IDS/IPS Evasion
Stalking isn't that easy.
Firewall Detection
Testing Firewall rules (Using ACK scan)
When we send a packet with only the ACK flag set, BOTH open and closed ports reply with an RST flag, so the ACK scan cannot tell open from closed; what it does show is whether a firewall sits in the path, because a port that answers with an ICMP unreachable or does not answer at all is being filtered.
└──╼ $ sudo nmap 10.10.10.10 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace
SENT (0.0278s) TCP 10.10.14.2:57347 > 10.10.2.10:21 S .. <SNIP> ..
SENT (0.0278s) TCP 10.10.14.2:57347 > 10.10.10.10:22 S .. <SNIP> ..
SENT (0.0278s) TCP 10.10.14.2:57347 > 10.10.10.10:25 S .. <SNIP> ..
RCVD (0.0329s) ICMP [10.10.10.10 > 10.10.14.2 Port 21 unreachable (type=3/code=3) ] .. <SNIP> ..
RCVD (0.0341s) TCP 10.10.10.10:22 > 10.10.14.2:57347 SA .. <SNIP> ..
RCVD (1.0386s) TCP 10.10.10.10:22 > 10.10.14.2:57347 SA .. <SNIP> ..
PORT STATE SERVICE
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
└──╼ $ sudo nmap 10.10.10.10 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace
SENT (0.0422s) TCP 10.10.14.2:49343 > 10.129.2.28:21 A .. <SNIP> ..
SENT (0.0423s) TCP 10.10.14.2:49343 > 10.129.2.28:22 A .. <SNIP> ..
SENT (0.0423s) TCP 10.10.14.2:49343 > 10.129.2.28:25 A .. <SNIP> ..
RCVD (0.1252s) ICMP [10.129.2.28 > 10.10.14.2 Port 21 unreachable (type=3/code=3) ] .. <SNIP> ..
RCVD (0.1268s) TCP 10.129.2.28:22 > 10.10.14.2:49343 R .. <SNIP> ..
SENT (1.3837s) TCP 10.10.14.2:49344 > 10.129.2.28:25 A .. <SNIP> ..
PORT STATE SERVICE
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
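As an added example that is not part of these notes, the following Python script applies nmap's response-to-state rules to constructed --packet-trace lines modelled on the two listings above, once for the SYN scan and once for the ACK scan. It goes one step beyond the notes by combining the two results per port to tell a stateless rule that only blocks SYN from one that filters regardless of flags. The trace lines, port numbers and function names are assumptions.

```python
import re
# nmap --packet-trace line shapes, matched as prefixes so ".. <SNIP> .." tails are ignored.
TCP_RE = re.compile(r'^(SENT|RCVD) \([\d.]+s\) TCP \S+:(\d+) > \S+:(\d+) ([A-Z]+)')
ICMP_RE = re.compile(r'^RCVD \([\d.]+s\) ICMP \[\S+ > \S+ Port (\d+) unreachable \(type=3/code=\d+\)')

# Constructed sample traces modelled on the listings above (not real captures).
SYN_TRACE = [
    "SENT (0.0278s) TCP 10.10.14.2:57347 > 10.10.10.10:21 S",
    "SENT (0.0278s) TCP 10.10.14.2:57347 > 10.10.10.10:22 S",
    "SENT (0.0278s) TCP 10.10.14.2:57347 > 10.10.10.10:25 S",
    "RCVD (0.0329s) ICMP [10.10.10.10 > 10.10.14.2 Port 21 unreachable (type=3/code=3) ]",
    "RCVD (0.0341s) TCP 10.10.10.10:22 > 10.10.14.2:57347 SA",
]
ACK_TRACE = [
    "SENT (0.0422s) TCP 10.10.14.2:49343 > 10.10.10.10:21 A",
    "SENT (0.0423s) TCP 10.10.14.2:49343 > 10.10.10.10:22 A",
    "SENT (0.0423s) TCP 10.10.14.2:49343 > 10.10.10.10:25 A",
    "RCVD (0.1252s) ICMP [10.10.10.10 > 10.10.14.2 Port 21 unreachable (type=3/code=3) ]",
    "RCVD (0.1268s) TCP 10.10.10.10:22 > 10.10.14.2:49343 R",
    "SENT (1.3837s) TCP 10.10.14.2:49344 > 10.10.10.10:25 A",  # retransmit, still unanswered
]

def classify(scan, lines):
    """Port -> state as nmap reports it. SYN scan ('syn'): SA=open, RST=closed, ICMP
    unreachable or silence=filtered. ACK scan ('ack'): RST=unfiltered, else filtered."""
    probed, replies = set(), {}
    for line in lines:
        m, im = TCP_RE.match(line), ICMP_RE.match(line)
        if m and m.group(1) == 'SENT':
            probed.add(int(m.group(3)))                     # our probe: target port is the destination
        elif m:
            replies[int(m.group(2))] = ('tcp', m.group(4))  # reply: target port is the source
        elif im:
            replies[int(im.group(1))] = ('icmp', '')
    states = {}
    for port in sorted(probed):
        kind, flags = replies.get(port, ('none', ''))
        if kind != 'tcp':
            states[port] = 'filtered'       # ICMP unreachable, or no answer even after retransmit
        elif scan == 'ack':
            states[port] = 'unfiltered'     # open and closed ports both answer an ACK with RST
        else:
            states[port] = 'open' if set('SA') <= set(flags) else 'closed'
    return states

def filter_verdict(syn, ack):
    """SYN filtered but ACK unfiltered: a stateless rule that matches only SYN packets.
    Filtered in both scans: the rule drops or rejects the port regardless of TCP flags."""
    table = {('filtered', 'unfiltered'): 'stateless', ('filtered', 'filtered'): 'filtered-both'}
    return {p: table.get((syn[p], ack[p]), 'unfiltered') for p in syn}
```

On the defending side, a 'stateless' verdict against your own perimeter means the filter is matching TCP flags rather than connection state; a stateful rule set that only admits established return traffic removes that distinction.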
IDS/IPS Evasion
Since our scans must be as quiet as possible, here are some techniques for avoiding detection by the IDS/IPS while scanning:
Scenario 1 : Hiding our IP with legitimate IPs
We can hide our real IP address among a set of other IP addresses so that the IDS/IPS does not single out our probes and treats them like legitimate traffic.
ALL the IP addresses we provide must be ALIVE; otherwise it is easy for the monitoring system to spot the fake ones and ban us.
So we can use our VPS IP addresses together with "IP ID" header manipulation.
Solution : Decoys
The idea is to generate random IP addresses and hide our own at a random position among them.
└──╼ $ sudo nmap 10.10.10.10 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.10.10.10:80 S
SENT (0.0379s) TCP 191.6.64.171:59289 > 10.10.10.10:80 S
SENT (0.0379s) TCP 184.178.194.209:59289 > 10.10.10.10:80 S
SENT (0.0379s) TCP 43.21.121.33:59289 > 10.10.10.10:80 S
RCVD (0.1370s) TCP 10.129.2.28:80 > 10.10.14.2:59289 SA
PORT STATE SERVICE
80/tcp open http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Scenario 2 : Some services are only available for specific subnets
Solution : Changing source IP address
└──╼ $ sudo nmap 10.10.10.10 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
-S 10.129.2.200 : Source IP address to put on the requests we send.
-e tun0 : Send all requests through the specified interface.
Scenario 3 : We need to perform DNS resolution but there are DNS-based Firewalls or filtering systems
Solution : DNS Proxying
Scenario 4 : Hiding our probes with legitimate DNS resolution queries
SYN scan from default port:
└──╼ $ sudo nmap 10.10.10.10 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace
PORT STATE SERVICE
50000/tcp filtered ibm-db2
SYN scan from port 53:
└──╼ $ sudo nmap 10.10.10.10 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
PORT STATE SERVICE
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
└──╼ $ ncat -nv --source-port 53 10.10.10.10 50000
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.28:50000.
220 ProFTPd
We successfully got a connection through the port that was shown as filtered at first.