CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [84]

is a fake target system used to lure hackers away from the more valuable targets. As with other security mechanisms, IDSs, firewalls and honeypots are only as good as their design and implementation. It is important to be familiar with how these devices operate and provide security as they are commonly subjects of attack.

List the Types of Intrusion Detection Systems and Evasion Techniques

Intrusion detection systems (IDSs) inspect traffic and look for known signatures of attacks or unusual behavior patterns. A packet sniffer that views and monitors traffic is a built-in component of an IDS. An IDS alerts a command center or system administrator by pager, e-mail, or cell phone when an event on the company's security event list is triggered. Intrusion prevention systems (IPSs) go a step further and initiate countermeasures such as blocking traffic when a suspect traffic flow is detected; an IPS automates the response to an intrusion attempt, including the deny-access capability.

There are two main types of IDS:

Host-based Host-based IDSs (HIDSs) are applications that reside on a single system or host and filter traffic or events based on a known signature list for that specific operating system. HIDSs include Norton Internet Security and Cisco Security Agent (CSA). Warning: Many worms and Trojans can turn off an HIDS.

Network-based Network-based IDSs (NIDSs) are software-based appliances that reside on the network. They're used solely for intrusion detection purposes, to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware. NIDSs are passive systems: the IDS sensor detects a potential security breach, logs the information, and signals an alert on the console.

Hacking Tool

Snort is a real-time packet sniffer, HIDS, and traffic-logging tool deployed on Linux and Windows systems. You can configure Snort and the IDS rules in the snort.conf file. The command to install and run Snort is snort -l c:\snort\log -c C:\snort\etc\snort.conf -A console.

An IDS can perform either signature analysis or anomaly detection to determine if the traffic is a possible attack. Signature detection IDSs match traffic with known signatures and patterns of misuse. A signature is a pattern used to identify either a single packet or a series of packets that, when combined, execute an attack. An IDS that employs anomaly detection looks for intrusion attempts based on a person's normal business patterns and alerts when there is an anomaly in the behavior of access to systems, files, logins, and so on.

A hacker can evade an IDS by changing the traffic so that it does not match a known signature. This may involve using a different protocol, such as UDP instead of TCP or HTTP instead of ICMP, to deliver an attack. Additionally, a hacker can break an attack up into several smaller packets that each pass through the IDS but, when reassembled at the receiving station, compromise the system. This is known as session splicing. Other methods of evading detection involve inserting extra data, obfuscating addresses or data by using encryption, or desynchronizing and taking over a current client's session.
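As an added illustration of why a signature IDS must reassemble a session before matching (this is not code from the book), the toy matcher below uses constructed signatures and constructed sample traffic: inspecting segments one at a time misses a pattern that session splicing has spread across several segments, while the same signatures fire once the flow is reassembled in sequence order.

```python
import re
from collections import defaultdict

# Constructed, illustrative signatures (not Snort's own rules): byte patterns
# a signature-based IDS would search for in a request.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "shell-cmd": re.compile(rb"/bin/sh"),
}

def inspect_packets(packets):
    """Naive per-packet matcher: each segment is inspected on its own.
    packets is a list of (flow_id, seq, payload) tuples."""
    hits = set()
    for _flow, _seq, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.add(name)
    return hits

def inspect_streams(packets):
    """Stream-aware matcher: group segments by flow, order them by sequence
    number (they may arrive out of order), then match on the reassembled
    data. This is what defeats session splicing."""
    flows = defaultdict(list)
    for flow, seq, payload in packets:
        flows[flow].append((seq, payload))
    hits = set()
    for segments in flows.values():
        data = b"".join(p for _, p in sorted(segments))
        for name, pattern in SIGNATURES.items():
            if pattern.search(data):
                hits.add(name)
    return hits

def splice(flow, payload, chunk):
    """Cut one application payload into small TCP-like segments, using the
    byte offset as the sequence number (constructed sample traffic)."""
    return [(flow, i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]

# Constructed flows: a benign request, and a request carrying both signatures
# split into 4-byte segments that also arrive in reverse order.
BENIGN = splice("10.0.0.5:4001", b"GET /index.html HTTP/1.0\r\n\r\n", 8)
SPLICED = splice("10.0.0.9:4002", b"GET /cgi-bin/../../bin/sh HTTP/1.0\r\n\r\n", 4)[::-1]

if __name__ == "__main__":
    print("per-packet:", inspect_packets(SPLICED))   # nothing matches
    print("reassembled:", inspect_streams(SPLICED))  # both signatures fire
```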

Hacking Tool

ADMutate takes an attack script and creates a different, but functionally equivalent, script to perform the attack. The new script isn't in the database of known attack signatures and therefore can bypass the IDS.

List the Firewall Types and Honeypot Evasion Techniques

A firewall is a software program or hardware appliance that allows or denies access to a network and follows rules set by an administrator to direct where packets are allowed to go on the network. A perimeter hardware firewall appliance is set up either at the network edge where a trusted network connects to an untrusted network, such as the Internet, or between networks.
