Breaking up the Attack
First Published: X-Force Monthly Magazine
For several years now, some of the more advanced commercial penetration testing tools have made use of packet fragmentation techniques to obfuscate vulnerability checks or exploit attempts in an attempt to bypass legacy firewall and intrusion detection systems. In most cases, depending upon the actual security device defending the network, there are typically multiple fragmentation techniques and packet size combinations capable of squeezing exploit material past each class of protection device on a network.
As customers continue to deploy and rely upon ever more advanced intrusion prevention systems which automatically block malicious attacks, there has been an increase in testing requirements to use tools that employ a diverse array of fragmentation techniques. By making use of multiple packet fragmentation techniques, the security consultant is not only able to test the security of the targeted host, but also the robustness of the network-based protection system.
Depending upon the networking protocol being used by the vulnerable service under investigation, there are specific fragmentation techniques which are more successful than others. For example, the technique of overlapping packet fragments so that subsequent packets overwrite a few bytes of the previous packet tends to be effective for text-based protocols such as HTTP. However, by using tools that provide additional obfuscation techniques in combination with fragmentation (e.g. using chunked encoding within an HTTP POST packet), the security consultant has a higher probability of remaining undetected and delivering an exploit payload. In fact, the combination of overlapping packet fragments and chunked encoding is such a successful combination for delivering a payload to a web server that it will bypass many current generation network protection
In the past many penetration testing clients have been surprised to learn that these fragmentation techniques can be used so successfully to bypass their network security. The process of reassembling fragmented packets and identifying their malicious payloads can be very difficult, as well as dangerous for the protection device, as evidenced by the numerous security alerts published on mailing lists such as Bugtraq and Full-disclosure. Protection systems that rely upon string matching and regular expression engines tend to suffer the most, and are consequently the easiest to defeat.
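The following is an added example, not code from the article or from any product it mentions, illustrating the two points above: why the overlapping-fragment plus chunked-encoding combination defeats raw string matching, and what a sensor must do instead. It reassembles fragments under a chosen overlap policy, records every offset where overlapping fragments disagree, decodes the chunked body, and only then matches a signature. The request bytes, the `/etc/passwd` signature and the "first"/"last" policies are constructed for illustration; real end-host stacks differ in which overlapping byte they keep, which is exactly the ambiguity a sensor should alert on rather than guess.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the stream
    data: bytes

def reassemble(frags, policy="first"):
    """Rebuild the stream in arrival order; 'first' keeps the earlier byte,
    'last' lets a later fragment overwrite. Also returns disputed offsets."""
    size = max(f.offset + len(f.data) for f in frags)
    buf, seen, conflicts = bytearray(size), bytearray(size), []
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if seen[pos] and buf[pos] != b:   # overlap that disagrees
                conflicts.append(pos)
            if not seen[pos] or policy == "last":
                buf[pos] = b
            seen[pos] = 1
    return bytes(buf), conflicts

def dechunk(body):
    """Decode an HTTP/1.1 chunked body (chunk extensions are ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2                      # skip chunk data and its CRLF

def inspect(frags, signature, policy="first"):
    """Sensor verdict: disputed overlaps are alerted on directly; otherwise
    the signature is matched against the decoded body, not the wire bytes."""
    stream, conflicts = reassemble(frags, policy)
    if conflicts:
        return "alert: conflicting fragment overlap at %s" % conflicts
    head, _, body = stream.partition(b"\r\n\r\n")
    if b"chunked" in head.lower():
        body = dechunk(body)
    return "alert: signature match" if signature in body else "clean"

# Constructed sample request: the decoded body holds the signature, the raw bytes do not.
WIRE = (b"POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\n../..\r\n6\r\n/etc/p\r\n5\r\nasswd\r\n0\r\n\r\n")
CLEAN_SPLIT = [Fragment(0, WIRE[:30]), Fragment(30, WIRE[30:])]
AMBIGUOUS = [Fragment(0, WIRE), Fragment(6, b"index ")]   # disputes "upload"
```

Matching `WIRE` directly would miss the signature because the chunk boundaries split it; the ambiguous stream yields a different request line under each policy, so the only safe verdict is to alert on the conflict itself.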
From a penetration tester's perspective the adage “fragmentation is my friend” is quite appropriate. In several tests not only could fragmentation be used to slip exploit payloads past perimeter defenses, but it could also be used to tunnel data and banned network traffic out of the organization – for example, accessing external instant messenger services and transferring files.
While there have been a number of open-source or free attack tools specializing in the use of packet fragmentation for many years, and there have been some “boutique” commercial penetration tools for the last few years, many of the new tools used by attackers provide packet fragmentation as standard and can be tuned just by selecting a few tick-boxes. Therefore it is becoming increasingly important that organizations correctly identify network traffic that utilizes packet fragmentation to hide attacks, and that their protection systems are “up to the job”.
With the near ubiquitous deployment of network detection systems, not only are malicious attackers utilizing packet fragmentation to obfuscate their attacks, but several automated worms and bots now also come fully equipped with an array of fragmentation routines ready for use. The expectation is that specialist packet fragmentation techniques will become more prevalent and be included by default in most tools or applications. Consequently security professionals will increasingly need to understand the different techniques and be capable of not only detecting their usage, but also regularly employ them in testing their network