bypassingintrusiondetectionsystems(編輯修改稿)
2024-11-05 09:04 本頁面
【文章內(nèi)容簡(jiǎn)介】 IDS WWW Segment with MTU = 1300 1350 byte packet with DF = 1 Bypassing NIDS HTTP Proto ? ?/? padding: “/cgibin///phf” ? Self referencing directories: “/cgi bin/./phf” ? URL Encoding: “%2fcgibin/phf” ? Reverse Traversal: “/cgibin/here/../phf” ? TAB instead of spaces removal ? DOS/Win syntax: “/cgibin\phf” ? Null method: “GET%00/cgibin/phf” Bypassing NIDS Tel Proto ? Strip out Tel codes ? Automatic proxies which add random characters followed by backspace –“su X{backspace}root” Bypassing NIDS Resources ? Tools – Whisker Rain Forest Puppy – Fragrouter Dug Song – Congestant horizon, Phrack 54 ? Papers – “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham – Bro information: Bypassing HIDS Kernel Hacks ? Windows NT – 4 byte patch that removes all security restrictions from objects within the NT domain. – Could use access to disable or manipulate HIDS ? Linux “” kernel module not in /proc/modules hides a sniffer hides files hides processes redirects execve() socket backdoor magic setuid gets root Bypassing HIDS Stack Protection ? Stackguard –A ?canary? is placed next to return address – Program halts and logs if canary is altered – Canary can be random or terminating – Bypass: overwrite return address without touching canary – Fix: XOR the return address and the canary – Point: Yet another example of an arms race Bypassing HIDS Library Hacks ? Environment variables which redirect shared library locations ? Library has a ?wrapper? run by a p
教學(xué)課件相關(guān)推薦
鄂ICP備17016276號(hào)-1