Beruflich Dokumente
Kultur Dokumente
A STONESOFT INNOVATION
User’s Guide
USING STONESOFT EVADER
Stonesoft Evader allows you to test the effectiveness of security devices in your network
environment against advanced evasion techniques.
1
Getting Started With Stonesoft Evader
An evasion is an attempt to disguise attacks in order to avoid detection and blocking by network
security systems. Evasions can be applied to normal traffic as well as to attacks. An attack
consists of a delivery mechanism (for example, a buffer overflow) and a malicious payload (for
example, code that is executed by the victim computer). The attack is considered successful if
the delivery mechanism succeeds in gaining access to the victim computer, regardless of
whether the security device detects or responds to the attack.
Evasion techniques can be divided into the following categories:
• Defined in a specification and used according to the specification (example:
IPFragmentation).
• Defined in a specification but never actually used according to the specification (example:
MSRPC BigEndian).
• Defined in a specification for some other component, but not defined for the way it is used in
the evasion technique (example: MSRPC NDR Flags).
• Forbidden by a specification, but accepted by the victim system (example: TCP overlap).
The well-known exploits available in Stonesoft Evader are used for evasion testing only.
Installation Environment
The installation environment consists of an attacker computer that runs the Stonesoft Evader
software and one or more victim computers. The examples in this document are based on the
following example installation. Your installation may vary according to your environment.
1 2
1. Attacker computer
• IPv4 Address: 172.16.120.1
• Netmask: 255.255.255.128 (25)
• Attacker source IPv4 address range: 172.16.120.30 - 172.16.120.126
2. Linux victim computer
• IPv4 Address: 172.16.120.21
• Netmask: 255.255.255.128 (25)
The following credentials are used to log in to the Linux operating system on both computers:
• User: root
• Password: password
Installation Files
The attacker computer and the Linux victim computer are distributed as one OVF Template. The
attacker computer includes the Evader software. The Linux victim computer includes the
following vulnerable software:
• Apache HTTP Server version 2.0.64
• MySQL 4.1.22
• PHP 4.2.2
• phpBB 2.0.10 (CVE-2004-1315)
System Requirements
The OVF Template can be deployed on the virtualization platform of your choice. You may need to
enable Promiscuous mode on the virtual switches to get your security device(s) to work
correctly.
The attacker virtual machine has the following additional requirements:
• e1000x emulated Network Interface Card
• Minimum of 1 GB virtual RAM
• (Recommended) Two CPUs
If you want use a Windows XP victim computer as the target for testing evasions with the
conficker (CVE-2008-4250) attack, you must install the operating system and configure the
vulnerable services according to the requirements below:
• Windows XP (en-US) SP2 without patches
• MSRPC Server Service configured to allow unauthenticated MSRPC binds
Example IP addresses for Windows XP victim computer:
• IPv4 Address: 172.16.120.20
• Netmask: 255.255.255.128 (25)
If you want use a Windows 7 victim computer as the target for testing evasions with the rdp_dos
(CVE-2012-0002) attack, you must install the operating system and configure the vulnerable
services according to the requirements below:
• Windows 7 (en-US) without the MS12-020 patch installed
• Remote Desktop Services started with Allow Connections From Computers Running Any
Version Of Remote Desktop selected. See http://technet.microsoft.com/en-us/magazine/
ff404238.aspx for configuration instructions.
Example IP addresses for Windows 7 victim computer:
• IPv4 Address: 172.16.120.22
• Netmask: 255.255.255.128 (25)
What’s Next?
Repeat these steps to deploy the other virtual machine, then continue by Configuring
the Attacker Computer (page 4).
What’s Next?
Continue by Configuring the Linux Victim Computer (page 5).
Option Description
--if=<name> Interface from which the attacks originate.
The source port number for the attacks. By default, a random port
--src_port=<port number>
number is used.
--dst_port=<port number> The port number of a vulnerable service on the victim computer.
Option Description
--attacks | -a Lists the supported attacks.
Option Description
Lists the supported evasion techniques for a specific attack
and the evasion-specific options. Not all evasions can be used
--evasions | -e with all attacks. An attack must be selected using the --
attack=<attack name> option.
Example: --attack=conficker --evasions.
Each evasion has its own set of options that are specific to that evasion. Use the following
options to show detailed information about the options for a specific evasion:
--info=<evasion_name>
Each evasion-specific option accepts one of the following three types of values (the evasion
description indicates what type of value each option accepts):
• Integer: An integer value. The evasion description indicates the range of valid integers and
how to use them with the evasion.
• Probability: Indicates how often the evasion is applied to the traffic. Probability values can be
entered in three ways:
• As a percentage. For example, 75%. The evasion is applied with a probability of 75% to
each packet, so on average at the end of the attack, 75% of packets will have received
the evasion.
• As a number. For example, 3. The evasion is applied to exactly every third packet.
• As a list of iterations each preceded by '#'. For example, #3#6#13. The evasion is
applied exactly at the third, sixth and thirteenth iterations.
• Multiple Choice: A specific named option. The evasion description specifies whether single
or multiple options can be used with the evasion. The syntax for the option depends on
whether single options or multiple options can be used:
• Single Valid: A single named option. Quotes are optional.
• Multiple Valid: A single named option or a list of named options separated with a pipe
(|). The entire list of options must be enclosed in quotes to prevent the pipe from being
interpreted as part of the Linux shell command.
Option Description
--version | -v Shows the Evader software version.
--verifydelay=<length Length of time (in milliseconds) to wait before verifying the attack
of delay> result. The default is 100.
Sets the seed to use for random number generation. The random
--randseed=<string> number generator generates random data for the payload of certain
attacks.
--record=<file name> Records all generated traffic in PCAP format to the specified file.
4 6
5
8
Note – If you want to test evasions against a Windows XP victim computer with the
Conficker module, you must install the operating system and configure the vulnerable
services. See the System Requirements (page 3) for more information.
Setting Description
Enter the name of the interface on the attacker computer from which the attacks
Interface
originate.
Enter the source IP address for the attacks. This address must be a unique IP
address from the same subnet as the IP address of the attacker computer.
Source IP
Note! The Evader tool implements its own TCP/IP stack. Do not use the attacker
computer’s IP address as the source IP address.
Option Description
The mode of attack:
Solo mode uses individual evasions with some options.
Dual mode combines two evasions from the list of enabled evasions.
--mode=(solo|dual|random)
Random mode uses random evasions from the list of enabled evasions
with random options.
The default is random.
The starting source IP address for the attacks. This address must be a
unique IP address from the same subnet as the IP address of the
attacker computer. The first worker uses this address, and any additional
workers use the next sequential IP addresses. There must be a sufficient
--attacker=<src ip>
range of free IP addresses to provide a unique IP address for each
worker.
Note! The Evader tool implements its own TCP/IP stack. Do not use the
attacker computer’s IP address as the source IP address.
The gateway address if the victim is not in the local network. Default:
--gw=<IP address>
empty.
The duration of the attack in seconds when random mode is used. The
--time=<time in seconds>
default is 60 seconds.
The number of workers to use for the attacks. Each worker is a separate
instance of the Evader program. There must be a sufficient range of free
--workers=<worker count> IP addresses to provide a unique IP address for each worker.
The default is 1 worker.
--use_evasions=<evasion>
Use only the specified evasion(s).
(,evasion)*
Option Description
Exclude the specified evasions from testing. Disabling evasions is
--disable_evasions= recommended when dual mode or random mode is used for attacks.
<evasion> (,evasion)* Disabling single evasions that are successful against the security device
is also recommended.
Check that the victim allows legal traffic without evasions before
--check_victim=(true|false)
attacking. Default: true.
--record=<directory name> Records the attacks to the specified directory in pcap format.
--index=<begin(-end)?> The start index and optional stop index for solo and dual mode.
Network setup:
Attackers: 10.102.100.100-10.102.100.104
Victim : 10.102.0.4
Number summary
Total Clean Exploit
Attempts 156 156 134
Failures 156 21 134
Success 1 135 1
conficker, http_phpbb_highlight,
ipv4_opt IPv4 options
rdp_dos
conficker, http_phpbb_highlight,
tcp_chaff TCP Chaff
rdp_dos
conficker, http_phpbb_highlight,
tcp_initialseq TCP initial sequence number
rdp_dos
conficker, http_phpbb_highlight,
tcp_inittsopt TCP timestamp option settings
rdp_dos
conficker, http_phpbb_highlight,
tcp_nocwnd Disable TCP congestion avoidance
rdp_dos
conficker, http_phpbb_highlight,
tcp_nofastretrans Disable TCP fast retransmit
rdp_dos
conficker, http_phpbb_highlight,
tcp_order TCP segment order
rdp_dos
conficker, http_phpbb_highlight,
tcp_paws TCP PAWS elimination
rdp_dos
conficker, http_phpbb_highlight,
tcp_recv_window TCP receive window
rdp_dos
conficker, http_phpbb_highlight,
tcp_seg TCP segmentation
rdp_dos
conficker, http_phpbb_highlight,
tcp_timewait TCP TIME-WAIT decoys
rdp_dos
conficker, http_phpbb_highlight,
tcp_tsoptreply TCP timestamp echo reply modifications
rdp_dos
conficker, http_phpbb_highlight,
tcp_urgent TCP urgent data
rdp_dos
http_request_line_separato
HTTP request line separator http_phpbb_highlight
r
Supported Evasions 15
Stonesoft Guides
Administrator’s Guides - step-by-step instructions for configuring and managing the system.
Installation Guides - step-by-step instructions for installing and upgrading the system.
Reference Guides - system and feature descriptions with overviews to configuration tasks.
Copyright 2012 Stonesoft Corporation. All rights reserved. All specifications are subject to change.