What is the Evasion Gateway?
The Evasion Gateway is a fully functional IP-level gateway that utilises the unique capabilities of the Informer technology to enable bidirectional transmission of packets through stealth mode interfaces whilst applying a number of well-known evasion techniques designed to evade, and thereby validate, many of today's network and security devices.
The Evasion Gateway has been designed to provide an easy to use, Microsoft Windows based network gateway capable of applying a number of the most common evasion techniques used in many of today's host-based vulnerability assessment tools, enabling:
Bi-directional network based evasion
Apply evasion techniques to all packets transmitted from either the Internal or External interfaces or both.
User-defined packet fragmentation levels between 8 and 1512 bytes in 8-byte increments, null fragment insertion before or after the original packet, transmission of fragments out of sequence, and an override for specific TCP packet types.
The HTTP Evasion Settings enable the modification of URLs as they pass through the gateway using any one of 15 techniques or a combination of those techniques.
URI encoding (non UTF8) (hex encoding)
Characters are converted to their hex equivalent so:
GET /documents/example.pdf becomes GET /%64%6f%63%75%6d%65%6e%74%73/%65%78%61%6d%70%6c%65%2e%70%64%66
Random URI encoding (non UTF8) (random hex encoding)
Random characters are converted to their hex equivalent so:
GET /documents/example.pdf becomes GET /d%6f%63um%65%6e%74s/%65%78%61m%70%6c%65%2e%70%64f
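The two URL transformations above, together with the canonicalisation step a detecting device has to perform before it can match a signature, as an added example (not code from the Evasion Gateway or its vendor). It encodes the page's sample path the same two ways, then decodes each %XX byte-wise (non-UTF8, as on the page) and reports decoded bytes that a compliant client would never have encoded. The function names, the 0.7 encoding ratio and the "unnecessary encoding" heuristic are this example's own choices.

```python
"""Percent-encoding evasions and the normalisation a detector needs.

Added example, not part of the Evasion Gateway product. Reproduces full hex
encoding and random hex encoding of a request path, then shows the
single-pass, byte-wise decoding a network device must apply before
comparing a request against a signature.
"""
import random
import re
import string

# RFC 3986 unreserved characters: a compliant client has no reason to
# percent-encode these, so an encoded unreserved byte is a useful hint that
# the request is meant to look different on the wire than to the server.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def hex_encode_path(path: str) -> str:
    """Encode every character except '/' as %XX (first technique on the page)."""
    return "".join(c if c == "/" else f"%{ord(c):02x}" for c in path)


def random_hex_encode_path(path: str, rng: random.Random, ratio: float = 0.7) -> str:
    """Encode a random subset of characters (second technique on the page).

    `ratio` (an assumption of this example) is the chance each character is
    encoded; the page does not state how the gateway picks characters.
    """
    return "".join(
        f"%{ord(c):02x}" if c != "/" and rng.random() < ratio else c
        for c in path
    )


def normalise_path(wire_path: str) -> tuple[str, list[str]]:
    """Decode %XX byte-wise and list decoded bytes that did not need encoding.

    Returns (decoded_path, findings). Decoding is one pass and non-UTF8:
    each %XX becomes exactly one byte, and a decoded '%' is not decoded
    again, so a canonical form is reached deterministically.
    """
    findings: list[str] = []

    def _sub(m: re.Match) -> str:
        ch = chr(int(m.group(1), 16))
        if ch in UNRESERVED or ch == "/":
            findings.append(f"unnecessary encoding %{m.group(1)} -> {ch!r}")
        return ch

    return PCT.sub(_sub, wire_path), findings


def request_matches(wire_request: str, signature_path: str) -> tuple[bool, list[str]]:
    """Signature check done the right way: on the canonical form of the path.

    `wire_request` is a request line such as 'GET /documents/example.pdf'.
    """
    _method, _, path = wire_request.partition(" ")
    decoded, findings = normalise_path(path)
    return decoded == signature_path, findings


if __name__ == "__main__":
    path = "/documents/example.pdf"
    full = hex_encode_path(path)
    partial = random_hex_encode_path(path, random.Random(7))
    for wire in (full, partial):
        ok, notes = request_matches("GET " + wire, path)
        print(f"GET {wire}\n  matches signature after decoding: {ok}, "
              f"{len(notes)} unnecessarily encoded bytes")
```

Matching the raw wire form against the literal signature string fails for both encodings, which is exactly the evasion; matching the decoded form succeeds, and the count of unnecessarily encoded bytes is what a device can alert on.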
Why do I need to use these techniques? TCP/IP has rapidly become the predominant communications protocol used in a variety of applications including:
Security, Firewalls, Intrusion Detection/Prevention, Networking, Switches, Routers, Telephony, IP phones, GPRS, Internet Services, Web servers, News servers, eMail are all potential weak points in a network. Validating a system's capability to detect these intrusions is critical.
Each one of these devices, and others, has many configuration scenarios that can lead to misuse or even circumvention of the device, allowing unauthorized or undetected use.
There are a number of ways in which each of these devices can be validated using tools such as IDS and Firewall Informer, vulnerability scanners and so on. The Evasion Gateway can augment those existing technologies to determine if a particular technique will enable an unauthorized user access to systems.
So how does it work?
The following example describes the configuration of the Evasion Gateway when used to validate various characteristics of a web server.
This example can be run on multiple machines (one running the web client and the other the Evasion Gateway) or on one machine (both the web client and the Evasion Gateway running simultaneously). This is possible because the Evasion Gateway creates virtual machines at the hardware and IP layers and can therefore communicate with the local machine, as packets are broadcast on a hub or forwarded on a switch through the same port.
This will require resetting the default gateway on the web client to the IP address of the internal interface of the Evasion Gateway.
When a GET request is initiated from the client, the packets will be sent to the Evasion Gateway. As packets pass through the Evasion Gateway the selected evasion techniques will be applied and the modified packets sent on to the real default gateway, which in turn will pass them on to the web server. If the evasion technique is successful then the web page requested will be displayed.
This scenario can be used to augment existing network and application validation methodologies.
Additional uses include the validation of RFC compliance on the IP stack of the network device being tested. For instance, "does the network device successfully reassemble fragmented packets?" This can be validated by running multiple gateways in sequence, fragmenting packets at different sizes.
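The fragmentation settings listed earlier (sizes in 8-byte increments, fragments sent out of sequence) and the reassembly question just raised, as an added example that is not the Evasion Gateway's code. It models fragments as plain Python objects rather than real IP headers and implements the reassembly checks a device under test should pass: reorder by offset, reject gaps, reject overlaps (different stacks resolve overlapping fragments differently, so a defender's device should treat them as an error rather than guess), and insist that every non-final fragment is a multiple of 8 bytes. The `Fragment` layout, the sample payload and the fragment sizes are this example's own choices; the 8 to 1512 byte range is the one the page states for the gateway.

```python
"""IP-style fragmentation and the reassembly a device under test must do.

Added example, not part of the Evasion Gateway product. Fragments carry the
same three facts an IP fragment does (offset, more-fragments flag, data) so
the reassembly rules can be shown without parsing packet headers.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original payload
    more: bool    # True for every fragment except the last (the IP MF flag)
    data: bytes


def fragment(payload: bytes, size: int) -> list[Fragment]:
    """Split payload into `size`-byte fragments; IP requires multiples of 8.

    The 8..1512 range mirrors the gateway's documented setting range.
    """
    if not 8 <= size <= 1512 or size % 8:
        raise ValueError("fragment size must be a multiple of 8 in 8..1512")
    return [
        Fragment(off, off + size < len(payload), payload[off:off + size])
        for off in range(0, len(payload), size)
    ]


def reassemble(frags: list[Fragment]) -> bytes:
    """Rebuild the payload from fragments in any order, or raise on a bad set."""
    if not frags:
        raise ValueError("no fragments")
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    expected = 0                      # offset the next fragment must start at
    for f in ordered:
        if f.offset < expected:
            raise ValueError(f"overlap at offset {f.offset}")
        if f.offset > expected:
            raise ValueError(f"gap before offset {f.offset}")
        if f.more and len(f.data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        out += f.data
        expected += len(f.data)
    if any(not f.more for f in ordered[:-1]):
        raise ValueError("more than one final fragment")
    if ordered[-1].more:
        raise ValueError("last fragment missing")
    return bytes(out)


def validate(frags: list[Fragment]) -> str:
    """Return 'ok' or the reassembly error text, for reporting a test run."""
    try:
        reassemble(frags)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample payload: a few copies of the request line from above.
    payload = b"GET /documents/example.pdf HTTP/1.0\r\n" * 4
    for size in (8, 24, 64):
        frags = fragment(payload, size)
        shuffled = frags[:]
        random.Random(1).shuffle(shuffled)      # sent out of sequence
        print(f"size {size:3d}: {len(frags):2d} fragments, "
              f"out-of-order reassembly {validate(shuffled)}")
    frags = fragment(payload, 24)
    print("missing middle fragment:", validate(frags[:2] + frags[3:]))
    print("duplicated fragment    :", validate(frags + [frags[2]]))
    print("final fragment dropped :", validate(frags[:-1]))
```

Running the same payload through several fragment sizes is the software equivalent of the page's suggestion to chain gateways fragmenting at different sizes: a device that only reassembles correctly at one size, or that silently accepts a gap or an overlap, fails the check.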