Network Evasion

  • Ways to accomplish evasion

    • Fragmenting packets - break packets into fragments before they are sent so the IDS can't recognize them and treats them as useless chatter

    • Spoofing an IP address - use packet crafting tools to obscure the source IP address of packets. Data coming back to the fake address will not be seen by the attacker.

      • Tools: Hping, Scapy, Komodia

    Source routing

    • Originally designed to allow applications to specify the route a packet takes to a destination, ignoring what the route tables between the two systems say

    • It was deprecated long ago

    • Attacker could use an IP address of another machine on the subnet and have all the return traffic sent back

    • Doesn't really work in modern networks because firewalls and routers detect and block source-routed packets
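The "detect and block" step above is what a router or firewall does when it refuses source-routed packets. As an added example (not part of these notes), the following Python walks the IPv4 option list and flags the loose (LSRR) and strict (SSRR) source-route options; the sample headers, addresses and the 10.0.0.99 hop are constructed for the example.

```python
"""Flag IPv4 packets that carry a source-route option (LSRR or SSRR).
Added example, not part of these notes: the check a router or firewall
applies before dropping source-routed packets. Sample headers are built
by hand below; the addresses are documentation ranges, not real hosts."""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89         # loose / strict source and record route

def ipv4_options(packet: bytes) -> list:
    """Return (type, data) tuples for every option in the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts, i = [], 20
    while i < ihl:                           # walk the option TLVs after the fixed 20 bytes
        kind = packet[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:   # truncated option: treat as malformed
            raise ValueError("malformed IP option")
        opts.append((kind, packet[i + 2:i + length]))
        i += length
    return opts

def is_source_routed(packet: bytes) -> bool:
    """True when the header asks intermediate hops to follow a sender-supplied route."""
    return any(k in (IPOPT_LSRR, IPOPT_SSRR) for k, _ in ipv4_options(packet))

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (TTL 64, TCP, zero checksum) for the samples."""
    pad = options + b"\x00" * (-len(options) % 4)     # options padded to 32-bit words
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(pad) // 4), 0, 20 + len(pad),
                       0, 0, 64, 6, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + pad

# LSRR option: type 0x83, length 7, pointer 4, then one route hop (10.0.0.99)
LSRR_OPT = bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 99])
PLAIN = build_header("192.0.2.10", "198.51.100.5")
ROUTED = build_header("192.0.2.10", "198.51.100.5", LSRR_OPT)
```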

  • IP Address Decoy

    • Hide the real source of the scan among a bunch of decoy source addresses, so it looks like the decoys are also scanning

# Scan with 10 randomly generated decoy addresses
nmap -D RND:10 X.X.X.X

# Explicit decoy list; ME marks where your own address appears in the list
nmap -D decoyIP1,decoyIP2,decoyIP3,...,ME,... [target]

Proxies

  • a system you set up to act as a middle man between you and your targets

  • used by network admins to control traffic and provide security for internal users

  • can be a single proxy or a chain of multiple proxies

  • Proxy Chain Tools

    • Proxy Switches

    • Proxy Workbench

    • ProxyChains

    • SoftCab's Proxy Chain Builder

    • CyberGhost

    • Proxifier

  • Onion Routing (TOR)

    • installs a small client on your machine

    • gets a list of other clients running Tor from a directory server

    • communication between Tor clients is encrypted

![[../../../Screenshots/TOR.png]]

  • Anonymizers

    • services on the Internet that make use of a web proxy to hide your identity

    • Tools

      • Guardster

      • Ultrasurf

      • Psiphon

      • Tails

  • HTTP tunneling

    • firewall evasion technique

    • wrapping (encapsulating) other traffic inside HTTP

    • Works because port 80 is almost never filtered

Devices Aligned Against the Attacker

  • Intrusion Detection Systems (IDSs)

    • hardware and/or software devices that examine streams of packets for unusual or malicious behavior

    • Types of IDSs

      • Signature based

        • IDS compares packets against a list of known traffic patterns that indicate an attack

        • Only as good as the signature list; if it is not kept up to date, new intrusions may go undetected.

      • Anomaly (behavior based)

        • alert decisions are based on learned behavior and "normal" traffic patterns

        • better at picking up the latest attacks

        • can generate a lot of false positives

      • Host-based IDS

        • usually a software program that lives on the host itself

        • usually signature based

    • IDS Evasion tools

      • ADMutate

      • Nessus

      • NIDSbench

      • Inundator

      • IDS Informer

  • Snort

    • An open source IDS that combines the benefits of signature, protocol and anomaly-based inspections

    • Things it can detect

      • Buffer overflows

      • Port Scans

      • OS fingerprinting

    • Runs in three modes

      • Sniffer mode - lets you watch packets in real time as they come across the network tap

      • Packet Logger - saves packets to disk for review

      • Network Intrusion Detection System - analyzes network traffic against rule sets

    • Snort rules are a single line composed of a header and options.

      • Each rule contains

        • Action

          • Alert

          • Log

          • Pass

        • Protocol

        • Direction operator (-> or <>)

        • Source and destination address/port

        • Options, such as the alert message (msg)

        # Snort rule example - any address and port not part of HOME_NET, destined to an address in HOME_NET on port 31337 - alert me with msg
        # Note: variables are referenced with $ (so the negation is !$HOME_NET) and each option is terminated with ;
        alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)
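As an added example (not from these notes or the Snort project), a small Python parser for single-line rules of the shape above, plus a check of a connection's 5-tuple against the parsed header; the HOME_NET value and the sid/rev options are constructed for the example.

```python
"""Parse a single-line Snort rule and test a flow's 5-tuple against its header.
Added example, not from these notes or the Snort project; it handles $VAR
variables, '!' negation, 'any' and port ranges. HOME_NET is a sample value."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(rule: str) -> dict:
    """Header fields by name, plus an 'options' dict built from the parentheses."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: " + rule)
    fields, opts = m.groupdict(), {}
    for item in fields.pop("opts").split(";"):        # options are ';'-terminated
        key, _, val = item.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"') or True    # bare flags like nocase
    fields["options"] = opts
    return fields

def _addr_ok(spec: str, ip: str, variables: dict) -> bool:
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    spec = variables.get(spec[1:], spec) if spec.startswith("$") else spec
    hit = spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                               for n in spec.strip("[]").split(","))
    return hit != negate                              # '!' inverts the match

def _port_ok(spec: str, port: int) -> bool:
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    lo, sep, hi = spec.partition(":")                 # '1024:' and ':1023' are ranges
    hit = spec == "any" or (int(lo or 0) <= port <= int(hi or 65535) if sep
                            else int(spec) == port)
    return hit != negate

def rule_matches(rule, proto, src, sport, dst, dport, variables):
    """True when the 5-tuple satisfies the rule header; options are not evaluated."""
    if rule["proto"] not in (proto, "ip") or rule["dir"] != "->":
        return False                                  # '<>' rules are out of scope here
    return (_addr_ok(rule["src"], src, variables) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst, variables) and _port_ok(rule["dport"], dport))

HOME_NET = {"HOME_NET": "192.168.1.0/24"}            # constructed sample variable
RULE = parse_rule('alert tcp !$HOME_NET any -> $HOME_NET 31337 '
                  '(msg:"BACKDOOR ATTEMPT-Backorifice"; sid:1000001; rev:1;)')
```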

  • Firewall

    • An appliance within a network that is designed to protect internal resources from unauthorized access

    • There is always an implicit deny

    • Types of firewalls

      • Stateful inspection - tracks the entire status of a connection

      • Circuit-level gateway - works at the Session layer and allows or blocks whole sessions (data streams) rather than inspecting each packet

      • Application-level - filters traffic much like a proxy, allowing specific services in and out of the network based on its rule set

    • Firewall Evasion

      • firewalking - probe the firewall port by port and protocol by protocol to identify which ones it lets through and which ones it has blocked (filtered)

      • best method available is to have a compromised machine on the inside initiate all communication for you

  • Honeypots

    • A system set up as a decoy to entice attackers

    • Important points

      1. Anything and everything on a honeypot system is not to be trusted

      2. The location of the honeypot is super important

    • Types of Honeypots

      • High-interaction honeypot - simulates all services and applications and is designed to be completely compromised

        • Examples: Symantec Decoy Server, Honeynets

      • Low-interaction honeypot - simulates a limited number of services and cannot be compromised completely (by design)

        • Examples: Specter, Honeyd, KFSensor
