Avoiding Network and Host Detection using Packet Bit-masking

George Stergiopoulos; Eirini Lygerou; Nikolaos Tsalis; Dimitris Tomaras; Dimitris Gritzalis

doi:10.5220/0009591500520063

Avoiding Network and Host Detection using Packet Bit-masking

George Stergiopoulos, Eirini Lygerou, Nikolaos Tsalis, Dimitris Tomaras, Dimitris Gritzalis

2020

Abstract

Current host and network intrusion detection and prevention systems mainly use deep packet inspection, signature analysis and behavior analytics on traffic and relevant software to detect and prevent malicious activity. Solutions are applied on both system and network level. We present an evasion attack to remotely control a shell and/or exfiltrate sensitive data that manages to avoid most popular host and network intrusion techniques. The idea is to use legitimate traffic and victim-generated packets that belong to different contexts and reuse it to communicate malicious content without tampering their payload or other information (except destination IP). We name the technique “bit-masking”. The attack seems able to exfiltrate any amount of data and execution time does not seem to affect detection rates. For proof, we develop the “Leaky-Faucet” software that allows us to (i) remotely control a reverse shell and (ii) transfer data unnoticed. The validation scope for the presented attack includes evading 5 popular NIDS, 8 of the most popular integrated end-point protection solutions and a Data Leakage Prevention system (DLP); both on the network and host session level. We present three different variations of the attack able to transfer (i) shell commands, (ii) large chunks of data, and (iii) malicious code to a remote command and control (CnC) center. During experiments, we also detected an NPcap library bug that allows resent packets to avoid logging from network analysis tools for Windows that use the Npcap library.

Download

Paper Citation

in Harvard Style

Stergiopoulos G., Lygerou E., Tsalis N., Tomaras D. and Gritzalis D. (2020). Avoiding Network and Host Detection using Packet Bit-masking.In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications - Volume 3: SECRYPT, ISBN 978-989-758-446-6, pages 52-63. DOI: 10.5220/0009591500520063

in Bibtex Style

@conference{secrypt20,
author={George Stergiopoulos and Eirini Lygerou and Nikolaos Tsalis and Dimitris Tomaras and Dimitris Gritzalis},
title={Avoiding Network and Host Detection using Packet Bit-masking},
booktitle={Proceedings of the 17th International Joint Conference on e-Business and Telecommunications - Volume 3: SECRYPT,},
year={2020},
pages={52-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0009591500520063},
isbn={978-989-758-446-6},
}

in EndNote Style

TY - CONF

JO - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications - Volume 3: SECRYPT,
TI - Avoiding Network and Host Detection using Packet Bit-masking
SN - 978-989-758-446-6
AU - Stergiopoulos G.
AU - Lygerou E.
AU - Tsalis N.
AU - Tomaras D.
AU - Gritzalis D.
PY - 2020
SP - 52
EP - 63
DO - 10.5220/0009591500520063