separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer. Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions? Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.

1. Harden Security Devices Against Increasingly
Sophisticated Evasions
BreakingPoint Webcast Wednesday
December 16, 2009

2. www.breakingpointlabs.com
Introductions/Agenda
• BreakingPoint speakers:
– Dennis Cox, CTO
– Todd Manning, Protocol & Security Researcher
– Dustin D. Trammell, Protocol & Security Researcher
• Quick Glance Agenda:
– Evasions Overview
– Evasions in Layer 3, 4, 5, 7 and more
– Latest evasion techniques
– How to validate you are protected
– BreakingPoint Five Keys
2

3. www.breakingpointlabs.com
Evasion Technique Introduction
• What Is An Evasion?
– Legitimate Permutation of Data
• Data remains valid
• Data looks different
– Attempt at bypassing detection or filters
• Data representation not recognized or understood by the
monitoring entity
• Cause the monitor to revert to a less scrutinizing state
• Transport of data in a state that is not observable by the
monitor
3

4. www.breakingpointlabs.com
Where are Evasions Used?
• Everywhere!
– Layer 3: IP
– Layer 4: TCP
– Layer 5: DCERPC, SunRPC, SIP
– Layer 7: HTTP, SMTP, POP3, FTP
– Content: HTML, OLE, Command-lines (Windows &
UNIX), Exploit Shellcode
4

5. www.breakingpointlabs.com
Layer 3: IP Evasions
• FragEvasion
– IP Fragmentation
– Four IP fragmentation methods available:
• Overlapping end fragments, favoring either old or new data
• Overlapping all fragments, favoring either old or new data
• FragOrder
– Change the order in which fragments are sent
– Three behavior options:
• Normal order
• Reverse order
• Randomize order
5

6. www.breakingpointlabs.com
Layer 4: TCP Evasions
• SegmentOrder
– Change the order in which segments are sent
– Three behavior options:
• Normal order
• Reverse order
• Randomize order
• SkipHandShake
– Skip the three-way handshake for all connections
6

7. www.breakingpointlabs.com
Layer 5: SIP Evasions
• CompactHeaders
– Use compact header names instead of full-length header names
– Example: “From: <user>” -> “f: <user>”
• PadHeadersLineBreak
– Pad headers with line breaks
– Example: ‘Authorization: Digest username=“user”, realm=“home”’
-> ‘Authorization: Digest rnusername=“user”, rnrealm=“home”’
• PadHeadersWhitespace
– Pad headers with whitespace elements
– Example: “From: <user>” -> “From:tt<user> “
• RandomizeCase
– Randomize the case of data which is case insensitive
– Example: “From: <user>” -> “fROm: <UsEr>”
7

8. www.breakingpointlabs.com
Layer 7: Common Evasions
• PadCommandWhiteSpace
– SMTP, POP3, FTP, Commands (Windows, UNIX)
– Inserts arbitrary whitespace between commands and their
arguments
– Examples:
• SMTP: “HELO example.com” -> “HELOtt t example.com”
• FTP: “USER username” -> “USER t tt username”
• Commands: “rm -rf /” -> “rmt t –rft tt/”
• PadPathSlashes
– Commands (Windows, UNIX)
– Uses slashes to pad command path names
– Examples:
• Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd”
8

9. www.breakingpointlabs.com
Layer 7: HTTP Evasions
• Too many to list them all here…
• DirectorySelfReference
– Convert all directories to self-referenced relative directories
– Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt”
• EncodeHexRandom
– Encode random parts of the URI in hex
– Example: “GET /index.html” -> “GET /ind%65x.%68tml”
• ServerChunkedTransfer
– Use “chunked” transfer-encoding to split up the server response
• ServerCompression
– Use gzip to encode the server response
• EncodeUnicodeRandom
– Encode random parts of the URI in wide Unicode (UTF-16)
9

10. www.breakingpointlabs.com
Content Evasions
• HTML Evasions: HTMLUnicodeEncoding
• Encodes HTML in the selected flavor of Unicode:
– UTF_7: 7-bit
– UTF_8: 8-bit
– UTF_16BE: 16-bit big-endian
– UTF_16LE: 16-bit little-endian
– UTF_32BE: 32-bit big-endian
– UTF_32LE: 32-bit little-endian
• Shellcode Evasions: RandomNops
• Uses random nop-equivalent sequences instead of actual No-Op
instructions
• Example (ia32):
– “x90x90x90x90x90x90x90x90”
– becomes
– “x16x2fx5dx55x91x06x44x0e”
10

11. www.breakingpointlabs.com
The Latest Evasion Techniques
• Latest and greatest
• 2010 Forecast?
11

12. www.breakingpointlabs.com
Do Evasions Cause Damage?
12

13. www.breakingpointlabs.com
How To Validate You Are Protected
• Forward Thinking
• Test, Test, Test
• Be Realistic
• Be Random
• Be Consistent
13

14. Properly Testing Using Evasions

15. www.breakingpointlabs.com
Enabling Evasions for BreakingPoint
• BreakingPoint Methods
– Attack Manager:
• Attack Group Options - Affects only the attack group selected
– Security Test Component:
• Parameters Tab, Attack Profile setting - Affects the entire test
• Overrides Tab - Affects the entire test
• Order of precedence
– Overrides
– Group Options
– Attack Profile
15

16. www.breakingpointlabs.com
The Five Keys BreakingPoint Provides
1. 80+ evasion techniques
2. Dedicated security team
3. New evasion techniques
4. Apply across 4,300+ attacks
5. Multi-layered evasions
16

17. www.breakingpointlabs.com
Q&A
Thank You!
17