Introduction to Ethical Hacking

Week 13 Reading and In the News

Intrusion Prevention Systems (IPS) are network security appliances that inspect the data and flow of network traffic. These appliances are configured to detect or prevent malicious activity targeting systems. The assigned reading lists various methods used to circumvent or bypass the different types of intrusion prevention systems in the marketplace. The following are very effective methods: obfuscation, encryption and tunneling, fragmentation, and protocol violations. Quite often several of these methods are combined or required to circumvent the intrusion prevention system of a target.


In the News: Why Banks Need to Prepare for More Chase-Like Breaches

Week 13 – Reading Summary & News

An Intrusion Prevention System examines the data and flow of network traffic to detect or prevent vulnerabilities or exploits. The reading for this week discusses different ways and methods to bypass different flavors of IPS from various vendors. The methods mentioned in the reading are obfuscation (making something unreadable), encryption and tunneling (sending the attack through SSH), fragmentation (splitting malicious packets into fragments; reassembly is tricky; delaying packets), and protocol violations. In some cases, a combination of the methods was required to get through the IPS. Decoy trees and big-endian evasion techniques were also shown to help with making the attack successful. An IPS is not meant to be the be-all and end-all in protection, and it also needs to be configured or tailored to your environment.


In the news:

Self-encrypting drives are little better than software-based encryption

If a laptop using a self-encrypting drive is stolen or lost while in sleep mode, the security of its data can’t be guaranteed. Companies relying on self-encrypting drives (SEDs) to secure data stored on their employees’ laptops should be aware that this technology is not immune to attack and should carefully consider whether they want to use it rather than software-based approaches.
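
The obfuscation method summarized above (making the attack unreadable to the IPS while the server still understands it) can be tried against a plain substring signature. The Python script below is an added example for this post, not code from the reading or from any vendor's product; the request URIs and the CGI path are constructed, and /etc/passwd stands in for whatever string a signature looks for. It shows why a signature engine has to normalize a URI (repeated percent-decoding, then collapsing dot segments and double slashes) before matching, and why running out of decode budget is itself a useful anomaly signal.

```python
import posixpath
import re
from urllib.parse import unquote

SIGNATURE = "/etc/passwd"                    # the string the toy signature looks for
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")  # a still-encoded byte such as %2f

# Constructed request URIs: each one reaches /etc/passwd on a naive CGI that
# passes ?file= straight to the filesystem, yet none contains the literal signature.
OBFUSCATED_URIS = [
    "/cgi-bin/view?file=%2Fetc%2Fpasswd",       # single percent-encoding
    "/cgi-bin/view?file=%252fetc%252fpasswd",   # double encoding (decoded twice downstream)
    "/cgi-bin/view?file=/etc/./passwd",         # self-referencing "." segment
    "/cgi-bin/view?file=/etc//passwd",          # duplicated slash
    "/cgi-bin/view?file=/etc/x/../passwd",      # traversal through a dummy segment
]


def naive_match(uri):
    """What a signature engine without normalization does: a raw substring search."""
    return SIGNATURE in uri


def normalize_uri(uri, max_decode_rounds=3):
    """Return (normalized_uri, suspicious).

    Percent-decodes until the string stops changing, bounded by max_decode_rounds,
    then collapses ".", ".." and "//" the way a POSIX path resolver would.
    suspicious is True when escapes survive the decode budget: nesting deeper than
    any legitimate client encodes deserves an alert on its own.
    Decoding the whole URI (query included) is a simplification for matching,
    not a claim about how any particular web server parses it.
    """
    current = uri
    for _ in range(max_decode_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    suspicious = PCT_ESCAPE.search(current) is not None
    return posixpath.normpath(current), suspicious


def verdict(uri):
    """'match' if the normalized URI carries the signature, 'suspicious' if the
    decode budget ran out before reaching plaintext, otherwise 'clean'."""
    normalized, suspicious = normalize_uri(uri)
    if SIGNATURE in normalized:
        return "match"
    if suspicious:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for uri in OBFUSCATED_URIS:
        print(f"{uri:45} naive={naive_match(uri)!s:5} normalized={verdict(uri)}")
```

Every URI in the list slips past naive_match and is caught by verdict. The bound on decode rounds matters: without it an attacker can nest encodings until the inspector spends its time decoding, and with it the inspector can flag requests whose encoding depth no browser would ever produce.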


Week 13: Reading, Question for Class, and In The News…

Reading: Dyrmose, M. (2013). Beating the IPS. SANS Institute InfoSec Reading Room. The paper describes how to build an intrusion prevention system research laboratory, introduces four evasion techniques, and illustrates how to use three of them in various combinations to avoid detection by one open source and five commercial intrusion prevention systems (IPSs) in order to execute a successful web-based information security exploit. The techniques include obfuscation, fragmentation (including overlapping, reassembly order, and timeout variants), and protocol violations. The article demonstrated that the simple one-exploit attacks were detected by most of the IPSs, but particular combinations could be formulated to bypass any one of them.

Question for the Class: Did you know that “99% of all successful attacks/breaches involve a vulnerability that is at least 1 year old”, and “90% of all breaches involve a vulnerability from 7 years or older”? (From:

In The News: Shackelford, S.J. (2015-10-30). Another ‘Back to the Future’ Moment – 27 Years After the World’s First Cyber Attack. Twenty-seven years ago (1988) a Cornell University grad student (Robert Morris) launched the first “Internet worm” from MIT. Meant to measure the size of the Internet, the worm morphed into a denial of service exploit, copying itself onto many of the 60,000 computers connected to the Internet. The worm caused between $100,000 and $10 million in damages. Morris received 3 years of probation and a $10,050 fine, and is noted as “the world’s first cyber attacker” prosecuted under the Computer Fraud and Abuse Act. He is now a tenured MIT professor and dot-com millionaire. Today, there are more than 9 billion devices and more than 3 billion people online. Positive outcomes traceable to Morris’ exploit include Carnegie Mellon University’s Cyber Emergency Response Team (CERT), proactive cybersecurity best practices, and the NIST Cybersecurity Framework. The government of Australia reports success in preventing 85% of cyberattacks by following 3 common sense techniques: (1) only permitting pre-approved programs to operate on networks (i.e. application whitelisting), (2) regular patching of operating systems and applications, and (3) minimizing the number of people on the network with admin privileges.

Week 13 Reading Summary, Question, and recent Cyber Security News…

  1. Summarize one key point from each assigned reading…

Regarding the following tested IPS hardware security appliances (HP TippingPoint, Check Point Firewall, Palo Alto Networks Firewall, Cisco ASA, Fortinet FortiGate, and the Snort open-source IPS), all products failed to protect against multiple TCP/IP network evasion techniques (overlapping fragments, wrapping sequence numbers, and packet insertions) using the “Conficker worm” on vulnerable Windows PCs. Some best practices for protecting IPS devices are the following: modify default vendor IPS settings for one’s business enterprise network and systems (continue to update as threats evolve), block unneeded NULL sessions (unauthenticated connections) to any networked Windows PCs, and always check IPS alerts too.

  2. Question to classmates (facilitates discussion) from assigned reading…

Which IPS is most secure in an online business enterprise setup?

*Answer: All IPS appliance devices (Cisco, Check Point, Palo Alto Networks, etc.) have similar and different vulnerabilities, but enterprise IT staff can minimize vulnerabilities by following best practices: put the IPS in the right place (performance and coverage), teach the IPS what you know (configure it for your network and systems), think about high availability (plan your disaster recovery), don’t block initially (test for false positives first), get trained (train IT staff beyond the IPS vendor’s info), and plan to tune (continue periodic adjustments for evolving attacks).

  3. Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow the theme topic of the week, or another interesting related article)…

In the Cyber Security News lately

“DDoS and APT attacks on corporates and banks – as reported on 6/28/2015…
… Advanced Persistent Threat (APT) attacks are followed by DDoS attacks; this is done to erase any tracks of compromise on the firewall, router, and Intrusion Prevention Systems (IPS)… there is no direct connection at the corporate end from the Internet (using firewalls and IPS), but the antivirus/firewall/IPS are not fully safeguarding business and banking systems due to poor technical controls or products (the main problem for organizations is that there are many vulnerabilities on systems which go undetected for a long period of time!)”
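
The overlapping-fragment and reassembly-order variants in the Dyrmose summary above, and the overlapping fragments and packet insertions this post lists, rest on one ambiguity: when two fragments claim the same bytes, the IPS and the protected host may resolve the overlap differently, so the IPS inspects a datagram the host never sees. The Python below is an added illustration for these posts, not code from the reading or from any of the named products. It simulates reassembly in memory over a constructed fragment stream rather than sending packets, and its two policies ("first" and "last" fragment wins) are generic labels, not claims about which operating system uses which.

```python
from dataclasses import dataclass

SIGNATURE = b"/etc/passwd"   # what the toy signature looks for in the reassembled datagram


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment within the original datagram
    data: bytes


# Constructed fragment stream, in wire order. Fragment 2 is a benign decoy;
# fragment 3 overlaps exactly the same 10 bytes with the real request path.
EVASION_FRAGMENTS = [
    Fragment(0, b"GET /"),
    Fragment(5, b"index.html"),
    Fragment(5, b"etc/passwd"),
    Fragment(15, b" HTTP/1.0\r\n"),
]

# The same request with no overlap, for comparison.
CLEAN_FRAGMENTS = [
    Fragment(0, b"GET /"),
    Fragment(5, b"index.html"),
    Fragment(15, b" HTTP/1.0\r\n"),
]


def reassemble(fragments, policy):
    """Rebuild the datagram. On overlap, "first" keeps the bytes of the
    earliest-received fragment and "last" keeps those of the latest."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown reassembly policy {policy!r}")
    length = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(length)
    seen = bytearray(length)        # 1 where some fragment has already written this byte
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = 1
    return bytes(buf)


def matches_signature(payload):
    return SIGNATURE in payload


def overlaps_conflict(fragments):
    """True if two fragments claim the same offset with different bytes.
    Identical retransmissions are normal; conflicting data almost never is."""
    claimed = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if claimed.setdefault(pos, byte) != byte:
                return True
    return False


def detect(fragments, inspector_policy):
    """Inspect with a single reassembly policy; correct only if it is the target's."""
    return matches_signature(reassemble(fragments, inspector_policy))


def detect_any_policy(fragments):
    """Policy-agnostic: alert on conflicting overlaps, or on a match under any policy."""
    return overlaps_conflict(fragments) or any(
        detect(fragments, policy) for policy in ("first", "last")
    )


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(EVASION_FRAGMENTS, policy))
    print("inspector=first, host=last ->", detect(EVASION_FRAGMENTS, "first"))
    print("conflicting overlap ->", overlaps_conflict(EVASION_FRAGMENTS))
```

If the host keeps the last fragment and the IPS keeps the first, the IPS matches its signature against "GET /index.html" while the server receives "GET /etc/passwd": the attack is inserted past the IPS without any single fragment looking hostile. The two practical answers are the ones the reading's tested products lacked in some configuration: know the reassembly policy of the hosts behind the IPS and reassemble the same way, or, simpler and target-independent, treat overlapping fragments with conflicting bytes as an alert in themselves.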

Week 13 Summary

Evasion Techniques

Here’s what I’ve used in the past as evasion techniques: very slow and steady scanning, scanning for only one or two ports at a time, spoofing IP addresses, encryption to avoid IDSs, clearing traffic logs, fragmenting payloads and packets, and pivoting and using another machine to do the scanning for you. You could also try ARP poisoning and MAC spoofing.

In the news:
The Army wants to put cyber Soldiers in the mud with the Infantry. For what practical purpose? Not too sure.

Week 13 – Summary

Evasion Techniques – Reading

Even though IPS systems provide a means to prevent malicious attacks from entering the network systems beyond the secured perimeter, it is still possible to evade detection by bypassing the IPS/IDS and performing an attack. An IPS performs deep packet filtering to reveal abnormal content or traffic behavior based on various threshold values that trigger an alert/detection, and then executes a prevention mechanism if configured correctly. Possible evasion methods are obfuscation, encryption and tunneling, packet fragmentation, and protocol violation. One of the evasion tools is Evader; there are others. When data is captured, an analysis of the payload is performed to reveal services, sources, destinations, etc. Various IPS products are used for protection, such as Palo Alto, Cisco ASA and others. It is critical to constantly review the configuration design for threshold values, as well as to always review all logs to find out if anything might be vulnerable.

Question for the Class: Which IPS is the best overall on the market today?

In the News:

Following the bloody terror attacks in Paris, in which over 130 people were killed, the hacktivist collective Anonymous has declared total war against the Islamic State (IS, formerly ISIS/ISIL).
Anonymous released a video message, posted in French, on YouTube on Sunday announcing the beginning of #OpParis, a coordinated campaign to hunt down ISIS’s social media channels and every single supporter of the jihadist group online.
The combat mission #OpParis was announced as revenge for the recent ISIS terror attacks that took place in Paris on Friday, November 13, 2015.
Under the #OpISIS online campaign, an Anonymous group hacked, defaced, unmasked, and reported thousands of ISIS Twitter accounts.
On Friday the 13th the social network giant Facebook deleted an Anonymous group page, which had been exposing and reporting pro-ISIS social media accounts, and banned all of its administrators without giving any prior warning.
Details at:
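
The slow-and-steady scanning and one-or-two-ports-at-a-time evasions listed in an earlier post are aimed precisely at the threshold values this post says an IPS fires on. The Python below is an added example, not the reading's or any product's code, and the connection-log lines it analyzes are constructed in the script. It runs a sliding-window port-scan detector over a fast scan and a slow scan and shows the slow scan passing under a ten-second window but being caught once the window is widened, which is the tuning trade-off this post is pointing at.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: "<iso-timestamp> SYN <src-ip> -> <dst-ip>:<dst-port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) SYN (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")
START = datetime(2015, 11, 15, tzinfo=timezone.utc)


def make_scan_log(src, interval_seconds, ports, dst="10.0.0.5", start=START):
    """Build constructed sample lines: one SYN per port, interval_seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * interval_seconds)).isoformat()} SYN {src} -> {dst}:{port}"
        for i, port in enumerate(ports)
    ]


def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsable line: {line!r}")
    return datetime.fromisoformat(m["ts"]).timestamp(), m["src"], int(m["port"])


def scan_alerts(lines, window_seconds, threshold):
    """Return the set of source IPs that touched at least `threshold` distinct
    destination ports within any sliding window of `window_seconds`."""
    recent = defaultdict(deque)     # src -> (timestamp, port) pairs, oldest first
    alerted = set()
    for ts, src, port in sorted(parse(line) for line in lines):
        window = recent[src]
        window.append((ts, port))
        while ts - window[0][0] > window_seconds:   # drop events older than the window
            window.popleft()
        if len({p for _, p in window}) >= threshold:
            alerted.add(src)
    return alerted


FAST_SCAN = make_scan_log("192.0.2.10", 0.1, range(1, 21))    # 20 ports in two seconds
SLOW_SCAN = make_scan_log("198.51.100.7", 60, range(1, 21))   # 20 ports, one per minute

if __name__ == "__main__":
    mixed = FAST_SCAN + SLOW_SCAN
    print("10 s window:", scan_alerts(mixed, window_seconds=10, threshold=10))
    print("1 h window: ", scan_alerts(mixed, window_seconds=3600, threshold=10))
```

With a ten-second window only the fast scanner is flagged; with a one-hour window both are. Widening the window costs memory per source and raises the chance that a busy but legitimate client trips the threshold, which is why the thresholds have to be set per environment rather than left at vendor defaults. Note the limit of this detector: it keys on the source address, so a scan spread across several pivot hosts, each touching a port or two, stays under any per-source threshold and needs correlation by destination instead.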

Week 13 Summary and Articles

The reading discussed techniques that penetration testers can use to evade an IPS. Examples are fragmenting packets, obfuscation, using decoy trees, using open ports, etc. The main lesson is that an IPS and other systems by themselves won’t protect your client. You have to make sure unwanted services are turned off and activities are logged and monitored, in combination with other measures. There is no panacea for vulnerabilities because there is always a way into an enterprise. Security professionals should make the best use of available resources to make it as difficult as possible to breach the enterprise.

Articles I found interesting for discussion are:

Week 13!

Regardless of how many security products and procedures you put in place there will still be ways to get around them and cover the tracks. Evasion techniques are used to accomplish these goals. Our reading is an introductory piece to evasion techniques and lists obfuscation, encryption and tunneling, fragmentation, and protocol violations as evasion techniques.

Evasion is incredibly dangerous because it is an attack that you’re unable to trace. It would be like the IT version of a stealth bomber flying into your airspace without you being able to track it on radar. Since these techniques are so dangerous it’s important to test your ability to launch one of these attacks on your systems. The suggested method in the reading was to set up a test network that simulates the real environment and is off the grid.

Article for the week: Anonymous declares cyber war on ISIS

I thought this was of note because as we shift to more and more cyber risk in society there is a chance that individuals can play unsolicited roles in military type actions that used to be exclusive to the government.
