SlideShare a Scribd company logo

Eu 17-levomaki-automatic-discovery-of-evasion-vulnerabilities-using-targeted-protocol-fuzzing

Olli-Pekka Niemi
Olli-Pekka Niemi

My presentation in BlackHat EU 2017 with Antti Levomäki

Internet
1 of 18
Download to read offline
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com
WHO? ANTTI LEVOMÄKI Research Scientist OLLI-PEKKA NIEMI Director of Research
WHAT? NETWORK EVASIONS + FUZZING = Automated method for finding evasion vulnerabilities in modern up-to-date IPS & NGFW System
Evasions discovered by Ptacek and Newsham still work against modern IPS and NGFW system Lack of modern tools to highlight the risks of evasion vulnerabilities Configuring IPS systems to detect and prevent evasions can be really hard Increase the awareness to persuade vendors to fix evasion gaps WHY?
Result of a different interpretation of traffic by a security device than by the victim endpoint Robustness principle: “Be conservative in what you do, be liberal in what you accept from others”, Jon Postel Ptacek & Newsham paper: “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, 1998 NETWORK EVASIONS
2009 Research published 2010 AET Threat Identified 2012 Evader released as freeware 2013 BlackHat Talk 2017 Relaunch. AET Threat still present Applies evasion to attacks to bypass virtual patching and intrusion prevention. INTRODUCTION TO EVADER
Implements a few well known and old exploits to test traffic inspection Userspace TCP/IP stack with atomic evasions on all network layers Atomic evasions produce mostly valid transformations to traffic Combinations produce interesting traffic => at least 245 - 2186 possible combinations depending on protocols => far too many to handle as a special case in IPS/NGFW EVADER
TEST METHODOLOGY Attacker Security Device Target Verify Connectivity Verify Backdoor port availability* Send Exploit Connect to backdoor* CVE-2008-4250, MSRPC Server Service Vulnerability CVE-2004-1315, HTTP phpBB highlight CVE-2014-0160 Heartbleed *Heartbleed success is determined based on data leaked. No backdoor / post compromise
Cannot test all dynamic combinations => generate random combinations and test them rapidly Cannot ensure that all combinations produce valid traffic => use real exploit and victim host. If the exploit works, traffic is valid. Cannot know what the IPS/NGFW is doing => configure to terminate everything it thinks is malicious. IDEA
MONGBAT Fuzz generator for Evader, runs parallel Evader instances with random evasion combinations targeting specific parts of networking protocols. Handles addressing and validates the test environment. The evasions and their parameters are selected from the set Evader lists as supported. => validation scripts to drop completely useless combinations => each run is different
MONGBAT Successful attacks are recorded for repeatability Evader command line including Evasions and parameters Random seed Packet captures
DEMO
RESULTS Success/attempts in 10 minutes of fuzz testing Vendor HTTP HTTPS Conficker Heartbleed Vendor I 72 / 12364 crasha 21 / 858 0 / 557 Vendor II 133 / 8481 97 / 4119 16 / 2368 25 / 899 Vendor III 126 / 8788 277 / 4059 15 / 1204 40 / 1092 Vendor IV 746 / 1833 N/Ab 2 / 1077 N/Ab Vendor V 3366 / 8975 2550 / 5970 8 / 3561 50 / 891 Vendor VI 0 / 7366 0 / 6337 0 / 7778 0 / 994
RESULTS Low level evasions can be payload independent => TCP layer evasion discovered with HTTP attack likely also works with HTTPS & SMB/MSRPC Vendor HTTP HTTPS Conficker Heartbleed Vendor I H Vendor II P, C T, H P T Vendor III P, H P, C, T, H P P, C, T Vendor IV P, C, H P, C, T, H C P, C, T Vendor V P, C, T, H P, C, H T Vendor VI P = PAWS C = TCP_CHAFF H = HTTP T = TLS record layer segmentation
CHALLENGES – VENDORS ARE BLOCKING THE TOOL WHAT Block the tool FIX DE:AD:BE:EF Prevent testing by blocking MAC Changed MAC User-Agent “Railforge” Block attack based on User-Agent Change User-Agent TCP Syn Windows Scale 0 Prevent testing by blocking SYN packets OS Spoof to mimic Windows, Linux during 3-W HS Identify Shellbanner Block post compromise and prevent success validation Different mechanism for success validation or custom shell banner High port blocking Block post compromise and prevent success validation Inline shell, visual effect or ack based success indication Blacklist Blacklist IP or subnet used for testing Legitimate clean test pre-exploit test validation
KEY FINDINGS 1. Rapid discovery of working evasions 2. Very difficult to tune security policies to be evasion-proof 3. Low level (TCP) evasions can be payload independent 4. One (1) reliably working evasion is enough to bypass security completely.
antti.levomaki@forcepoint.com opi@forcepoint.com For questions and access to EVADER contact Olli-Pekka Niemi opi@forcepoint.com

Recommended

Metasploit Framework Executable Encoding
Metasploit Framework Executable EncodingMetasploit Framework Executable Encoding
Metasploit Framework Executable Encoding
technology_flow
 
Port Scanning Overview
Port Scanning OverviewPort Scanning Overview
Port Scanning Overview
Publicly traded global multi-billion services company
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
amiable_indian
 
IDS & Passive Network Defense
IDS & Passive Network DefenseIDS & Passive Network Defense
IDS & Passive Network Defense
Salvatore Lentini
 
Netdefender
NetdefenderNetdefender
Netdefender
krishna Maddikara
 
Net Defender
Net DefenderNet Defender
Net Defender
krishna maddikara
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Olli-Pekka Niemi
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
amiable_indian
 

Recommended

Metasploit Framework Executable Encoding
Metasploit Framework Executable EncodingMetasploit Framework Executable Encoding
Metasploit Framework Executable Encoding
technology_flow
 
Port Scanning Overview
Port Scanning OverviewPort Scanning Overview
Port Scanning Overview
Publicly traded global multi-billion services company
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
amiable_indian
 
IDS & Passive Network Defense
IDS & Passive Network DefenseIDS & Passive Network Defense
IDS & Passive Network Defense
Salvatore Lentini
 
Netdefender
NetdefenderNetdefender
Netdefender
krishna Maddikara
 
Net Defender
Net DefenderNet Defender
Net Defender
krishna maddikara
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Olli-Pekka Niemi
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
amiable_indian
 
Cloud Reliability: Decreasing outage frequency using fault injection
Cloud Reliability: Decreasing outage frequency using fault injectionCloud Reliability: Decreasing outage frequency using fault injection
Cloud Reliability: Decreasing outage frequency using fault injection
Jorge Cardoso
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
Force 3
 
Vulnerability
VulnerabilityVulnerability
Vulnerability
Mohit Dholakiya
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Codenomicon
 
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Brian Brazil
 
Identify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesIdentify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilities
GENIANS, INC.
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
Akshay Bansal
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
C4Media
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
A Study Of Open Ports As Security Vulnerabilities In Common User Computers
A Study Of Open Ports As Security Vulnerabilities In Common User ComputersA Study Of Open Ports As Security Vulnerabilities In Common User Computers
A Study Of Open Ports As Security Vulnerabilities In Common User Computers
Joshua Gorinson
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
VeilFramework
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
Asep Sopyan
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
nullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemnullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric System
n|u - The Open Security Community
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
Asep Sopyan
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
Gabriel Mathenge
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1
Barry Greene
 
Wi fi security dedicated architectures
Wi fi security dedicated architecturesWi fi security dedicated architectures
Wi fi security dedicated architectures
paripec
 
Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirts
rahman018755
 
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital PresenceCyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
PC Doctors NET
 

More Related Content

Similar to Eu 17-levomaki-automatic-discovery-of-evasion-vulnerabilities-using-targeted-protocol-fuzzing

Cloud Reliability: Decreasing outage frequency using fault injection
Cloud Reliability: Decreasing outage frequency using fault injectionCloud Reliability: Decreasing outage frequency using fault injection
Cloud Reliability: Decreasing outage frequency using fault injection
Jorge Cardoso
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
Force 3
 
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Brian Brazil
 
Identify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesIdentify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilities
GENIANS, INC.
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
Akshay Bansal
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
Wi fi security dedicated architectures
Wi fi security dedicated architecturesWi fi security dedicated architectures
Wi fi security dedicated architectures
paripec
 

Similar to Eu 17-levomaki-automatic-discovery-of-evasion-vulnerabilities-using-targeted-protocol-fuzzing (20)

Cloud Reliability: Decreasing outage frequency using fault injection
Cloud Reliability: Decreasing outage frequency using fault injectionCloud Reliability: Decreasing outage frequency using fault injection
Cloud Reliability: Decreasing outage frequency using fault injection
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Vulnerability
VulnerabilityVulnerability
Vulnerability
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
 
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
 
Identify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesIdentify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilities
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
A Study Of Open Ports As Security Vulnerabilities In Common User Computers
A Study Of Open Ports As Security Vulnerabilities In Common User ComputersA Study Of Open Ports As Security Vulnerabilities In Common User Computers
A Study Of Open Ports As Security Vulnerabilities In Common User Computers
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
nullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemnullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric System
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1
 
Wi fi security dedicated architectures
Wi fi security dedicated architecturesWi fi security dedicated architectures
Wi fi security dedicated architectures
 

Recently uploaded

Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
ChloeMeadows1
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
lolsDocherty
 

Recently uploaded (16)

Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirts
 
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital PresenceCyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of apps
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdf
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
Premier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfPremier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdf
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptx
 
Topology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdfTopology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdf
 

Eu 17-levomaki-automatic-discovery-of-evasion-vulnerabilities-using-targeted-protocol-fuzzing

  • 1. Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com
  • 3. WHAT? NETWORK EVASIONS + FUZZING = Automated method for finding evasion vulnerabilities in modern up-to-date IPS & NGFW System
  • 4. Evasions discovered by Ptacek and Newsham still work against modern IPS and NGFW system Lack of modern tools to highlight the risks of evasion vulnerabilities Configuring IPS systems to detect and prevent evasions can be really hard Increase the awareness to persuade vendors to fix evasion gaps WHY?
  • 5.
  • 6. Result of a different interpretation of traffic by a security device than by the victim endpoint Robustness principle: “Be conservative in what you do, be liberal in what you accept from others”, Jon Postel Ptacek & Newsham paper: “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, 1998 NETWORK EVASIONS
  • 7. 2009 Research published 2010 AET Threat Identified 2012 Evader released as freeware 2013 BlackHat Talk 2017 Relaunch. AET Threat still present Applies evasion to attacks to bypass virtual patching and intrusion prevention. INTRODUCTION TO EVADER
  • 8. Implements a few well known and old exploits to test traffic inspection Userspace TCP/IP stack with atomic evasions on all network layers Atomic evasions produce mostly valid transformations to traffic Combinations produce interesting traffic => at least 245 - 2186 possible combinations depending on protocols => far too many to handle as a special case in IPS/NGFW EVADER
  • 9. TEST METHODOLOGY Attacker Security Device Target Verify Connectivity Verify Backdoor port availability* Send Exploit Connect to backdoor* CVE-2008-4250, MSRPC Server Service Vulnerability CVE-2004-1315, HTTP phpBB highlight CVE-2014-0160 Heartbleed *Heartbleed success is determined based on data leaked. No backdoor / post compromise
  • 10. Cannot test all dynamic combinations => generate random combinations and test them rapidly Cannot ensure that all combinations produce valid traffic => use real exploit and victim host. If the exploit works, traffic is valid. Cannot know what the IPS/NGFW is doing => configure to terminate everything it thinks is malicious. IDEA
  • 11. MONGBAT Fuzz generator for Evader, runs parallel Evader instances with random evasion combinations targeting specific parts of networking protocols. Handles addressing and validates the test environment. The evasions and their parameters are selected from the set Evader lists as supported. => validation scripts to drop completely useless combinations => each run is different
  • 12. MONGBAT Successful attacks are recorded for repeatability Evader command line including Evasions and parameters Random seed Packet captures
  • 13. DEMO
  • 14. RESULTS Success/attempts in 10 minutes of fuzz testing Vendor HTTP HTTPS Conficker Heartbleed Vendor I 72 / 12364 crasha 21 / 858 0 / 557 Vendor II 133 / 8481 97 / 4119 16 / 2368 25 / 899 Vendor III 126 / 8788 277 / 4059 15 / 1204 40 / 1092 Vendor IV 746 / 1833 N/Ab 2 / 1077 N/Ab Vendor V 3366 / 8975 2550 / 5970 8 / 3561 50 / 891 Vendor VI 0 / 7366 0 / 6337 0 / 7778 0 / 994
  • 15. RESULTS Low level evasions can be payload independent => TCP layer evasion discovered with HTTP attack likely also works with HTTPS & SMB/MSRPC Vendor HTTP HTTPS Conficker Heartbleed Vendor I H Vendor II P, C T, H P T Vendor III P, H P, C, T, H P P, C, T Vendor IV P, C, H P, C, T, H C P, C, T Vendor V P, C, T, H P, C, H T Vendor VI P = PAWS C = TCP_CHAFF H = HTTP T = TLS record layer segmentation
  • 16. CHALLENGES – VENDORS ARE BLOCKING THE TOOL WHAT Block the tool FIX DE:AD:BE:EF Prevent testing by blocking MAC Changed MAC User-Agent “Railforge” Block attack based on User-Agent Change User-Agent TCP Syn Windows Scale 0 Prevent testing by blocking SYN packets OS Spoof to mimic Windows, Linux during 3-W HS Identify Shellbanner Block post compromise and prevent success validation Different mechanism for success validation or custom shell banner High port blocking Block post compromise and prevent success validation Inline shell, visual effect or ack based success indication Blacklist Blacklist IP or subnet used for testing Legitimate clean test pre-exploit test validation
  • 17. KEY FINDINGS 1. Rapid discovery of working evasions 2. Very difficult to tune security policies to be evasion-proof 3. Low level (TCP) evasions can be payload independent 4. One (1) reliably working evasion is enough to bypass security completely.
  • 18. antti.levomaki@forcepoint.com opi@forcepoint.com For questions and access to EVADER contact Olli-Pekka Niemi opi@forcepoint.com