Stonesoft’s Evader 0.9.8.557 modifications for testing AETs against IPSs

Stonesoft’s Evader 0.9.8.557 (http://evader.stonesoft.com/) is a testing tool for Advanced Evasion Techniques. It includes a test framework for evasions that cover MS-RPC with Conficker and HTTP with phpBB viewtopic.php vulnerabilities.

We have been experimenting with the automated attack system known as mongbat. An example invocation is shown below. Mongbat in turn launches multiple evader instances with the selected options (don't forget to consult the man pages and the online help provided).

root@evader:~# ruby mongbat.rb --mode=random --attack=conficker --iface=eth1 --victim=10.0.1.10 --validator=externals/conficker_validator.rb --attacker=10.0.0.4 --ips_per_worker=1000 --workers=50 --mask=16 --time=1200

The system also produces a random seed, which can be used to replicate the generated attacks via the --randseed= option.

One thing that was missing was the ability to turn off evader's obfuscate flag. After a bit of hacking around I came up with the following changes to mongbat.rb and predator4_module.rb, introducing the --disable_obfuscate flag in mongbat.rb.

The proposed patches are as follows (the code may not display in full, but it is all there when copied):

for mongbat.rb:

--- mongbat.rb.bak    2012-08-02 10:48:26.000000000 +0100
+++ mongbat.rb    2012-09-05 11:51:18.000000000 +0100
@@ -91,6 +91,7 @@
 attack = $default_attack
 $recdir = nil
 $passthrough = nil
+$disable_obfuscate = nil
 $min_evasions = 1
 $max_evasions = 0
 $stop_on_success = false
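Review bot: `$disable_obfuscate = nil` uses nil as the "obfuscation on" state, so the variable's value is the inverse of its name (it is later set to 0 to disable). A boolean default such as `$disable_obfuscate = false`, set to `true` when the option is present, would be self-documenting and would match the `$stop_on_success = false` style two lines below.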
@@ -122,6 +123,7 @@
   puts "\t--workers=<worker count, default 1>\t\tUse this many workers (and source IP addresses) to do the attacking"
   puts "\t--use_evasions=<evasion>(,evasion)*\t\tUse only these evasions"
   puts "\t--disable_evasions=<evasion>(,evasion)*\t\tDo not use these evasions"
+  puts "\t--disable_obfuscate\t\tDo not use obfuscation"
   puts "\t--check_victim=(true|false)\t\t\tCheck that victim allows legal traffic without evasions before attacking (default true)"
   puts "\t--record=<recdir>\t\t\t\tRecord the attacks to dirname in pcap format"
   puts "\t--min_evasions=<min evasions>\t\t\tMinimum evasions for random mode (default: #{$min_evasions})"
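Review bot: the new usage line `--disable_obfuscate\t\tDo not use obfuscation` uses two tabs where the neighbouring entries pad the description column with three, so it will misalign in the help output; it would also help to state the default, as the `--check_victim` line does with "(default true)".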
@@ -164,6 +166,8 @@
     use_evasions = $1.split(/,/)
   elsif arg =~ /^--disable_evasions=(.+)$/
     disable_evasions = $1.split(/,/)
+  elsif arg =~ /^--disable_obfuscate$/
+    $disable_obfuscate = 0 
   elsif arg =~ /^--check_victim=(true|false)$/
     # PORT_USAGE
     # controls how many ports will be used at max per attack
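Review bot: `$disable_obfuscate = 0` has a trailing space, and 0 is truthy in Ruby, so any later `if $disable_obfuscate` test would behave the opposite of what the name suggests; the change only works because predator4_module.rb tests the argument with `.nil?`. Suggest `$disable_obfuscate = true` here with `false` as the default, so the flag can be tested directly.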
@@ -742,9 +746,10 @@
               code, explanation, result, cmd, recname = $predator4.server_attack(@attack_name, nc, evasion, 80, $recdir, 10, $driver_by_ip[attacker_ip], randseed, $passthrough)
             else
               if @attack.extra_options_by_name[ "bindport" ].nil?
-                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, nil, PORT_USAGE, $recdir, 300, randseed, $passthrough)
+               
+                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, nil, PORT_USAGE, $recdir, 300, randseed, $passthrough, $disable_obfuscate)
               else
-                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, attacker_shell_port, PORT_USAGE, $recdir, 300, randseed, $passthrough)
+                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, attacker_shell_port, PORT_USAGE, $recdir, 300, randseed, $passthrough, $disable_obfuscate)
               end
             end
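Review bot: the new argument is only passed to the two `$predator4.attack` calls; the `$predator4.server_attack` call on the first context line (the port-80 path) is unchanged, so `--disable_obfuscate` has no effect on server-side (HTTP) attacks unless that call and `server_attack` are updated as well. The added `+` line before the first modified call is an empty line containing only trailing whitespace and should be dropped.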

and for the predator4_module.rb:

--- predator4_module.rb.bak    2012-08-02 10:42:23.000000000 +0100
+++ predator4_module.rb    2012-08-02 15:15:54.000000000 +0100
@@ -708,7 +708,7 @@
       p4serv.close
     end

-    def attack(attack, network_config, evasions, src_port, attacker_shell_port, port_usage, recdir, timeout, randseed = nil, passthrough = [])
+    def attack(attack, network_config, evasions, src_port, attacker_shell_port, port_usage, recdir, timeout, randseed = nil, passthrough = [], obfuscate_flag=nil)
       # test clean
       code, explanation, result, cmd = clean(attack, network_config, src_port, port_usage)
       if code != 0
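Review bot: the new parameter `obfuscate_flag=nil` is named as if a non-nil value enables obfuscation, but the body treats non-nil as "disable". Naming it `disable_obfuscate = false` (with spaces around `=` to match `randseed = nil` and `passthrough = []` on the same line) would make the signature document the behaviour.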
@@ -717,11 +717,16 @@

       time = Time.new
       attack_src_port = src_port+port_usage-1
+      if obfuscate_flag.nil?
+        obfuscate_cmd = "--obfuscate"
+      else
+        obfuscate_cmd = ""
+      end

       if attacker_shell_port.nil?
-        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --verifydelay=200 --obfuscate"
+        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --verifydelay=500 #{obfuscate_cmd}"
       else
-        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --extra=bindport=#{attacker_shell_port} --verifydelay=200 --obfuscate"
+        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --extra=bindport=#{attacker_shell_port} --verifydelay=500 #{obfuscate_cmd}"
       end
       if not randseed.nil?
         cmd += " --randseed=#{randseed}"
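Review bot: both command strings also change `--verifydelay=200` to `--verifydelay=500`, which is unrelated to the obfuscation switch and is not mentioned in the post; it alters the timing of every attack, so it should be split into its own change or called out explicitly. The `if obfuscate_flag.nil?` block could be collapsed to `obfuscate_cmd = obfuscate_flag.nil? ? "--obfuscate" : ""`; with the empty string the command ends in a trailing space, which is harmless but untidy.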