IDS and Firewall Evasion Techniques


Firewalls and intrusion detection systems (IDS) are security measures designed to keep hackers out of a network. Even so, firewalls and IDS have weaknesses that attackers try to exploit. A selection of the evasion techniques they use is listed below.


Packet Fragmentation

Packet fragmentation is the splitting of a probe packet into several smaller packets, or fragments, before sending it to a network. Attackers use it to slip probes past a packet-filtering device on the target network without tripping the alerts that other scans would generate. The IDS and firewalls behind the host typically queue all of these fragments and process them one at a time as they arrive. Because this processing consumes more CPU and network resources, however, most intrusion detection systems are configured to skip fragmented packets during port scans.


Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the probe packet into smaller packets, for example with the command nmap -sS -T4 -A -f -v <IP>.


Source Routing

The IP options field, one of the several fields of an IP datagram, can carry a list of IP addresses and source routing information that the packet uses to reach its destination. Normally, each router along the path looks up a packet's destination IP address and selects the next hop toward that destination.

When attackers send malformed packets to a target, these packets hop through various routers and gateways, which might include firewalls and IDS that block such packets. To avoid them, an attacker sends the packet to the intended destination with a partially or completely specified route (one that avoids the firewall/IDS routers), so that the IDS or firewall never sees it. This technique is known as source routing.
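Both evasions above leave a mark in the IP header itself: a source-routed packet carries a loose or strict source-route option, and a fragmented probe of the nmap -f kind arrives as a first fragment too small to hold a whole TCP header. The following is an added example (not code from the original post), a minimal IPv4 header parser that reports both conditions so that a filter can reassemble or drop before matching rules. The sample packets are constructed inline; the addresses 10.0.0.5, 10.0.0.9 and 10.0.0.7 are assumptions.

```python
import struct

TCP = 6
LSRR, SSRR = 0x83, 0x89   # loose / strict source-and-record-route IP option types

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields an IDS needs to spot fragmented and source-routed probes."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    opts, routes, i = pkt[20:ihl], [], 0
    while i < len(opts) and opts[i] != 0:           # option type 0 ends the list
        if opts[i] == 1:                            # type 1 is a one-byte NOP
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if kind in (LSRR, SSRR):                    # type, length, pointer, then 4-byte hops
            hops = opts[i + 3:i + length]
            routes = [".".join(map(str, hops[j:j + 4])) for j in range(0, len(hops), 4)]
        i += length
    return {"proto": proto, "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "payload_len": total_len - ihl,
            "source_route": routes}

def evasion_findings(pkt: bytes) -> list:
    """Reasons to hold a packet for reassembly or drop it before rule matching."""
    h = parse_ipv4(pkt)
    findings = []
    if h["source_route"]:
        findings.append("source-routed via " + ",".join(h["source_route"]))
    if h["proto"] == TCP and h["more_fragments"] and h["frag_offset"] == 0 and h["payload_len"] < 20:
        # First fragment too small for a whole TCP header: ports and flags are split across
        # fragments, so a filter that inspects each fragment alone never sees the complete SYN.
        findings.append(f"tiny first fragment ({h['payload_len']} bytes of TCP header)")
    elif h["more_fragments"] or h["frag_offset"]:
        findings.append("fragment; reassemble before applying rules")
    return findings

def build_ipv4(proto: int, payload: bytes, more=False, offset=0, options=b"") -> bytes:
    """Constructed sample packets 10.0.0.5 -> 10.0.0.9 (checksum left zero; unused here)."""
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 1,
                      (0x2000 if more else 0) | offset // 8, 64, proto, 0,
                      bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return hdr + options + payload

# nmap -f style first fragment: only 8 bytes of the TCP header arrive, more fragments follow
TINY_FRAG = build_ipv4(TCP, bytes.fromhex("d431005000000001"), more=True)
# loose source route naming one hop (10.0.0.7), padded to 8 bytes with an end-of-list byte
LSRR_PKT = build_ipv4(TCP, bytes(20), options=bytes([LSRR, 7, 4, 10, 0, 0, 7, 0]))
NORMAL = build_ipv4(TCP, bytes(20))
```

Calling evasion_findings() on each of the three sample packets shows which ones a filter must reassemble or reject; a production sensor would reassemble fragments fully rather than only flag the first one.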

Source Port Manipulation

Source port manipulation gets around a firewall or intrusion detection system (IDS) by replacing the actual source port of the probe packets with a common, trusted port number so that the firewall and IDS rules let them through.


The primary source of this security misconfiguration is naive trust in the source port number: administrators often configure the firewall to permit inbound traffic from popular ports such as HTTP, DNS, and FTP. Firewalls that parse the protocol or use application-level proxies are not fooled by this trick.

In nmap, the -g or --source-port option can be used for source port manipulation.

IP Address Decoy

To get past IDS and firewalls, the IP address decoy approach generates or manually specifies the IP addresses of decoys, so that the target believes both the real host(s) and the decoys are scanning the network. This makes it difficult for the IDS/firewall to distinguish the spoofed addresses from the one that is genuinely scanning. It can be performed in two ways:
  • nmap -D RND:10 [target] - With this command, Nmap generates 10 random decoys for the scan and places the real IP address at a random position among the decoy IPs.
  • nmap -D decoy1,decoy2,decoy3..,ME,... [target] - With this command, you specify the IP addresses of the decoys used to scan the victim's network, separated by commas. The optional ME keyword sets the position of your genuine IP address within the decoy list; if you omit it, Nmap places your actual IP address at a random position during the scan. E.g.: nmap -D 192.168.0.1,172.120.2.1,10.10.0.1,ME,192.168.5.1 192.186.85.15

IP address decoy is a useful technique for hiding your IP address, but it fails if the target uses active methods such as response dropping or router path tracing. Furthermore, employing an excessive number of decoys slows the scan down and compromises scan accuracy.

IP Address Spoofing

IP address spoofing is a hijacking technique in which an attacker takes another computer's IP address, alters the packet headers, and sends the required packets to a target machine while pretending to be that legitimate host. The packets appear to come from the legitimate machine but are actually sent from the attacker's machine, whose own IP address stays concealed. When the victim replies, the response goes to the spoofed address, not to the attacker's actual address. Attackers commonly use IP address spoofing in DoS attacks. You can use Hping3 to perform IP spoofing, for example, hping3 www.hackhunt.in -a 192.168.1.1.
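The defence against both source port manipulation (above) and IP address spoofing is the same design change: decide on connection state and on which interface a packet arrived, not on the port or address it claims. The following is an added example, not code from the original post, contrasting a naive source-port rule with ingress filtering plus connection tracking. The internal prefixes, the trusted-port set, and the sample addresses (203.0.113.x is a documentation range) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site prefixes and the ports a naive rule set trusts as "reply" traffic (FTP-data, DNS, HTTP)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_SERVICE_PORTS = {20, 53, 80}

@dataclass
class Packet:
    iface: str    # "ext" = arrived from the Internet, "int" = arrived from the LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: set    # TCP flag names, e.g. {"SYN"}

def naive_accept(p: Packet) -> bool:
    """Source-port rule: anything from a well-known service port is assumed to be a reply."""
    return p.sport in TRUSTED_SERVICE_PORTS

def stateful_accept(p: Packet, state: set) -> bool:
    """Ingress filtering plus connection tracking; `state` holds 4-tuples of flows the LAN opened."""
    if p.iface == "ext" and any(ipaddress.ip_address(p.src) in net for net in INTERNAL_NETS):
        return False   # BCP 38 style: Internet traffic must not claim an internal source address
    if p.iface == "int":
        if "SYN" in p.flags and "ACK" not in p.flags:
            state.add((p.src, p.sport, p.dst, p.dport))   # LAN host opened a new connection
        return True
    # From the Internet, accept only packets belonging to a flow the LAN opened; a bare SYN
    # from "port 53" is a probe, not a DNS reply, however trustworthy the port looks.
    return (p.dst, p.dport, p.src, p.sport) in state

# Constructed sample traffic
PROBE = Packet("ext", "203.0.113.9", 53, "10.0.0.5", 22, {"SYN"})          # nmap -g 53 style probe
SPOOFED = Packet("ext", "192.168.1.1", 80, "10.0.0.5", 22, {"SYN"})       # hping3 -a 192.168.1.1 style
DNS_QUERY = Packet("int", "10.0.0.5", 40001, "203.0.113.53", 53, {"SYN"})
DNS_REPLY = Packet("ext", "203.0.113.53", 53, "10.0.0.5", 40001, {"SYN", "ACK"})

def run_demo() -> dict:
    """Compare both policies on the same traffic; returns accept/reject per packet."""
    state = set()
    results = {"naive_probe": naive_accept(PROBE), "naive_spoofed": naive_accept(SPOOFED),
               "stateful_spoofed": stateful_accept(SPOOFED, state)}
    stateful_accept(DNS_QUERY, state)                   # LAN host queries a resolver; flow recorded
    results["stateful_probe"] = stateful_accept(PROBE, state)
    results["stateful_reply"] = stateful_accept(DNS_REPLY, state)
    return results
```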

Custom Packets

The attacker creates and sends custom packets to scan the intended target beyond the IDS/firewalls. Various techniques are used to create custom packets. Some of them are mentioned below:

  • By using Packet Crafting Tools: Attackers create custom TCP packets using various packet crafting tools like Colasoft Packet Builder, NetScan Tools Pro, etc. to scan a target beyond a firewall. 
  • By appending Custom Binary Data: Attackers send binary data (0's and 1's) as payloads in the packets sent to the target machine present behind the firewall. The option used by Nmap is --data <hex_string>. Any <hex_string> is specified in the formats 0xAABBCC or \xAA\xBB\xCC. For example, --data 0xcalmstorm (or) --data \xCA\xF1\xA9.
  • By appending Custom String: This can be done using the Nmap option --data-string <string>. The <string> is enclosed in double quotes ("") and should avoid shell special characters. For example, --data-string "Scan conducted by HackHunt".
  • By appending Random Data: This can be done using the Nmap option --data-length <number>. To send no random or protocol-specific payload at all, use --data-length 0.
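A connection-opening SYN normally carries no data, so a payload attached with --data, --data-string or --data-length is itself a detection signal. The following is an added example (not code from the original post): a decoder for the two --data hex formats described above, used to turn a rule's hex string into the bytes to match, and a check that flags SYN probes carrying a payload. The SCANNER_MARKERS watch-list and the sample inputs are constructed.

```python
import re

HEX_0X = re.compile(r"^0x([0-9A-Fa-f]{2})+$")            # 0xAABBCC form
HEX_BACKSLASH = re.compile(r"^(\\x[0-9A-Fa-f]{2})+$")    # \xAA\xBB\xCC form

def decode_nmap_data(spec: str) -> bytes:
    """Turn an Nmap --data argument into the bytes it puts on the wire."""
    if HEX_0X.match(spec):
        return bytes.fromhex(spec[2:])
    if HEX_BACKSLASH.match(spec):
        return bytes.fromhex(spec.replace("\\x", ""))
    raise ValueError(f"not a valid --data hex string: {spec!r}")

def is_valid_data_spec(spec: str) -> bool:
    """Whole-byte hex only; odd digit counts and non-hex characters are rejected."""
    try:
        decode_nmap_data(spec)
        return True
    except ValueError:
        return False

# Constructed watch-list of payload strings seen in crafted probes
SCANNER_MARKERS = [b"Scan conducted by", decode_nmap_data("\\xCA\\xF1\\xA9")]

def syn_payload_findings(flags: set, payload: bytes) -> list:
    """A SYN that opens a connection normally carries no data; a payload on it is a crafted probe."""
    findings = []
    if "SYN" in flags and "ACK" not in flags and payload:
        findings.append(f"SYN with {len(payload)}-byte payload")
        for marker in SCANNER_MARKERS:
            if marker.lower() in payload.lower():
                findings.append("payload matches " + marker.hex())
    return findings
```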

Randomizing Host Order

The attacker scans the hosts in the target network in a random order to reach the intended target lying beyond the firewall. This can be done using the Nmap option --randomize-hosts, which instructs Nmap to shuffle each group of 16384 hosts before scanning them. Combined with slow timing options, this makes the scan less noticeable to network monitoring systems and firewalls.

Proxy Chaining

Using a proxy chain increases an attacker's anonymity on the Internet. Internet anonymity depends on the number of proxies used to reach the target application; the more proxy servers utilised, the more anonymous the attacker is. The proxy chaining process is described below:
  • The user requests a resource from the destination.
  • A proxy client in the user's system connects to the proxy server and passes the request to the proxy server. 
  • The proxy server strips the user's identification information and passes the request to the next proxy server. 
  • This process is repeated by all the proxy servers in the chain. 
  • Finally, the unencrypted request is passed to the web server. 

Anonymizers

An anonymizer removes all identifying information from the user's computer while the user surfs the Internet, making their activity on the Internet untraceable. Anonymizers also allow you to bypass Internet censors. The reasons for using anonymizers include ensuring privacy, accessing government-restricted content, protecting against online attacks, and bypassing IDS and firewall rules. A few notable tools are Alkasir, Tails, Whonix, Psiphon, and Orbot (mobile).
