
SideStep: IDS evasion tool

SideStep is a sample program I wrote to demonstrate some IDS evasion techniques. The basic premise is that existing network IDS technology is based upon a simplistic model of how networks work. In particular, the assumption is made that hackers will be nice and play by the rules.

The reason people make this assumption is that it is usually valid. Most "hackers" are just kids out for a good time; they really aren't that serious. These kids are extremely visible, and most IDSs are designed to catch them. However, determined, skilled hackers do exist. Many owners of existing IDSs do not believe they exist, because their IDSs never detect them behind the background radiation of script kiddies.

I have therefore written a program designed to demonstrate the difference between script-kiddie level attacks and serious attacks. I call it "sidestep" because it gets around most existing network IDSs. The program generates attacks using three modes:

normal
This executes the attack/scan at the level of sophistication of script kiddies. Most IDSs should pick up these attacks.
evasion
Carries out the same attack but this time using sophisticated IDS evasion techniques. None of these attacks are fragmented at the IP or TCP layer.
false positive
Doesn't attack the target, but instead does something relatively normal. However, many IDSs falsely trigger on this.

Attacks

The attacks chosen for this demonstration are those that are widely supported among the most popular network IDSs. A mixture of both Windows and UNIX attacks was chosen.

RPC Portmap Dump
Scans the system for running RPC services.
FTP CWD ~root
Attempts to exploit a common configuration problem for FTP to gain access to unauthorized portions of the FTP server.
DNS Chaos version.bind lookup
Scans the DNS server for the version number, which will then tell the intruder what exploits might work on it.
SNMP lanmanager enumeration
Attempts to access user information from an NT server using SNMP.
HTTP /cgi-bin/phf
Attempts to access a well-known vulnerable CGI script.
Back Orifice ping
Scans the target for the existence of a well-known Trojan horse.

Note that all of these attacks are fairly benign, so you can likely run them against a production server without too much fear of causing a problem.

Real client

This program implements real clients for RPC, FTP, DNS, SNMP, HTTP, and BackOrifice. A common problem when testing is that an IDS will (correctly) not trigger on a simulated attack. For example, the RPC dump attack lists all the running services. If the program successfully retrieves this list without the IDS triggering, you know the fault lies in the IDS and not in the testing procedure.

TCP vs. UDP

The RPC, FTP, and HTTP attacks are based upon TCP and require a live victim before they will trigger an IDS. The DNS, SNMP, and BackOrifice attacks will send out UDP datagrams without requiring that anybody listen for those datagrams. However, beware that if the IDS fails to trigger, it still may be a problem in the testing procedure. For this reason, make sure you configure your IDS to detect the normal attack before trying the evasion attack.
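The DNS version.bind attack listed above is a good case for the sanity check this section asks for: before testing evasion, confirm that the detector fires on the plain, un-evaded query. The following is an added illustration of what such a detector looks like on the IDS side; it is not part of SideStep or Network ICE's code. Rather than matching a raw byte string, it parses the DNS question section properly (length-prefixed labels, QTYPE, QCLASS) and flags a CHAOS-class TXT or ANY query for the name "version.bind". The function names (parse_dns_question, is_version_bind_query) and the build_query helper, which only exists to construct sample query packets inline, are assumptions for this example.

```python
import struct

QTYPE_TXT = 16   # RFC 1035 TXT record
QTYPE_ANY = 255  # "*" query
QCLASS_CH = 3    # CHAOS class, used by BIND for its version pseudo-zone


def parse_dns_question(pkt: bytes):
    """Parse the first question of a DNS query message.

    Returns (name, qtype, qclass) with the name lower-cased, or None when
    the message is not a well-formed query (a response, truncated data,
    or a compression pointer in the question name).
    """
    if len(pkt) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:          # QR bit set: this is a response, not a query
        return None
    if qdcount < 1:
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(pkt):
            return None         # ran off the end before the root label
        length = pkt[pos]
        pos += 1
        if length == 0:         # root label terminates the name
            break
        if length & 0xC0:       # pointer/extended label: not valid in a question
            return None
        if pos + length > len(pkt):
            return None
        # DNS names compare case-insensitively, so normalise before matching
        labels.append(pkt[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def is_version_bind_query(pkt: bytes) -> bool:
    """Detector: does this query ask BIND for its version via the CHAOS class?"""
    q = parse_dns_question(pkt)
    if q is None:
        return False
    name, qtype, qclass = q
    return name == "version.bind" and qclass == QCLASS_CH and qtype in (QTYPE_TXT, QTYPE_ANY)


def build_query(name: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query message (sample input for the detector)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    # Constructed samples: the normal version.bind query must trigger, an
    # ordinary IN-class lookup must not.
    normal = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
    benign = build_query("www.example.com", 1, 1)
    print("normal query detected:", is_version_bind_query(normal))
    print("benign query detected:", is_version_bind_query(benign))
```

Running the block as a script exercises the detector on the constructed normal query first, which is exactly the order this section recommends for a test: a detector that misses the un-evaded query tells you nothing about evasion.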

SideStep vs. fragrouter

The program "fragrouter" has long been used to evade IDSs by fragmenting traffic at the IP or TCP layer. Despite the fact that fragrouter has been in use for years now, several market-leading IDSs still do not fully reassemble TCP or IP. Moreover, if you get into the full gamut of Ptacek-Newsham attacks, I know of only two network IDSs that correctly resolve overlapping TCP or IP fragments on a per-host basis.

However, SideStep has nothing to do with fragmentation. It evades network IDS in a completely different manner. As far as I know, there is only one network IDS that can fully handle the SideStep attacks.

Status and Download

The program is still in preliminary form. I hope to create a GUI for it and compile it for other platforms soon. The raw binary (for Windows) is available at:

http://www.robertgraham.com/tmp/sidestep.exe

Note that this is a "command-line" program, not a GUI. Simply run it with no options for help:

c:\>sidestep
SideStep v1.0  Copyright (c) 2000 by Network ICE
http://www.robertgraham.com/tmp/sidestep.html
usage:
 sidestep <target> [<options>]
Sends attacks at the target that evades an IDS.
One of the following protocols/attacks must be specified:
 -rpc    RPC PortMap DUMP
 -ftp    FTP CD ~root
 -dns    DNS version.bind query
 -snmp   SNMP lanman user enum
 -http   /cgi-bin/phf
 -bo     BackOrifice ping
 -all
One of three modes must be specified:
 -norm       Does no evasion (normal attacks)
 -evade      Attempts to attack target evading the IDS
 -false      Does not attack the system at all (false positive)
Example:
 sidestep 10.0.0.1 -evade -dns
 Queries DNS server for version info evading IDS

About me

I (Robert Graham) am the CTO of Network ICE. This tool will eventually be published on Network ICE's site.

I believe that Network ICE's IDS is by far the hardest for serious hackers to evade, whether you are talking about Ptacek-Newsham/fragrouter attacks or application-layer evasion.

Copyright 1999 VoxTechnologies Corporation - An Industrial Partner
Last modified: November 30, 2002