When conducting a penetration test, security professionals may need to bypass Intrusion Prevention Systems (IPS) to understand the level of security of the target infrastructure. An IPS is designed to examine network traffic in order to detect and prevent vulnerability exploits. While an ethical hacker’s intention isn’t malicious, the methods used to bypass an IPS can be similar to those of real attackers.
Understanding the Target IPS
- Research the IPS Product: Identify the specific product and version the target is using. This may involve OSINT (Open Source Intelligence) techniques or network scanning.
- Learn Default Settings and Limitations: Many IPS solutions come with default rules and behaviors. Understanding these can help you plan your approach to bypass the system.
- Identify Known Bypass Techniques: Manufacturers’ forums, IT community discussions, and CVE (Common Vulnerabilities and Exposures) databases may provide insights into known vulnerabilities or bypass methods for the specific IPS.
Bypass Techniques
- Traffic Fragmentation:
- Split packets into smaller fragments so that the IPS has difficulty reassembling and properly inspecting them.
- Employ tools that can create fragmented packets that conform to RFC standards to keep traffic looking legitimate.
- Protocol Obfuscation:
- Modify or interleave protocols in a way that confuses the IPS but is still valid for the end host.
- Use non-standard ports for common services (e.g., running HTTP on port 8080 instead of port 80).
- Encryption and Tunneling:
- Use encrypted protocols like HTTPS, SSH, or VPNs to mask the traffic content.
- Employ steganography to hide information in multimedia files that the IPS might overlook.
- Resource Exhaustion:
- Generate high volumes of traffic to saturate the IPS, potentially causing it to miss malicious traffic.
- Utilize low-and-slow attack techniques to evade detection thresholds.
- IPS Signature Evasion:
- Change the attack signature by modifying the exploit to avoid matching known signatures.
- Utilize polymorphic and metamorphic code techniques to alter code without changing functionality.
- Timing and Delay-Based Techniques:
- Introduce delays between packets to escape from time-based detection windows.
- Use slow-rate attacks which fall below the IPS detection threshold.
Evolving Techniques
- Machine Learning and AI:
- Utilize adversarial machine learning techniques to deceive AI-based IPS solutions into misclassifying malicious traffic.
- Zero-Day Exploits:
- Discover and utilize undisclosed vulnerabilities that the IPS is unaware of and thus unable to prevent.
Legal and Ethical Considerations
- Permission: Ensure that you have written authorization from the organization that owns the target systems. Bypassing IPS without permission is illegal and carries severe penalties.
- Rules of Engagement: Clearly define the scope, boundaries, and rules under which the penetration test is conducted to avoid legal issues and unintentional service disruptions.
- Documentation: Keep detailed records of the techniques used, including the tools, methodologies, and scripts. This information is critical for providing feedback to the organization for strengthening its security posture.
Conclusion
Bypassing modern Intrusion Prevention Systems requires a combination of technical knowledge, creativity, and a careful approach to avoid detection. Penetration testers must stay up-to-date with the latest techniques and IPS capabilities. However, it is essential to operate within legal and ethical boundaries to maintain the trust and integrity of the security community.