building an ips solution for inline usage during red
play

Building an IPS solution for inline usage during Red Teaming - PowerPoint PPT Presentation

Oct 08, 2023 •112 likes •692 views

Building an IPS solution for inline usage during Red Teaming Repurposing defensive technologies for offensive Red Team operations K. Mladenov A. Zismer { kmladenov,azismer } @os3.nl Master Students in System and Network Engineering University

  1. Building an IPS solution for inline usage during Red Teaming Repurposing defensive technologies for offensive Red Team operations K. Mladenov A. Zismer { kmladenov,azismer } @os3.nl Master Students in System and Network Engineering University of Amsterdam February 2017 K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 1 / 29

  2. Outline Introduction 1 Background information Research question Investigating IDS/IPS engines 2 Types of IDS/IPS engines How can an IPS help? Evading investigation and detection 3 Defeating OS detection Hiding services Conclusion 4 Future work K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 2 / 29

  3. The idea Originally from Deloitte. K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 3 / 29

  4. The idea Originally from Deloitte. For use during penetration tests (Red Teaming) K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 3 / 29

  5. The idea Originally from Deloitte. For use during penetration tests (Red Teaming) Prevent the attackers from doing detectable mistakes K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 3 / 29

  6. Research question In how far is it possible to design a transparent device that disguises an attacker’s computer inside a local network? K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 4 / 29

  7. Research question In how far is it possible to design a transparent device that disguises an attacker’s computer inside a local network? 1 How can outgoing traffic be filtered and sanitised by an IPS? K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 4 / 29

  8. Research question In how far is it possible to design a transparent device that disguises an attacker’s computer inside a local network? 1 How can outgoing traffic be filtered and sanitised by an IPS? 2 How can incoming traffic be handled to evade investigation and detection? K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 4 / 29

  9. Types of IDS/IPS engines Network based Deployed either to listen to replica of the traffic or inline. Can get visibility over the entire network if properly placed. Fail short with encrypted traffic. K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 5 / 29

  10. Types of IDS/IPS engines Network based Host based Deployed either to listen to Can get full visibility over traffic replica of the traffic or inline. about to be { en/de } crypted. Can get visibility over the entire Imposes some difficulty with network if properly placed. managing multiple instances on multiple computers. Fail short with encrypted traffic. K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 5 / 29

  11. Types of IDS/IPS engines Network based Host based Deployed either to listen to Can get full visibility over traffic replica of the traffic or inline. about to be { en/de } crypted. Can get visibility over the entire Imposes some difficulty with network if properly placed. managing multiple instances on multiple computers. Fail short with encrypted traffic. In our case a network-based solution would do the job. But should it be signature or anomaly based? K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 5 / 29

  12. How can intruders get detected? By doing things detectable by an IDS. K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 6 / 29

  13. How can intruders get detected? By doing things detectable by an IDS. But also: Passively Different Operating systems behave in different ways for things not standardised in RFC. Some examples include TTL and initial TCP window size. OS TTL TCP window (B) Windows 7 128 8192 Windows 10 128 8192 Kali Linux 64 29200 K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 6 / 29

  14. How can intruders get detected? By doing things detectable by an IDS. But also: Passively Actively Different Operating systems By doing active scans against behave in different ways for them. things not standardised in RFC. More about to follow. Some examples include TTL and initial TCP window size. OS TTL TCP window (B) Windows 7 128 8192 Windows 10 128 8192 Kali Linux 64 29200 K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 6 / 29

  15. How can an IPS help? By using built-in normalizers. For IP traffic - handle the TTL. For TCP traffic - handle the initial TCP window size. K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 7 / 29

  16. How can an IPS help? By using built-in normalizers. For IP traffic - handle the TTL. For TCP traffic - handle the initial TCP window size. So how did the selected engines perform? IPS Engine TTL handling TCP window handling Snort 2.9.9.0 yes no Snort 3 alpha yes no Suricata 3.2 no no K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 7 / 29

  17. How can an IPS help? By using built-in normalizers. For IP traffic - handle the TTL. For TCP traffic - handle the initial TCP window size. So how did the selected engines perform? IPS Engine TTL handling TCP window handling Snort 2.9.9.0 yes no Snort 3 alpha yes no Suricata 3.2 no no K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 7 / 29

  18. But is really Suricata that bad? Not really. It has LuaJIT support! K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 8 / 29

  19. But is really Suricata that bad? Not really. It has LuaJIT support! And that means scripting, triggered by a rule! Including executing commands from the system shell! drop tcp 10.0.0.200 any -> any any (msg:"TCP SYN for inspection by LUA"; flags:S; sid 1000002; rev :001; luajit:tcpinspect.lua;) K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 8 / 29

  20. How did the IPS get connected to the network? There was a need for a solution that did not require scripting... But how did it get attached in this transparent device? K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 9 / 29

  21. Active detection TCP/IP fingerprinting K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 10 / 29

  22. Active detection TCP/IP fingerprinting Service and version detection K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 10 / 29

  23. TCP/IP fingerprinting unspecified situations in the RFCs of TCP/IP K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 11 / 29

  24. TCP/IP fingerprinting unspecified situations in the RFCs of TCP/IP → different OS specific implementations of the TCP/IP stack K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 11 / 29

  25. TCP/IP fingerprinting unspecified situations in the RFCs of TCP/IP → different OS specific implementations of the TCP/IP stack Nmap sends a variety of probing packets ICMP TCP UDP K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 11 / 29

  26. TCP/IP fingerprinting unspecified situations in the RFCs of TCP/IP → different OS specific implementations of the TCP/IP stack Nmap sends a variety of probing packets ICMP TCP UDP results of different tests are combined to create an individual fingerprint K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 11 / 29

  27. TCP/IP fingerprinting unspecified situations in the RFCs of TCP/IP → different OS specific implementations of the TCP/IP stack Nmap sends a variety of probing packets ICMP TCP UDP results of different tests are combined to create an individual fingerprint known OS/fingerprint mappings are stored in a database K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 11 / 29

  28. Nmap OS fingerprint format SCAN(V=5.05 BETA1%D=8/23% OT =22% CT =1% CU =42341% PV=N%DS =0% DC=L%G=Y%TM=4 A91CB90% P=i686 -pc -linux -gnu) SEQ(SP=C9%GCD =1% ISR=CF%TI=Z%CI=Z%II=I%TS=A) OPS(O1= M400CST11NW5 %O2= M400CST11NW5 %O3= M400CNNT11NW5 % O4= M400CST11NW5 %O5= M400CST11NW5 %O6=M400CST11) WIN(W1 =8000% W2 =8000% W3 =8000% W4 =8000% W5 =8000% W6 =8000) ECN(R=Y%DF=Y%T=40%W=8018%O= M400CNNSNW5 %CC=N%Q=) T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD =0%Q=) T2(R=N) T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O= M400CST11NW5 %RD =0%Q=) T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD =0%Q=) T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD =0%Q=) T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD =0%Q=) T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD =0%Q=) U1(R=Y%DF=N%T=40% IPL =164% UN =0% RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(R=Y%DFI=N%T=40% CD=S) K. Mladenov, A. Zismer (UvA) IPS solution for Red Teaming February 2017 12 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Evaluating Learnability of - User interface and inline help - Inline/Online Tutorials Aim:

Evaluating Learnability of - User interface and inline help - Inline/Online Tutorials Aim:

INF3280, 10 March, 2016 Evaluating Learnability of - User interface and inline help - Inline/Online Tutorials Aim: Evaluate learnability Basis for Assignment 5 Core literature Chapter 6.4 Grossman et.al. (2009) A Survey of

385 views • 4 slides
CSS POSITIONING (PUTTING HTML IN ITS PLACE) BLOCK VS. INLINE H1 PAGE H2 P FLOW P P BLOCK

CSS POSITIONING (PUTTING HTML IN ITS PLACE) BLOCK VS. INLINE H1 PAGE H2 P FLOW P P BLOCK

CSS POSITIONING (PUTTING HTML IN ITS PLACE) BLOCK VS. INLINE H1 PAGE H2 P FLOW P P BLOCK VS. INLINE H1 width: 300px STILL DOWN HERE H2 P P P BLOCK-LEVEL ELEMENTS INSIST ON TAKING UP THEIR OWN LINE. ON THE OTHER HAND, INLINE

741 views • 51 slides
Urban Building Usage Labeling by Geometric and Context Analyses of the Footprint Data Hai Huang,

Urban Building Usage Labeling by Geometric and Context Analyses of the Footprint Data Hai Huang,

Institute of Cartography and Geoinformatics | Leibniz Universitt Hannover Urban Building Usage Labeling by Geometric and Context Analyses of the Footprint Data Hai Huang, Birgit Kieler and Monika Sester Introduction The Usage (use and

915 views • 22 slides
Li Linux ux API PI Us Usage an and Com ompa patibility tibility : System Building: When

Li Linux ux API PI Us Usage an and Com ompa patibility tibility : System Building: When

A Stu tudy dy of of Mod odern ern Li Linux ux API PI Us Usage an and Com ompa patibility tibility : System Building: When You Become a Parent Our experience from building a OS with Linux API support ( Graphene library OS

210 views • 19 slides
Commercial Building Integrated Security Solution See Far , Go Further Contents 1 Vertical

Commercial Building Integrated Security Solution See Far , Go Further Contents 1 Vertical

Commercial Building Integrated Security Solution See Far , Go Further Contents 1 Vertical Requirements Analysis 2 System Architecture 3 Solution Application 4 Successful Cases Requirement Analysis Personnel Safety Internal Management

705 views • 54 slides
Financial & Market analysis of TESSe2b solution Dr. Olympia Polyzou, Dr. Spyridon Karytsas

Financial & Market analysis of TESSe2b solution Dr. Olympia Polyzou, Dr. Spyridon Karytsas

Thermal Energy Storage Systems Thermal Energy Storage Systems for energy efficient building an integrated solution for residential for energy efficient building an integrated solution for residential building energy storage by solar and

371 views • 18 slides
Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda

Win at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour Agenda Reverse Engineering Primer Approaches to Dynamic Analysis Inline Hooks Advantages Over Other Techniques Usages 2 Reverse Engineering

379 views • 19 slides
In-building Coverage Solutions KULASEKARAN. P Technical Specialist - RF ( Inbuilding Radio

In-building Coverage Solutions KULASEKARAN. P Technical Specialist - RF ( Inbuilding Radio

In-building Coverage Solutions KULASEKARAN. P Technical Specialist - RF ( Inbuilding Radio Network Planner) Bangalore. (INDIA) 12/13/2005 1 In-Building Solution What is an In-Building Solution & Why is it required ? It is a

619 views • 31 slides
Inline Functions http://cs.mst.edu #include <iostream> using namespace std; float

Inline Functions http://cs.mst.edu #include <iostream> using namespace std; float

Inline Functions http://cs.mst.edu #include <iostream> using namespace std; float calc_iq( const float hatsize, const int age, const float num_feet); inline float square(const float x) {return x*x;} void some_other_function (char

94 views • 6 slides
CheckMate Inline Check Valve Red Valve Company CheckMate Check Valve Red Valve Company 1

CheckMate Inline Check Valve Red Valve Company CheckMate Check Valve Red Valve Company 1

CheckMate Inline Check Valve Red Valve Company CheckMate Check Valve Red Valve Company 1 CheckMate Inline Check Valve Closed Opening Red Valve Company System Challenges CSO communities are looking for a long term approach to prevent

658 views • 20 slides
PC BUILDING PRESENTED BY WHAT IS A PC General purpose Personal Computer for individual usage

PC BUILDING PRESENTED BY WHAT IS A PC General purpose Personal Computer for individual usage

PC BUILDING PRESENTED BY WHAT IS A PC General purpose Personal Computer for individual usage Macintosh 1984 WHAT IS A PC General purpose Personal Computer for individual usage IBM Personal Computer XT 1988 WHAT IS A PC General purpose

590 views • 35 slides
S OF PIPE L INE DACON AND INL INE INSPE CT ION Dac on we ll- known for UT base d inline

S OF PIPE L INE DACON AND INL INE INSPE CT ION Dac on we ll- known for UT base d inline

MF L INSPE CT ION IO N SERVIC ES I PIPESURVEY INT DAC O N INSPEC T ERNAT IO NAL S OF PIPE L INE DACON AND INL INE INSPE CT ION Dac on we ll- known for UT base d inline inspe c tion UT tools pr ovide unr ivale d

515 views • 29 slides
Simple Steps for Building a Scalable BI Solution on MySQL 5.7, its JSON functionality and

Simple Steps for Building a Scalable BI Solution on MySQL 5.7, its JSON functionality and

Simple Steps for Building a Scalable BI Solution on MySQL 5.7, its JSON functionality and ElasticSearch / Intro Who is Pavel? Pepper.com ? / For what is this talk about How we get data from around the world in realtime? How we maintain and

504 views • 19 slides
Inline Evaluation of Hybrid Knowledge Bases Guohui Xiao Vienna PhD School of Informatics

Inline Evaluation of Hybrid Knowledge Bases Guohui Xiao Vienna PhD School of Informatics

Inline Evaluation of Hybrid Knowledge Bases Guohui Xiao Vienna PhD School of Informatics Institute of Information Systems Vienna University of Technology January 23, 2014 1/71 Inline Evaluation of Hybrid KBs Hybrid Knowledge Bases Hybrid

1.78k views • 145 slides
Appendix A: Direct comparison of features in Blackboard and Canvas. Features Canvas Blackboard

Appendix A: Direct comparison of features in Blackboard and Canvas. Features Canvas Blackboard

Appendix A: Direct comparison of features in Blackboard and Canvas. Features Canvas Blackboard Authoring/Editing Course Navigation is X X customizable Inline Editing X X Assignments with inline X+ X- (inline grading is editing

556 views • 44 slides
Euthanasia and PAS Euthanasia an ambigous concept Analytical usage vs. normative usage

Euthanasia and PAS Euthanasia an ambigous concept Analytical usage vs. normative usage

11/23/17 Introduction Euthanasia and PAS Euthanasia an ambigous concept Analytical usage vs. normative usage WMA European Region Meeting Ethics Human Rights (National) Legal on End-of Life Questions Systems Common

313 views • 3 slides
FY2017 IR Presentation Zhaopin Limited August 2017 Safe Harbor Statement and Disclaimer This

FY2017 IR Presentation Zhaopin Limited August 2017 Safe Harbor Statement and Disclaimer This

FY2017 IR Presentation Zhaopin Limited August 2017 Safe Harbor Statement and Disclaimer This presentation contains forward- looking statements made under the safe harbor provisions of Section 21E of the Securities Exchange Act of 1934, as

573 views • 20 slides
Transitioning from College to Careers Dr. Marsha Fralick Ice Breaker Find a partner Introduce

Transitioning from College to Careers Dr. Marsha Fralick Ice Breaker Find a partner Introduce

Transitioning from College to Careers Dr. Marsha Fralick Ice Breaker Find a partner Introduce yourself Where do you work? What career did you get? Does it match your personality type, interests or values? Overview The problem The

512 views • 48 slides
Literary Elements OB OBJE JECT CTIVES IVES Identify elements of a short story Define

Literary Elements OB OBJE JECT CTIVES IVES Identify elements of a short story Define

Literary Elements OB OBJE JECT CTIVES IVES Identify elements of a short story Define elements of a short story Demonstrate mastery of short story elements OV OVERV ERVIE IEW Short t stories es often en contain n structura

235 views • 20 slides
Paddy Pow er Betfair plc 2018 Interim Results 2 H1 Summary Difficult Q1 followed by a more

Paddy Pow er Betfair plc 2018 Interim Results 2 H1 Summary Difficult Q1 followed by a more

Paddy Pow er Betfair plc 2018 Interim Results 2 H1 Summary Difficult Q1 followed by a more favourable Q2 All divisions contributed to double-digit Q2 revenue growth Good progress against our strategic priorities, particularly in

527 views • 28 slides
DIRECTION, INSPIRATION, & MOTIVATION GRACE WILLERTON, GCDF UNM ADVISOR INSTITUTE SEPTEMBER

DIRECTION, INSPIRATION, & MOTIVATION GRACE WILLERTON, GCDF UNM ADVISOR INSTITUTE SEPTEMBER

CAREER TOOLS TO HELP STUDENTS FIND DIRECTION, INSPIRATION, & MOTIVATION GRACE WILLERTON, GCDF UNM ADVISOR INSTITUTE SEPTEMBER 18, 2018 OUR STUDENTS May feel lost about their future, directionless, unmotivated, or searching for the right

802 views • 22 slides
Transparency & investor protection Implications for accounting and auditing Barcelona,

Transparency & investor protection Implications for accounting and auditing Barcelona,

Transparency & investor protection Implications for accounting and auditing Barcelona, October 18, 2013 Oriol Amat UPF Programme 1.Introduction 2.Assessing solvency and forecasting bankruptcy 3.Misleading information 4.Conclusions 1

146 views • 14 slides
District 6440 Illinois Joe Leonas, Chief of Police Agenda Introduction Concept of

District 6440 Illinois Joe Leonas, Chief of Police Agenda Introduction Concept of

Rotary Presentation Lincolnshire Morning Star District 6440 Illinois Joe Leonas, Chief of Police Agenda Introduction Concept of community trust Guardian vs Warrior philosophy Campaign Zero, #8CANTWAIT, and the Lincolnshire

387 views • 15 slides
7/19/2016 1 Columbia Police Department 2 Our Mission The Columbia Police Department will

7/19/2016 1 Columbia Police Department 2 Our Mission The Columbia Police Department will

7/19/2016 1 Columbia Police Department 2 Our Mission The Columbia Police Department will provide professional and ethical service in protection of our citizens while preventing crime and reducing the fear of crime through problem solving

274 views • 4 slides

More recommend