Dailydave mailing list archives

RE: Dreaming of Summer


From: David Maynor <dave () 0dayspray com>
Date: Sun, 07 Dec 2003 16:26:46 -0500

On Sun, 2003-12-07 at 15:42, Halvar Flake wrote:
Add a shim to the packet capture engine. Before the captured packet gets
sent up the stack for traditional protocol decodes you can check for
conditions like the seq number matching a predefined set, and if it does
you can read something like the window size and translate that into a
part of a command. If a packet like this is captured it won't get
flagged by the IDS because it never makes it to the IDS analysis phase.
Command response is done by the same shim via packet injection. This
would require some device driver foo. This would not work well if the
IDS supplies its own network card driver.

The installations I've seen so far lack any ability to talk back to the
network for use of a cable without the appropriate wires -- but then
again I am no expert on this.


This is a common type of installation. The IDS is in a "read only" mode
where it is attached to the mirror port of a router or something
similar where it is just getting traffic. Installs like this are not
good candidates for a trojan attack of this type, although still doable.
Aside from the sniffing port the IDS machine must have a network
connection outbound somewhere. This makes backdooring it much more
complex, but not impossible.
 
Luckily for people that want to do things like this the IDS market is
moving to an Intrusion Prevention System (IPS) stance. This means the
device is dual homed and will have to run inline between the attacker
and the target, meaning it is easy to inject packets from a shimmed
network driver. This would not be a script kiddy attack in any way; even
attempting something like this would require a deep knowledge of covert
channel communications as well as device driver programming on the target
OS.

Below are some examples of commercial IPSes, although a perfect example
would be a proof of concept on a snort box.
ISS IPS: http://www.iss.net/issEn/delivery/prdetail.jsp?oid=22929
Tipping Point IPS: http://www.tippingpoint.com/products/index.html
Reflex Security IPS: http://www.reflexsecurity.com/products/products.html

