Apr 23

Secure Hash Algorithms and IDS Evasion – DOUBLE ARTICLE!

Hash Algorithms

Secure Hash Algorithm (SHA) can be defined as a set of cryptographic hash functions that were created by the National Security Agency (NSA). They were then published by the National Institute of Standards and Technology (NIST) as a United States Federal Information Processing Standard. There are three differently structured SHA algorithms which are labeled SHA-0, SHA-1 and SHA-2.

SHA-2 is itself a family of algorithms, distinguished as SHA-224, SHA-256, SHA-384 and SHA-512. What differs between SHA-0 and SHA-512 is the length of the message digest and the hash functions that are used. Each SHA algorithm produces a digest of a different size: SHA-1 gives 160 bits, SHA-256 gives 256 bits, SHA-384 gives 384 bits, and so on. SHA-512 is the most secure of these algorithms because it uses the highest number of bits.

Another hash algorithm is Message-Digest algorithm 5 (MD5). MD5 has now been cast aside in favour of SHA because of flaws found in its design. The main difference between MD5 and SHA is that, although MD5 is somewhat faster, SHA is more secure: MD5 uses a 128-bit (16-byte) digest, while SHA-1 uses a 160-bit (20-byte) digest.

One way to reverse a hashed password is to use something called a rainbow table. A rainbow table can be thought of as a code book for a hash function. It is created by gathering every possible plaintext password (within reason) that fits certain requirements (for example password length and case sensitivity) and recording the hash of each one.

The RainbowCrack Project is a time-memory tradeoff hash cracker that uses exactly these rainbow tables to crack hashes. A brute-force hash cracker, by comparison, generates every possible plaintext password and works out the matching hashes as it goes, comparing each one against the target.
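To make the time-memory tradeoff concrete, here is a toy rainbow table over a constructed keyspace of 4-digit PINs hashed with SHA-1. This is an added illustration, not code from the RainbowCrack Project; the chain length, reduction function and table size are arbitrary choices made for the example. It also shows why a per-user salt defeats a precomputed table.

```python
import hashlib
# Constructed toy keyspace: 4-digit numeric PINs, small enough to tabulate in
# well under a second. The hash is SHA-1, one of the algorithms discussed above.
KEYSPACE = 10_000
CHAIN_LENGTH = 50

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()

def reduce_to_pin(digest_hex: str, step: int) -> str:
    """Reduction function: map a digest back into the PIN keyspace. Mixing in
    the column index 'step' gives each column its own reduction, which is what
    makes this a rainbow table rather than a plain hash-chain table."""
    return f"{(int(digest_hex[:12], 16) + step) % KEYSPACE:04d}"

def build_table(num_chains: int) -> dict:
    """Precompute chains but store only their endpoints (end -> list of starts).
    This is the memory side of the tradeoff: 50 hashes computed, 1 entry kept."""
    table: dict = {}
    for i in range(num_chains):
        start = f"{(i * 7919) % KEYSPACE:04d}"  # spread start points over the keyspace
        pin = start
        for step in range(CHAIN_LENGTH):
            pin = reduce_to_pin(sha1_hex(pin), step)
        table.setdefault(pin, []).append(start)
    return table

def lookup(table: dict, target_hex: str):
    """The time side: for each column the target could sit in, walk it forward
    to a chain end; if that end is in the table, replay the chain from its
    start and return the PIN whose hash matches. None means 'not covered'."""
    for col in range(CHAIN_LENGTH - 1, -1, -1):
        pin = reduce_to_pin(target_hex, col)
        for step in range(col + 1, CHAIN_LENGTH):
            pin = reduce_to_pin(sha1_hex(pin), step)
        for start in table.get(pin, []):
            candidate = start
            for step in range(CHAIN_LENGTH):
                if sha1_hex(candidate) == target_hex:
                    return candidate
                candidate = reduce_to_pin(sha1_hex(candidate), step)
    return None

TABLE = build_table(400)

if __name__ == "__main__":
    print(lookup(TABLE, sha1_hex("0000")))              # covered: recovers "0000"
    # A per-user salt puts the hashed string outside the precomputed keyspace,
    # so the same table finds nothing: the standard defence against such tables.
    print(lookup(TABLE, sha1_hex("0000:" + "s3cr3t")))  # None
```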




All about IDS Evasion Methods & VPN

An Intrusion Detection System (IDS) is a setup of hardware and/or software designed to detect unwanted behaviour such as attempts to access, immobilize or manipulate a computer system. Such behaviour comes from sources like crackers, disgruntled employees or malware. An IDS attempts to protect against network attacks, software attacks, unauthorized access to the system, malware and more. IDS evasion techniques are changes made to an attack so that it will not be detected by an Intrusion Detection System.

I’m going to describe four different evasion techniques that keep an intrusion from being detected. The first is known as obfuscating the attack payload. In this IDS evasion attack the “attack payload” is obfuscated or encoded so that the target machine will decode it but the IDS will not. When security wasn’t as advanced as it is now, it was possible to encode the attack packet so that the IDS wouldn’t recognize it, allowing it to reach the IIS server, which would decode it and then be attacked. This exploit has since been found and sealed up.

Another IDS evasion attack is fragmentation and small packets. Here the attacker splits the packets into multiple segments so that they don’t appear to be an attack until they are reassembled. The IDS receives and reassembles these packets and then falls victim to them. There are many tools out there that will split up packets, but for security reasons these will not be named. Splitting packets is done by fragmenting them, but packets can also be created already split up for exactly this reason.

The third IDS evasion technique I’m going to talk about is overlapping fragments. Here a series of packets is created with TCP sequence numbers set to overlap each other. For example, take two packets: the first carries 70 bytes of the attack payload, but the second’s sequence number is 66 bytes after the start of the first. The victim computer then rebuilds the TCP stream and has to decide what to do with the four overlapping bytes. Some machines take the new data; some keep the older data.
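The following added example (not code from the original post) reproduces the two-packet case above with constructed segments and reassembles the stream under both host policies the text mentions, older-data-wins and newer-data-wins; it also shows the detection side, listing the offsets where overlapping segments disagree, which an IDS can flag regardless of which policy the target applies.

```python
# Constructed TCP segments reproducing the page's example: the first segment
# carries 70 bytes starting at sequence number 0, the second starts at sequence
# number 66, so bytes 66..69 are claimed by both segments with different contents.
SEGMENTS = [
    (0, b"a" * 66 + b"1111"),   # 70 bytes of payload
    (66, b"2222"),              # overlaps the last 4 bytes of the first segment
]

def reassemble(segments, policy: str) -> bytes:
    """Rebuild the byte stream. policy="first" keeps the data that arrived first
    (older data wins); policy="last" lets later data overwrite (newer data wins).
    A real host applies one of these; an IDS has to apply the same one to see
    the stream the host sees."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    offsets = sorted(stream)
    if offsets != list(range(offsets[0], offsets[-1] + 1)):
        raise ValueError("gap in stream; cannot reassemble")
    return bytes(stream[o] for o in offsets)

def conflicting_offsets(segments) -> list:
    """Offsets covered by more than one segment with differing bytes. Legitimate
    retransmissions repeat the same data, so disagreeing overlap is a cheap
    detection signal no matter which reassembly policy the target uses."""
    seen = {}
    conflicts = set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if offset in seen and seen[offset] != byte:
                conflicts.add(offset)
            seen.setdefault(offset, byte)
    return sorted(conflicts)

if __name__ == "__main__":
    print(reassemble(SEGMENTS, "first")[-4:])   # b'1111' (older data kept)
    print(reassemble(SEGMENTS, "last")[-4:])    # b'2222' (newer data wins)
    print(conflicting_offsets(SEGMENTS))        # [66, 67, 68, 69]
```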

The last technique I will talk about is a resource exhaustion attack, also known as a DoS or denial of service attack. It works by exhausting or immobilizing the IDS: the attacker uses a bug found in the IDS to use up the computer’s resources, or hides the actual attack by generating a large number of alerts on the system. IDS alerts can be triggered by sending attack signatures through the network.

The second subject I wanted to get into was VPN and OpenVPN. VPN stands for Virtual Private Network. A Virtual Private Network is a network that uses the public infrastructure already set up by providers of solutions for DAS, such as telecommunications and the internet, but maintains privacy and security through a tunneling protocol and other security procedures such as firewalls. A VPN sets up a private, secure network within a public network such as the Internet.

OpenVPN is free VPN software for creating encrypted tunnels between host computers, either as point-to-point links or as one server connected to multiple clients. OpenVPN can create direct links between systems protected by NAT firewalls without the firewalls having to be reconfigured.



