The reason people make this assumption is because it is usually valid. Most "hackers" are just kids out for a good time; they really aren't that serious. These kids are extremely visible, and most IDSs are designed to catch these kids. However, determined/skilled hackers do exist. Many owners of existing IDSs do not believe they exist because they don't detect them behind the background radiation of script kiddies.
I have therefore written a program designed to demonstrate the difference between script-kiddy level attacks and serious attacks. I call it "sidestep" because it gets around most existing network IDSs. The program generates attacks using three modes:
The attacks chosen for this demonstration are those that are widely supported by most popular network IDSs. A mixture of both Windows and UNIX attacks was chosen.
Note that all of these attacks are fairly benign, so you can likely run them against a production server without too much fear of causing a problem.
This program implements real clients for RPC, FTP, DNS, SNMP, HTTP, and BackOrifice. A common problem when testing is that an IDS will (correctly) not trigger on a simulated attack. For example, the RPC dump attack lists all the running services. Therefore, if the program successfully retrieves this list without the IDS triggering, you know the fault is in the IDS and not in the testing procedure.
TCP vs. UDP
The RPC, FTP, and HTTP attacks are based upon TCP and require a live victim before they will trigger an IDS. The DNS, SNMP, and BackOrifice attacks send out UDP datagrams without requiring that anybody listen for those datagrams. However, beware that if the IDS fails to trigger, the cause may still be a problem in the testing procedure. For this reason, make sure you configure your IDS to detect the normal attack before trying the evasion attack.
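To illustrate the "confirm the normal attack is detected first" step for the UDP case, here is an added example (not SideStep's code) on the defender's side: it builds the plain version.bind query as a constructed sample datagram, then runs a small detector that actually parses the DNS question instead of matching raw bytes. The packet builder, the parser and the function names are my own assumptions about what such a check looks like.

```python
import struct

# Constructed sample input: the "normal" (non-evasive) version.bind query,
# i.e. a DNS query for name "version.bind", type TXT (16), class CHAOS (3).
# Built by hand here; it is not captured SideStep output.
def build_dns_query(name, qtype, qclass, txid=0x1234):
    # header: id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def _read_name(pkt, off):
    """Decode an uncompressed DNS name starting at offset `off`.

    Returns (name, next_offset), or (None, off) if the name is truncated
    or uses a label type a plain question section is not expected to carry.
    """
    labels = []
    while True:
        if off >= len(pkt):
            return None, off          # truncated datagram
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            return None, off          # compression pointer / extended label
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n

def is_version_bind_query(pkt):
    """Return True if the UDP payload is a DNS *query* for version.bind TXT CHAOS."""
    if len(pkt) < 12:
        return False                  # shorter than a DNS header
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount < 1:
        return False                  # QR bit set means response, not query
    name, off = _read_name(pkt, 12)
    if name is None or off + 4 > len(pkt):
        return False
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    # DNS names are case-insensitive (RFC 4343), so normalise before comparing.
    return name.lower() == "version.bind" and qtype == 16 and qclass == 3

if __name__ == "__main__":
    normal = build_dns_query("version.bind", 16, 3)
    print("normal version.bind query detected:", is_version_bind_query(normal))
```

Feed the same function the datagram your IDS saw on the wire; if it returns True but the IDS stayed silent on the "-norm" run, the problem is in the sensor's signature or placement, not in the test.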
SideStep vs. fragrouter
The program "fragrouter" has long been used to evade IDSs by fragmenting traffic at the IP or TCP layer. Although fragrouter has been in use for years now, several market-leading IDSs do not fully reassemble TCP or IP. Moreover, if you get into the full gamut of Ptacek-Newsham attacks, I know of only two network IDSs that correctly resolve overlapping TCP or IP fragments on a per-host basis.
However, SideStep has nothing to do with fragmentation. It evades network IDSs in a completely different manner. As far as I know, there is only one network IDS that can fully handle the SideStep attacks.
Status and Download
The program is still in preliminary form. I hope to create a GUI for it and compile it for other platforms soon. The raw binary (for Windows) is available at:
Note that this is a "command-line" program, not a GUI. Simply run it with no options for help:
c:\>sidestep
SideStep v1.0
Copyright (c) 2000 by Network ICE
http://www.robertgraham.com/tmp/sidestep.html

usage: sidestep <target> [<options>]
Sends attacks at the target that evades an IDS.

One of the following protocols/attacks must be specified:
  -rpc    RPC PortMap DUMP
  -ftp    FTP CD ~root
  -dns    DNS version.bind query
  -snmp   SNMP lanman user enum
  -http   /cgi-bin/phf
  -bo     BackOrifice ping
  -all

One of three modes must be specified:
  -norm   Does no evasion (normal attacks)
  -evade  Attempts to attack target evading the IDS
  -false  Does not attack the system at all (false positive)

Example:
  sidestep 10.0.0.1 -evade -dns
  Queries DNS server for version info evading IDS
I (Robert Graham) am the CTO of Network ICE. This tool will eventually be published on Network ICE's site.
I believe that Network ICE's IDS is by far the hardest for serious hackers to evade, whether you are talking about Ptacek-Newsham/fragrouter attacks or application-layer evasion.