways to Detect an Intrusion
• Types of Intrusion Detection Systems
• General Indications of Intrusions
• Firewall Architecture
• Types of Firewalls
• Firewall Identification
• How to Set Up a Honeypot
• Intrusion Detection Tools
• How Snort Works
• Firewalls
• Honeypot Tools
• Evading IDSes
• Evading Firewalls
• Detecting Honeypots
• Firewall Evasion Tools
• Packet Fragment Generators
• Countermeasures
• Firewall/IDS Penetration Testing
Ethical Hacking and Countermeasures
Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Module Flow

To understand IDSes, firewalls, and honeypots, and the evasion techniques attackers use to break into a target network or system, it is necessary to understand these mechanisms and how they prevent intrusions and offer protection. So, let us begin with basic IDS, firewall, and honeypot concepts.

• IDS, Firewall and Honeypot Concepts
• IDS, Firewall and Honeypot System
• Evading IDS
• Evading Firewall
• Detecting Honeypots
• Firewall Evading Tools
• Countermeasures
• Penetration Testing

This section introduces you to the basic IDS, firewall, and honeypot concepts.

Intrusion Detection Systems (IDSes) and their Placement

An intrusion detection system is used to monitor networks or systems for malicious activity and to alert security personnel when an intrusion is detected. IDSes are typically deployed to monitor network traffic: the IDS checks for suspicious activity and notifies the administrator about intrusions immediately.

• An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse.
• An IDS is also referred to as a "packet sniffer," because it intercepts packets traveling along various communication media and protocols, usually TCP/IP.
• The packets are analyzed after they are captured.
• The IDS filters the traffic for signatures that match known intrusions and signals an alarm when a match is found; it evaluates a suspected intrusion once it has taken place.

FIGURE 17.1: Intrusion Detection Systems (IDSes) and their Placement (diagram labels: User, Intranet)

How an IDS Works
The main purpose of an IDS is to detect intrusions and alert the administrator immediately, while the attack is still going on (an intrusion prevention system additionally blocks the traffic). From the alert, the administrator can identify the methods and techniques being used by the intruder and also the source of the attack.

An IDS works in the following way:

• IDS sensors compare traffic against a signature file. Some advanced IDSes also have behavioral (anomaly) detection to determine malicious behavior; even if no signature matches, this activity detection can alert administrators about possible attacks.
• If a signature matches, the action rule fires: the alarm notifies the admin, the packet can be dropped, and further connections from that source IP are cut down.
• If no signature matches, the sensors pass the packet on to anomaly detection, which checks whether the received packet or request fits the profile of normal traffic.
• If the packet passes the anomaly stage, stateful protocol analysis is done. Packets that pass every stage are passed on through the switch to the network. If anything mismatches at any stage, the same action rule applies: connections from that source IP are cut down, the packet is dropped, and the alarm notifies the admin.


FIGURE 17.2: How an IDS Works (diagram: IDS preprocessor → signature file comparison → anomaly detection → stateful protocol analysis → action rule → switch; on a match, the alarm notifies the admin, connections are cut down from that source IP, and the packet is dropped)

Ways to Detect an Intrusion

An intrusion is detected in three ways.

Signature Detection

Signature recognition is also known as misuse detection. It tries to identify events that indicate an abuse of a system. It is achieved by creating models of intrusions; incoming events are compared with the intrusion models to make a detection decision. While creating signatures, the model must detect an attack without disturbing the normal traffic on the system. Attacks, and only attacks, should match the model, or else false alarms are generated.

• The simplest form of signature recognition uses simple pattern matching to compare the network packets against binary signatures of known attacks. A binary signature may be defined for a specific portion of the packet, such as the TCP flags.
• Signature recognition can detect known attacks. However, benign packets can also match a signature, triggering false alarms. Signatures can be customized, so well-informed users can create their own.
• Signatures that are formed improperly may trigger false alarms. To detect misuse broadly, the number of signatures required is huge. The more signatures there are, the more attacks can be detected, but the more traffic may incorrectly match a signature, and the lower the performance of the system.
• Processing capacity is consumed as the signature database grows. Because every packet is compared against the signatures in the database, there is a probability that not all comparisons can be made at line rate, resulting in certain packets being dropped unexamined.
• Polymorphic and self-modifying attacks, such as shellcode produced by ADMutate or worms such as Nimda, create the need for multiple signatures for a single attack. Changing a single bit in some attack strings can invalidate a signature and create the need for an entirely new one.
• Despite the problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.

Anomaly Detection

Anomaly detection is also called behavior-based detection, and it differs from the signature recognition model. The model consists of a profile of normal use; any event that deviates from that profile is considered an anomaly, and any deviation from normal use is labeled an attack. Creating a model of normal use is the most difficult task in building an anomaly detector.

• In the traditional method of anomaly detection, statistics about network traffic are kept and checked for variations against the model. In reality, however, normal network traffic has too much statistical variation, which makes these models imprecise; some events labeled as anomalies may only be irregularities in network usage.
• The inability to train a model thoroughly on what is normal for the network is of grave concern with this approach. These models should be trained on the specific network that is to be policed.

Protocol Anomaly Detection

Protocol anomaly detection is based on the anomalies specific to a protocol; this approach was integrated into IDSes relatively recently. It identifies flaws in the way the TCP/IP protocols are used on the network. Protocols are created with specifications, known as RFCs, that dictate proper use and communication, so a protocol anomaly detector can identify new attacks that violate them.

• New attack methods and exploits that violate protocol standards are discovered frequently.
• The rate at which new attack signatures appear is incredibly fast, whereas the network protocols, in comparison, are well defined and change slowly. A signature database must therefore be updated frequently to detect attacks.
• Protocol anomaly detection systems are easier to use because they require no signature updates.
• Protocol anomaly detectors are different from the traditional IDS in how they present alarms.
• The best way to present an alarm is to explain which part of the protocol state machine was violated. For this, IDS operators need a thorough knowledge of the protocol design; the best source is the documentation provided by the IDS vendor.
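The three detection methods described above, run in the order of the "How an IDS Works" flow (signature comparison, then anomaly detection, then protocol analysis, then the action rule), as one added example. This is illustrative code written for this page, not code from the CEH courseware or from any IDS product. The packet record, the signature list, the mean + 3σ rate threshold, the RFC checks and the sample traffic are all constructed assumptions. It also shows the evasion point made under signature detection: a request with one byte percent-encoded slips past the byte signature, but the protocol check still catches it.

```python
"""Toy IDS pipeline: an added example, not code from the CEH courseware.

Runs signature comparison, anomaly detection against a trained baseline,
and protocol anomaly checks, then applies the action rule. Packet format,
signatures, thresholds and sample traffic are assumptions for illustration.
"""
import re
import statistics
from collections import Counter, namedtuple

# Constructed packet record: source IP, destination port, TCP flag set, payload.
Packet = namedtuple("Packet", "src dport flags payload")
Verdict = namedtuple("Verdict", "action reason")

# 1. Signature recognition: byte patterns in the payload, or a pattern on one
#    part of the header such as the TCP flags (SYN+FIN never co-occur legitimately).
PAYLOAD_SIGNATURES = {"phf-cgi": b"/cgi-bin/phf", "cmd.exe": b"cmd.exe"}
FLAG_SIGNATURES = {"syn-fin-scan": {"SYN", "FIN"}}

def signature_match(pkt):
    """Return the name of the first matching signature, or None."""
    for name, pattern in PAYLOAD_SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    for name, flags in FLAG_SIGNATURES.items():
        if flags <= pkt.flags:
            return name
    return None

# 2. Anomaly detection: a per-source packet-rate profile learned from traffic
#    of the network being policed; above mean + 3 sigma counts as an anomaly.
class RateBaseline:
    def __init__(self, training_packets):
        values = list(Counter(p.src for p in training_packets).values())
        mean, sd = statistics.fmean(values), statistics.pstdev(values)
        self.threshold = mean + 3 * sd

    def is_anomalous(self, src, window):
        return sum(1 for p in window if p.src == src) > self.threshold

# 3. Protocol anomaly detection: compare against the specification rather than
#    against known attacks, so no signature updates are needed.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
# Percent-encoded ASCII letters/digits: RFC 3986 says unreserved characters
# are never encoded, so this is a classic way to slip past a byte signature.
ENCODED_UNRESERVED = re.compile(rb"%(4[1-9A-Fa-f]|5[0-9Aa]|6[1-9A-Fa-f]|7[0-9Aa]|3[0-9])")

def protocol_anomaly(pkt):
    """Return a description of the protocol violation, or None."""
    if not pkt.flags:                      # TCP segment with no flags (NULL scan)
        return "tcp-null-flags"
    if pkt.dport == 80 and pkt.payload:
        if not REQUEST_LINE.match(pkt.payload):
            return "http-malformed-request-line"
        if ENCODED_UNRESERVED.search(pkt.payload):
            return "http-encoded-unreserved-char"
    return None

def inspect(pkt, baseline, window):
    """Signature -> anomaly -> protocol analysis -> action rule."""
    sig = signature_match(pkt)
    if sig:
        return Verdict("alert+drop", "signature:" + sig)
    if baseline.is_anomalous(pkt.src, window):
        return Verdict("alert+cut-source", "anomaly:rate")
    proto = protocol_anomaly(pkt)
    if proto:
        return Verdict("alert+drop", "protocol:" + proto)
    return Verdict("forward", "clean")     # passed on through the switch

def run_demo():
    """Constructed traffic; returns {label: reason} for each sample packet."""
    normal = [Packet(f"10.0.0.{i % 5 + 1}", 80, {"ACK", "PSH"},
                     b"GET /index.html HTTP/1.1\r\n") for i in range(50)]
    baseline = RateBaseline(normal)        # 10 packets per source -> threshold 10
    flood = [Packet("10.0.0.9", 80, {"SYN"}, b"")] * 40   # one host, 40 packets
    window = normal + flood
    samples = {
        "clean": Packet("10.0.0.1", 80, {"ACK", "PSH"}, b"GET /index.html HTTP/1.1\r\n"),
        "phf": Packet("10.0.0.1", 80, {"ACK", "PSH"}, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
        "synfin": Packet("10.0.0.2", 22, {"SYN", "FIN"}, b""),
        "flood": flood[0],
        "null": Packet("10.0.0.3", 22, set(), b""),
        "mutated-phf": Packet("10.0.0.4", 80, {"ACK", "PSH"},
                              b"GET /cgi-bin/p%68f?Qalias=x HTTP/1.0\r\n"),
    }
    return {label: inspect(p, baseline, window).reason for label, p in samples.items()}

if __name__ == "__main__":
    for label, reason in run_demo().items():
        print(f"{label:12s} -> {reason}")
```

The order of the stages matters: the mutated phf request reaches the protocol check only because no signature fired, which is exactly the gap the text describes between a signature database that must be updated for every variant and a protocol check that needs no update.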


Types of Intrusion Detection Systems

Basically, there are four types of intrusion detection systems available:

Network-based Intrusion Detection

The NIDS checks every packet entering the network for the presence of anomalies and incorrect data. Unlike a firewall, which is confined to filtering packets against its rule set, the NIDS inspects every packet thoroughly. An NIDS captures and inspects all traffic, regardless of whether it is permitted. Based on the content, at either the IP or application level, an alert is generated. Network-based intrusion detection systems tend to be more distributed than host-based IDSes. The NIDS is basically designed to identify anomalies at the router and host level. The NIDS audits the information contained in the data packets, logging information about malicious packets. A threat level is assigned to each risk after the data packets are received, and the threat level enables the security team to be on alert. These mechanisms typically consist of a black box that is placed on the network in promiscuous mode, listening for patterns indicative of an intrusion.

Host-based Intrusion Detection

In the host-based system, the IDS analyzes each system's behavior. The HIDS can be installed on any system, ranging from a desktop PC to a server, and is more versatile than the NIDS. One example of a host-based system is a program that operates on a system and receives application or operating system audit logs. These programs are highly effective for detecting insider abuses: residing on the trusted network systems themselves, they are close to the network's authenticated users, and if one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information promptly. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. HIDSes are more focused on changing aspects of the local systems. The HIDS is also more platform-centric, with more focus on the Windows OS, but there are other HIDSes for UNIX platforms. These mechanisms usually include auditing for events that occur on a specific host. They are not as common, due to the overhead they incur by having to monitor each system event.

Log File Monitoring

A Log File Monitor (LFM) monitors log files created by network services. The LFM searches through the logs and identifies malicious events. In a similar manner to an NIDS, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the "phf" attack. An example is swatch. These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.
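A log file monitor of the kind just described, as an added example (illustrative code for this page, not swatch's or the course's own). It parses constructed web-server access-log lines and OpenSSH auth-log lines, flags requests that probe well-known holes such as /cgi-bin/phf, and reports hosts with repeated failed logins. The log lines, the hole list, the threshold of five failures and the log formats assumed (NCSA common log format and the OpenSSH "Failed password" line) are assumptions; a real deployment would tail the live files instead of reading a list.

```python
"""Log file monitor in the style of swatch: an added example, not the
course's or swatch's code. Log lines, hole list and thresholds are assumed."""
import re
from collections import defaultdict
from urllib.parse import unquote

# NCSA common log format: host ident user [time] "method path version" status size
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# OpenSSH failure line as written to auth.log or /var/log/secure
AUTH_FAIL_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)')

# Well-known server holes an intruder probes for, matched on the decoded, lower-cased path
KNOWN_HOLES = {
    "phf": "/cgi-bin/phf",
    "test-cgi": "/cgi-bin/test-cgi",
    "traversal": "../",
}

def scan_access_log(lines):
    """Return [(host, raw path, hole name)] for every request that hits a known hole."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                       # not a well-formed access record
        path = unquote(m["path"]).lower()  # normalise so /cgi-bin/p%68f is still phf
        for name, pattern in KNOWN_HOLES.items():
            if pattern in path:
                hits.append((m["host"], m["path"], name))
                break
    return hits

def failed_logins(lines, threshold=5):
    """Return {host: count} for hosts with at least `threshold` failed SSH logins."""
    counts = defaultdict(int)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed sample logs (RFC 5737 documentation addresses).
ACCESS_LOG = [
    '192.0.2.10 - - [10/Oct/2012:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.7 - - [10/Oct/2012:13:56:01 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1043',
    '203.0.113.7 - - [10/Oct/2012:13:56:05 -0700] "GET /cgi-bin/p%68f?Qalias=x HTTP/1.0" 404 211',
    '198.51.100.4 - - [10/Oct/2012:13:57:12 -0700] "GET /images/../../etc/passwd HTTP/1.0" 403 287',
    'garbage line that is not an access record',
]
AUTH_LOG = [
    f"Oct 10 13:58:{i:02d} web1 sshd[22{i:02d}]: Failed password for root from 203.0.113.7 port 51{i:03d} ssh2"
    for i in range(6)
] + [
    "Oct 10 13:59:00 web1 sshd[2300]: Failed password for invalid user admin from 198.51.100.4 port 40022 ssh2",
    "Oct 10 13:59:30 web1 sshd[2301]: Accepted publickey for deploy from 10.0.0.5 port 40100 ssh2",
]

def run_demo():
    return {"probes": scan_access_log(ACCESS_LOG), "failed_logins": failed_logins(AUTH_LOG)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the 404 response to the encoded phf request is still reported: the monitor is looking for the attempt, not its success, which is what makes post-event log parsing useful even when the hole was already closed.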

File Integrity Checking

These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there; Tripwire is an example.


System Integrity Verifiers (SIV)

Tripwire is a System Integrity Verifier (SIV) that monitors system files and detects changes by an intruder.
Source: http://www.tripwire.com
A System Integrity Verifier (SIV) monitors system files to determine whether an intruder has changed the files. An integrity monitor watches key system objects for changes. For example, a basic integrity monitor uses system files, or registry keys, to track changes by an intruder. Although they have limited functionality, integrity monitors can add an additional layer of protection to other forms of intrusion detection.

FIGURE 17.3: System Integrity Verifiers (SIV) Screenshot (Tripwire console listing monitored C:\WINDOWS system files by severity, node group, change type and current version)

General Indications of Intrusions

Following are the general indications of intrusions:

File System Intrusions

By observing the system files, you can identify the presence of an intruder. The system files record the activities of the system. Any modification or deletion of file attributes, or of the file itself, is a sign that the system was the target of an attack:

• If you find new, unknown files or programs on your system, there is a possibility that your system has been intruded. The system can be compromised to the point that it can in turn compromise other systems in your network.
• When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. Once the intruder obtains Administrator privileges, he or she changes file permissions, for example, from read-only to writable.
• Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all of your system files.
• The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
• Unfamiliar file names in directories, including executable files with strange extensions and double extensions, are suspicious.
• Missing files are also a sign of a probable intrusion or attack.
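An integrity checker that turns the file-system indications above, the File Integrity Checking mechanism from the types-of-IDS section, and the System Integrity Verifier description into working checks, as one added example. This is illustrative code for this page, not Tripwire's or the course's own. It records a baseline (SHA-256, size, permission bits) for every regular file under a directory, then reports content changes (including a trojaned binary padded to the same size), size changes, permission changes, new and missing files, setuid/setgid files absent from the administrator's master list, and double-extension executables. The directory layout, the master list and the "intruder" changes are all constructed inside a temporary directory; it assumes a POSIX filesystem that honours chmod.

```python
"""File integrity checker in the spirit of Tripwire: an added example, not
Tripwire's or the course's code. The file tree and intruder actions are constructed."""
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map relative path -> (sha256 hex, size, permission bits incl. suid/sgid)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                              # skip symlinks, devices
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    """Report each difference the way an integrity verifier would."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("missing", path))
        elif path not in baseline:
            findings.append(("new", path))
        else:
            (old_hash, old_size, old_mode), (new_hash, new_size, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                # same size but different bytes is the classic trojaned binary
                findings.append(("content-changed" if old_size == new_size else "size-changed", path))
            if old_mode != new_mode:
                findings.append(("mode-changed", path))
    return findings

def rogue_privileged(current, master_list):
    """setuid/setgid files that are not on the administrator's master list."""
    return sorted(p for p, (_, _, mode) in current.items()
                  if mode & (stat.S_ISUID | stat.S_ISGID) and p not in master_list)

def suspicious_names(current):
    """Executables disguised with a double extension, e.g. report.pdf.exe."""
    return sorted(p for p in current
                  if os.path.basename(p).count(".") >= 2
                  and p.lower().endswith((".exe", ".scr", ".bat", ".com")))

def run_demo():
    """Take a baseline, let a constructed 'intruder' loose, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, mode)

        put("bin/login", b"\x7fELF" + b"A" * 60, 0o755)
        put("bin/su", b"\x7fELF" + b"S" * 60, 0o4755)              # legitimately setuid
        put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        put("etc/config", b"debug=0\n", 0o444)                     # read-only
        put("var/log/auth.log", b"Oct 10 12:00:00 sshd: session opened\n", 0o640)
        master_list = {"bin/su"}
        baseline = snapshot(root)

        # Intruder activity of the kinds this section lists.
        put("bin/login", b"\x7fELF" + b"B" * 60, 0o4755)           # trojaned, same size, now setuid
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"backdoor:x:0:0::/:/bin/sh\n")               # file grows
        os.chmod(os.path.join(root, "etc/config"), 0o644)           # read-only -> writable
        os.remove(os.path.join(root, "var/log/auth.log"))           # log removed
        put("tmp/report.pdf.exe", b"MZ" + b"\x90" * 30, 0o755)     # double extension

        current = snapshot(root)
        return {
            "changes": compare(baseline, current),
            "rogue_privileged": rogue_privileged(current, master_list),
            "odd_names": suspicious_names(current),
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key)
        for item in value:
            print("   ", item)
```

The baseline itself must live somewhere the intruder cannot rewrite it (read-only media or a remote host), otherwise an attacker who can trojan a binary can re-hash it too.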

Network Intrusions

• A sudden increase in bandwidth consumption is an indication of intrusion.
• Repeated probes of the available services on your machines.
• Connection requests from IPs other than those in the network range indicate that an unauthenticated user (intruder) is attempting to connect to the network.
• Repeated attempts to log in from remote machines.
• Unexplained (arbitrary) data in log files indicates attempts at denial-of-service attacks, bandwidth consumption, and distributed denial-of-service attacks.

General Indications of System Intrusions

To check whether the system has been attacked, you need to check certain parameters that clearly indicate the presence of an intruder on the system. When an intruder attempts to break into the system, he or she attempts to hide his or her presence by modifying certain system files and configurations that would otherwise indicate the intrusion.
Certain signs of intrusion include:

- The system fails to identify valid users
- Active access to unused logins
- Logins during non-working hours
- New user accounts other than those that were deliberately created
- Modifications to system software and configuration files using Administrator access, and the presence of hidden files
- Gaps in system audit files, which indicate that the system was idle for that particular time; the gaps actually indicate that the intruder has attempted to erase the audit tracks
- The system's performance decreases drastically, consuming CPU time
- The system crashes suddenly and reboots without user intervention
- The system logs are too short and incomplete
- Timestamps of system logs are modified to include strange inputs
- Permissions on the logs are changed, including the ownership of the logs
- System logs are deleted
- System performance is abnormal; the system responds in unfamiliar ways
- Unknown processes are identified on the system
- Unusual display of graphics, pop-ups, and text messages observed on the system
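The network indicators listed earlier and the system indicators in the list just ended are what a log review looks for. The following Python example (added here, not part of the original courseware) runs such checks over a constructed audit log: source addresses outside the network range, repeated failed remote logins, successful logins outside working hours or on dormant accounts, and gaps in a periodic audit record. The log format, network range, working hours and account names are assumptions of the example.

```python
"""Scan audit log lines for the network- and system-level intrusion
indicators listed above: connections from outside the network range,
repeated remote login attempts, logins outside working hours, activity on
dormant accounts, and gaps in the audit trail.  Log format is constructed."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample log, one record per line: <ISO timestamp> <program>: <message>.
# The "cron: heartbeat" records stand in for any audit source that should be
# written at a fixed interval (here every 5 minutes).
SAMPLE_LOG = """\
2012-10-23T09:00:00 cron: heartbeat
2012-10-23T09:05:00 sshd: Accepted password for alice from 10.0.0.12
2012-10-23T09:10:00 cron: heartbeat
2012-10-23T09:15:00 cron: heartbeat
2012-10-23T11:40:00 cron: heartbeat
2012-10-23T11:45:00 cron: heartbeat
2012-10-23T23:31:07 sshd: Failed password for root from 203.0.113.9
2012-10-23T23:31:09 sshd: Failed password for root from 203.0.113.9
2012-10-23T23:31:12 sshd: Failed password for root from 203.0.113.9
2012-10-23T23:31:15 sshd: Accepted password for backup from 203.0.113.9
2012-10-23T23:32:00 cron: heartbeat
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<result>Accepted|Failed) password for (?P<user>\w+) from (?P<ip>\S+)$")


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, program, message); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["prog"], m["msg"]


def analyze(log_text: str,
            allowed_nets: Tuple[str, ...] = ("10.0.0.0/8",),
            dormant_accounts: frozenset = frozenset({"backup"}),
            work_hours: Tuple[int, int] = (8, 18),
            fail_threshold: int = 3,
            heartbeat_minutes: int = 5) -> Dict[str, List[str]]:
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings: Dict[str, List[str]] = defaultdict(list)
    outside: Counter = Counter()
    failures: Counter = Counter()
    last_beat = None

    for ts, _prog, msg in parse(log_text):
        if msg == "heartbeat":
            # A silent stretch in a record that should be continuous suggests
            # the log was truncated or the host was offline: an audit gap.
            if last_beat is not None:
                gap_min = int((ts - last_beat).total_seconds() // 60)
                if gap_min > 2 * heartbeat_minutes:
                    findings["audit_gaps"].append(f"{last_beat.time()} -> {ts.time()} ({gap_min} min)")
            last_beat = ts
            continue
        m = LOGIN_RE.match(msg)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in nets):
            outside[str(ip)] += 1
        if m["result"] == "Failed":
            failures[(m["user"], str(ip))] += 1
            continue
        # Successful logins are checked against working hours and the dormant list
        if not work_hours[0] <= ts.hour < work_hours[1]:
            findings["off_hours"].append(f"{m['user']} from {ip} at {ts.time()}")
        if m["user"] in dormant_accounts:
            findings["dormant_account"].append(f"{m['user']} from {ip} at {ts.time()}")

    for ip_str, n in outside.items():
        findings["outside_range"].append(f"{ip_str} ({n} events)")
    for (user, ip_str), n in failures.items():
        if n >= fail_threshold:
            findings["brute_force"].append(f"{n} failed logins for {user} from {ip_str}")
    return dict(findings)


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        print(category, items)
```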

Firewall

Firewalls are hardware and/or software designed to prevent unauthorized access to or from a private network. They are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls examine all messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports.

A firewall is a set of related programs located at the network gateway server that protects the resources of a private network from users on other networks. Firewalls are a set of tools that monitor the flow of traffic between networks. A firewall, placed at the network level and working closely with a router, filters all network packets to determine whether or not to forward them toward their destinations. A firewall is often installed away from the rest of the network so that no incoming request can get directly to a private network resource. If configured properly, systems on one side of the firewall are protected from systems on the other side of the firewall.
- A firewall is an intrusion detection mechanism. Firewalls are specific to an organization's security policy. The settings of the firewall can be changed to make appropriate changes to the firewall functionality.
- Firewalls can be configured to restrict incoming traffic to POP and SNMP and to enable email access. Certain firewalls block the email services to secure against spam.
- Firewalls can be configured to check inbound traffic at a point called the "choke point," where a security audit is performed. The firewall can also act as an active "phone tap" tool in identifying the intruder's attempt to dial into the modems within the network that is secured by the firewall. The firewall logs consist of logging information that reports to the administrator on all the attempts of various incoming services.
- The firewall verifies the incoming and outgoing traffic against firewall rules. It acts as a router to move data between networks. Firewalls manage access of private networks to host applications.
- All the attempts to log in to the network are identified for auditing. Unauthorized attempts can be identified by embedding an alarm that is triggered when an unauthorized user attempts to log in. Firewalls can filter packets based on address and types of traffic. They identify the source and destination addresses and port numbers when address filtering, and they identify types of network traffic when protocol filtering. Firewalls can identify the state and attributes of the data packets.

FIGURE 17.4: Working of Firewall (firewall between the secure private local area network and the public network; specified traffic allowed, restricted unknown traffic blocked)

Firewall Architecture

Firewall architecture consists of the following elements:

Bastion host

The bastion host is designed for the purpose of defending against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attack. Traffic entering or leaving the network passes through the firewall; it has two interfaces:

- Public interface directly connected to the Internet
- Private interface connected to the intranet

FIGURE 17.5: Bastion Host Architecture (Internet, bastion host, intranet)

Screened subnet

A screened subnet is a network architecture that uses a single firewall with three network interfaces. The first interface is used to connect the Internet, the second interface is used to connect the DMZ, and the third interface is used to connect the intranet. The main advantage of the screened subnet is that it separates the DMZ and Internet from the intranet, so that when the firewall is compromised, access to the intranet won't be possible.

- The screened subnet or DMZ (additional zone) contains hosts that offer public services
- The public zone is directly connected to the Internet and has no hosts controlled by the organization
- The private zone has systems that Internet users have no business accessing

FIGURE 17.6: Screened Subnet Architecture

Multi-homed firewall

A multi-homed firewall generally refers to two or more networks. Each interface is connected to a separate network segment logically and physically. A multi-homed firewall is used to increase the efficiency and reliability of an IP network. In this case, three or more interfaces are present, which allows for further subdividing the systems based on the specific security objectives of the organization.

FIGURE 17.7: Multi-Homed Firewall Architecture (Internet, firewall, intranet)

Demilitarized Zone (DMZ)

The DMZ is a host computer or a network placed as a neutral network between a particular firm's internal, or private, network and the outside, or public, network to prevent the outside user from accessing the company's private data. A DMZ is a network that serves as a buffer between the internal secure network and the insecure Internet. It is created using a firewall with three or more network interfaces assigned specific roles, such as internal trusted network, DMZ network, and external untrusted network (Internet).

FIGURE 17.8: Demilitarized Zone (DMZ) (Internet, firewall, intranet and DMZ)

Types of Firewalls

A firewall refers to a hardware device or a software program used in a system to prevent malicious information from passing through, allowing only the approved information. Firewalls are mainly categorized into four types:

- Packet filters
- Circuit-level gateways
- Application-level gateways
- Stateful multilayer inspection firewalls

Packet Filtering Firewall

Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP); they are usually a part of a router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. Rules can include the source and destination IP address, the source and destination port number, and the protocol used.

A packet filtering firewall investigates each individual packet passing through it and makes a decision whether to pass the packet or drop it. As the name suggests, packet filter-based firewalls concentrate on individual packets and analyze their header information and which way they are directed. Traditional packet filters make the decision based on the following information:

- Source IP address: This is used to check if the packet is coming from a valid source or not. The information about the source IP address can be found in the IP header of the packet, which indicates the source system address.
- Destination IP address: This is used to check if the packet is going to the correct destination and to check if the destination accepts these types of packets. The information about the destination IP address can be found in the IP header of the packet, which has the destination address.
- Source TCP/UDP port: This is used to check the source port for the packet.
- Destination TCP/UDP port: This is used to check the destination port for the services to be allowed and the services to be denied.
- TCP code bits: Used to check whether the packet has a SYN, ACK, or other bits set for the connection to be made.
- Protocol in use: Used to check whether the protocol that the packet is carrying should be allowed. This is because some networks do not allow the UDP protocol.
- Direction: Used to check whether the packet is coming into the packet filter firewall or leaving it.
- Interface: Used to check whether or not the packet is coming from an unreliable site.
FIGURE 17.9: Packet Filtering Firewall (layers shown: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; traffic allowed based on source and destination IP address, packet type, and port number; other traffic disallowed)

Circuit-Level Gateway Firewall

Circuit-level gateways work at the session layer of the OSI model or the TCP layer of TCP/IP. A circuit-level gateway forwards data between the networks without verifying it. It blocks incoming packets into the host, but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway appears to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway).

A circuit-level gateway provides a controlled network connection between the systems internal and external to it. To detect whether or not a requested session is valid, it checks the TCP handshaking between the packets. Circuit-level gateways do not filter individual packets. Circuit-level gateways are relatively inexpensive and hide the information about the private network that they protect.

FIGURE 17.10: Circuit-level Gateway Firewall (layers shown: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; traffic allowed based on session rules, such as when a session is initiated by a recognized computer; other traffic disallowed)
Application-Level Firewall

Application-level gateways (proxies) can filter packets at the application layer of the OSI model. Application-level gateways configured as a web proxy prohibit FTP, gopher, telnet, or other traffic. Application-level gateways examine traffic and filter on application-specific commands such as HTTP POST and GET. Incoming and outgoing traffic is restricted to the services supported by the proxy; all other service requests are denied.

- Proxy/application-based firewalls concentrate on the Application layer rather than just the packets.
- These firewalls analyze the application information to make decisions about whether or not to transmit the packets.
- A proxy-based firewall asks for authentication to pass the packets, as it works at the Application layer.
- A content caching proxy optimizes performance by caching frequently accessed information instead of sending new requests for the same old data to the servers.

FIGURE 17.11: Application-level Firewall (layers shown: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; traffic allowed based on specified applications, such as a browser, or a protocol, such as FTP, or combinations; other traffic disallowed)

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer. The packet filter firewall's inability to judge a packet's header in the context of the packets that preceded it is overcome by stateful packet filtering.

- This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on that memory
- These firewalls provide the best of both packet filtering and application-based filtering
- Cisco PIX firewalls are stateful
- These firewalls track and log slots or translations
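To make the difference between the packet filter criteria listed earlier and stateful inspection concrete, the following Python example (added here, not from the original courseware) evaluates constructed packets against one rule set both statelessly and with connection tracking. The addresses, interfaces and policy are assumptions of the example; the third rule is the kind of "any ACK is a reply" rule a stateless filter needs and a stateful one does not.

```python
"""Stateless packet filtering beside stateful connection tracking, over
constructed packets.  Rule fields follow the criteria the text lists: source
and destination address, ports, protocol, TCP code bits, direction and
interface.  Addresses, interfaces and the policy are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple

class Packet(NamedTuple):
    direction: str          # "in" (arriving from the Internet) or "out" (leaving the LAN)
    iface: str              # interface the packet arrived on
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP code bits, e.g. frozenset({"SYN"})

class Rule(NamedTuple):
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # None means wildcard, for every field below
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR
    dst: Optional[str] = None         # CIDR
    dport: Optional[int] = None
    flags: Optional[frozenset] = None  # code bits that must all be set

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and self.dport in (None, p.dport)
                and (self.flags is None or self.flags <= p.flags))

def stateless_decide(rules: List[Rule], p: Packet) -> str:
    """Traditional packet filter: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFilter:
    """Remembers sessions it admitted and judges later packets by that memory."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Set[Tuple] = set()   # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        key = ((p.proto, p.src, p.sport, p.dst, p.dport) if p.direction == "out"
               else (p.proto, p.dst, p.dport, p.src, p.sport))
        if key in self.sessions:
            if "RST" in p.flags:
                self.sessions.discard(key)     # real implementations also age entries out
            return "allow"                     # return traffic for a tracked session
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            return "deny"                      # only a bare SYN may open a new session
        verdict = stateless_decide(self.rules, p)
        if verdict == "allow":
            self.sessions.add(key)             # remember the session being opened
        return verdict

LAN = "192.168.1.0/24"
# Constructed policy.  A stateless filter needs the third rule (any inbound
# packet with ACK set is presumed to be a reply) to let replies reach LAN clients.
RULES = [
    Rule("allow", direction="out", iface="lan0", src=LAN),
    Rule("allow", direction="in", iface="wan0", proto="tcp", dst="192.168.1.10", dport=80, flags=frozenset({"SYN"})),
    Rule("allow", direction="in", iface="wan0", proto="tcp", dst=LAN, flags=frozenset({"ACK"})),
    Rule("deny"),
]

SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
SCENARIO = [
    ("lan client opens https", Packet("out", "lan0", "tcp", "192.168.1.20", 51000, "198.51.100.5", 443, SYN)),
    ("server replies syn/ack", Packet("in", "wan0", "tcp", "198.51.100.5", 443, "192.168.1.20", 51000, SYNACK)),
    ("forged ack to smb port", Packet("in", "wan0", "tcp", "203.0.113.7", 40000, "192.168.1.50", 445, ACK)),
    ("internet syn to web server", Packet("in", "wan0", "tcp", "203.0.113.7", 40001, "192.168.1.10", 80, SYN)),
    ("internet syn to ssh", Packet("in", "wan0", "tcp", "203.0.113.7", 40002, "192.168.1.10", 22, SYN)),
    ("unsolicited udp to lan host", Packet("in", "wan0", "udp", "203.0.113.7", 53, "192.168.1.20", 5353)),
    ("lan-sourced packet on wan iface", Packet("out", "wan0", "tcp", "192.168.1.20", 51001, "203.0.113.7", 80, SYN)),
]

def run_scenario(packets=SCENARIO) -> List[Tuple[str, str, str]]:
    """Return (label, stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter(RULES)
    return [(label, stateless_decide(RULES, p), stateful.decide(p)) for label, p in packets]

if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:34} stateless={stateless:5} stateful={stateful}")
```

The third packet is the case that matters: a forged ACK to an internal SMB port passes the stateless "established" rule but is refused by the stateful filter because no session was ever opened.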

FIGURE 17.12: Stateful Multilayer Inspection Firewall (traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules; other traffic disallowed)

Firewall Identification: Port Scanning

Systematically scanning the ports of a computer is known as port scanning. Attackers use such methods to identify possible vulnerabilities in order to compromise a network. It is one of the most popular methods that attackers use for investigating the ports used by the victims. A tool that can be used for port scanning is Nmap.

A port scan helps the attacker find which ports are available (i.e., what service might be listening on a port); it consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness. Open ports can be further probed to identify the version of the services, which helps in finding vulnerabilities in those services. Some firewalls will uniquely identify themselves in response to simple port scans. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259; NetGuard GuardianPro firewall listens on TCP 1500 and UDP 1501; and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.
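As an added example (not from the original courseware), the following Python detector reviews constructed firewall connection-log lines from the defender's side: it flags sources that touch many distinct ports within a short window, and sources that probe the product-revealing ports named above. The log format and addresses are assumptions of the example.

```python
"""Detect port scans and probes of firewall-identifying ports in connection
log lines.  Constructed format: <ISO timestamp> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Ports the text names as giving away a specific firewall or proxy product.
FIREWALL_SIGNATURE_PORTS = {256, 257, 258, 259, 1080, 1745, 1500, 1501}

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


class Event(NamedTuple):
    ts: datetime
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse(log_text: str) -> List[Event]:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, proto, src, _sport, dst, dport = m.groups()
            events.append(Event(datetime.fromisoformat(ts), action, proto, src, dst, int(dport)))
    return events


def detect_scans(events: List[Event], min_ports: int = 10, window_s: int = 60) -> List[Tuple[str, int]]:
    """Sources that touched at least `min_ports` distinct ports within any `window_s` window."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()     # distinct ports currently inside the sliding window
        left, peak = 0, 0
        for e in evs:
            in_window[e.dport] += 1
            while (e.ts - evs[left].ts).total_seconds() > window_s:
                in_window[evs[left].dport] -= 1
                if in_window[evs[left].dport] == 0:
                    del in_window[evs[left].dport]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts.append((src, peak))
    return alerts


def firewall_port_probes(events: List[Event]) -> Dict[str, List[int]]:
    """Sources that touched any of the product-revealing ports, and which ones."""
    hits: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.dport in FIREWALL_SIGNATURE_PORTS:
            hits[e.src].add(e.dport)
    return {src: sorted(ports) for src, ports in hits.items()}


def build_sample_log() -> str:
    """Constructed log: one fast scanner, one legitimate client, one slow prober."""
    lines = []
    scan_ports = [21, 22, 23, 25, 80, 110, 256, 257, 258, 259, 1080, 1745]
    for i, port in enumerate(scan_ports):
        lines.append(f"2012-10-23T14:02:{i + 1:02d} DROP TCP 203.0.113.7:{44000 + i} -> 198.51.100.1:{port}")
    lines += [
        "2012-10-23T14:02:05 ACCEPT TCP 10.0.0.5:50211 -> 198.51.100.1:80",
        "2012-10-23T14:02:07 ACCEPT TCP 10.0.0.5:50212 -> 198.51.100.1:443",
        "2012-10-23T14:03:00 ACCEPT TCP 10.0.0.5:50213 -> 198.51.100.1:80",
        "2012-10-23T14:00:00 DROP TCP 198.51.100.22:3300 -> 198.51.100.1:22",
        "2012-10-23T14:04:00 DROP TCP 198.51.100.22:3301 -> 198.51.100.1:3389",
        "2012-10-23T14:08:00 DROP TCP 198.51.100.22:3302 -> 198.51.100.1:445",
    ]
    return "\n".join(lines)


def analyze(log_text: str) -> Dict[str, object]:
    events = parse(log_text)
    return {"scanners": detect_scans(events), "fw_port_probes": firewall_port_probes(events)}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Lowering the threshold or widening the window trades missed slow scans for more false positives on busy legitimate clients, which is why the two parameters are exposed.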

Firewall Identification: Firewalking

Firewalking is a technique that uses TTL values to determine gateway ACL filters and map networks by analyzing IP packet responses. It is a method used to collect information about remote networks that are behind firewalls, and it probes ACLs on packet filtering routers/firewalls. It is similar to tracerouting and works by sending TCP or UDP packets into the firewall with a TTL set to one hop greater than that of the targeted firewall. If the packet makes it through the gateway, it is forwarded to the next hop, where the TTL reaches zero and elicits an ICMP "TTL exceeded in transit" message, at which point the original packet is discarded. Using this method, access information on the firewall can be determined if successive probe packets are sent. This method helps locate a firewall; additional probing permits fingerprinting and identification of vulnerabilities.

Firewalk is the most well-known software used for firewalking. It has two phases: a network discovery phase and a scanning phase. It requires three hosts:

- Firewalking host: The firewalking host is the system, outside the target network, from which the data packets are sent to the destination host in order to gain more information about the target network.
- Gateway host: The gateway host is the system on the target network that is connected to the Internet, through which the data packet passes on its way into the target network.
- Destination host: The destination host is the target system on the target network that the data packets are addressed to.

Firewall Identification: Banner Grabbing

Banners are messages sent out by network services during the connection to the service. Banners announce which service is running on the system. Banner grabbing is a technique generally used by the attacker for OS detection. The attacker uses banner grabbing to discover services run by firewalls. The three main services that send out banners are FTP, Telnet, and web servers.

Ports of services such as FTP, Telnet, and web servers should not be kept open, as they are vulnerable to banner grabbing. A firewall does not block banner grabbing because the connection between the attacker's system and the target system looks legitimate.

An example of SMTP banner grabbing is: telnet mail.targetcompany.org 25. The syntax is: "<service name> <service running> <port number>".

Banner grabbing is a tried and true mechanism for obtaining banners and application information. For example, when the user opens a telnet connection to a known port on the target server and presses Enter a few times, if required, the following result is displayed:

C:>telnet www.corleone.com 80
HTTP/1.0 400 Bad Request
Server: Netscape - Commerce/1.12

This works with many other common applications that respond on a set port. The information generated through banner grabbing can enhance the attacker's efforts to further compromise the system. With information about the version and the vendor of the web server, the attacker can further concentrate on employing platform-specific exploit techniques.

Honeypot

A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network. It has no authorized activity and no production value, so any traffic to it is likely a probe, attack, or compromise. A honeypot can log port access attempts or monitor an attacker's keystrokes; these could be early warnings of a more concerted attack.

A honeypot is a system that is intended to attract and trap people who try unauthorized or illicit utilization of the host system. Whenever there is any interaction with a honeypot, it is most likely to be a malicious activity. Honeypots are unique; they do not solve a specific problem. Instead, they are a highly flexible tool with many different security applications. Some honeypots can be used to help prevent attacks; others can be used to detect attacks; while a few honeypots can be used for information gathering and research.

Examples:

- Installing a system on the network with no particular purpose other than to log all attempted access.
- Installing an older unpatched operating system on a network. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the system and further track what the intruder attempts to do with the system once it is compromised.
- Installing special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing him/her access to the network.

Any existing system can be "honeypot-ized." For example, on WinNT, it is possible to rename the default administrator account and then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot tracks users who are attempting to gain administrator access and exploit that access.

FIGURE 17.13: Working of Honeypot (attacker on the Internet, packet filter firewall, DMZ containing the web server and the honeypot)

Module 17 Page 2590

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Evading IDS, Firewalls, and Honeypots

Exam 312-50 Certified Ethical Hacker

Types of Honeypots
L o w -in te ra c tio n H o n e y p o ts
These honeypots simulate only a
limited number of services and

H ig h -in te ra c tio n H o n e y p o ts

applications of a target system or
network

These honeypots simulates all
services and applications

- Can not be compromised

Can be completely compromised by

completely

attackers to get full access to the

■ Generally, set to collect higher

system in a controlled area

level information about attack
vectors such as network probes

Capture complete information
about an attack vector such attack
techniques, tools and intent of the

and worm activities
Ex: Specter, Honeyd, and

attack

r

Ex: Symantec Decoy Server and
Honeynets

Copyright © by EG-G(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.

Types of Honeypots
Honeypots are mainly divided into two types:

Low-interaction Honeypot
They work by emulating services and programs that would be found on an individual's system. If the attacker does something that the emulation does not expect, the honeypot simply generates an error. They capture limited amounts of information, mainly transactional data and some limited interaction.
Ex: Specter, Honeyd, and KFSensor
Honeyd is a low-interaction honeypot. It is open source and designed to run primarily on UNIX
systems. Honeyd works on the concept of monitoring unused IP space. Anytime it sees a
connection attempt to an unused IP, it intercepts the connection and then interacts with the
attacker, pretending to be the victim.
By default, Honeyd detects and logs connections to any UDP or TCP port. In addition, the user
can configure emulated services to monitor specific ports, such as an emulated FTP server
monitoring port 21 (TCP). When an attacker connects to the emulated service, not only does
the honeypot detect and log the activity, but also it captures all of the attacker's interaction
with the emulated service.

In the case of the emulated FTP server, an attacker's login and password can be potentially
captured; the commands that were issued, what they were looking for, or their identity can be
tracked. Most emulated services work the same way. They expect a specific type of behavior,
and then are programmed to react in a predetermined way.
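The emulated-service behaviour described above (a fake FTP listener that answers the login exchange, records every line the client sends, and returns an error on anything it does not expect), as an added example written for this page. It is not Honeyd's code or any listed product's code; the class and function names (EmulatedFtp, HoneypotHandler, replay, credentials_seen), the choice of port 2121, the banner text and the constructed session input are this example's own assumptions.

```python
"""Minimal low-interaction honeypot service in the spirit of the emulated FTP
server described in the text. Added example, not Honeyd's code; all names,
the banner and the port are assumptions made for this illustration."""
import socketserver
from datetime import datetime, timezone


class EmulatedFtp:
    """Tiny FTP state machine: it expects USER/PASS/QUIT and nothing else.
    Every line received is logged together with the reply that was sent."""

    BANNER = "220 FTP service ready."      # constructed banner, not a real product's

    def __init__(self, peer):
        self.peer = peer
        self.events = []                    # one dict per client line

    def _log(self, line, reply):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.peer,
            "input": line,
            "reply": reply,
        })

    def handle(self, line):
        """Return the reply for one client line."""
        line = line.strip()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            reply = "331 Please specify the password."
        elif verb == "PASS":
            # Never accept: the credential pair itself is the valuable capture.
            reply = "530 Login incorrect."
        elif verb == "QUIT":
            reply = "221 Goodbye."
        else:
            # Anything the emulation does not expect just yields an error.
            reply = "500 Unknown command."
        self._log(line, reply)
        return reply


class HoneypotHandler(socketserver.StreamRequestHandler):
    """Network front end: one EmulatedFtp per connection, log dumped at the end."""

    def handle(self):
        ftp = EmulatedFtp(self.client_address[0])
        self.wfile.write((ftp.BANNER + "\r\n").encode())
        for raw in self.rfile:
            reply = ftp.handle(raw.decode(errors="replace"))
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
        for event in ftp.events:
            print(event)


def credentials_seen(events):
    """Extract the (user, password) pairs an intruder tried from a session log."""
    pairs, user = [], None
    for event in events:
        verb, _, arg = event["input"].partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            pairs.append((user, arg))
    return pairs


def replay(lines, peer="203.0.113.5"):
    """Drive the state machine with constructed input; no network needed."""
    ftp = EmulatedFtp(peer)
    replies = [ftp.handle(line) for line in lines]
    return replies, ftp.events


if __name__ == "__main__":
    # Port 2121 instead of 21 so no privileges are needed (assumption).
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), HoneypotHandler) as srv:
        srv.serve_forever()
```

Running the module starts the listener; `replay()` exercises the same logic offline, which is how the log format and the "error on unexpected input" behaviour can be checked before exposing the service.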

High-interaction Honeypot
Honeynets are a prime example of a high-interaction honeypot. A honeynet is neither a product nor a software solution that the user installs. Instead, it is an architecture: an entire network of computers designed to be attacked.
The idea is to have an architecture that creates a highly controlled network, one where all
activity is controlled and captured. Within this network, intended victims are placed and the
network has real computers running real applications.
The "bad guys" find, attack, and break into these systems on their own initiative. When they
do, they do not realize they are within a honeynet. All of their activity, from encrypted SSH
sessions to email and file uploads, is captured without them knowing it by inserting kernel
modules on the victim's systems, capturing all of the attacker's actions.
At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a
honeywall gateway. This gateway allows inbound traffic to the victim's systems, but controls
the outbound traffic using intrusion prevention technologies. This gives the attacker the
flexibility to interact with the victim's systems, but prevents the attacker from harming other
non-honeynet computers.

How to Set Up a Honeypot
Follow the steps here to set up a honeypot:
- Step 1: Download or purchase honeypot software. Tiny Honeypot, LaBrea, and Honeyd are some of the programs available for Linux systems. KFSensor is software that works with Windows.
- Step 2: Log in as an administrator on the computer to install a honeypot onto the computer.
- Step 3: Install the software on your computer. Choose the "Full Version" to make sure every feature of the program is installed.
- Step 4: Place the honeypot software in the Program Files folder. Once you have chosen the folder, click "OK" and the program will install.
- Step 5: Restart your computer for the honeypot to work.
- Step 6: Configure the honeypot to check the items that you want the honeypot to watch for, including services, applications, and Trojans, and name your domain.


Module Flow

Module Flow
Previously, we discussed the basic concepts of three security mechanisms: IDSes,
firewalls, and honeypots. Now we will move on to detailed descriptions and functionalities of
these security mechanisms.

- IDS, Firewall and Honeypot Concepts
- IDS, Firewall and Honeypot System
- Evading IDS
- Evading Firewall
- Detecting Honeypots
- Firewall Evading Tools
- Countermeasure
- Penetration Testing

This section describes the intrusion detection system Snort.


Intrusion Detection Tool: Snort
- Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks
- It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts
- It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture

Uses of Snort:
- Straight packet sniffer like tcpdump
- Packet logger (useful for network traffic debugging, etc.)
- Network intrusion prevention system

[Screenshot: Snort running in a Windows Command Prompt; the same output is reproduced in Figure 17.14]
http://www.snort.org

Intrusion Detection Tool: Snort
Source: http://www.snort.org

Snort is an open source network intrusion detection and prevention system capable of
performing real-time traffic analysis and packet logging on IP networks. It can perform
protocol analysis and content searching/matching. It can be used to detect a variety of attacks
and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a
detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting
capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX
socket, or WinPopup messages to Windows clients.
Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for
network traffic debugging, etc.), or a full-blown network intrusion prevention system.


Command Prompt

Snort Commands

c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -i 2

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.12 <Build 18>
           Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
           Preprocessor Object: SF_SSH Version 1.1 <Build 3>

Commencing packet processing (pid=5896)
S5: Session exceeded configured max bytes to queue 1048576 using 1048979 bytes (client queue). 192.168.168.7 11616 --> 92.46.53.163 80 (0) : LWstate 0x1 LWFlags 0x2003
*** Caught Int-Signal
Run time for packet processing was 5985.944000 seconds
Snort processed 11774 packets.
Snort ran for 0 days 1 hours 39 minutes 45 seconds
   Pkts/hr:        11774
   Pkts/min:         118
   Pkts/sec:           1
S5: Pruned session from cache that was using 1098947 bytes (purge whole cache). 192.168.168.7 11616 --> 92.46.53.163 80 (0) : LWstate 0x1 LWFlags 0x222003
Packet I/O Totals:
   Received:      147490
   Analyzed:       11774 ( 7.983%)
   Dropped:       135707 (92.011%)
   Filtered:           0 ( 0.000%)
Outstanding:      135716 (92.017%)
   Injected:           0

FIGURE 17.14: Working of Snort in Command Prompt



How Snort Works
- Decoder: Saves the captured packets into a heap, identifies link-level protocols, and decodes IP
- Detection Engine: It matches packets against rules previously saved in memory
- Rules Files: These are plain text files which contain a list of rules with a known syntax
- Output Plug-ins: These modules format notifications so operators can access them in a variety of ways (console, external files, databases, etc.)

How Snort Works
The following are the three essential elements of the Snort tool:
- Decoder: Saves the captured packets into the heap, identifies link-level protocols, and decodes IP.
- Detection Engine: Matches packets against the rules loaded into memory at Snort initialization.
- Output Plug-ins: These modules format the notifications for the user to access them in different ways (console, external files, databases, etc.).


[Figure: Snort architecture diagram. Components shown: a Primary NIC in promiscuous mode sniffing network traffic; Decoder; Base Detection Engine; Dynamic Loaded Libraries; Rule Set; Rules Files (plain text files which contain a list of rules with a known syntax); Output Plugins; Databases; Webservers; Reporting and Alerting Engine (ACID); Administrator.]

FIGURE 17.15: How Snort Works


Snort Rules
- Snort's rule engine enables custom rules to meet the needs of the network
- Snort rules help in differentiating between normal Internet activities and malicious activities
- Snort rules must be contained on a single line; the Snort rule parser does not handle rules on multiple lines
- Snort rules come with two logical parts:
  - Rule header: Identifies the rule's action, such as alert, log, pass, activate, dynamic, etc.
  - Rule options: Identifies the rule's alert messages

Example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

(Rule Action: alert; Rule Protocol: tcp; Rule IP address and port: any any; Direction: ->; Rule IP address: 192.168.1.0/24; Rule Port: 111; Alert message: "mountd access")

Snort Rules
Snort uses the popular libpcap library (for UNIX/Linux) or WinPcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Snort decodes all the packets passing through the network media to which it is attached by entering promiscuous mode. Based on the content of the individual packets and the rules defined in the configuration file, an alert is generated.
There are a number of rules that Snort allows the user to write. In addition, each of these Snort rules must describe the following:
- Any violation of the security policy of the company that might be a threat to the security of the company's network and other valuable information
- All the well-known and common attempts to exploit the vulnerabilities in the company's network
- The conditions in which a user thinks that a network packet (or packets) is unusual, i.e., if the identity of the packet is not authentic
Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust"; this means the system should keep a rigid check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible"; this means that the system must be compatible

enough to act immediately and take necessary remedial measures, according to the nature of the intrusion.
Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule-description language that aids in writing simple Snort rules. There are two basic principles that must be kept in mind while writing Snort rules. They are as follows:
- No written rule must extend beyond a single line, so rules should be short, precise, and easy to understand.
- Each rule should be divided into two logical sections:
  - The rule header
  - The rule options
The rule header contains the rule's action, the protocol, the source and destination IP addresses, the source and destination port information, and the CIDR (Classless Inter-Domain Routing) block.
The rule option section includes alert messages, in addition to information about which part of the packet should be inspected in order to determine whether the rule action should be taken.
The following illustrates a sample example of a Snort rule:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

(Rule Action: alert; Rule Protocol: tcp; Rule IP address and port: any any; Direction: ->; Rule IP address: 192.168.1.0/24; Rule Port: 111; Alert message: "mountd access")
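The option section of the sample rule, a content keyword whose pipe-delimited part is a hex byte pattern and a msg keyword, as an added example written for this page (not Snort's code): it decodes the |00 01 86 a5| pattern to bytes, checks a packet payload for it, and returns the alert message when it matches. The function names (decode_content, parse_options, payload_matches, alert_for) and the constructed payloads are this example's own; only these two option keywords are handled.

```python
"""Parser for the option section of a Snort rule (added example, not Snort's
code). Covers only the two keywords used in the sample above: content, whose
|..| sections are hex bytes, and msg."""
import re

# key:"value"; with \" \\ \; escapes allowed inside the quotes
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def decode_content(text):
    """'foo|00 01 86 a5|bar' -> bytes; text between pipes is hex digits."""
    parts = text.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                                  # inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                      # literal text, unescaped
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_options(section):
    """'(content:"|00 01 86 a5|"; msg:"mountd access";)' -> dict of options."""
    body = section.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("options must be enclosed in parentheses")
    opts = {"content": [], "msg": None}
    for m in OPTION_RE.finditer(body[1:-1]):
        key, val = m.group(1), m.group(2)
        if key == "content":
            opts["content"].append(decode_content(val))
        elif key == "msg":
            opts["msg"] = val
        else:
            raise ValueError(f"unsupported option {key!r}")
    if not opts["content"]:
        raise ValueError("this example needs at least one content option")
    return opts


def payload_matches(opts, payload):
    """Every content pattern must appear somewhere in the payload bytes."""
    return all(pattern in payload for pattern in opts["content"])


def alert_for(rule_options, payload):
    """Return the rule's msg when the payload matches, otherwise None."""
    opts = parse_options(rule_options)
    return opts["msg"] if payload_matches(opts, payload) else None


if __name__ == "__main__":
    options = '(content:"|00 01 86 a5|"; msg:"mountd access";)'
    # Constructed payload: an RPC-style call that carries the mountd program number.
    sample = b"\x80\x00\x00\x28\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"
    print(alert_for(options, sample))                  # mountd access
    print(alert_for(options, b"GET / HTTP/1.0\r\n"))   # None
```

The matcher is deliberately a plain substring search: that is what an unanchored content match is, and it shows why the rule also needs the header to narrow the traffic it inspects.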


Snort Rules: Rule Actions and IP Protocols

Rule Actions
- The rule header stores the complete set of rules to identify a packet, and determines the action to be performed or what rule to be applied
- The rule action alerts Snort when it finds a packet that matches the rule criteria
- Three available actions in Snort:
  - Alert - Generate an alert using the selected alert method, and then log the packet
  - Log - Log the packet
  - Pass - Drop (ignore) the packet

IP Protocols
- Three available IP protocols that Snort supports for suspicious behavior:
  - TCP
  - UDP
  - ICMP

Snort Rules: Rule Actions and IP Protocols

Source: http://manual.snort.org

The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action. The rule action tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have additional options, which include drop, reject, and sdrop.
- Alert - generate an alert using the selected alert method, and then log the packet
- Log - log the packet
- Pass - ignore the packet
- Activate - alert and then turn on another dynamic rule
- Dynamic - remain idle until activated by an activate rule, then act as a log rule
- Drop - block and log the packet
- Reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
- Sdrop - block the packet but do not log it

The Internet Protocol (IP) is used to send data from one system to another via the Internet. IP supports unique addressing for every computer on a network. Data on an IP network is organized into packets. Each packet contains message data, source, destination, etc.
Three available IP protocols that Snort supports for suspicious behavior:
- TCP: TCP (Transmission Control Protocol) is a part of the Internet Protocol suite. TCP is used to connect two different hosts and exchange data between them.
- UDP: UDP, the acronym for User Datagram Protocol, is for broadcasting messages over a network.
- ICMP: The Internet Control Message Protocol (ICMP) is a part of the Internet Protocol suite. It is used by the operating systems in a network to send error messages, etc.


Snort Rules: The Direction Operator and IP Addresses

The Direction Operator
- This operator indicates the direction of interest for the traffic; traffic can flow in either a single direction or bi-directionally
- Example of a Snort rule using the bidirectional operator:
  log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

IP Addresses
- Identifies the IP address and port that the rule applies to
- Use the keyword "any" to define any IP address
- Use numeric IP addresses qualified with a CIDR netmask
- Example IP address negation rule:
  alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)

Snort Rules: The Direction Operator and IP Addresses

The direction operator -> indicates the orientation, or direction, of the traffic that the rule applies to. The IP address and port numbers on the left side of the direction operator are considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host. There is also a bidirectional operator, which is indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions.
Also, note that there is no <- operator. In Snort versions before 1.8.7, the direction operator did not have proper error checking and many people used an invalid token. The reason the <- does not exist is so that rules always read consistently.
The next fields in a Snort rule are used to specify the source and destination IP addresses and ports of the packet, as well as the direction in which the packet is traveling. Snort can accept a single IP address or a list of addresses. When specifying a list of IP addresses, you should separate each one with a comma and then enclose the list within square brackets, like this:
[192.168.1.1,192.168.1.45,10.1.1.24]


When doing this, be careful not to use any whitespace. You can also specify ranges of IP
addresses using CIDR notation, or even include CIDR ranges within lists. Snort also allows you
to apply the logical NOT operator (!) to an IP address or CIDR range to specify that the rule
should match all but that address or range of addresses.


Snort Rules: Port Numbers
- Port numbers can be listed in different ways, including "any" ports, static port definitions, port ranges, and by negation
- Port ranges are indicated with the range operator (:)
- Example of a port negation:
  log tcp any any -> 192.168.1.0/24 !6000:6010

Action  Protocol  Source      Direction  Destination             Meaning
Log     UDP       any any     ->         192.168.1.0/24 1:1024   Log UDP traffic coming from any port and destination ports ranging from 1 to 1024
Log     TCP       any any     ->         192.168.1.0/24 :5000    Log TCP traffic from any port going to ports less than or equal to 5000
Log     TCP       any :1024   ->         192.168.1.0/24 400:     Log TCP traffic from the well-known ports and going to ports greater than or equal to 400

Snort Rules: Port Numbers
Port numbers may be specified in a number of ways, including any ports, static port definitions, ranges, and by negation. Any ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http, etc. Port ranges are indicated with the range operator (:). The range operator may be applied in a number of ways to take on different meanings.
Example of Port Negation:
log tcp any any -> 192.168.1.0/24 !6000:6010

Action  Protocol  Source      Direction  Destination             Meaning
Log     UDP       any any     ->         192.168.1.0/24 1:1024   Log UDP traffic coming from any port and destination ports ranging from 1 to 1024
Log     TCP       any any     ->         192.168.1.0/24 :5000    Log TCP traffic from any port going to ports less than or equal to 5000
Log     TCP       any :1024   ->         192.168.1.0/24 400:     Log TCP traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 400

TABLE 17.1: Port Numbers
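To make the header fields discussed in the preceding sections concrete (rule action, protocol, "any" and CIDR addresses, bracketed address lists, "!" negation, the -> and <> direction operators, and the any / static / range / negated port forms of Table 17.1), here is an added parser and matcher written for this page. It is not Snort's code; it evaluates only the rule header and keeps the option section as raw text. The function names and the constructed packet 5-tuples in the usage section are this example's own assumptions.

```python
"""Snort rule-header parser and matcher (added example, not Snort's code).
Handles the header forms shown in this module: actions, protocols, 'any',
CIDR networks, [a,b,c] lists, '!' negation, ':' port ranges, '->' and '<>'."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# The module lists tcp, udp and icmp; Snort also accepts ip as a wildcard.
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(\(.*\))?\s*$")


def parse_ip_spec(spec):
    """'any' | '!192.168.1.0/24' | '[10.0.0.1,10.0.0.0/8]' -> (negated, networks)."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None            # None means "every address"
    inner = spec[1:-1] if spec.startswith("[") and spec.endswith("]") else spec
    nets = [ipaddress.ip_network(x, strict=False) for x in inner.split(",")]
    return negated, nets


def parse_port_spec(spec):
    """'any' | '111' | '1:1024' | ':5000' | '400:' | '!6000:6010' -> (negated, lo, hi)."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:                     # the range operator
        lo, hi = spec.split(":", 1)
        return negated, int(lo) if lo else 0, int(hi) if hi else 65535
    return negated, int(spec), int(spec)


def parse_rule(rule):
    """Split a one-line rule into its header fields; options stay as raw text."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("expected: action proto src sport (->|<>) dst dport [(options)]")
    action, proto, src, sport, direction, dst, dport, options = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    return {"action": action, "proto": proto, "direction": direction,
            "src": parse_ip_spec(src), "sport": parse_port_spec(sport),
            "dst": parse_ip_spec(dst), "dport": parse_port_spec(dport),
            "options": options or ""}


def _ip_ok(spec, ip):
    negated, nets = spec
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated               # '!' flips the result


def _port_ok(spec, port):
    negated, lo, hi = spec
    return (lo <= port <= hi) != negated


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True when the packet 5-tuple satisfies the header (options are ignored)."""
    if rule["proto"] not in (proto, "ip"):
        return False
    forward = (_ip_ok(rule["src"], src_ip) and _port_ok(rule["sport"], src_port)
               and _ip_ok(rule["dst"], dst_ip) and _port_ok(rule["dport"], dst_port))
    if forward or rule["direction"] == "->":
        return forward
    # '<>' also accepts the packet with source and destination swapped
    return (_ip_ok(rule["src"], dst_ip) and _port_ok(rule["sport"], dst_port)
            and _ip_ok(rule["dst"], src_ip) and _port_ok(rule["dport"], src_port))


if __name__ == "__main__":
    # Constructed packets checked against rules quoted in this module.
    rule = parse_rule("log tcp any any -> 192.168.1.0/24 !6000:6010")
    print(rule["action"], header_matches(rule, "tcp", "10.0.0.1", 40000, "192.168.1.7", 80))
    bidir = parse_rule("log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23")
    print(header_matches(bidir, "tcp", "192.168.1.1", 23, "8.8.8.8", 50000))
```

The bidirectional case is the one worth tracing by hand: with <> the matcher first tries the packet as written and, if that fails, swaps source and destination, which is exactly why the manual recommends it for capturing both halves of a telnet or POP3 session.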


Intrusion Detection System: Tipping Point
- TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device
- Each packet is thoroughly inspected to determine whether it is malicious or legitimate
- It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection

[Screenshot: two TippingPoint graphs, "Attacks Per Action" and "Attacks Per Protocol", covering 2009/09/21 12:22:52 to 2009/09/22 12:22:52; the legend values are reproduced under Figure 17.17]
http://h17007.www1.hp.com

Intrusion Detection System: Tipping Point
Source: http://h10163.www1.hp.com
TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line
device. Each packet is thoroughly inspected to determine whether it is malicious or legitimate.
It provides performance, application, and infrastructure protection at gigabit speeds through
total packet inspection.


[Graph image not reproduced; y-axis 0 to 40 k, x-axis Mon 16:00 through Tue 12:00]

Attacks Per Action (From 2009/09/21 12:22:52 To 2009/09/22 12:22:52)
  Permitted          Last: 27.39 k   Avg: 13.79 k   Max: 40.38 k
  Blocked            Last: 0.00      Avg: 0.00      Max: 0.00
  Discarded Invalid  Last: 69.38     Avg: 66.91     Max: 81.33
  Graph Last Updated: Tue 22 Sep 12:20:02 CEST 2009

Attacks Per Protocol (From 2009/09/21 12:22:52 To 2009/09/22 12:22:52)
  ICMP      Last: 3.67 k    Avg: 3.90 k   Max: 6.06 k
  UDP       Last: 886.08    Avg: 1.04 k   Max: 6.61 k
  TCP       Last: 22.90 k   Avg: 8.94 k   Max: 35.85 k
  IP-Other  Last: 0.00      Avg: 0.00     Max: 0.00
  Graph Last Updated: Tue 22 Sep 12:20:02 CEST 2009

FIGURE 17.17: Tipping Point Screenshot


Intrusion Detection Tools
- IBM Security Network Intrusion Prevention System: http://www-01.ibm.com
- Peek & Spy: http://networkingdynamics.com
- INTOUCH INSA-Network Security Agent: http://www.ttinet.com
- Strata Guard: http://www.stillsecure.com
- IDP8200 Intrusion Detection and Prevention Appliances: https://www.juniper.net
- Cisco Intrusion Prevention Systems: http://www.cisco.com
- AIDE (Advanced Intrusion Detection Environment): http://aide.sourceforge.net
- SNARE (System iNtrusion Analysis & Reporting Environment): http://www.intersectalliance.com
- Vanguard Enforcer: http://www.go2vanguard.com

Intrusion Detection Tools
Intrusion detection tools detect anomalies. These tools, when run on a dedicated workstation, read all network packets, reconstruct user sessions, and scan for possible intrusions by looking for attack signatures and statistical anomalies in network traffic. In addition, these tools give real-time, zero-day protection from network attacks and malicious traffic, and prevent malware, spyware, port scans, viruses, and DoS and DDoS attacks from compromising hosts. A few intrusion detection tools are listed as follows:
- IBM Security Network Intrusion Prevention System available at http://www-01.ibm.com
- Peek & Spy available at http://networkingdynamics.com
- INTOUCH INSA-Network Security Agent available at http://www.ttinet.com
- Strata Guard available at http://www.stillsecure.com
- IDP8200 Intrusion Detection and Prevention Appliances available at https://www.juniper.net
- OSSEC available at http://www.ossec.net
- Cisco Intrusion Prevention Systems available at http://www.cisco.com


- AIDE (Advanced Intrusion Detection Environment) available at http://aide.sourceforge.net
- SNARE (System iNtrusion Analysis & Reporting Environment) available at http://www.intersectalliance.com
- Vanguard Enforcer available at http://www.go2vanguard.com


Intrusion Detection Tools (Cont'd)
- Check Point Threat Prevention Appliance: http://www.checkpoint.com
- fragroute: http://www.monkey.org
- Next-Generation Intrusion Prevention System (NGIPS): http://www.sourcefire.com
- Outpost Network Security: http://www.agnitum.com
- Check Point IPS-1: http://www.checkpoint.com
- FortiGate: http://www.fortinet.com
- Enterasys® Intrusion Prevention System: http://www.enterasys.com
- StoneGate Virtual IPS Appliance: http://www.stonesoft.com
- Cyberoam Intrusion Prevention System: http://www.cyberoam.com
- McAfee Host Intrusion Prevention for Desktops: http://www.mcafee.com

Intrusion Detection Tools (Cont'd)
In addition to the previously mentioned intrusion detection tools, there are a few more tools that can be used for detecting intrusions:
- Check Point Threat Prevention Appliance available at http://www.checkpoint.com
- Fragroute available at http://www.monkey.org
- Next-Generation Intrusion Prevention System (NGIPS) available at http://www.sourcefire.com
- Outpost Network Security available at http://www.agnitum.com
- Check Point IPS-1 available at http://www.checkpoint.com
- FortiGate available at http://www.fortinet.com
- Enterasys® Intrusion Prevention System available at http://www.enterasys.com
- StoneGate Virtual IPS Appliance available at http://www.stonesoft.com
- Cyberoam Intrusion Prevention System available at http://www.cyberoam.com
- McAfee Host Intrusion Prevention for Desktops available at http://www.mcafee.com


Firewall: ZoneAlarm PRO Firewall

[Screenshot: ZoneAlarm PRO Firewall main window ("Your computer is secure") and its Log Events view, listing event categories such as blocked NetBIOS broadcasts, blocked outgoing NetBIOS name requests, blocked non-SYN TCP packets, blocked routed packets, blocked loopback packets, blocked non-IP packets, blocked fragmented IP packets, other blocked IP packets, MailSafe violations, Lock violations, blocked applications, and Antivirus/Antispyware events]
http://www.zonealarm.com

Firewall: ZoneAlarm PRO Firewall

Source: http://www.zonealarm.com

ZoneAlarm PRO Firewall blocks attackers and intruders from accessing your system. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional antivirus protection. It prevents identity theft by guarding your personal data. It even erases your tracks, allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. In addition, it filters out annoying and potentially dangerous email.

Module 17 Page 2610


New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

CEHv8 Module 17: Evading IDS, Firewalls, and Honeypots

  • 1. Evading IDS, Firewalls, and Honeypots. Module 17
  • 2. Module 17: Evading IDS, Firewalls, and Honeypots. Ethical Hacking and Countermeasures v8, Exam 312-50 Certified Ethical Hacker. Engineered by Hackers. Presented by Professionals.
  • 3. Security News: Russian Service Rents Access To Hacked Corporate PCs (October 23, 2012, 12:30 PM). Source: http://www.informationweek.com

Service provides stolen remote desktop protocol credentials, letting buyers remotely log in to corporate servers and PCs, bypassing numerous security defenses.

Want to infiltrate a business? An online service sells access credentials for some of the world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a corporate firewall.

That finding comes by way of a new report from information security reporter Brian Krebs, who's discovered a Russian-language service that traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft standard that allows for a remote computer to be controlled via a graphical user interface.

The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.
  • 4. Here's how Dedicatexpress.com works: Hackers submit their stolen RDP credentials to the service, which pays them a commission for every rental. According to a screen grab published by Krebs, the top submitters are "lopster," with 12,254 rentals, followed by "_sz_", with 6,645 rentals. Interestingly, submitters can restrict what the machines may be used for - for example, specifying that machines aren't to be used to run online gambling operations or PayPal scams, or that they can't be run with administrator-level credentials.

New users pay $20 to join the site, after which they can search for available PC and server RDP credentials. Rental prices begin at just a few dollars and vary based on the machine's processor speed, upload and download bandwidth, and the length of time that the machine has been consistently available online.

According to Krebs, the site's managers have said they won't traffic in Russian RDP credentials, suggesting that the site's owners are based in Russia and don't wish to antagonize Russian authorities. According to security experts, Russian law enforcement agencies typically turn a blind eye to cybercrime gangs operating inside their borders, providing they don't target Russians, and that these gangs in fact occasionally assist authorities.

When reviewing the Dedicatexpress.com service, Krebs said he quickly discovered that access was being rented, for $4.55, to a system that was listed in the Internet address space assigned to Cisco, and that several machines in the IP address range assigned to Microsoft's managed hosting network were also available for rent. In the case of Cisco, the RDP credentials - username and password - were both "Cisco." Krebs reported that a Cisco source told him the machine in question was a "bad lab machine."

As the Cisco case highlights, poor username and password combinations, combined with remote-control applications, give attackers easy access to corporate networks. Still, even complex usernames and passwords may not stop attackers. Since Dedicatexpress.com was founded in 2010, it's offered access to about 300,000 different systems in total, according to Krebs. Interestingly, 2010 was the same year that security researchers first discovered the Georbot Trojan application, which scans PCs for signs that remote-control software has been installed and then captures and transmits related credentials to attackers. Earlier this year, security researchers at ESET found that when a Georbot-infected PC was unable to contact its designated command-and-control server to receive instructions or transmit stolen data, it instead contacted a server based in the country of Georgia.

When it comes to built-in remote access to Windows machines, RDP technology was first included in the Windows XP Professional - but not Home - version of the operating system, and it has been included in every edition of Windows released since then. The current software is dubbed Remote Desktop Services (for servers) and Remote Desktop Connection (for clients). Might Windows 8 security improvements help prevent unauthorized people from logging onto PCs using stolen remote desktop protocol credentials? That's not likely, since Microsoft's new operating system - set to debut later this week - includes the latest version, Remote Desktop Protocol 8.0, built in.
  • 5. Microsoft has also released a free Windows 8 Remote Desktop application, filed in the "productivity" section of Windows Store. According to Microsoft, "the new Metro-style Remote Desktop app enables you to conveniently access your PC and all of your corporate resources from anywhere." "As many of you already know, a salient feature of Windows Server 2012 and Windows 8 is the ability to deliver a rich user experience for remote desktop users on corporate LAN and WAN networks," read a recent blog post from Shanmugam Kulandaivel, a senior program manager in Microsoft's Remote Desktop Virtualization team.

Despite such capabilities now being built into numerous operating systems - including Linux and Mac OS X - many security experts recommend deactivating or removing such tools when they're not needed. "Personally, I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface," said Wolfgang Kandek, CTO of Qualys. He made those comments earlier this year, after the source code for Symantec's pcAnywhere Windows remote-access software was leaked to the Internet by hacktivists. Security experts were concerned that attackers might discover an exploitable zero-day vulnerability in the remote-access code, which would allow them to remotely access any machine that had the software installed.

Copyright © 2012 UBM Tech. By Mathew J. Schwartz. http://www.informationweek.com/security/attacks/russian-service-rents-access-to-hackedc/240009580
  • 6. Module Objectives

Today, hacking and computer system attacks are common, making the importance of intrusion detection and active protection all the more relevant. Intrusion detection systems (IDSes), intrusion prevention systems (IPSes), firewalls, and honeypots are the security mechanisms implemented to secure networks or systems. But attackers are able to manage even these security mechanisms and try to break into the legitimate system or network with the help of various evasion techniques.

This module will familiarize you with:
- Ways to Detect an Intrusion
- Types of Intrusion Detection Systems
- General Indications of Intrusions
- Firewall Architecture
- Types of Firewalls
- Firewall Identification
- How to Set Up a Honeypot
- Intrusion Detection Tools
- How Snort Works
- Firewalls
- Honeypot Tools
- Evading IDSes
- Evading Firewalls
- Detecting Honeypots
- Firewall Evasion Tools
- Packet Fragment Generators
- Countermeasures
- Firewall/IDS Penetration Testing
  • 7. Module Flow

To understand IDSes, firewalls, and honeypots, and the evasion techniques used by attackers to break into the target network or system, it is necessary to understand these mechanisms and how they prevent intrusions and offer protection. So, let us begin with basic IDS, firewall, and honeypot concepts.

Module flow: IDS, Firewall and Honeypot Concepts; IDS, Firewall and Honeypot System; Evading IDS; Evading Firewall; Detecting Honeypots; Firewall Evading Tools; Countermeasures; Penetration Testing.

This section introduces you to the basic IDS, firewall, and honeypot concepts.
  • 8. Intrusion Detection Systems (IDS) and their Placement

An intrusion detection system is used to monitor and protect networks or systems from malicious activities. To alert security personnel about intrusions, intrusion detection systems are highly useful. IDSes are used to monitor network traffic. An IDS checks for suspicious activities and notifies the administrator about intrusions immediately.
- An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network, to identify possible violations of security policy, including unauthorized access, as well as misuse.
- An IDS is also referred to as a "packet-sniffer," which intercepts packets traveling along various communication mediums and protocols, usually TCP/IP.
- The packets are analyzed after they are captured.
- The IDS filters traffic for signatures that match intrusions, and signals an alarm when a match is found. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
  • 9. FIGURE 17.1: Intrusion Detection Systems (IDSes) and their Placement (diagram: User, Intranet)
  • 10. How IDS Works

Slide diagram: Signature file comparison -> Anomaly Detection -> Stateful protocol analysis -> Action Rule -> Switch. On a mismatch at any stage: alarm notifies admin and packet can be dropped; connections are cut down from that IP source; packet is dropped.

The main purposes of IDSes are that they not only prevent intrusions but also alert the administrator immediately while the attack is still going on. The administrator can identify the methods and techniques being used by the intruder and also the source of the attack. An IDS works in the following way:
- IDSes have sensors to detect signatures, and some advanced IDSes have behavioral activity detection to determine malicious behavior. Even if signatures don't match, this activity detection system can alert administrators about possible attacks.
- If the signature matches, then it moves to the next step, or the connections are cut down from that IP source, the packet is dropped, and the alarm notifies the admin and the packet can be dropped.
- Once the signature is matched, the sensors pass on to anomaly detection, checking whether the received packet or request matches or not.
- If the packet passes the anomaly stage, then stateful protocol analysis is done. After that, the packets are passed on to the network through the switch. If anything mismatches again, the connections are cut down from that IP source, the packet is dropped, and the alarm notifies the admin and the packet can be dropped.
  • 11. FIGURE 17.2: How an IDS Works (diagram: IDS preprocessor, IDS, signature file comparison, switch)
  • 12-14. Ways to Detect an Intrusion

Signature Recognition: also known as misuse detection. Signature recognition tries to identify events that misuse a system.
Anomaly Detection: it detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system.
Protocol Anomaly Detection: in this type of detection, models are built to explore anomalies in the way vendors deploy the TCP/IP specification.

An intrusion is detected in three ways.

Signature Detection

Signature recognition is also known as misuse detection. It tries to identify events that indicate an abuse of a system. It is achieved by creating models of intrusions. Incoming events are compared with intrusion models to make a detection decision. While creating signatures, the model must detect an attack without disturbing the normal traffic on the system. Attacks, and only attacks, should match the model, or else false alarms can be generated.
- The simplest form of signature recognition uses simple pattern matching to compare the network packets against binary signatures of known attacks. A binary signature may be defined for a specific portion of the packet, such as the TCP flags.
- Signature recognition can detect known attacks. However, there is a possibility that other packets that match might represent the signature, triggering bogus signals. Signatures can be customized so that even well-informed users can create them.
- Signatures that are formed improperly may trigger bogus signals. In order to detect misuse, the number of signatures required is huge. The more the signatures, the more attacks can be detected, though traffic may incorrectly match with the signatures, reducing the performance of the system.
- The bandwidth of the network is consumed with the increase in the signature database. As the signatures are compared against those in the database, there is a probability that the maximum number of comparisons cannot be made, resulting in certain packets being dropped.
- New virus attacks such as ADMutate and Nimda create the need for multiple signatures for a single attack. Changing a single bit in some attack strings can invalidate a signature and create the need for an entirely new signature.
- Despite problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.

Anomaly Detection

Anomaly detection is otherwise called "not-use detection." Anomaly detection differs from the signature recognition model. The model consists of a database of anomalies. Any event that is identified with the database is considered an anomaly. Any deviation from normal use is labeled an attack. Creating a model of normal use is the most difficult task in creating an anomaly detector.
- In the traditional method of anomaly detection, important data is kept for checking variations in network traffic for the model. However, in reality, there is less variation in network traffic and too many statistical variations, making these models imprecise; some events labeled as anomalies might only be irregularities in network usage.
- In this type of approach, the inability to instruct a model thoroughly on the normal network is of grave concern. These models should be trained on the specific network that is to be policed.

Protocol Anomaly Detection

Protocol anomaly detection is based on the anomalies specific to a protocol. This model was integrated into the IDS model recently. It identifies the TCP/IP protocol-specific flaws in the network. Protocols are created with specifications, known as RFCs, for dictating proper use and communication. The protocol anomaly detector can identify new attacks.
- New attack methods and exploits that violate protocol standards are being discovered frequently.
- The pace at which the malicious signature attacker is growing is incredibly fast. But the network protocol, in comparison, is well defined and changing slowly. Therefore, the signature database must be updated frequently to detect attacks.
- Protocol anomaly detection systems are easier to use because they require no signature updates.
- Protocol anomaly detectors are different from the traditional IDS in how they present alarms.
- The best way to present alarms is to explain which part of the state system was compromised. For this, the IDS operators have to have a thorough knowledge of the protocol design; the best way is the documentation provided by the IDS.
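The three detection methods above, reduced to working code as an added example (this is not code from the CEH module): binary (mask, value) signatures over the TCP flag byte, a protocol-anomaly check for flag combinations RFC 793 never produces, and a statistical baseline of packets per source per window. The packets, the 192.0.2.x/203.0.113.x addresses and the threshold of mean plus three standard deviations are all constructed for the demonstration.

```python
"""Miniature IDS core showing signature recognition, protocol anomaly detection
and anomaly detection on constructed packets. Nothing is read from a network."""
import statistics
from collections import Counter
from dataclasses import dataclass

# TCP flag bits (RFC 793); together they form the flag byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass(frozen=True)
class Packet:
    src: str     # source IP (constructed sample value)
    dport: int   # destination TCP port
    flags: int   # TCP flag byte


# 1. Signature recognition: binary signatures over one portion of the packet,
#    here the TCP flag byte. A signature is (mask, value) and matches when
#    (flags & mask) == value; bits outside the mask are ignored.
SIGNATURES = {
    "NULL scan (no TCP flags)": (ALL_FLAGS, 0),
    "XMAS scan (FIN+PSH+URG)": (ALL_FLAGS, FIN | PSH | URG),
}


def match_signatures(pkt):
    """Return the names of all signatures the packet's flag byte matches."""
    return [name for name, (mask, value) in SIGNATURES.items()
            if pkt.flags & mask == value]


# 2. Protocol anomaly detection: no signature database, only the rules of the
#    protocol itself. A conforming stack never combines SYN with FIN or RST.
def protocol_anomalies(pkt):
    """Return descriptions of flag combinations that violate RFC 793."""
    found = []
    if pkt.flags & SYN and pkt.flags & FIN:
        found.append("SYN and FIN set together")
    if pkt.flags & SYN and pkt.flags & RST:
        found.append("SYN and RST set together")
    return found


# 3. Anomaly detection: learn what "normal" looks like, then flag deviation.
class RateAnomalyDetector:
    """Baseline: packets per source per time window. A source is anomalous
    when its count exceeds mean + k * stddev of the baseline counts."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, windows):
        counts = [n for window in windows
                  for n in Counter(p.src for p in window).values()]
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts)

    def detect(self, window):
        # A floor of 1.0 keeps a perfectly regular baseline from flagging everything.
        threshold = self.mean + self.k * max(self.stdev, 1.0)
        return {src: n for src, n in Counter(p.src for p in window).items()
                if n > threshold}


def analyze(detector, window):
    """Run all three methods over one window of packets and collect alerts."""
    alerts = {"signature": [], "protocol": [], "anomaly": {}}
    for pkt in window:
        for name in match_signatures(pkt):
            alerts["signature"].append((pkt.src, pkt.dport, name))
        for desc in protocol_anomalies(pkt):
            alerts["protocol"].append((pkt.src, pkt.dport, desc))
    alerts["anomaly"] = detector.detect(window)
    return alerts


def _normal(src, n):
    """n ordinary data segments (ACK+PSH to port 443) from one source."""
    return [Packet(src, 443, ACK | PSH) for _ in range(n)]


def build_sample_traffic():
    """Constructed sample: five quiet baseline windows, then one window in which
    203.0.113.5 (a documentation address) probes ports with odd flag bytes."""
    baseline = [_normal("192.0.2.10", 4) + _normal("192.0.2.11", 6) for _ in range(5)]
    suspect = _normal("192.0.2.10", 4)
    suspect += [Packet("203.0.113.5", port, 0) for port in range(20, 40)]  # NULL probes
    suspect += [Packet("203.0.113.5", 80, FIN | PSH | URG)]                  # XMAS probe
    suspect += [Packet("203.0.113.5", 22, SYN | FIN)]                        # illegal combo
    return baseline, suspect


if __name__ == "__main__":
    baseline, suspect = build_sample_traffic()
    det = RateAnomalyDetector()
    det.train(baseline)
    for kind, hits in analyze(det, suspect).items():
        print(kind, hits)
```

The SYN+FIN segment is caught by the protocol check but by neither signature, which is the page's point that the two methods cover different ground.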
  • 15-16. Types of Intrusion Detection Systems

Basically, there are four types of intrusion detection systems available. They are:

Network-based Intrusion Detection

The NIDS checks every packet entering the network for the presence of anomalies and incorrect data. Unlike the firewalls that are confined to the filtering of data packets with vivid malicious content, the NIDS checks every packet thoroughly. An NIDS captures and inspects all traffic, regardless of whether it is permitted. Based on the content, at either the IP or application level, an alert is generated. Network-based intrusion detection systems tend to be more distributed than host-based IDSes. The NIDS is basically designed to identify the anomalies at the router and host level. The NIDS audits the information contained in the data packets, logging information of malicious packets. A threat level is assigned to each risk after the data packets are received. The threat level enables the security team to be on alert. These mechanisms typically consist of a black box that is placed on the network in the promiscuous mode, listening for patterns indicative of an intrusion.

Host-based Intrusion Detection

In the host-based system, the IDS analyzes each system's behavior. The HIDS can be installed on any system ranging from a desktop PC to a server. The HIDS is more versatile than the NIDS. One example of a host-based system is a program that operates on a system and receives application or operating system audit logs. These programs are highly effective for detecting insider abuses. Residing on the trusted network systems themselves, they are close to the network's authenticated users. If one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information promptly. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. HIDSes are more focused on changing aspects of the local systems. HIDS is also more platform-centric, with more focus on the Windows OS, but there are other HIDSes for UNIX platforms. These mechanisms usually include auditing for events that occur on a specific host. These are not as common, due to the overhead they incur by having to monitor each system event.

Log File Monitoring

A Log File Monitor (LFM) monitors log files created by network services. The LFM IDS searches through the logs and identifies malicious events. In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the "phf" attack. An example is swatch. These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.

File Integrity Checking

These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there, for example, Tripwire.
• 17. System Integrity Verifiers (SIV)

Tripwire is a System Integrity Verifier (SIV) that monitors system files and detects changes by an intruder. http://www.tripwire.com

[Screenshot of the Tripwire console: monitored nodes grouped by type, location and service (node groups such as Commerce Server, Database Servers, Desktops, Web Servers), with severity, change type, current version and modification columns; not recoverable as text]

Source: http://www.tripwire.com

A System Integrity Verifier (SIV) monitors system files to determine whether an intruder has changed the files. An integrity monitor watches key system objects for changes. For example, a basic integrity monitor uses system files, or registry keys, to track changes by an intruder. Although they have limited functionality, integrity monitors can add an additional layer of protection to other forms of intrusion detection.

FIGURE 17.3: System Integrity Verifiers (SIV) Screenshot
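The file integrity checking mechanism described on slide 16 and the integrity monitor described here both work the same way: record a baseline of hashes and attributes, then compare. The following is an added example, not code from this module or from Tripwire, that builds such a baseline with SHA-256 and reports modified, added, missing and permission-changed files. The directory tree and the "intruder" changes in demo() are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits of every regular file under root.
    Paths are stored relative to root. In real use the baseline must be kept where
    an intruder with root on this host cannot rewrite it (offline media or a
    separate host); otherwise the comparison proves nothing."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only regular files are hashed
            st = full.stat()
            baseline[full.relative_to(root).as_posix()] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a baseline. Returns sorted lists of
    files that were modified, added, removed, or whose permission bits changed."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": [], "mode_changed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
            continue
        if new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report["modified"].append(rel)
        if new["mode"] != old["mode"]:
            report["mode_changed"].append(rel)  # e.g. Read-Only changed to Write
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: baseline a small tree, then simulate intruder changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)
        (root / "var").mkdir()
        (root / "var" / "auth.log").write_text("Jan 10 03:12:01 sshd: Failed password\n")
        baseline = build_baseline(root)

        # Simulated tampering: trojaned binary, dropped hidden file,
        # deleted log, and a permission change on a system file.
        (root / "bin" / "ls").write_bytes(b"trojaned binary")
        (root / "etc" / ".hidden").write_text("dropper")
        (root / "var" / "auth.log").unlink()
        os.chmod(root / "etc" / "passwd", 0o666)
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The size check is redundant with the hash but cheap, and it lets a scheduled run skip hashing unchanged large files if that optimisation is ever added; the permission comparison is what catches the "Read-Only to Write" change listed among the intrusion indicators later in this module.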
• 18. General Indications of Intrusions

Following are the general indications of intrusions:

File System Intrusions

By observing the system files, you can identify the presence of an intruder. The system files record the activities of the system. Any modification or deletion in the file attributes or the file itself is a sign that the system was a target of attack:

- If you find new, unknown files/programs on your system, then there is a possibility that your system has been intruded. The system can be compromised to the point that it can in turn compromise other systems in your network.
- When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains the Administrator privilege, he or she changes the file permissions, for example, from Read-Only to Write.
- Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all of your system files.
- Presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
• 19.
- You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
- Missing files are also a sign of a probable intrusion/attack.

Network Intrusions

- A sudden increase in bandwidth consumption is an indication of intrusion.
- Repeated probes of the available services on your machines.
- Connection requests from IPs other than those in the network range are an indication that an unauthenticated user (intruder) is attempting to connect to the network.
- You can identify repeated attempts to log in from remote machines.
- Arbitrary log data in log files indicates attempts of denial-of-service attacks, bandwidth consumption, and distributed denial-of-service attacks.
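Three of the network indicators above (connection requests from outside the expected address range, repeated login attempts from remote machines, and, from the next slide, logins during non-working hours) can be checked mechanically from authentication logs. The following is an added example, not part of the module, that runs those checks over a handful of constructed sshd-style syslog lines; the internal range 10.0.0.0/8, the threshold of three failures and the 08:00 to 18:00 working window are assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd-style log lines in syslog format; not taken from a real host.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 10 03:12:04 host sshd[1203]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jan 10 03:12:07 host sshd[1205]: Failed password for admin from 203.0.113.45 port 51240 ssh2
Jan 10 03:12:09 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.45 port 51244 ssh2
Jan 10 03:12:12 host sshd[1209]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Jan 10 09:15:30 host sshd[2210]: Accepted publickey for alice from 10.0.5.17 port 40122 ssh2
Jan 10 09:20:11 host sshd[2215]: Failed password for bob from 10.0.5.22 port 40200 ssh2
Jan 10 09:20:20 host sshd[2216]: Accepted password for bob from 10.0.5.22 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Return one dict per recognised login line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def analyze(log_text, internal_nets, failure_threshold=3, work_hours=(8, 18)):
    """Evaluate the indicators from the text against a log excerpt.

    external_sources:       login sources outside the expected address ranges
    repeated_failures:      sources with at least failure_threshold failed logins
    success_after_failures: sources that succeed after repeated failures (the
                            strongest signal here: a guessed password)
    off_hours_logins:       successful logins outside work_hours
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    failures = defaultdict(int)
    external, repeated, success_after = set(), set(), set()
    off_hours = []
    for ev in parse_events(log_text):
        ip = ipaddress.ip_address(ev["ip"])
        if not any(ip in net for net in nets):
            external.add(ev["ip"])
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] >= failure_threshold:
                repeated.add(ev["ip"])
            continue
        # Successful login from here on.
        if failures[ev["ip"]] >= failure_threshold:
            success_after.add(ev["ip"])
        hour = int(ev["time"][:2])
        if not work_hours[0] <= hour < work_hours[1]:
            off_hours.append((ev["user"], ev["ip"], ev["time"]))
    return {
        "external_sources": sorted(external),
        "repeated_failures": sorted(repeated),
        "success_after_failures": sorted(success_after),
        "off_hours_logins": off_hours,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, ["10.0.0.0/8"]).items():
        print(f"{key}: {value}")
```

The single-user failures from 10.0.5.22 stay below the threshold and are not reported, which is the point of a threshold: the indicator is repeated attempts, not one mistyped password.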
• 20. General Indications of System Intrusions

- Short or incomplete logs
- Unusual graphic displays or text messages
- Unusually slow system performance
- Modifications to system software and configuration files
- Missing logs or logs with incorrect permissions or ownership
- System crashes or reboots
- Gaps in the system accounting
- Unfamiliar processes

To check whether the system is attacked, you need to check certain parameters that clearly indicate the presence of an intruder on the system. When an intruder attempts to break into the system, he or she attempts to hide his or her presence by modifying certain system files and configurations that indicate intrusion. Certain signs of intrusion include:

- The system's failure to identify a valid user
- Active access to unused logins
- Logins during non-working hours
- New user accounts other than the accounts created
- Modifications to system software and configuration files using Administrator access and the presence of hidden files
- Gaps in system audit files, which indicate that the system was idle for that particular time; the gaps actually indicate that the intruder has attempted to erase the audit tracks
- The system's performance decreases drastically, consuming CPU time
- The system crashes suddenly and reboots without user intervention
• 21.
- The system logs are too short and incomplete
- Timestamps of system logs are modified to include strange inputs
- Permissions on the logs are changed, including the ownership of the logs
- System logs are deleted
- System performance is abnormal; the system responds in unfamiliar ways
- Unknown processes are identified on the system
- Unusual display of graphics, pop-ups, and text messages observed on the system
• 22. Firewall

Firewalls are hardware and/or software designed to prevent unauthorized access to or from a private network. They are placed at the junction or gateway between the two networks, which is usually a private network and a public network such as the Internet. Firewalls examine all messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports.

[Figure: Secure Private Local Area Network connected to the public network through a firewall; ✓ = specified traffic allowed, ✗ = restricted unknown traffic]

Firewalls

A firewall is a set of related programs located at the network gateway server that protects the resources of a private network from users on other networks. Firewalls are a set of tools that monitor the flow of traffic between networks. A firewall, placed at the network level and working closely with a router, filters all network packets to determine whether or not to forward them toward their destinations. A firewall is often installed away from the rest of the network so that no incoming request can get directly to a private network resource. If configured properly, systems on one side of the firewall are protected from systems on the other side of the firewall.

- A firewall is an intrusion detection mechanism. Firewalls are specific to an organization's security policy. The settings of the firewalls can be changed to make appropriate changes to the firewall functionality.
- Firewalls can be configured to restrict incoming traffic to POP and SNMP and to enable email access. Certain firewalls block the email services to secure against spam.
- Firewalls can be configured to check inbound traffic at a point called the "choke point," where a security audit is performed. The firewall can also act as an active "phone tap" tool in identifying the intruder's attempt to dial into the modems within the network that is secured by the firewall. The firewall logs consist of logging information that reports to the administrator on all the attempts of various incoming services.
• 23.
- The firewall verifies the incoming and outgoing traffic against firewall rules. It acts as a router to move data between networks. Firewalls manage access of private networks to host applications.
- All the attempts to log in to the network are identified for auditing. Unauthorized attempts can be identified by embedding an alarm that is triggered when an unauthorized user attempts to log in.

Firewalls can filter packets based on address and types of traffic. They identify the source, destination addresses, and port numbers while address filtering, and they identify types of network traffic when protocol filtering. Firewalls can identify the state and attributes of the data packets.

FIGURE 17.4: Working of Firewall (Secure Private Local Area Network and Public Network; ✓ = specified traffic allowed, ✗ = restricted unknown traffic)
• 24. Firewall Architecture

Bastion Host:
- A bastion host is a computer system designed and configured to protect network resources from attack.
- Traffic entering or leaving the network passes through the firewall; it has two interfaces: a public interface directly connected to the Internet, and a private interface connected to the intranet.

Screened Subnet:
- The screened subnet or DMZ (additional zone) contains hosts that offer public services.
- The DMZ zone responds to public requests and has no hosts accessed by the private network.
- The private zone cannot be accessed by Internet users.

Multi-homed Firewall:
- In this case, a firewall with three or more interfaces is present that allows for further subdividing the systems based on the specific security objectives of the organization.

Firewall Architecture

Firewall architecture consists of the following elements:

Bastion host

The bastion host is designed for the purpose of defending against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attack. Traffic entering or leaving the network passes through the firewall; it has two interfaces:
- Public interface directly connected to the Internet
- Private interface connected to the intranet

FIGURE 17.5: Bastion Host Architecture (Internet, bastion host, intranet)
• 25. Screened subnet

A screened subnet is a network architecture that uses a single firewall with three network interfaces. The first interface is used to connect the Internet, the second interface is used to connect the DMZ, and the third interface is used to connect the intranet. The main advantage of the screened subnet is that it separates the DMZ and Internet from the intranet, so that when the firewall is compromised, access to the intranet won't be possible.

- The screened subnet or DMZ (additional zone) contains hosts that offer public services
- The public zone is directly connected to the Internet and has no hosts controlled by the organization
- The private zone has systems that Internet users have no business accessing

FIGURE 17.6: Screened Subnet Architecture

Multi-homed firewall

A multi-homed firewall generally refers to two or more networks. Each interface is connected to the separate network segments logically and physically. A multi-homed firewall is used to increase the efficiency and reliability of an IP network. In this case, more than three interfaces are present that allow for further subdividing the systems based on the specific security objectives of the organization.

FIGURE 17.7: Multi-Homed Firewall Architecture (Internet, firewall, intranet)
• 26. DeMilitarized Zone (DMZ)

A DMZ is a network that serves as a buffer between the internal secure network and the insecure Internet. It can be created using a firewall with three or more network interfaces assigned specific roles, such as the internal trusted network, the DMZ network, and the external untrusted network (Internet).

[Figure: Internet, firewall, intranet and DMZ]

Demilitarized Zone (DMZ)

The DMZ is a host computer or a network placed as a neutral network between a particular firm's internal, or private, network and the outside, or public, network to prevent the outside user from accessing the company's private data. A DMZ is a network that serves as a buffer between the internal secure network and the insecure Internet. It is created using a firewall with three or more network interfaces assigned specific roles, such as the internal trusted network, the DMZ network, and the external untrusted network (Internet).
• 27. FIGURE 17.8: Demilitarized Zone (DMZ)
• 28. Types of Firewall

- Packet Filters
- Circuit Level Gateways
- Application Level Gateways
- Stateful Multilayer Inspection Firewalls

Types of Firewalls

A firewall refers to a hardware device or a software program used in a system to prevent malicious information from passing through and allowing only the approved information. Firewalls are mainly categorized into four types:

- Packet filters
- Circuit-level gateways
- Application-level gateways
- Stateful multilayer inspection firewalls
• 29. Packet Filtering Firewall

Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP); they are usually a part of a router. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Rules can include the source and the destination IP address, the source and the destination port number, and the protocol used.

(✓ = traffic allowed based on source and destination IP address, packet type, and port number; ✗ = disallowed traffic)

Packet Filtering Firewall

A packet filtering firewall investigates each individual packet passing through it and makes a decision whether to pass the packet or drop it. As you can tell from their name, packet filter-based firewalls concentrate on individual packets and analyze their header information and which way they are directed. Traditional packet filters make the decision based on the following information:

- Source IP address: This is used to check if the packet is coming from a valid source or not. The information about the source IP address can be found in the IP header of the packet, which indicates the source system address.
- Destination IP address: This is used to check if the packet is going to the correct destination and to check if the destination accepts these types of packets. The information about the destination IP address can be found in the IP header of the packet, which has the destination address.
- Source TCP/UDP port: This is used to check the source port for the packet.
- Destination TCP/UDP port: This is used to check the destination port for the services to be allowed and the services to be denied.
• 30.
- TCP code bits: Used to check whether the packet has a SYN, ACK, or other bits set for the connection to be made.
- Protocol in use: Used to check whether the protocol that the packet is carrying should be allowed. This is because some networks do not allow the UDP protocol.
- Direction: Used to check whether the packet is coming from the packet filter firewall or leaving it.
- Interface: Used to check whether or not the packet is coming from an unreliable site.

FIGURE 17.9: Packet Filtering Firewall (layers: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; ✓ = traffic allowed based on source and destination IP address, packet type, and port number; ✗ = disallowed traffic)
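The eight criteria listed for a traditional packet filter (addresses, ports, TCP code bits, protocol, direction, interface) map directly onto a first-match rule table. The following is an added example, not from this module or any firewall product, that implements such a stateless filter and evaluates constructed packets against a small policy. The address ranges (192.0.2.0/24 as the inside, 203.0.113.10 as the DMZ web server) and the policy choices are assumptions made for the demonstration; the "require ACK" rule shows the limit of a stateless filter that the stateful inspection slide later addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects (constructed, not a real capture)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP code bits, e.g. {"SYN"} or {"SYN", "ACK"}
    direction: str = "in"           # "in" arrives on the Internet-facing interface


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)      # inclusive destination port range
    require_flags: frozenset = frozenset()  # every listed code bit must be set
    forbid_flags: frozenset = frozenset()   # none of these bits may be set

    def matches(self, pkt):
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if pkt.proto in ("tcp", "udp") and not self.dports[0] <= pkt.dport <= self.dports[1]:
            return False
        if not self.require_flags <= pkt.flags or self.forbid_flags & pkt.flags:
            return False
        return True


def filter_packet(rules, pkt, default="deny"):
    """First matching rule wins; with no match the implicit final rule is deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INSIDE = "192.0.2.0/24"       # assumed internal range
DMZ_WEB = "203.0.113.10/32"   # assumed public web server

RULES = [
    # Anti-spoofing: a packet claiming an inside source cannot arrive from outside.
    Rule("deny", direction="in", src=INSIDE),
    # Published services on the DMZ web server.
    Rule("allow", direction="in", proto="tcp", dst=DMZ_WEB, dports=(80, 80)),
    Rule("allow", direction="in", proto="tcp", dst=DMZ_WEB, dports=(443, 443)),
    # Replies to sessions opened from inside: a stateless filter can only
    # approximate this by requiring ACK (a bare SYN is a new connection attempt).
    Rule("allow", direction="in", proto="tcp", dst=INSIDE, require_flags=frozenset({"ACK"})),
    # Site policy from the text: UDP is not admitted from outside at all.
    Rule("deny", direction="in", proto="udp"),
    # Outbound traffic is permitted.
    Rule("allow", direction="out"),
]


def decide(pkt):
    return filter_packet(RULES, pkt)


if __name__ == "__main__":
    print(decide(Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80, frozenset({"SYN"}))))
    print(decide(Packet("198.51.100.7", "192.0.2.5", "tcp", 40000, 445, frozenset({"SYN"}))))
```

Because rule order decides, the anti-spoofing deny must sit first; placed after the web-server allow it would never see a spoofed packet aimed at port 80.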
• 31. Circuit-Level Gateway Firewall

(✓ = traffic allowed based on session rules, such as when a session is initiated by a recognized computer; ✗ = disallowed traffic)

Circuit-level Gateway Firewall

Circuit-level gateways work at the session layer of the OSI model or the TCP layer of TCP/IP. A circuit-level gateway forwards data between the networks without verifying it. It blocks incoming packets into the host, but allows the traffic to pass through itself. Information passed to remote computers through a circuit-level gateway appears to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). A circuit-level gateway gives the controlled network connection to the network between the system, internal and external to it. To detect whether or not a requested session is valid, it checks the TCP handshaking between the packets. Circuit-level gateways do not filter individual packets. Circuit-level gateways are relatively inexpensive and hide the information about the private network that they protect.
• 32. FIGURE 17.10: Circuit-level Gateway Firewall (layers: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; ✓ = traffic allowed based on session rules, such as when a session is initiated by a recognized computer; ✗ = disallowed traffic)
• 33. Application-Level Firewall

- Application-level gateways (proxies) can filter packets at the application layer of the OSI model.
- Application-level gateways configured as a web proxy prohibit FTP, gopher, telnet, or other traffic.
- Application-level gateways examine traffic and filter on application-specific commands such as http:post and get.
- Incoming and outgoing traffic is restricted to services supported by the proxy; all other service requests are denied.

(✓ = traffic allowed based on specified applications (such as a browser) or a protocol, such as FTP, or combinations; ✗ = disallowed traffic)

Application-level Firewall

- Proxy/application-based firewalls concentrate on the Application layer rather than just the packets.
- These firewalls analyze the application information to make decisions about whether or not to transmit the packets.
- A proxy-based firewall asks for authentication to pass the packets as it works at the Application layer.
- A content caching proxy optimizes performance by caching frequently accessed information instead of sending new requests for the same old data to the servers.
• 34. FIGURE 17.11: Application-level Firewall (layers: 5 Application, 4 TCP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical)
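The slide says a web proxy filters on application-specific commands such as HTTP GET and POST and refuses FTP, gopher or telnet. The following is an added example, not code from this module or from any proxy product, showing what that application-layer decision looks like: it parses the request line and headers of a proxy request and allows only the methods and URL schemes a web proxy is configured to serve. The allowed method set, the scheme list and the body size limit are assumptions for the demonstration, and all request bytes are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_SCHEMES = {"http", "https"}   # ftp://, gopher://, telnet:// are refused by the web proxy
MAX_POST_BODY = 1_000_000             # assumed site limit
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>1\.[01])$")


def inspect_request(raw: bytes):
    """Application-layer check of one proxy request. Returns (verdict, reason),
    where verdict is 'allow' or 'deny'. Only the head (up to the blank line)
    is examined; the body is never forwarded before the head passes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "deny", "non-ASCII bytes in request head"   # e.g. a TLS ClientHello on the proxy port
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "deny", "malformed request line"
    method, target = m.group("method"), m.group("target")
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    url = urlsplit(target)
    if url.scheme not in ALLOWED_SCHEMES:
        return "deny", f"scheme {url.scheme or '(none)'} is not proxied"
    if not url.hostname:
        return "deny", "absolute URL with a host is required"
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return "deny", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if method == "POST":
        length = headers.get("content-length", "")
        if not length.isdigit():
            return "deny", "POST without a valid Content-Length"
        if int(length) > MAX_POST_BODY:
            return "deny", "POST body exceeds the configured limit"
    return "allow", f"{method} {url.hostname}"


if __name__ == "__main__":
    for req in (b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                b"GET ftp://files.example.com/pub/ HTTP/1.1\r\n\r\n",
                b"DELETE http://www.example.com/x HTTP/1.1\r\n\r\n"):
        print(inspect_request(req))
```

A packet filter sees only that port 3128 (or 8080) is in use; the decisions above need the request itself, which is why this class of firewall is slower and why it can also demand authentication before forwarding.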
• 35. Stateful Multilayer Inspection Firewall

- Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls.
- They filter packets at the network layer to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer.

(✓ = traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules; ✗ = disallowed traffic)

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer. The inability of the packet filter firewall to check the header of the packets to allow the passing of packets is overcome by stateful packet filtering.

- This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on memory
- These firewalls provide the best of both packet filtering and application-based filtering
- Cisco PIX firewalls are stateful
- These firewalls track and log slots or translations
• 36. FIGURE 17.12: Stateful Multilayer Inspection Firewall (✓ = traffic is filtered at three layers based on a wide range of the specified application, session, and packet filtering rules; ✗ = disallowed traffic)
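The defining property of stateful inspection, as the text puts it, is that the firewall remembers earlier packets and judges later ones against that memory; the circuit-level slide describes the same idea as checking the TCP handshake between packets. The following is an added example, not from this module or from any product, of a minimal session table that tracks the three-way handshake and admits an inbound packet only when it fits the recorded state of its session. The sample addresses, the published service 203.0.113.10:80 and the idle timeout are assumptions; timestamps are passed in by the caller so the run is deterministic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP code bits
    direction: str = "in"            # "in" from the Internet side, "out" from the inside


class StatefulFilter:
    """Session table keyed by the 5-tuple. New sessions may be opened from
    inside freely, and from outside only toward published services; every
    other packet must match the state of an existing session."""

    def __init__(self, published, idle_timeout=300):
        self.published = set(published)   # {(ip, port)} reachable from outside
        self.idle_timeout = idle_timeout
        self.table = {}                   # key -> {"state", "initiator", "last"}

    @staticmethod
    def _key(pkt):
        # Both directions of one session map to the same key (inside endpoint first).
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        stale = [k for k, e in self.table.items() if now - e["last"] > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, pkt, now):
        """Return 'allow' or 'deny' and update the table. `now` is a time in seconds."""
        self._expire(now)
        key = self._key(pkt)
        entry = self.table.get(key)

        if entry is None:
            # Only a bare SYN (or a first UDP datagram) may open a session.
            if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
                return "deny"   # stray ACK/FIN/RST with no session, e.g. an ACK probe
            if pkt.direction == "in" and (pkt.dst, pkt.dport) not in self.published:
                return "deny"   # unsolicited inbound connection to an unpublished port
            self.table[key] = {"state": "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED",
                               "initiator": pkt.direction, "last": now}
            return "allow"

        entry["last"] = now
        if pkt.proto != "tcp":
            return "allow"
        if "RST" in pkt.flags:
            del self.table[key]
            return "allow"

        state, initiator = entry["state"], entry["initiator"]
        responder = "in" if initiator == "out" else "out"
        if state == "SYN_SENT":
            if pkt.direction == initiator and pkt.flags == {"SYN"}:
                return "allow"   # SYN retransmission
            if pkt.direction == responder and pkt.flags == {"SYN", "ACK"}:
                entry["state"] = "SYN_RECEIVED"
                return "allow"
        elif state == "SYN_RECEIVED":
            if pkt.direction == initiator and "ACK" in pkt.flags:
                entry["state"] = "ESTABLISHED"
                return "allow"
        elif state in ("ESTABLISHED", "CLOSING"):
            if "FIN" in pkt.flags:
                entry["state"] = "CLOSING"
            return "allow"
        return "deny"   # packet does not fit the handshake state, e.g. data before the handshake completes


if __name__ == "__main__":
    fw = StatefulFilter(published={("203.0.113.10", 80)})
    print(fw.process(Packet("192.0.2.5", "198.51.100.7", "tcp", 51000, 443, frozenset({"SYN"}), "out"), 0))
    print(fw.process(Packet("198.51.100.7", "192.0.2.5", "tcp", 443, 51000, frozenset({"SYN", "ACK"})), 1))
    print(fw.process(Packet("198.51.100.7", "192.0.2.5", "tcp", 443, 51001, frozenset({"ACK"})), 2))
```

Compare this with the stateless "require ACK" rule of a plain packet filter: here an inbound ACK to a port with no session is refused, because the table, not a header bit, decides what "established" means.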
• 37. Firewall Identification: Port Scanning

- Port scanning is used to identify open ports and services running on these ports.
- Some firewalls will uniquely identify themselves in response to simple port scans.
- Open ports can be further probed to identify the version of services, which helps in finding vulnerabilities in these services.
- For example: Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259; NetGuard GuardianPro firewall listens on TCP 1500 and UDP 1501.

Firewall Identification: Port Scanning

Systematically scanning the ports of a computer is known as port scanning. Attackers use such methods to identify the possible vulnerabilities in order to compromise a network. It is one of the most popular methods that attackers use for investigating the ports used by the victims. A tool that can be used for port scanning is Nmap. A port scan helps the attacker find which ports are available (i.e., what service might be listening on a port); it consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness. Some firewalls will uniquely identify themselves using simple port scans. For example: Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745.
• 38. Firewall Identification: Firewalking

- A technique that uses TTL values to determine gateway ACL filters and map networks by analyzing IP packet responses.
- Attackers send a TCP or UDP packet to the targeted firewall with a TTL set to one hop greater than that of the firewall.
- If the packet makes it through the gateway, it is forwarded to the next hop where the TTL equals one and elicits an ICMP "TTL exceeded in transit" to be returned, as the original packet is discarded.
- This method helps locate a firewall; additional probing permits fingerprinting and identification of vulnerabilities.

Firewall Identification: Firewalking

Firewalking is a method used to collect information about remote networks that are behind firewalls. It probes ACLs on packet filtering routers/firewalls. It is similar to tracerouting and works by sending TCP or UDP packets into the firewall that have a TTL set at one hop greater than the targeted firewall. If the packet makes it through the gateway, it is forwarded to the next hop where the TTL equals zero and elicits a TTL "exceeded in transit" message, at which point the packet is discarded. Using this method, access information on the firewall can be determined if successive probe packets are sent.

Firewalk is the most well-known software used for firewalking. It has two phases: a network discovery phase and a scanning phase. It requires three hosts:

- Firewalking host: The firewalking host is the system, outside the target network, from which the data packets are sent to the destination host, in order to gain more information about the target network.
- Gateway host: The gateway host is the system on the target network that is connected to the Internet, through which the data packet passes on its way to the target network.
- Destination host: The destination host is the target system on the target network that the data packets are addressed to.
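Both identification techniques described on these two slides leave a signature in the gateway's own logs: a port scan is one source touching many destination ports, and firewalking is a run of packets whose TTL is deliberately small enough to expire one hop past the gateway. The following is an added example, not from this module or from Firewalk, that parses constructed netfilter-style log lines (the format of the iptables LOG target, written by hand here) and flags both patterns. The thresholds and the addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log excerpt in the netfilter LOG-target style; not from a real gateway.
# 198.51.100.23 sweeps many ports with a normal TTL, 198.51.100.77 sends packets
# with a TTL of 2 (the firewalking pattern), 192.0.2.200 is an ordinary client.
FW_LOG = """\
Jan 10 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40123 DPT=21 SYN
Jan 10 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40124 DPT=22 SYN
Jan 10 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40125 DPT=23 SYN
Jan 10 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40126 DPT=25 SYN
Jan 10 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40127 DPT=80 SYN
Jan 10 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40128 DPT=256 SYN
Jan 10 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40129 DPT=257 SYN
Jan 10 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40130 DPT=443 SYN
Jan 10 10:00:05 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=80 SYN
Jan 10 10:00:05 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=443 SYN
Jan 10 10:00:05 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=28 TTL=2 PROTO=UDP SPT=53 DPT=53
Jan 10 10:00:06 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=40 TTL=2 PROTO=TCP SPT=53 DPT=22 SYN
Jan 10 10:05:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=52 TTL=64 PROTO=TCP SPT=51000 DPT=443 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter-style log line as a dict."""
    return dict(FIELD.findall(line))


def detect(log_text, scan_ports=6, low_ttl=3, low_ttl_min=3):
    """Flag the two patterns from the text.

    port_scans:     (src, dst, distinct ports) where one source probed at least
                    scan_ports different destination ports on one host
    low_ttl_probes: (src, count) where a source sent at least low_ttl_min packets
                    with TTL <= low_ttl, a value chosen to expire just past the gateway
    """
    ports = defaultdict(set)
    low_ttl_hits = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" not in f or "DST" not in f:
            continue
        if f.get("DPT", "").isdigit():
            ports[(f["SRC"], f["DST"])].add(int(f["DPT"]))
        if f.get("TTL", "").isdigit() and int(f["TTL"]) <= low_ttl:
            low_ttl_hits[f["SRC"]] += 1
    return {
        "port_scans": sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= scan_ports),
        "low_ttl_probes": sorted((src, n) for src, n in low_ttl_hits.items() if n >= low_ttl_min),
    }


if __name__ == "__main__":
    for kind, hits in detect(FW_LOG).items():
        print(f"{kind}: {hits}")
```

The low-TTL source here touches only four ports, so the port-scan rule alone would miss it; the TTL rule is what separates a firewalking attempt from ordinary traffic, whose TTL arrives in the tens.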
• 39. Firewall Identification: Banner Grabbing

[Slide figure: screenshot of a Microsoft service banner; not recoverable as text]

Firewall Identification: Banner Grabbing

Banners are messages sent out by network services during the connection to the service. Banners announce which service is running on the system. Banner grabbing is a technique generally used by the attacker for OS detection. The attacker uses banner grabbing to discover services run by firewalls. The three main services that send out banners are FTP, Telnet, and web servers. Ports of services such as FTP, Telnet, and web servers should not be kept open, as they are vulnerable to banner grabbing. A firewall does not block banner grabbing because the connection between the attacker's system and the target system looks legitimate.

An example of SMTP banner grabbing is: telnet mail.targetcompany.org 25. The syntax is: "<service name> <service running> <port number>"

Banner grabbing is a mechanism that is tried and true for specifying banners and application information. For example, when the user opens a telnet connection to a known port on the target server and presses Enter a few times, if required, the following result is displayed:

C:\>telnet www.corleone.com 80
HTTP/1.0 400 Bad Request
Server: Netscape-Commerce/1.12
  • 40. Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots Exam 312-50 Certified Ethical Hacker This system works with many other common applications that respond on a set port. The information generated through banner grabbing can enhance the attacker's efforts to further compromise the system. With information about the version and the vendor of the web server, the attacker can further concentrate on employing platform-specific exploit techniques. Module 17 Page 2588 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
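The probe above, turned into a self-check a defender can run against their own web servers: it opens the connection and sends a minimal request the way the telnet example does, then parses the Server: header and flags whether a product version is being disclosed. This is an added example, not code from the module; the host name is a placeholder and the sample response is constructed from the output shown above.

```python
"""Self-check of what an HTTP service discloses in its banner (added example)."""
import re
import socket

# "Product/1.2.3" style token in the Server: header means a version is disclosed
VERSION_RE = re.compile(r"[A-Za-z][\w.\-]*/\d[\w.\-]*")


def parse_banner(raw):
    """Return status line, Server header and a disclosure flag from raw response bytes."""
    head = raw.decode("latin-1", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    return {
        "status": lines[0] if lines else "",
        "server": server,
        "version_disclosed": bool(server and VERSION_RE.search(server)),
    }


def grab_http_banner(host, port=80, timeout=5.0):
    """Open a TCP connection and send a minimal request, like the telnet example above."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # HEAD keeps the reply short; a bare Enter, as in the page, also works on most servers.
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return parse_banner(b"".join(chunks))


# Constructed response modelled on the page's example output
SAMPLE_RESPONSE = (b"HTTP/1.0 400 Bad Request\r\n"
                   b"Server: Netscape-Commerce/1.12\r\n"
                   b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print(parse_banner(SAMPLE_RESPONSE))
    # print(grab_http_banner("www.example.net"))  # placeholder host: point at your own server
```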
Honeypot

A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network. It has no authorized activity and no production value, so any traffic to it is likely a probe, attack, or compromise. A honeypot can log port access attempts or monitor an attacker's keystrokes; these can be early warnings of a more concerted attack.

[Figure: a honeypot placed in the DMZ behind a packet-filter firewall, next to the web server, with the attacker on the Internet]

A honeypot is a system that is intended to attract and trap people who try unauthorized or illicit utilization of the host system. Whenever there is any interaction with a honeypot, it is most likely malicious activity. Honeypots are unique; they do not solve a specific problem. Instead, they are a highly flexible tool with many different security applications. Some honeypots can be used to help prevent attacks; others can be used to detect attacks; while a few honeypots can be used for information gathering and research.

Examples:
- Installing a system on the network with no particular purpose other than to log all attempted access.
- Installing an older unpatched operating system on a network. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the system and further track what the intruder attempts to do with the system once it is compromised.
- Installing special software designed for this purpose. It has the advantage of making it look like the intruder is successful without really allowing him/her access to the network.

Any existing system can be "honeypot-ized." For example, on WinNT, it is possible to rename the default administrator account and then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot tracks users who are attempting to gain administrator access and exploit that access.

[Figure 17.13: Working of Honeypot]
Types of Honeypots

Low-interaction honeypots:
- Simulate only a limited number of services and applications of a target system or network
- Cannot be completely compromised by attackers
- Generally set to collect higher-level information about attack vectors such as network probes and worm activities
- Examples: Specter, Honeyd, and KFSensor

High-interaction honeypots:
- Simulate all services and applications
- Can be completely compromised by attackers to get full access to the system in a controlled area
- Capture complete information about an attack vector, such as attack techniques, tools, and the intent of the attack
- Examples: Symantec Decoy Server and Honeynets

Honeypots are mainly divided into two types:

Low-interaction Honeypot

They work by emulating services and programs that would be found on an individual's system. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture limited amounts of information, mainly transactional data and some limited interaction. Examples: Specter, Honeyd, and KFSensor.

Honeyd is a low-interaction honeypot. It is open source and designed to run primarily on UNIX systems. Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs connections to any UDP or TCP port. In addition, the user can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring port 21 (TCP). When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it also captures all of the attacker's interaction with the emulated service.

In the case of the emulated FTP server, an attacker's login and password can potentially be captured; the commands that were issued, what they were looking for, or their identity can be tracked. Most emulated services work the same way: they expect a specific type of behavior and are programmed to react in a predetermined way.

High-interaction Honeypot

Honeynets are a prime example of a high-interaction honeypot. A honeynet is neither a product nor a software solution that the user installs. Instead, it is an architecture, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network, intended victims are placed, and the network has real computers running real applications. The "bad guys" find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a honeynet. All of their activity, from encrypted SSH sessions to email and file uploads, is captured without their knowledge by inserting kernel modules on the victim systems that record all of the attacker's actions. At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-honeynet computers.

How to Set Up a Honeypot

Follow the steps here to set up a honeypot:
- Step 1: Download or purchase honeypot software. Tiny Honeypot, LaBrea, and Honeyd are some of the programs available for Linux systems. KFSensor is software that works with Windows.
- Step 2: Log in as an administrator on the computer to install a honeypot onto the computer.
- Step 3: Install the software on your computer. Choose the "Full Version" to make sure every feature of the program is installed.
- Step 4: Place the honeypot software in the Program Files folder. Once you have chosen the folder, click "OK" and the program will install.
- Step 5: Restart your computer for the honeypot to work.
- Step 6: Configure the honeypot to check the items that you want the honeypot to watch for, including services, applications, and Trojans, and name your domain.
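The emulated FTP service described above, written out as a minimal low-interaction honeypot: it answers a decoy banner, records every login attempt and command, and rejects all of them, so nothing the client does gains real access. This is an added example and not Honeyd's or KFSensor's code; the banner text and the listening port 2121 are placeholders chosen here.

```python
"""Minimal low-interaction honeypot emulating an FTP login (added example)."""
import json
import socketserver
import time

BANNER = "220 ftp.example.net FTP service ready\r\n"   # constructed decoy banner


class FtpEmulator:
    """State machine for one decoy FTP session; works on plain lines so it can run offline."""

    def __init__(self, peer="0.0.0.0"):
        self.peer = peer
        self.user = None
        self.events = []   # one structured record per client command, as the page describes

    def _log(self, command, argument, reply):
        self.events.append({"ts": time.time(), "peer": self.peer,
                            "cmd": command, "arg": argument, "reply": reply.strip()})

    def handle(self, line):
        """Return the reply (with CRLF) for one client line and record the exchange."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            reply = "331 Please specify the password.\r\n"
        elif verb == "PASS":
            # The credential is captured for analysis but always rejected.
            reply = "530 Login incorrect.\r\n"
        elif verb == "QUIT":
            reply = "221 Goodbye.\r\n"
        elif verb in ("SYST", "FEAT", "PWD", "CWD", "LIST", "RETR", "STOR"):
            # Post-login commands are refused but logged: they reveal intent and tooling.
            reply = "530 Please login with USER and PASS.\r\n"
        else:
            reply = "500 Unknown command.\r\n"
        self._log(verb, arg, reply)
        return reply


class DecoyFtpHandler(socketserver.StreamRequestHandler):
    """Binds the emulator to one TCP connection; run it on an otherwise unused IP/port."""

    def handle(self):
        emu = FtpEmulator(self.client_address[0])
        self.wfile.write(BANNER.encode())
        for raw in self.rfile:
            reply = emu.handle(raw.decode("latin-1"))
            self.wfile.write(reply.encode())
            if reply.startswith("221"):
                break
        for event in emu.events:
            print(json.dumps(event))   # in a real deployment, forward to syslog or a SIEM


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), DecoyFtpHandler) as srv:
        srv.serve_forever()
```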
Module Flow

Previously, we discussed the basic concepts of three security mechanisms: IDSes, firewalls, and honeypots. Now we will move on to detailed descriptions and functionalities of these security mechanisms.

Module sections: IDS, Firewall and Honeypot Concepts; IDS, Firewall and Honeypot System; Evading IDS; Evading Firewall; Detecting Honeypots; Firewall Evading Tools; Countermeasures; Penetration Testing.

This section describes the intrusion detection system Snort.
Intrusion Detection Tool: Snort

Source: http://www.snort.org

- Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks
- It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts
- It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture
- Uses of Snort: a straight packet sniffer like tcpdump; a packet logger (useful for network traffic debugging, etc.); a network intrusion prevention system

Snort is an open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or a full-blown network intrusion prevention system.
Snort run from the Windows command prompt:

    c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -i 2
            --== Initialization Complete ==--
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using PCRE version: 8.10 2010-06-25
               Using ZLIB version: 1.2.3
               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
               Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
    Commencing packet processing (pid=5896)
    S5: Session exceeded configured max bytes to queue 1048576 using 1048979 bytes (client queue). 192.168.168.7 11616 --> 92.46.53.163 80 (0) : LWstate 0x1 LWFlags 0x2003
    *** Caught Int-Signal
    Run time for packet processing was 5985.944000 seconds
    Snort processed 11774 packets.
    Snort ran for 0 days 1 hours 39 minutes 45 seconds
       Pkts/hr:        11774
       Pkts/min:         118
       Pkts/sec:           1
    S5: Pruned session from cache that was using 1098947 bytes (purge whole cache). 192.168.168.7 11616 --> 92.46.53.163 80 (0) : LWstate 0x1 LWFlags 0x222003
    ===============================================================================
    Packet I/O Totals:
       Received:       147490
       Analyzed:        11774 ( 7.983%)
        Dropped:       135707 (92.011%)
       Filtered:            0 ( 0.000%)
    Outstanding:       135716 (92.017%)
       Injected:            0

FIGURE 17.14: Working of Snort in Command Prompt
How Snort Works

- Decoder: Saves the captured packets into a heap, identifies link-level protocols, and decodes IP
- Detection Engine: Matches packets against rules previously loaded into memory
- Rules Files: Plain text files that contain a list of rules with a known syntax
- Output Plug-ins: These modules format notifications so operators can access them in a variety of ways (console, external files, databases, etc.)

The following are the three essential elements of the Snort tool:
- Decoder: Saves the captured packets into a heap, identifies link-level protocols, and decodes IP.
- Detection Engine: Matches packets against rules previously loaded into memory at Snort initialization.
- Output Plug-ins: These modules format the notifications for the user to access them in different ways (console, external files, databases, etc.).

[Figure 17.15: How Snort Works. A NIC in promiscuous mode sniffs network traffic and feeds the decoder; the detection engine applies the rule set (rules files plus dynamically loaded libraries); output plug-ins deliver results to databases, web servers, and the reporting and alerting engine (ACID) used by the administrator. Rules files are plain text files that contain a list of rules with a known syntax.]
Snort Rules

- Snort's rule engine enables custom rules to meet the needs of the network
- Snort rules help in differentiating between normal Internet activities and malicious activities
- Snort rules must be contained on a single line; the Snort rule parser does not handle rules on multiple lines
- Snort rules come with two logical parts:
  - Rule header: Identifies the rule's action, such as alert, log, pass, activate, dynamic, etc.
  - Rule options: Identifies the rule's alert messages

Example:

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Here "alert" is the rule action, "tcp" the rule protocol, "any any" the source IP address and port, "->" the direction, "192.168.1.0/24" the destination IP address, "111" the rule port, and the parenthesized part holds the rule options, including the alert message.

Snort uses the popular libpcap library (for UNIX/Linux) or WinPcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Snort decodes all the packets passing through the network media to which it is attached by entering promiscuous mode. Based on the content of the individual packets and the rules defined in the configuration file, an alert is generated.

There are a number of rules that Snort allows the user to write. In addition, each of these Snort rules must describe the following:
- Any violation of the security policy of the company that might be a threat to the security of the company's network and other valuable information
- All the well-known and common attempts to exploit the vulnerabilities in the company's network
- The conditions in which a user thinks that a network packet(s) is unusual, i.e., if the identity of the packet is not authentic

Snort rules, written for both protocol analysis and content searching and matching, should be robust and flexible. The rules should be "robust"; it means the system should keep a rigid check on the activities taking place on the network and notify the administrator of any potential intrusion attempt. The rules should be "flexible"; it means that the system must be compatible enough to act immediately and take necessary remedial measures, according to the nature of the intrusion. Both flexibility and robustness can be achieved using an easy-to-understand and lightweight rule-description language that aids in writing simple Snort rules.

There are two basic principles that must be kept in mind while writing Snort rules. They are as follows:
- No written rule must extend beyond a single line, so rules should be short, precise, and easy to understand.
- Each rule should be divided into two logical sections:
  - The rule header
  - The rule options

The rule header contains the rule's action, the protocol, the source and destination IP addresses, the source and destination port information, and the CIDR (Classless Inter-Domain Routing) block. The rule option section includes alert messages, in addition to information about which part of the packet should be inspected in order to determine whether the rule action should be taken.

The following illustrates a sample Snort rule:

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
Snort Rules: Rule Actions and IP Protocols

Rule Actions
- The rule header stores the complete set of criteria used to identify a packet and determines the action to be performed or what rule is to be applied
- The rule action tells Snort what to do when it finds a packet that matches the rule criteria
- Three available actions in Snort:
  - Alert: Generate an alert using the selected alert method, and then log the packet
  - Log: Log the packet
  - Pass: Ignore the packet

IP Protocols
Three IP protocols that Snort supports for suspicious behavior: TCP, UDP, and ICMP.

Source: http://manual.snort.org

The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up. The first item in a rule is the rule action. The rule action tells Snort "what to do" when it finds a packet that matches the rule criteria. There are five available default actions in Snort: alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have additional options, which include drop, reject, and sdrop.
- Alert: generate an alert using the selected alert method, and then log the packet
- Log: log the packet
- Pass: ignore the packet
- Activate: alert and then turn on another dynamic rule
- Dynamic: remain idle until activated by an activate rule, then act as a log rule
- Drop: block and log the packet
- Reject: block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
- Sdrop: block the packet but do not log it

The Internet Protocol (IP) is used to send data from one system to another via the Internet. IP supports unique addressing for every computer on a network. Data on an IP network is organized into packets. Each packet contains message data, source, destination, etc. Three IP protocols that Snort supports for suspicious behavior:
- TCP: TCP (Transmission Control Protocol) is a part of the Internet Protocol suite. TCP is used to connect two different hosts and exchange data between them.
- UDP: UDP, the acronym of User Datagram Protocol, is for broadcasting messages over a network.
- ICMP: The Internet Control Message Protocol (ICMP) is a part of the Internet Protocol suite. It is used by the operating systems in a network to send error messages, etc.
Snort Rules: The Direction Operator and IP Addresses

The Direction Operator
- This operator indicates the direction of interest for the traffic; traffic can flow in either a single direction or bi-directionally
- Example of a Snort rule using the bidirectional operator:

    log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

IP Addresses
- Identifies the IP address and port that the rule applies to
- Use the keyword "any" to define any IP address
- Use numeric IP addresses qualified with a CIDR netmask
- Example IP address negation rule:

    alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)

The direction operator -> indicates the orientation, or direction, of the traffic that the rule applies to. The IP address and port numbers on the left side of the direction operator are considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host. There is also a bidirectional operator, which is indicated with a <> symbol. This tells Snort to consider the address/port pairs in either the source or destination orientation. This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions. Also, note that there is no <- operator. In Snort versions before 1.8.7, the direction operator did not have proper error checking and many people used an invalid token. The reason the <- does not exist is so that rules always read consistently.

The next fields in a Snort rule are used to specify the source and destination IP addresses and ports of the packet, as well as the direction in which the packet is traveling. Snort can accept a single IP address or a list of addresses. When specifying a list of IP addresses, you should separate each one with a comma and then enclose the list within square brackets, like this:

    [192.168.1.1,192.168.1.45,10.1.1.24]

When doing this, be careful not to use any whitespace. You can also specify ranges of IP addresses using CIDR notation, or even include CIDR ranges within lists. Snort also allows you to apply the logical NOT operator (!) to an IP address or CIDR range to specify that the rule should match all but that address or range of addresses.
Snort Rules: Port Numbers

- Port numbers can be listed in different ways, including "any" ports, static port definitions, port ranges, and by negation
- Port ranges are indicated with the range operator ":"
- Example of port negation:

    log tcp any any -> 192.168.1.0/24 !6000:6010

Port numbers may be specified in a number of ways, including any ports, static port definitions, ranges, and by negation. Any ports are a wildcard value, meaning literally any port. Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for HTTP, etc. Port ranges are indicated with the range operator ":". The range operator may be applied in a number of ways to take on different meanings.

Example of port negation:

    log tcp any any -> 192.168.1.0/24 !6000:6010

TABLE 17.1: Port Numbers

    Rule                                        Meaning
    log udp any any -> 192.168.1.0/24 1:1024    Log UDP traffic coming from any port and destination ports ranging from 1 to 1024
    log tcp any any -> 192.168.1.0/24 :5000     Log TCP traffic from any port going to ports less than or equal to 5000
    log tcp any :1024 -> 192.168.1.0/24 400:    Log TCP traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 400
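The rule-header grammar described in the preceding sections (rule actions and protocols, the -> and <> direction operators, IP lists, CIDR and ! negation, and port ranges and negation), implemented as a small parser and matcher so the page's sample rules can be run against constructed packets. This is an added example, not Snort's own code: it covers only the header plus the content and msg options, not preprocessors, flow state or PCRE, and its option splitter assumes no ";" inside quoted strings.

```python
"""Parse and evaluate Snort rule headers (added example, not Snort's own code)."""
import ipaddress
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# action proto src sport (-> | <>) dst dport [ (options) ]
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")

@dataclass
class Packet:
    """Constructed packet summary; ICMP packets can use port 0."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str
    proto: str
    src: tuple       # (negated, [ip_network, ...] or None for "any")
    sport: tuple     # (negated, low, high)
    direction: str   # "->" or "<>"
    dst: tuple
    dport: tuple
    options: list = field(default_factory=list)   # [(key, value), ...]

def parse_addr(spec):
    """'any', 1.2.3.4, 10.0.0.0/8, [a,b,c], or any of those prefixed with '!'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, None
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    # Lists must not contain whitespace; ip_network() rejects it for us.
    return negated, [ipaddress.ip_network(i, strict=False) for i in items]

def parse_port(spec):
    """'any', 111, 1:1024, :5000, 400:, or any of those prefixed with '!'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        low, high = spec.split(":", 1)
        return negated, int(low or 0), int(high or 65535)
    return negated, int(spec), int(spec)

def parse_content(value):
    """Expand |..| hex segments so 'ab|00 01|cd' becomes b'ab\\x00\\x01cd'."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rule(text):
    """Parse one single-line rule; raises ValueError on anything it cannot handle."""
    text = text.strip()
    if "\n" in text:
        raise ValueError("Snort rules must be contained on a single line")
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol: {action} {proto}")
    options = []
    for opt in (o.strip() for o in (opts or "").split(";")):   # assumes no ';' in strings
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        options.append((key, parse_content(val) if key == "content" else val))
    return Rule(action, proto, parse_addr(src), parse_port(sport), direction,
                parse_addr(dst), parse_port(dport), options)

def _addr_ok(spec, ip):
    negated, nets = spec
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated          # '!' inverts the match

def _port_ok(spec, port):
    negated, low, high = spec
    return (low <= port <= high) != negated

def matches(rule, pkt):
    """True if the packet satisfies the rule header and every content option."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    forward = (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
               and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    # '<>' also accepts the packet with source and destination swapped.
    reverse = (rule.direction == "<>"
               and _addr_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
               and _addr_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))
    if not (forward or reverse):
        return False
    return all(val in pkt.payload for key, val in rule.options if key == "content")
```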
Intrusion Detection System: TippingPoint

Source: http://h10163.www1.hp.com

- TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device
- Each packet is thoroughly inspected to determine whether it is malicious or legitimate
- It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection

TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device. Each packet is thoroughly inspected to determine whether it is malicious or legitimate. It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection.

[Figure 17.17: TippingPoint screenshot. Two graphs covering 2009/09/21 12:22:52 to 2009/09/22 12:22:52 (graph last updated Tue 22 Sep 12:20:02 CEST 2009): "Attacks Per Action" (Permitted: last 27.39 k, avg 13.79 k, max 40.38 k; Blocked: 0; Discarded Invalid: last 69.38, avg 66.91, max 81.33) and "Attacks Per Protocol" (ICMP: last 3.67 k, avg 3.90 k, max 6.06 k; UDP: last 886.08, avg 1.04 k, max 6.61 k; TCP: last 22.90 k, avg 8.94 k, max 35.85 k; IP-Other: 0)]
• 59. Intrusion Detection Tools

Intrusion detection tools detect anomalies. Run on a dedicated workstation, a network IDS reads every packet on the monitored segment, reconstructs user sessions from the TCP streams, and scans the reassembled traffic for possible intrusions, both by matching attack signatures and by looking for statistical anomalies in the traffic. The intrusion prevention products among the tools below are marketed as real-time protection that drops malicious traffic, port scans, malware, spyware, viruses and DoS/DDoS floods before they reach a host. Note the two limits of that claim: signature matching only catches attacks it already has a signature for, so "zero-day" coverage rests on the anomaly side, and some of the tools listed (AIDE, SNARE, OSSEC) are host-based: they watch files and logs on the host rather than network packets.

A few intrusion detection tools are listed as follows:

© IBM Security Network Intrusion Prevention System available at http://www-01.ibm.com
© Peek & Spy available at http://networkingdynamics.com
© INTOUCH INSA-Network Security Agent available at http://www.ttinet.com
© Strata Guard available at http://www.stillsecure.com
© IDP8200 Intrusion Detection and Prevention Appliances available at https://www.juniper.net
© OSSEC available at http://www.ossec.net
© Cisco Intrusion Prevention Systems available at http://www.cisco.com
© AIDE (Advanced Intrusion Detection Environment) available at http://aide.sourceforge.net
© SNARE (System iNtrusion Analysis & Reporting Environment) available at http://www.intersectalliance.com
© Vanguard Enforcer available at http://www.go2vanguard.com
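The paragraph above names the two things a network IDS does with captured packets: rebuild sessions so that content split across segments can still be matched against signatures, and watch traffic statistics for anomalies. The following Python is an added illustration written for this page, not code from the CEH courseware or from any product listed; the packets, signatures, thresholds and addresses are constructed for the example. It also shows why the reassembly step matters for evasion: the same request matched packet by packet raises nothing, because the signature bytes straddle two out-of-order segments.

```python
"""Minimal network IDS: TCP session reassembly, content signatures, and a
statistical port-scan check.  Added example for this page, not code from the
CEH courseware or any listed product; all traffic below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str           # "tcp", "udp" or "icmp"
    seq: int = 0         # TCP sequence number of the first payload byte
    payload: bytes = b""


# Toy content signatures, assumed for illustration (not a real rule set).
SIGNATURES = {
    "iis-cmd-exe": b"cmd.exe",
    "dir-traversal": b"../..",
    "sqli-union": b"UNION SELECT",
}
PORTSCAN_WINDOW = 2.0      # seconds
PORTSCAN_MIN_PORTS = 10    # distinct destination ports from one source


def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) segments.
    Segments are ordered by sequence number; where two overlap, the bytes
    already held win (a 'first' policy).  Holes are filled with NUL bytes."""
    stream, base = bytearray(), None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if base is None:
            base = seq
        offset = seq - base
        if offset > len(stream):
            stream.extend(b"\x00" * (offset - len(stream)))
        held = len(stream) - offset          # bytes of this segment already present
        if held < len(data):
            stream.extend(data[held:])
    return bytes(stream)


def match_signatures(data):
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def packet_level_alerts(packets):
    """Naive matching on each packet alone; misses content split across segments."""
    return [(name, p.src, p.dst, p.dport)
            for p in packets for name in match_signatures(p.payload)]


def stream_level_alerts(packets):
    """Match signatures against the reassembled payload of each TCP flow."""
    flows = defaultdict(list)
    for p in packets:
        if p.proto == "tcp" and p.payload:
            flows[(p.src, p.dst, p.sport, p.dport)].append((p.seq, p.payload))
    return [(name, src, dst, dport)
            for (src, dst, _sport, dport), segs in flows.items()
            for name in match_signatures(reassemble(segs))]


def portscan_alerts(packets):
    """Statistical anomaly: one source touching many distinct ports on one
    host within PORTSCAN_WINDOW seconds."""
    hits = defaultdict(list)
    for p in packets:
        if p.proto in ("tcp", "udp"):
            hits[(p.src, p.dst)].append((p.ts, p.dport))
    alerts = []
    for (src, dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {port for t, port in events[i:] if t - t0 <= PORTSCAN_WINDOW}
            if len(ports) >= PORTSCAN_MIN_PORTS:
                alerts.append(("portscan", src, dst, len(ports)))
                break
    return alerts


def per_protocol_counts(packets):
    """Packets per protocol: the raw material for an 'attacks per protocol' graph."""
    counts = defaultdict(int)
    for p in packets:
        counts[p.proto] += 1
    return dict(counts)


# Constructed sample traffic (not a capture).
ATTACKER, SCANNER, VICTIM = "10.0.0.5", "10.0.0.9", "192.168.1.20"
REQUEST = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SPLIT = REQUEST.index(b"cmd.exe") + 2          # "cm" | "d.exe": signature straddles segments
SAMPLE = [
    # Second half of the request arrives first (out of order).
    Packet(1.00, ATTACKER, VICTIM, 40001, 80, "tcp", seq=1000 + SPLIT, payload=REQUEST[SPLIT:]),
    Packet(1.01, ATTACKER, VICTIM, 40001, 80, "tcp", seq=1000, payload=REQUEST[:SPLIT]),
    Packet(1.50, ATTACKER, VICTIM, 40002, 53, "udp", payload=b"\x12\x34\x01\x00"),
    Packet(1.60, ATTACKER, VICTIM, 0, 0, "icmp"),
] + [
    # SYN-only probes (no payload) against twelve ports in 0.11 s.
    Packet(2.00 + i / 100, SCANNER, VICTIM, 50000 + i, 21 + i, "tcp") for i in range(12)
]

if __name__ == "__main__":
    print("per packet:", packet_level_alerts(SAMPLE))
    print("per stream:", stream_level_alerts(SAMPLE))
    print("anomaly:   ", portscan_alerts(SAMPLE))
    print("protocols: ", per_protocol_counts(SAMPLE))
```

The per-packet pass returns no alert while the per-stream pass flags the cmd.exe request, which is exactly the gap that fragmentation and segment-splitting evasions exploit against an IDS that does not reassemble. The "first" overlap policy in reassemble is one of several a real sensor may use; when it differs from the policy of the end host, an attacker can craft overlapping segments so that the sensor and the host see different data.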
• 61. Intrusion Detection Tools (Cont'd)

In addition to the intrusion detection tools listed on the previous slide, a few more tools can be used for detecting intrusions. One entry needs a caveat: fragroute is not a detector but a traffic-rewriting tool that fragments, reorders and duplicates outbound packets so that an IDS can be tested against exactly the evasions this module covers.

© Check Point Threat Prevention Appliance available at http://www.checkpoint.com
© fragroute available at http://www.monkey.org
© Next-Generation Intrusion Prevention System (NGIPS) available at http://www.sourcefire.com
© Outpost Network Security available at http://www.agnitum.com
© Check Point IPS-1 available at http://www.checkpoint.com
© FortiGate available at http://www.fortinet.com
© Enterasys® Intrusion Prevention System available at http://www.enterasys.com
© StoneGate Virtual IPS Appliance available at http://www.stonesoft.com
© Cyberoam Intrusion Prevention System available at http://www.cyberoam.com
© McAfee Host Intrusion Prevention for Desktops available at http://www.mcafee.com
• 62. Firewall: ZoneAlarm PRO Firewall

[Screenshot: ZoneAlarm PRO Firewall main window, showing the protection status panel and the firewall event log with categories such as blocked NetBIOS broadcasts, blocked outgoing NetBIOS name requests, blocked non-SYN TCP packets, blocked routed packets, blocked loopback packets, blocked non-IP packets, blocked fragmented IP packets, other blocked IP packets, MailSafe violations, Lock violations, blocked applications and antivirus/anti-spyware events.]

Source: http://www.zonealarm.com

ZoneAlarm PRO Firewall blocks attackers and intruders from accessing your system. It monitors programs for suspicious behavior, spotting and stopping new attacks that bypass traditional antivirus protection. It prevents identity theft by guarding your personal data, and it erases your tracks so you can browse the web privately. It locks out attackers, blocks intrusions, and makes your PC invisible online, that is, the host does not answer unsolicited probes. In addition, it filters out annoying and potentially dangerous email.