Hi everyone,

I'm doing some testing using Nessus's NIDS evasion techniques. I'm running Nessus against Apache 1.3.22 using the Apache Chunked Encoding vulnerability. I'm doing this to observe Snort's behavior in front of Nessus's evasion techniques.
Nessus 2.0.10a on Linux 2.6.1
Apache 1.3.22 on FreeBSD 4.9
Snort 2.1.2 on FreeBSD 4.9


.nessusrc from Nessus client (non-enabled plug-ins, and unrelated info snipped)
# This file was automagically created by nessus
trusted_ca = /usr/local/com/nessus/CA/cacert.pem
nessusd_host = 192.168.3.10
nessusd_user = sgt_b
paranoia_level = 3
begin(SCANNER_SET)
10180 = no
10277 = no
10278 = no
10331 = no
10335 = no
10841 = no
10336 = no
10796 = no
11219 = no
11840 = no
end(SCANNER_SET)


begin(SERVER_PREFS)
max_hosts = 30
max_checks = 10
log_whole_attack = yes
cgi_path = /cgi-bin:/scripts
port_range = -1
optimize_test = no
language = english
checks_read_timeout = 5
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = no
auto_enable_dependencies = no
use_mac_addr = no
save_knowledge_base = no
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
plugin_upload = no
plugin_upload_suffixes = .nasl, .inc
slice_network_addresses = no
save_session = no
save_empty_sessions = no
host_expansion = ip
ping_hosts = no
reverse_lookup = no
detached_scan = no
continuous_scan = no
unscanned_closed = no
diff_scan = no
end(SERVER_PREFS)

begin(SERVER_INFO)
server_info_nessusd_version = 2.0.10
server_info_libnasl_version = 2.0.10
server_info_libnessus_version = 2.0.10
server_info_thread_manager = fork
server_info_os = Linux
server_info_os_version = 2.6.1
end(SERVER_INFO)

begin(RULES)
end(RULES)

begin(PLUGIN_SET)
10889 = yes
11030 = yes
10890 = yes
end(PLUGIN_SET)

begin(PLUGINS_PREFS)
NIDS evasion[radio]:TCP evasion technique = split
NIDS evasion[checkbox]:Send fake RST when establishing a TCP connection = no
HTTP NIDS evasion[checkbox]:Use HTTP HEAD instead of GET = no
HTTP NIDS evasion[radio]:URL encoding = none
HTTP NIDS evasion[radio]:Absolute URI type = none
HTTP NIDS evasion[radio]:Absolute URI host = none
HTTP NIDS evasion[checkbox]:Double slashes = no
HTTP NIDS evasion[radio]:Reverse traversal = none
HTTP NIDS evasion[checkbox]:Self-reference directories = no
HTTP NIDS evasion[checkbox]:Premature request ending = no
HTTP NIDS evasion[checkbox]:CGI.pm semicolon separator = no
HTTP NIDS evasion[checkbox]:Parameter hiding = no
HTTP NIDS evasion[checkbox]:Dos/Windows syntax = no
HTTP NIDS evasion[checkbox]:Null method = no
HTTP NIDS evasion[checkbox]:TAB separator = no
HTTP NIDS evasion[checkbox]:HTTP/0.9 requests = no
--snip--


Upon completion of the scan I see that the server is vulnerable (as expected), and that the NIDS evasion feature 'split' was used.
Snort accurately detects the chunked encoding attempt.


A packet trace of this attempt, however, shows that the split function is not performing as it should. By description at http://www.nessus.org/doc/nids.html the split function should send the request one character at a time. As you can see in the below packet trace, the split function sends the 'G' character of the GET request, but then fails to send the rest of the request one character at a time. Instead the next packet contains the rest of the request in its entirety.
The same attempt was performed using the 'injection' feature. This feature splits the request one character at a time, but also sends garbage packets (bad tcp checksums) between the good ones. By using the injection method, the split function performs as it should by splitting the request in packets containing one character at a time.
Split Method - Split function does not work properly
Injection Method - Split function performs as it should


Is there an issue with the NIDS evasion split method?

--Begin Packet Trace---
--snip--
21:32:27.135145 IP (tos 0x0, ttl 64, id 51888, offset 0, flags [DF], length: 53) 192.168.3.10.33589 > 192.168.3.31.80: P [tcp sum ok] 775613766:775613767(1) ack 3404479781 win 5840 <nop,nop,timestamp 285091819 28896078>
0x0000: 4500 0035 cab0 4000 4006 e898 c0a8 030a E..5..@.@.......
0x0010: c0a8 031f 8335 0050 2e3a ed46 caec 3d25 .....5.P.:.F..=%
0x0020: 8018 16d0 c461 0000 0101 080a 10fe 27eb .....a........'.
0x0030: 01b8 eb4e 47 ...NG
21:32:27.232796 IP (tos 0x0, ttl 64, id 36444, offset 0, flags [DF], length: 52) 192.168.3.31.80 > 192.168.3.10.33589: . [tcp sum ok] ack 775613767 win 57920 <nop,nop,timestamp 28896088 285091819>
0x0000: 4500 0034 8e5c 4000 4006 24ee c0a8 031f E..4.\@.@.$.....
0x0010: c0a8 030a 0050 8335 caec 3d25 2e3a ed47 .....P.5..=%.:.G
0x0020: 8010 e240 3fef 0000 0101 080a 01b8 eb58 ...@?..........X
0x0030: 10fe 27eb ..'.
21:32:27.232895 IP (tos 0x0, ttl 64, id 51889, offset 0, flags [DF], length: 115) 192.168.3.10.33589 > 192.168.3.31.80: P [tcp sum ok] 775613767:775613830(63) ack 3404479781 win 5840 <nop,nop,timestamp 285091917 28896088>
0x0000: 4500 0073 cab1 4000 4006 e859 c0a8 030a E..s..@.@..Y....
0x0010: c0a8 031f 8335 0050 2e3a ed47 caec 3d25 .....5.P.:.G..=%
0x0020: 8018 16d0 edef 0000 0101 080a 10fe 284d ..............(M
0x0030: 01b8 eb58 4554 202f 696e 6465 782e 6e65 ...XET./index.ne
0x0040: 7320 4854 5450 2f31 2e30 0d0a 5472 616e s.HTTP/1.0..Tran
0x0050: 7366 6572 2d45 6e63 6f64 696e 673a 2063 sfer-Encoding:.c
0x0060: 6875 6e6b 6564 0d0a 0d0a 310d 0a58 580d hunked....1..XX.
0x0070: 0a0d 0a ...
21:32:27.233489 IP (tos 0x0, ttl 64, id 36445, offset 0, flags [DF], length: 492) 192.168.3.31.80 > 192.168.3.10.33589: P [tcp sum ok] 3404479781:3404480221(440) ack 775613830 win 57920 <nop,nop,timestamp 28896088 285091917>
0x0000: 4500 01ec 8e5d 4000 4006 2335 c0a8 031f E....]@.@.#5....
0x0010: c0a8 030a 0050 8335 caec 3d25 2e3a ed86 .....P.5..=%.:..
0x0020: 8018 e240 e059 0000 0101 080a 01b8 eb58 ...@.Y.........X
0x0030: 10fe 284d 4854 5450 2f31 2e31 2034 3030 ..(MHTTP/1.1.400
0x0040: 2042 6164 2052 6571 7565 7374 0d0a 4461 .Bad.Request..Da
--snip--
---End Packet Trace---
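Added example, not code from the original post or from Nessus: a small Python parser that reads tcpdump -X output like the trace above, strips the IP and TCP headers, reassembles the client->server stream in sequence order the way Snort's stream reassembly must before a signature can match, and reports the per-segment payload sizes. The two client packets embedded below are copied from the trace; the names CLIENT, HDR, HEXWORD, parse_trace and reassemble are chosen here.

```python
import itertools, re
# Two client->server segments copied from the tcpdump trace in the post above (not constructed).
TRACE = """\
21:32:27.135145 IP (tos 0x0, ttl 64, id 51888, offset 0, flags [DF], length: 53) 192.168.3.10.33589 > 192.168.3.31.80: P [tcp sum ok] 775613766:775613767(1) ack 3404479781 win 5840 <nop,nop,timestamp 285091819 28896078>
0x0000: 4500 0035 cab0 4000 4006 e898 c0a8 030a E..5..@.@.......
0x0010: c0a8 031f 8335 0050 2e3a ed46 caec 3d25 .....5.P.:.F..=%
0x0020: 8018 16d0 c461 0000 0101 080a 10fe 27eb .....a........'.
0x0030: 01b8 eb4e 47 ...NG
21:32:27.232895 IP (tos 0x0, ttl 64, id 51889, offset 0, flags [DF], length: 115) 192.168.3.10.33589 > 192.168.3.31.80: P [tcp sum ok] 775613767:775613830(63) ack 3404479781 win 5840 <nop,nop,timestamp 285091917 28896088>
0x0000: 4500 0073 cab1 4000 4006 e859 c0a8 030a E..s..@.@..Y....
0x0010: c0a8 031f 8335 0050 2e3a ed47 caec 3d25 .....5.P.:.G..=%
0x0020: 8018 16d0 edef 0000 0101 080a 10fe 284d ..............(M
0x0030: 01b8 eb58 4554 202f 696e 6465 782e 6e65 ...XET./index.ne
0x0040: 7320 4854 5450 2f31 2e30 0d0a 5472 616e s.HTTP/1.0..Tran
0x0050: 7366 6572 2d45 6e63 6f64 696e 673a 2063 sfer-Encoding:.c
0x0060: 6875 6e6b 6564 0d0a 0d0a 310d 0a58 580d hunked....1..XX.
0x0070: 0a0d 0a ...
"""
CLIENT = ("192.168.3.10.33589", "192.168.3.31.80")     # the flow the request travels on
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP .*? (\S+) > (\S+): (?:.*?(\d+):\d+\(\d+\))?")
HEXWORD = re.compile(r"^([0-9a-f]{2}|[0-9a-f]{4})$")

def parse_trace(text, flow):
    """Return [(seq, payload)] for the data-carrying segments of one flow in tcpdump -X output."""
    packets = []                                   # [(src, dst, seq-or-None, [hex words])]
    for line in text.splitlines():
        m = HDR.match(line)
        if m:                                      # summary line: a new packet starts
            packets.append((m.group(1), m.group(2), m.group(3), []))
        elif line.startswith("0x") and packets:    # hex dump line: keep hex words, drop ASCII
            packets[-1][3].extend(itertools.takewhile(HEXWORD.match, line.split()[1:]))
    segments = []
    for src, dst, seq, words in packets:
        if (src, dst) != flow or seq is None:      # other direction, or a pure ACK with no data
            continue
        raw = bytes.fromhex("".join(words))
        ihl = (raw[0] & 0x0F) * 4                  # IPv4 header length
        doff = (raw[ihl + 12] >> 4) * 4            # TCP data offset, options included
        segments.append((int(seq), raw[ihl + doff:]))
    return segments

def reassemble(segments):
    """Join segments in sequence order, as an IDS stream reassembler must before it can
    match a signature; returns (segment_sizes, data) and raises on a gap or overlap."""
    segs = sorted(segments)
    sizes, data, expect = [], b"", segs[0][0]
    for seq, payload in segs:
        if seq != expect:
            raise ValueError(f"gap or overlap at seq {seq}")
        sizes.append(len(payload)); data += payload; expect += len(payload)
    return sizes, data
```

For the trace above, reassemble(parse_trace(TRACE, CLIENT)) gives sizes [1, 63], one byte followed by the rest of the request, rather than the one-byte-per-segment split the Nessus documentation describes.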
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus