Posted by: Dan O'Connor
dce rpc, dce rpc fragmentation, fragmentation, ips, ips evasion, metasploit, SonicWall, sonicwall ips evasion
Well this did work a few weeks ago.
Until a week or so ago, someone could use an IPS evasion module in Metasploit to pass attacks through a SonicWall. This involved using DCE/RPC fragmentation, which fragments the packets during the NetBIOS session setup.
This has been known since at least around 2006, when Snort implemented a dynamic preprocessor to handle this in its engine. Several other UTMs have the ability to detect this type of traffic, most of them based on the Snort preprocessor.
Last week I was successfully getting the ms10_061 exploit past the SonicWall's IPS engine and AV engine using the fragmentation. I did not specifically choose ms10_061, but it was in the list of top 10 blocked attacks on the dashboard.
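As an added example (not from the original post, nor SonicWall's or Metasploit's code), this is the reassembly an IPS preprocessor has to perform before matching signatures: a minimal parser for connection-oriented DCE/RPC request PDUs (16-byte common header per MS-RPCE; little-endian only, no auth trailer assumed), a reassembler keyed on call_id and the PFC_FIRST_FRAG/PFC_LAST_FRAG flags, and a check showing that a signature pattern split across small fragments is invisible per fragment but visible once reassembled. The pattern, the PDU builder and the fragment splitter are constructed test input.

```python
import struct

PTYPE_REQUEST = 0
PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80
HDR = "<BBBB4sHHI"  # rpc_vers, vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id

def make_request_pdu(call_id, opnum, stub, flags):
    """Constructed test input: one little-endian DCE/RPC request PDU without an auth trailer."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub  # alloc_hint, p_cont_id, opnum, stub data
    hdr = struct.pack(HDR, 5, 0, PTYPE_REQUEST, flags, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body

def parse_request_pdu(data):
    """Return (call_id, flags, opnum, stub) for a little-endian request PDU; reject malformed headers."""
    vers, _, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from(HDR, data, 0)
    if vers != 5 or ptype != PTYPE_REQUEST or frag_len != len(data) or not drep[0] & 0x10:
        raise ValueError("unsupported or malformed PDU")
    opnum = struct.unpack_from("<IHH", data, 16)[2]  # alloc_hint, p_cont_id, opnum
    off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)  # optional object UUID precedes the stub
    return call_id, flags, opnum, data[off:frag_len - auth_len]

def fragment(call_id, opnum, stub, size):
    """Constructed test input: one request split into fixed-size fragments with correct flags."""
    chunks = [stub[i:i + size] for i in range(0, len(stub), size)]
    last = len(chunks) - 1
    return [make_request_pdu(call_id, opnum, c, (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == last else 0))
            for i, c in enumerate(chunks)]

def reassemble(pdus):
    """Stitch fragments per call_id, as an IPS preprocessor must before signature matching.
    Returns a list of (call_id, opnum, stub, fragment_count) for every completed request."""
    pending, out = {}, []
    for pdu in pdus:
        call_id, flags, opnum, stub = parse_request_pdu(pdu)
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = [opnum, bytearray(), 0]
        if call_id in pending:  # fragments without a preceding FIRST_FRAG are dropped
            entry = pending[call_id]
            entry[1] += stub
            entry[2] += 1
            if flags & PFC_LAST_FRAG:
                out.append((call_id, entry[0], bytes(entry[1]), entry[2]))
                del pending[call_id]
    return out

def signature_hits(pdus, pattern):
    """(hits when scanning each fragment alone, hits after reassembly); the first number is all
    that a fragmentation-blind engine ever sees."""
    alone = sum(pattern in parse_request_pdu(p)[3] for p in pdus)
    whole = sum(pattern in stub for _, _, stub, _ in reassemble(pdus))
    return alone, whole
```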
Turn off the Frag,
Right through like Jim Morrison.
I reported the issue to SonicWall and, after some debate, there is a new signature.