Last modified: Wednesday, 28-March-2001 03:17:41 PDT


Stealth Scanning & IDS Evasion Techniques
(Latest version: http://nmap.org/presentations/CanSecWest01/index.html)
  1. Introduction
    • Hello; Motivation; Purpose; URL

  2. Nmap & Scanning Intro
    • Usage example [1].

  3. Preventing standard host logging
    • Logging demo

  4. IDS Evasion
    • Demo our guinea pig IDS
    • Demo Simple scan [2]
    • One potential solution: Decoys ("nmap -D"). Explanation. Demo [3]
    • Slow scan ("-T sneaky" or "-T paranoid")
    • Fragmentation attacks ("-f") and other low-level mischief. Great papers/resources:
    • Specific signature evasion.
      • Example: All of the snort rules which refer to Nmap:
        zardoz~/src/snortrules>grep -i nmap *
        icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nmap2.36BETA or HPING2 Echo ";itype:8;dsize:0; reference:arachnids,162;) 
        icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162;) 
        scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;) 
        scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;) 
        zardoz~/src/snortrules>
             
      • Don't expect protection just because your IDS is proprietary or expensive.
    • Overload via false alarms. Demo [4]
    • Crash or exploit the IDS
    • Exploit the IDS attacker identification mechanism
      • Vulnerability of various identification mechanisms (IP addy, DNS, NetBIOS)
      • Windentd -- Fun with NMB authentication. Demo [5].
    • Use an exploit that is not in the signature database.

  5. More fun
    • Icepick. Demo.
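
The four Snort rules listed under "Specific signature evasion" above can be inventoried mechanically when auditing a ruleset. This is an added example, not code from the talk or from Snort: `parse_rule`, `inventory` and `GREP_OUTPUT` are names made up here, and the parser covers only the option syntax those four lines use.

```python
import re

# The four rule lines from the grep output above (trailing whitespace dropped).
GREP_OUTPUT = r'''
icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nmap2.36BETA or HPING2 Echo ";itype:8;dsize:0; reference:arachnids,162;)
icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;)
'''

# "file:action proto src sport -> dst dport (options)" as printed by grep.
HEADER = re.compile(
    r'^(?P<file>[^:\s]+):(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# One option: keyword, optional ":" value; a quoted value may itself contain ";".
OPTION = re.compile(r'\s*(?P<key>\w+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')
METADATA = {"msg", "reference"}  # descriptive options, not packet tests

def parse_rule(line):
    """Split one grep'd rule line into header fields, msg and packet tests."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a rule line: %r" % line)
    rule = m.groupdict()
    opts = {}
    for o in OPTION.finditer(rule.pop("opts")):
        opts[o.group("key")] = (o.group("val") or "").strip().strip('"')
    rule["msg"] = opts.get("msg", "")
    # Everything that is not metadata is a condition the packet must satisfy.
    rule["tests"] = {k: v for k, v in opts.items() if k not in METADATA}
    return rule

def inventory(text, tool="nmap"):
    """Return the parsed rules whose msg names the given tool (case-insensitive)."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return [r for r in rules if tool.lower() in r["msg"].lower()]

if __name__ == "__main__":
    for r in inventory(GREP_OUTPUT):
        print("%-11s %-4s %-40r %s" % (r["file"], r["proto"], r["msg"], r["tests"]))
```

Each of the four rules rests on one or two exact header-field tests, which is the kind of dependency a ruleset review should surface.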

The Code:

Before I provide links to the code demonstrated, please allow me to state a few caveats and "rules":