Saturday, June 27, 2009

Bypassing IPS: A Penetration Tester's Perspective

IPS (Intrusion Prevention System) technology was designed to cover the shortcomings of IDS systems. In technical terms, it not only detects malicious packets but also prevents them from entering the secure zone of your network. Basic firewalls are only capable of scanning and examining packet headers, but an IPS also inspects the payload inside them. An intrusion prevention system uses deep packet inspection (DPI) to test protocol headers and payloads, gathering more information on attack patterns and anomalous behaviour and controlling network traffic intelligently. A basic IPS deployment can be built with open source tools such as Snort inline + iptables. With this kind of basic configuration, a security administrator is able to capture malicious packets (snort_inline) and block (iptables) the rest of that traffic from reaching the vulnerable host.

Now let's take a look at the evasion techniques used to bypass these intrusion prevention systems. There are several IPS vendors in the market today, such as:

- Cisco
- 3Com
- Cyberoam
- Fortinet
- Checkpoint
- Sourcefire
- Third Brigade
- eEye
- Juniper
- Radware
- TippingPoint
- ForeScout
- IntruPro
- StoneGate
- DeepNines
- Enterasys

and others...

These vendors design their IPS technology in different ways, but their basic approach to stopping bad network packets remains similar. With a strong knowledge of TCP/IP, an attacker can easily bypass the IPS and deliver malicious packets destined for the vulnerable host. The technique is known as "packet fragmentation". It is an old method, but it is still useful for bypassing some vendors' IPS products. The task of generating and routing the fragmented packets can be accomplished with the 'Fragroute' tool; 'Nmap' can do similar things with its '-f' option.
Recently, while conducting a penetration test, I found that the DMZ network was protected by an IPS. Although I am not going to disclose the vendor name, I will explain the method I used to reach the web application server with malicious SQL/XSS queries. However, it should be noted that not all vendors are vulnerable to these specific attacks.

Fragroute helps the pentester intercept, modify and rewrite egress traffic according to the rules defined in its configuration file. Fragroute reads one rule per line, so the configuration file located at '/etc/fragroute.conf' was modified to contain the following rules:

tcp_seg 24
ip_frag 64
tcp_chaff paws
print

This configuration segments the TCP data into forward-overlapping 24-byte segments, derives 64-byte IP fragments from them, interleaves overwriting random chaff segments that carry older timestamps (which the target's PAWS check eliminates), and prints the output. Fragroute changed the sequence of the generated traffic and directed it from my attacking machine to the vulnerable host, bypassing the IPS. It is recommended that these settings be tested in a controlled environment before applying them on a live network.
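As an added illustration (not part of the original post), the following Python toy models the two effects described above from the IPS's side: overlapping segments reassembled under a different policy than the target host uses, and chaff segments with stale timestamps that the host's PAWS check drops. An IPS that does not apply the host's rules before inspection ends up inspecting different bytes than the host receives. The segments, request bytes and timestamp values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes
    tsval: int    # TCP timestamp option value carried by the segment

def paws_filter(segments: list) -> list:
    """Host-side PAWS check: drop any segment whose timestamp is older than the newest accepted."""
    accepted, newest = [], None
    for s in segments:
        if newest is not None and s.tsval < newest:
            continue                  # stale chaff: the host never sees it
        accepted.append(s)
        newest = s.tsval if newest is None else max(newest, s.tsval)
    return accepted

def reassemble(segments: list, favor: str = "first") -> bytes:
    """Rebuild the stream from overlapping segments. favor="first" keeps the
    earliest bytes seen for an offset; favor="last" lets later ones overwrite."""
    stream = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if favor == "last" or off not in stream:
                stream[off] = b
    return bytes(stream[k] for k in sorted(stream))

def overlapping_offsets(segments: list) -> set:
    """Offsets covered by more than one segment; overlap is itself alert-worthy."""
    seen, dup = set(), set()
    for s in segments:
        for off in range(s.seq, s.seq + len(s.data)):
            (dup if off in seen else seen).add(off)
    return dup

def host_view(segments: list) -> bytes:
    """What the protected host reconstructs: PAWS check, then reassembly."""
    return reassemble(paws_filter(segments), favor="first")

# Constructed sample: a chaff segment with a stale timestamp and junk bytes
# arrives just before the real bytes it overlaps.
SAMPLE = [Segment(0, b"GET /?id=", 100),
          Segment(9, b"XXXXXX", 40),     # chaff: old tsval, dropped by PAWS
          Segment(9, b"1 HTTP", 101)]    # the bytes the host actually gets

if __name__ == "__main__":
    print("naive IPS:", reassemble(SAMPLE))   # b'GET /?id=XXXXXX'
    print("host     :", host_view(SAMPLE))    # b'GET /?id=1 HTTP'
```

The defensive takeaway is that an inspector must apply the same timestamp and overlap rules as the host it protects, and that any overlap at all is a signal worth alerting on.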

The network layout was simple: {Attacker<-->(Fragroute)-->Internet-->IPS-->Webserver}

It's worth noting that we don't need a local proxy to browse the remote web application (which is true of many web application auditing tools). So simply browsing and injecting the application with SQL and XSS queries worked very well this time. Another technique that can be used in conjunction with fragroute is gzip encoding, for evasion purposes.

Problems with IPS
Two major problems should be outlined when we talk about IPS deployment:
- False positives (exact signatures are needed)
- Performance (latency issues; in a VoIP network this is not acceptable at all)
- Evasion (a simple obfuscation of a detectable traffic pattern can make its way through)

However, if we form a conceptual picture of the above-mentioned problems, they can only be attributed to cost, physical limitations or a specific network environment. A small Perl-based script '' from "" can help to assess these IPS systems for their limitations.