Advanced Topics in Security Testing: Dynamic Evasion in Exploit and Malware Packet Capture Replaying

 


   The pandemic has greatly accelerated the move of many aspects of our lives into the cloud: work, shopping, finances and more, thanks to the networks that now surround us. While this brings tremendous gains in productivity, quality of life and profit, it also brings new dangers, chiefly to network and cloud security.

   Because the cloud is a relatively new, trillion-dollar industry, cloud security is evolving just as rapidly as the innovation on the cloud itself. Given that attackers are motivated and relentless, effective network security testing is more important than ever, especially with the vastly expanded attack surface of the ever-increasing number of network-capable devices.

   Security testing by replaying packet captures (pcaps) and malware files is an effective methodology, but the tool needed is challenging to build if realism is required when replaying application and attack traffic (more on this in a future blog). At Terapackets we rose to the challenge and created exactly such a tool. It replays both pcaps and malware files (for malware, the user specifies a transport such as HTTP, FTP or HTTP/2), and it is used by world-class testing organizations such as NSS Labs and CyberRatings.org to benchmark the top vendors' networking gear in categories such as NGFW, SD-WAN and CNFW (cloud network firewall).

   More recently we added support for testing SASE (Secure Access Service Edge), and it has been used to test the top vendors in that field. More and more major vendors, including Check Point, Juniper Networks and Palo Alto Networks, use the tool in their development and testing cycles, some even in demo settings to show potential customers how well their products block attacks and malware.
 
   Network evasion techniques are common elements of many attack vectors and should therefore be an essential part of any network security testing and continuous validation process. In this blog we discuss two approaches to implementing evasion in the testing process.

Static Evasion

   In this approach, evasions are implemented by picking one or a few pcaps containing attacks known to be blocked by the DUT (device under test); modifying the packets in the source pcap to produce a set of new pcap files, one per evasion combination in the test plan; and replaying the packets from the resulting pcaps to observe whether the DUT still blocks the traffic. While straightforward, this approach has the following disadvantages:

    • Only a few attacks, out of an effectively unlimited number, get tested with evasions.
    • The evasion suite involves many tools, making extensive evasion testing hard to run.
    • Adapting to a new combination of evasion techniques requires a code change, which means time and money.

Dynamic Evasion

   The Terapackets Threat Replayer comes with evasion fully integrated. To replay any source pcap with evasion, all a user has to do is add a few evasion parameters. For the IP/ICMP/UDP/TCP-level evasions, a slightly modified form of the familiar fragroute syntax (fragroute is Dug Song's tool) is used. There is no need to install additional software or perform any special setup (such as a separate client host and server host) to run tests with evasions applied.

   For example, with the following additional command line parameter one can run pcap replay tests with evasion on a single host with two Ethernet interfaces:

-evasion ip_frag:64,order:rand,tcp_seg:128


   The difference from the original fragroute syntax is that the newline between rules is replaced with a comma (,) and the space between a rule and its argument is replaced with a colon (:), so the fragroute rule "ip_frag 64" becomes "ip_frag:64" and a whole rule set fits in one command line parameter passed to the Threat Replayer. This makes it easy to script in bash or other languages.
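To make concrete what the IP-level rules above do to a datagram, here is an added example (mine, not Terapackets code): it emulates "ip_frag:64" and "order:rand" on a constructed IPv4 datagram and then performs the reassembly a DUT must do before it can inspect the original bytes. The payload bytes stand in for the transport segment, and the reassembler refuses gaps, overlaps and incomplete sets rather than guessing, since a DUT that guesses is what such evasions exploit.

```python
"""Added example: fragroute-style ip_frag + random order, and strict reassembly."""
import random
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0x1234) -> bytes:
    """Unfragmented IPv4 datagram (20-byte header, no options) around `payload`."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                                64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def fragment(datagram: bytes, frag_size: int) -> list:
    """The `ip_frag <size>` rule: fragments carrying at most frag_size payload bytes.
    frag_size must be a multiple of 8 because the offset field counts 8-byte units."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    ihl = (datagram[0] & 0x0F) * 4
    hdr, payload = datagram[:ihl], datagram[ihl:]
    if not payload:
        return [datagram]
    frags = []
    for off in range(0, len(payload), frag_size):
        piece = payload[off:off + frag_size]
        more = off + len(piece) < len(payload)
        h = bytearray(hdr)
        struct.pack_into("!H", h, 2, ihl + len(piece))                     # total length
        struct.pack_into("!H", h, 6, (0x2000 if more else 0) | (off // 8))  # MF | offset
        struct.pack_into("!H", h, 10, 0)
        struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
        frags.append(bytes(h) + piece)
    return frags


def shuffle(fragments: list, seed: int = 0) -> list:
    """The `order rand` rule: put the fragments on the wire in random order."""
    out = list(fragments)
    random.Random(seed).shuffle(out)
    return out


def reassemble(fragments: list) -> bytes:
    """Reassemble one datagram from fragments in any order; raise on anything odd."""
    pieces, total, first_hdr = {}, None, None
    for f in fragments:
        ihl = (f[0] & 0x0F) * 4
        flags_frag = struct.unpack_from("!H", f, 6)[0]
        off, more = (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000)
        if off in pieces:
            raise ValueError("duplicate fragment at offset %d" % off)
        pieces[off] = f[ihl:]
        if not more:
            total = off + len(pieces[off])
        if off == 0:
            first_hdr = bytearray(f[:ihl])
    if total is None or first_hdr is None:
        raise ValueError("incomplete fragment set")
    payload = b""
    for off in sorted(pieces):
        if off != len(payload):
            raise ValueError("gap or overlap at offset %d" % len(payload))
        payload += pieces[off]
    if len(payload) != total:
        raise ValueError("length mismatch")
    struct.pack_into("!H", first_hdr, 2, len(first_hdr) + len(payload))
    struct.pack_into("!H", first_hdr, 6, 0)
    struct.pack_into("!H", first_hdr, 10, 0)
    struct.pack_into("!H", first_hdr, 10, ipv4_checksum(bytes(first_hdr)))
    return bytes(first_hdr) + payload


# Constructed sample payload (73 bytes): a plain HTTP request.
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n"
                  b"User-Agent: replay-test\r\n\r\n")


def demo(frag_size: int = 64, seed: int = 7) -> dict:
    """Fragment, shuffle and reassemble the sample; report what a harness would check."""
    original = build_ipv4("10.0.0.1", "10.0.0.2", 6, SAMPLE_PAYLOAD)
    wire = shuffle(fragment(original, frag_size), seed)
    offsets = [(struct.unpack_from("!H", f, 6)[0] & 0x1FFF) * 8 for f in wire]
    return {"fragments": len(wire), "wire_offsets": offsets,
            "checksums_ok": all(ipv4_checksum(f[:20]) == 0 for f in wire),
            "round_trip_ok": reassemble(wire) == original}


if __name__ == "__main__":
    print(demo())
```

Lowering frag_size to 8 or 16 gives the DUT many more fragments to hold and order, which is where reassembly timeouts and memory limits start to matter.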

   Since any source pcap can be replayed with advanced evasions this easily, it is just as easy to replay an entire pcap library with different evasion combinations. This "dynamic" evasion is far more comprehensive than the static approach, which covers only one or a few attacks.

Terapackets HTTP Evasion Support

   For HTTP-level evasion, the Terapackets Threat Replayer takes a flexible approach because of the large number of possible combinations of fields and parameters in an HTTP message:
    • status code, status text and termination characters of the status line
    • HTTP header fields: spelling, values and termination characters
    • HTTP body chunk header
        ◦ leading/trailing spaces, leading 0's
        ◦ chunk-extension
        ◦ termination character for the chunk header
        ◦ extremely long last-chunk size made of 0's
    • compression of the body
        ◦ compression method actually used vs. the one declared in the HTTP header fields
        ◦ how many times the body is compressed
        ◦ whether to remove some bytes from the compressed body
    • ...
   A user specifies the evasion combination in a YAML file covering fields in the HTTP header and HTTP body. Here is an example of such a file:

response:
  meta:
    #bodyOnly: true
  protocol: HTTP/1.0
  statusCode: 200
  status: OK
  headers:
    Transfer-Encoding: "chunked"
    #Content-Length: -10
    Server: "abcdef"
    Content-Encoding: gzip
  headerEnd: "\r\n\r\n"
  body:
    #skipBytes: -4 4
    chunk:
      size: 34
      #header:
        #each: "%x;zip=78717"
    compression:
        method: gzip  #can be gzip|deflate
        #count: 2

Note that a user can easily change headerEnd (the termination of the HTTP header, normally "\r\n\r\n") to "\r\r\n\n" or other combinations, or just as easily add a binary character such as "\x00" to a header field.
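To show what those YAML knobs produce on the wire and how a parser reacts, here is an added example (mine, not the Threat Replayer's code). It builds a response from dicts shaped like the YAML above (what yaml.safe_load would return for such a file), using the standard gzip/zlib modules, and runs the result through a strict chunked decoder and two gunzip routines standing in for a DUT's parser. The field semantics are this example's assumptions: chunk.header.each is a format string for every chunk-size line, chunk.header.last is the last-chunk size field, compression.count is the number of compression passes, and skipBytes is [offset, count] with a negative offset counting from the end; the sample body and the "zip=78717" extension value come from the YAML.

```python
"""Added example: build an HTTP response from a YAML-shaped spec and parse it back."""
import gzip
import struct
import zlib


def compress(data: bytes, method: str, count: int = 1) -> bytes:
    """compression.method / compression.count: compress the body `count` times."""
    for _ in range(count):
        if method == "gzip":
            data = gzip.compress(data, mtime=0)
        elif method == "deflate":
            data = zlib.compress(data)
        else:
            raise ValueError("unknown compression method %r" % method)
    return data


def chunk_body(data: bytes, size: int, each: str = "%x", last: str = "0", eol: str = "\r\n") -> bytes:
    """Chunked transfer coding. `each` formats every chunk-size line ("%x;zip=78717"
    adds a chunk-extension, "%08x" adds leading zeros); `last` is the last-chunk size."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += (each % len(piece) + eol).encode() + piece + eol.encode()
    out += (last + eol + eol).encode()
    return bytes(out)


def build_response(spec: dict, body: bytes) -> bytes:
    """Assemble status line, headers, headerEnd and the (evaded) body."""
    r, b = spec["response"], spec["response"].get("body", {})
    comp = b.get("compression")
    if comp:
        body = compress(body, comp["method"], comp.get("count", 1))
    if b.get("skipBytes"):                      # assumed semantics: [offset, count]
        off, n = b["skipBytes"]
        off = off + len(body) if off < 0 else off
        body = body[:off] + body[off + n:]
    chunk = b.get("chunk")
    if chunk:
        h = chunk.get("header", {})
        body = chunk_body(body, chunk["size"], h.get("each", "%x"), h.get("last", "0"), h.get("eol", "\r\n"))
    lines = ["%s %s %s" % (r.get("protocol", "HTTP/1.1"), r["statusCode"], r.get("status", ""))]
    lines += ["%s: %s" % (k, v) for k, v in r.get("headers", {}).items()]
    return ("\r\n".join(lines) + r.get("headerEnd", "\r\n\r\n")).encode() + body


def dechunk(data: bytes) -> bytes:
    """Strict chunked decoder: hex size, optional ';' chunk-extension, CRLF only."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2


def strict_gunzip(data: bytes):
    """One gunzip pass that rejects a truncated trailer (returns None on failure)."""
    try:
        return gzip.decompress(data)
    except (EOFError, OSError, zlib.error, struct.error):
        return None


def lenient_gunzip(data: bytes) -> bytes:
    """Streaming inflate that hands back the bytes without checking the trailer.
    A strict DUT decoder paired with a lenient endpoint is what skipBytes relies on."""
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data)


BODY = b"<html><body>hello from the replayed server</body></html>\n"   # constructed

HONEST = {"response": {"protocol": "HTTP/1.1", "statusCode": 200, "status": "OK",
          "headers": {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip"},
          "body": {"chunk": {"size": 34}, "compression": {"method": "gzip"}}}}
# Same declared headers; chunk-extensions, a 32-zero last-chunk and a body gzipped twice.
DOUBLE_GZIP = {"response": {**HONEST["response"], "body": {
    "chunk": {"size": 34, "header": {"each": "%x;zip=78717", "last": "0" * 32}},
    "compression": {"method": "gzip", "count": 2}}}}
# Unchunked gzip body with its last 4 bytes (the ISIZE trailer) removed: skipBytes -4 4.
TRUNCATED = {"response": {**HONEST["response"], "headers": {"Content-Encoding": "gzip"},
             "body": {"compression": {"method": "gzip"}, "skipBytes": [-4, 4]}}}


def parse_response(spec: dict, body: bytes = BODY) -> dict:
    """What a parser sees for one spec after dechunking and one gunzip pass."""
    raw = build_response(spec, body)
    head, _, payload = raw.partition(spec["response"].get("headerEnd", "\r\n\r\n").encode())
    head_lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in head_lines[1:])
    if headers.get("Transfer-Encoding") == "chunked":
        payload = dechunk(payload)
    return {"status_line": head_lines[0], "strict_one_pass": strict_gunzip(payload),
            "lenient_one_pass": lenient_gunzip(payload)}


if __name__ == "__main__":
    for name, spec in (("honest", HONEST), ("double_gzip", DOUBLE_GZIP), ("truncated", TRUNCATED)):
        print(name, parse_response(spec)["strict_one_pass"] == BODY)
```

Only the honest spec comes back as the original body after one pass: the double-gzipped body still looks like gzip after one decode, and the truncated one is rejected by the strict decoder but accepted by the lenient one, which is the disagreement between inspection device and endpoint that these evasions test for.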


Support for the TCP 4-way handshake

   There are many more evasions to support. We added two fun ones:
    • Delay the TCP data packets after the TCP handshake for a specified amount of time
    • TCP 4-way handshake (aka TCP split open, or split handshake)

   Let's look at the "tcp split open" evasion, which is based on the observation that a TCP connection can be established with a 4-way handshake instead of the familiar 3-way one. In the split handshake the server answers the client's SYN with a SYN of its own rather than a SYN/ACK; the client then sends the SYN/ACK and the server completes the handshake with an ACK. As a result the SYN/ACK is sent by the client, not the server. A network device that relies on the direction of the SYN/ACK to decide which endpoint is the client and which is the server ends up with the roles reversed and can then miss attacks, as documented by Tod Beardsley and Jin Qian in their paper "The TCP Split Handshake: Practical Effects on Modern Network Equipment". Adding the following to the command line is all you need to generate the 4-way handshake when replaying any TCP-based pcap:

-evasion tcp_splitopen
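The failure mode described above, as an added example (mine, not Threat Replayer code): a toy flow tracker that models each packet as (src, dst, flags, data) and compares two role-inference rules, "the sender of the SYN/ACK is the server" versus "the destination of the first SYN is the server", over a normal and a split handshake. The endpoints, the flag constants and the EVIL-RESPONSE-TEST signature string are constructed for the demo.

```python
"""Added example: why keying client/server roles on the SYN/ACK direction fails."""
SYN, ACK, PSH = 0x02, 0x10, 0x08


def three_way(client: str, server: str) -> list:
    """Familiar handshake: SYN, SYN/ACK from the server, ACK."""
    return [(client, server, SYN, b""), (server, client, SYN | ACK, b""),
            (client, server, ACK, b"")]


def split_handshake(client: str, server: str) -> list:
    """Split handshake: the server answers with a bare SYN, so the SYN/ACK
    comes from the client and the server finishes with an ACK."""
    return [(client, server, SYN, b""), (server, client, SYN, b""),
            (client, server, SYN | ACK, b""), (server, client, ACK, b"")]


def server_by_synack(pkts):
    """Naive rule: whoever sends SYN/ACK is the server."""
    for src, _dst, flags, _data in pkts:
        if flags & SYN and flags & ACK:
            return src
    return None


def server_by_first_syn(pkts):
    """Rule anchored on the initiating SYN: its destination is the server."""
    for _src, dst, flags, _data in pkts:
        if flags == SYN:
            return dst
    return None


# Constructed signature that a DUT applies only to server->client data.
SERVER_SIGNATURES = [b"EVIL-RESPONSE-TEST"]


def match_server_signatures(pkts, server) -> list:
    """Run the server-side signatures over data sent by `server`; return hits."""
    hits = []
    for src, _dst, _flags, data in pkts:
        if src == server and data:
            hits += [sig for sig in SERVER_SIGNATURES if sig in data]
    return hits


def session(handshake, client="10.0.0.1:40000", server="10.0.0.2:80") -> list:
    """Handshake followed by one request and one response carrying the signature."""
    return handshake(client, server) + [
        (client, server, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n"),
        (server, client, ACK | PSH, b"HTTP/1.0 200 OK\r\n\r\nEVIL-RESPONSE-TEST"),
    ]


def compare() -> dict:
    """Signature hits under each role rule for both handshake shapes."""
    out = {}
    for name, hs in (("3-way", three_way), ("split", split_handshake)):
        pkts = session(hs)
        out[name] = {"synack_rule": len(match_server_signatures(pkts, server_by_synack(pkts))),
                     "first_syn_rule": len(match_server_signatures(pkts, server_by_first_syn(pkts)))}
    return out


if __name__ == "__main__":
    print(compare())
```

Under the split handshake the SYN/ACK rule labels the real client as the server, the response is inspected as if it were client traffic, and the signature never fires; the first-SYN rule keeps the roles straight in both cases. A real DUT also has to decide whether to allow a bare SYN in reply to a SYN at all, which is the other thing this replay checks.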


Summary:

  Given the importance of rigorous and comprehensive security-effectiveness testing to cloud security, integrating evasion techniques into the Terapackets Threat Replayer behind a very easy-to-use interface makes it simpler to adopt into any continuous validation and effectiveness strategy:
    • No code changes are required.
    • It saves time and money.
    • It improves security and effectiveness.

   We hope more security testing will be done with advanced evasion techniques, which will significantly improve the quality and effectiveness of the network security devices that protect our digital lives in the cloud, at home and in the office.

   We will cover many more network security testing topics, including these advanced evasion techniques in more detail, in future blogs.

   Interested network security professionals can contact us with questions, challenges or evaluation requests at any time at https://terapackets.com.

