Network Security Evasion
Evading IDS, Firewalls, and Honeypots
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System):
An IDS is a security system that monitors network traffic or host activity for suspicious or malicious behaviour. It compares what it sees against known attack signatures or against a baseline of normal behaviour (anomaly detection) and raises alerts in near real time. A network IDS is typically passive: it watches a copy of the traffic from a tap or SPAN port and does not sit in the forwarding path.
An IPS goes further: it sits inline in the traffic path, so when it detects an attack it can drop the offending packets or reset the connection rather than only alerting. The cost of being inline is that the device must keep up with line rate, and a false positive blocks legitimate traffic instead of merely generating a noisy alert.
IDS Evasion techniques
Insertion Attack
The attacker sends packets that the IDS accepts but the target host rejects (for example, packets with a bad TCP checksum or a TTL that expires before reaching the host). The IDS inserts that data into its view of the stream, so its copy of the session no longer matches what the host actually receives and the signature fails to match.
Evasion
The reverse: the target host accepts packets that the IDS discards or never sees, so part of the attack is invisible to the IDS. Both classes were described by Ptacek and Newsham (1998) and rely on the IDS and the end host interpreting the same packets differently.
Denial-of-Service
Exhausting the IDS's CPU, memory, or alert storage (for example with large numbers of half-open connections or fragments it must buffer) so that it starts dropping packets; many sensors fail open and pass the traffic they cannot inspect.
Obfuscating
Modifying malicious code to make it less recognizable.
False Positive Generation
Generating fake alerts to distract or overwhelm the IDS.
Session Splicing
Delivering the attack payload in many small TCP segments so that no single segment contains a complete signature; an IDS that does not reassemble the stream before matching misses it.
Unicode Evasion
Encoding characters in an alternative form that the target decodes but the IDS signature does not recognise, for example overlong UTF-8 sequences or double percent-encoding of a URL path.
Fragmentation Attack
Breaking the attack across several IP fragments so the signature spans fragment boundaries; an IDS that matches per fragment, or times out incomplete fragments sooner than the host does, misses it.
Overlapping Fragment
Sending fragments whose offsets overlap so that different reassembly policies (favour the earlier fragment or favour the later one) produce different data. If the IDS reassembles with a different policy than the target host, it inspects a different packet than the one that is delivered.
Time-To-Live Attacks
Setting the TTL of chaff packets so they reach the IDS but expire before reaching the target host; the IDS accepts the chaff into its stream and desynchronises from the host.
Urgency Flag
Setting the URG flag and Urgent Pointer in TCP headers. Receivers disagree about whether the byte at the urgent pointer is part of the in-band stream, so an IDS that does not model the target's behaviour reassembles a different byte sequence than the host.
Invalid RST Packets
Sending an RST with an invalid checksum: the IDS may treat the connection as closed and stop tracking it, while the host silently discards the bad packet and keeps the connection open.
Polymorphic Shellcode
Code that constantly changes to avoid signature-based IDS.
ASCII Shellcode
Shellcode written only from printable ASCII bytes, so it passes filters that reject binary or non-printable input and looks like text to a signature engine.
Application-Layer Attacks
Exploits delivered inside application-layer content the IDS cannot fully parse, such as compressed archives or media files; the payload is only visible after the application decompresses or decodes it, which the IDS usually does not do.
Desynchronization
Breaking TCP state assumptions so the IDS tracks a different connection state than the host, for example a pre-connection SYN with a bogus sequence number, or a post-connection SYN that makes the IDS resynchronise to attacker-chosen values while the host ignores it.
Encryption
Encrypting malicious content to hide it from IDS.
Flooding
Overwhelming IDS with high volumes of legitimate traffic.
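Worked example, added here and not part of the original notes: a toy Python signature matcher that shows why session splicing and Unicode/percent-encoding evasion defeat a per-packet IDS, and how reassembling the stream and normalising the payload before matching recovers the detection. The signature (/etc/passwd), the sample HTTP requests and the three-pass decoding limit are constructed for the demo; the overlong UTF-8 handling models the lenient decoding some older web servers performed, not any particular product.

```python
# Added example, not part of the original notes: a toy HTTP signature matcher
# showing why session splicing and encoding tricks defeat a per-packet IDS,
# and how TCP stream reassembly plus normalisation recovers the detection.
# The signature and the sample requests below are constructed for this demo.
import re
import urllib.parse
from typing import Dict, Iterable, List

# Hypothetical signature: any request that mentions /etc/passwd.
SIGNATURE = re.compile(rb"/etc/passwd")


def splice(payload: bytes, size: int) -> List[bytes]:
    """Session splicing: deliver the payload in TCP segments so small that no
    single segment contains the whole signature."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def per_packet_detect(segments: Iterable[bytes]) -> bool:
    """Naive IDS: matches the signature against each segment in isolation."""
    return any(SIGNATURE.search(seg) for seg in segments)


def decode_overlong_utf8(data: bytes) -> bytes:
    """Decode the 2-byte overlong UTF-8 forms (lead byte 0xC0/0xC1) that some
    historical web servers accepted, e.g. C0 AF -> '/'. A strict decoder
    rejects them, so an IDS that decodes strictly and a target that decodes
    leniently disagree about what the request says."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def normalize(payload: bytes) -> bytes:
    """Apply the decoding the target would apply before matching: percent-decode
    repeatedly (bounded, to catch double encoding), then resolve overlong UTF-8."""
    data = payload
    for _ in range(3):
        decoded = urllib.parse.unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return decode_overlong_utf8(data)


def stream_detect(segments: Iterable[bytes]) -> bool:
    """Stream-aware IDS: reassemble the TCP stream, normalise, then match."""
    return SIGNATURE.search(normalize(b"".join(segments))) is not None


# Constructed sample requests (not captured traffic).
PLAIN = b"GET /etc/passwd HTTP/1.0\r\n\r\n"
DOUBLE_ENCODED = b"GET /%252fetc%252fpasswd HTTP/1.0\r\n\r\n"  # %252f -> %2f -> /
OVERLONG = b"GET /%c0%afetc%c0%afpasswd HTTP/1.0\r\n\r\n"      # C0 AF is overlong '/'


def demo() -> Dict[str, bool]:
    """Run both detectors over the three evasions; every *_stream key should be True."""
    spliced = splice(PLAIN, 4)   # 4-byte segments: no segment holds the 11-byte signature
    return {
        "plain_per_packet": per_packet_detect([PLAIN]),
        "spliced_per_packet": per_packet_detect(spliced),
        "spliced_stream": stream_detect(spliced),
        "double_encoded_per_packet": per_packet_detect([DOUBLE_ENCODED]),
        "double_encoded_stream": stream_detect([DOUBLE_ENCODED]),
        "overlong_per_packet": per_packet_detect([OVERLONG]),
        "overlong_stream": stream_detect([OVERLONG]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} {'ALERT' if hit else 'missed'}")
```

The common thread is that the IDS has to reproduce the target's view of the data (reassembled, decoded the way the server decodes it) before a signature means anything; each evasion above is a place where a cheaper IDS skips that step.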
Firewalls
A firewall is a network security device or software that acts as a barrier between a trusted internal network and untrusted external networks, such as the internet. It enforces a set of rules that allow or block traffic based on defined security policies. Firewalls can filter traffic by port, protocol, or source/destination IP addresses, thereby protecting a network from unauthorized access and potential threats.
A DMZ (Demilitarized Zone) is a separate network segment placed between the trusted internal network and the untrusted external network, with firewall policy enforced on both sides of it. Servers that must be reachable from the internet, such as web or mail servers, are placed there so that if one of them is compromised the attacker still faces the inner firewall before reaching internal systems.
Hardware and Software Firewalls:
A hardware firewall is a physical device dedicated to filtering network traffic. It is usually placed between an organization's internal network and the external network (e.g., between a local network and the internet). Hardware firewalls offer robust protection and can be managed independently of other network devices.
A software firewall is a program or application that runs on an individual computer or device. It controls inbound and outbound network traffic for that specific device. Software firewalls are useful for protecting individual devices but may not offer the same level of network-wide security as hardware firewalls.
Firewall Evasion Techniques
Firewalking
A traceroute-style technique for mapping a firewall's rule set: probes are sent with a TTL one greater than the hop count to the firewall, so any port the firewall permits draws an ICMP time-exceeded reply from the next hop, while filtered ports produce nothing. Nmap's firewalk NSE script automates this.
IP Address Spoofing
Forging the source IP in packets so they appear to come from an address the firewall trusts. Replies go to the spoofed address, so on its own this suits one-way attacks rather than full TCP sessions.
Source Routing
Using the IP loose or strict source-routing options to dictate the path a packet takes, steering it around a filtering point. Most modern routers and firewalls drop source-routed packets for exactly this reason.
Tiny Fragments
Making the first IP fragment so small that the TCP header is split across fragments: an 8-byte first fragment carries only the ports and sequence number, and the flags byte lands in a later fragment that a stateless filter passes without inspection. RFC 1858 recommends dropping first fragments too short to contain the fields being filtered on.
Using an IP Address in place of a URL
Accessing websites directly via IP address to bypass DNS-based restrictions.
Using a Proxy Server
Routing traffic through proxy servers to mask the source IP address.
ICMP Tunneling
Carrying data in the payload of ICMP echo request and reply packets, which many firewalls permit without inspecting the payload.
ACK Tunneling and HTTP Tunneling
ACK tunneling sends data in TCP segments with only the ACK flag set, which a stateless filter treats as part of an already-established connection and lets through. HTTP tunneling wraps arbitrary traffic in HTTP requests and responses so it passes a firewall or proxy that permits web traffic.
SSH and DNS Tunneling
Forwarding traffic through an SSH connection (port forwarding or a SOCKS proxy over SSH), or encoding it in DNS queries and responses (for example in subdomain labels and TXT records) to a resolver the attacker controls, since outbound DNS is rarely blocked.
Through External Systems
Routing traffic through external systems to mask its origin.
Through Man-in-the-Middle (MiTM) Attack
Intercepting and altering network traffic between two parties.
Through Content and Cross-Site Scripting (XSS) Attacks
Delivering the exploit inside web content the firewall permits, for example a script injected into a trusted page, so the victim's browser fetches and runs it from inside the network.
Through HTML Smuggling
Assembling the malicious file inside the victim's browser with JavaScript (for example decoding a base64 string into a Blob and triggering a download), so the file never crosses the perimeter as a recognisable download that a filter could block.
Through Windows Background Intelligent Transfer Service (BITS)
Abusing BITS for file transfer to avoid firewall restrictions.
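Worked example, added here and not part of the original notes, covering both the Tiny Fragments item above and the Fragmentation Attack and Overlapping Fragment items in the IDS section: pure-Python code that builds a bare TCP header, fragments it, and shows (a) a stateless filter that cannot see the SYN flag when the first fragment is 8 bytes, with the RFC 1858 minimum-length rule as the fix, and (b) the same fragment set reassembling to an ACK header under a first-fragment-wins policy and to a SYN header under last-fragment-wins. The ports, flags, reassembly policy names and payloads are constructed for the demo; nothing is sent on the wire.

```python
# Added example, not part of the original notes: builds a bare TCP header with
# struct, fragments it, and shows two inspection problems. Tiny fragments push
# the TCP flags byte out of the first fragment so a stateless filter cannot see
# the SYN; overlapping fragments reassemble to different headers depending on
# the reassembly policy (first-fragment-wins vs last-fragment-wins), so a filter
# or IDS that does not model the target's policy judges a different packet than
# the one the target sees. Ports, flags and payloads are constructed for the demo.
import struct
from dataclasses import dataclass
from typing import Dict, List

SYN, ACK = 0x02, 0x10
TELNET = 23
RFC1858_TMIN = 16   # RFC 1858: drop first fragments shorter than this


@dataclass
class Fragment:
    offset: int   # fragment offset in 8-byte units, as in the IP header
    more: bool    # MF flag
    data: bytes


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; seq/ack/checksum are zero since nothing is sent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def fragment(payload: bytes, frag_size: int) -> List[Fragment]:
    """Split an IP payload into fragments of frag_size bytes (multiple of 8)."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [Fragment(off // 8, off + frag_size < len(payload), payload[off:off + frag_size])
            for off in range(0, len(payload), frag_size)]


def stateless_filter(frag: Fragment, blocked_dport: int, min_first_len: int = 0) -> str:
    """Filter meant to drop connection attempts (SYN without ACK) to blocked_dport.
    min_first_len=0 is the naive rule set; RFC1858_TMIN adds the tiny-fragment defence."""
    if frag.offset != 0:
        return "allow"                     # non-first fragment: no header to inspect
    if len(frag.data) < min_first_len:
        return "drop"                      # too short to carry the fields we filter on
    if len(frag.data) < 14:
        return "allow"                     # flags byte (index 13) not present
    dport = struct.unpack("!H", frag.data[2:4])[0]
    flags = frag.data[13]
    if dport == blocked_dport and flags & SYN and not flags & ACK:
        return "drop"
    return "allow"


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """policy='first': earlier data wins on overlap; 'last': later data overwrites."""
    buf: Dict[int, int] = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset * 8 + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if set(buf) != set(range(len(buf))):
        raise ValueError("gap in reassembled datagram")
    return bytes(buf[i] for i in range(len(buf)))


def overlapping_fragments() -> List[Fragment]:
    """RFC 1858 overlap: fragment 0 is a complete, innocuous ACK header; fragment 1
    (offset 1 = byte 8) overlaps bytes 8..23 and rewrites the flags byte to SYN."""
    innocuous = tcp_header(40000, TELNET, ACK) + b"\x00" * 4   # 24 bytes, 8-aligned
    hostile = tcp_header(40000, TELNET, SYN) + b"\x00" * 4
    return [Fragment(0, True, innocuous), Fragment(1, False, hostile[8:])]


def demo() -> Dict[str, object]:
    syn = tcp_header(40000, TELNET, SYN)
    tiny = fragment(syn, 8)                 # flags byte lands in the second fragment
    overlap = overlapping_fragments()
    return {
        "unfragmented_verdict": stateless_filter(Fragment(0, False, syn), TELNET),
        "tiny_naive_verdict": stateless_filter(tiny[0], TELNET),
        "tiny_rfc1858_verdict": stateless_filter(tiny[0], TELNET, RFC1858_TMIN),
        "tiny_reassembles_intact": reassemble(tiny, "first") == syn,
        "overlap_filter_verdict": stateless_filter(overlap[0], TELNET, RFC1858_TMIN),
        "overlap_first_wins_flags": reassemble(overlap, "first")[13],
        "overlap_last_wins_flags": reassemble(overlap, "last")[13],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

Run it directly to print the verdicts. The point to take away is that a filter's or IDS's verdict on a fragmented datagram is only meaningful if it reassembles the same way the target host does; the overlap case passes the filter with an ACK header yet delivers a SYN to any host whose stack favours the later fragment.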
Honeypots
A honeypot is a security mechanism or system designed to lure and deceive attackers. It appears to be a legitimate part of a network but is actually a trap. The purpose of a honeypot is to monitor, detect, and learn about the tactics and methods used by malicious actors. It can also divert attackers away from critical systems or gather information about their activities. Honeypots are valuable tools for threat intelligence and understanding the threat landscape.
Tools to detect Honeypots
Send-Safe Honeypot Hunter is a tool that checks lists of HTTPS and SOCKS proxies for honeypots, testing whether each proxy really relays traffic the way an open proxy would. It was written for spammers looking for usable open proxies, which is why it turns up in honeypot-detection material.
kippo_detect is a utility that fingerprints the Kippo SSH honeypot. Kippo is a medium-interaction honeypot that emulates a vulnerable SSH server to log brute-force attempts and the commands attackers run; kippo_detect relies on differences between Kippo's emulation and a real SSH server to tell them apart.