Chapter 16 Evading IDSs, Firewalls, and Honepots Flashcards Preview

CEH - Certified Ethical Hacker > Chapter 16 Evading IDSs, Firewalls, and Honepots > Flashcards

Flashcards in Chapter 16 Evading IDSs, Firewalls, and Honepots Deck (27)
Loading flashcards...
1
Q

IDS

A

application used to gather and analyze info that passes through a NW or host

designed to analyze, identify, and report any violations or misuse of NW

main purpose: to detect and alert admin about attack

2
Q

NIDS vs packet sniffer

A

NW IDS is a packet sniffer at its core, but an NIDS includes a rules engine to determine malicious vs legit traffic

3
Q

Four types of IDS: Each of these perform something the other does not

NIDS
HIDS
LFM IDS
FILE INTEGRITY CHECKING MECHANISMS

A

1) NIDS //inspect every packet entering the NW for malicious activity and to throw an alert if found; can monitor from router to host; can be in form of dedicated computer or black box design (dedicated device)
2) HIDS //host-based IDS// installed on server or computer //monitoring activities on a specific system or host; detects misuse of system, insider abuse
3) LFM IDS //Log file monitors //monitors log files created by NW services, identifies malicious events; (tool: swatch)
4) FILE INTEGRITY CHECKING MECHANISMS //checks for trojans or altered files indicating an intruder has been there (tools: tripwire)

4
Q

IDS Detection Methods (how does it rule out what is an attack and what is not?)

SIGNATURE
ANOMALY DETECTION
PROTOCOL

A

SIGNATURE or MISUSE DETECTION //compares traffic to known models or attacks;
PROS effective for known attacks
CONS poor at detecting attacks not in its DB, other traffic could trigger false positive; improper signatures could result in false positive or false negative; as signature DB increases, time to analyze increases, traffic may be dropped, evolution of attacks, signature files must be updated often

ANOMALY DETECTION //any activity that matches something in the DB is considered an anomaly; any deviation from normal activity is regarded as an attack;
must be set up to understand what normal activity is, if not configured correctly false + and false - become a prob

//a learning type mode is available to allow the system to learn and observe how your specific nw looks over time

PROTOCOL DETECTION //uses known specifications for a protocol to determine anomalies; new attacks can be discovered before signature or anomaly detection; this is the ONLY method where signature updates are not required

5
Q

False Negative vs False Positive

A

A false negative is an alert that should’ve happened, but didn’t

A false positive is an alert that happened, but shouldn’t have

6
Q

Types of Intrusions

HOST SYSTEM INTRUSIONS
NW INTRUSIONS

A

HOST SYSTEM INTRUSIONS //unknown files, altered files

NW INTRUSIONS //increased or unexplained use of NW bandwidth, connection requests from unknown IPs, repeated login attempts from remote host, unknownlog files

NONSPECIFIC SIGNS OF INTRUSION //buncha random jibberish

7
Q

IPS

A

works like IDS, but with added capability to shut down an attack by reconfiguring FWs and routers or lock down a system at the host level

8
Q

Firewalls

A

represent a barrier between two zones (private and public NW)

//collection of programs and services located at the CHOKE POINT (or the location where traffic enters and exits the NW); designed to filter all traffic flowing in and out, determines if traffic should be allowed to continue

//form of IDS

9
Q

Firewalls and Routers and NIDS

A

placing a router in front of a firewall can help reduce the load placed on the router allowing it to perform more efficiently

can also install NIDS alongside FW to monitor and identify how well the FW is functioning

10
Q

Firewall Configs

BASTION HOST
SCREENED SUBNET
MULTHOMED FIREWALL

A

BASTION HOST //hosts nothing other than what it needs to perform its defined role (to protect resources from attack) This host has two interfaces: one connected to the public NW and the other to the internal NW

SCREENED SUBNET //uses single firewall with 3 built-in interfaces: internet, DMZ, intranet; each area is separated from one another, they are connected to its own interface;
PRO - prevents one area from affecting another

MULTIHOMED FIREWALL //two or more NWs; each interface is connects to its own NW segment logically and physically; used to increase efficiency and reliability of an IP nw; more then 3 interfaces are present

11
Q

DMZ - Demilitarized Zone

A

buffer zone between public and private NWs in an organization;

also a way to host services that a company wishes to make publicly available without allowing direct access to their own internal nw

always constructed through firewall; 3 or more interfaces such as internal trusted NW, DMZ NW, and external untrusted NW

12
Q

Types of Firewalls

PACKET FILTERING FIREWALL
CIRCUIT-LEVEL GATEWAY
APPLICATION-LEVEL FIREWALL
STATEFUL MULTILAYER INSPECTION FIREWALL

A

PACKET FILTERING FIREWALL //works at NW layer, typically built directly into router; compares properties of packet such as source and destination address, protocol, port;

CIRCUIT-LEVEL GATEWAY //works at session layer; detects whether requested session is valid by checking TCP handshake; do not filter individual packets

APPLICATION-LEVEL FIREWALL //analyze application info to make decisions about whether to transmit packets

(((PROXY-BASED FIREWALL //works at applications layer, asks for authentication to pass packets

//content caching proxy optimizes performance by caching frequently access info instead of sending new requests for same data to servers)))

STATEFUL MULTILAYER INSPECTION FIREWALL //combines the aspect of other three types of FWs; Filters packets at the NW layer to determine whether session packets are legit, and evaluate contents of packets at app layer; (The inability of the packet filter firewall to check header of packets is overcome by stateful packet filter)
//analyzes status of traffic
13
Q

What’s that firewall running?

general
FIREWALKING

A

To determine type of FW or brand, use port scanning and see what ports the FW is listening on

or use Telnet to perform banner grabbing (enumeration to see what services are running on open ports)

FIREWALKING //probing a firewall to determine the configuration of ACLs by sending TCP and UDP packets at the firewall; packets are set to have one more hop in their TTL to get them past firewall

to perform, you need 3 components:

1) Firewalking - hosting system outside target nw
2) Gateway - host system on NW connect to internet
3) Destnation - host system on NW packets are addressed to

**Tools: command-line tool called firewalk

can use packet crafters or port redirection to evade configuration on firewall

14
Q

Honeypots

Two main categories:
Low-interaction honeypots
High-interaction honeypots

A

used to attract and trap attackers training to gain access to system, also used to just gain information, not used to address security problems

LOW-INTERACTION HONEYPOTS // rely on the emulation of service and programs that would be found on a vulnerable system; if attacked, system throws error

HIGH-INTERACTION HONEYPOTS //more complex; no longer just single system that looks vulnerable but an entire NW aka HONEYNET; in addition to emulation, real systems with real apps are present

15
Q

IDS Evasion Techniques

DoS vs IDS
OBFUSCATING
CRYING WOLF
SESSION SPLICING

(Fun with Flags)
BOGUS RST
SENSE OF URGENCY

ENCRYPTION (MOST EFFECTIVE)

A

DoS vs IDS //use enumeration techniques and system hacking to determine what resources are under load or are vital to proper functioning of IDS, now clog up resources to make IDS not function properly

OBFUSCATING //IDS relies on reading information, if we manipulate info so that IDS cannot understand it but the target can; can be done through manual manipulation of code or use of an OBFUSCATOR;
(One example that is successful against older IDSs is use of Unicode; by changing standard code such as HTTP requests/responses to their unicode equiv, web server understands but IDS does not)

CRYING WOLF //as the story states, an attacker can target the IDS with an actual attack causing IDS to alert owner; if done repeatedly, but nothing happening on the system, owner will eventually ignore it; (will become false positives to the owner) eventually attacker will actually strike

SESSION SPLICING //some IDSs do not reassemble or rebuild sessions before analyzing traffic; possible to tamper with fragment packets in a way IDS cannot analyze them and forwards them to host
//adjust fragmentation so IDS takes longer to reassemble fragments or adjust fragments such that when reassembled they overlap causing problems for IDS

(Fun with flags: TCP uses flags to describe status of packet)
BOGUS RST //RST is used to end 2 way communications between endpoints; in addition checksums are used to verify integrity of packet to ensure what was received was sent originally; an attacker can alter checksum, IDS will not process packet, and the traffic passes by IDS without raising an alert

SENSE OF URGENCY //URG flag used to mark data urgent; all info before is ignored to process urgent data; some IDSs do not take previous data into account and let it pass

ENCRYPTION //MOST EFFECTIVE, some IDSs cannot process encrypted traffic and let it pass

16
Q

Evading Firewalls

IP ADDRESS SPOOFING
SOURCE ROUTING
FRAGMENTATION
IP ADDRESS TO ACCESS WEBSITES
USING ICMP TUNNELING
USING ACK TUNNELING
HTTP TUNNELING
A

IP ADDRESS SPOOFING //pretending to be a trusted source

SOURCE ROUTING //attacker designates the route a packet should take (a way to prevent this is to configure router to ignore any source routing attempts)

FRAGMENTATION //attacker uses IP fragmentation technique to create extremely small fragments and force into TCP header info into next fragment; IDS ignores TCP flags, only checks first octet

IP ADDRESS TO ACCESS WEBSITES //use of IP address in place of URL; Some firewalls only look at URLs instead of actual IP addresses;
Tools: host2ip //converts URLs to IP addresses

USING ICMP TUNNELING //ICMP protocol defines format and structure of packet, but not what is carried in it so malicious code can be put in there
*Tools: Loki, Ncovert, 007shell //tunnels commands in ICMP packet

USING ACK TUNNELING //some firewalls do not check packets that have ACK bit configured; the reason is bc ACK packets are used to respond to previous, assumed legit traffic already approved; An attacker can send packets with ACK flag set using tool such as AckCmd

HTTP TUNNELING //most easiest since HTTP is already allowed through many firewalls as normal operation;
Tools to exploit HTTP: HTTPTunnel

17
Q

Testing your Firewall

A

1) Footprint the target
2) perform port scanning
3) perform banner grabbing against open ports
4) attempt firewalking
5) disable trusted hosts
6) perform ip address spoofing
7) perform source routing
8) substitute an ip address for a url
9) perform a fragmentation attack
10) use an anonymizer
11) make use of a proxy server to bypass a firewall
12) use icmp tunneling
13) use ack tunneling

18
Q

Testing IDS

A

1) disable trusted hosts
2) attempt insertion attack
3) implement evasion techniques
4) perform dos
5) use code obfuscation
6) perform false positive generation technique
7) attempt a unicode attack
8) perform a fragmentation attack

19
Q

Altering a checksum of a packet can be used to do what?

a //send a RST
b //send a URG
c //reset a connection
d //evade an NIDS

A

d // evade an NIDS

20
Q

which of the following can be used to evade an IDS

a//packet sniffing
b//port scanning
c//enumeration
d//encryption

A

d//encryption

21
Q

An anomaly-based NIDS is designed to look for what

a//patterns of known attacks
b//deviations from known traffic patterns
c//log alterations
d//false positives

A

b//deviations from known traffic patterns

22
Q

multhomed firewall has a minimum of how many nw connections

a//2
b//3
c//4
d//5

A

b//3

23
Q

DMZ is created with which of the following

a//firewall and a router
b//multihomed firewall
c//two routers
d//multihomed router

A

b//multihomed firewall

24
Q

What is a system used as a chokepoint for traffic?

a//ids
b//dmz
c//bastion host
d//snmp host

A

c//bastion host

25
Q

at which layer of the osi model does a packet filtering firewall work

a//1
b//2
c//3
d//4

A

c//3 network layer

26
Q

what type of firewall analyzes the status of traffic

a//circuit level
b//packet filtering
c//stateful inspection
d//nids

A

c//stateful inspection

27
Q

what can be used instaed of a url to evade some firewalls

a//ip address
b//encryption
c//stateful inspection
d//nids

A

a//ip address