Showing posts with label evasion.

Aug 2, 2010

IDS Evasion by TCP Checksum

Good post at Packetstan about a potential evasion that works when the IDS/IPS fails to validate TCP checksums.

Summary:

  • If the IDS does not validate TCP checksums, packet evasion is possible: the sensor acts on segments that the end host silently discards.
  • First, establish the 3-way handshake.
  • Then, fool the IDS by sending a RST packet with a bad TCP checksum, so the sensor believes the connection is closed.
  • Then continue sending the EVIL packets.
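As an added illustration of the defensive check involved (example code written for this post, not taken from the Packetstan article or from any IDS), the toy sensor below recomputes the TCP checksum over the RFC 793 pseudo-header and shows that a forged RST with a bad checksum tears down connection tracking only when validation is switched off. The addresses, ports and GET payload are constructed sample values.

```python
import struct

RST, ACK, PSH = 0x04, 0x10, 0x08

def ones_complement_sum(data: bytes) -> int:
    # 16-bit one's complement sum with end-around carry (RFC 1071)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    # RFC 793: pseudo-header (src, dst, zero, proto 6, length) + segment with checksum zeroed
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def tcp_checksum_valid(src: bytes, dst: bytes, segment: bytes) -> bool:
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src, dst, segment)

def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    # 20-byte header (data offset 5, no options), window 65535, correct checksum
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

def corrupt_checksum(segment: bytes) -> bytes:
    # flip one bit of the stored checksum so it is guaranteed to be wrong
    bad = struct.unpack("!H", segment[16:18])[0] ^ 0x0001
    return segment[:16] + struct.pack("!H", bad) + segment[18:]

def inspect_stream(src, dst, segments, validate_checksum=True) -> bytes:
    # Toy sensor: returns the payload bytes handed to content inspection. With
    # validate_checksum=False a RST the endpoint discards still ends tracking.
    tracking, inspected = True, b""
    for seg in segments:
        if validate_checksum and not tcp_checksum_valid(src, dst, seg):
            continue            # the endpoint drops it, so the sensor must too
        if not tracking:
            continue
        if seg[13] & RST:
            tracking = False    # connection torn down; stop inspecting
            continue
        inspected += seg[20:]   # data offset 5, so payload starts at byte 20
    return inspected

# constructed sample: established session 192.168.1.10:40000 -> 10.0.0.5:80
SRC, DST = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])
BAD_RST = corrupt_checksum(build_segment(SRC, DST, 40000, 80, 1001, 5001, RST | ACK))
DATA = build_segment(SRC, DST, 40000, 80, 1001, 5001, PSH | ACK, b"GET /index.html HTTP/1.0\r\n\r\n")
```

`inspect_stream(SRC, DST, [BAD_RST, DATA])` returns the GET request, while the same call with `validate_checksum=False` returns nothing, which is the blind spot the post describes.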

Jul 22, 2010

IDS Evasion on Linux Off-by-one TCP Timestamps

A very good article explaining a potential IDS/IPS evasion against Linux 2.4/2.6 kernels using off-by-one TCP timestamps.
In a nutshell, TCP timestamps can be included as a TCP option to carry the sending host's timestamp and echo the most recently received timestamp from the other side of the connection. The timestamp is not wall-clock time: on most operating systems (OpenBSD excepted) it is derived from the host's uptime since the last reboot.

Jul 1, 2010

IDS Evasion with Syncookies

Is it possible that, after a destination host (server) sends you a RST packet, you can still send the server data and continue the connection?

Yes, it is possible, on a Linux server with SYN cookies enabled.

sysctl -a | grep net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1

Steps (howto):

  • During the 3-way handshake, the client sends an ACK packet (3rd packet) to the server with an acknowledgement number one more than the expected value.
  • The Linux server responds with a RST as the 4th packet, which fools the IDS into believing the TCP connection is terminated.
  • Then, the client can continue to send EVIL stuff to the server.

Summary:
  • TCP SYN cookies are used to combat SYN flood (DoS) attacks.
  • Normally, one would expect the server to retransmit the SYN+ACK rather than send a RST.
  • With SYN cookies, the faked ACK packet (4th) is treated as just a stray packet.
  • The subsequent GET /EVIL packet (5th) is accepted as the valid final ACK of the three-way handshake, since the SYN cookie matches.
  • With Snort IDS, the default stream5 policy of "windows" will not be fooled by this, because it considers the reset's sequence number invalid.
