Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 7 – Scenario Two Findings – Evasion

Evasion Techniques


In this section, different evasion techniques were implemented to evade Snort. The first task of this setup was to run fragtest on the attacker, feeding it the IP address of the target, to determine whether the target system processes fragmented and overlapped data correctly and that the data is not being dropped by a firewall. Fragroute was then executed to fragment packets destined for the target using different fragmentation methods. The tests started with the default fragmentation settings, which were then changed accordingly.

Tcpdump was also started to capture the traffic for later analysis. Figure 6.17 illustrates this setup.

Figure 6.17: Evasion Techniques – Fragmentation Test Block Diagram

Figure 6.18: Evasion Techniques – Fragmentation – Testing target’s handling of fragmentation data

Fragtest’s results illustrate the target’s handling of fragmented and overlapped data: the target is one hop away from the attacker, the target’s IP options are listed (sec, ts, esec, rr, satid), the target handles fragmented data correctly, it handles overlapped data favouring new data, and its timeout setting is 29.99 seconds. All this information is very important to an attacker and would aid the attacker in deciding which fragmentation patterns to use.
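Why the overlap policy reported by fragtest matters to the defender: an IDS that reassembles overlapping pieces with a different policy from the monitored host inspects different bytes from the ones the host receives. The sketch below is an added example, not code from the original study or from Snort; the fragments, the signature and the function names are constructed for illustration.

```python
# Added illustration: target-based reassembly of overlapping fragments.
# Fragments and signature are constructed sample data, not captured traffic.

def reassemble(fragments, policy):
    """Rebuild a payload from (offset, data) pieces in arrival order.

    policy "new": bytes that arrive later overwrite earlier ones.
    policy "old": the first byte to arrive at an offset is kept.
    Returns None if a hole remains (the datagram is incomplete).
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "new" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:          # a gap in the offsets: cannot reassemble
        return None
    return bytes(buf[i] for i in range(end))


def ids_verdict(fragments, signature, ids_policy, host_policy):
    """Compare what the IDS inspects with what the host actually receives."""
    seen_by_ids = reassemble(fragments, ids_policy)
    seen_by_host = reassemble(fragments, host_policy)
    return {
        "ids_alerts": seen_by_ids is not None and signature in seen_by_ids,
        "host_receives_signature": seen_by_host is not None and signature in seen_by_host,
        "views_differ": seen_by_ids != seen_by_host,
    }


SIGNATURE = b"EVIL-CMD"          # constructed placeholder pattern
# 8-byte pieces, out of order; offset 8 arrives twice with different bytes.
FRAGMENTS = [
    (16, b" TRAILER"),
    (8,  b"harmless"),           # first copy at offset 8
    (0,  b"HEADER: "),
    (8,  b"EVIL-CMD"),           # later copy overlaps the first
]
```

Calling `ids_verdict(FRAGMENTS, SIGNATURE, "old", "new")` models an IDS that favours old data in front of a host that favours new data; setting both policies to "new" models an IDS configured to match the host.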

The experiments presented in this scenario used the following fragmentation settings:

  • Fragroute’s default configuration.
  • 8-byte fragments favouring old data.
  • 4-byte TCP segments favouring new data.


The default settings are as follows:

  • tcp_seg 1 new – breaks the data into one byte segments favouring new data.
  • ip_frag 24 – breaks IP packets up into 24 byte fragments with duplicate IP chaffing (ip_chaff dup) to confuse the IDS.
  • order random – orders the data into random order.
  • print – prints the output on screen in tcpdump format.

As described by fragroute’s manual page ip_chaff is:

“Interleave IP packets in the queue with duplicate IP packets containing different payloads, either scheduled for later delivery, carrying invalid IP options, or bearing short time-to-live values.”


Figure 6.19: Fragroute on standby

Figure 6.20: Nmap running a normal SYN scan

Figure 6.21: Fragroute fragmenting nmap’s SYN scan

Figure 7.22: Snort alerts for Fragroute’s default settings

Figure 6.23: Snort statistics – Fragroute’s default settings


In this experiment fragroute was run with its default settings and an nmap SYN scan was then launched at the target. The figures above show that out of the 4274 packets analysed only 68 alerts were generated. Consider how a SYN scan works: the source sends a SYN packet to each of approximately 1000 reserved TCP ports, the target sends back SYN ACK, and the source then sends RST to close the connection, which makes around three packets per port. Dividing the 4274 analysed packets by 3 gives around 1425 expected alerts, while only 68 alerts were generated. Comparing these alerts with those produced in scenario one, it is clear that although Snort handled these fragments and managed to raise a few alerts, some scans still managed to slip through.


This time nmap’s fragmentation option, with a setting of 8 bytes, was used, with fragroute fragmenting this scan further according to the default settings.

Figure 6.24: Fragroute and Nmap

Figure 6.25: Fragroute performing the default fragmentation

Figure 6.26: Snort’s alert console and statistics screen


As can be seen, the alerts produced represent false positives, as they describe a different activity. In a real organisation, IDSs are usually tuned more granularly, in which case such alerts are not likely to be generated. Also, as described by (Champion Undated, p.8), evasion techniques could produce either total detection failure or trigger less serious or obscure alerts, which confirms the above results.

This means that the IDS did not detect the scans due to the combination of fragroute’s modifications and nmap’s fragmentation option. This can be further confirmed by looking at Snort’s statistics shown above, which display the number of packets and the number of alerts. The same can be said here as described previously (figure 6.23): 12191 packets and only 48 alerts, which are for a different activity. Attackers can use such techniques to confuse IDSs.


This stage’s settings are as follows:

  • ip_frag 8 old – breaks the data into 8 byte fragments favouring old data.
  • order random – arranges the fragments into random order.
  • print – prints the results of the modification to the console screen in tcpdump format.


Figure 6.27: Fragroute and Nmap’s results

Figure 6.27 shows fragroute on standby, ready to fragment anything going out of the interface of the machine it’s running on into 8-byte fragments and then reorder them into random order before sending the packets to their destination. The figure also shows nmap’s SYN scan being executed and fragroute fragmenting the packets. Figure 6.28 (below) shows that Snort successfully detected the scans.

Figure 6.28: Snort alert console

Figure 6.29: Snort’s Statistics


Although fragroute’s settings were changed as shown in the figures, which is also indicated by the change in the number of packets shown in Snort’s statistics, it is clear that Snort detected the scans. This also confirms that the conclusion derived from the results of the previous experiment was correct: in the previous experiment the IDS failed to detect the scans.


Figure 6.30: Nmap’s fragmented SYN scan and Fragroute output

Figure 6.31: Snort’s alert Console screen and Statistics


In the previous test Snort managed to detect nmap’s normal SYN scan even when it was fragmented with fragroute. This time, however, when nmap’s fragmentation option was combined with fragroute’s 8-byte fragmentation pattern, Snort failed to detect it. There are no alerts indicating a scan was attempted, so the alerts shown here are considered false positives, as was the case with experiment three (figure 6.23). This demonstrates that fragmentation techniques still work even though they’ve been around for a long time.


Fragroute has many options that can be combined in dozens of different ways to modify data before sending it to its destination, so that any IDS that could be monitoring the target’s network can be confused. At this final stage of this part of the evasion techniques experiment, fragroute was configured to break TCP packets leaving the interface it’s monitoring into four-byte segments favouring new data before allowing the packets to exit the interface. The actual configuration of fragroute was as follows:

  • tcp_seg 4 new – break any TCP packet into 4 byte segments favouring new data.
  • tcp_chaff paws – inserts TCP segments in the queue with duplicate TCP segments containing different payloads, bearing older TCP timestamp options for PAWS elimination.
  • order random – reorder the packets in the queue in random order.
  • print – print output into the console screen.


Figure 6.32: Fragroute, Snort’s alerts console and statistics


Fragroute broke nmap’s scans down into 4-byte segments with an overlap favouring new data, then inserted duplicate TCP segments with different payloads and old TCP timestamp options among the TCP segments in the queue, and finally placed these segments in random order. This should confuse the IDS and bypass its pre-processors and signature engine. However, although there were a few false positives, Snort did actually handle this type of attack very well and successfully detected it.


Figure 6.33: Fragroute Nmap’s scan and Fragroute output

Figure 6.34: Snort’s Alerts Console Screen and Statistics


For this final stage of the fragmentation technique experiment, fragroute was configured with the same settings described above. The results here are also as described in experiment three (figure 6.23); it can be confidently concluded that this type of scan succeeded in evading the IDS.


For this part of the study the aim was to study Metasploit’s evasion techniques and analyse Snort’s ability to detect them. As explained previously, Metasploit is an excellent exploitation framework that contains hundreds of exploits ready to be used, with hundreds of payload options and methods that aim at making the attacks stealthier, such as encoders, different evasion techniques suitable for different exploits, etc. The framework is also very flexible and allows its users to create their own exploits and payloads. A framework such as this is very valuable to security professionals and can make their tasks a lot easier.

This section looks at the following:

  1. One of the exploits (exploit/unix/misc/distcc_exec) was executed without its evasion techniques and Snort was checked to see if it managed to detect it.
  2. Because Snort didn’t detect the attack, the captured packets were analysed and a signature was created, which enabled the IDS to detect the attack.
  3. After establishing that the IDS was able to fully detect this attack, one of the evasion techniques (TCP::max_send_size) that Metasploit offered for this exploit was used and then the attack was executed again.
  4. Due to the technique’s ability to evade the IDS, the captured traffic was analysed and four chained signatures were created and tested to be successful in detecting the attack even when evasion was used.
  5. Finally, Metasploit’s evasion method was combined with fragroute to evade detection.


Figure 6.35: Metasploit’s console screen

As shown above, msfconsole is being used to search for exploits that would be suitable for the distcc service. After finding a suitable exploit, a payload was chosen and all the parameters needed for the exploit to execute were completed. The bottom right screen shows the exploit being executed, a shell being created from the target to the attacker’s machine, and the command cat /etc/passwd being used to capture the password file. Figure 6.36 shows the IDS console screen and the statistics screen; as shown, no alerts were produced because there was no suitable signature available to detect this attack.

Figure 6.36: Snort’s console and statistics screen

Figure 6.37: Packet captures being analysed using TCPDUMP and wireshark

Figure 6.38: Rule being created and the exploit being re-executed

After examining why the IDS was not able to detect the attack even when no evasion was used, it was established that the IDS had no signature for the attack in the first place. Thus the packet capture was analysed using tcpdump and wireshark to see if there was any identifiable fingerprint that could be used as a signature to detect the attack. After analysing the packets, a rule was created, tested and confirmed to be successful in detecting this attack. Figure 6.39 shows Snort’s console and statistics with the IDS detecting the attack.

Figure 6.39: Snort’s console and statistics screen


As was demonstrated in this experiment, if tools such as Metasploit did not exist then this task alone would’ve taken the researcher a long time just to create and test one signature such as this. This is because a lot of the time would be spent by the researcher creating the exploit itself.


Figure 6.40: Metasploit’s TCP segmentation evasion method

Figure 6.41: Snort console and statistics

Figure 6.42: Rules File showing the four chained rules to detect metasploit segmentation

Figure 6.43: Metasploit, Snort alert console and snort stats

Figure 6.44: metasploit evasion combined with fragroute and Snort Statistics


The screenshots shown above illustrate how Snort’s signatures were bypassed due to Metasploit’s evasion method. Metasploit contains many evasion methods that suit different types of exploits; for this attack, however, Metasploit recommended two methods. One of these (TCP::max_send_size) was chosen and the attack was executed again, which evaded detection. The packets were captured and examined, and finally four chained signatures were created as shown above (figure 6.42-6.44); the attack was executed again and this time was detected by the IDS. Finally, Metasploit’s evasion was combined with fragroute to evade the IDS.
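One way a small TCP::max_send_size can defeat a single content signature, and how matching that carries state across segments still finds it, is sketched below. This is an added example, not the author’s four chained rules nor Snort’s own code; the signature, payload and function names are constructed, and the segments are assumed to arrive in order without overlap.

```python
# Added illustration: a signature split across small TCP segments.
# Payload and signature are constructed placeholders, not the distcc traffic.

def split_segments(payload, max_send_size):
    """Model a sender that writes at most max_send_size bytes per segment."""
    return [payload[i:i + max_send_size]
            for i in range(0, len(payload), max_send_size)]


def per_packet_match(segments, signature):
    """Stateless check: each segment is inspected on its own."""
    return any(signature in seg for seg in segments)


class StreamMatcher:
    """Keeps the last len(signature)-1 bytes so a match can span segments."""

    def __init__(self, signature):
        if not signature:
            raise ValueError("signature must not be empty")
        self.signature = signature
        self.tail = b""      # unmatched bytes carried over from earlier segments
        self.offset = 0      # stream offset of the first byte held in tail

    def feed(self, segment):
        """Return the stream offset of the first match, or None so far."""
        window = self.tail + segment
        idx = window.find(self.signature)
        if idx != -1:
            return self.offset + idx
        drop = max(len(window) - (len(self.signature) - 1), 0)
        self.offset += drop
        self.tail = window[drop:]
        return None


def stream_match(segments, signature):
    """Feed in-order segments through one StreamMatcher; offset or None."""
    matcher = StreamMatcher(signature)
    for seg in segments:
        hit = matcher.feed(seg)
        if hit is not None:
            return hit
    return None


SIGNATURE = b"run-this-command"                 # constructed placeholder
PAYLOAD = b"JOB0001 " + SIGNATURE + b" END"     # constructed sample stream
```

With `split_segments(PAYLOAD, 4)` the per-packet check finds nothing while `stream_match` reports the signature at stream offset 8; with a segment size larger than the payload both checks agree.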

