Last modified: Wednesday, 28-March-2001 03:17:41 PDT


Stealth Scanning & IDS Evasion Techniques
(Latest version: https://nmap.org/presentations/CanSecWest01/)
  1. Introduction
    • Hello everyone! My handle is Fyodor. Some of you may recognize me from last year's CanSecWest. I also maintain several security resources on the 'Net which you may have used, such as the Insecure.Org web site and the Nmap Security Scanner.
    • Anyway, Dragos was nice enough to invite me back here. And when I looked at the CanSecWest lineup, I noticed a preponderance of IDS vendors. There was Robert with his NetworkICE, Marty with Snort, and Ron Gula with Dragon, although Ron had to cancel. Obviously IDS systems are becoming popular. So I decided to investigate how this affects users of Nmap and other network reconnaissance tools. In particular, I am going to demonstrate techniques for making your scans more stealthy and IDS resistant. One question you might be asking yourself is: why should I care about IDS evasion? Well, if you are wearing a black hat, the answer is obvious. You want to avoid detection and getting caught. But most of you only make "authorized" attacks against your network where there is no need to be stealthy. Yet it is still important to maintain an awareness of these techniques so that you can properly defend against them and also so that you are aware of any limitations in your detection measures.
    • Make note of the URL for obtaining these notes and the source code of the programs I will demonstrate.
    • Hello; Motivation; Purpose; URL

  2. Nmap & Scanning Intro
    • So that I can get an idea of how much you guys already know about Nmap and scanning, would you please raise your hand if you have used Nmap? Fantastic! I will just go over it briefly. Let's start with a usage example.
    • Usage example [1].
    • Go over the command flags and the results.

  3. Preventing standard host logging
    • Our first goal is to avoid having our scan logged by standard host applications and operating systems. After all, there is no point even trying to confuse IDS systems if the hosts will log our scan right out of the box.
    • Do scan above ([1]) with a tail -f /var/spool/messages . Demo all the logs. Now change the command to a SYN scan (& drop -I and -sR) -- explain how SYN scan works. Wow! No logs at all! :)
    • Logging demo
    • OK, as you can see, it was very easy to prevent a stock OS installation from logging our scan. Five years ago that was all that mattered. But now some organizations are more paranoid (which is generally a good thing) and they run various advanced logging and IDS systems to watch their network for suspicious activity.

  4. IDS Evasion
    • Demo our guinea pig IDS
    • Demo Simple scan [2]
    • One potential solution: Decoys ("nmap -D"). Explanation. Demo [3]
    • Slow scan ("-T sneaky" or "-T paranoid")
    • Fragmentation attacks ("-f") and other low-level mischief. Great papers/resources:
    • Specific signature evasion.
      • Example: All of the snort rules which refer to Nmap:
        zardoz~/src/snortrules>grep -i nmap *
        icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nmap2.36BETA or HPING2 Echo ";itype:8;dsize:0; reference:arachnids,162;) 
        icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162;) 
        scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;) 
        scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;) 
        zardoz~/src/snortrules>
             
      • Don't expect protection just because your IDS is proprietary or expensive.
    • Overload via false alarms. Demo [4]
    • Crash or exploit the IDS
    • Exploit the IDS attacker identification mechanism
      • Vulnerability of various identification mechanisms (IP addy, DNS, NetBIOS)
      • Windentd -- Fun with NMB authentication. Demo [5].
    • Use an exploit that is not in the signature database.
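
Added example (not part of the original talk notes and not Snort's own code): a small Python evaluator that parses the four Nmap-related rules from the grep output above and shows exactly which header fields each signature keys on. The function names and the sample packets are constructed for illustration; only the itype, dsize, flags and ack options are modelled, and the address and port parts of the rule header are ignored.

```python
import re

# The four rules quoted in the grep output above.
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nmap2.36BETA or HPING2 Echo ";itype:8;dsize:0; reference:arachnids,162;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;)',
]

def parse_rule(line):
    """Return (protocol, {option: value}) for one rule line."""
    m = re.match(r'alert\s+(\w+)\s+.*?\((.*)\)\s*$', line)
    opts = {}
    for opt in m.group(2).split(';'):
        if ':' in opt:
            key, val = opt.split(':', 1)
            opts[key.strip()] = val.strip().strip('"').strip()
    return m.group(1), opts

def matches(rule, pkt):
    """True if the packet summary satisfies every modelled option of the rule."""
    proto, opts = rule
    if pkt["proto"] != proto:
        return False
    checks = {
        "itype": lambda v: pkt.get("itype") == int(v),
        "dsize": lambda v: pkt.get("dsize") == int(v),
        "ack": lambda v: pkt.get("ack") == int(v),
        # A bare flag list (no +, * or ! modifier) means exactly this flag set.
        "flags": lambda v: set(pkt.get("flags", "")) == set(v),
    }
    return all(test(opts[k]) for k, test in checks.items() if k in opts)

PARSED = [parse_rule(r) for r in RULES]

def alerts(pkt):
    """Names of the rules that would fire on this packet summary."""
    return [opts["msg"] for proto, opts in PARSED if matches((proto, opts), pkt)]

# Constructed packet summaries, not captured traffic.
SAMPLES = {
    "empty ICMP echo request": {"proto": "icmp", "itype": 8, "dsize": 0},
    "echo request, 56-byte payload": {"proto": "icmp", "itype": 8, "dsize": 56},
    "lone ACK, ack number 0": {"proto": "tcp", "flags": "A", "ack": 0, "dsize": 0},
    "ACK in an established session": {"proto": "tcp", "flags": "A", "ack": 305419896, "dsize": 0},
    "SYN+FIN+PSH+URG segment": {"proto": "tcp", "flags": "SFPU", "ack": 0, "dsize": 0},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {alerts(pkt) or 'no alert'}")
```

Each rule fires on one fixed packet shape, which is useful to know when judging how much scanning activity this rule set can actually account for.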

  5. More fun
    • Icepick. Demo.