Testing IDS
SCENARIO
The objective of this laboratory test scenario is to create a solution and
instructions for testing how useful an IDS^1 is for detecting attacks against a
WordPress site, and in addition a repeatable process for evaluating vendor
claims about any passive IDS product, whether delivered as a VM or as a
dedicated box. Creating the IDS system itself is out of scope.
The process must be detailed enough that somebody else gets the same results
when following it. The "other person" is expected to have IT knowledge
sufficient to install and run a Linux desktop.
Budget requirements: Modest – 2 machines + a tester (Joe) + networking
equipment to connect the two machines and an IDS together.
The process must test at least the following attacks:
- Port scan
- SYN flood
- "Regular" DoS overwhelming attack (ab)
Optionally the process may test:
- slowloris/pyloris
- Apache Range header DoS vulnerability http://httpd.apache.org/security/CVE-2011-3192.txt
- An attack targeting any other fairly recent (not older than 3-4 years) known vulnerability that could in theory apply to the target system (WordPress server)
However, the competition rules are:
The highest number of attacks evaluated. Limits:
* Each attack must be relevant, e.g. if it attacks IIS it's NOT relevant. If it attacks Windows RPC it's not relevant. If it attacks some other CMS, e.g. Drupal, it's NOT relevant.
* Basically equivalent attacks count as one (different port scanners, for example).
* You must be able to explain in broad terms what the attack does, e.g. "attacks vulnerability #X in Apache server".
If the #attacks is equal.
Lab instructions:
Install 3 VMs: Attacker, IDS and Target.
- Make sure all VMs have two network adapters: NAT and Host-Only.
- Install Snort and its GUI called "acidbase" on IDS: https://help.ubuntu.com/community/SnortIDS.
- Install Apache, MySQL and WordPress on Target.
- Execute an attack from Attacker towards the IP address on the Host-Only network.
- Take notice of the results displayed on the ACID console.
- Reset counters, move on to the next attack.
Additionally, Illustration 1 gives an overview of the above scenario.
Illustration 1: Lab 5 Illustration of Scenario
The rest of this report first covers the setup procedure of Snort, secondly the
available proposals, and thirdly illustrates the results and the functionality
of the proposals. Finally, the laboratory report closes with a conclusion. In
addition, the appendix contains the configuration of the VMs (virtual machines).
SETUP of SNORT
To set up Snort correctly so that it works on the second, Host-Only network,
please follow the instruction link provided, which gives a full description
and configuration of Snort [SNORT2].
After completing the setup and configuration, run Snort on the second
interface (the Host-Only adapter) with the following command:
snort -c /etc/snort/snort.conf -i eth1
PROPOSALS
In total there are three proposals; each one is described in the following
sub-sections.
PROPOSAL 1
Full instructions
1. Set up IDS (Snort) and WordPress on the first PC.
2. Install Ubuntu server on the second PC. Then install all attacking tools there:
wget enos.itcollege.ee/~avein/lab4i.sh
sudo sh lab4i.sh
After that you should have:
ab.sh - DoS attack script; uses ab to generate a traffic flood
apachekiller.pl - Apachekiller attack script. More info: http://www.hackersgarage.com/apache-killer-denial-of-service-flaw-in-apache-webserver.html
README.txt - extra instructions
scan.sh - port scanning script; uses nmap
sloworis.pl - Slowloris attack script. More info: http://ha.ckers.org/slowloris/
synf.sh - SYN flood attack script; uses hping3
3. Start your IDS/WordPress server and the server with the attack tools.
4. Run each attack tool ONE AT A TIME (targeting the WordPress/IDS server, of course).
Monitor the logs/notifications on your IDS system (Snort) and check whether the
WordPress site is still accessible.
Let each attack tool run 2 minutes, then stop the attack by pressing CTRL+C in
the terminal window where the attack tool is running. The only exception is the
port scan: it is better to wait until it finishes.
After each attack save the IDS log and wait at least 5 minutes before trying the
next tool (to give the server time to recover). Best practice is to manually
check that the server load is back to normal (one can use htop for that).
a) To run DoS attack:
sh ab.sh {target}
eg sh ab.sh 192.168.56.101
b) For port scan:
sh scan.sh {target IP}
eg sh scan.sh 192.168.56.101
c) For SYN flood (with hping3):
sh synf.sh {target}
eg synf.sh 192.168.56.101/wordpress
d) For Slowloris attack:
perl slowloris.pl -dns {target}
eg perl sloworis.pl -dns 192.168.56.101/wordpress
e) For Apachekiller attack:
perl apachekiller.pl {target IP}
eg perl apachekiller.pl 192.168.56.101
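The lab instructions and step 4 above say to read the ACID console and save the IDS log after each attack. As an added example (not part of the original report or of the lab4i.sh tool set), this Python script parses a Snort fast-format alert file (snort -A fast) and counts alerts per signature and per source, so each attack window can be marked detected or not; the sample alert lines and the local rule sid 1000001 are constructed for illustration, not output from this lab.

```python
# Summarise a Snort "fast" alert log per signature so each lab attack can be
# scored as detected / not detected. Added example; the sample lines and the
# local rule sid 1000001 below are constructed, not real lab output.
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def count_by_signature(alerts):
    """Map 'gid:sid message' -> number of alerts, most frequent first."""
    c = Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts)
    return dict(c.most_common())

def detected(alerts, keyword):
    """True if any alert message mentions keyword (case-insensitive)."""
    k = keyword.lower()
    return any(k in a["msg"].lower() for a in alerts)

# Constructed sample: an nmap ping followed by SYN-flood alerts from one host.
SAMPLE_LOG = """\
03/20-14:01:02.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.56.102 -> 192.168.56.101
03/20-14:01:02.223456  [**] [1:1000001:1] LAB SYN flood to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.56.102:40001 -> 192.168.56.101:80
03/20-14:01:02.323456  [**] [1:1000001:1] LAB SYN flood to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.56.102:40002 -> 192.168.56.101:80
03/20-14:01:03.000000  [**] [1:1000001:1] LAB SYN flood to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.56.102:40003 -> 192.168.56.101:80
this line is not an alert and must be ignored
"""

if __name__ == "__main__":
    al = parse_alerts(SAMPLE_LOG)
    print(count_by_signature(al))
    print("SYN flood detected:", detected(al, "syn flood"))
```

Run it against the saved /var/log/snort alert file of each attack window (or the sample embedded above) and compare the per-signature counts with what ACID shows.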
PROPOSAL 2
Intro
For this scenario we need to run several different attacks and scans to be
able to compare the results with different IDS setups and rulesets. We might
also want to test it with legitimate traffic to see that we don't get false
positives in our alarms. We don't have that many legitimate traffic
possibilities with 1 blog on our servers right now, but if we start tweaking
the IDS, false positives become an important metric and we might want to test
normal usage and create traffic to run with tcpreplay, for example. My proposal
is to test the IDS with pytbull running on BackTrack. Pytbull is an IDS testing
framework and BackTrack a Linux distribution.
I will assume that we have a WordPress server with a default Snort set up
on it and working. No extensive testing has been done with different Snort
setups so we might have to tune the methods, but basic things should be
covered.
Download and install BackTrack
backtrack-linux.org/downloads/
Install it rather than running a live version for this scenario. Boot it up in
default mode, start the GUI and launch the installation from the desktop. Default login
root / toor. The standard setup comes with pytbull and several pieces of software
the IDS test system depends on, like nmap, hping3, nikto and others.
Setup connections
Connect the machines and install ftp and ssh on the server. We need ftp to get
the Snort alert files and ssh to run attacks against.
apt-get install vsftpd openssh-server
Setup pytbull
You will find pytbull in /pentest/enumeration/ids/pytbull/ or under Applications
> BackTrack > Information Gathering > Network Analysis > IDS IPS
Identification > pytbull when using the GUI. Change the configuration file
values to have the correct connection information, user credentials and locations
of dependencies. Here you also select which test modules out of the 9 available
you want to run. ClientSideAttacks needs extra configuration.
cd /pentest/enumeration/ids/pytbull/
gedit config.cfg
Example conf file: http://www.tud.ttu.ee/~t061780/attacks/config.cfg
Now get the custom DoS module to have the hping SYN flood and ApacheBench DoS
tests covered.
cd modules
mv denialOfService.py denialOfService.py-backup
wget http://www.tud.ttu.ee/~t061780/attacks/denialOfService.py
You may want to refer to the Pytbull documentation.
Run
/pentest/enumeration/ids/pytbull/pytbull -t <WP/Snort server IP>
If everything works you will find an HTML report file under /reports. If you have
problems, add -d on the run for debugging.
(optional) Slowloris
To have a slowloris attack test for pytbull we need to get a custom slowloris
that allows setting how many packets to send, because we don't want the tests to
run forever. I added argument s that tells the script to stop after we have sent
s packets.
cd /pentest/stressing
wget www.tud.ttu.ee/~t061780/attacks/slowloris.pl
The Slowloris attack has been written into the DoS module; you have to uncomment
it (lines 47-52).
gedit /pentest/enumeration/ids/pytbull/modules/denialOfService.py
PROPOSAL 3
For this proposal I suggest using the open source tool OpenVAS for
vulnerability scanning to test our IDS system. It integrates many security
tools. The security and analysis tools are: Nikto, nmap, ike-scan,
snmpwalk, amap, ldapsearch, SLAD (John-the-Ripper, Chkrootkit, LSOF, ClamAV,
Tripwire, TIGER, logwatch, trapwatch, lm-sensors, snort and ovaldi), pnscan,
portbunny, strobe, w3af, etc.
The installation process follows; for further information please refer
to http://www.openvas.org/setup-and-start.html
Step 1: Configure OBS Repository
sudo apt-get -y install python-software-properties
sudo add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_10.04/ ./"
sudo apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys BED1E87979EAFD54
sudo apt-get update
Step 2: Quick-Install OpenVAS
sudo apt-get -y install greenbone-security-assistant gsd openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc
Step 3: Quick-Start OpenVAS
(copy and paste the whole block; the first time you will be asked to set a
password for user "admin")
test -e /var/lib/openvas/CA/cacert.pem || sudo openvas-mkcert -q
sudo openvas-nvt-sync
test -e /var/lib/openvas/users/om || sudo openvas-mkcert-client -n om -i
sudo /etc/init.d/openvas-manager stop
sudo /etc/init.d/openvas-scanner stop
sudo openvassd
sudo openvasmd --migrate
sudo openvasmd --rebuild
sudo killall openvassd
sleep 15
sudo /etc/init.d/openvas-scanner start
sudo /etc/init.d/openvas-manager start
sudo /etc/init.d/openvas-administrator restart
sudo /etc/init.d/greenbone-security-assistant restart
test -e /var/lib/openvas/users/admin || sudo openvasad -c add_user -n admin -r Admin
Step 4: Log into OpenVAS as “admin”
Open https://localhost:9392/ or start “gsd” on a command line as a regular
user (not as root!).
Optionally, we can also use the Slowloris and Pyloris DoS attacks.
Download link for Slowloris is: http://ha.ckers.org/slowloris/slowloris.pl
The above solution and tools will help us check and test the usefulness of our
IDS system. It tests the following attacks: port scan, SYN flood, DoS, etc. The
results are presented in a nice GUI. For more info about the project
please refer to www.openvas.org.