Everybody agrees to consider “security by obscurity” a false sense of security. By using this principle, the security of an information system in (falsely) increased by hiding sensitive details. Such information can be removed like: by altering the application welcome banner (in Apache, sendmail, etc), by changing the default port (example: binding your SSH daemon on port 2222 instead of the standard 22), by renaming critical files with invalid names or extensions.
From an offensive point if view, attacking by obscurity can be much more interesting. If you launch an attack on a specific target, there are (mis)chances that your behavior will be detected by an IDS, a firewall or any other security countermeasure. One of the solution is to work “below the radar”. It means performing the attack at a very low rate to not trigger the rules in the security system or by avoiding regular patterns in your packets. Example when using Nmap:
# nmap -sF --max-rate 0.5 --scan-delay 3 192.168.0.0/24
In this command line:
- “–scan-delay” asks Nmap to wait at least the given amount of time between each probe it sends to a given host.
- “–max-rate” limits the scan sending rate to a given maximum
Note that,Â by default, Nmap randomizes the ports to scan (except the well-know ports for efficiency)
Another method is to use a solution like inundator. What’s the purpose of this tool? Quoted from the official website: “inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.“
It could be resumed as “The security analyst’s nightmare” 😉 The principle is quite simple: Hide your real attacks amongst thousand of false-positive alerts generated by the IDS and hope that the real attack won’t be discovered.
Based on the schema above, inundator reads the current Snort rules database and generate packets which will trigger the rules. A Nmap scan of the target host(s) is performed to detect interesting ports. inundator floods the target host(s) via the generated packets to the ports reported open by Nmap. In parallel, the real attack is performed. Of course, the flood of packets will be send via Tor or a bunch of open proxies to increase the number of sources.
Unfortunately, inundator is not able to detect the IDS in place and works only with the Snort signatures. If we come back to the “defensive” point of view, inundator can be used to stress test your Snort.
Source code: inundator_0.5.tar.gz