
Nessus news letter #1
------------------------------------------------------------------
Nessus News Letter # 1
2002-02-24
------------------------------------------------------------------

Summary

1. Introduction
2. Nessus 1.1.13 is out / New features in the 1.1.x tree
3. A closer look at Nessus NIDS evasion features



1. Introduction

We have decided to keep in touch with people who cannot or do not want
to read the nessus and nessus-devel mailing lists with this news
letter. Its purpose is to present the latest evolutions in Nessus,
the new plug-ins, caveats & bug fixes, tips, and, if possible, some
technical articles on Nessus or some related topic.
This first issue is published on the nessus and nessus-announce
mailing lists; the next one will be sent only to nessus-announce.
Cf. http://list.nessus.org/

We will try to publish it regularly, every month if possible.
Those who would like to publish articles, send comments, flames
or love letters should write to <newsletter@nessus.org>.

As HTML e-mail is *Bad*, we will stick to plain ASCII. Articles in
other formats (HTML, PDF...) may be put on a web site and linked to,
though.

This letter was written by
Michel Arboi <arboi at bigfoot dot com>
Renaud Deraison <deraison at cvs dot nessus dot org>

This letter may be redistributed freely, provided it is not modified
-- this implies that the copyright above is kept.

In this issue, you will find:
- the presentation of this letter,
- the latest evolutions in Nessus,
- a description of the latest crazy feature "NIDS evasion", and why it
  is not intended to be used by script kiddies.


2. Nessus 1.1.13 is out / New features in the 1.1.x tree

This letter is a little special, as we cannot give you the new
features since the *previous* letter. So we will quickly present the
differences between version 1.1.13 and the 1.0.x "stable" branch,
and between 1.1.12 and 1.1.13.

You'll find Nessus 1.1.13 at:
ftp://ftp.nessus.org/pub/nessus/unstable/nessus-1.1.13/
http://www.nessus.org/experimental.html

Note that in spite of its "unstable" and "experimental" labels, we
strongly recommend the use of 1.1.13 rather than 1.0.x.


2.1. Main differences between Nessus 1.0.x and 1.1.x

- New functions:
  - Enhanced NTP protocol, e.g.:
    - file upload from the client to the server
    - plug-ins upload
  - "Consider unscanned ports as closed" option
  - "Safe checks" option
  - Better thread manager
  - Enhanced GTK interface, e.g.:
    - Plug-in filtering
    - New interface is quicker on huge networks
  - Tests SSL-based services
  - PEKS layer replaced by SSL
- Optimisations:
  - Quicker on big networks (scans done in parallel, "smart" plug-ins)
  - Some memory leaks fixed
- New NASL functions or keywords:
  script_version script_keywords http_delete
  http_put http_recv_headers safe_checks
  get_port_transport
- New plug-ins, e.g.:
  - webmirror.nasl & torturecgis.nasl
  - enhanced nmap plug-in
  - and more

and many more...

2.2. Differences between Nessus 1.1.12 and 1.1.13

Nessus 1.1.13 has been released! Among the new features,
we have:

- New tool "nasl_syntax_check" (in the nessus-tools directory)

- Version numbers on the plug-ins.

- New "ACT_SETTINGS" category and new "Settings" family.
Those plug-ins should always be enabled: they do not perform any
security test, they just configure the server.

- SSL version for the client / server communication can now be set;
TLSv1 is now the default, instead of SSLv3.

- NIDS evasion functions for TCP and HTTP. See section 3 about these.

- Simpler nmap_wrapper plug-in: nmap shall now be in $PATH when
nessusd is started.

- New preference for nmap_wrapper: one can now choose the default port
list (all ports below 1024 plus what is in nmap-services). This is a
good trade-off between speed and efficiency.

- A bug randomly preventing the scan of networks was fixed.

- Kazillions of typos fixed in the scripts' outputs (thanks to jay at
kinetic.org)

- XML 'NG' output is now XML-compliant (thanks to Dmitriy Kropivnitskiy
<nigde at mitechki.net>)

- New C plug-ins:
nikto_wrapper
snmp_portscan
ssl_cipher
whisker_wrapper

- New NASL plug-ins:
agora.nasl asp_net_css.nasl asp_net_path_disclosure.nasl
dtspcd.nasl faqmanager.nasl fcgi_echo.nasl
ids_evasion.nasl mrtg_traversal.nasl mssql_brute_force.nasl
oracle9i_XSQLServlet_XSQLConfig.nasl oracle9i_apache_dms.nasl
oracle9i_dad_admin.nasl oracle9i_globals_dot_jsa.nasl
oracle9i_java_process_manager.nasl oracle9i_jsp_source.nasl
oracle9i_mod_plsql_overflow.nasl oracle9i_mod_plsql_traversal.nasl
oracle9i_modplsql_css.nasl php_apache_win32_default.nasl
php_nuke_sql_debug.nasl silverstream_database.nasl
silverstream_dirlisting.nasl smb_host2sid.nasl
smb_nt.inc smb_nt_ms02-005.nasl smb_sid2localuser.nasl
smb_xp_ms01-059.nasl snmp_oversized_length_field_dos.nasl
snmp_oversized_length_field_two.nasl
smb_nt_ms02-006.nasl smb_nt_ms02-008.nasl


3. A closer look at Nessus NIDS evasion features

It came to our attention that Nessus is, more often than not, used to
test the quality of a NIDS. A lot of people install a NIDS,
install Nessus, scan a target and see if the NIDS is full of logs.

Nessus was not designed to be stealthy, meaning that however
poor your NIDS is, there will be at least two pages of red
alerts telling you it's the end of the world.

So in order to really test the quality of a NIDS, we've decided to
implement common NIDS attacks, not in order to be stealthy, but
in order to stress NIDSes a little more than what is done today.

Before you start to play with these, be aware that blindly
enabling NIDS evasion features may give you an incomplete
report - some web servers do not like some URL encodings,
some TCP/IP stacks do not like malformed TCP packets
in their streams.

Note that these techniques are nothing new. All the TCP-related
ones date back to 1998, so NIDS vendors have been given a head
start.

3.1. Description

3.1.2. HTTP tactics

We implemented all HTTP evasion tactics from RFP's paper[1], except
"premature request ending", "parameter hiding" and "HTTP
mis-formatting". We added a couple of experimental URL encoding
methods: "broken UTF-8", "UTF-16", and "Microsoft %u UTF-16".

It is possible with Nessus to enable several features at the same
time. However, the requests are so brain damaged that your web server
may not understand them... And you will get false negatives.

All those tactics aim at defeating a simple pattern matching NIDS:

- Method matching
  Using HEAD instead of GET. Other HTTP methods should be tried...

- URL encoding
  Instead of writing "cgi-bin", we send "%63%67%69%2d%62%69%6e" (this
  is hex encoding).
  You can also use UTF-16: %00%63%00%67%00%69%00%2d%00%62%00%69%00%6e
  Or MS %u UTF-16: %u0063%u0067%u0069%u002d%u0062%u0069%u006e
  Or "broken UTF-8", that sends badly encoded "too long" UTF-8.
  The three last tactics are not taken from Whisker and may not work.

- Double slashes
  /cgi-bin/vuln.cgi is replaced by //cgi-bin//vuln.cgi

- Reverse traversal
  /cgi-bin/vuln.cgi is replaced by /blahblah/../cgi-bin/vuln.cgi

- Self-reference directories
  /cgi-bin/vuln.cgi is replaced by /./cgi-bin/./vuln.cgi

- DOS/Win syntax
  All slashes but the first are replaced by backslashes

- NULL method
  A %00 is inserted just after the method name. The IDS might stop at
  the first NUL byte, while the web server may split the request in
  two parts and process it.
  This does not work against Apache.
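The flip side of the tactics above is the canonicalisation a NIDS must
perform before pattern matching. The following is an added example
written for this letter; it is not Nessus code and not taken from RFP's
paper. It decodes %XX, UTF-16 style %00-prefixed bytes, Microsoft %uXXXX
escapes and overlong ("broken") UTF-8, drops NUL bytes, turns backslashes
into slashes, collapses repeated slashes and "." / ".." segments, and only
then compares the path against a signature, ignoring the method so that
HEAD and GET are treated alike. The request lines in SAMPLES are
constructed from the list above; the signature path /cgi-bin/vuln.cgi is
the letter's own placeholder, and query strings are deliberately not
handled.

```python
# Added example (not Nessus or newsletter code): canonicalise an HTTP request
# line before signature matching, so that every encoding variant listed above
# collapses back to the same path.  The sample requests below are constructed.
import re

HEX2 = re.compile(r'[0-9A-Fa-f]{2}')
HEX4 = re.compile(r'[0-9A-Fa-f]{4}')


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the forgiving way a target server might, accepting
    overlong ("too long") 2- and 3-byte sequences instead of rejecting them.
    Bytes that start no valid sequence are kept as single characters."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        tail = data[i + 1:i + 3]
        if 0xC0 <= b <= 0xDF and len(tail) >= 1 and 0x80 <= tail[0] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (tail[0] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and len(tail) == 2 and all(0x80 <= t <= 0xBF for t in tail):
            out.append(chr(((b & 0x0F) << 12) | ((tail[0] & 0x3F) << 6) | (tail[1] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return ''.join(out)


def percent_decode(text: str) -> str:
    """One pass over %XX (hex) and %uXXXX (Microsoft UTF-16) escapes.
    Runs of %XX bytes are decoded together so that UTF-8 sequences survive."""
    out, pending, i = [], bytearray(), 0

    def flush():
        if pending:
            out.append(lenient_utf8(bytes(pending)))
            pending.clear()

    while i < len(text):
        if text.startswith('%u', i) and HEX4.fullmatch(text[i + 2:i + 6]):
            flush()
            out.append(chr(int(text[i + 2:i + 6], 16)))
            i += 6
        elif text[i] == '%' and HEX2.fullmatch(text[i + 1:i + 3]):
            pending.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            flush()
            out.append(text[i])
            i += 1
    flush()
    return ''.join(out)


def canonical_path(path: str) -> str:
    """Undo the URL-level tricks: escapes, UTF-16 NULs, backslashes,
    repeated slashes, "." and ".." segments (query strings are not handled)."""
    p = percent_decode(path).replace('\x00', '').replace('\\', '/')
    segments = []
    for seg in p.split('/'):
        if seg in ('', '.'):
            continue                      # "//" and "/./"
        if seg == '..':
            if segments:
                segments.pop()            # "/blahblah/../"
            continue
        segments.append(seg)
    return '/' + '/'.join(segments)


def parse_request_line(line: str):
    """Return (method, path); the method may carry an encoded NUL after it."""
    parts = line.split()
    method = percent_decode(parts[0]).replace('\x00', '').upper()
    return method, parts[1]


def matches_signature(line: str, signature: str = '/cgi-bin/vuln.cgi') -> bool:
    """Match on the canonical path only, so HEAD and GET are treated alike."""
    _method, path = parse_request_line(line)
    return canonical_path(path) == signature


# Constructed request lines, one per tactic described in the newsletter.
SAMPLES = [
    "GET /cgi-bin/vuln.cgi HTTP/1.0",
    "HEAD /cgi-bin/vuln.cgi HTTP/1.0",                                    # method matching
    "GET /%63%67%69%2d%62%69%6e/vuln.cgi HTTP/1.0",                         # hex encoding
    "GET /%00%63%00%67%00%69%00%2d%00%62%00%69%00%6e/vuln.cgi HTTP/1.0",     # UTF-16
    "GET /%u0063%u0067%u0069%u002d%u0062%u0069%u006e/vuln.cgi HTTP/1.0",     # MS %u UTF-16
    "GET /%C0%AFcgi-bin/vuln.cgi HTTP/1.0",                                 # overlong UTF-8 "/"
    "GET //cgi-bin//vuln.cgi HTTP/1.0",                                     # double slashes
    "GET /blahblah/../cgi-bin/vuln.cgi HTTP/1.0",                           # reverse traversal
    "GET /./cgi-bin/./vuln.cgi HTTP/1.0",                                   # self-reference
    "GET /cgi-bin\\vuln.cgi HTTP/1.0",                                      # DOS/Win syntax
    "GET%00 /cgi-bin/vuln.cgi HTTP/1.0",                                    # NULL method
]

if __name__ == '__main__':
    for line in SAMPLES + ["GET /index.html HTTP/1.0"]:
        print(matches_signature(line), canonical_path(line.split()[1]), line)
```

Every line in SAMPLES canonicalises to /cgi-bin/vuln.cgi and matches,
while the plain /index.html request does not. The decoder runs a single
pass on purpose: decoding repeatedly until nothing changes is the other
common choice, and which one is right depends on what the protected
server actually does with a doubly encoded request.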

3.1.3. TCP tactics

These tactics are described in [2] and [3]. Not all the techniques
described in these two papers were implemented though. What
we implemented is:

- TCP Slicing
  Instead of sending full commands to the remote host, Nessus
  sends them one character at a time in different packets. NIDSes
  which do not do TCP stream reassembly will fall for this;

- Malformed packet injection
  This is TCP slicing, except that between two valid packets,
  Nessus will send a "normal" TCP packet (with the right
  sequence number / ack number / source port / dest port)
  with bogus data in it and a bad checksum. The remote host
  will drop this packet, but NIDSes which do not do TCP checksum
  verification will badly reassemble the stream and thus
  won't see the attack;

- Short TTL
  This is nearly the same as before, except that the injected
  packets have a good checksum but a short TTL (Time To Live),
  so that they will not reach their target. If the NIDS is
  one hop away from the target and does not check the TTLs,
  then it will badly reassemble the TCP stream;

- Fake RST
  Each time Nessus establishes a connection, it will send
  a forged RST packet to the remote host, with either
  a short TTL or a bad checksum (your choice). NIDSes
  doing stream reassembly quite badly will think this
  is the end of the connection and will not log
  subsequent data going through.
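
What the four TCP tactics have in common is that the sensor accepts
segments the target's stack will never deliver. The following is an added
example written for this letter, not Nessus code and not taken from [2]
or [3]: a small in-memory model of a sensor's stream reassembly, run on
constructed segments, once as a naive sensor and once with checksum and
TTL checks. The segments, the command string, the 'X' junk byte and the
TTL values are all constructed; the checksum covers the payload only and
the TTL rule (a segment with ttl <= remaining hops is lost) is a
simplification of real forwarding, so treat both as illustration rather
than as a sensor implementation.

```python
# Added example (not Nessus or newsletter code): a model of what a sensor
# reconstructs from a sliced TCP stream, with and without the checks the
# injection tactics above rely on it lacking.  All segments are constructed;
# the checksum covers the payload only and the TTL rule is simplified.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes
    ttl: int
    checksum: int     # value carried in the packet (may be deliberately wrong)
    rst: bool = False


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of the payload."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(int.from_bytes(data[i:i + 2], 'big') for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


REAL_TTL, SHORT_TTL = 64, 1                      # constructed values
COMMAND = b"GET /cgi-bin/vuln.cgi HTTP/1.0\r\n"   # constructed command


def sliced_stream(command: bytes, tactic: str = 'none'):
    """Constructed traffic as a sensor would see it: one byte per segment
    (TCP slicing) plus the extra segments of one tactic:
    'bad_checksum', 'short_ttl' or 'fake_rst'."""
    segs = []
    for i, byte in enumerate(command):
        real = bytes([byte])
        segs.append(Segment(i, real, REAL_TTL, internet_checksum(real)))
        if tactic == 'fake_rst' and i == 0:
            # forged reset right after the connection starts, wrong checksum
            segs.append(Segment(i + 1, b'', REAL_TTL, internet_checksum(b'') ^ 0xFFFF, rst=True))
        elif tactic in ('bad_checksum', 'short_ttl') and i + 1 < len(command):
            junk, good = b'X', internet_checksum(b'X')   # occupies the NEXT real byte's seq
            if tactic == 'bad_checksum':
                segs.append(Segment(i + 1, junk, REAL_TTL, good ^ 0xFFFF))
            else:
                segs.append(Segment(i + 1, junk, SHORT_TTL, good))
    return segs


def per_packet_match(segments, pattern: bytes = b'cgi-bin') -> bool:
    """A sensor with no reassembly at all: matches each packet on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments, verify_checksum: bool = False, hops_to_target=None) -> bytes:
    """Rebuild the stream.  With verify_checksum the sensor discards what the
    target's stack would discard; with hops_to_target it discards segments whose
    TTL cannot carry them that far (simplified: ttl <= hops means lost).
    For overlapping data the first copy seen wins."""
    stream = {}
    for s in segments:
        if verify_checksum and internet_checksum(s.payload) != s.checksum:
            continue
        if hops_to_target is not None and s.ttl <= hops_to_target:
            continue
        if s.rst:
            break            # a reset that passed the checks ends the conversation
        for offset, byte in enumerate(s.payload):
            stream.setdefault(s.seq + offset, byte)
    return bytes(stream[k] for k in sorted(stream))


def sensor_sees(tactic: str, robust: bool) -> bool:
    """Does a naive or a checking sensor find the command after reassembly?"""
    segs = sliced_stream(COMMAND, tactic)
    if robust:
        data = reassemble(segs, verify_checksum=True, hops_to_target=1)
    else:
        data = reassemble(segs)
    return b'cgi-bin' in data


if __name__ == '__main__':
    for tactic in ('none', 'bad_checksum', 'short_ttl', 'fake_rst'):
        print(f"{tactic:13} naive={sensor_sees(tactic, False)!s:5} robust={sensor_sees(tactic, True)}")
```

Slicing alone is caught by any sensor that reassembles; the three
injection tactics are caught only by the sensor that validates checksums
and TTLs before accepting a segment or a reset into its stream state,
which is exactly the gap the letter's results section reports for a
sensor without reassembly.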



3.2. Results

We did limited testing of this feature:

The Snort NIDS is remarkably robust against those nasty
features, and it turns out they make Nessus even noisier ;)
(version tested: 1.8.3 - www.snort.org)

OTOH, due to lack of TCP stream reassembly, Prelude fails
against these (and will detect a TCP slicing attack when
short packets are going to port 80).
(version tested: 0.4.2 - www.prelude-ids.org)

If you stress NIDSes with these features, report your results to us!

3.3. Ethics?

Adding such features to Nessus is something we had been hesitant to do.
On the one hand, we did not want to see it turn into a script kiddies' tool;
on the other hand, we did not want to see it used as a NIDS stressing
tool as it was.

As it turns out that a good NIDS will raise even more red blinking alerts
when these features are enabled, we felt confident in adding them and
releasing them to the public. Nessus with NIDS evasion techniques will be
noisier on the network and will generate more alerts in your firewall. So
it's not stealthy at all - it just tricks weak IDSes and makes them believe
things they should not.

3.4. Documentation

[1] http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
"A look at whisker's anti-IDS tactics", by Rain Forest Puppy.

[2] http://www.securityfocus.com/data/library/ids.ps
"Insertion, evasion and denial of service: eluding network intrusion
detection", by Thomas H. Ptacek and Timothy N. Newsham.

[3] http://www.phrack.com/phrack/54/P54-10