Monday, August 4, 2014

NIDS Evasion

Network Intrusion Detection Systems are pretty darn good at what they do. So why avoid detection when we can just point the finger at some other poor soul? Nmap provides a fantastic method for blindly scanning a target by way of an idle host, which lets us execute a scan without ever sending packets directly from our own IP address. Instead, we bounce packets off a “zombie” host.

Zombie Host Selection

In order for this scan to work we need a “zombie” host. A zombie host is any system that is currently idle (i.e., not generating any network traffic of its own). This matters because we must be able to predict the zombie's IP-IDs in order to determine which ports on the target are open. Luckily, Metasploit steps in to make our lives easier with its ipidseq module. This module can be configured to run over large IP address blocks and report on all idle host candidates.

msf auxiliary(ipidseq) > set RHOSTS 192.168.122.0/24
RHOSTS => 192.168.122.0/24
msf auxiliary(ipidseq) > run

[*] 192.168.122.1's IPID sequence class: All zeros
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] 192.168.122.78's IPID sequence class: All zeros
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] 192.168.122.172's IPID sequence class: All zeros
[*] Scanned 180 of 256 hosts (070% complete)
[*] 192.168.122.189's IPID sequence class: Incremental!
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] 192.168.122.239's IPID sequence class: Incremental!
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

From the above ipidseq scan you can see that two hosts (192.168.122.189 and 192.168.122.239) have an incremental IP-ID sequence, so we have two zombies to choose from; the "All zeros" hosts are no use because their IP-ID never changes. We are going to select 192.168.122.189 as our zombie. We can now use this idle host in our nmap scan. Denoting our target as xx.xx.xx.xx, the syntax of the command will look similar to the following:

# nmap -Pn -p- -sI 192.168.122.189 xx.xx.xx.xx

Diagrams

Below are some diagrams depicting how the TCP idle scan determines open ports.

The first diagram shows that during the TCP idle scan, the attacker first sends a SYN/ACK to the zombie. The zombie host, not expecting a SYN/ACK, responds with an RST packet, disclosing its current IP-ID. This number is important and will be used later.


In the next phase of the scan, the attacker spoofs the source address of a SYN packet so that it appears to come from the zombie host, and sends it to the target.

As we can see from the diagram, if the port is open the SYN causes the target to send a SYN/ACK to the zombie. In response to the unexpected SYN/ACK, the zombie replies with an RST.

The attacker then probes the zombie once more with a SYN/ACK in order to obtain its new IP-ID. It is the comparison of the two IP-IDs that determines whether the port is open or closed.

As you can see, the IP-ID has increased by 2, indicating an open port. An increase of 1 would indicate a closed port: the target would have sent an RST, which the zombie does not respond to, so the zombie's IP-ID would not have been incremented by the extra packet.
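As an added illustration (not code from the original post), the following Python model replays the three-step exchange from the diagrams with a toy zombie and a toy target, classifies a port from the IP-ID delta, and mirrors the ipidseq classification from the earlier section; class and function names are assumptions. It also shows why a host that randomizes its IP-IDs (the fix that stops a host being usable as a zombie) defeats the inference, and that a filtered port leaves exactly the same trace as a closed one.

```python
import random

class Zombie:
    """Toy model of the idle host (constructed): one global IP-ID counter bumped
    by 1 per packet sent, i.e. the 'Incremental' class ipidseq reports above.
    randomized=True models a stack that draws a fresh IP-ID for every packet."""
    def __init__(self, start=1000, randomized=False):
        self.ipid, self.randomized = start, randomized

    def send(self):
        """Emit one packet and return the IP-ID written into its header."""
        if self.randomized:
            return random.getrandbits(16)
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

class Target:
    """Toy model of the scanned host (constructed): SYN/ACK for open ports,
    RST for closed ones, silence for ports a firewall drops."""
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)

    def on_syn(self, port):
        if port in self.filtered_ports:
            return None  # dropped: nothing is sent back to the zombie
        return "SYN/ACK" if port in self.open_ports else "RST"

def idle_probe(zombie, target, port):
    """Replay the three-step exchange from the diagrams and classify one port."""
    ipid_before = zombie.send()  # step 1: attacker's SYN/ACK -> zombie RSTs, revealing IP-ID
    reply = target.on_syn(port)  # step 2: SYN that appears to come from the zombie
    if reply == "SYN/ACK":
        zombie.send()            # zombie RSTs the target's SYN/ACK, consuming one more ID
    ipid_after = zombie.send()   # step 3: attacker re-probes the zombie
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"  # an RST and silence leave the same trace
    return "unknown"              # zombie not idle, or its IP-IDs not predictable

def ipid_sequence_class(samples):
    """Classify a list of observed IP-IDs roughly the way ipidseq does."""
    if all(s == 0 for s in samples):
        return "All zeros"
    deltas = [(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])]
    return "Incremental" if deltas and all(d == 1 for d in deltas) else "Randomized"
```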
