***************************************************************************
g0 - XRAY - Intrusion Detection System for win/32.

© GroundZero Security Research and Software Development. 
    2005-2006, All rights reserved.
***************************************************************************

Contents:

1. - Introduction
2. - Installation
3. - Using the IDS
     3.4 - Packet capture engine
     3.5 - Pattern matching explained
           3.5.1 - Exploits
           3.5.2 - Shellcode
           3.5.3 - Command Injection
           3.5.4 - Directory traversal
           3.5.5 - Suspicious activity
           3.5.6 - Source Code Dump
     3.6 - Logging
4. - Other features
5. - General Informations
6. - Appendix


***************************************************************************
1.) Introduction
***************************************************************************

Intrusion Detection Systems are a very useful application for
administrators who want to keep an eye on what is happening on
their network.

Usually such systems run on Unix based servers, but for win32
there is hardly any attack detection software, and that is why
we wrote XRAY.


***************************************************************************
2.) Installation
***************************************************************************

The installation is easy, just start the Setup executable and
follow the instructions on the screen.


***************************************************************************
3.) Using the IDS
***************************************************************************

The interface is kept simple so it should be easy for everyone.
By clicking on the "Start IDS" button, the engine starts to
operate and listens on the network interface for traffic.

On the left side of the main window you see general network
statistics, such as received packets separated by protocol.

Every incoming packet is captured and analyzed
(see section 3.5 for more information).

***************************************************************************
3.4) Packet capture engine
***************************************************************************

The packet capture engine is basically the main part of XRAY.
It listens on the network interface card using raw sockets
to capture every packet that arrives.
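As an added illustration (not XRAY's own code), here is how a captured raw IPv4 datagram is split into the fields the statistics pane and the matcher need: protocol, addresses, ports and the transport payload. The packet bytes are constructed inside the script, so it runs without a raw socket.

```python
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_sample_packet(payload: bytes) -> bytes:
    """Constructed IPv4+TCP datagram (not a real capture) so the parser can run offline."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    # TCP: sport 40000, dport 80, seq, ack, data offset 5 words, flags PSH|ACK, window
    tcp_hdr = struct.pack("!HHLLBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(raw: bytes) -> dict:
    """Split a raw IPv4 datagram into the fields the statistics pane and matcher use."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (raw[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    info = {"proto": PROTO_NAMES.get(proto, str(proto)),
            "src": ".".join(str(b) for b in raw[12:16]),
            "dst": ".".join(str(b) for b in raw[16:20]),
            "sport": None, "dport": None, "payload": b""}
    body = raw[ihl:total_len]
    if proto == 6 and len(body) >= 20:        # TCP: ports, then data offset in words
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        info["payload"] = body[(body[12] >> 4) * 4:]
    elif proto == 17 and len(body) >= 8:      # UDP: fixed 8-byte header
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        info["payload"] = body[8:]
    else:                                     # ICMP and others: hand the rest to the matcher
        info["payload"] = body
    return info

def count_by_protocol(packets) -> dict:
    """Per-protocol received-packet counters, as shown in the left-hand statistics."""
    counts = {}
    for raw in packets:
        name = parse_packet(raw)["proto"]
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    pkt = build_sample_packet(b"GET /index.html HTTP/1.0\r\n\r\n")
    print(parse_packet(pkt))
    print(count_by_protocol([pkt, pkt]))
```

On win32, opening a raw socket that sees every packet on the interface requires administrator rights; the parser above works on any captured byte string regardless of how it was obtained.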


***************************************************************************
3.5) Pattern matching explained
***************************************************************************

If you don't know what pattern matching is about, let us explain
it quickly with a little example, as simply as possible:

Let's say we have a text file with 1000 lines of text and we want
to find a certain word in it; the word represents a pattern that we
want to find. The same concept is used in our engine. Every
received packet (which looks just like a text file when viewed as
ASCII) is compared with a list of attack patterns, and if we get a
match it is very likely to be an attack directed at your computer!


***************************************************************************
3.5.1) Exploits
***************************************************************************

Exploits are programs designed to *exploit* a bug in software,
for example to gain unauthorized access or to make the target
computer unavailable by crashing it.

If the IDS detects such a pattern, you should investigate the
issue as soon as possible, i.e. see where the connection is
coming from and which port it was directed to. Disable the
service if possible, look for current security vulnerabilities
regarding the software, and install the latest patches or update
to the latest version.


***************************************************************************
3.5.2) Shellcode
***************************************************************************

To make it short, shellcode is a short sequence of CPU instructions
that an exploit places in the memory of a vulnerable program so
that commands are executed directly from there. If the IDS detects
such a pattern, it is highly likely that you are under attack!


***************************************************************************
3.5.3) Command Injection
***************************************************************************

Web-based scripting languages such as Perl/CGI and PHP often
have bugs that make it possible for an attacker to inject
strings into the script, allowing him/her to run commands with
the privileges of the installed script, which can obviously lead
to full compromise of the vulnerable system.

  
***************************************************************************
3.5.4) Directory traversal
***************************************************************************

With this method an attacker can access files outside the
web root, making it possible to read sensitive information.


***************************************************************************
3.5.5) Suspicious activity
***************************************************************************

If you have suspicious activity logs, this indicates that someone
is snooping around or maybe is even trying to attack your
system. Watch carefully whether you receive any more packets and
look at the received data to find out where the activity is
directed to.


***************************************************************************
3.5.6) Source Code Dump
***************************************************************************

Through some bugs it is possible to view the source code of
certain web applications (PHP, ASP, CGI and the like).
This can lead to disclosure of sensitive information, such as
the password for the MySQL database.
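The following added example (not XRAY's pattern set, which this README does not publish) shows the comparison step from section 3.5 across the categories described in 3.5.1 to 3.5.6: each payload is checked against a small constructed signature list, once as received and once after URL decoding, so an encoded traversal such as %2e%2e%2f is caught as well as a literal ../. Patterns, categories and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed, illustrative (category, pattern) list standing in for the attack
# list every received packet is compared against; not XRAY's own signatures.
SIGNATURES = [
    ("directory traversal", re.compile(rb"\.\.[\\/]")),
    ("directory traversal", re.compile(rb"/etc/passwd|boot\.ini", re.I)),
    ("command injection",   re.compile(rb"[;|`]\s*(cmd(\.exe)?|/bin/sh)\b", re.I)),
    ("shellcode",           re.compile(rb"\x90{16,}")),      # NOP sled heuristic
    ("source code dump",    re.compile(rb"::\$DATA", re.I)),  # classic IIS disclosure trick
]

def normalize(payload: bytes) -> bytes:
    """Decode %xx escapes once, so %2e%2e%2f is seen as ../ by the matcher."""
    return unquote_to_bytes(payload)

def scan_payload(payload: bytes) -> list:
    """Compare one payload against every signature; return (category, pattern) hits."""
    hits = []
    for view in (payload, normalize(payload)):
        for category, pattern in SIGNATURES:
            key = (category, pattern.pattern)
            if key not in hits and pattern.search(view):
                hits.append(key)
    return hits

def is_attack(payload: bytes) -> bool:
    return bool(scan_payload(payload))

def summarize(payloads) -> dict:
    """Count payloads per matched category, the way an alert log would be tallied."""
    counts = {}
    for p in payloads:
        for category in {c for c, _ in scan_payload(p)}:
            counts[category] = counts.get(category, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed sample requests, as the ASCII payloads of captured packets.
    samples = [
        b"GET /index.html HTTP/1.0\r\n\r\n",
        b"GET /cgi-bin/view.cgi?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0\r\n\r\n",
        b"GET /cgi-bin/form.pl?name=bob;/bin/sh HTTP/1.0\r\n\r\n",
        b"GET /default.asp::$DATA HTTP/1.0\r\n\r\n",
    ]
    for s in samples:
        print(s[:40], "->", [c for c, _ in scan_payload(s)] or "clean")
    print(summarize(samples))
```

A real signature list is far longer and is the part that needs maintenance; the decode-then-match step is what keeps simple encoding from slipping past it.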


***************************************************************************
3.6) Logging
***************************************************************************

Logging of packets should always be enabled!
Be careful with selecting all packets to be logged, as it may
slow down performance, and the file can get huge depending
on your network traffic, so be sure to have enough space left
on the logging device.


***************************************************************************
4.) Other features
***************************************************************************

Some useful features such as netstats are included.
Browse the menu on the main window to see all features.


***************************************************************************
5.) General Information
***************************************************************************

This engine is not an attack prevention system; it only informs
you about bad network activity. Its purpose is to detect attacks
at the network level.


***************************************************************************
6.) Appendix
***************************************************************************

- Information about exploits:
  http://www.phrack.org/phrack/60/p60-0x0a.txt
  http://www.phrack.org/phrack/55/P55-15

- Example of directory traversal:
  http://www.idefense.com/application/poi/display?id=212&type=vulnerabilities&flashstatus=true

- Script Injection explained:
  http://www.cgisecurity.com/lib/sips.html

- More information about Shellcode:
  http://www.phrack.org/phrack/62/p62-0x07_Advances_in_Windows_Shellcode.txt
  http://www.phrack.org/phrack/57/p57-0x05
  http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html