Evader allows you to test the effectiveness of security devices in your network environment
against advanced evasion techniques.
The following sections are included:
Getting Started With Evader (page 2)
Installing the Evader Test Environment (page 3)
Using the New Evader Web Interface (page 7)
Using the Old Evader Web Interface (page 19)
Evader Command Syntax (page 20)
Mongbat Command Syntax (page 24)
Supported Evasions (page 28)
Getting Started With Evader
(Figure: the example installation, showing the attacker computer, the security device(s) under test and the victim computer(s).)
An evasion is an attempt to disguise attacks in order to avoid detection and blocking by network
security systems. Evasions can be applied to normal traffic as well as to attacks. An attack
consists of a delivery mechanism (for example, a buffer overflow) and a malicious payload (for
example, code that is executed by the victim computer). The attack is considered successful if
the delivery mechanism succeeds in gaining access to the victim computer, regardless of
whether the security device detects or responds to the attack.
Evasion techniques can be divided into the following categories:
• Defined in a specification and used according to the specification (example:
IPFragmentation).
• Defined in a specification but never actually used according to the specification (example:
MSRPC BigEndian).
• Defined in a specification for some other component, but not defined for the way it is used in
the evasion technique (example: MSRPC NDR Flags).
• Forbidden by a specification, but accepted by the victim system (example: TCP overlap).
The well-known exploits available in Evader are used for evasion testing only.
Installation Environment
The installation environment consists of an attacker computer that runs the Evader software
and one or more victim computers. The examples in this document are based on the following
example installation. Your installation may vary according to your environment.
The following credentials are used to log in to the Linux operating system on both computers:
• User: root
• Password: password
Using Evader
Installing the Evader Test Environment
Installation Files
The attacker software and the victim software are distributed as one live DVD. The attacker
software includes the Evader software. The Linux victim software includes the following
vulnerable software:
• Apache HTTP Server version 2.0.64
• MySQL 4.1.22
• PHP 4.2.2
• phpBB 2.0.10 (CVE-2004-1315)
System Requirements
The live DVD can be deployed on the PC platform of your choice. It can also be deployed on a
virtual platform. Promiscuous mode must be enabled on the virtual switches to get Evader and
your security device(s) to work correctly. On virtual platforms, e1000 network adapters are
recommended.
Additional Targets
Additional targets can be installed on the victim computer using virtualization (for example,
vmware Workstation or Oracle VirtualBox). Virtualization is not part of the live DVD.
If you want to use a Windows XP victim computer as the target for testing evasions with the
conficker (CVE-2008-4250) attack, you must install the operating system and configure the
vulnerable services according to the requirements below:
• Windows XP (en-US) SP2 without patches
• MSRPC Server Service configured to allow unauthenticated MSRPC binds
Example IP addresses for a Windows XP victim computer:
• IPv4 Address: 172.16.120.20
• Netmask: 255.255.255.128 (25)
If you want to use a Windows 7 victim computer as the target for testing evasions with the rdp_dos
(CVE-2012-0002) attack, you must install the operating system and configure the vulnerable
services according to the requirements below:
• Windows 7 (en-US) without the MS12-020 patch installed
• Remote Desktop Services started with Allow Connections From Computers Running Any
Version Of Remote Desktop selected. See http://technet.microsoft.com/en-us/magazine/
ff404238.aspx for configuration instructions.
Example IP addresses for a Windows 7 victim computer:
• IPv4 Address: 172.16.120.22
• Netmask: 255.255.255.128 (25)
Deploying the Attacker and Victim Machines
These instructions explain how to deploy the live DVD for the attacker and the victim machines.
If you want to run the attacker and the victim machines from a live DVD, you need two copies of
the Evader live DVD.
To run the attacker and the victim machines on two separate PCs
1. Insert the live DVD in the DVD drive of the PC.
2. Reboot the PC.
• Make sure that the PC is able to boot from the DVD drive. Change the BIOS settings of the
PC if needed. In some PCs, the function key F12 allows you to select a temporary boot
device during the BIOS boot.
3. Select the first option on the menu of the live DVD: live - boot the Live system. Xubuntu
starts.
4. Start the terminal emulator from the command prompt icon in the bottom left corner of the
screen.
5. Run the command sudo su -.
6. Enter the password for the Evader: password.
You now have root access.
The live DVD runs its own operating system on the PC hardware. It does not affect the existing
operating system on the PC’s hard drive.
Remember that all changes are temporary when you run the Evader from the live DVD. If you
want to create a permanent Evader environment, you must install the Evader from the live DVD.
The installation overwrites the existing hard drive and its operating system. If you want to install
Evader from the live DVD, you can use the desktop icon Install Evader Live CD.
What’s Next?
Repeat these steps to deploy the other machine. Then continue by Configuring the
Attacker Computer (page 5).
Configuring the Attacker Computer
To configure the attacker computer with the live DVD
Enter the following command:
ip addr add 172.16.120.1/25 dev eth0
To configure the attacker computer when making a permanent installation
1. If you are making a permanent installation, edit the /etc/network/interfaces file and
configure the following settings according to your network environment:
auto eth0
iface eth0 inet static
address 172.16.120.1
netmask 255.255.255.128
2. Enter the following command to restart networking and apply your network settings:
/etc/init.d/networking restart
What’s Next?
Continue by Configuring the Linux Victim Computer.
Configuring the Linux Victim Computer
To configure the Linux victim computer with the live DVD
1. Enter the following command:
ip addr add 172.16.120.21/25 dev eth0
Note – If you get the message “Operation not permitted”, run the command sudo su -
and retry the ip command.
2. Enter the following command to start the vulnerable services:
./start_victim_services.sh
To configure the Linux victim computer when making a permanent installation
1. Log in to the Linux victim computer with the following credentials:
• User: root
• Password: password
2. Edit the /etc/network/interfaces file and configure the following settings according to your
network environment:
auto eth0
iface eth0 inet static
address 172.16.120.21
netmask 255.255.255.128
3. Enter the following command to restart networking and apply your network settings:
/etc/init.d/networking restart
4. Enter the following command to start the vulnerable services:
./start_victim_services.sh
Testing Connectivity
To ping from the attacker host to the victim host
1. Enter the following command:
ping 172.16.120.21
2. If you do not get a response from the victim host, make sure that:
• The cabling is ok.
• Both hosts have an IP address. You can use the command ip addr show to show the
interfaces on the host and their IP addresses.
3. Once you get the ping response, open a web browser and browse to
http://172.16.120.21/. If the victim services are running correctly, an Apache web page
should open.
What’s Next?
If you want to use the old Evader user interface, proceed to Using the Old Evader Web
Interface (page 19).
Otherwise, continue by Using the New Evader Web Interface (page 7).
Using the New Evader Web Interface
To use the new Evader web interface
1. Change to the /root/evader directory: cd /root/evader
Note – If you get the message “Permission denied”, run the command sudo su - and
retry the cd command.
2. Enter the following command: ruby webgui2.rb
3. Open a web browser and browse to http://localhost:8000. The Evader web interface
opens.
4. Select the attack module for testing the evasions. Select the http_phpbb_highlight exploit,
because it works against the Linux victim software that is delivered with the Evader live
DVD.
Note – If you want to test evasions against a Windows XP victim computer with the
Conficker module, or against a Windows 7 victim computer with the Windows RDP Denial
of Service, you must install the operating system and configure the vulnerable services.
See the System Requirements (page 3) for more information.
5. Select the exploit outcome:
• Bind shell (default)
• Get /etc/password
6. Click Configure Test Environment.
7. Select Intrusion Prevention System Layer 2.
8. Select the Strength that defines the maximum number of stacked evasions.
•The default setting is 2.
9. Define the network options for the Evader command as instructed in the table below.
Table 1.1 Network Options for Evader Command
Setting                        Description
Interface                      Enter the name of the interface on the attacker computer from which the
                               attacks originate.
Evader IP range                Enter the IP range of the addresses for the attacks. These addresses must be
                               unique IP addresses from the same subnet as the IP address of the target
                               (victim) computer. In this setup, the Evader IP address range should be
                               172.16.120.30 - 172.16.120.45.
                               Note! The Evader tool implements its own TCP/IP stack. Do not use the
                               attacker computer’s IP address as part of the Evader IP address range.
Layer 3 device under test IP   Not needed in this case. Both the attacker and the victim are in the same
                               network.
Target IP                      Enter the IP address of the victim. In this setup, the target IP address
                               should be 172.16.120.21.
The finished Configure Test Environment screen (step 2 screen) should look like the
illustration below.
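The two constraints in Table 1.1 (the Evader IP range must lie in the target's subnet, and must not include the attacker computer's own address, because Evader brings its own TCP/IP stack and the host kernel would otherwise answer for that address as well) are easy to get wrong when the lab addressing differs from this guide. The script below is an added example, not part of the Evader distribution: it checks a proposed range against those rules before you start a test. It also rejects the subnet's network and broadcast addresses and the target's own address, which the table does not spell out but which would equally break the test. The function names, the 64-bit shell arithmetic it relies on, and the sample addresses are this example's assumptions; the addresses are the ones this guide uses.

```shell
#!/bin/sh
# Added example (not part of Evader): validate the Table 1.1 network options.
# Assumes a POSIX shell with 64-bit arithmetic (dash, bash, busybox ash).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted quad (used in messages only).
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a CIDR prefix length; for /25 this is 0xFFFFFF80.
prefix2mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# check_evader_range ATTACKER_IP TARGET_IP PREFIX_LEN RANGE_START RANGE_END
# Returns 0 only if every address in the Evader IP range
#   - is in the target's subnet (replies to Evader's own stack must route back),
#   - is neither the network nor the broadcast address of that subnet,
#   - is not the target's address,
#   - is not the attacker computer's own address (Table 1.1 "Note!").
# The reason for the first failure is printed to stderr.
check_evader_range() {
    attacker=$(ip2int "$1")
    target=$(ip2int "$2")
    mask=$(prefix2mask "$3")
    start=$(ip2int "$4")
    end=$(ip2int "$5")
    net=$(( target & mask ))
    bcast=$(( net | (0xFFFFFFFF & ~mask) ))

    [ "$start" -le "$end" ] || { echo "range start $4 is after range end $5" >&2; return 1; }
    i=$start
    while [ "$i" -le "$end" ]; do
        if [ $(( i & mask )) -ne "$net" ]; then
            echo "address $(int2ip "$i") is outside the target subnet $2/$3" >&2
            return 1
        fi
        if [ "$i" -eq "$net" ] || [ "$i" -eq "$bcast" ]; then
            echo "address $(int2ip "$i") is the network or broadcast address" >&2
            return 1
        fi
        if [ "$i" -eq "$target" ]; then
            echo "range contains the target address $2" >&2
            return 1
        fi
        if [ "$i" -eq "$attacker" ]; then
            echo "range contains the attacker computer's address $1" >&2
            return 1
        fi
        i=$(( i + 1 ))
    done
    return 0
}

# Example run with the addresses used in this guide:
check_evader_range 172.16.120.1 172.16.120.21 25 172.16.120.30 172.16.120.45 \
    && echo "Evader IP range 172.16.120.30 - 172.16.120.45 is usable"
```

Run it once with the values you intend to type into the Configure Test Environment screen; a range that spills into the other half of 172.16.120.0/24, or that starts at the attacker's 172.16.120.1, is reported before Evader is started rather than showing up as silent packet loss during the test.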