Thursday, 25 April 2024

Packet fragmentation VS Intrusion Detection System (IDS)

Intrusion Detection Systems (IDS) have long had a problem with packet fragmentation. This was true five years ago and it is still a problem today. Of the several key ailments an IDS suffers from, chief amongst them is how it deals with fragmented packets: once a signature is split across several fragments no single packet matches it, and the sensor has to reassemble the fragments exactly the way the target host will before it can see the attack at all. IDS vendors have grown smarter over the years about how their products reassemble fragments, and there has been great progress, but the problem has not gone away.
During the course of this series I will use the following tools:

  • Fragrouter
  • Metasploit Framework
  • Snort
  • tcpdump.exe

Fragrouter will be our main packet fragmentation tool for this article, but we will also look at the Metasploit Framework's built-in fragmentation abilities. These fragmented attacks will be tested against the Snort IDS, and we shall use the tcpdump.exe packet sniffer to collect the packets as they arrive at the victim.

In part one of the article series we will set up our test lab so that we can use fragrouter. First up, we need to add a new route on the Windows 2000 Pro (W2K) box that we will be launching the attacks from: all packets sent to our victim W2K computer must go via the SuSE box running fragrouter. That way the exploit sent from the attacking computer first reaches the SuSE box, where fragrouter fragments it, and is then forwarded on to the victim. Seeing as this explanation can be a tad confusing, let's take a look at the diagram below.

Figure 1

Because fragrouter has to act as the middleman, sitting in the path between attacker and victim, we are required to use this type of layout. Now we will go ahead and add the route change as seen in the screenshot below. On Windows this is a host route that names the SuSE box as the gateway, of the form "route add <victim IP> mask 255.255.255.255 <SuSE IP>".

Please bear in mind again that the computer running fragrouter must be a separate hop between the attacker and the victim, and as such the IPs shown below would be different for your usage.


Figure 2

Well, so far things have been pretty painless in terms of setup. It is always frustrating for me when I am trying to learn something and I end up getting sidetracked by having to fix or learn something else. As for the attacking computer, all we have to do is make sure that we have the Metasploit Framework installed. This is what we will use to simplify our attacks. Not everyone is comfortable compiling exploit code, so by using Metasploit we neatly side-step that issue. Compiling exploit code is not that difficult once you have seen it done, though, and if you do not yet know how, I would encourage you to learn. That, or feel free to email me and I will send you the compiler syntax for an exploit that is freely available via Securiteam and many other places.

We now need to set up our victim computer. You will need to download Snort and install it along with WinPcap. Snort installs by default to the root of your C drive, and WinPcap installs itself seamlessly. If you are going to be using the latest version of Snort, please ensure that you download the rules as well: newer versions of Snort no longer ship with the rules, so you need to download them separately. Once you have downloaded the rules, copy the rules folder over to the main Snort directory as seen below. There will already be a rules folder there; simply delete it and put your freshly downloaded rules folder in its place. Check that the RULE_PATH variable in snort.conf points at that folder, otherwise Snort will not find the rule files it includes and nothing in this article will alert.

Figure 3

Now one key point that I should mention here is that ultimately we will want to see what our fragmented traffic looks like as it hits the victim computer. To do that we will need to install tcpdump from MicroOLAP, a Windows port of tcpdump. This program will allow us to capture and later inspect the packets as they arrive at our victim computer. It is important to show theory put into practice, as it helps cement lessons learned, and that is why we will look at the fragmented packets themselves: it will help us recognize them for what they are should we encounter them at some point in the future, and odds are we will.

There is still the SuSE computer to set up. You will need fragrouter installed on it, as well as its dependencies; those should all be in the tarball that you download. Once downloaded, "cd" to the fragrouter directory and build and install it via the following commands (the install step needs root):

./configure
make
make install

That was fairly simple and straightforward. You will later invoke fragrouter with the command "./fragrouter -F1". This is the simplest of its fragmentation modes, ordered 8-byte IP fragments, and the one we will use shortly. One caveat before you do: fragrouter does the forwarding itself, so make sure the kernel's own IP forwarding is switched off on the SuSE box (net.ipv4.ip_forward set to 0), otherwise every packet goes out twice, once intact from the kernel and once fragmented by fragrouter. We now have all of the pieces in place, barring any mental hiccups on my part. Let's take an attempt at packet fragmentation then.

On with the show
We will now take a stab at the beast, as it were. Please ensure that you have the Metasploit Framework up and running, either via the web interface or the command prompt. The web interface is better as it involves less typing. Secondly, have Snort up and running on the victim computer so that we can see what it detects on our first pass at packet fragmentation. Please see the screenshot below for the switches I used to invoke it.

Figure 4

Lastly, start up fragrouter on the SuSE computer, which will actually do the fragmenting of the exploit traffic sent by the Metasploit Framework. Please see the screenshot below for the syntax used to invoke it.

Figure 5

All set? Let's get to it then. Seen below is a screenshot of Metasploit obtaining a shell on the victim computer. Once you have shell access, go to your victim computer and stop Snort with Ctrl-C in the command prompt it is running in.

Figure 6

Once you have stopped Snort, go back to the attacking computer and click on "session::break". This severs the connection between the attacking computer and the victim. Lastly, stop fragrouter too, again with Ctrl-C in the terminal window it is running in. What we now need to do is take a look at Snort's output to see what, if anything, it detected. Let's take a look at the screenshot below.

Figure 7

My instance of Snort logged seven items and two alerts. Interesting is the chunk of data beneath the "Action Stats": a total of 271 fragmented IP packets were seen during our attack session. That is a fairly high number of fragments. In a benchmark run I did earlier, using the Metasploit Framework against the victim computer without fragrouter as a middleman, I saw zero fragmented packets. Let's now take a look at what Snort actually logged as alerts. Please see the screenshot below.

Figure 8

Snort detected the attack as two instances of "NETBIOS DCERPC Remote Activation bind attempt", which in reality is exactly what the attack was: I used the MS03-026 exploit, which targets the DCOM RPC service on TCP port 135, and the signature fires on the DCERPC bind to the Remote Activation interface that precedes the malicious request. We now know that our attempt at "simple" fragmentation to evade Snort failed miserably. That is reason for celebration, as we would indeed hope that a modern IDS would catch such a generic fragmentation attempt.

In part one we saw how to set up the various computers in our VMware lab. The setup was simple, and even the installation and use of fragrouter was fairly pain free. We ended part one with an attempt at packet fragmentation via fragrouter in an effort to evade Snort. That first attempt failed, for Snort did indeed pick up the attack. It had no problem reassembling the fragmented packets and recognizing the attack for what it was: an RPC bind attempt via the MS03-026 exploit contained in the Metasploit Framework. Fragrouter has quite a few more tricks in its arsenal. If you enter the "./fragrouter -help" command as seen in the screenshot below, you will be shown all of the fragrouter options available to you.

Figure 1

What we now need to do is use a fragmentation attack that will likely be a bit more evasive. Seen in the screenshot above is one of interest, specifically "-F3". This is much like the first attempt we made, ordered 8-byte fragments, but this time one fragment in the fragment train is sent out of order, which forces the IDS to buffer and reorder rather than simply append each fragment as it arrives. This also serves as an orderly step up in our attempted evasion. We will again have to ensure that Snort is running on the victim computer, as well as tcpdump.exe this time, which will let us log the incoming fragmented traffic and then view some sample packets. Also please ensure that you have started fragrouter before you initiate the attack via the Metasploit Framework. In order to keep our results uniform we will again use the MS03-026 exploit via Metasploit. All set? Let's get to it then.
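To make concrete what -F1 and -F3 are doing, and what Snort has to do to undo it, here is an added example in Python. It is my code, not the article's and not fragrouter's or Snort's. It splits a constructed 52-byte prefix of a DCERPC bind PDU into 8-byte IP-style fragments, emits them in the orderings fragrouter's help text calls -F1, -F3, -F4 and -F6, and reassembles them the way an IDS must before a content signature can match. The bind bytes and the crude signature check are constructed for the example; the UUID is that of the IRemoteActivation interface MS03-026 abuses.

```python
"""IP-fragment reassembly as an IDS must do it, with fragrouter-style orderings.

Added example, not from the original article or from fragrouter/Snort. The
payload below is constructed, not a capture.
"""

FRAG_UNIT = 8  # IP fragment offsets are expressed in 8-byte units

# Constructed sample: the first 52 bytes of a DCERPC v5 bind PDU. The leading
# 05 00 0b is version 5.0 / packet type 0x0b (bind); the UUID at offset 32 is
# IRemoteActivation, the interface MS03-026 abuses.
IREMOTEACTIVATION = bytes.fromhex("b84a9f4d1c7dcf11861e0020af6e7c57")
SAMPLE_BIND = (
    b"\x05\x00\x0b\x03\x10\x00\x00\x00"    # ver 5.0, ptype bind, first+last frag, LE drep
    + b"\x48\x00\x00\x00\x01\x00\x00\x00"  # frag_length 0x48, auth_length 0, call_id 1
    + b"\xb8\x10\xb8\x10\x00\x00\x00\x00"  # max xmit/recv frag 4280, assoc group 0
    + b"\x01\x00\x00\x00\x00\x00\x01\x00"  # one context item: ctx id 0, one transfer syntax
    + IREMOTEACTIVATION + b"\x00\x00\x00\x00"  # abstract syntax UUID + version 0.0
)


def fragment(payload, frag_size=8):
    """Split a payload into IP-style fragments: (offset in 8-byte units, more-fragments flag, data)."""
    if frag_size % FRAG_UNIT:
        raise ValueError("fragment size must be a multiple of 8 bytes")
    frags = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        more = start + frag_size < len(payload)
        frags.append((start // FRAG_UNIT, more, chunk))
    return frags


# Orderings that mimic fragrouter's -F1, -F3, -F4 and -F6 modes as named in its help text.
def ordered(frags):                      # -F1: ordered 8-byte fragments
    return list(frags)

def one_out_of_order(frags):             # -F3: ordered, one fragment out of order
    frags = list(frags)
    if len(frags) >= 3:
        frags[1], frags[2] = frags[2], frags[1]
    return frags

def one_duplicate(frags):                # -F4: ordered, one fragment sent twice
    frags = list(frags)
    if len(frags) >= 2:
        frags.insert(2, frags[1])
    return frags

def last_marked_first(frags):            # -F6: the fragment marked "last" is sent first
    frags = list(frags)
    if frags:
        frags.insert(0, frags.pop())
    return frags


def reassemble(frags):
    """Rebuild the datagram. Returns None while any fragment is missing.

    Duplicate offsets keep the first copy seen (one of the per-target-OS overlap
    policies a reassembler has to pick; the wrong choice is an evasion opening).
    """
    seen = {}
    total = None
    for offset, more, data in frags:
        start = offset * FRAG_UNIT
        seen.setdefault(start, data)
        if not more:
            total = start + len(data)
    if total is None:
        return None  # never saw the last fragment: datagram length unknown
    out = bytearray()
    pos = 0
    while pos < total:
        chunk = seen.get(pos)
        if chunk is None:
            return None  # hole in the datagram
        out += chunk
        pos += len(chunk)
    return bytes(out[:total])


def bind_signature(payload):
    """Stand-in for a content rule: DCERPC v5 bind carrying the IRemoteActivation UUID."""
    return payload is not None and payload.startswith(b"\x05\x00\x0b") and IREMOTEACTIVATION in payload


def sensor_without_reassembly(frags):
    """A naive sensor that matches each fragment on its own never sees the whole UUID."""
    return any(bind_signature(data) for _, _, data in frags)


def sensor_with_reassembly(frags):
    return bind_signature(reassemble(frags))


if __name__ == "__main__":
    modes = [("-F1", ordered), ("-F3", one_out_of_order), ("-F4", one_duplicate), ("-F6", last_marked_first)]
    for name, order in modes:
        frags = order(fragment(SAMPLE_BIND))
        print(name, "per-fragment:", sensor_without_reassembly(frags), "reassembled:", sensor_with_reassembly(frags))
```

Run as a script it prints, for each ordering, that a sensor matching fragment by fragment sees nothing while the reassembled datagram matches, which is the behaviour Snort showed in part one. Note the two failure modes the reassembler has to handle: a missing fragment (it returns None rather than guessing) and a duplicate offset (here the first copy wins; real reassemblers choose this per target OS, and a mismatch between the sensor's choice and the victim's is exactly the gap the trickier fragrouter modes probe).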

Figure 2

In the screenshot above I have invoked fragrouter with the "-F3" switch as discussed.

Figure 3

Now in the screenshot above I have invoked tcpdump.exe on the victim computer in order to log the fragmented packets as they arrive, so that we can take a look at them afterwards. Please note the "-w" switch, which writes the packets to a file in binary (pcap) format instead of printing them. You will later need to use "tcpdump -r test1 -nXvSs 0 | more" to view them: -r reads the file back, -n suppresses name lookups, -X dumps each packet in hex and ASCII, -v adds the IP header detail (including the fragment offset and "more fragments" flag we care about), -S prints absolute TCP sequence numbers, and -s 0 asks for the full snapshot length, which matters on the capture side and is harmless here.

Action!
Now back to the fun stuff. On your attacking computer, bring Metasploit back up and enter the appropriate information in the web interface in order to attack the victim computer. Once ready, fire away, as it were. As soon as you have obtained a shell on the computer, go and stop Snort on the victim computer. Then go back to the attacking computer and click on "session::break" to gracefully terminate the connection. In the screenshot below we can see that fragrouter does produce output while running: it lists each fragment it emits along with its offset as it does the fragmenting. That is a good list to have as a reference should you want to go over your packet trace in detail.

Figure 4

Seeing as we did not really increase the amount of fragmentation, the total number of packets sent to the victim should be roughly the same. Let's take a look at the screenshot below, which displays the statistics tcpdump.exe collected.

Figure 5

tcpdump.exe recorded a total of 290 packets, roughly the same number as previously. That number can vary due to NetBIOS broadcasts and the like. Of more interest is just what Snort saw this time.

Figure 6

Well, it would seem that Snort once again detected our attempt to evade it. To find out definitively, let's take a look at the "alert.ids" file in the "log" directory.

Figure 7

Our most recent attempt at IDS evasion via packet fragmentation using fragrouter has once again failed miserably.

Bring on Metasploit
So far we have seen that generic attempts at packet fragmentation will not evade a modern IDS such as the latest version of Snort. There are many other options in fragrouter that may allow you to bypass Snort if used creatively. Now that you have seen how to use fragrouter, I will leave that experimentation to you. What we shall now do is move on to another tool that will allow us to fragment attack traffic: the ever more sophisticated Metasploit Framework. We have used it so far to generate the attack traffic, but we will now also use its built-in fragmentation capabilities.

To keep things simple we will recreate what we have already done. To wit, we shall once again use MS03-026, but this time with Metasploit's own fragmentation option enabled. Please see the screenshot below for the syntax used.

Figure 8

What Metasploit will now do is fragment the DCERPC protocol data unit itself rather than the IP packets carrying it: the request is split into several smaller DCERPC fragments, each with its own DCERPC header and first/last fragment flags, so every IP packet arrives whole and only the application-layer payload is chopped up. Let's go ahead and try it and see what Snort finds. Please see the screenshot below for what Snort saw.
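Application-layer fragmentation is easy to confuse with IP fragmentation, so here is an added Python example of what "fragmenting only the DCERPC portion" means. It is my code, not Metasploit's or Snort's. It carries one DCERPC request as several request PDUs that share a call_id and use the PFC_FIRST_FRAG/PFC_LAST_FRAG flags, then reassembles them the way a DCERPC-aware sensor has to before a content match on the stub can succeed. The request stub, the marker it contains and the opnum are constructed for the example and stand in for whatever a real rule would look for.

```python
"""DCERPC-level fragmentation and reassembly.

Added example, not Metasploit's or Snort's code. The IP packets stay whole; a
single RPC request is carried as several request PDUs, and a sensor has to glue
the stubs back together before a content match on the stub can succeed. The stub
and the marker are constructed.
"""
import struct

PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_LE = b"\x10\x00\x00\x00"  # data representation: little-endian integers, ASCII
# Common 16-byte header: ver, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
COMMON_HDR = struct.Struct("<BBBB4sHHI")
# Request-specific 8 bytes: alloc_hint, context_id, opnum
REQUEST_HDR = struct.Struct("<IHH")
HDR_LEN = COMMON_HDR.size + REQUEST_HDR.size  # 24

# Constructed stand-in for whatever a rule would look for inside the request stub.
MARKER = b"\x90\x90\x90\x90ADDED-EXAMPLE-MARKER"
SAMPLE_STUB = b"\x00" * 40 + MARKER + b"\x00" * 40


def fragment_request(stub, call_id, opnum, frag_size, context_id=0):
    """Carry one request as several request PDUs, each with a full header.

    Only the first PDU gets PFC_FIRST_FRAG and only the last PFC_LAST_FRAG; all
    share the call_id, which is how the receiver ties them together.
    """
    if frag_size <= 0:
        raise ValueError("frag_size must be positive")
    chunks = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)] or [b""]
    pdus = []
    for idx, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if idx == 0 else 0) | (PFC_LAST_FRAG if idx == len(chunks) - 1 else 0)
        common = COMMON_HDR.pack(5, 0, PTYPE_REQUEST, flags, DREP_LE, HDR_LEN + len(chunk), 0, call_id)
        request = REQUEST_HDR.pack(len(stub), context_id, opnum)  # alloc_hint = whole stub size
        pdus.append(common + request + chunk)
    return pdus


def reassemble_requests(pdus):
    """Return {call_id: stub} for every request whose fragments all arrived.

    Mirrors the job of a DCERPC-aware preprocessor: keep a partial stub per
    call_id, start fresh on PFC_FIRST_FRAG, deliver on PFC_LAST_FRAG, and drop
    fragments that have no first fragment to attach to.
    """
    pending = {}
    complete = {}
    for pdu in pdus:
        if len(pdu) < HDR_LEN:
            continue
        ver, _minor, ptype, flags, drep, frag_len, auth_len, call_id = COMMON_HDR.unpack_from(pdu, 0)
        if ver != 5 or ptype != PTYPE_REQUEST or not drep[0] & 0x10 or frag_len != len(pdu):
            continue  # the example handles only well-formed little-endian v5 requests
        stub = pdu[HDR_LEN:frag_len - auth_len]
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = bytearray()
        if call_id not in pending:
            continue
        pending[call_id] += stub
        if flags & PFC_LAST_FRAG:
            complete[call_id] = bytes(pending.pop(call_id))
    return complete


def matches_per_pdu(pdus):
    """A sensor that inspects each PDU on its own."""
    return any(MARKER in pdu for pdu in pdus)


def matches_after_reassembly(pdus):
    """A sensor that matches only on reassembled stubs."""
    return any(MARKER in stub for stub in reassemble_requests(pdus).values())


if __name__ == "__main__":
    whole = fragment_request(SAMPLE_STUB, call_id=1, opnum=0, frag_size=4096)
    split = fragment_request(SAMPLE_STUB, call_id=1, opnum=0, frag_size=16)
    print("unfragmented: per-PDU", matches_per_pdu(whole), "reassembled", matches_after_reassembly(whole))
    print(f"{len(split)} fragments: per-PDU", matches_per_pdu(split), "reassembled", matches_after_reassembly(split))
```

With a 16-byte fragment size the constructed marker straddles two PDUs, so a sensor that looks at PDUs one at a time misses it while the reassembled stub still matches. The reassembler also shows why this trick is weaker than it looks: the headers and flags that let the victim's RPC runtime rebuild the request are the same ones the sensor uses, and the bind that sets up the connection is a separate PDU that this fragmentation does not touch.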

Figure 9

Snort detected one alert within the traffic Metasploit sent it, but it counted no fragmented IP packets, as only the DCERPC portion was fragmented. Now for the object of our interest: was the RPC bind attempt detected? Let's take a look below.

Figure 10

Snort has once again foiled our attempt at being stealthy via fragmentation. It detected three separate RPC bind attempts. On reflection that is the expected outcome: the rule keys on the bind request, which was still plainly visible. We could easily experiment further by continually decreasing the fragment size, but I will leave that up to you. The key lesson to be learnt here is that IDSs have indeed grown in sophistication and in their ability to deal with fragmented traffic.

Wrap Up
This article series dealt with the problem of an attacker deliberately fragmenting their attack traffic in order to evade IDS signatures. We attempted to recreate what such an aggressor might do in an attempt to obfuscate their attack. The slightly old, but by some accounts still effective, fragrouter was looked at. There was a good deal of options available to us via fragrouter, but the simpler ones we tried were easily detected by Snort. That leaves the more sophisticated ones for further experimentation against a computer with an IDS running on it.

There were certainly quite a few more scenarios that we could have tried via fragrouter, but that would have entailed quite a few more article segments. The goal of this article series was to show you the existence of computer security tools such as fragrouter and the Metasploit Framework. Neither of these tools is hidden away somewhere; rather, they are out there for the taking. You would be wise to do just that and learn how to use them. That in turn will lead you to a far more fundamental understanding of how fragmentation can affect an IDS. I know that it certainly worked for me. Prior to my having used these tools, the whole concept of fragmentation was really kind of murky. I always try to recreate any concept that I read about; the best way to learn is to actually do it. I sincerely hope this article was of use to you and, as always, welcome your feedback. Till next time.
