Nine IDS intrusion detection system methods for real-time detection of attacks

An intrusion detection system, abbreviated IDS, is, as its name implies, used to detect and report attacks in real time. If a firewall is the gatekeeper guarding the network gate, then an IDS is a patrolman who actively searches for intruders. Understanding how an IDS can be bypassed for vulnerability scanning, script injection, URL attacks and so on is therefore important both for attackers and for anyone who wants to improve IDS.

Snort is an IDS that many people use. It is not a panacea, however. The author will discuss one technique for getting past web-oriented IDS such as Snort: polymorphic URL encoding.

When we talk about polymorphism, we may think of the "polymorphic" and "metamorphic" encryption techniques used in virus writing. The URL polymorphic encoding discussed here is similar in spirit to virus polymorphism: different outward forms are used to achieve the same purpose.

The same URL can be written in many different encodings. When an IDS inspects traffic in real time, it compares the data it sees against the attack strings specified in its rule set file. A match indicates that the system is under attack, and the IDS blocks the request and raises an alert. Because URLs that reach the same resource can be expressed in different forms, an encoded variant may not appear in the IDS rule set, and it can confuse the IDS signature analysis engine; the result is that the IDS is bypassed.

There are many kinds of polymorphic URL encoding. Here the author introduces nine common and representative methods. For convenience, the examples use the request path /msadc/msadcs.dll. The string "/msadc/msadcs.dll" is present in the rule sets of IDS such as Snort, so submitting /msadc/msadcs.dll directly to the target causes the IDS to intercept the request and raise an alarm.

First move: "/./" string insertion method

Because "./" refers to the current directory, it can be inserted into a URL to change its shape without changing its meaning. For example, /msadc/msadcs.dll can be rewritten as /.//msadc/././msadcs.dll, /./msadc/.//./msadcs.dll and other forms that disturb the IDS signature analysis engine. The rewritten URL is equivalent to the unmodified URL in terms of the resource it reaches. The author has shown by experiment that this method can bypass IDS such as Snort.

Second move: hexadecimal coding

Any character can be written as the escape symbol "%" followed by its hexadecimal ASCII code. For example, the first character "/" in /msadc/msadcs.dll can be represented as %2F, and the remaining characters can likewise be replaced by "%" plus their hexadecimal ASCII code. A URL encoded this way no longer looks like the original, and the IDS rule set may not contain the encoded string, so the IDS can be bypassed. This method is ineffective, however, against an IDS that uses an HTTP preprocessor, which decodes percent-encoding before matching.

Third move: "00" ASCII code

This feature was widely used to exploit vulnerabilities on the Internet a while ago, so it should be familiar. The principle is that a program will truncate a string when it reaches a byte with ASCII code 00 (NUL). We can rewrite /msadc/msadcs.dll as /msadc/msadcs.dll Iloveheikefangxian, use WinHex to change the space between ".dll" and "Ilove" to the byte 00, save the file and submit it through a pipe into nc. In the eyes of some IDS, /msadc/msadcs.dll Iloveheikefangxian is not the same as the attack string specified in the rule set, so the IDS ignores the request. Look how widely the principle "a string is truncated at ASCII 00" applies! Philosophically speaking, things are connected with each other: thinking more and digging out the underlying rules lets us find new things.

Fourth move: illegal Unicode encoding

UTF-8 allows a character set with more than 256 characters, so a character may occupy more than 8 bits. The hexadecimal ASCII code of "/" is 2F, which in binary is 00101111. The standard UTF-8 representation of 2F is still the single byte 2F, but a multi-byte UTF-8 sequence can also be made to spell 2F (such "overlong" forms are forbidden by the UTF-8 standard, which is why they are called illegal). The character "/" expressed as single-byte, double-byte and three-byte UTF-8 is shown in the following table:

"/" character    Bit pattern                   Binary                        Hexadecimal
Single byte      0xxxxxxx                      00101111                      2F
Double byte      110xxxxx 10xxxxxx             11000000 10101111             C0 AF
Three byte       1110xxxx 10xxxxxx 10xxxxxx    11100000 10000000 10101111    E0 80 AF

With this method the entire string can be encoded accordingly. Although the encoded URLs ultimately point to the same resource, they are expressed in different ways, and the encoded string may not exist in the IDS rule set, thus achieving the goal of breaking through the IDS.

Fifth move. Add false path

After the "/" string is added to the URL, the directory after the string is meaningless and invalid. Therefore, using the "/" string can disturb the signature analysis engine and break through the IDS.

Sixth move: insert multiple slashes

Multiple "/" characters can be used instead of a single "/", and the URL still works as before. For example, the request for /msadc/msadcs.dll can be changed to ///msadc////msadcs.dll. In the author's experiments this method bypasses some IDS.

Seventh move: use the path separator "\"

On web servers such as Microsoft IIS, "\" can be used as a path separator just like "/". Some IDS did not take the non-standard path separator "\" into account when writing their rule sets. If we rewrite /msadc/msadcs.dll as \msadc\msadcs.dll, we escape Snort's eyes, because Snort's rule set contains no signature for \msadc\msadcs.dll. It is worth mentioning that the path separator "\" has another wonderful use, namely the "%5c" method mentioned in Hacker Defense some time ago. "%5c" is the hexadecimal representation of "\".

Eighth move: redundant encoding

Redundant encoding is also called double decoding. I still remember that the IIS Unicode decoding vulnerability and the IIS double decoding vulnerability were widely discussed in 2000-2001. At that time many friends mistakenly thought the Unicode decoding vulnerability was the same as the double decoding vulnerability; in fact they are two different things. The principle of the former was described above under "illegal Unicode encoding". Redundant encoding means encoding a character more than once. For example, the "/" character can be represented as %2f, and each of the characters "%", "2" and "f" in "%2f" can in turn be represented by the hexadecimal of its ASCII code. By simple combinatorics there are 2 to the 3rd power such forms, so "%2f" can be rewritten as "%25%32%66", "%252f" and so on to achieve URL polymorphism. The encoded string may not be collected in the IDS rule set, so some IDS can be fooled.

Ninth move: combined polymorphic encoding

As the title suggests, the combined method simply applies several of the polymorphic encoding techniques introduced above together, which works even better.
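The defender's counterpart to all nine moves is the HTTP preprocessor that canonicalizes the request path before signature matching. The following added example (not code from the original article or from Snort) decodes percent-encoding repeatedly, accepts overlong UTF-8 the way a permissive server would, truncates at NUL, maps "\" to "/", collapses repeated slashes, resolves "." and ".." segments, and then matches the canonical path against a signature while reporting which deformations it undid. The signature list and the case-insensitive comparison are assumptions of this example.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

def lenient_utf8(b: bytes) -> tuple[str, bool]:
    """Decode UTF-8 like a permissive server: overlong forms (C0 AF, E0 80 AF)
    yield the code point they spell, and the second value reports that one was seen."""
    out, i, overlong = [], 0, False
    while i < len(b):
        c = b[i]
        if c >> 5 == 0b110:            # two-byte lead
            n, cp = 2, c & 0x1F
        elif c >> 4 == 0b1110:         # three-byte lead
            n, cp = 3, c & 0x0F
        else:                          # ASCII, stray continuation byte or 4-byte lead: keep as-is
            n, cp = 1, c
        if i + n > len(b) or any(b[i + k] >> 6 != 0b10 for k in range(1, n)):
            n, cp = 1, c               # truncated sequence: keep the lead byte
        for k in range(1, n):
            cp = (cp << 6) | (b[i + k] & 0x3F)
        if (n == 2 and cp < 0x80) or (n == 3 and cp < 0x800):
            overlong = True            # value fits in fewer bytes: illegal encoding
        out.append(chr(cp))
        i += n
    return "".join(out), overlong

def canonicalize(raw: str, max_rounds: int = 3) -> tuple[str, set[str]]:
    """Undo the deformations and return (canonical path, evasion indicators seen)."""
    seen, s, rounds = set(), raw, 0
    for _ in range(max_rounds):        # moves 2, 4, 8: decode until the string is stable
        decoded, overlong = lenient_utf8(unquote_to_bytes(s))
        if overlong:
            seen.add("overlong_utf8")
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    if rounds >= 1:
        seen.add("percent_encoding")
    if rounds >= 2:
        seen.add("double_encoding")
    if "\x00" in s:                    # move 3: C-style truncation at NUL
        seen.add("null_byte"); s = s.split("\x00", 1)[0]
    if "\\" in s:                      # move 7: IIS treats "\" as "/"
        seen.add("backslash_separator"); s = s.replace("\\", "/")
    if "//" in s:                      # move 6
        seen.add("repeated_slash"); s = re.sub(r"/+", "/", s)
    if re.search(r"(^|/)\.\.?(/|$)", s):   # moves 1 and 5: "." and ".." segments
        seen.add("dot_segment"); s = posixpath.normpath(s)
    return s.lower(), seen             # assumption: case-insensitive file system

SIGNATURES = ("/msadc/msadcs.dll",)   # constructed rule set for this example

def inspect(raw: str) -> dict:
    path, seen = canonicalize(raw)
    return {"path": path, "evasions": sorted(seen),
            "alert": any(sig in path for sig in SIGNATURES)}
```

Each of the nine deformations in the article, and any combination of them, canonicalizes to /msadc/msadcs.dll and fires the signature, while the indicator set tells the analyst which evasion was attempted.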

Postscript: the "00 ASCII code" and the non-standard path separator "\" mentioned above may already be familiar to you, because they are closely related to some well-known vulnerabilities and database-exposure tricks of the time. Hacking is an art; hackers pay attention to inspiration and ideas. With deep thinking, old knowledge can give rise to new techniques!

When reprinting this article, please credit: reprinted from Seven Travelers Blog.

Fixed link of this article: https://www.qxzxp.com/2990.html
